As the financial industry prepares to meet the challenges associated with COVID-19, key government agencies have begun to offer guidance on how their regulated financial institutions, including non-depositories, can meet their compliance obligations while balancing the realities of a potential pandemic. This blog summarizes the updates we are aware of to date and will be updated as additional developments occur. While not every item will apply to each financial institution or non-depository licensee, the best practices and guidance offered will help your institution decide how to move forward, and Bradley is ready to assist with any questions you have.
FFIEC Interagency Statement on Pandemic Planning
Here are key takeaways from the FFIEC Statement and a more detailed summary follows.
- Leadership of a financial institution must either prepare or update existing business continuity plans to include all aspects of pandemic planning.
- Actions must be commensurate to the size and operations of the business.
- Financial institutions must cooperate with local governmental agencies and emergency organizations to determine how best to proceed during a pandemic. Constant monitoring of communications from those agencies is important.
- Employee and consumer safety are essential. Educating employees, including providing a thorough understanding of the pandemic planning efforts of the institution, should take place.
- Cross training of employees should take place in the event there are significant absences of employees.
- An evaluation of risk must take place, with a particular focus on company systems and dependency upon third parties. Financial institutions should be aware of the pandemic planning efforts of their critical third-party vendors and prepare back-up options in the event that a critical vendor may not adequately provide services.
- Evaluate internal systems with a focus on remote capabilities (e.g., capacity, bandwidth, and authentication mechanisms) to determine whether they can handle significant numbers of employees working from home.
Released on March 6, 2020 by the FFIEC on behalf of its member agencies (the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the State Liaison Committee), the FFIEC Statement updates earlier interagency pandemic-planning guidance, which these agencies first issued in March 2006.
The statement emphasizes that each institution’s business continuity plan (BCP) should “address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuation of critical operations, a testing program, and an oversight program to ensure the plan is reviewed and updated.” The BCP is essential and must describe how the institution will manage operations during a pandemic event.
The FFIEC Statement notes that pandemic planning presents unique challenges because the scale and duration of a pandemic are harder to anticipate than those of other disruptive events. The BCP of each institution must be tailored to reflect the institution’s size, complexity, and business activities, and the expected impact of a pandemic on the financial services the institution offers must be incorporated into its ongoing business impact analysis and risk assessment processes.
Each BCP must include:
- A preventative program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event. This should include monitoring of potential outbreaks, educating employees, and communicating and coordinating with critical service providers and suppliers, in addition to hygiene training and tools for employees;
- A documented strategy that ensures that the pandemic efforts of the institution are scaled consistent with the stage and severity of an outbreak. Such strategy should outline plans for how to recover from a pandemic wave and proper preparations for any subsequent waves;
- A comprehensive framework of facilities, systems, and procedures that gives the financial institution the capability to continue its critical operations in the event large numbers of its employees are unavailable. Among other measures, this may include telecommuting options, redirection of customers from branch to electronic banking services, and conducting business at alternative sites. Financial institutions should consider how customers may react to these efforts and how increased demand in other areas (for example, online and telephone banking) could affect the institution. Furthermore, financial institutions must consider guidance from public health officials and other governmental authorities in their decisions;
- A testing program to ensure the effectiveness of the financial institution’s pandemic practices in allowing critical operations to continue; and
- An oversight program to ensure ongoing review and updates to the BCP so that it is continually up to date.
The FFIEC Statement lists resources offered by the U.S. government and industry publications that are useful in developing pandemic plans, including, for example, guidance from the Centers for Disease Control and Prevention (part of the Department of Health and Human Services) and the Department of Homeland Security.
Each institution’s board of directors is responsible for overseeing the development of the pandemic plan. Senior management is responsible for developing the plan and operationalizing the plan into specific policies, processes, and procedures. The FFIEC Statement counsels the board and senior management to consider the pandemic as a significant risk to the entire business. Pandemic planning activities must involve senior business management from all functional business and product areas, including administrative, human resources, legal, IT support functions, and key product lines. Senior management also is responsible for communicating the plan throughout the organization and making sure that all employees understand their roles and responsibilities during any pandemic event.
