Risk Management Framework (RMF) for Mutual Funds - SEBI - SEBI/HO/IMD/IMD-1 DOF2/P/CIR/2021/630

CIRCULAR

SEBI/HO/IMD/IMD-1 DOF2/P/CIR/2021/630

September 27, 2021

To,
All Mutual Funds/ Asset Management Companies (AMCs)/ Trustee Companies/ Board of Trustees of Mutual Funds/ Association of Mutual Funds in India (AMFI)

Sir / Madam,

Sub: Risk Management Framework (RMF) for Mutual Funds

1. In order to ensure that mutual funds render, at all times, high standards of service, exercise due diligence, ensure proper care in their operations and to protect the interests of investors, SEBI vide Circular No. MFD/CIR/15/19133/2002, dated September 30, 2002 prescribed certain systems, procedures and practices that must be followed by all mutual funds with regard to risk management in various areas like fund management, operations, customer service, marketing and distribution, disaster recovery and business contingency, etc.

2. Since the date of issuance of the aforesaid circular, there have been significant developments in the mutual fund industry and in the financial markets as a whole, including in the area of product innovation, investment in newer asset classes, distribution landscape, technological evolution, investor penetration and awareness, increase in risk elements, etc. Accordingly, it has been decided to review the extant Risk Management Framework for Mutual Funds. The matter was deliberated in the Mutual Funds Advisory Committee (MFAC) based on the inputs received from the mutual fund industry. The recommendations of MFAC have been suitably incorporated in the Risk Management Framework for mutual funds.

3. With the overall objective of management of key risks involved in mutual fund operation, the revised Risk Management Framework (RMF) shall provide a set of principles or standards, which inter alia comprise the policies, procedures, risk management functions and roles & responsibilities of the management, the Board of AMC and the Board of Trustees.

4. The detailed RMF for mutual funds are placed at Annexure-A.

5. The elements of RMF, wherever applicable, have been segregated into 'mandatory elements' which should be implemented by the AMCs and 'recommendatory elements' which address other leading industry practices that can be considered for implementation by the AMCs, to the extent relevant to them.

6. AMCs shall perform a self-assessment of their RMF and practices and submit a report, thereon, to their Board along with the roadmap for implementation of the framework. The aforesaid exercise must be completed and the necessary systems must be in place at the AMCs to enable compliance with the provisions of this circular with effect from January 01, 2022. The Circular No. MFD/CIR/15/19133/2002, dated September 30, 2002 on Risk Management System shall be rescinded with effect from January 01, 2022. However, AMCs may choose to adopt the provisions of this circular before the effective date.

7. Compliance with the RMF should be reviewed annually by the AMC. Reports of such reviews shall be placed before the Board of AMC and Trustees for their consideration and appropriate directions, if any. Trustees may forward the findings and steps taken to mitigate the risk along with their comments to SEBI in the half-yearly trustee reports.

8. This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, read with the provisions of Regulation 77 of SEBI (Mutual Funds) Regulations, 1996, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

Yours faithfully,
Hruda Ranjan Sahoo
Deputy General Manager
Investment Management Department
022-26449586
[email protected]

Annexure A

Risk Management Framework (RMF) for Mutual Funds

1.0 RMF Standards

i. AMCs shall establish a RMF for its mutual fund business. The RMF of mutual funds shall have the following characteristics:
a. Be structured, efficient and timely.
b. Be an integral part of the mutual fund's processes and governance framework, at both the operational and strategic level, and consider all available information i.e. both internal and external.
c. Be customized to both AMC's and scheme's risk profile, focuses on potential risks and implements mitigation and control measures to explicitly address uncertainty.
d. Be dynamic and flexible enough to identify new risks that emerge and make allowances for those risks that no longer exist.
e. Recognize that people and culture have an impact on its effectiveness, and accordingly the framework must communicate and consult with stakeholders throughout.
f. Protect reputation.
ii. The objectives of RMF should assist the management and the Board of Directors of both AMC and Trustees in:
a. Demonstrating high standards of due diligence in daily management.
b. Promoting proactive management and early identification of risk.
c. Assigning and increasing accountability and responsibility in the organization.
d. Managing risk within the tolerance limits defined in the RMF.
iii. The RMF of mutual funds shall comprise the following components:
a. Governance and Organization.
b. Identification of Risks.
c. Measurement and Management of Risks.
d. Reporting of Risks and related Information.

1.1 Governance and Organization

i. Risk Management shall be an independent and specific function of the AMC.
ii. There should be at least one CXO level officer identified to be responsible for the risk management of specific functions of the AMC/Mutual Fund. For instance, there should be dedicated risk officers for various key risks such as Investment Risk (by Chief Investment Officer), Compliance Risk (by Chief Compliance Officer), Operational Risk (by Chief Operating Officer or similar functionary responsible for the respective functions overseen), Cyber Security (by Chief Information Security Officer), etc.
iii. The policy on risk management of the mutual fund should have clarity on roles and responsibility assigned to CXOs and the same needs to be disclosed on their website.
iv. AMC should have a Chief Risk Officer (CRO), who would be responsible for the overall risk management of the mutual fund operation including the key risks. This is in addition to one CXO level officer responsible for each key risk type. The CXO shall be the Head of Department or official of the AMC up to one level below CEO, other than CRO. However, for the overall risk management of the mutual fund, along with the management, both board of AMC and trustees should also be responsible. For this purpose, both the AMC and the trustees should mandatorily have separate Risk Management Committees (RMCs). These committees shall undertake annual review of RMF at both AMC and scheme level. The CRO should be part of the RMCs. The RMCs shall report to the Board of AMCs and trustees respectively and also recommend long term solutions regarding risk management both at the AMC level as well as the scheme level.
v. There shall be clear demarcation between the roles and responsibilities of the respective CXOs and the CRO. For instance, while defining the role of CRO, it should be ensured that the CRO would be responsible for the overall governance of the RMF; the investment decisions and the other functions of CIO are not encroached upon and the risk taking ability of CIO in accordance of the scheme objective is not hindered. The CRO or the risk management function of the CRO cannot be entrusted with day to day functioning, the responsibility for which shall lie with the respective CXOs.
vi. The AMC should maintain risk metric for each mutual fund scheme. The risk metric should incorporate each key risk type like investment risk, liquidity risk, credit risk, etc. along with the path to maintain the targeted risk level.
The metric may incorporate evaluation of risk levels vis-à-vis an appropriate benchmark, wherever applicable. The RMCs shall meet at least once in a quarter to review various risks including risk metrics at both the scheme and the AMC level and assist the board of AMCs and trustees in discharging their duties in this regard.

