Chapter 10: Investor Money Management Plan

1. The Investor Money Management Plan (IMMP) is a fundamental feature of a fund service provider’s investor money risk management framework and is essential to ensuring investor money risks are effectively managed.
2. The IMMP should be regarded by fund service providers as a “master” document for the purpose of documenting investor money arrangements, risks and mitigating controls.
3. Fund service providers should consider engaging external skilled persons with the requisite investor money regulatory expertise during the initial drafting or enhancement of the IMMP.

   Purpose of the IMMP

4. The purpose of the IMMP is to:
   • Document a fund service provider’s business model and related risks in respect of the safeguarding of investor money and the controls in place to mitigate those risks
   • Demonstrate how a fund service provider’s systems and controls meet the principles of the investor money regime;
   • Enable the board to monitor, challenge and approve material changes to a fund service provider’s business model, its investor money processes, controls and understand the associated risks to safeguarding investor money; and
   • Make information readily available to assist in the prompt distribution of investor money, particularly in the event of the fund service provider’s insolvency.

   Reviewing the IMMP

5. While Regulation 88(2)(b) provides that the IMMP should be reviewed and updated at least on an annual basis, this does not detract from the fact that the IMMP should be considered a “living” document. It must be continually re-assessed to ensure it remains current and reflective of a fund service provider’s evolving business model and investor money risks and mitigating controls. The fund service provider should ensure that:
   • Documents or other supporting information can be retrieved immediately (where locations/hyperlinks to folders and/or documents are provided in the IMMP); and
   • Information is up-to-date, such as access rights, key internal and external contacts and organisational structure.
6. A fund service provider should ensure that the external auditor, responsible for performing the Investor Money Examination (IME) and preparing the assurance report, reviews any processes undertaken by the fund service provider to assess the on-going appropriateness of the IMMP, including evidence of any steps taken by the fund service provider to test and maintain the IMMP (e.g. periodic testing of hyperlinks in the insolvency section).

   Changes to the IMMP

7. A fund service provider’s IMMP should be updated in a timely manner in order to reflect material changes to the fund service provider’s business model or a change in circumstances that affect how the fund service provider safeguards investor money, to ensure the IMMP remains current and up-to-date.
8. Material changes to the IMMP may be triggered in many ways, such as through errors, omissions or control weaknesses highlighted during regular internal monitoring, or through findings from the IME conducted by the fund service provider’s external auditor.
9. Material changes to the IMMP should be notified to, discussed with and approved by, the fund service provider’s board. This should include any significant changes to the fund service providers business or arrangements and any errors, omissions or control weaknesses highlighted from the regular monitoring, including the external auditors review (refer to Investor Money Examination section herein) to ensure that the IMMP remains current. All other changes (i.e. those considered non-material) to the IMMP should be documented and reported to the board for the purposes of the annual review.
10. Any judgement made by the Board and / or senior management in relation to the following should be documented with the basis for that judgement and the information used to support it at that time:
    • materiality;
    • new investment funds;
    • using new third parties;
    • managing concentration risk (counterparty).
11. This is not an exhaustive list; in the event circumstances change, the impact on the Board and / or senior management’s judgement should be considered and updated.

    Structure of the IMMP

12. A fund service provider should ensure that the IMMP is well structured. It may choose to do so under the following key headings:
    • Business model and risk assessment;
    • Operational structures;
    • Governance and outsourcing arrangements;
    • Processes, procedures and records;
    • Information to facilitate the distribution of investor money (insolvency plan); and
    • Additional information pertinent to the fund service provider.

    Content of the IMMP

13. The following guidance on the content of the IMMP is non-exhaustive and does not specifically address each of the individual requirements in Regulation 88.
14. A fund service provider should document in its IMMP matters relevant to its business model and related risks to safeguarding investor money. The content of the IMMP should appropriately reflect the nature, scale and complexity of the fund service provider’s business model and associated investor money arrangements.
15. A fund service provider’s IMMP should be of sufficient detail to enable an independent reader to understand the fund service provider’s business model, the resulting risks to safeguarding investor money and the controls in place to mitigate those risks. Independent readers would include the Central Bank, an insolvency practitioner and an external auditor.
16. To avoid duplication of information, the IMMP may guide the reader, where applicable, through hyperlinks or other such pathways to the location of relevant internal documents. Supporting access details should be provided to ensure information pertaining to investor money is readily available. Fund service providers should continually monitor hyperlinks or other such pathways that have been included in the IMMP, to ensure that they continue to operate effectively and that the information contained in the linked documentation is up to date at all times.

