Due Diligence: Asset Managers and Certification

Operational due diligence (ODD) is essential for investors worldwide to assess the reliability and integrity of asset managers. Certifications play a crucial role in this process, providing investors with a reliable basis to substantiate and validate their conclusions. While the core principles of ODD are universal, there are differences in the standards and frameworks used in Europe and the United States. This article compares the European and American approaches to certification by asset managers, focusing on financial reporting, non-financial information, and information security.

European Certifications and Standards

In Europe, asset managers often focus on international standards such as ISAE 3402 Type 2, which confirms the effectiveness of internal control systems for financial reporting and provides investors with assurance about the reliability of financial reports. Additionally, ISAE 3000 focuses on the assurance of non-financial information such as sustainability and regulatory compliance, addressing the growing demand from European investors for responsible and sustainable investments. The ISO/IEC 27001 and ISO/IEC 27002 standards provide a framework for information security management and specific security measures, which are crucial for protecting sensitive data and complying with stringent European data protection laws, offering investors peace of mind that their data is secure. Finally, ISO 22301, the standard for business continuity management, helps organizations prepare for operational disruptions, which is vital for the stability and continuity of financial services, providing investors with assurance that the manager has robust continuity plans in place.

American Certifications and Standards

In the United States, asset managers use several additional and alternative standards and frameworks, notably SSAE 18, under which SOC 1 and SOC 2 reports are issued; SOC 1 is the American counterpart to ISAE 3402. SOC 1 reports focus on internal controls relevant to financial reporting, while SOC 2 reports evaluate the effectiveness of controls related to security, availability, processing integrity, confidentiality, and privacy, which is particularly important for asset managers focusing on information security. The NIST Cybersecurity Framework provides detailed guidelines and best practices for managing cybersecurity risks and is flexible enough to be tailored to the specific needs of different organizations, making it valuable for US asset managers and assuring investors that the manager is adequately protected against cyber threats. FedRAMP, a key compliance framework for cloud service providers (CSPs) working with the US federal government, sets security requirements that, although specific to CSPs, indirectly indicate strict security standards that asset managers can consider, giving investors confidence in the robustness of the manager’s IT infrastructure. Lastly, the Cybersecurity Maturity Model Certification (CMMC), developed by the US Department of Defense, is relevant for organizations working with the department and emphasizes cybersecurity best practices, providing investors with validation that the manager adheres to the highest standards of cybersecurity.

Differences in Focus and Priorities; Regulation and Compliance

In Europe, the General Data Protection Regulation (GDPR) and national data protection legislation are stricter and more rigorously enforced regarding data protection and privacy. This explains the widespread adoption of ISO/IEC 27001 and 27002 among European asset managers, assuring investors that their data is handled in accordance with the strictest requirements.

In the U.S., there is more focus on sector-specific regulations such as SEC regulations for financial institutions and FedRAMP for cloud service providers. The NIST Cybersecurity Framework offers flexibility for adaptation to various sectors, providing investors with assurance that the manager is well-prepared for sector-specific risks.

Differences in Focus and Priorities; Sustainability and ESG

European asset managers often lead in integrating ESG criteria into their operations, supported by regulations such as the EU Sustainable Finance Disclosure Regulation (SFDR). ISAE 3000 assurance on non-financial information validates the manager’s ESG practices, which is crucial for investors seeking sustainable investments.

In the U.S., interest in ESG is growing, but it does not yet have the same level of regulatory support as in Europe. Nevertheless, American asset managers can benefit from SOC 2 reports that cover aspects of confidentiality and privacy relevant to ESG initiatives, assuring investors that ESG-related data is adequately protected.

Conclusion

While the core principles of operational due diligence remain consistent across continents, the specific standards and frameworks differ between Europe and the United States. European asset managers often adhere to international standards such as ISAE 3402, ISAE 3000, and ISO/IEC 27001, covering a broad range of financial and non-financial controls alongside robust information security measures. In the U.S., the emphasis is on standards like SSAE 18, SOC 2, and the NIST Cybersecurity Framework, offering flexible, detailed guidelines for both financial and information security controls.

These certifications are not only a mark of compliance with international standards but also provide investors with essential validation and substantiation of their conclusions regarding the reliability and integrity of asset managers. For investors operating globally, understanding these differences is crucial for conducting accurate and effective due diligence, enabling them to make well-informed decisions and manage risks more effectively.