1.1.1 Risk Management Policy

The risk management policy can be a macro level description of risk management governance (including roles and responsibilities of the Board of AMC and the three lines of defense - Management, Risk Management Team and Internal Auditor), the organization's risk appetite and key elements of its risk management process. The policy on the RMF shall be approved by the board of AMC and trustees. The mandatory and recommendatory elements for inclusion in the risk management policy, approved by the board of AMC and trustees, are outlined below:

1.1.1.1 Mandatory Elements

i. There shall be an approved policy on the RMF both at AMC and scheme level.
ii. A risk appetite framework should be in place at both AMC and scheme level. Quantification of the framework in the form of a metric for key risks shall include but not be limited to credit risk, market risk and liquidity risk, etc. and targeted path of improvement. The metric, wherever applicable, should incorporate an appropriate benchmark vis-à-vis which the measurements of risk and targeted risk levels may be made.
iii. There should be a Delegation of Power (DoP) framework covering daily risk management, daily risk reporting and corrective actions at various levels of management.
iv. Formation of RMCs (of both AMC and Trustees), its roles and responsibilities.
v. Each CXO level officer to take ownership of risks and manage risk level for those risks as are applicable to their area of operation.
vi. Clarity on roles and responsibility assigned to CXOs.
vii. Responsibility of line management and process ownership for risk management and reflection of the same in the performance appraisal through Key Result Areas (KRAs) of key officials of line management. The performance may be evaluated vis-à-vis an appropriate benchmark, if applicable.
viii. All aspects of risks that the AMC can face along with the mitigation plans, including but not limited to:
a. Risk management practices in fund management, customer service, marketing and distribution.
b. Disaster recovery and business contingency planning.
ix. Limit management framework for the material or key risks.
x. Risk assessment monitoring measures and tools for all risks with quantified risk indicators and limits thereto.
xi. Implementation of scenario analysis and stress testing.
xii. Risk mitigation requirements and control mechanisms.
xiii. Additional triggers that could require review of the RMF, including:
a. Material claims or litigations from customers or incidents.
b. Material findings from internal or external audits.
c. Adverse media attention impacting reputation risk.
d. Adverse observations from the regulator(s), etc.
e. Key risk indicator breaches.
f. New regulatory requirements.
g. Sector-relevant developments or incidents.

1.1.1.2 Recommended Elements

i. Use of technology to automate risk management, reporting and compliance.

1.1.2 Risk Management Function - Responsibility of Board of AMC, Trustees and the Management

1.1.2.1 Risk Management - Role of the Board of AMC and Trustees

i. Approving the RMF policies and procedures including the risk metrics at scheme level.
ii. Defining, reviewing and approving the AMC's and scheme's risk appetite framework.
iii. Periodic monitoring of risk appetite versus actual risk at scheme level.
iv. Event based monitoring of Risk appetite versus actual risk at scheme level.
v. Define specific responsibility of the management, including CEO.
vi. Approval for policy for risk based KRAs and KRAs at level of CEO and up to one level below CEO. Suggest modifications in KRA outcomes and link compensation to those KRAs.
vii. Review of actions taken by Board of AMC and management in respect of risk management.
viii. Reporting of material risk related observations to SEBI on periodic basis.
ix. Setting up of the risk management function and developing appropriate structures and procedures to ensure that it can function independently.
x. Approving a methodology for Board Evaluation of the RMF (either through outsourced or self-assessment) on an annual basis.
xi. Annual review of effectiveness of the AMC and/or management's risk management function and policies including risk metrics to address the risk outcomes.
xii. Trustee may recommend reduction/ change in the risk level of the schemes within the Potential Risk Class (PRC).
xiii. For assessing the effectiveness of the RMF,
a. The board of AMC should seek an annual report through an internal management assessment process or from a third party covering all key risks and key risk metrics both at the AMC and scheme level.
b. The RMCs of both AMCs and Trustees shall meet at least once in a quarter to review various risks including the risk metrics at both AMC and scheme level.
c. The Board of AMC should have all relevant information of appropriate committee(s) (with the mandate and membership), CRO, CXO(s) for specific risk management, audit functions, investor relations, investment and credit decisions, etc.

1.1.2.2 Risk Management - Role of the Management

i. The risk management role of the management can be broadly classified into risk management roles and responsibilities of the CEO, CRO, CIO, CXOs and the fund manager.
ii. The overall role of the management shall be as below:
a. Overseeing the risk management function.
b. Keeping the Board of AMC and Trustees informed on new or emerging risks.
c. Putting in place a mechanism for risk reporting on quarterly basis to the Board of AMC and trustees, covering all risks including risk metrics, escalation of material risk related incidents, if any, and timely and corrective actions taken in specific cases of risk escalation. This may be carried out with an objective to address the root cause in escalation of such risks and also to improve the measurement and control mechanism for prevention of reoccurrence of such risks.
d. Establishing an organization-wide risk-conscious culture.
e. Inclusion of risk management as a parameter for performance appraisal (through KRAs or equivalent) of all the officials of the AMC at the level of CEO and up to two levels below CEO.
f. Establishing human resource practices pertaining to hiring, orientation and training in order to send messages to employees regarding the organization's expected standards on integrity, ethical behavior, competence and risk management.

1.1.2.2.1 Risk Management - Role of Chief Executive Officer (CEO)

i. The CEO shall be responsible for all the risks at both AMC and Scheme level.
ii. The CEO shall
a. ensure that the outcomes of risk management function are reported to him on a monthly basis
b. define specific responsibility of CIO and CXO regarding risk management
c. define a risk appetite framework for schemes and AMC.
d. define appropriate risk metric for respective CXO, CIO, fund manager, etc.
e. ensure adherence to the guidelines pertinent to SEBI in respect of RMF and relevant principles thereunder including risk identification, risk management, risk reporting (both periodic and escalation of material incident) and corrective actions taken, if any.
f. The CEO shall approve the corrective action on various findings and report to the board of AMC and trustee regarding the same and also escalate to board of AMCs and trustees, if required, any major findings being reported.

1.1.2.2.2 Risk Management - Role of Chief Risk Officer (CRO)

i. The CRO shall be responsible for ensuring that there is an effective governance framework and reporting framework of risk management in line with the regulatory requirements.
ii. The risk management roles of the CRO are as under:
a. Implementation of Risk management framework across the organization.
b. Review specific responsibility of management, including CEO, CIO, CXOs, and Fund Managers.
c. Put in place mechanism for risk reporting at least on a quarterly basis to the board of AMC, trustees and RMCs, covering all risks including risk metrics, escalation of material risk related incidents, timely and corrective actions taken, if any.
d. Independent assessment of reporting of risk to various committees and CEO, etc.
e. Put in place mechanism for reporting to CEO - Including outcomes for risk management function on monthly basis.
f. The reporting of risk as above is independent from the CIO and verified by the risk team.
g. There is a DoP approved by the Board of AMC for risk management by CRO covering the following:
1) Daily risk management
2) Daily risk reporting
3) Corrective actions at the level of Fund manager, CIO and CEO.
h. The CRO shall inform to board of AMCs, trustee and risk committees regarding any major findings or corrective actions required and also update on closure or the status of various recommendations.

1.1.2.2.3 Risk Management - Role of Chief Investment Officer (CIO)

i. Daily management of risk and necessary reporting relating to Investment risk of all scheme(s) such as market Risk, liquidity Risk, credit risk etc. and other scheme specific risks (Compliance Risk, Fraud Risk, etc.) lies on the CIO.
ii. In respect of all schemes CIO should ensure:
a. Adherence to the guidelines pertinent to SEBI in respect of RMF and relevant principles thereunder including risk identification, risk management, risk reporting (both periodic and escalation of material incident) and corrective actions taken, if any.
b. Defining specific responsibility of Fund Managers
c. Adherence to risk appetite framework - maintain risk level for schemes
iii. CIO will calculate the overall risk by taking into account the weighted average of (i) the risk-o-meter and (ii) the events of defaults. Both (i) and (ii) are to be calculated in terms of a number taking into account the risk-o-meter and events of defaults or early mortality of investments which may inter alia include credit default, change in yield, change in NAV, external shock or unusual redemptions, etc. to quantify the overall risk.
iv. The CIO shall escalate the corrective actions taken, if any, to the CEO and the CRO.