    Business Model and Risk Assessment

    Business Model

17. A fund service provider’s IMMP should clearly explain how investor money obligations arise in the context of the investments firm’s business model and describe how the fund service provider is able to differentiate, monitor and control the investor money subject to the Investor Money Requirements (IMR).

    Investor Money Risk

18. In order to embed the IMMP effectively in a fund service provider’s overall risk management framework, it is necessary to develop and incorporate a comprehensive investor money risk matrix into the IMMP that captures and evaluates emerging fund service provider-specific risks. Accurate risk identification is necessary in order to effectively evaluate the adequacy of controls in mitigating risk as new risks relating to the safeguarding of investor money emerge. The investor money risk matrix should be readily understood by an independent reader, to promote a greater level of oversight and challenge in evaluating the effectiveness of a fund service provider’s investor money control framework.
19. The investor money risk matrix should reflect fully the risks to safeguarding investor money, including those specific to the fund service provider’s business model and operational arrangements. The investor money risk matrix should also set out the processes and controls in place to mitigate these risks to the safeguarding of investor money and include an evaluation of how those controls mitigate the risks. The Central Bank expects a fund service provider to clearly map the material risks identified to the relevant controls and processes in place, in order to mitigate these risks.
20. A fund service provider should document the material risks to investor money held as well as the processes and controls to mitigate those risks, as provided for under Regulations 88(4)(c) and 88(4)(d). This should include items such as (but not limited to):
    • counterparty risk including jurisdiction and associated legal risks;
    • concentration risk;
    • operational risk including risk of fraud;
    • compliance with investor mandates;
    • outsourcing risk;
    • group arrangements;
    • Key Person Risk;
    • Emerging Risks, and
    • any other relevant risks.
21. When considering these risks, a fund service provider should consider the life cycle of the transaction i.e. the receipt of money from the investor to the point where the money is transferred to the investment fund and, likewise, from the investment fund until it is returned back to the investor. Consideration of the life cycle could include, but is not limited to, flowcharts or illustrative diagrams showing critical interventions, particularly in cases where the processing of investor money requires manual intervention. The fund service provider should record how cash is received and disbursed.

    Operational Structures

22. A fund service provider should provide details of the operational structure that supports the fund service provider’s investor money arrangements, including key committees and support functions, in the IMMP.

    Governance and Outsourcing Arrangements

    Governance

23. The IMMP should contain an organisational chart detailing the various roles involved in the monitoring and oversight of investor money related processes and controls and any relevant reporting lines. The IMMP should document details of the management information provided to the board of the fund service provider and any relevant governance forums for the purpose of monitoring the risks and mitigating controls associated with the safeguarding of investor money including details of the recipients of this information. The IMMP should record where such management information is located.
24. The IMMP should document the particular responsibilities of the Head of Investor Money Oversight (HIMO) and how those responsibilities are implemented in practice.

    Oversight of outsourced functions

25. Where a fund service provider outsources to another party, (regardless of whether that other party is in the same group as the fund service provider or is independent) the performance of any function related to the safeguarding of investor money, the arrangement should be clearly documented in the IMMP. This should include (but is not limited to) the following details:
    • The name of the outsourced service provider;
    • Its jurisdiction of incorporation;
    • A description of the investor money functions it undertakes on behalf of the fund service provider;
    • The rationale for the outsourcing arrangement;
    • An explanation as to where the arrangement fits into the overall investor money control framework; and
    • Any function(s) which is specifically excluded from the outsourcing arrangement.

    For the avoidance of doubt, this Guidance applies to outsourced service providers as opposed to those third parties with whom investor money are deposited.

