The economic and operational stresses caused by the Novel Coronavirus (COVID-19) are highlighting the need for regulated financial institutions to formulate responses to address significant business disruptions (SBDs) and to revisit and enhance their business continuity plans (BCPs). Financial institutions should review and consider their policies in light of the threats posed by SBDs and also consider their obligations under their respective regulatory regimes. In addition to pandemic-specific guidance published by financial regulators in light of COVID-19, the relevant regulatory agencies have also previously published general business continuity guidance which should be followed in these circumstances. For financial institutions operating on a cross-border basis, different responses to the regulatory requirements may be required or otherwise a global policy that covers all elements or the most stringent requirements should be put in place.
We have already commented on the position for broker-dealers and now comment more broadly for banks as well as broker-dealers, and on a trans-Atlantic basis. You may also like to see our other client notes relating to the impact of COVID-19, such as the impact for derivatives and the use of force majeure provisions in commercial contracts.
Continuity Planning at US Banks, Branches and Bank Holding Companies
The Federal Financial Institutions Examination Council (the FFIEC) recently issued guidance on behalf of its member agencies to remind financial institutions that business continuity plans should address the threat of a pandemic outbreak and its potential impact on the delivery of critical financial services. These financial institutions include U.S. banks, U.S. branches of non-U.S. banks and bank holding companies. It should be noted, however, that this guidance is not exhaustive with respect to BCPs. Financial institutions may consult the Federal Reserve’s website for a more complete set of guidance concerning business continuity plans.
The FFIEC Guidance identifies actions that financial institutions can take in response to SBDs such as pandemics. Specifically, the FFIEC states that an institution’s BCP should “address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, a testing program, and an oversight program to ensure that the plan is reviewed and updated.” Given the ever-evolving nature of pandemics, this portion of the BCP must be flexible and reflect the institution’s size, complexity and business activities.
Various state regulators, including the New York Department of Financial Services (NYDFS), have also published guidance for regulated institutions regarding plan preparedness. Please see our Client Alert, NYDFS Requires COVID-19 Preparedness Plans from Regulated Entities, in Shearman & Sterling Perspectives (March 17, 2020).
Pandemics and Traditional Business Continuity Plans
The FFIEC Guidance highlights the need for financial institutions to contemplate the differences between a pandemic and other traditional forms of business continuity issues. Typically, business continuity issues other than pandemics are more predictable in timeline, sometimes man-made and easier to safeguard against. The human risk and inherent uncertainty of pandemics present an uncertain timeline with a higher number of contingencies. Accordingly, the potential impact of a pandemic on the delivery of critical financial services to its customers should be incorporated into a financial institution’s ongoing business impact analysis and risk assessment processes.
Indeed, U.S. regulatory agencies have requested that financial institutions work with their customers to ensure that services are maintained and customers receive the access to financial products they need during these times of stress. This is reflective of past Federal Reserve guidance, where banking organizations were encouraged to work with borrowers and other customers affected by major disasters or emergencies, including waiving of ATM fees and ease of access to credit.
In addition, state bank regulators, such as the NYDFS, have released guidance on supporting businesses impacted by COVID-19 addressed to New York State regulated banks, credit unions and licensed lenders. In light of the financial stresses that a pandemic can impose on customers, the NYDFS encouraged its regulated banks, credit unions and licensed lenders to consider all reasonable and prudent steps to assist businesses that have been adversely impacted by COVID-19, including:
- Offering payment accommodations, such as allowing loan borrowers to defer payments, extending the payment due dates or otherwise adjusting or altering terms of existing loans, which would avoid delinquencies and negative credit agency reporting;
- Waiving overdraft fees;
- Easing credit terms for new loans;
- Waiving late fees for loan balances; and
- Proactively reaching out to customers and those adversely impacted via app announcements, text, e-mail or otherwise to explain the above-listed and any other assistance being offered to them.
Elements of a Traditional Business Continuity Plan
Below is a non-exhaustive list of topics the FFIEC has stated should be covered in a financial institution’s BCP:
- A program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event. The program may include monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, in addition to providing appropriate hygiene training and tools to employees.