1.1.2.2.4 Risk Management - Role of other CXOs

i. The CXOs shall be responsible for the governance of the respective risk types.
ii. In respect of respective risk type, CXO should ensure:
a. Adherence to the guidelines pertinent to SEBI in respect of RMF and relevant principles thereunder including risk identification, risk management, risk reporting (both periodic and escalation of material incident) and corrective actions taken.
b. Defining specific responsibility regarding risk management of key personnel reporting to them.
c. Maintaining risk level as per the risk metric.
iii. The CXOs shall take immediate corrective action for non-compliance or major finding post approval from CEO as per DoP and shall report to CRO regarding the risk reports.
iv. The CXO shall escalate to CEO and the CRO any major findings reported by respective risk management function.

1.1.2.2.5 Risk Management - Role of Fund Manager (FM)

i. The FM shall be responsible for daily management of investment risk of managed scheme(s) such as market Risk, liquidity Risk, credit risk and other scheme specific risks and appropriate risk reporting of any risk related event to CIO.
ii. In respect of schemes managed by them, FMs should ensure:
a. Adherence to relevant SEBI guidelines in respect of RMF and relevant principles thereunder including risk identification, risk management, reporting and corrective actions etc.
b. Adherence to risk appetite framework to maintain appropriate risk level for schemes.
c. If there is any need of change in the risk appetite of the scheme within the PRC of that particular scheme, the same is to be with the approval of the CIO.
iii. The FM shall take corrective action, if required, as per the approved DoP and escalate major risk related event to CIO.

1.2 Identification of Risks

For the identification of risks, the RMF should address the following key questions:

1.2.1 What are the different types of risks faced by the mutual fund/AMC and its mutual fund schemes?

1.2.2 What is the probability of the happening of each of the above risks, considering the control environment and automation within the AMC, external factors or dependencies such as market infrastructure, outsourced activities, etc. and available historical risk data?

1.2.3 What is the likely impact of key risk events, in terms of financial loss, reputation loss, impact on investors/ unit holders and regulatory action?

1.2.4 What are the emerging or new risks due to new business lines, new products, statutory changes, changes in external environment or market infrastructure, etc.?

1.2.5 The mandatory and recommendatory elements for identification of risks, are outlined below:

1.2.5.1 Mandatory Elements

i. Each AMC shall identify on an ongoing basis, the specific risks to be covered within the RMF, based on the nature, scale and complexity of its business, the risk profiles and strategies of the funds it manages, and the impact of different risks on its mutual funds business.
ii. Documented risk profile for each of the key functions incorporating events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives, sources of risks and areas impacted due to the event.

1.2.5.2 Recommendatory Elements

i. Formalized risk appetite statement (incorporating themes such as investment, sales, and operational losses as a result of in-house or outsourced activities) both at the scheme and AMC level.

1.3 Measurement and Management of Risks

1.3.1 AMC should have approved internal policy for measurement of various scheme specific risks (such as governance risk, investment risk, liquidity risk, credit risk) through appropriate risk metrics.

1.3.1.1 It should reflect the Risk-O-Meter and the PRC of the scheme vis-a-vis the scheme benchmark.

1.3.1.2 The policy should have the defined guidelines regarding the appropriate risk metric with role clarity depending on the responsibility of each person.

1.3.2 AMCs should have approved internal policy for measurement of organization wide risk like operational risk, technology risk, legal risk, talent risk, outsourcing risk, etc.

1.3.3 Having identified and documented the applicable risks, the risk management function should develop process/tools to measure and manage those risks. For this purpose, the following needs to be considered for each risk category:
i. Ascertaining the measurement criteria for each risk category (qualitative and quantitative criteria).
ii. Documentation of measurement tool(s) for each risk category, i.e. Risk and Control Self-Assessment (RCSA), stress testing, scenario analysis, etc.
iii. Determination of required frequency of monitoring.
iv. Developing a process for escalation.
v. Determination and documentation of remedial or mitigating actions. Wherever appropriate, it is recommended that AMCs consider documenting risk limits based on their risk appetite.

1.3.4 The mandatory and recommendatory elements for measurement and management of risks, are outlined below:

1.3.4.1 Mandatory Elements

i. The AMCs shall have established structure and responsibility across the three lines of defense:
a. Business Operations.
b. Oversight functions like Risk Management and Compliance.
c. Internal Audit.
ii. Internal Audit and Oversight functions like Risk Management and Compliance shall ensure the following:
a. There should be a dedicated internal auditor at the AMC level for audit of the RMF of the AMC. However, the same may be carried out by independent auditor appointed by trustees, provided that the personnel undertaking the said audit have relevant expertise in the domain of risk management necessary for both the AMC level and the scheme level audit. In such scenario, care must be taken that no conflict arises w.r.t submission of independent audit reports by the auditor to the audit committee and the Board of both the AMC and the trustees for the conduct of their respective audit functions.
b. The internal auditor should audit both the scheme level and AMC level risks.
c. The internal auditor should audit compliance with the internal policies of the AMC on risk management as well as the applicable rules and regulations mandated by SEBI on risk management.
d. For the processes being audited by the internal auditor, a non-compliance rate shall be computed. The non-compliance rate may be computed based on sampling out of the total number of processes being audited.
e. The internal auditor should submit the internal audit report to the audit committee of the AMC and the Board of AMC representing the non-compliance rate as audited in the books of accounts of the AMC and its schemes. While submitting to the audit committee, the non-compliance level shall be converted to an overall internal audit score represented in the form of a number providing a quantitative representation of the internal audit report. This number shall be generated considering all key risk types.
f. Further, this number shall be compared in subsequent internal audits to analyze the improvement in minimizing the non-compliance level at the AMC. This shall reflect the degree of rectification of non-compliance as done at the level of AMC.
Therefore, this number may be represented in the form of a Rectification Index in the internal audit report.
iii. There shall be an RCSA process with defined frequency.
iv. There shall be an established mechanism for reporting to the CRO, management and the Board of AMC and Trustees.
v. Periodic review of policy frameworks shall be done to ensure that the said policies are up-to-date responding to new strategic priorities and risks and the monitoring mechanisms are working to ensure compliance with the updated policies.
vi. Mechanisms are established for management to make use of early warning indicators to identify, evaluate, and respond to changes quickly.
vii. Periodic stress tests are performed on critical risks and the impact of risks are assessed based on acceptable tolerances.
viii. Based on the management of the risk level as defined by respective risk metric of CXOs, necessary corrective actions must be taken to address any shortcomings. The output of the risk level shall be an indicator of the performance of the respective CXOs and shall form one of the inputs for their performance review.

1.3.4.2 Recommendatory Elements

i. There should be independent testing and verification of efficacy of corporate governance standards and business line compliances, validation of the RMF and assurance over the risk management processes by external agency.

1.4 Reporting of Risks and Related Information

1.4.1 Adequate risk reporting is an integral part of the risk management framework and it is important that those responsible for different functions within the AMC shall ensure that they exercise sufficient oversight to report on their risk profile and risk management actions.