26. The fund service provider should have adequate and effective oversight over the outsourced service provider to ensure that the appropriate processes, systems and controls are in place to support the continued performance of the outsourced function. The fund service provider should maintain a record to evidence the oversight of the process, and document this in the IMMP.
27. A fund service provider should document how the HIMO reviews and challenges management information received from outsourced service providers in the IMMP. This should include details of the frequency and format (e.g. discussion at investor money fora) of such reviews.

    Processes, Procedures and Records

28. Fund service providers should include an overview of how investor money reconciliation and calculation processes are performed, the frequency at which these processes are performed, and the approach to investigating, identifying the cause of and remediating investor money differences or discrepancies identified through the performance of these processes. A hyperlink (or other such pathway) to the underlying procedural document(s) in respect of these processes may also be included.

    Information to Facilitate the Distribution of Investor Money

29. The insolvency information must form a stand-alone section in the IMMP and operate as an effective ‘road-map’ for an independent third party, such as an insolvency practitioner.
30. A fund service provider should ensure there is sufficient information available to enable the distribution of investor money to take place as efficiently and effectively as possible with minimum cost to clients in the event of the fund service provider’s insolvency. This information could also be required in the event that a fund service provider is required to facilitate an orderly transfer of assets to another fund service provider.
31. Insolvency information may be contained in the IMMP document or it may guide the reader, where applicable, through hyperlinks or other such pathways to the location of relevant information. Supporting access details should be provided to ensure information to facilitate the distribution of investor money is readily available.
32. Fund service providers should conduct regular reviews of the content in the insolvency section of the IMMP and continually monitor hyperlinks or other such pathways to ensure that they continue to operate effectively and that the information contained in the linked documentation is up to date at all times and is accessible to an independent party, such as an insolvency practitioner.
33. A fund service provider should consider the following information (inter alia) for inclusion in the insolvency section of the IMMP:
    • A list of all third parties where investor money is deposited, including account numbers, details of the persons authorised to conduct transactions on third party investor money accounts and whether such third party collection accounts are pooled. The Central Bank expects a fund service provider to have and apply a process to ensure that any amendments to the list of third parties are made only following approval by senior management;
    • A list of agreements between the fund service provider and any third party, and any amendments to such agreements. This should include investor money facilities agreements in place with third parties. A fund service provider should document its processes in maintaining and updating relevant legal agreements associated with the holding of investor money;
    • A list of any agreements with relevant parties;
    • A list of any agreements with outsourced service providers relating to the outsourcing of any critical or important function related to the safeguarding of investor money;
    • A record of the location of the books and records that the fund service provider maintains pursuant to the requirements in IMR, along with instructions for access. This should include any relevant books and records held by other parties on behalf of the fund service provider;
    • Details of the relevant investor money accounts on the general ledger system(s) used by the fund service provider for recording investor money transactions, including instructions for accessing all relevant books and records and generating any relevant reports from the general ledger system(s), and details of all staff with access to the general ledger system(s);
    • A description of any key reports used to monitor investor money with instructions on how to generate such reports;
    • A record of the location where the most recent investor money calculation is stored and details of how to access previous calculations;
    • A record of the location where the most recent investor money reconciliations are stored and details of how to access previous reconciliations; and
    • Details of any applicable investor compensation or deposit guarantee schemes in jurisdictions where a fund service provider has deposited investor money with third parties.
34. More generally, the IMMP should be sufficiently detailed to enable an insolvency practitioner to understand the business model and controls for safeguarding investor money. It is important that the IMMP provides a sufficient level of detail for an insolvency practitioner to understand the type of investor money held by the fund service provider and where they are deposited.

