Jim Micklethwaite – CSDs manufacture risk as well as mitigate it

CSDs tend to be faithful adherents to regulatory requirements, and the CPMI-IOSCO principles for financial market infrastructures are no exception. But the way in which CSDs operate can leave residual areas of risk that are not always picked up by regulators. Risks also mutate over time. Which is why Jim Micklethwaite, head of operations at Thomas Murray, advises investors, global custodians and local custodians to monitor actively the risk they are exposed to when holding assets at CSDs.

Thomas Murray has, since the turn of the century, published detailed Risk Assessments of 140 central securities depositories (CSDs) in 100 markets. The firm provides these proprietary assessments on a subscription basis to a client base of custodian banks, asset managers and Investor CSDs, primarily to support their risk and network management functions.

It is sometimes asked why these groups rely on these assessments when the 24 Principles for financial market infrastructures[1] (PFMIs), published in April 2012 by the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO), have become the de facto standards that every CSD must achieve. Why are they not enough to satisfy risk managers?

Jim Micklethwaite, head of operations at Thomas Murray, has more than one answer to that question. The obvious one is the fact that in July 2001 the American securities regulator, the Securities and Exchange Commission (SEC), added a new rule to the 1940 Investment Company Act. The new Section 17(f)7 set minimum standards for the custody of assets of American mutual fund investors held by CSDs in foreign jurisdictions.  The CPMI-IOSCO principles do not provide adequate assurance that CSDs are meeting those standards, especially as investments and risks change all the time.

Most importantly, Section 17(f)7 insisted that the primary custodian bank to a fund “must provide the fund or its adviser with an analysis of the custodial risks of using the depository, monitor the depository on a continuing basis and notify the fund of any material changes in risks associated with using the depository.” This was the foundation of the CSD Risk Assessments prepared by Thomas Murray to support (initially) US primary custodians of US mutual funds.

Following regulatory principles does not equate to pursuing best practices

Section 17(f) 7 continues to matter. Indeed, many American banks white-label the Thomas Murray CSD Risk Assessments and offer them to their clients, in most cases relying on Thomas Murray technology as well. But the main reason the Risk Assessments have not been displaced by the CPMI-IOSCO principles is that the principles are only a starting point.

“Internationally agreed principles do not necessarily equate to best practices,” explains Micklethwaite. “The principles are set at a level everybody should be able to attain. They are the minimum acceptable practices that aim to bring everybody up to a reasonable standard.”

As Micklethwaite points out, that reasonable standard remains elusive, at least on the universal scale. Thomas Murray has assessed a number of CSDs against the CPMI-IOSCO principles, and found considerable variation in levels of awareness, let alone attainment. “Though the principles have become the global benchmark, not all markets have attained it,” explains Micklethwaite. “The speed at which local market regulators have adopted and embedded them into their oversight of financial market infrastructures (FMIs), varies widely.”

Within the European Union (EU), for example, the CPMI-IOSCO principles have become part of the regulatory furniture via measures such as the Central Securities Depositories Regulation (CSDR) and the European Market Infrastructure Regulation (EMIR). “But in some emerging markets, regulators have put no pressure whatsoever on FMIs to comply,” says Micklethwaite. “Though they are becoming alert to what is required now.”

This variance does not reflect any serious difficulties in implementation. “The principles are extremely practical in nature,” says Micklethwaite. “They were designed so that FMIs can embed them in their daily operational processes through internal controls and policies.”  When Thomas Murray assesses a CSD against the principles, it always asks for concrete evidence of compliance. The company finds gaps occur only when a CSD has yet to take practical steps, not because compliance is impossible.

“The main area in which implementation of the CPMI-IOSCO principles gets tricky is when alterations to the legal or regulatory framework are required,” says Micklethwaite. “In many markets, securities laws have not been updated to keep pace with operational and technological change, and amendments or revisions can take years.” Concepts captured by the principles, such as settlement finality and rights of ownership over securities, are not always prescribed in detail by existing laws. The CPMI-IOSCO appetite for high levels of transparency by FMIs to their users can also run into cultural resistance.