1.4.2 The mandatory elements for reporting of risk and related information, are outlined below:

1.4.2.1 Mandatory Elements

i. In order to ensure that the risk management function obtains the necessary information from other departments as well as from outsourcing partners (wherever applicable), a structured bottom-up reporting process should be designed and the risk management function should perform meaningful and independent analysis of such information.
ii. The outcomes of the risk management function should mandatorily be reported to the management at least once on a monthly basis and to the Board of AMC and Trustees on a quarterly basis. Trustees may forward the results and steps taken to mitigate the risk along with their comments to SEBI in the half-yearly trustee reports.
iii. Risk reports should consider the following:
a. It should be holistic (considering all risk categories identified), timely and accurate.
b. It should incorporate the risk metrics comprising the risk profile of all schemes and the risk profile consolidated across the departments and the AMC level. It should also incorporate the rectification index as calculated in the internal audit report for both the AMC and the scheme level.
c. It should contain all necessary information to assess whether appropriate measures have been taken by the management to control and mitigate all relevant risks.
d. It should provide information on existing as well as new risks including a statement on severity (e.g. low, medium, high) and its evolution over time, and the measures to mitigate existing risks where possible.
iv. The Risk management function shall ensure that any significant emerging risk issues that are not adequately addressed by the responsible functional department are promptly reported to the management or the risk management team and to the Board of AMC.

2.0 Managing Key Risks

a. SEBI (Mutual Funds) Regulations, 1996 vide various circulars has prescribed certain norms which would cover many aspects of risk management such as, stress testing, internal credit risk assessment, cyber security and system audit, liquidity buffer, creation of segregated portfolio, investment restrictions, investment due diligence, etc. that are to be adhered to by the mutual funds. The following sections incorporate comprehensive guidelines for management of various key risks by the AMCs, elements of which may overlap with the above mentioned norms and in such cases, the detailed norms specified in the relevant circular must be strictly followed.
b. These key risks may be divided into two broad categories.
i. Scheme specific risks
ii. AMC specific risks
c. The scheme specific risks are the risks majorly associated with the core activities of investment and portfolio management. The AMC specific risks are the risks associated with the functioning of the mutual fund business by the AMC.
d. The scheme specific risks may be divided into the following categories.
i. Investment risk
ii. Credit risk
iii. Liquidity risk and
iv. Governance risk

The AMC specific risks may be divided into the following categories.
i. Operational Risk
ii. Technology, Information Security and Cyber Risk
iii. Reputation and Conduct Risks
iv. Outsourcing Risk
v. Sales and Distribution Risk
vi. Financial Reporting Risk
vii. Legal & Tax Risks and
viii. Talent Risk

The compliance risk shall be applicable for both investment management activity (scheme specific risk) and business activity of AMC (AMC specific risk). The following sections incorporate comprehensive guidelines for management of the key risks.