    IT systems and controls

35. The IMMP should include an explanation of all internal and external IT systems used by the fund service provider in respect of investor money processes and the controls which validate the data obtained from these IT systems.
36. A fund service provider’s IMMP should document how access is controlled and monitored for key IT systems and how segregation is implemented in practice. It is also important that an independent reader can understand the interactions and dependencies between key IT systems, relevant to investor money processes.
37. A fund service provider should outline in the IMMP, the arrangements that it has in place to ensure that critical systems relating to the safeguarding of investor money remain accessible and operational, particularly in the event of a fund service provider’s insolvency. Such arrangements should form part of the fund service provider’s business continuity planning.
38. A description of the systems and controls in relation to the production of information in relation to investor money and submission of such information to a third party. The Central Bank expects a fund service provider to have appropriate segregation of duties to ensure documented controls are reviewed by independent and appropriately qualified and knowledgeable persons.

    Flow of Investor Money

39. The general flows of investor money in and out of third party investor money accounts should be clearly documented in the IMMP.

    Materiality

40. A fund service provider should identify and regularly re-assess its investor money materiality thresholds, to ensure that there is regular and meaningful escalation and reporting of investor money matters. The rationale for the materiality thresholds should be clearly documented in the IMMP.
41. The materiality thresholds for escalating matters within the fund service provider, including to the board and/or reporting to the Central Bank, should be documented in the IMMP.
42. A fund service provider may have different materiality thresholds and triggers for different processes and controls.
43. Materiality thresholds should be calibrated so as to identify issues in a fund service provider’s controls, processes and procedures for safeguarding investor money. These thresholds and related triggers should be approved by the board and take into account both quantitative and qualitative criteria.
44. A fund service provider should specify and document in the IMMP a quantitative level of materiality (e.g. the level of investor money) which would trigger escalation within the fund service provider and/or reporting to the Central Bank, along with the basis for this. Materiality in the context of reconciliation differences is discussed in more detail in the Guidance on Reconciliation Requirements chapter of this Guidance Note.
45. This should take into account the amount of investor money held and also consider the fund service provider’s own net assets.
46. Fund service providers should also consider qualitative criteria which may trigger reporting or escalation within the business. An incident may be quantitatively immaterial but have other features which may pose a risk to effectively safeguarding investor money (e.g. where a fund service provider is contemplating the use of non-standard practices in order to facilitate a client, even if this does not relate to a material quantum of investor money, this should trigger an immediate escalation within the fund service provider as it may expose the fund service provider to increased operational risks, with potential for adverse consequences).
47. Fund service providers should document in the IMMP the qualitative criteria which may trigger escalation within the fund service provider and/or reporting to the Central Bank, along with the basis for this judgement.
48. A fund service provider should monitor its materiality threshold levels on an ongoing basis, to ensure they are fit for purpose and appropriately calibrated to the fund service provider’s evolving business model and investor money transaction cycle. Where there is a change to its business model, the environment or the level of investor money held, a fund service provider should amend the materiality threshold level as appropriate. Any changes to investor money materiality threshold levels should be approved by the board and clearly communicated to the fund service provider’s staff, as appropriate. Staff within the fund service provider that are assigned tasks relating to obligations under the IMR should be sufficiently qualified, knowledgeable and experienced to identify when both qualitative and quantitative materiality thresholds are met.

    Breach and incident log

49. The Central Bank is of the view that information relating to investor money breaches and incidents, regardless of materiality, should be readily accessible by an independent third party, in particular the Central Bank and the fund service provider’s external auditor (as part of the preparation of the assurance report required under Regulation 89 of the IMR). It may also serve as a helpful resource to the fund service provider itself as part of regular staff training on investor money and/or in evaluating materiality thresholds. This does not detract from the requirement for a fund service provider to report any breach of the IMR, in accordance with Regulation 92(1)(f) of the IMR.
50. The location of the investor money breach and incident log should be referenced in the IMMP, by hyperlink or other such pathway.
51. The investor money breach and incident log should list all investor money breaches/incidents, and in each case contain the below information (at a minimum):

• Indicate the relevant provision(s) in the IMR that apply;
• Provide an overview of the breach/incident;
• Outline the process for remediation of the breach/incident;
• In the case of an incident, indicate whether it is deemed material;
• Indicate whether the breach/incident has been reported to the board of the fund service provider and/or the Central Bank; and
• The status of the breach/incident (e.g. open/under investigation/closed).

Issued: 4 July 2023

Last revision: 4 July 2023