- This Katten Advisory focuses on the impact of the COVID-19 outbreak on regulatory compliance obligations of financial firms operating in the United States, with a focus on securities and derivatives industry matters.
- Key US regulatory bodies, including the Commodity Futures Trading Commission, the Securities and Exchange Commission, the National Futures Association and the Financial Industry Regulatory Authority, have issued guidance and/or specific relief in light of the COVID-19 pandemic, and many of these critical releases issued to date are summarized herein.
- This Advisory also includes, as appendices, a summary chart of illustrative business continuity plan (BCP) requirements applicable to certain derivatives and securities industry firms and a practical "checklist" that firms can use to assess and respond to issues during this challenging time.
- For further information and guidance around COVID-19, the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and Johns Hopkins University & Medicine maintain robust websites of relevant information, which are being updated on an ongoing basis.1
COVID-19 — Specific Guidance from Regulators
Multiple regulators have issued informational guidance and/or specific regulatory relief in response to the COVID-19 outbreak.2
To the extent there may be unique regulatory compliance challenges, firms are advised to discuss them in advance with relevant regulators and seek relief, if possible; in all cases, firms should ensure that all regulatory breaches or difficulties meeting regulatory standards are documented with as much specificity as possible.
In the sections that follow, we summarize each regulator's compliance guidance and/or relief issued to date to address this pandemic.
On March 17, the Commodity Futures Trading Commission (CFTC) issued a series of no-action letters to provide certain CFTC-regulated entities and registrants with temporary regulatory relief from a targeted set of regulatory requirements.3
- The CFTC's Division of Swap Dealer and Intermediary Oversight (DSIO) issued a set of Staff Letters4 aimed at a broad range of market participants — including futures commission merchants (FCMs), introducing brokers (IBs), swap dealers (SDs), retail foreign exchange (forex) dealers, floor brokers, and members of designated contract markets (DCMs) and swap execution facilities (SEFs). These letters provide for temporary no-action relief from a number of CFTC regulatory requirements, as described below.
- Until June 30, 2020, DSIO will not recommend enforcement action against FCMs, IBs, SDs, retail forex dealers, floor brokers and members of DCMs and SEFs for failure to record the time and date on certain order records and trade information by time stamp or other timing device as required by CFTC rules if the personnel who are responsible for preparing such records are mandated by the firm's BCP to be absent from their normal offices, provided that the required records are created, are maintained, and include any required date and time to the nearest minute. This date and time entry could be manually entered.
- Until June 30, 2020, DSIO will not recommend enforcement action against FCMs, IBs, SDs, retail forex dealers, and floor brokers for failure to record the oral communications of personnel who would otherwise be required to use a recorded line pursuant to CFTC rules if such personnel are mandated by the firm's BCP to be absent from their normal offices, provided that a written record of the communication is maintained that identifies date, time, participants and subject matter, and that the firm takes "affirmative steps" to collect and maintain any written materials prepared by affected personnel in connection with such communications.
- Until June 30, 2020, DSIO will not recommend enforcement action against floor brokers who are not physically located in a pit or other place determined by a contract market, nor will floor brokers be subject to a requirement to register as an IB because of failure to so locate, if the floor broker is required by the DCM's BCP to be absent from such place.
- DSIO will not recommend enforcement action against FCMs and SDs who would otherwise be required to provide the CFTC with a copy of their Chief Compliance Officer (CCO) annual reports prior to September 1, 2020, provided that they submit such reports within 30 calendar days of their original due dates.
- The CFTC's Division of Market Oversight (DMO) issued a set of Staff Letters5 covering SEFs and DCMs. These letters provide for temporary no-action relief from certain audit trail-related requirements for SEFs and DCMs, as well as an extension of the deadline for submission of CCO annual compliance and certain financial reports for SEFs.
