Operational Risks and Your Custodian: A Perfect Match?

Operational Risks and Your
Custodian: A Perfect Match?

November 2014

Hewitt EnnisKnupp, An Aon Company
© 2014 Aon plc

Introduction

Institutional investors have always been concerned about risk, but with the increasing complexity of
investment opportunities, the broadening of asset allocations beyond simply stocks and bonds, and the
global nature of investment portfolios, monitoring all the risks associated with an investment program has
become a more significant undertaking.

This paper identifies the operational risks that institutional investors face—specifically those risks that
come with safekeeping, monitoring, and reporting on a plan’s assets—and discusses the implications for
evaluating custodians. Whether a plan utilizes separate accounts, requires consolidated reporting, or
needs assistance with benefit payments, cash movement, or private asset reporting, most institutional
investors rely heavily on the custodian bank to provide operational support for the investment program.
Therefore, institutional investors should evaluate a custodian’s capabilities through an operational risk
lens.

This paper establishes the operational risk lens institutional investors should use when evaluating their
custodian by:

1. Defining the key operational risks faced by institutional investors; and

2. Summarizing, for each identified risk, the capabilities, processes, and infrastructure a custodian
should possess to be a perfect match for a program that faces that risk.

Role of a Custodian Bank

The primary role of a custodian bank is to hold in safekeeping the assets of its clients. Similar to a
personal investment account, the custodian maintains the position information on behalf of clients while
also facilitating trading, providing pricing information, and managing cash activity. The key responsibilities
of a custodian bank are to:

 Hold assets in custody. This occurs onshore, offshore with an affiliate, or offshore with a sub-
custodian. When needed, the main custodian is responsible for selecting the sub-custodian.

 Provide daily and/or monthly asset pricing. Pricing information is provided to custodians by third-
party vendors that are reviewed for accuracy and methodology.

 Monitor and settle depository transactions. Custodians are also critical in monitoring and settling
trades. They are connected electronically to the depositories, providing operational efficiencies and
economies of scale when initiating and settling trades.

Consulting | Investment Consulting 1

 Monitor and post income payments. Custodians track and record interest on bonds and equity
security dividends. The custody system monitors the scheduled payment date and ensures the
correct payment is posted to the right account.

 Provide audited reporting. The custodian provides final market value, transactions, cash positions,
and cash activity on a daily or monthly basis.

Other services that custodian banks often provide include proxy voting, tax reclaim services, corporate
actions, cash management, performance reporting, risk reporting, compliance monitoring, securities
lending, and foreign exchange.

The largest, most sophisticated and capable global custodian banks bring many advantages when they
provide operational services. The economies of scale they are afforded by servicing trillions of dollars in
assets keeps costs low and service levels high. Their dedication to the custody business is evidenced by
investments in personnel and technology, and also is driven by the percentage and level of revenue the
custody business provides to the overall bank organization. They benefit from the global network (e.g.,
sub-custodian network, depositories) they have developed over many years of servicing global clients.

Because institutional investors rely heavily on their custodian banks to provide operational support,
custodian banks should be evaluated based on their ability to mitigate the investor’s key operational risks.
Here, we provide a framework for performing this evaluation.

Operational Risks: Finding Their Perfect Match

We identify 12 key operational risks that are faced by institutional investors and offer guidance on the
processes, capabilities, and expertise a custodian must possess to help mitigate them (i.e., what makes a
custodian the “perfect match”). Not every investment program will be exposed to every one of these
operational risks, but a significant portion will apply to all institutional investment programs.

1. Headline Risk

Definition
This is the risk that the custodian experiences a high-profile negative event that spreads throughout the
media and negatively impacts the institution’s credibility. Headline risk is important to consider because a
significant organizational issue at a custodian can cause undue concern and scrutiny, and force change.
Organizational stability is also important because of the exposure institutional investment programs have
to the custodian bank. Should there be any significant issues, there could be risk to the safety of the
assets, the ability to process transactions, and other operational complexities.

Consulting | Investment Consulting 2

Evaluation Criteria
Evaluating and monitoring a custodian’s financial and organizational stability is paramount in mitigating
headline risk. Key factors include capital ratios, credit ratings, total assets under custody, revenue
generated by custody operations, and the SSAE16 report. In recent years, the number of lawsuits filed
against custodian banks or their parent organizations has increased; therefore, institutional investors
should be aware of the level and breadth of any legal issues faced by the custodian banks.

