4. Key controls for Digital Investment Managers
This section of the Guidance describes how the FSRA applies particular requirements of the FSRA Rulebook to all Digital Investment Managers, regardless of whether they are eligible for the prudential capital relief outlined in section 3, above. It is not exhaustive, and should be read in conjunction with the Rulebook itself, as well as:
a. chapter 2 of the GPM, which outlines the FSRA’s approach to authorisation for all FSP applicants; and
b. Supplementary Guidance - Authorisation of Investment Management Activities.7
A critical component of the digital investment management business model is the use of algorithms to automate the investment process. Accordingly, the FSRA sees a need to ensure that Digital Investment Managers have adequate algorithm and technology governance policies and processes in place to address the specific risks arising from such a technology-driven business model. The limited human interaction between Digital Investment Managers and their clients necessitates consideration of how suitability assessments are performed and the disclosures that are made to clients.
Additionally, given their heavy dependence on collecting and processing client data and the risks of cyberattacks to their automated and largely digital mode of operations, Digital Investment Managers must also put in place robust data security policies and systems to ensure compliance with all relevant data protection regulations, including the ADGM’s Data Protection Regulations and, as appropriate, PRU 6.6 – 6.9.8
8 These sections of PRU pertain to information technology systems, information security, outsourcing, and business continuity.
Algorithms are at the core of the service offered by Digital Investment Managers. They are used to undertake critical components of the investment management process such as risk profiling, portfolio allocation and rebalancing. Accordingly, the FSRA expects that Digital Investment Managers will establish internal governance structures that enable their Board and Senior Management to have robust oversight and control over the design, performance, deployment and security of algorithms.9 The roles and responsibilities of all personnel who oversee the design, performance and integrity of algorithms must be clearly defined.10
9 Refer to GEN 2.2.3 and 220.127.116.11 Refer to GEN 3.3.2(1).
4.5 In assessing the adequacy of the oversight and controls that the Digital Investment Manager establishes in relation to the development and deployment of its algorithms, the FSRA will take into account the following considerations.11
a. Qualifications and competency of staff: the Digital Investment Manager must ensure that it has qualified and competent staff to ensure the proper functioning and supervision of the algorithm model (the “Model”) on an ongoing basis. The Digital Investment Manager must have adequate training and documented manuals in place to address any key-man and business continuity risks.12
b. Developing and testing the Model: the Digital Investment Manager must maintain proper documentation explaining the decision tree or logic of the algorithm to ensure that the outcomes produced by the Model are explainable, traceable and repeatable. The Digital Investment Manager must also ensure the relevance of any data or assumptions upon which the Model is based, and that any client questionnaire it uses takes into account potential behavioural biases that may lower the accuracy of client responses. The Digital Investment Manager must carry out sufficient testing to demonstrate that its Model meets these principles. Where appropriate (e.g. in the case of a complex Model), the FSRA may require a third-party audit to validate the performance outcomes of the Model as purported.
c. Managing and maintaining the Model: the Digital Investment Manager must establish safeguards, including with respect to access controls and security, to protect the integrity of the Model (including algorithm source code). The Digital Investment Manager should maintain the ability and relevant resources to modify the Model in the event that there is a need to stop the algorithm or make changes to it. The FSRA will also require the Digital Investment Manager to demonstrate that it has a clear process for detecting and reporting programming errors and unexpected outcomes. In the event of failure or outage of the Model, the Digital Investment Manager must have contingency plans to ensure that its services to clients are not adversely affected and that the clients’ interests are safeguarded.13
d. Ongoing monitoring and reviews: the Digital Investment Manager must conduct ongoing monitoring and reviews to assess whether the Model effectively achieves its intended objectives and outcomes, and to manage the risks of inaccuracy, bias or exception. The Board and Senior Management must also periodically review the Digital Investment Manager’s internal governance structure and measures to ensure that they remain appropriate and effective.
11 Sub paragraphs (b), (c) and (d) follow from GEN 18.104.22.168 Refer to GEN 3.3.33 and PRU 6.9.
13 Refer to GEN 3.3.33 and PRU 6.9.
4.6 The Digital Investment Manager must ensure that its systems and controls are adequate and appropriate for the scale, nature and complexity of its business.14 This applies in particular to systems and controls concerning:
a. the transmission and storage of information;
b. the assessment, mitigation and management of risks relating to the provision of digital investment management services, including data security;
c. the effecting and monitoring of transactions by the Digital Investment Manager;
d. the technical operations of the Digital Investment Manager, including contingency arrangements for disruption to its facilities;
e. the operation of its functions relating to the safeguards and protections to investors; and
f. outsourcing.
14 Refer to GEN 2.2.3 and chapter 3.3, PRU 6.6 and 6.7, and other requirements in the Rulebook as applicable.
4.7 In assessing whether the systems and controls used by the Digital Investment Manager are adequate and appropriate for the scale and nature of its business, the FSRA may have regard to the following:
a. the distribution of duties and responsibilities among its key individuals;
b. the staffing and resources of the Digital Investment Manager;
c. the arrangements made to enable key individuals to supervise the operations of the Digital Investment Manager; and
d. the arrangements for internal and external audit, including technology audits.