2.1 Investment Risk

2.1.1 Investment risk can be defined as the probability or likelihood of occurrence of losses relative to the expected return on any particular investment.
2.1.2 Investment risk management should be based on reasonable investor expectations about the risks that the mutual fund will take in order to achieve its investment objectives, which can be thought of as the fund s risk profile or risk appetite. A fund's risk profile should be stated in its communications with investors including in its Scheme Information Document (SID) and marketing materials, which state the fund's investment strategies and risk factors. The SID shall also incorporate any other elements of risk appetite as may be stipulated by AMCs and Trustees. 2.1.3 Investment risk management should involve both controlling risk by limiting certain risk exposures and the size probability of losses, as well as using a number of active investment techniques that seek to align the fund s investments with its investment objectives, its risk profile, and the portfolio manager's investment convictions. 2.1.4 Risk control should focus on placing limits on a fund s investment positions and concentrations. These limits should include the investment restrictions mentioned in the fund s SID as well as any limits and restrictions imposed by the risk management function within the regulatory limits. Risk control activities may include reviewing portfolio concentrations and adjusting portfolio holdings accordingly; evaluating and reviewing new and/or complex instruments, such as derivatives, and imposing conditions and limits on their use; monitoring and limiting credit exposure from issuers of portfolio securities and from counterparties; and ensuring that a fund is managed in compliance with the SID and the regulatory investment restrictions. 2.1.5 The mandatory and recommendatory elements for managing investment risk, are outlined below: 2.1.5.1 Mandatory Elements i. The AMC should have the following policies / process: a. An investment universe to be updated periodically and responsibility for the same should be clearly defined. b. 
An investment policy for investment in various asset classes/ securities as permitted by SEBI from time to time and policy on hedging of interest rate risk, foreign exchange risk, price risk, etc. c. Policy on participation in IPOs/FPOs including policy on participation in IPOs/FPOs of associate/ group company(ies). d. Trade execution policy. e. Policy on trade allocation and Inter-Scheme Transfers (ISTs). f. Investment valuation policy. g. Broker empanelment policy. h. Trustee should review the portfolio at frequency as required by SEBI Regulations. ii. The AMC must ensure that investment risk is adequately factored in by: a. Setting up an Investment committee which has close coordination with related departments, and monitors market risk. b. Setting limits for issuer/ sector exposure vis-a-vis benchmark (in line with MF Regulations and internal limits). c. Setting limits for investment in debt and money market instruments of various credit qualities. d. Having all relevant documents and disclosures (that are required for listing) with regard to the debt and money market instruments before finalizing the deal for investment into the respective instruments so that mutual funds as investors into such instruments are not at an informational disadvantage vis-a-vis other market participants or lenders. e. Review of passive breaches and corrective actions. iii. Investment Committee shall be responsible for the following: a. Review of Investment Policy at a pre-defined frequency. b. Reviewing the Investment plan or policy to meet the investment objectives documented in the SID. c. Any other responsibility as assigned by the management. iv. The AMC should conduct the following to manage and monitor investment risks (at scheme level or aggregate portfolio level, whichever is applicable): a. Redemption analysis. b. Investor concentration analysis. Both single investor and/or group concentration. c. Monitor investment risk at a defined frequency. d. 
Managing and monitoring investment restrictions for overseas investment, if any. e. Monitor investment risk at individual portfolio level and also concentration risk and other relevant risks at aggregate level in a structured manner. f. Stress testing for investment risk. g. Consider investment risk while launching new products. h. Ensure that Trade Allocation policy is adhered to along with adequate information to identify those allocations that are out of line with the normal percentage allocation across funds. i. Quantitative risk analysis using metrics such as VaR, Sharpe Ratio, Treynor Ratio, Information Ratio, etc. j. Prepare and maintain management reports on topics discussed and conclusions made at investment committee meetings (including interest rate prospects, risk-taking and hedging policy, etc.) k. Distributor concentration analysis. v. Further, it should be ensured that: a. Actual risk measures and reports are adapted to the risk characteristics of the individual asset classes, and capture dependencies between risks (e.g. market risk and liquidity risk). b. Actual risk measures address risks in normal and stressed market conditions. c. Actual risk measures cover all risk types in the portfolio, including counterparty credit and liquidity risks (assets, investors). d. Appropriate tools are adopted for measurement of market and credit risks on different types of investment products. e. Adequate processes and controls are in place to ensure that risk reporting is complete, accurate, timely and meets the needs of various stakeholders. f. Adequate documentation of calculations, analyses and decisions is maintained. g. Performance and positions with regard to objectives of schemes are reviewed. h. Performance vis-a-vis scheme benchmarks and performance of peer group(s) is reviewed. i. Exceptions are defined and their monitoring is conducted. j. Exceptions in style drift and portfolio concentration are reviewed. k. 
In cases of inter scheme transfer, the scheme(s) buying the securities must conduct an enhanced level of due diligence. 2.1.5.2 Recommendatory Elements The AMCs may consider the following practices: a. Regular analysis on bulk trades and block deals of large values. b. Formulating a plan for assessing and monitoring risks of investing in multiple markets. c. Setting limits for minimum number of stocks/securities, cash (net of derivatives), stocks/securities vis-a-vis benchmark and Beta range. 2.2 Credit Risk 2.2.1 The credit risk relevant to mutual funds is the issuer credit risk attributable to individual securities and the negative outlook on specific sectors or industries and its consequent impact on the credit exposures. 2.2.2 The mandatory and recommendatory elements for managing credit risk, are outlined below: 2.2.2.1 Mandatory Elements i. To manage credit risk, the AMC must have a robust framework comprising: a. An approved and documented Credit Risk Management policy. b. Analysis and evaluation of ratings received from multiple credit rating agencies for securities across portfolios, at all points of time i.e. before investing in such securities/instruments or products and also on continuous basis. c. Formal procedure for AMCs to carry out their own credit assessment of assets and reduce reliance on credit rating agencies. For this purpose, all AMCs shall have an appropriate policy and system in place to conduct an in-house credit risk assessment or due diligence of debt and money market instruments or products at all points of time i.e. before investing in such instruments or products and also on continuous basis. d. Adequate provisions to generate early warning signals (including yield based alerts) on deterioration of credit profile of the issuer. Based on the alerts generated, the AMCs shall take appropriate measures and report the same to trustees. e. 
Concentration limits (counterparty wise, group wise, industry or sector wise, geography wise) monitoring. f. Stress testing for credit risk - applying shocks based on rating downgrades, negative outlook on specific industries and the consequent impact on credit exposures. 2.2.2.2 Recommendatory Elements i. Over a period of time and having regard to the size, scale and complexity of the fixed income portfolio, AMCs may consider developing sector level standards for implementing internal credit assessment based models to measure credit risk in line with the prevailing global best practices. 2.3 Liquidity Risk 2.3.1 Thinly traded securities carry the danger of not being easily saleable at or near their real values. Further, all securities run the risk of not being saleable in tight market conditions at or near their real values. Measuring and monitoring liquidity risk is an important aspect of risk management. 2.3.2 The mandatory and recommendatory elements for managing liquidity risk, are outlined below: 2.3.2.1 Mandatory Elements i. Liquidity Risk has to be modelled at the level of each scheme (except schemes that do not have continuous liquidity requirements like close ended and interval schemes) and should display alerts pertaining to asset liability mis-match on monthly basis and in line with any other relevant guidelines as specified by SEBI in this regard from time to time. The aforesaid model, should be based on the following key principles: a. The secondary market liquidity of assets of the scheme, shall be incorporated into the liquidity risk management model. b. For debt and money market instruments, the total asset value shall be classified in various maturity buckets for e.g. assets maturing in days 0-30, 30-60, 60-90 and so on. 
Debt and money market instruments that have a demonstrable secondary market liquidity shall be classified into a lesser maturity bucket depending upon the reasonable time in which particular value of the said instrument can be expected to be offloaded. In the absence of demonstrable secondary market liquidity, the instruments shall be strictly classified based only on the maturity dates. c. Liabilities of scheme shall be modelled in similar buckets based on back testing of historical data for subscription and redemption amounts in the respective schemes. The back testing period should be sufficiently long (say for last 5 years) to include spikes in redemptions because of market wide events. Organization specific factors/risks that may have a bearing on redemptions should also be factored into the model. d. Liquidation of assets at near the value ascribed to each asset in the scheme portfolio in specified period of time, shall be one of the factors to be considered in liquidity risk management. e. The model should incorporate forward looking asset liability mis-match for the scheme at different periods of time at least up to next 30 days. ii. The AMC should have policy in place on management of the mis-match in putative liabilities vis-a-vis the liquid assets of each scheme. It should follow the following principles: a. There should be an upper limit or threshold on the mis-match in putative liabilities vis-a-vis the liquid assets of each scheme. The upper limit shall be customized depending on size or type of the scheme. b. There should be a system based mechanism to generate alerts as per point-(a) above. c. The policy shall include monthly reporting to Board of AMC and Trustees and on quarterly basis to SEBI in a standard format (to be prescribed by AMFI in consultation with SEBI). d. 