In addition, the principles are usually provided on a self-assessment basis, which means it is the CSD itself which evaluates its level of observance. This raises issues such as whether the interpretation of the principles, and the requirement to observe them in full, will vary by CSD.

CSDs themselves do not usually have a global comparison of standards in other markets or jurisdictions to measure themselves against. The Thomas Murray reports, by contrast, represent an independent, unbiased opinion regarding the risks investors are exposed to when holding assets at a specific CSD. They also measure how that CSD adheres to best practices (as opposed to merely meeting regulatory requirements).

Asset-servicing remains conspicuously risky area

But Micklethwaite has yet to encounter outright hostility to the principles. “They set a base level, and everybody wants to get there,” he says. However, the original edition of the principles also contained some obvious omissions. One of them – cyber-security – was covered in a subsequent CPMI-IOSCO publication four years later.[2] Asset servicing, on the other hand, remains an important area in which the supranational regulators have yet to pronounce at all.

“Asset servicing is a major area of risk for CSDs, particularly those taking on a centralised role in corporate actions, as opposed to simply settling the payment of entitlements, because processing instructions is an area in which you can face very large financial claims if you make an error in calculating entitlements,” explains Micklethwaite. “It is an area of risk a lot of our clients at the major global custodians and investment banks are very concerned about. Consequently, we assign a high weighting to asset servicing in our CSD Risk Assessments.”

Thomas Murray estimates that around 70 per cent of CSDs they monitor have assumed some form of additional risk in asset servicing, and it is not clear how many of them have sufficient capital resources or specific insurance to meet large financial claims. This matters to investors as well as their agents. In theory, CSD risk falls on the direct participants in CSDs – namely, custodian banks and brokers – rather than their buy-side clients. But in practice these intermediaries resist underwriting risks at market infrastructures which they are forced to use to settle transactions and hold assets. For them, CSD risk is market risk, and they expect their clients to own it.[3]

It is precisely because investors rather than intermediaries own CSD risk that the Thomas Murray CSD Risk Assessments go beyond the CPMI-IOSCO principles. “The way we look at CSD risk is very different from the way CPMI-IOSCO look at risk,” explains Micklethwaite. “The PFMIs are policy- and procedure-based, whereas our risk assessment methodology is much more process-based. We look at the models by which CSDs conduct settlement, safekeeping and asset servicing, assess where there are inefficiencies, and give an opinion on how those inefficiencies translate into risk for the intermediaries and their underlying clients.”

CSD risk is not a static concept

In other words, instead of measuring how CSDs conform to a fixed set of principles, Thomas Murray monitors how risk mutates across a range of CSD activities over time. It then updates its understanding of global best practices to take account of how CSDs are mitigating their risks. “Best practices must evolve, as CSDs advance in the way that they do things,” says Micklethwaite. “We refresh our methodology every year to make sure that we are keeping track of changes in practice.”

Keeping the methodology up to date, without sacrificing the ability to maintain enough industry norms to make sensible comparisons of the risks, is not easy. CSDs fulfil the same functions in many different ways, making it hard to derive norms. Thomas Murray also has to update the information the methodology consumes, and on a continuous basis. For this purpose, it relies on a network of custodian banks to feed the firm with information on changes in local CSD practices and procedures. These are then used to recalibrate best practices.

The custodians that supply the information, and the CSDs they use, are also invited to review and validate the CSD Risk Assessments once a year. Interestingly, a public version of the Risk Assessment can be commissioned and published by the CSD, which itemises the strengths and weaknesses of its models and practices. “We take the Risk Assessment and translate it into a practical project plan for our CSD clients,” says Micklethwaite.

In fact, the firm has built a CSD consulting practice based on its understanding of CSD behaviour. Emerging market CSDs have made considerable use of Thomas Murray to improve the way they operate and manage risk. CSDs which have links to other CSDs also subscribe to the Risk Assessments service, to manage the risks their counterparts represent to them. “We bring a global view of how CSDs can tackle risks,” says Micklethwaite. “It helps individual CSDs work out better ways to be more efficient.”

