Global Trustee and Fiduciary Services Bite-Sized Issue 5 2024

NETHERLANDS

AFM Makes Recommendations for IT Security of Capital Markets

In a press release published on 18 April 2024, the Dutch Authority for the Financial Markets (AFM) said that capital market firms should pay due attention to the design and structure of their IT risk register, service level management in respect of intra-group outsourcing and the inclusion of cyber-attack scenarios when testing their business continuity plans.

The AFM says it makes these recommendations on the basis of an in-depth study of the maturity of IT security measures, arising from the 2022 self-assessment survey of capital market firms. The in-depth study was conducted among selected firms on a subset of the security measures. Although the in-depth study did not identify any significant shortcomings in relation to the selected measures, certain areas of concern have nonetheless emerged.

The three main recommendations for enhancing IT security measures are:

• Establish a comprehensive IT risk register – An IT risk register contains an overview of all risk assessments that have been carried out, including inherent risks and residual risks, and the related action plans. The structure and depth of the risk registers that were surveyed differ. This makes it difficult to determine whether all the risks are adequately mitigated and residual risks align with a firm’s risk tolerance.
• Include cyber-attack scenarios in business continuity tests – Cyber-attack scenario testing is an important approach to ensure that a firm can recover from cyber attacks, such as a ransomware attack. These scenarios are not always part of business continuity tests.
• Establish adequate service level management in respect of intra-group outsourcing – Several selected firms are part of an international group and outsource significant parts of their IT services within that group. Service level management should also be adequately in place for the monitoring of intra-group services. Service level management in respect of intra-group outsourcing was in some cases less formalised than external outsourcing arrangements.

NORTH AMERICA

Retirement Security Rule and Amendments to Class Prohibited Transaction Exemptions for Investment Advice Fiduciaries

On 23 April 2024, the US Department of Labor (DOL) released its Retirement Security Rule to update the standards around advisors providing paid advice to retirement investors under the Employee Retirement Income Security Act (ERISA). Investors protected by the rule may be in different types of retirement accounts, including pension plans, 401(k) plans, and individual retirement accounts (IRAs).

The rule and (amended) prohibited transaction exemptions (PTEs) update the definition of an investment advice fiduciary and are triggered by the nature of advice sold to investors. Persons recommending insurance products for retirement accounts are covered. The effective date is 23 September 2024 with the transition period for PTEs ending on 23 September 2025.

ERISA contained a five-part test that had to be satisfied before a person giving investment advice would be treated as a fiduciary. That will be replaced with a status test focusing more on the nature of any provided advice than the relationship between parties involved.

According to the rule’s fact sheet, a person will be an investment advice fiduciary if:

• The provider makes an investment recommendation to a retirement investor;
• The recommendation is provided for a fee or other compensation, such as commissions; and
• The financial services provider holds itself out as a trusted adviser by:
  – Specifically stating that it is acting as a fiduciary under Title I or II of ERISA; or
  – Making the recommendation in a way that would indicate to a reasonable investor that it is acting as a trusted adviser making individualized recommendations based on the investor’s best interest.