2. Contract Risk

Definition
Contract risk is the risk that something material is missing from the custody contract or that key
operational topics have not been clearly or completely described. Lack of clarity in key areas presents
significant risk.

Evaluation Criteria
Investors should conduct a comprehensive evaluation of the custody contract on a periodic basis
(typically every three to five years) and if possible, compare the current document to other custodian
contracts. There are a number of key operational factors to evaluate within the custodial agreement to
ensure they have been clearly defined, including the roles and responsibilities of the custodian and client,
the description of services provided by the custodian, and the level or existence of indemnification should
the custodian make a mistake. In addition, legal counsel should be intimately involved in the negotiation
process to ensure that the contract suitably protects the client from losses due to negligence, fraud, and
willful misconduct.

3. Regulatory Risk

Definition
Regulatory risk is the risk that a custodian bank is adversely affected by or is out of compliance with a
regulation, likely resulting from a lack of preparedness. The regulatory environment is extremely fluid and
custodian banks must stay abreast of changes.

Evaluation Criteria
We expect a custodian bank to have a group dedicated to regulatory affairs. While it is not necessary that
this group reside within the custody division, we do expect that the custody division participate in
regulatory oversight efforts. Changes to regulations can impact the viability of business lines or products.
Utilizing a team of individuals to analyze regulatory implications on the firm’s overall business strategy
and to participate in industry trade groups is something we view favorably.

Consulting | Investment Consulting 3

4. System Integration Risk

Definition
System integration risk relates to the integration of systems, and is the risk that the conversion of raw
custody data to accounting reports is not completed in an accurate, timely, and automated fashion.
System integration risk also covers the risk that the accounting data does not accurately and seamlessly
flow through to other platforms such as performance reporting, compliance monitoring, and private asset
administration. Additionally, there is the risk that the underlying feeds providing inputs to client-ready
reports are of insufficient quality.

Evaluation Criteria
System integration risk can be evaluated by understanding the systems and processes the custodian has
in place to flow data through the various custody platforms, how the systems are built and maintained, the
frequency of data transmission, how much manual intervention is involved, and the reconciliations that
are performed.

5. Trading Risk

Definition
Custodian banks process millions of trades every day and are ultimately responsible for ensuring that
trades are processed correctly (meaning cash and securities get to the right place at the right time).
Trading risk is simply the risk that a trade is not settled or processed appropriately and causes losses or
liquidity issues within the investment program.

Evaluation Criteria
Sound procedures for processing and settlement help ensure that trades will not fail. Such procedures
should be refined over time as markets develop and innovations occur. When possible, we expect a
custodian to be a direct participant in a given market, and to have an automated process with real-time
updates. The settlement cycle varies by security type, and custodian banks should have visibility into the
process throughout the cycle to ensure timely and accurate settlement. It is best practice to use strategies
such as pre-matching and to have real-time communications with depositories or local agents.
Institutional investors should also ensure that the custodian has separate, specialized teams that liaison
with investment managers and trading desks.

6. Data Management Risk

Definition
In any situation where information is stored on a technology system, there is risk that the data is not
accurately maintained. The more complex the program, the more exposure investment programs have to
data management risk. Complexity can be driven by an array of factors such as asset size, type of

Consulting | Investment Consulting 4

investments held, number of accounts, volume of U.S. and non-U.S. trades, derivative usage, and plan
accounting structure.

Evaluation Criteria
First and foremost, every custodian bank should have an SSAE 16 report that provides information on
internal processes and controls. A third-party auditor produces the report, and notes any exceptions or
material weaknesses. Custody clients should review this document to ensure there are no notable
exceptions and that the internal processes and controls are robust.

Furthermore, a custodian should have quality control procedures in place across all custodial operation
groups that ensure transactions are booked correctly, positions are accurately priced, and custody
information is accurately communicated across systems. More specifically, custodians should have
established tolerance levels to monitor pricing accuracy, checks and balances in place to catch
processing errors, and quality control reports that are reviewed on a daily basis.