- A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak. The strategy should also include plans for re-entering personnel into the workplace.
- A comprehensive framework of facilities, systems or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods. These may include social distancing, telecommuting, redirecting customers from branch to electronic banking services or conducting operations from alternative sites.
- A program to test the effectiveness of the financial institution’s pandemic planning practices and capabilities.
- Oversight over the pandemic plan so that policies, standards and procedures include up-to-date, relevant information provided by governmental sources or by the financial institution’s monitoring program.
The FFIEC’s Business Continuity Management (BCM) booklet provides a methodology for financial institutions to follow as they develop, update and implement their pandemic plan. Essential to the development and implementation of a pandemic plan is inclusion of senior business management from all functional, business and product areas, including administrative, human resources, legal, IT support functions and key product lines.
In addition to following a cyclical process of planning, preparing, responding and recovering, management may also face specific issues, highlighted below, and can consider mitigating controls.
Board and Senior Management Responsibilities
A financial institution’s board of directors must oversee the development, approval and senior management support of its pandemic response plan. Senior management is responsible for developing the pandemic plan and putting it into practice, including testing and revision of the plan. Senior management must also communicate the plan throughout the financial institution so that employees understand their role and responsibilities in responding to a pandemic event.
Business Impact Analysis Factors
The potential effects of a pandemic should factor into the financial institution’s business impact analysis (BIA). The BIA should:
- Determine which essential business functions and processes may be affected by a pandemic;
- Identify the potential impact of a pandemic on the institution’s essential business functions and processes and supporting resources;
- Identify the potential impact of a pandemic on customers, including which customers could be most affected by a pandemic and how disruption of services to those customers could have the greatest impact on the local economy;
- Identify the laws and regulations applicable to specific business functions and processes;
- Estimate the maximum amount of time a particular business function and process may be down during a pandemic in order for the financial institution to continue functioning properly;
- Assess cross-training conducted for key business positions and processes in case of employee absenteeism or realignment; and
- Evaluate the plans of critical service providers for operating during a pandemic.
Risk Assessment and Risk Management for a Pandemic
Financial institutions should include the following risk assessment and risk management steps for pandemic planning:
- Estimate the impact and probability of a business disruption on operations and prioritize accordingly;
- Assess the financial institution’s ability to mitigate the severity of potential business disruptions resulting from a pandemic;
- Review and approve a written pandemic plan by the board of directors or a committee thereof and senior management at least annually; and
- Communicate and disseminate the plan and the current status of the pandemic to employees.
Action Steps for a Pandemic
The actions that arise from a pandemic should include the following:
- Coordination with third parties, especially those with whom the financial institution is interdependent.
- Identification of triggering events, which occur when an environmental change takes place that requires management to implement its response plans based on the pandemic alert status.
- Employee protection strategies, which promote employee awareness by communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting a pandemic virus.
- Mitigating controls, such as cross-training and that succession plans have been developed.
- Ensuring telecommuting strategies will work by analyzing remote access capabilities.
Ongoing Reassessment and Revision of Pandemic Plans
A financial institution’s pandemic plan should be sufficiently flexible to adjust to ongoing developments and new information. Consistent testing of the pandemic plan can ensure that the plan is able to meet these needs. Accordingly, a pandemic plan should incorporate testing:
- Roles and responsibilities of management, employees, key suppliers and customers;
- Key pandemic planning assumptions;
- Increased reliance on online banking, telephone banking and call center services; and
- Remote access and telecommuting capabilities.
The FFIEC has suggested several alternatives for pandemic testing, which include: “work at home days for critical and essential employees to test remote access capabilities and infrastructure; crisis management team communication exercises; table top exercises that test various scenarios related to escalated absenteeism rates; additional or modified call-tree exercises; and community, regional or industry-wide exercises with members of the financial services sector to test the financial sector’s ability to respond to a pandemic-like crisis.”
Considerations for US Broker-Dealers
Background: FINRA Rule 4370
FINRA Rule 4370 is FINRA’s emergency preparedness and business continuity rule and requires each FINRA member to create and maintain a written BCP identifying procedures relating to an emergency or SBD. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member’s existing relationships with other broker-dealers and counterparties. Broker-dealers with cross-border operations should consider that different responses may be required to address the same SBD across distinct regions.