The main driver of CSD reform is the prospect of attracting foreign capital

That search for efficiency goes beyond compliance with regulation and international standards such as the PFMIs. There is also a powerful incentive for emerging markets CSDs in particular to improve: the competition amongst emerging markets to present a best-in-class market infrastructure to foreign investors. “Most CSDs are conscious of the post-trade criteria within the country classifications set by MSCI, S&P and FTSE Russell,” explains Micklethwaite. “There are boxes to be ticked to secure the trusted status that enables a foreign investor to look at a market and not have major concerns about the safety of their assets, the finality of their settlements or the collection of their entitlements.”

Once a place in a desired market index is secured, CSDs turn to working out how to cut the costs charged to foreign investors. “That said, certain CSDs are still very expensive, and therefore their markets are expensive,” notes Micklethwaite. “There are competitive tensions between groups within markets that are competing with other markets to be low cost as well as low risk.” CSDs also look to increase their competitive edge by diversifying into additional product and service areas.

CSDs diversify in many ways – consensually, widely and even aggressively

Diversification into new business areas can alter the nature of the risks CSDs incur and pose to their users. “As a CSD moves into different areas of business they have to change their attitude towards risk,” explains Micklethwaite. “There is a lot of pressure on the CSDs that want to move up the value chain and compete with commercial entities, to remain cognisant of their role as risk-mitigating entities and systemically important infrastructures. It is a difficult balancing act.”

Nevertheless, many CSDs are diversifying. Micklethwaite divides them into two broad schools, which strike a different balance between the urge to grow and the responsibility to remain stable. The first is made up of CSDs that regard themselves as utilities only, with a clear mandate to make their markets cheaper and more efficient for their users, including foreign investors. They focus on identifying market practices that can be commoditised and automated to make them more efficient, cheaper and less risky.

The Depository Trust and Clearing Corporation (DTCC), with its moves into mutual fund order routing (Fund/SERV) and credit default swap matching and confirmation messaging (Deriv/SERV) is the classic instance of a CSD pursuing this sort of strategy. Success hinges on CSD stakeholders, which are often profiting from the market inefficiencies, being persuaded that they will gain from the improvement, either through reduced costs or from the expansion of the market as costs fall.

Some CSDs interpret this pursuit of efficiency more widely, and range beyond the capital markets into the wider social environment as general data repositories. “Some CSDs are looking to extend their trusted role as market utilities into other areas where there is a high level of bureaucracy or manual processing,” says Micklethwaite. Examples include land registries, insurance documentation, pension services, tax accounting, academic records, curriculum vitae, and retail loan record-keeping.

The second group behaves more aggressively. Its members are comfortable competing with their users to provide the same services to end-investors and fund managers. Competitive tensions of this kind have existed in Europe since the turn of the century, when Euroclear spawned its proposed hub-and-spoke model, and both TARGET2-Securities (by robbing CSDs of a large proportion of their settlement revenues) and CSDR (by licensing new entrants to the European market) have accentuated them. “Entities that are used to being infrastructures are being forced to compete with the sub-custodian banks,” says Micklethwaite. “It will benefit some but will also see other CSDs fall by the way-side.”

Membership of each group is of course determined by the ownership and control structures of particular CSDs. It is difficult for the DTCC, for example, to pursue strategies which conflict with the interests of the custodian and investment banks which control the organisation. Likewise, CSDs constrained by membership of a vertically integrated trading and clearing entity (such as Clearstream) find their priorities are determined largely by the needs of the group. Truly independent entities (such as CDSL India) have more strategic latitude, though even they can run into regulatory or governmental barriers.

Regulators nevertheless tend, says Micklethwaite, to keep the barriers to entry low. “Regulators have a responsibility to give equal treatment to any entity that wants to provide CSD services in a market, provided they have passed the requisite tests of soundness and quality, and do not introduce any further risk,” he says.

New digital technologies can be a distraction from the core responsibilities of a CSD

Some of those new challengers are armed with new technologies. But Micklethwaite warns CSDs not to be distracted by the lavish promises of new digital technologies such as blockchain, artificial intelligence (AI) and machine learning (ML). He thinks CSDs should make investing in cyber-security their technological priority.

