• Namibian Public Pension Fund
  • 2024
  • Real Estate, Europe
  • Commingled fund
  • Monitoring review of an existing fund investment
  • Operational due diligence ("ODD")

Our specialist says:

bfinance successfully engaged with the manager to implement a series of control enhancements which helped to mitigate the client’s operational risk exposure. Our firm’s analysis also provided the investor with comfort that the fund in question was being managed in accordance with its investment restrictions and Luxembourg regulatory requirements.


Client objective

A prominent public sector pension fund sought support in conducting a thorough ODD assessment of an existing investment in a European Core Plus Real Estate strategy. The manager in question had extended the fund’s investment period on multiple occasions, the vehicle’s performance had significantly lagged against expectations and the investor wanted assurance that its return experience was not a result of operational weakness.


Outcomes

  • The Fund in question is a Luxembourg domiciled vehicle which falls under the European Union’s Alternative Investment Managers Fund Directive (“AIFMD”). The Manager has appointed a third-party service provider to act as the vehicle’s Alternative Investment Fund Manager (“AIFM”), Depositary and Fund Administrator which bfinance met with this firm as part of its operational risk assessment.
  • Our evaluation of the manager revealed numerous control shortcomings that we consider to be material deviations from best practice. The ORS team pursued an active dialogue with the firm to agree a plan of action focused on implementing appropriate control and process improvements to align the manager’s operational framework with bfinance’s expectations of an institutional asset management business.
  • ORS’ analysis of the firm’s technology, cyber security and business continuity policies and procedures identified that the manager did not perform ongoing vulnerability scans, placed no restrictions on the use of removeable media, had not implemented a formal cyber security training program for employees, its staff were not subject to mandatory phishing tests on at least an annual basis, it did not test its ability to communicate with employees in an emergency scenario and its password protocols were potentially at risk of compromise. The firm also shared a copy of its most recent penetration testing report, conducted by a CREST accredited penetration testing specialist, which revealed that a number of vulnerabilities identified by the vendor had yet to be remedied.
  • bfinance engaged with the manager, its IT service provider and a cyber security software vendor employed by the service provider, to address these control weaknesses, as a result of which the manager’s technology environment is now subject to daily vulnerability scans, the use of removable media devices is no longer permitted, all staff a subject to cyber security training upon hire and annually thereafter, phishing testing is performed annually, and the firm’s password protocols and business continuity testing framework have been enhanced. ORS was further able to verify that the vulnerabilities identified in the manager’s most recent penetration test had been addressed to the satisfaction of the CREST accredited vendor.
  • In addressing the investor’s concerns about the manner in which the fund’s investment period had been extended, bfinance was able to confirm with the vehicle’s AIFM that the manager had acted in accordance with the terms detailed in the fund’s Offering Memorandum and that all extension had been subject to consultation with fund’s Advisory Committee and approved by its Board of Directors.