resilient finance and why continuity in ......balance sheet, demonstrate agility and secure growth....


Post on 25-Feb-2021


Operational Resilience

Further information on operational resilience available on the Citi Fiduciary Services webpage www.citi.com/mss/solutions/pfss/solutions/fund/fiduciary-services

This communication may not reflect the views and opinions of Citigroup Inc, its subsidiaries and branches thereof worldwide (together “Citi”) or other Citi personnel. The information in this communication is thought to be reliable but may not be accurate, complete or up-to-date. Such information may change without notice. This communication should not be redistributed without Citi’s written permission. It is not advice and should not be treated or relied upon as such. You should engage your own professional advisors in relation to the matters raised in this communication and other applicable regulations. Citi accepts no liability for losses (whether direct, indirect or consequential) arising from the use of this communication by you or third parties, including losses caused by negligence, except for liabilities which cannot be limited by law.

GRA30427 05/19

*Global IT-BPO Outsourcing Deals Analysis (KPMG), What Is Cloud Computing and Why Does It Matter to Business? (Verdict), Multi-Cloud Fundamental to Financial Services Transformation (451 Research). **E.g. ID, access, governance, data security/loss prevention, encryption, and security monitoring and ops.

OUTSOURCING: THE VIEW FROM ABOVE . . .

DOES EVERY CLOUD HAVE A SILVER LINING? THERE ARE AIMS, CHOICES AND CERTAINTIES THAT SUGGEST THERE MIGHT BE . . .

1 CERTAINTY REMAINS FOR ALL FIRMS, WHEREVER THEIR OUTSOURCED FUNCTIONS SIT

THERE'S NO CONSISTENT DEFINITION OF “CLOUD OUTSOURCING”

HAVE RESOURCES TO SUPPORT RESPONSIBILITIES, OVERSEE RISKS AND MANAGE ARRANGEMENTS

PRIVATE, PUBLIC, HYBRID, IAAS, PAAS, AND SAAS SERVICES ABOUND

3 AIMS EXPLAIN WHY MORE FIRMS OUTSOURCE BUSINESS ACTIVITIES

• FLEXIBILITY
• EFFICIENCY
• EXPENDITURE

2 CHOICES LIE BEFORE FIRMS LOOKING TO DESIGN THEIR OPS MODELS AND TECH STRATEGIES

TECH RISES AS FINTECH/REGTECH FIRMS USE CLOUD SERVICES

• DEVELOP AND RUN OWN SERVICES
• USE THIRD PARTIES FOR SOME/ALL NEEDS

ROUTES TO:

• ALIGNMENT
• CONSISTENCY
• STANDARDS
• LOCATION
• LAYERS

PURCHASED CLOUD COMPUTING FALLS WITHIN OUTSOURCING

UNDERSTAND WHAT WILL BE EXPECTED WHEN USING THIRD PARTIES TO DELIVER KEY OPS SERVICES

• Materiality of outsourcing
• Legalities and regulation
• Accountability and scope
• Affiliates, cross-border too!
• Due diligence and monitoring
• Service provider contracts
• Security tied to confidentiality
• Continuity tied data and GDPR
• Functional concentration risk
• Resolution and termination.
• Regulator/intermediary access… to records and inspection rights

IF YOU'RE A REGULATED FIRM PREPARE TO ASK YOURSELF...

• Are providers’ data protection standards aligned to yours?
• Are “on premises” and cloud security ops consistent?
• Are services and security architecture standards defined?**
• Are you considering the location of data with providers?
• Are you monitoring risk across cloud supply chain layers?

• EU Commission: FinTech Action Plan, 8 Mar 2018
• APAC ASIFMA: Principles for outsourcing, July 2018
• IRE CBI: Findings and issues for discussion, Nov 2018
• EU EBA: Final Report on Guidelines, 25 Feb 2019
• EU EIOPA: Report on cloud computing, 27 Mar 2019
• LUX CSSF: Circular on outsourcing to the cloud, 27 Mar 2019
• UK FCA: Guidance on outsourcing to cloud and other third-party IT services, July 2018
• International IOSCO: Principles for market intermediaries, Feb 2005
• EU ESAs: Joint advice on ICT risk management requirements, 10 April 2019
• AUS ASIC: Proposed market integrity rules for technological and operational resilience, 27 June 2019
• EU EBA: Guidelines provide a framework, 30 Sept 2019

OPERATIONAL RESILIENCE *

HOW READY ARE YOU TO ANTICIPATE, PREVENT AND ADAPT TO CHANGES WHEN THEY HAPPEN?

