Fitch: Internal Audit Key for European Servicers Risk Management
OREANDA-NEWS. European servicers are developing their risk management and compliance capabilities in response to financial regulators' emphasis on robust governance and assurance functions, Fitch Ratings says. We view internal audit (IA) as a key part of risk management and compliance, and this is reflected in our servicer ratings; those that have no or untested IA functions are at the low end of the rating scale.
Audit findings and management's response indicate whether management is paying attention to, and addressing, potential risks. Most servicers have IA programmes, although some have only recently implemented them.
For example, Situs Global Servicing has strengthened its risk and compliance framework over the last two years, including engaging a third party to provide IA. A full audit cycle has been completed and all of its findings addressed.
This and other measures such as creating a Risk and Compliance Group are positive, but the IA regime is relatively new, and taking a consistent approach over a number of cycles is important for effective risk management.
This meant we did not give full credit to the current IA arrangement when we affirmed Situs's German Commercial Mortgage Primary Servicer Rating, upgraded its Commercial Special Servicer Rating and assigned its UK Commercial Mortgage Primary Servicer Rating, in October.
Virtual Lease Services (VLS) is one of the few Fitch-rated UK servicers with no IA function. A developing risk management framework (VLS has created an oversight team and a compliance monitoring plan), regular client quality control checks, and the small size of the company, give comfort around governance.
But the absence of an IA programme is a rating constraint, as we noted when we upgraded VLS's ABS Primary Servicer Rating (VLS does not service mortgages) in November. This upgrade followed continued and well managed portfolio growth that we think is indicative of long-term shareholder support for a sustainable business.
A servicer's risk management infrastructure is often determined by the size and scope of operations, and different servicers take different approaches to ensure the independence of IA activity. Several have in-house IA units that report directly to the board. Others use third-parties or parent company resources for IA (group IA functions are usually well established).
We do not view one approach as more effective than another, but different approaches may be appropriate for different businesses. For instance, Italy's Credito Fondiario (CF) set up its own IA team after a change of ownership in 2013 (it was previously owned by a subsidiary of Morgan Stanley, and benefited from the support of the bank's group auditors). As we noted when we affirmed CF's servicer ratings earlier this year, its overall risk management framework has been enhanced, and audit reports have been reviewed and follow-ups addressed under the new IA regime, although it is early to make a full assessment of its effectiveness.
For a small servicer like VLS, using third-party or group resources might be easier than recruiting and retaining experienced personnel to act as an in-house IA function. It remains to be seen whether VLS, which is 49%-owned by Investec Asset Finance, will take this approach.