20
Key Third Party / External Subservice Organisations
MSWM uses the services of third-party service providers in some operations with Service Level agreements
in place. Monitoring of service providers is overseen by Management, with compliance undertaking periodic
monitoring to ensure that counterparties are complying with reporting and other contractual obligations.
MSWMs key external subservice provider relevant to supporting custody services for MSWM PWM clients is
Clearstream, in the provision of investor statement reporting. This report does not include controls at
Clearstream or any other external sub-service organisation.
The effectiveness of controls performed by users and their service providers should also be considered as
part of the overall system of controls.
5 IT systems
5.1 Network and Infrastructure
MSWM PWM utilises both mainframe and distributed technology. The key system platforms are
standardized on z/OS, Linux and Windows operating systems. Morgan Stanley owns and operates the
Data Centres located in Somerset, New Jersey, Piscataway, New Jersey, and Ashburn, Virginia.
5.2 Information Technology Organisation
Morgan Stanley IT is divided into the business units with a New York based IT Senior Manager heading
up PWM IT from a global perspective while global functional heads report to the New York based IT
Senior Manager. Some of the functional heads also have a regional responsibility, in which case they
also report to local business heads in their regional offices. Staff working on global projects will have a
link, organized by function, to the functional area that is leading and managing that project.
Morgan Stanley’s Enterprise Infrastructure Group (“EI”) is responsible for each business line’s server
management and deployment needs, providing adherence to Morgan Stanley IT standards. PWM is a
business line under the responsibility of the Engineering/service account manager for PWM. While the
responsibility is centralized, the specialized support groups are resident in each location. Specialized
groups include Network, UNIX, Windows and database support. The IT functions generally operate based
on firm wide standards. There are policies and procedures for many functions set by Quality Assurance
and Production Management (QAPM).
Production Management is responsible for supporting PWM applications and ensuring the stability of the
IT environment. Responsibilities include application support, software turnovers/deployments and
monitoring of overnight batch processes. ASG personnel are located across several regions which
ensures that there is coverage throughout the day and night. Refer below to Section III 5.4 In Scope
Application for further details.
In-bound instructions to Clearstream are received electronically via Webstreme - a secure order
management system developed by Clearstream. An ASAE 3402 Assurance Report on Controls at a
Service Organisation has been received from Clearstream which is referred to as "Report on the Internal
Controls for Custody, Investment Administration and Related Information Technology Services".
5.3 BCM/DRP
Morgan Stanley maintains global programs for business continuity management and technology disaster
recovery that facilitate activities designed to protect the Firm during a business continuity event. A
business continuity event is an interruption with potential impact to normal business activity of the Firm’s
people, operations, technology, suppliers, and/or facilities.
The business continuity program’s core functions are business continuity planning (with associated
testing) and crisis management. The Firm has dedicated Business Continuity Management staff
responsible for coordination of the program governed by the Business Continuity Governance Committee
and a Risk Oversight Committee. In addition, a Committee of the Board of Directors (the “Board
Committee”) and senior management oversee the program. BCM reports to the Board Committee at
least annually on the status of program components such as business continuity events and business
continuity testing results.
BCM facilitates the exchange of information within the Firm during an incident. BCM works with partners
in Technology, Security, and Corporate Services to assess incidents for the level of impact to businesses
and, as appropriate, escalate them accordingly. BCM provides 24/7 global coverage to monitor and
manage incidents.