The report shall include the details of alerts generated by the system regarding asset liability mis-match in excess of the defined threshold and subsequent actions taken to address the same. The scheme wise mis-match limits shall be put in the system and all alerts shall be managed effectively. iii. Stress testing should be mandatorily conducted for all schemes (excluding close ended and interval schemes) appropriately at least on monthly basis. The results of the stress testing may be placed before trustees in every quarter. Trustees may forward the results along with their comments and steps taken, if any, to SEBI in the half-yearly trustee reports. With respect to stress testing of open ended debt schemes, norms have been provided vide SEBI circular No. CIR/IMD/DF/03/2015 dated April 30, 2015 and SEBI circular No. SEBI/HO/IMD/DF3/CIR/P/2020/229 dated November 6, 2020 and the same must be adhered to and any future guidelines issued by SEBI in this regard may suitably be followed. iv. The policies and procedures implemented by the AMC should include the following: a. Measures and limits for monitoring liquidity risk - cash flow approaches, ratios/tools for monitoring market liquidity (including equity market), etc. b. Measures for managing intra-day liquidity and controls around the same. c. Stress testing policy to align the stress testing requirements mandated by SEBI for mutual funds in India specifically incorporating: 1. Risk parameters used and methodology adopted to conduct the stress tests. 2. Procedure to deal with stress events and early warning signals. d. Overview of funding plans/strategy during normal and stressed events, including contingency funding plan. v. Systematic classification and evaluation of liquidity risks should be initiated by performing following activities: a. Evaluation and disclosure of liquidity risk associated with schemes/products in the SID. b. Controls around preparation and accuracy of cash flows. c. 
Management of collateral and margins for execution and settlement of derivatives, securities and money-market instruments. 2.3.2.2 Recommendatory Elements i. AMCs may consider introducing the following measures: a. Judicious use of intraday / overnight borrowing lines to address liquidity / settlement risks faced by the mutual funds. Uncommitted lines of credit available with the AMC may not be useful in real time of stress and therefore while assessing liquidity risk of AMC, these lines should be treated differently than committed lines. b. Internal committee with the mandate to review and provide direction on liquidity risk management. c. Identifying and reporting appropriate and relevant information to the management, for decision making. d. Reporting to the Board of AMC on any other material outcomes and events. 2.4 Governance Risk 2.4.1 Governance risk is a risk that the persons who are in position of power or fiduciary responsibility towards the holders of security (equity/debt), do not act in the best interest of such stakeholders, rather compromise the interest of such stakeholders for their personal gain. 2.4.2 The act of people with power may significantly impact the equity market price of the shares along with having a direct impact on debt issuances. 2.4.2.1 Mandatory Elements a. The AMC shall have an approved policy to deal with governance risk of the investee companies. b. The policy shall incorporate measures such as assessment of whether there are enough system checks and balances in the governance structure of the issuer to prevent such wrong doing and also assessment of track record or history of the issuer to monitor the trend of their past behavior. c. The policy shall also include guidelines on how it identifies and monitors any conflicts of interest involving members of the Board/ KMPs of the investee company. d. 
The AMC shall adhere to the Stewardship Code prescribed by SEBI for mutual funds which inter alia includes continuous monitoring of the investee companies on various matters such as operational and financial performance, corporate governance, related party transactions, opportunities or risks including ESG risks, etc., bearing in mind the insider trading Regulation while seeking information from the investee company for the purpose of monitoring etc. 2.5 Operational Risk 2.5.1 Operational risk refers to the risk of loss resulting from inadequate or failed processes, people and systems or from external events, e.g. internal fraud, external fraud, physical damage caused by nature or man-made, etc. 2.5.2 As operational risk could manifest in any function or process within the organization or at a third party service provider, it is important to have adequate monitoring and tracking of all elements that can go wrong. This includes fails, reconciliation differences, customer complaints, guideline breaches, systems issues, process gaps, system bugs, etc. It is equally important to have an escalation process as any undue delay in reporting could magnify the loss or turn a gain into a loss. 2.5.3 The key for effective operational risk management should be to create a process that tracks the various elements of operational risk over time, to identify trends that could be an early warning signal, and to implement an exception/escalation process that ensures the problems which are significant, large, aged or growing are dealt with at increasingly higher levels of management. 2.5.4 SEBI vide circular SEBI/HO/IMD/DF2/CIR/P/2019/57, dated April 11, 2019 has provided indicative guidelines encompassing system audit framework. The systems and processes as elaborated in the aforementioned circulars must be in place and any future guidelines issued by SEBI in this regard may be suitably followed. 
2.5.5 The mandatory elements for managing operational risk, are outlined below: 2.5.5.1 Mandatory Elements i. The AMC should implement the following policies: a. Operational risk management policy, shall cover the following key elements: 1. Purpose and scope. 2. Governance Structure - Roles and Responsibilities. 3. Identification of operational risk events. 4. Management of the operational risk events, e.g. reversal of positions, rectifications, etc. 5. Guidelines regarding transactions with associates, group entities, related parties or even with other stakeholders, such as distributors, channel partners, brokers, etc. 6. Escalation and reporting. 7. Compensation of loss, if any. 8. Follow-up actions, e.g. strengthening of systems and processes, training, etc. 9. Communication with external stakeholders - regulators, investors, distributors, etc. 10. Implementation of a 'new product approval' process to ensure that all functions have the systems, people, processes to support a new product. 11. Recording and documentation. b. The Dealing room policy incorporating the non-usage of mobile, restricted internet access, dedicated recorded lines, handling of information, etc. In this regard, the detailed guidelines on this aspect as provided in SEBI circular SEBI/HO/IMD/DF2/CIR/P/2020/175 dated September 17, 2020 as well as in the part B of Fifth Schedule of SEBI (Mutual Funds) Regulations, 1996 or any further SEBI guidelines may be referred to. c. Roles and responsibilities are defined for the following: 1. Time stamping, application processing and confirmation, 2. Review of KYC and investor declarations as specified through various SEBI regulations, 3. Timely and accurate credit identification (for investor subscription) and bank reconciliations (banks/custody). 4. A system to track and report high value transactions (including bulk redemptions) to the Investment management function. 5. 
Control oversight on brokerage computation and payment, redemptions, inter-scheme switches, maturity payments in closed ended funds, dividend payouts, tax and other statutory payments, subscription refunds, identification of unclaimed amounts and their deployment as per regulatory requirements, etc. 6. Review of value dated transactions, reversals, broker/ distributor code changes, etc. 7. Incident reporting and escalation matrix for the same. 8. Maintaining a Chinese wall between the different businesses carried out by the Asset Management Company (such as PMS, AIF, Overseas Investments, Advisory, Mutual Funds, etc.) 9. Documented process to review human errors in transaction processing to identify training needs and corrective actions to prevent the errors in the future. d. There is an adequate RCSA process for operational risks on a periodic basis with a structured reporting methodology. e. The AMC should perform the following: 1. Analyze and classify frauds into internal (within the organization) and external (by persons outside the organization) frauds, identify root causes and incorporate monitoring mechanisms to address fraud scenarios. 2. Reporting of frauds and near miss incidents to the Board of AMC and Trustees on quarterly basis. f. Insurance cover shall be obtained for first and third party losses: 1. The mutual fund must have insurance cover against third party losses arising from errors and omissions: (a) Third party liabilities refer to liabilities arising out of financial loss to investors or any other third party, incurred due to errors and omissions of directors, officers, employees, trustees, R&T agents, custodians etc. (b) The level and type of cover should be recommended by the AMC and approved by the Trustees. 2. Further, the AMC shall have insurance to cover first party losses: (a) First party losses are those which impact the insured and include asset based losses (due to natural or unnatural disasters such as fire, flood, burglary, etc.) 