The elements that comprise a BCP are flexible and may be tailored to the size and needs of a member. Each plan, however, must, at a minimum, address:
- Data backup and recovery (hard copy and electronic);
- All mission-critical systems;
- Financial and operational assessments;
- Alternate communications between customers and the member;
- Alternate communications between the member and its employees;
- Alternate physical location of employees;
- Critical business constituent, bank and counterparty impact;
- Regulatory reporting;
- Communications with regulators; and
- How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
In addition, members must:
- Designate a registered principal who is a member of senior management to approve the plan and conduct the required annual review;
- Disclose in writing to customers upon account opening, on the member’s website, or in writing upon request, how its BCP addresses the possibility of future SBDs of varying scope;
- Update emergency contact information, via such electronic or other means as FINRA may specify, in the event of any material change in accordance with Rule 4517 (Member Filing and Contact Information Requirements); and
- Report to FINRA prescribed emergency contact information for the member.
Many firms also incorporate important testing, both periodic and episodic, in order to detect and remediate weaknesses and to demonstrate compliance.
Among the considerations that broker-dealers should assess when evaluating their policies are the following:
Health and Safety
In the event of a SBD, firms may need to take steps to ensure the physical safety and health of associated persons. For example, many firms today have general prohibitions on associated persons traveling to epidemic-affected countries and/or certain affected areas of countries. Some firms require supervisory approval to travel to non-affected areas of affected countries. These prudential prohibitions are important as the State Department makes recommendations that U.S. citizens do not travel to affected areas, but rarely bans citizens from traveling.
In the case of pandemics, firms also have to grapple with policies for both associated persons who (i) have travelled to affected areas, and who (ii) may have come into contact with others (e.g., roommates) who have travelled to affected areas. Firms should develop and communicate those policies to associated persons, and some firms are utilizing systems to monitor associated persons. Some firms have adopted quarantine policies for associated persons who have travelled to affected areas, prohibiting them from coming to the office and requiring them to self-isolate for 14 days or more.
When SBDs occur, it is common for larger-than-usual numbers of broker-dealer associated persons to work remotely, including from home. Broker-dealer associated persons should be cautioned not to hold any location out as an office of the firm (other than firm-designated non-branch locations, branch offices and offices of supervisory jurisdiction (OSJs). Further, associated persons who are working remotely should be reminded not to store any firm documents at their personal residences, but rather to scan documents into firm systems. Associated persons working remotely should also be reminded of good document security practices.
When larger than usual numbers of associated persons are working remotely, communication between associated persons and supervisors, as well as communication among supervisors, is critical. Technology has vastly changed broker-dealer remote work in the past few years, with personal video conferencing technologies available on most phones and well-regarded document sharing systems, screen-sharing systems and virtual private network systems (VPNs) used throughout the industry. Broker-dealer teams that work remotely report that increased use of these technologies and increased frequency of team calls among working units (and among unit supervisors) are best practices.
Other firms, in anticipation of having larger-than-usual numbers of associated persons working remotely, are creating multiple teams that can come into office locations on a rotating or periodic basis as a means of balancing reduced in-office time with maintenance of core systems.
Telecommuting can interrupt normal flows of communication between associated persons, customers, regulators and critical business constituents like banks, clearing houses and counterparties. Many firms use communication technologies effectively to minimize communications disruptions. To ensure that communications are not disrupted while associated persons are working from outside of the office, firms may wish to review their policies and BCPs to determine if any further detail is required.
Firms should also consider creating a centralized process for simultaneously contacting all associated persons that are working outside of the central office rather than depending on each unit to contact staff individually. It is also a best practice to frequently update emergency contact lists.
Outsourced Functions and Vendor Management
Member firms’ increased use of outside entities to perform functions related to their business operations can create compliance risks, particularly during SBDs. Regulators have stated that a member firm’s use of a third-party service provider does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules. As such, firms should take reasonable steps to ensure that all of its current or prospective third-party service providers, especially those relating to core services such as clearing brokers, are capable of performing any required outsourced activities in the case of a SBD.
