CSSF ACTIVITY REPORT 2018
The CSSF issued its 2018 activity report (currently only in French) in July 2019. See : http://www.cssf.lu/…/Rapports…/Rapport_2018/CSSF_RA_2018.pdf There are some details on the “off-site surveillance” as well as on the “on-site surveillance”, which are quite interesting for management companies (IFMs), but maybe not surprising. Below is a loose, unofficial translation pertaining to page 79 of the report: Page 79: LA SURVEILLANCE DES GESTIONNAIRES DE FONDS D’INVESTISSEMENT ET DES OPC / SUPERVISION OF INVESTMENT FUND MANAGEMENT COMPANIES :
As part of the on-site controls dedicated to the governance of the IFMs, the CSSF noted shortcomings in the monitoring of the delegated activities, a theme already highlighted in the CSSF's previous Activity Reports in view of the recurrence of observations and to the importance of the subject. Weaknesses have been noted in the due diligence process, both during initia contact and on an ongoing basis. Indeed, it turns out that the due diligence reviews are sometimes incomplete, or even missing. In addition, certain due diligence procedures do not include an analysis of the results of the controls performed. When the activities are delegated to entities belonging to the same group, the CSSF noted a lack of involvement of the IFMs in the continuous monitoring of the delegates. However, the CSSF wishes to point out that in terms of supervision and monitoring of delegation, the rules do not differentiate according to whether or not the delegate is part of the group to which the IFM belongs. In addition, the frequency and information captured by KPIs are consistently inadequate for delegated activities. With regard to the internal audit function, the CSSF noted that the audit plan does not always cover all the functions of the IFMs and their subsidiaries and branches. Finally, the recommendations made by the internal auditor are not systematically followed up appropriately. The CSSF also noted that the updating of the IFM procedures manuals is not always adapted to the evolution of their activities and the regulations in force. In addition, it was noted that the management bodies of certain IFMs do not have management information enabling them to carry out their activities properly and do not record in writing the decisions taken on them. Finally, as regards the use of information technologies, the CSSF has noted weaknesses in the management of access rights and in the design and implementation of continuity plans, even though these help reduce the vulnerability of entities in the event of incidents or external computer attacks.