Regulators want firms to be reasonably able to guarantee continuity of services and adapt to sudden disruption.

Interconnected financial activities require global engagement to deal with risks and technological and financial fragmentation.

Asset managers will need to pay close attention to developments to avert the risk that regulatory expectations are not being met.

Recent regulatory guidance includes...

Ongoing Policy Developments — BCBS/FSB/G7/US/UK/SING/HK/MEX

Ongoing Exams — US & UK

October 2019 Operational Resilience CP — UK BoE/FCA/PRA

18 April 2019 Update IT Guidance Webpage and further Guidance - US FED

10 April 2019 EU Cyber Resilience Framework — Joint Advice of the ESAs

7 March 2019 Tech Risk/Continuity Guidelines — MAS Consults

13 December 2018 Guidelines on ICT and Security Risk — EBA

3 December 2018 Cyber resilience Oversight — ECB

5 July 2018 Building UK Operational Resilience — UK BoE/FCA/PRA

AT BOARD LEVEL Financial services firms are so technologically interdependent that operational resilience has become a top agenda item.

ACROSS THE FIRM Firms will need a culture change to meet regulators’ outcome-based expectations, which start with a presumption of failure.

BY ALL COUNTS Resuming services and systems will need to be seen from the customer’s perspective and with risk appetites set by business owners.

RISKS ABOUND These include process and IT complexities, more 3rd and 4th party outsourcing, and data quality, integrity and sharing…

REAL THREATS The rising sophistication of cyber threats as incidents become more human-led, smarter and deliberately exploitative than ever.

AND VIRTUAL A lack of meaningful tech, data and cyber risk analysis — even for activities like supply-chain management — posed by the Internet of Things.

THE BIG ASK? To assess operational resilience and learn what investment, if any, can help address it, firms will need ANSWERS TO KEY QUESTIONS

ANTICIPATE PREVENT ADAPT

We can no longer architect based on time; we must architect based on scenarios. — G7 REGULATOR, October 2019

* The ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions (BoE, PRA, FCA).

1 Roundup of 2019 IoT predictions — research firms Gartner & IDC. 2 Straits Research “IoT in Banking and Financial Services Market”, 2019.

© 2019 Citigroup Inc. All rights reserved. CITI and Arc Design is a registered service mark of Citigroup Inc.

GRA30929 11/19

INTERNET OF THINGS

THE WORLD IS SLOWLY SWITCHING ON TO A REALITY WHERE EVERYTHING COMMUNICATES.

AS IoT TECHNOLOGY NETWORKS THE CONDITION, POSITION AND MOVEMENT OF OBJECTS, INCLUDING PEOPLE, ARE FIRMS FULLY PREPARED FOR THE VALUE IT PROMISES TO DELIVER?

DISTRIBUTING Value not just across financial services but also to customers

IoT can create more efficient, less expensive and smarter processes for firms.

EVOLVING Products and advice to sync with day-to-day customer events

Banks and institutions offering customers advice and services correlating with their daily events.

SAFEGUARDING Opportunities from risks in business and economic models

Data quantity and diversity created by things like biometrics and beacon technology pose privacy, security and storage challenges.

Will IoT be as transformative to financial services as the internet?

From a $745bn baseline, global spend expected to see double-digit growth to 2022.¹

USA and China predicted to lead the way, spending $194bn and $182bn apiece.¹

It’s forecast that there will be 25bn connected things by 2021.¹

The interplay of 5G and AI is poised to rewire how things communicate.

When objects start sharing cloud data and analysing it, the world will change.

Yet as mobile, bio ID and tech progress, firms face new standards and hurdles.

How are insurance firms and banks already utilising IoT?

Auto insurance telematics, smart watches, smart commercial real-estate building management, data gathering, mobile banking are prevalent examples.