Thomas Murray has already incorporated the cyber-security threats and remedies raised by CPMI-IOSCO in the paper of June 2016[4] into its CSD Risk Assessments. Micklethwaite reckons it is only a matter of time before CSDs are attacked and, with many CSDs not yet up-to-speed with their cyber-security policies and procedures, investing in blockchain and AI can only divert money and attention.

He accepts that any technology which increases levels of automation also reduces risk. “If you can automate and embed the risk controls into a system so that the process is completed on a standardised and uniform basis with as little human intervention as possible, it does diminish the risk overall,” says Micklethwaite. But he is not convinced that novel solutions are necessary.

“Even putting manual processes under four-eye control can reduce risk,” says Micklethwaite. “New technologies have enormous potential in some areas but there are still some very basic things that need to be done properly, and that ought to be the priority. Get your house in order first. Make sure everything that should be done is being done in an efficient and low risk way before worrying about blockchain and AI. What CSDs do is standardise and commoditise processes at a central utility, and a lot of processes can still be done much better with existing technologies.”

But even current technologies have to be paid for. And at more than one CSD the funds to invest in new systems are not always available. This is obviously the case in frontier and emerging markets with low levels of activity. But, even in major markets, CSDs that belong to vertically integrated trading, clearing and settlement groups can lack the autonomy to invest or raise external funds. Even those CSDs which can afford to invest find there is a limited choice of vendors, all of them quickly buried by a single sizeable project.

CSDs are increasingly interested in benchmarking their revenues, costs and capital

Ageing systems are also inhibiting the ability of CSDs to expand into new services. For Thomas Murray, however, diversification has prompted the creation of a new service for CSDs: capital, cost and revenue benchmarking. Inevitably, the ability to deliver the service is inhibited by the understandable reluctance of CSDs to disclose sensitive financial information that may be of use to a competitor in their own market or from abroad, or to their users.

But Thomas Murray has found CSDs receptive to disclosing financial information as part of a peer group, all of whose members will gain from the analysis. “A lot of CSDs want to understand the costs and benefits of moving into new areas of business,” says Micklethwaite. “While we have access to all of the published financials of the CSDs, you cannot always get to the level of detail required to do a full analysis, so we do put CSDs into particular peer groups and ask them for extra information from their management accounts to obtain a great level of granularity.”

In addition, measuring capital adequacy has become a subject of interest to CSDs, who are as aware as their users of the risks they represent. “Boards have been looking at the capital levels in CSDs and testing to check that they are efficiently capitalised rather than over-capitalised,” says Micklethwaite. This has led to some pioneering work by Thomas Murray. Although CSDR makes CSD licences within the EU contingent on meeting modest capital requirements, there are no internationally agreed standards to measure the capital adequacy of CSDs.

As an issue, capital becomes acute when CSDs establish links to each other. In fact, CSDR insists that any CSD contemplating a link conducts a proper evaluation process. “The real risk in CSD-to-CSD links is the capital question,” says Micklethwaite. “They do not have the same financial resources as a custodian bank.” He adds that users are always tempted by the lower costs of a link, but equally deterred by the increased risk. This is why transaction volumes over links are, with a handful of exceptions, less than spectacular.

It is an apt reminder of the importance of risk, and of the value of risk mitigation. Understanding risk at a CSD is much simpler than understanding risk at a central counterparty clearing house (CCP) or an investment bank, but it would be a mistake to view a CSD as a money-in and money-out utility that never takes any principal risk. CSDs vary too much, and are evolving so fast, that the Thomas Murray CSD Risk Assessments are likely to remain of considerable importance to the post-trade securities markets for a long time to come.



[1] The Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO), Principles for financial market infrastructures, April 2012.

[2] The Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO), Guidance on cyber resilience for financial market infrastructures, June 2016.

[3] See John Siena of Brown Brothers Harriman (BBH) on the dialogue between CSDs and custodians on this point at: https://www.wfc2019.net/meeting-regulatory-challenges-requires-dialogue-not-disputes-between-csds-and-custodians/

[4] See note 2 above.

Show open popup early birds