One best practice is for firms to create a list of their vendors, assess the susceptibility of each vendor to SBDs, categorize vendor relationships in terms of that risk and then incorporate that assessment into the firm’s own BCP. It is also a best practice to maintain contact information for key relationship contacts at essential high-risk vendors, especially e-mail addresses and mobile phone numbers.
Critical Broker-Dealer Functions
In the broker-dealer context, certain activities require special consideration when responding to SBDs. Firms should consider examining their policies and procedures to ensure that SBDs will not prevent them from:
- Communicating with customers (firms should promptly place a notice on their website indicating alternative communication methods if normal customer communication is interrupted);
- Providing customer access to funds and securities;
- Order taking;
- Order entry;
- Order execution;
- Communicating effectively with markets, exchanges, venues and regulators;Transferring securities to and from clearing agencies;
- Custody of securities; or
- Creating and retaining books and records in compliance with SEC and FINRA regulations (including that electronic records must be kept in write once read many (WORM) format).
FINRA Regulatory Notice 20-08: Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief
On March 09, 2020, FINRA published Regulatory Notice 20-08 specifically addressing pandemic-related business continuity considerations in light of the COVID-19 outbreak, as well as providing potential regulatory relief from certain obligations. This notice did not create new rules or obligations, but highlighted key considerations for member firms and noted the possibility of additional regulatory relief and guidance in the future. For additional information regarding this notice, see our Client Alert Update Regarding FINRA Regulatory Notice 20-08: Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief, in Shearman & Sterling Perspectives (March 13, 2020).
Considerations for Banks and Investment Firms in the EU and UK
The Markets in Financial Instruments Directive and the Capital Requirements Directive require EU banks and investment firms to take reasonable steps to ensure continuity and regularity in the performance of the firm’s services and activities, by using appropriate and proportionate systems, resources and procedures. The requirements in both of these Directives have been transposed into the national laws of EU member states and there may be differences in the approach that require a nuanced response by firms.
Significant Institutions in the Banking Union
The Banking Supervision arm of the European Central Bank sent a letter to large Eurozone banks and investment firms on March 03, 2020. The ECB is responsible for direct prudential supervision of certain significant banks based in the Eurozone as part of the Single Supervisory Mechanism. The focus of the ECB’s letter is on the need for firms to consider contingencies where operations are dependent on their staff remaining healthy and available to work, as well as having access to the suitable systems and processes. The ECB calls on firms to:
- Establish adequate measures of infection control in the workplace, including systems to reduce infection transmission and worker education;
- Assess their contingency plans, in particular, to ensure that the plans include a pandemic scenario and provide for scaling measures appropriate for the firm’s geographic footprint and business risk, taking into account the stages of a pandemic outbreak;
- Assess how quickly measures could be implemented and how long operations could be sustained in a pandemic scenario;
- Assess whether alternative and sufficient back-up sites can be established;
- Assess and test the firm’s capabilities for large scale remote working;
- Assess and test the capacity of existing IT infrastructure;
- Assess the risks of increased cyber-security related fraud; and
- Assess the ability of their critical service providers to ensure continuity of services.
The U.K. Financial Conduct Authority (FCA) published a statement on COVID-19 on March 04, 2020, highlighting that, along with the Bank of England, the Prudential Regulation Authority and HM Treasury, the FCA is actively reviewing the contingency plans of a wide range of firms. The statement confirms that, where a firm is using backup sites or allowing staff to work remotely, the FCA expects firms to be able to continue to enter orders and transactions promptly and use recorded lines when trading. Staff should also have access to the required compliance support.
The FCA has also published a statement on support for consumers in which it makes clear that firms must continue to treat customers fairly in light of the coronavirus pandemic. Furthermore, on March 17, 2020, the FCA issued a statement setting out the steps it was taking in response to the epidemic to ensure the protection of consumers and the continued functioning of markets, including adjustments to its own work program and delaying deadlines for responses to consultations. Many persons working at regulators, as well as in institutions, are now working remotely and so this will change the way in which interactions such as meetings, calls, filings and regulatory processes take place. Based on our own recent interactions with the FCA, we understand that the FCA is allowing extended time to persons involved in authorization and supervisory processes to respond to information requests and is being flexible where possible.