Potential effects associated with a pandemic event should be a component of the financial institution’s business impact analysis (BIA). The BIA should:
- Assess and prioritize essential business functions and processes;
- Identify the potential impact on essential business functions and processes, as well as supporting resources;
- Identify the potential impact on customers, including those that could be most affected and those that could have the greatest impact on the (local) economy;
- Identify the legal and regulatory requirements for the institution’s business functions and processes;
- Estimate the maximum downtime associated with the institution’s business functions and processes that may occur during a pandemic;
- Assess cross training conducted for key business positions and processes; and
- Evaluate the plans of critical service providers for operating during a pandemic and monitor those companies during the pandemic to ensure that critical services are available. Back-up service providers may be needed in order to mitigate risk. The FFIEC Statement provides that “[s]pecial attention should be directed at the institution’s ability to access leased premises and whether sufficient internet access capacity is available if telecommuting is a key risk mitigation strategy.”
In any BIA, financial institutions should forecast employee absences and also consider family care issues that may impact business operations. In a severe pandemic, absences could rise to 40% during peak weeks of any outbreak, with lower rates during the weeks before and after the peak. Certain public health measures, such as closing schools or quarantining households or altering public transportation schedules, will likely increase the rate of absenteeism.
As any institution develops its BIA, one should consider external factors. Interdependencies among external services relied upon by financial institutions and any potential for associated disruptions should be incorporated into any BIA.
A financial institution’s risk assessment process is critical to whether its BCP efforts will succeed. According to the FFIEC Statement, institutions should take the following steps in connection with pandemic planning:
- Prioritizing the severity of potential business disruptions resulting from a pandemic, based on the institution’s estimate of impact and probability of occurrence on operations;
- Performing a “gap analysis” that compares existing business processes and procedures with what is needed to mitigate the severity of potential business disruptions resulting from a pandemic;
- Developing a written pandemic plan to follow during a possible pandemic event;
- Reviewing and approving the pandemic plan by the board or a committee thereof and senior management at least annually; and
- Communicating and disseminating the plan and the current status of pandemic phases to employees.
While the FFIEC Statement contains additional detail, the following pandemic-related risk management steps should be undertaken by any financial institution:
- Openly coordinate with outside groups, including critical service providers. Information should be shared, as appropriate, to develop coalitions to provide support and maintenance for vital services during a pandemic. Management should coordinate its efforts with local public health and emergency management teams and should be in a position to alert public authorities in the event of significant absenteeism caused by an outbreak.
- Communication with customers and the media is critical to ensure accurate information is available.
- Management should regularly monitor its service providers and identify potential weaknesses in the service and supply chains and develop potential alternatives for obtaining critical services and supplies.
- Management should be in a position to respond when triggering events are identified by outside organizations, such as a governmental agency. For example, if a local emergency organization identifies a triggering event, management must deploy its response plans based on the facts and circumstances. In practice this involves monitoring local and national alerts and being able to communicate updates promptly to the financial institution’s employees and customers.
- Financial institutions must have employee protection strategies. Employee awareness should be heightened during any pandemic. The FFIEC Statement includes specific risk management strategies that should be considered, including, for example, publicizing the Centers for Disease Control and Prevention’s “Cover Your Cough” and “Clean Your Hands” programs.
- Financial institutions should ensure that employees are cross-trained and succession plans have been developed.
- Because there may be heavy reliance on employee telecommuting, an institution’s remote-access capabilities (e.g., capacity, bandwidth, and authentication mechanisms) could be strained. Institutions must understand their own infrastructure and needs and make capacity upgrades where necessary; a practical check is to test remote access at the expected peak number of concurrent users rather than assuming that licensed or nominal VPN capacity will suffice.
