According to FINMA’s Guidance 02/2023 of 30 January 2023, a total of 1699 license applications had been received by the end of 2022. FINMA granted a license to 670 institutions (of which 642 are portfolio managers). 1060 institutions had informed FINMA that they would not apply for a license.
Portfolio managers who missed the deadline for submitting their application are obliged to cease the activities that require a license. Those who nevertheless continue to act as portfolio managers may face regulatory proceedings and penal sanctions. FINMA has already opened numerous investigations on suspicion of unauthorised portfolio management activity and has filed criminal charges in numerous cases.
Organisational requirements as the greatest challenge
Those portfolio managers who have submitted their application to FINMA on time but have not yet received a license must be prepared for a longer waiting period. As of 31 December 2022, over 1000 of these applications were still pending with FINMA for review. However, FINMA's processing time is also significantly influenced by the complexity of the application, or rather by the business activity and client structure of the portfolio manager.
The experience gained from license applications over the past two years has shown that FINMA has consistently pursued and applied its risk-based licensing approach. The higher the inherent risks of a business model are assessed to be, the higher the requirements for obtaining the license. This includes, among other things, an appropriate organisation, internal processes, directives, training requirements and the design of the risk and compliance function. The focus was increasingly on the provision under Art. 26 para. 2 FinIO, according to which the independence of risk management and internal control from the profit-oriented activity (asset management) is required if a portfolio manager has five or more full-time positions or annual gross revenues of more than CHF 2 million and a business model with increased risks.
It is important to note that FINMA is responsible for the interpretation of the term ‘business model with increased risks’. According to FINMA, risk-increasing factors are in particular the following: de minimis management of collective investment schemes (investment funds) or pension assets, involvement of foreign custodian banks, unlimited power of attorney on client accounts, acceptance of retrocessions, focus on volatile or risky assets (e.g. cryptocurrencies), or certain foreign client structures.
Various portfolio managers were required to adapt their organisation in order to ensure the independence of the control functions and their deputies. Larger companies (more than five employees) were often able to rely on internal resources, provided they had the necessary knowledge and experience in the area of risk and compliance. For smaller institutions, outsourcing of the risk and compliance function - or at least of the deputy function - was usually the obvious option. For this purpose, specialised external providers, sometimes also lawyers or fiduciaries with the corresponding know-how, were contracted.
Next milestone: First regulatory audit
Those portfolio managers who have already been approved have reached an important initial milestone by obtaining the FINMA license. One of the next important steps is the first regulatory audit under the new regime, in which an external auditing company will audit, in particular, compliance with the provisions of money laundering law and the FinSA requirements.
The audit will show whether the implemented controls and the system of directives stand up to the ‘everyday test’ and whether the requirements defined therein are actually practised in day-to-day business. A central aspect is the documentation of the controls carried out; the well-known audit principle applies: ‘If it is not documented, it is not done.’
It is therefore crucial for portfolio managers to document the controls they have carried out (e.g., annual re-approval of business relationships with increased risks, regular review of deviations in the portfolio from the investor profile, etc.) in such a way that a third party can form a reliable picture of compliance with the regulatory obligations. This also includes the reporting of the risk and compliance function to the management and/or the board of directors in the form of a written report at least once a year. It is advisable to integrate the defined controls as swiftly as possible, to train employees accordingly, and to create appropriate documentation bases.