7. Global Custody Risk

Definition
This is one of the key risks that exists for plans with international assets, because they almost always
require the use of sub-custodians. Most of the world’s largest custodians do not have custody operations
in every country, requiring these organizations to contract with a local custodian. Engaging sub-
custodians or affiliate custody services introduces additional risks, including:

 Failure or default of sub-custodian

 Lack of contingency planning and/or sufficient contractual protection by main custodian to handle
adverse organizational events

 Weak controls and processes in place at sub-custodian

Evaluation Criteria
Investors should evaluate the custodian’s process for reviewing the sub-custodians in their network,
including the frequency of the sub-custodian reviews, the size of the team responsible for evaluating the
sub-custodian relationships, the team’s experience and capabilities, and the overall evaluation criteria.
The evaluation process should include collaboration with the enterprise risk management team to ensure
full coverage of the organization’s potential operational risks and an onsite visit by key team members.
The evaluation criteria need to include a review of internal controls, security and data protection,
technology infrastructure, financial stability and strength, trade settlement procedures, communication
structure, and positive historical performance in performing custody services.

Consulting | Investment Consulting 5

Reviewing the agreements in place between the sub-custodian and the custodian is also important to
ensure that contractual protections exist and plans are established should the sub-custodian experience
an adverse organizational event. In addition, investors should be sure that the sub-custodian’s accounts
and assets are segregated and solely in the name of the client.

Finally, the custodian should be able to demonstrate expertise in the nuances of investing in international
markets, including knowledge about the opening of new accounts, tax implications, and holding idle cash
where possible to limit the client’s credit risk to the sub-custodian.

8. Foreign Exchange Risk

Definition
Similar to global custody risk, foreign exchange (FX) risk is present when a client has international assets
that require FX services associated with trade settlement and income payments. There are a few different
operational avenues through which an investment manager can access the FX markets, including
straight-through processing with the custodian, negotiating trades directly with the custodian’s FX desk, or
utilizing a competitive bidding process with third-party dealers. The main risk in trading foreign exchange
is the execution quality of the trade (i.e., the risk of receiving sub-optimal rates on FX trades). This risk is
especially high when clients utilize a custodian’s automated straight-through processing capabilities.
Executing FX trades in restricted markets can also lead to elevated transaction costs due to their
historical lack of transparency.

Evaluation Criteria
Custodians should provide a high level of transparency in reporting FX trading information. Ensure that a
document explaining the agreed-upon execution time, execution frequency, mark-ups/downs, benchmark
rate, and reporting requirements is available. Reporting should at a minimum include the execution price,
mark-up/down, size and direction of the trade, and benchmark rate.

Institutional investors should also evaluate the custodian’s capabilities in trading FX—including size and
experience of the team, counterparty evaluation, and access to the key FX dealers. We prefer custodians
that offer multiple execution options for straight-through processing.

9. Security Risk

Definition
Security risk is the risk that custody data is accessed or shared with unauthorized parties or that a
transaction involving custody assets is initiated by an unauthorized individual or entity. The unauthorized
movement of assets or disclosure of positions can adversely impact an investment program.

Consulting | Investment Consulting 6

Evaluation Criteria
A thorough evaluation of a custodian bank’s security structure should include both a review of procedures
and live examples of security protocols. A top-tier custodian bank should have in-house security experts
that establish, implement, and monitor all security-related initiatives. While it is important that individuals
at a custodian bank are capable of understanding the security protocols, it is expected that security-
related checks and balances are completely or almost completely automated through an exception-based
system.

Granting access to custody data is a key process related to both internal security at the custodian and
external security at the client. In general, individuals who are internal to a custodian bank should be
provided the minimum level of access required for them to carry out their assigned tasks. Externally,
clients should be provided unique login IDs and passwords. The custodian bank defines the level of
access associated with each login ID.

10. Cash Management Risk

Definition
Carefully managing and controlling the movement and use of cash and ensuring that overnight cash
positions are invested are critical risk management functions. Cash management risk is the risk that cash
movements are not properly managed either through lack of adequate procedures or poor implementation
of those procedures.

Evaluation Criteria
Institutional investors should ensure that their custodian has a tightly controlled process for establishing
and maintaining a list of authorized signers. There should also be specific processes for executing
various cash-related transactions including, but not limited to, wires, intra-fund transfers, and expense
payments. Custodians should have the ability to impose secondary or even tertiary approvals on cash
transactions, set dollar limits, and restrict certain authorized signers from specific types of transactions or
accounts, based on the client’s preference. Utilizing an online cash movement system can also be very
beneficial in streamlining the process, automating authorization levels, and setting dollar thresholds.
Constant monitoring of cash movements is critical as well, and should be a key component of the
custodian’s daily monitoring process.

