The top 3 security risks for asset managers in 2024

2024 is shaping up to be a challenging year for the real estate sector. Significant upheavals are expected due to financial policy shifts, stringent regulations, economic and political turbulence, and deep-seated cultural changes. These dynamics are posing fresh challenges for asset management and leading to new demands on risk management practices. 

To remain effective, asset managers must navigate this evolving risk landscape, play out new threat and risk scenarios, and tweak their risk strategies, controls, and processes accordingly.

Three critical areas warrant particular attention in 2024: cybercrime, financial crime, and ESG (Environmental, Social, Governance) concerns. The focus on these areas stems from a rise in cyberattacks, stricter anti-money laundering measures, and increasing regulatory and procedural risks associated with ESG issues.

Cybercrime: protect your data!

The asset management industry saw a 7% increase in cyberattacks in 2023 compared to 2022. Sensitive data related to clients, properties, and transactions are becoming prime targets for cybercriminals.

Hackers often gain entry through phishing emails, a technique often referred to as "social engineering," and through ransomware attacks. With stolen access credentials, cybercriminals can easily view, copy, and misuse sensitive data or documents. The risk can also originate from within, from employees. Where data access controls are lacking or too lax, the risk of data misuse or theft goes up.

When developing a comprehensive corporate security strategy, consider the following measures:

1. Enhanced access controls

Tightening access controls drastically reduces the risk of unauthorized access. Adding layers of security, such as two-factor authentication (2FA) or multi-factor authentication (MFA), which combine two or more verification methods, can further strengthen defenses. These methods can be bolstered by biometric verifications, such as fingerprint scans. For a deeper dive, check out our blog post "Data access governance—the key to security and efficiency in asset management."

2. Invest in secure technology solutions

Investing in secure, cutting-edge software is crucial for lowering cybersecurity risks. Given the ever-increasing exchange of data with external service providers, it's worth considering the use of an industry-specific data room. Such platforms ensure that critical information and data are securely shared and processed with all parties involved. Features like encryption, access controls, monitoring functions, and reporting help keep confidential data safe from unauthorized access and leaks.

3. Implement an incident response plan (IRP)

An IRP sets clear protocols for identifying, responding to, and recovering from a cyberattack. It primarily focuses on detecting an attack, blocking it, and mitigating its effects (restoring systems and data to their original state). An IRP includes defined steps for collaborating with law enforcement, reporting to regulatory bodies, and communicating with clients and other stakeholders during a crisis.

4. Training, awareness, and fostering a culture of security

Staff training and awareness are vital to significantly reducing the risk of cyberattacks. Regular updates on existing and emerging cyber threats can foster a strong security culture, which is an effective defense against various types of cyberattacks.

5. Take out cyber insurance

Cyber insurance helps lessen the financial impact of cyber incidents, enabling swift recovery and the continuation of operations. Policies cover direct costs such as forensic investigations, data restoration, legal fees, and even ransom payments. Some policies also help cover regulatory fines.

Financial crime: the risk of money laundering

According to the Federal Financial Supervisory Authority (BaFin), since 2023, it has been "more aggressively and better staffed in preventing money laundering." This also applies to registered capital management companies, which BaFin notes still struggle with adequately adjusting their money laundering prevention processes.

BaFin's increased commitment is evident in more special audits (by auditors or BaFin itself) and so-called supervisory visits. These visits have repeatedly identified deficiencies in risk analysis and the "know-your-customer" process. Violations of the Money Laundering Act can lead to severe fines, with penalties of up to five million euros or ten percent of the annual turnover, depending on the severity of the offense.

To prevent money laundering, asset management companies need to:

1. Perform a risk analysis

Companies must maintain a written risk analysis that assesses the risks associated with their business operations and clients in terms of money laundering (and terrorism financing). This analysis should be regularly reviewed (at least annually) and updated as necessary.

2. Establish "know-your-customer" processes

Companies need to ensure transparency about their customers and investors. This involves understanding the origin and source of investment funds.

3. Appoint a money laundering officer

The money laundering officer is the point of contact for BaFin, law enforcement agencies, and the Central Office for Financial Transaction Investigations.

Twisting the truth: greenwashing

In September 2023, the U.S. Securities and Exchange Commission (SEC) fined Deutsche Bank's subsidiary DWS $25 million. The charge: DWS had represented its supposedly sustainable fund products as more "green" than they were, i.e., greenwashing. 

As legislation and regulatory complexity increase, so does the risk of intentional or unintentional violations. Financial consequences often accompany a loss of trust and reputation damage among customers, partners, and investors. How can asset managers effectively counteract greenwashing?

1. Improve data quality

Ensuring high data quality is crucial for minimizing greenwashing risks. The fact that data often comes from various sources and external service providers complicates control and transparency.

Asset managers must adjust their quality management accordingly and carefully check data providers. Both automated and manual screening routines should be employed to detect errors and discrepancies.

2. Increase transparency

"Investors still can't quickly and clearly understand just how sustainable a product really is," Mark Branson, head of BaFin, stated in the Handelsblatt. As a result, asset managers should inform their investors as transparently as possible about their own ESG metrics. Clarity and comprehensibility are just as important as the scope and detail of the information.

So, avoid complex explanations and unclear expressions, and tailor your language and terminology to suit your audience. This also applies to the naming of products or funds. The European Securities and Markets Authority (ESMA) recommends, for example, that funds with ESG-related terms in their title should invest at least 80% of their assets in ecological or social features. Funds labeled as "sustainable" should additionally invest at least 50% of their total portfolio value in sustainable investments (PwC: Greenwashing Risks).

3. Implement process management

Asset managers should establish comprehensive quality assurance processes and strategies for transparent and clear disclosures based on best practices to minimize the risks of greenwashing. A thorough examination of relevant regulations is essential to determine the need for transparency and reporting. Subsequently, sources, providers, and calculation methods for all required data must be defined. Data quality assurance is of central importance. Additional plausibility checks before disclosure and the four-eyes principle can reduce the risk of incorrect calculations or misleading statements.

Conclusion: communicate clearly to avoid misunderstandings and misleading interpretations

The risk landscape is constantly evolving. In 2024, asset managers should particularly focus on three key areas: cybercrime, financial crime, and ESG risks.

In combating cybercrime, protecting sensitive data is of utmost importance. Here, enhanced access controls, investments in secure technology solutions, and implementing an incident response plan are vital.

To prevent financial crime, especially money laundering, asset management companies must conduct risk analyses, establish "know-your-customer" processes, and appoint a money laundering officer.

The growing complexity of ESG themes brings the risk of greenwashing. To counter this, improving data quality, communicating transparently about ESG metrics, and establishing robust processes for quality assurance and disclosure are essential.