U.K. banks and investment firms are required to establish, implement and maintain an adequate BCP. The objective of the BCP is, in the event of an interruption to a firm’s systems and procedures, to limit losses, preserve essential data and functions and ensure a firm can maintain its regulated activities. Where that is not possible, the aim of the BCP should be the timely recovery of the data and functions and the timely resumption by the firm of its regulated activities.
The U.K.’s FCA states that other firms should consider the business continuity rules as if they were guidance.
Elements of a Business Continuity Plan
A BCP should cover:
- Resource requirements, such as people, systems and other assets, and arrangements for obtaining these resources;
- The recovery priorities for the firm’s operations;
- Communication arrangements for internal and external concerned parties, including the U.K. regulators, a firm’s clients and the media;
- Escalation and invocation plans that outline the processes for implementing the BCP, together with relevant contact information;
- Processes to validate the integrity of information affected by the disruption; and
- Regular testing of the BCP in an appropriate and proportionate manner.
U.K. regulatory guidance states that firms should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements. In addition, firms must take steps to address any identified deficiencies.
Business continuity plans within the operational resilience framework
The U.K. business continuity rules are closely related to the rules and policies on operational resilience. When considering a firm’s BCP, the relevant U.K. regulator will consider how it fits into the firm’s overarching operational resilience framework.
Furthermore, the U.K. regulators will also consider any relevant and applicable EU guidance issued by one of the European Supervisory Authorities.
Consistent with the approach of the U.S. regulators, the U.K. regulators continue to state that a firm remains fully accountable for any function that is has outsourced to a third party.
The Prudential Regulation Authority (PRA) is consulting on proposals to modernize the regulatory framework applicable to banks and large investment firms on outsourcing and third-party risk management. The proposals are in response to the increasing reliance by firms on technology provided by third-party providers, which creates risks around, for example, data security. The proposals include requiring firms to:
- Maintain an up-to-date register of information on their outsourcing arrangements (proposed to apply from December 31, 2021);
- Conduct due-diligence on their proposed service providers and undertake and risk assessments to determine the materiality of each outsourcing arrangement; and
- Cover key areas in written outsourcing agreements, such as data security, access, audit and information rights, sub-outsourcing and business continuity and exit plans.
Both the PRA and the FCA hold banks and investment firms to high-level principles. Two of these are particularly relevant to business continuity planning. First, a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems. Secondly, a firm must deal with its regulators in an open and cooperative way, disclosing to the relevant regulator anything relating to the firm that the regulator would reasonably expect notice.
Key Takeaways from the FCA’s Review of UK Retail Banks’ BCPs
In July 2019, the FCA published the outcome of a review into the BCPs of U.K. small-to-medium sized retail banks, payment institutions and electronic money institutions. The FCA set out its expectations of firms and the key takeaways are set out below.
U.K. banks and investment firms should ensure that they provide adequate training to all staff across the firm on the firm’s business continuity planning and implementation. This will assist all staff to understand what is expected of them when responding to an event.
Customer Communication and Processes
U.K. banks and investment firms should identify and document customer critical processes, which can be prioritized swiftly for action. The objective is to reduce harm.
The FCA expects firms to proactively identify, test and revise the firm’s relevant capabilities—people, systems and processes—on an ongoing basis. Where a firm identifies a weak area, it should take steps to enhance the firm’s response to reduce harm.
To speed up reaction times, U.K. banks and investment firms should consider preparing detailed pre-drafted and pre-approved communication plans for internal/external stakeholders, including their customers. These communication plans might include specific messages to be used, how they should be issued and in which scenarios.
Individuals Responsible for Responding to an Event
A firm’s response to an event should be managed and driven by appropriate individuals with relevant knowledge, experience and seniority. A firm could also consider introducing an additional independent overlay, responsible for oversight and challenge of proposed solutions and timeframes.
Recent events have challenged firms across the globe, and financial institutions are no exception. All financial institutions should consider their business continuity and emergency preparedness plans and determine if any additions, modifications or updates are required.