as well as financial or data losses. (b) They also include losses due to the acts of employees of the insured and computer based crimes such as hacking or virus attacks that may impact the data of the mutual fund, etc. (c) Key details of the same, together with claims thereunder, shall be annually reported to the Trustees. g. The AMC should have an integrated system (front-mid-back) to perform the following functions: 1. Order generation 2. Position-keeping (Positions on all supported products are updated in real time). Trades can be accounted for by an electronic feed. 3. Pre-trade compliance checks 4. Order execution 5. Deal booking 6. Straight-through processing to allow one-time capture of trade details. 7. System check on preset parameters and reporting of breaches e.g. whether investments made in permitted securities or limits on deal size, etc. have been adhered. 8. Automatic time-stamping of deals. 9. Maker-checker authorisations. 10. Exception reporting. 11. Generation of deal confirmations. 12. Monitoring of outstanding confirmations, settlements and payments. 13. Cash management. 14. Integrated reporting across the Mutual Fund. 15. The back office system should facilitate daily fund projections to ascertain liquidity and settlement requirements. h. The AMC should have documented procedures for the following: 1. Trade confirmations, settlements. 2. Cash flow Management. 3. Collateral Management. 4. Corporate Actions. 5. Margin Management. 6. Security Master Creation. 7. Pricing and Valuation. 8. Corporate action tracking and accounting. 9. Oversight on Service Providers Custodians, Fund Administrators - SLA tracking, Parallel Valuation and calculation of NAV. The oversight over custodians shall inter alia include, receipt of daily position report from custodian, end of day reconciliation of positions with custodian data and once a week complete reconciliation of fund accounting system records with custodian records. i. 
The AMC may implement the following depending upon the scale and complexity of business: a. Documenting a Fraud Response Plan and reporting of near miss incidents. b. Developing Fraud Risk scenarios and updating with changing business dynamics, documentation thereof being maintained in appropriately designed and updated Fraud Risk Registers (capturing details such as past fraud incidents). c. Using data analytics as a key tool for identifying fraud patterns and indicators. d. Conducting a 'fraud control and reporting' training program. 2.6 Compliance Risk 2.6.1 Failure by the AMC to meet its regulatory obligations or manage changes in legal statutory and regulatory requirements may result in investigations, fines, financial forfeiture, or regulatory sanctions and material loss to investors and the organization. 2.6.2 The mandatory and recommendatory elements for managing compliance risk, are outlined below: 2.6.2.1 Mandatory Elements i. The AMC shall establish and maintain policies as required by applicable statutes and regulations, including policies to address the following: a. Know Your Client (KYC), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) b. Outsourcing c. Customer Complaints Investor Grievance Should inter alia include details of adherence to SEBI regulations with regard to investor servicing and complaint resolution, tracking complaint resolution, update of complaint log and forwarding of complaints and the Management Information System (MIS) to compliance officer, complaint resolution process being reviewed by compliance officer. The compliance officer shall review the complaints with an objective to catch early warning signs for fraud or any systemic issues. d. Related Party Transactions. e. Front running f. Conflict of Interest. g. Employee Trading (including issues related to Insider Trading). h. Code of Conducts. i. Commission and other sales marketing costs. j. Commercial Bribes or Kickbacks. k. Fraud Risk Management l. 
Whistle Blowing m. Information Security and Data Privacy n. Gifts and Entertainment o. Record Retention p. Dealing Room Policy q. All disclosure requirements (including derivative transactions, off balance sheet items and contingent liabilities, etc.). ii. There should be defined responsibilities for: a. Filing of timely and accurate regulatory reports to the Regulator(s) and Board of AMC and Trustees as prescribed by the applicable laws and regulations. b. Pre-use review of AMC's marketing materials (collateral, brochures etc.), website uploads, digital advertising and performance advertising etc. c. Monitoring that all investments and holdings are consistent with disclosures made to clients and applicable restrictions. d. Mechanism for prevention or detection of possible insider trading at the personnel or portfolio levels. e. Review for adequacy of disclosures made to the investors regarding significant risks such as liquidity, counterparty and credit (quality of investments made mainly debt based on the credit rating), investment, and other risk areas. f. Measures to prevent and detect trading violations involving short selling. g. Maintenance of all required licenses, registrations, approvals and permissions. iii. AMCs should have an Anti-Money Laundering/Combating Financing of Terrorism (AML/CFT) program with the following attributes: a. Employees understand obligations and contents of policies to effectively carry out their AML/CFT responsibilities. b. Transaction Monitoring is done to identify Suspicious Activities. c. Suspicious Transactions Reporting is done to the relevant authorities. d. Adequate training programs to ensure employees are constantly aware of money laundering/financing of terrorism risks and measures (focus on their roles and responsibilities). iv. AMCs should have systems in place to detect and prevent securities market violations including securities market frauds and malpractices at their end: a. 
A report containing details of the alerts generated and the subsequent actions taken in this regard should be submitted to trustees on a quarterly basis. b. Trustees may forward the results along with their comments and steps taken, if any, to SEBI in the half-yearly trustee reports. 2.6.2.2 Recommendatory Elements i. The following policies may be incorporated by the AMCs depending on complexity and scale of operations: a. Political Contributions. b. Outside business activity policy. ii. The AML/CFT program of the AMCs may include the following depending on the size and scale: a. Investor awareness programs (literature or pamphlets or such) to educate clients about the AMC's AML/CFT obligations. b. Review of client risk scoring model to ensure effectiveness of the AML/CFT program. c. Independent or External review of AML/CFT policies to ensure their effectiveness. 2.7 Technology, Information Security and Cyber Risk 2.7.1 Given the huge dependence on technology, any system failure could trigger a variety of risks, e.g. operational risk, compliance risk, etc. Technology Operations should support processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. 2.7.2 Increasing disclosure requirements on public portals by AMCs required a focused approach towards data management. Digitalization and online platforms have given rise to need for effectively mitigating information security and cyber risks. SEBI vide circulars, SEBI/HO/IMD/DF2/CIR/P/2019/12, SEBI/HO/IMD/DF2/CIR/P/2019/57, SEBI/HO/IMD/DF2/CIR/P/2019/58 dated January 10, 2019, April 11, 2019 and April 11, 2019 respectively has provided indicative guidelines encompassing cyber security and cyber resilience framework and audit framework encompassing systems and processes for Mutual Funds/AMCs. 
The systems and processes as elaborated in the aforementioned circulars must be in place and any future guidelines issued by SEBI in this regard may be suitably followed. 2.8 Reputation and Conduct Risks 2.8.1 The risk of damage to the firm's reputation that could lead to negative publicity, costly litigation, a decline in the customer base or the exit of key employees and therefore, directly or indirectly, financial loss or revenue shrinkage. 2.8.2 Conduct risk is often defined as the risk to the delivery of fair customer outcomes or to market integrity. 2.8.3 The mandatory and recommendatory elements for managing reputation and conduct risk are outlined below: 2.8.3.1 Mandatory Elements i. The management must look into reputation and conduct risks and inculcate their significance in the AMC culture by, a. Integrating reputation and conduct risk considerations into strategy-setting and business planning. b. Establishing a crisis management policy (to minimize or neutralize negative publicity in the event of any incident or bad conduct by an employee). c. Establishing monitoring tool(s) for social media grievances, etc. ii. The Board of AMC should approve and monitor the effectiveness of implementation of an enforceable code of ethics and business conduct; in the event of a material breach in conduct or a significant reputation risk event, the Board of AMC should be informed. iii. The following practices must be adopted by the AMC: a. While designing or improving the products, the complexity of the product and consumer behaviors must be considered. b. Impact assessment should be undertaken for sales and promotion expenses (i.e. evaluation of value added v/s cost incurred) using appropriate techniques, e.g. analysis of complaints, compliance monitoring program, data analytics, mystery shopping, etc. c. Preventive measures and monitoring mechanism should be implemented to mitigate mis-selling risks. 2.8.3.2 Recommendatory Elements i. AMCs may consider adopting: a. 
Reputation risk policy. b. Media interaction policy and procedures c. Assessment and management of reputation via brand management tools, data analytics, business intelligence. d. Framework / Process to review and action any negative mention in traditional or social media. e. Procedures to monitor reputation risk on an ongoing basis. ii. The management may be involved in increasing awareness about conduct risk within the AMCs by: a. Conducting training programs for conduct risk awareness. b. Monitoring conduct risk indicators. c. Incorporating conduct performance as part of the AMC's sales and marketing team metrics. 2.9 Outsourcing Risk 2.9.1 Inadequate management of outsourced processes leads to errors, frauds, inefficiencies, poor quality investor services, breach of fiduciary duties, data pilferages and long term impact on reputation and contractual obligations. 2.9.2 Asset management companies often rely on third parties including Custodians, Fund Administrators, R&T agents, and various types of outsourced service providers who perform operational, accounting, recordkeeping and other types of services. In utilizing the services of such third parties, it is important from a risk management perspective to keep in mind that asset managers have ongoing fiduciary obligations to their customers even though they have delegated certain of their roles to others. It is therefore critical to perform careful reviews of the capabilities of third parties at inception of relationships and on an ongoing basis, and to review information provided by third parties for completeness, balance and accuracy in order to be able to determine whether such third parties meet the risk management, credit, operational, legal and other relevant standards of the reviewing company with respect to the function they are performing. 2.9.3 The mandatory and recommendatory elements for managing Outsourcing risk, are outlined below: 2.9.3.1 Mandatory Elements i. 