The FFIEC Statement also provides for risk monitoring and testing suggestions so that institutions can be prepared for potential impacts associated with a pandemic.
Washington Department of Financial Institutions Interim Regulatory Guidance Issued on March 5, 2020
The Washington Department of Financial Institutions (DFI) issued its Interim Regulatory Guidance under the Consumer Loan and Mortgage Broker Practices Acts. Under its Interim Regulatory Guidance, licensed mortgage loan originators may work from their homes, even if the home is not a licensed branch location, if certain requirements are met.
To work from home without penalty, specific data security provisions must be met. Those data security provisions are:
- The Washington-licensed mortgage loan originator must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, and other security-relevant changes to the device(s) must be kept current.
- The Washington-licensed mortgage loan originator must not keep any physical business records of any kind at any location other than the licensed main office.
In addition, Washington-licensed mortgage loan originators are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
As originally issued, the Interim Regulatory Guidance is effective through June 5, 2020.
Connecticut Department of Banking Issued “No Action” Position on March 9, 2020
The Connecticut Department of Banking issued a “no action” position with respect to working from home. For all consumer credit licensees, employees will be permitted to work from home through April 30, 2020, so long as specific criteria are met. Those criteria include:
- The Connecticut licensable activity must be conducted from the home of an individual working on behalf of a Connecticut consumer credit licensee;
- The individual that is working from home is electing to do so because of a reason relating to the COVID-19 outbreak and has informed the consumer credit licensee (i.e., the employer) of the reason in written correspondence;
- The individual holds the required individual licenses to perform the activities that he or she will conduct from home. Those licenses could include, for example, a mortgage loan originator license or a loan processor or underwriter license;
- The individual, when working from home, will not meet with any borrowers or potential borrowers at his or her residence; and
- The Connecticut consumer credit licensee (i.e., the employer) must, at all times, exercise reasonable supervision of the Connecticut licensable activity being performed at the home office and ensure that appropriate safeguards and controls are established relating to consumer information and data security.
New York Department of Financial Services Issued Statement on March 10, 2020
The New York Department of Financial Services (DFS) is requiring each regulated institution to provide a response to the DFS describing how it plans to manage the risk of disruption to its services and operations. While plans are requested as soon as possible, they must be provided to the DFS no later than 30 days from the date of the notice (April 8, 2020). Responses must be submitted to the DFS at the email address designated in the notice.
The plan requested by the DFS is largely consistent with the FFIEC Statement’s guidance regarding BCP discussed above. The DFS is requiring each institution’s plan to be flexible and address a range of possible effects from a potential pandemic associated with COVID-19. Plans must reflect the institution’s size, complexity, and activities. At a minimum, plans must address:
- Preventative measures, tailored to the institution’s specific operations, regarding how to mitigate the risk of operational disruption, including identifying the impact on customers and counterparties;
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be adjusted consistent with the effects of particular stages of the outbreak. The strategy should include assessments of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
- An assessment of all the institution’s facilities, including alternative and back-up sites, systems, policies and procedures necessary to continue critical operations, and services if members of the staff are unavailable for long periods or are working off-site. The plan should include an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. Such assessment should include existing information technology and systems to determine whether increased remote usage can be accommodated and handled with current resources;
- An assessment of potential increased cyberattacks and fraud;
- Employee protection strategies, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19;
- An assessment of the preparedness of critical third-party vendors;
- The development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
- Testing the plan to ensure its effectiveness; and
- Governance and oversight of the plan, including identifying the critical members of a response team. Oversight should include the ongoing review and updating of the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
Finally, the DFS tasks the boards of directors of regulated institutions with the responsibility of having plans in place and having appropriate resources available to implement the plans. Senior management must ensure that effective policies, processes and procedures are in place to execute the plan. Senior management also is responsible for communicating the plan throughout the institution to ensure consistency in approach and so that employees understand their roles and responsibilities.