Finally, the evaluation should include reviewing the investment guidelines of the short-term investment
funds available for overnight sweep, as well as the cash management experience of the team. Investment
guidelines should be conservative in nature, and the team managing the funds should be focused on
credit evaluation, have a robust process for including or excluding credits from the short-term investment
funds, and maintain adequate levels of liquidity.

Consulting | Investment Consulting 7

11. Client Support Risk

Definition
This is the risk that the individuals assigned to servicing a client lack the knowledge, capabilities, and
willingness to deliver the custody services required by the client. While institutional trust and custody has
increasingly become a technology-driven business, we believe that a strong client support model is still
necessary to ensure seamless delivery of custody services to end users.

Evaluation Criteria
The client support team should be experienced, responsive, and stable. Moreover, it is important that the
bank’s existing relationships (in terms of size and plan structure) be a compatible fit with the client. The
senior individuals on a client support team should have experience with similar types of plans, client
types, and investment programs. We recommend evaluating the number of client relationships per client
service officer, client team turnover, client base attrition, training modules for client service professionals,
escalation procedures for client requests, senior management experience, and tenure of client service
professionals. The client service support model should also be analyzed to determine its appropriateness
for each client.

12. Fee Risk

Definition
Custody fees can be complex and can lack transparency. We define fee risk as the risk that the fees
assessed for custody services are not competitive and lack transparency. Typically, custody fees consist
of a basis point charge on some predefined asset base, plus itemized fees for accounts, transactions, and
other custody services such as performance reporting or compliance monitoring. A flat fee for all custody
services is also becoming more common. Fee risk is especially significant in instances that such fees are
passed on to participants or beneficiaries.

Evaluation Criteria
Custody fees should be evaluated relative to current market rates for an investor of similar size and
structure. It is also important to analyze whether an itemized fee or a flat fee is appropriate, given the
services utilized and overall structure of the investment program. For example, a complex defined
contribution plan may be more inclined to choose a flat fee over an asset-based fee, since assets will
almost surely increase over time—but without an increase in complexity of the plan. Compare this to a
frozen, simplified defined benefit plan that may prefer to have an itemized fee schedule that has a higher
weight than an asset-based fee, given that assets will decline over time. The structure of the fee is just as
important to negotiate and analyze as the absolute fee.

Consulting | Investment Consulting 8

Implementation and Application

Traditionally, institutional investors have evaluated the primary services a custodian provides based on
the investment plan structure, reporting needs and requirements, and necessary client service support.
These overall capabilities are evaluated either through an explicit scoring system, or more qualitatively
in conjunction with a review of an RFP response, onsite visits, and finalist presentations (we provide a
sample scoring methodology in the Appendix). Such adjunct evaluation factors are often weighted equally
(or almost equally) in the evaluation.

However, we encourage institutional investors to use an evaluation framework that is customized to place
the highest weights on the operational risk areas of greatest importance to their specific circumstances.

The most efficient way to accomplish this is to identify the operational risks that the plan faces and then
classify each risk as high, medium, or low. Focus on the custodian’s ability to mitigate the highest
operational risks first, and weight those risks highest in the evaluation. The investor should subsequently
evaluate the custodian’s ability to mitigate the medium and low-level risks, but weight those lower. This
shifts the evaluation from the custodian’s overall capabilities to the custodian’s capabilities in those areas
that are most critical to the particular client’s operational risks.

As an example, consider a small investor for whom public scrutiny is inherent in managing its investment
program and that only uses commingled funds (to see the effect this has on the evaluation). In the
traditional framework, equal emphasis might be placed on organization, reporting, and technology.
However, in the operational risk framework, this plan should more strongly emphasize a custodian’s
organizational stability (headline/regulatory risk) and client service support (client support risk), while
reducing the overall emphasis on accounting/reporting and technology support (system integration/data
management risk) because of its low level of overall complexity and data management needs.

One of the primary benefits of this new framework is that it can be applied to any type of plan—large,
small, simple, complex, or public/corporate/endowment/foundation—and in different regions around the
world. It does not make the evaluation process more complex; it simply changes the focus of the
evaluation.