4.8 Digital Investment Managers must comply with the rules relating to suitability in the FSRA’s Conduct of Business Rulebook (“COBS”).15 These rules require Digital Investment Managers to have a reasonable basis for considering that any Specified Investments they recommend, or Transactions they execute on a discretionary basis, are suitable for the client.16 In making this determination of suitability, Digital Investment Managers must:
a. undertake an appropriate assessment of the particular client's needs, objectives, financial situation and also, to the extent relevant, their risk tolerance, knowledge, experience and understanding of the risks involved; and
b. take into account any other relevant requirements and circumstances of the client of which the Authorised Person is, or ought reasonably to be, aware.17
15 Digital Investment Managers are also subject to the Principles for Authorised Persons in GEN 2.2. Principle 8 requires Authorised Persons to take reasonable care to ensure the suitability of their Advice and discretionary decisions for clients who are entitled to rely upon their judgment: GEN 22.214.171.124 COBS 3.4.2(a).
17 COBS 3.4.2(a). Pursuant to COBS 3.4.2(b) and (e), Digital Investment Managers may limit the extent to which they will consider suitability for Professional Clients.
4.9 Given the nature of their business models, Digital Investment Managers typically rely heavily on an online questionnaire to collect the information needed to perform suitability assessments (“Risk Profile Questionnaire”). When designing a Risk Profile Questionnaire, the FSRA expects that Digital Investment Managers will ensure that the following requirements are met.
a. The information obtained to assess suitability is proportionate with the complexity and risk of the Specified Investments recommended or transacted through the platform. Digital Investment Managers that offer Specified Investments that are relatively high risk or have complex features will need to undertake more extensive due diligence to form a reasonable basis for assessing that these products are suitable for the client.
b. There is a mechanism to exclude clients for whom the Digital Investment Manager’s services would not be suitable, or who require advice that goes beyond the scope of what the Digital Investment Manager can provide. These mechanisms may take the form of ‘knock out’ questions that, for example, reject prospective clients whose investment horizon, liquidity needs or other circumstances are misaligned with the Specified Investments offered through the platform.
c. Inconsistencies in the information provided by prospective clients are addressed through follow up questions or engagement with a human advisor who can explain the context of the questions and their purpose.
d. Where a client selects a portfolio that is not recommended, information is provided to the client explaining why the recommended portfolio (as opposed to the portfolio selected by the client) is considered suitable in light of the client’s personal circumstances as understood from the client’s responses to the Risk Profile Questionnaire.
Digital Investment Managers must take reasonable steps to ensure that the client information they hold is accurate, complete and up to date.18 In order to comply with this requirement, the FSRA expects that Digital Investment Managers will periodically prompt clients to update their information. This may be achieved by requiring clients to recomplete the Risk Profile Questionnaire, or by posing a more targeted set of questions to identify any changes in the client’s personal circumstances which may impact the suitability of the clients’ portfolios.
18 COBS 3.4.3.
Digital Investment Managers must comply with the disclosure requirements in COBS.19 The information that must be provided to a client differs according to the particular services provided20 and whether the client is a Retail Client or Professional Client. In all cases, communication between a Digital Investment Manager and a client must be clear, fair and not misleading.21
19 The majority of these requirements are contained in Chapter 12 of COBS.
20 Refer to COBS 12.1.3 for the disclosures required for Investment Business and COBS 12.1.4 for the disclosures required for an Investment Manager.
21 GEN 2.2.6, COBS 3.2.1.
4.12 In the case of Retail Clients, Digital Investment Managers must provide sufficient details of the service that they will provide.22 In discharging this obligation, the FSRA considers that Digital Investment Managers will need to disclose, among other things, the following information to clients.
a. The nature and scope of the services it offers, including the types of products and how it determines whether these products are suitable to meet the investment objective(s) of the client;
b. Details of how the Model is relied upon in the investment process;
c. The key assumptions and limitations of the Model used by the Digital Investment Manager;
d. Circumstances where the Model may fail to perform as intended or where the Digital Investment Manager may halt (for instance due to volatile markets) or make material adjustments to the algorithm, and how these would impact clients;
e. The degree of human involvement and oversight of the investment process; and
f. The inherent, material risks arising from the Digital Investment Manager’s business model, such as the risks arising from automated portfolio rebalancing.
22 COBS 12.1.2(a)(v).
4.13 Digital Investment Managers are also subject to a number of other disclosure requirements including, but not limited to, the following.
a. Circumstances where the Digital Investment Manager expects clients to update the information they have provided in their Risk Profile Questionnaire.23
b. Details of any conflicts of interest.24
c. Details of the arrangements put in place by the Digital Investment Manager regarding Client Assets.25 The Digital Investment Manager should also describe the specific risks faced by clients where Client Assets are held by:
   i. a regulated financial institution within the UAE; or
   ii. a regulated financial institution outside the UAE, which could complicate the process of recovering Client Assets in the event of the financial institution defaulting or becoming insolvent.
d. In the case of Retail Clients:
   i. key particulars of the Digital Investment Manager’s complaints handling procedures;26
   ii. details of fees, costs and other charges and the basis upon which the Digital Investment Manager will impose them;27 and
   iii. the content and frequency of the periodic reporting statements that the Digital Investment Manager will issue.28
23 COBS 126.96.36.199 COBS 3.5.4 and, in the case of Retail Clients, 12.1.2(vi).
25 Refer to COBS 14.2.10 and 15.7 as applicable.
26 COBS 12.1.2(viii).
27 COBS 12.1.2(a)(iv).
28 COBS 12.1.3(e).
In addition to the content of the disclosures, Digital Investment Managers should also consider when and how best to make the disclosures in order to ensure that they are read and understood by clients (in particular, Retail Clients).