What will you do to keep pace with IoT developments?

Banking and financial services IoT is expected to grow at a CAGR of 28.9% during 2019-2026.²

To be ready to reap the rewards of the investment, firms will want to keep a watchful eye on IoT as it emerges.

DELIVERING Investment choices based on client behaviours, preferences and location

Asset managers using data from a client’s device or ecosystem could tailor client risk modelling, investment options and asset allocation.

AUTOMATING Asset management without data protection or usage worries

Firms combining real-time data flows from sensors with cognitive and M2M tech could further automate asset management.

PROCESSING Possible benefits in the asset management industry

There are companies already analysing tangible data like driving habits and health, but IoT benefits are less obvious to asset managers.

AN OPERATIONAL SHIFT IN MINDSET

Regulators are calling on firms to be able to protect and sustain their core business functions not just when it’s business as usual but also in times of stress or disruption. But who does this concern, what does it entail and how are affected participants expected to respond? Below we capture some of the latest regulatory guidance to emerge on what will no doubt require a change in thinking about operational resilience.

Markets and Securities Services

On 5 December 2019, the Bank of England (BoE), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (“UK regulators”) published joint Consultation Papers on operational resilience:

BoE and FCA joint foreword: Building Operational Resilience: Impact Tolerances for Important Business Services (accessible here).

CP19/32 FCA: Building Operational Resilience: Impact Tolerances for Important Business Services and Feedback to DP18/04 (accessible here).

CP29/19 PRA: Operational Resilience: Impact Tolerances for Important Business Services (accessible here).

The PRA also published CP30/19: Outsourcing and Third Party Risk Management, which firms are encouraged to read alongside CP29/19 (accessible here).

The new proposals further develop the earlier 2018 joint Discussion Papers (accessible here).

© 2020 Citibank, N.A. All rights reserved. Citi and Arc Design and other marks used herein are service marks of Citigroup Inc., used and registered throughout the world.

GRA31825 09/20

THE GREATER THE AI THE GREATER THE NEED FOR RESILIENCE The EU Commission wants to strengthen the financial sector’s digital (ICT and security) resilience, build an enhanced legal framework on several pillars and capture the impacts of policy options.

RESILIENT FINANCE AND WHY CONTINUITY IN RESOLUTION MATTERS

Firms need to make strategic business decisions and investment choices to build and maintain operational resilience to any major incident. Important before covid, such resilience has become all the more vital at a time of low-interest rates and rapid digitisation, where it can fortify the balance sheet, demonstrate agility and secure growth.

December 2019: EU Commission shares its digital operational resilience framework.

The FCA’s take on operational resilience

The ability to prevent, adapt, respond to, recover and learn from operational disruptions.

MITIGATING RISKS AND COSTS OF UP TO $645BN Financial services, which relies on digital technologies and data, including algorithms, software and hardware, is three times more at risk to cyber-attack than any other sector, and the impact is global.

August 2020: Basel Committee releases its principles for operational resilience.

A LIVING DOCUMENT FOR FMI RESOLUTION PLANNING A common 5-part questionnaire will aim to reduce the many-to-one nature of enquiries, streamline information provision and facilitate continued access to critical Financial Market Infrastructure (FMIs) services.

RESOLUTION IS NOW GAINING MOMENTUM Besides building on existing guidance, consultative documents on operational resilience principles cover authorities’ resolution powers, which has received less attention than other subsets.

HIGHER-RESOLUTION PLANNING? After submission of finalised questionnaire responses to authorities and FMI participants in Q4 2020, authorities and firms may wish to add FMI-specific information to their resolution planning.

14 August 2020: FSB questionnaire aids continuity of access to FMIs for firms.

Questions to capture:

1. Information on the FMI and its structure.
2. Information on the rulebook and contractual provisions on termination.
3. Phase prior to resolution, during signs of distress at the FMI participant.
4. Resolution phase.
5. Arrangements and operational processes for continued access in resolution.

January 2021 and beyond: Across markets and geographies, continuity will continue to hold sway.

DRIVING INTEREST GLOBALLY Disruptions like covid and geopolitical tensions mean operational resilience needs to be embedded in BAU, making firms more client-responsive.