Consulting | Investment Consulting 9

Appendix: Sample Scoring Framework and Methodology

It is likely that most custodian bank evaluations involve ranking evaluation factors in terms of relative
importance to the success of the overall partnership between client and custodian bank. Each factor is
assigned a weighting, and then scored using a simple scale such as poor, average, above average, and
excellent. We believe this is an acceptable evaluation framework, and we refer to this as the “traditional”
evaluation framework. The table below depicts the hypothetical scoring of a custodian bank under the
traditional framework.

Table 1

Evaluation Criteria Weight Score (1= poor; 4= excellent)

Organization 15% 3

Client Service 20% 2

Accounting, Reporting, Data Management 10% 3

Trading 10% 4
Online Platform 15% 4

Global Custody 10% 2

Cash Management 5% 2

Contract Negotiation/Fees 15% 1

Score -- 3.4

By considering how a custodian bank helps investors mitigate operational risks, we believe an alternative
perspective on the capabilities of a custodian bank can be introduced. We refer to this as the “risk-
adjusted” custodian evaluation framework. Operational risks are associated, or “mapped,” to the
evaluation factors identified in the traditional framework (see Table 3). The result is an evaluation that
more heavily weights factors associated with the operational risks deemed most significant to a given
investment program.

Consulting | Investment Consulting 10

One method for adjusting the weightings of the traditional evaluation factors is based on assigning a
severity for the associated risks. We use three levels of risk severity: low, moderate, and high. For each
level, we have a predefined minimum and maximum weighting for the associated evaluation factor, as
depicted below.

Table 2

Risk Severity Minimum Weight Maximum Weight

High 20% 30%

Moderate 10% 20%

Low 0% 10%

Once mapping is complete and risks have been identified as high, moderate, or low, the development of a
risk-adjusted evaluation framework is complete. Table 3 on the following page shows how operational
risks are mapped to traditional evaluation factors, and we depict a hypothetical example of how
weightings are altered based on the risk severity.

Consulting | Investment Consulting 11

Table 3 Associated Risk(s) Risk Risk- Score
Severity Adjusted
Evaluation Criteria Headline; Regulatory; Weighting
Contract
Organization High 25% 3
Client Service Client Support
Accounting, Reporting, Data High 30% 2
Management System Integration; Data
Trading Management Low 5% 3
Online Platform
Trading Low 5% 4
High 20% 4
Security

Global Custody Global Custody; FX Moderate 10% 2

Cash Management Cash Management Low 2.50% 2

Fees Fee Low 2.50% 1

Score -- 100% 2.8

As shown in the hypothetical example (Tables 1 and 3), the overall score for the custodian bank on a risk-
adjusted basis is lower than the score calculated on a traditional basis. This suggests that when the
evaluation focuses on how effectively the custodian bank helps mitigate operational risks, this particular
custodian is less capable.

Consulting | Investment Consulting 12

Contact Information

Kristen Doyle, CFA
Partner and Head of Trust Services
Investment Consulting
+ 1.312.381.1283
[email protected]

Joel Brightfield
Senior Consultant
Investment Consulting
+ 1.314.719.3851
[email protected]

Consulting | Investment Consulting 13

About Hewitt EnnisKnupp

Hewitt EnnisKnupp, Inc., an Aon plc company (NYSE: AON), is an SEC-registered investment adviser,
and provides investment consulting services to over 480 clients in North America with total client assets of
approximately $1.7 trillion as of 6/30/2014. More than 270 investment consulting professionals in the U.S.
advise institutional investors such as corporations, public organizations, union associations, health
systems, endowments, and foundations with investments ranging from $1 million to $310 billion. For more
information, please visit hewittennisknupp.com.

About Aon Hewitt

Aon Hewitt empowers organizations and individuals to secure a better future through innovative talent,
retirement, and health solutions. We advise, design, and execute a wide range of solutions that enable
clients to cultivate talent to drive organizational and personal performance and growth, navigate
retirement risk while providing new levels of financial security, and redefine health solutions for greater
choice, affordability, and wellness. Aon Hewitt is the global leader in human resource solutions, with over
30,000 professionals in 90 countries serving more than 20,000 clients worldwide. For more information on
Aon Hewitt, please visit aonhewitt.com.

Consulting | Investment Consulting 14