Risk management with respect to any outsourced activity should be done in the manner as if the activities were being done in-house. ii. There shall be a dedicated person in the AMC who would be responsible for the outsourced activities of each outsourced vendor. iii. The AMC should have a Board approved Outsourcing Policy incorporating the following aspects (as well as other applicable regulatory requirements): a. Listing of core activities which cannot be outsourced. b. Procedure for outsourcing, including risk and materiality assessment. c. Monitoring and control of outsourced activities (as part of outsourcing risk management program). d. Information security and confidentiality (including data privacy/ protection standards). e. Criteria for selection and minimum qualification. f. Minimum quality standards. g. Tenure of agreement. h. Responsibility for outsourced functions. i. Acceptable level of deviations. j. Periodic review of service levels and pricing. k. Restriction on sub-delegation or sub-contracting. l. Right for inspection and audit. m. Approval authorities. n. Service level agreement. o. Archival and retrieval of documents/data. p. Insurance requirements. q. Incident reporting and escalation matrix. iv. Before outsourcing any activity, the AMC should ensure the following is in place: a. Outsourcing agreements with service provider are legal and binding as per the law. b. Due diligence (including AML/CFT, if applicable) is conducted on the service provider, where the outsourced activity is material, which may include the following considerations: 1. Availability of qualified and experienced service providers to perform the service on an ongoing basis 2. Arrangements for structured review of the capability and experience of service providers 3. Evaluation of relevant personnel for critical functions, to evaluate their specific competencies and execution capabilities 4. 
A disaster recovery and business continuity plan exists with regard to the contracted services and products, and that the adequacy and effectiveness of the same is maintained and tested periodically by the service provider. c. Analysis of the benefits and risks of outsourcing the proposed activity as well as the service provider risk, and determination of the cost implications for establishing the outsourcing arrangement. v. After outsourcing any activity, the AMC shall ensure: a. Outsourcing vendor's process/people/systems are reviewed. b. A periodic internal review is done on the functioning of outsourced activities (like Fund Accounting and R&T agent functions) at least annually. c. An effective structured tool (IT / manual) is used to review/benchmark the performance of the third party service providers (Fund Administrators / Custodians / R&T agents) vis-a-vis the SLA. d. The result of the review is documented and risks emanating from them are highlighted and remediation plans are monitored on an ongoing basis. e. Communication of its error tolerance, code of conduct and objective to its third party service providers (Fund Administrators / Custodians / R&T agents). f. The service provider should test business continuity and contingency plan on a periodic basis to ensure adequacy and effectiveness. vi. The Mutual Fund should establish reconciliation procedures with regard to periodic reconciliation between fund accounting system, R&T system and bank account and conduct a periodic audit of all investor-related activities, carried out both by the Mutual Fund and the R&T agent, to ensure that all allotments, redemptions, income distributions and commission distributions have been accurate and timely. vii. The Mutual Fund should ensure that the fund accounting systems used (in-house or by the fund accountant to whom this activity has been outsourced) facilitate: a. Validation of NAV calculations. b. Automated and manual price feeds. c. Identification of missing prices. 
d. Flagging of price variances beyond pre-established tolerance levels. 2.9.3.2 Recommendatory Elements i. To enhance protection over outsourcing risk, AMCs may include the following as part of their evaluation / monitoring program: a. Consider fraud vulnerabilities in the outsourced process, including: 1. Detailed periodic fraud risk assessment program 2. Fraud response plan 3. Fraud risk register 4. Reporting to the AMC's Board b. Maintain an exit strategy including a pool of comparable service providers, in the event that a contracted service provider is unable to perform or in the event of a critical fraud. 2.10 Sales and Distribution Risk 2.10.1 As most AMCs outsource or use other channels for distributing products, such as banks, IAs, brokers, NBFCs, Distributors, etc., there is a need for monitoring risks associated with managing distribution channels and processes, commission pay-outs, brokerage disbursements, sales expenses, etc. 2.10.2 The mandatory and recommendatory elements for managing sales and distribution risk are outlined below: 2.10.2.1 Mandatory Elements i. The KRA/performance appraisal at the relevant CXO level must capture the performance in managing the risk of mis-selling. The risk of mis-selling may incorporate the components like the number of mis-sellings, outcomes in the inspection report, analysis of the portfolio of investors, analysis based on assessment of appropriateness to the investors, etc. As an example, a parameter to gauge mis-selling may be the analysis of whether growth in the AUM of a scheme is on account of performance or mainly due to higher commission paid to distributor. ii. The AMC shall also be responsible for the mis-selling done by the persons associated with selling of mutual funds including distributors. The performance disclosure to investors, if any, by the distributors should be true and fair. 
It should not be misleading to the investor by representing any selective time period representing the favorable return. iii. Detailed analysis should be done at the AMC level to verify mis-sellings, if any. iv. All the sales staff and distributors must be NISM certified with the required qualifications prescribed by SEBI/AMFI. v. The AMC must implement the following procedures relating to distributor commissions: a. Analytical tools/ audit procedures used to review trends/errors in brokerage/ commission disbursements. b. An approved methodology for determining commission structures applicable to distributors / products, together with an authorization matrix for approving deviations and reporting cost-benefit outcome. c. Ensuring that commissions and other payments made to distributors adhere to AMFI and regulatory requirements. vi. Conducting regular performance reviews for distributors. vii. Conducting enhanced due diligence of distributors where appropriate (suitable policy to be incorporated). 2.10.2.2 Recommendatory Elements i. Distribution risks can be further monitored by: a. Monitoring marketing, sales and promotional expenses which includes the nature of expenses and approval matrix for the expenses. b. Monitoring and reporting the cost-benefit outcome of the marketing, sales and promotional expenses. c. Undertaking mystery shopping. d. Claw back provisions in the commission structures to provide adequate protection from continuous services to the investors. 2.11 Financial Reporting Risk 2.11.1 Absence of internal control over financial reporting with regard to the mutual fund schemes may pose the following risks: i. Improper maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets. ii. 
Absence of reasonable assurance that transactions are recorded as necessary to permit calculation of NAV and preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures are being made only in accordance with authorizations of the management and the Board. iii. Failure to prevent or timely detect unauthorized acquisition, use, or disposition of assets that could have a material effect on the NAV and/or financial statements. 2.11.2 The mandatory elements for managing financial reporting risk are outlined below: 2.11.2.1 Mandatory Elements i. The AMC should have detailed accounting policies and procedures for Mutual Fund accounting. ii. Adequate segregation of duties must be created within the Finance (or relevant) function for Mutual Fund accounting. iii. There should be documentation and regular testing of internal controls over financial reporting of Mutual Fund schemes. 2.12 Legal & Tax Risks 2.12.1 Legal & Tax risk is the risk of loss to an institution which is primarily caused by: i. A defective transaction. ii. A claim (including a defense to a claim or a counterclaim) being made or some other event occurring which results in a liability for the institution or other loss (for example, as a result of the termination of a contract). iii. Failing to take appropriate measures to protect assets (for example, intellectual property) owned by the institution. iv. Change in law. v. Misinterpretation of statutes and regulations. vi. Failure to collect or pay appropriate taxes, or submit required returns or information. 2.12.2 The mandatory elements for managing legal and tax risk are outlined below: 2.12.2.1 Mandatory Elements i. The AMC should have documented processes and defined responsibilities for: a. Calculation and deposit of statutory levies applicable to Mutual Funds. b. Acceptance of applications from permitted jurisdictions. c. 
Monitoring of risks emanating from tax related aspects and their redressal. d. Implementation of new and amended statutory and regulatory requirements. ii. To mitigate legal risks, the AMC should have documented processes and defined responsibilities for: a. Review of material agreements. b. Authorized personnel for execution and registration of legal agreements and documents. c. Centralized register of all legal agreements. d. Archival of physical and electronic versions of all legal agreements and documents. 2.13 Talent Risk 2.13.1 Talent risk is the risk of not having the right people in place at the right time to drive current and future business growth. 2.13.2 The mandatory and recommendatory elements for managing talent risk are outlined below: 2.13.2.1 Mandatory Elements i. With respect to talent risk, there should be proper succession planning for identified key positions. At no point of time the AMC is deprived of the services of any Key Managerial Person. ii. The AMC should have adequately documented policies and procedures for: a. Recruiting staff with appropriate experience, skill levels, and degree of expertise to undertake specialized business operations, in particular, those relating to risk management. b. Employing screening procedures, including background checks, for job applicants, particularly for key positions. c. Creation of policies for recruiting, retaining and remunerating staff, especially for key personnel. d. Evaluation of the candidate's capability and experience to manage the risks associated with the concerned role should be a key element of the recruitment process. e. Adequate back-ups for key people are present. 2.13.2.2 Recommendatory Elements i. AMCs may implement a remuneration policy that prevents excessive risk taking and also ensures retention of good talent. ii. 
A Remuneration Committee, comprising mainly of non-executive directors, may be established to review and recommend the policy relating to the remuneration of key management personnel, including the CEO, Fund Managers, etc.