- Until June 30, 2020, DMO will not recommend enforcement action against any SEFs that cannot meet requirements around recording of voice communications, to the extent that voice trading personnel are outside their normal offices, provided that the SEF makes reasonable efforts to record in writing the time, date, parties and subject matter of unrecorded conversations, all transaction terms are captured in SEF systems, and orders (even if placed on unrecorded lines) are retained in the SEF's normal audit trail.
- Until June 30, 2020, DMO will not recommend enforcement action against DCMs that fail to comply with audit trail requirements, to the extent that those failings are a result of interactions with market participants who are relying on the DSIO Staff Letters described above, provided that the DCM requires such participants to comply with the applicable conditions of those DSIO Staff Letters and that orders entered by such participants are retained in the DCM's normal audit trail.
- DMO will not recommend enforcement action against any SEF or SEF CCO for failure to timely submit to the CFTC either an annual compliance report or a fourth quarter financial report (where either report would have been due prior to September 1, 2020), provided that such reports are submitted no later than 120 days after the end of the fiscal year for that SEF.
The Securities and Exchange Commission (SEC) has provided COVID-19 related conditional regulatory relief with respect to certain obligations of investment advisers and investment companies, and has issued no-action relief with respect to compliance with Consolidated Audit Trail-related obligations of national securities exchanges and securities brokerage firms.6
- With respect to federally registered investment advisers, the SEC has made available conditional relief from filing/delivery obligations for filings due on or before April 30, 2020 (which would include many advisers' annual Form ADV and Form PF filings) if a filer cannot meet a deadline due to the impact of COVID-19. This relief allows for an extension of the relevant filing deadline for up to 45 days from its original date but requires communication of the reasons for the requested relief to the SEC and/or clients.7
- The SEC has updated certain online FAQ pages to address certain issues that investment advisers are facing as a result of the COVID-19 pandemic. The SEC clarified that advisers do not need to add additional offices to their Form ADV filings to reflect temporary telework arrangements that are part of a firm's BCP.8 With respect to the so-called "custody rule" (SEC Rule 206(4)-2), the SEC indicated that, if a client mails or otherwise delivers assets to the adviser at one of its office locations, it would not consider an adviser to have received those assets until firm personnel can actually access deliveries at that location.9 In addition, an existing custody rule FAQ provides that SEC staff would not recommend enforcement action if a pooled investment vehicle's audited financial statements are distributed after the standard 120-day deadline if the adviser reasonably believed the statements would be distributed in a timely fashion, but were not so distributed "under certain unforeseeable circumstances."10
- Additionally, the SEC has granted the following conditional regulatory relief to registered investment companies and business development companies, provided that they have been adversely affected by COVID-19: relaxation of requirements around in-person voting by boards of directors; temporary extensions (up to 45 days) of deadlines for Form N-CEN and Form N-PORT filings, as well as due dates for semiannual and annual report and prospectus deliveries; and allowance for certain firms to call or redeem securities upon fewer than 30 days' notice (which notice is accomplished by filing Form N-23C-2).11
- The SEC's Division of Trading and Markets (DTM) has provided the participants in the Consolidated Audit Trail (CAT) NMS Plan (i.e., the national securities exchanges and the Financial Industry Regulatory Authority (FINRA)) with no-action relief from enforcing their CAT compliance rules with regard to CAT implementation deadlines against members of such exchanges and against members of FINRA.12 DTM indicates that its no-action relief applies through May 20, 2020, but could be extended.
On March 4, National Futures Association (NFA) issued a Notice to Members13 reflecting its understanding that, in developing contingency plans to deal with the impact of COVID-19, members may have "specific concerns" regarding their ability to comply fully with all CFTC and NFA requirements, particularly if some or all of their staff are unable to work from the firm's offices or backup facilities. According to the Notice, NFA and CFTC staff "intend to take a practical approach that will give [m]embers appropriate flexibility in implementing contingency plans needed to continue to conduct business" if regulatory relief is required. However, NFA encourages members to review their BCPs to ensure they address situations like COVID-19 and contain up-to-date information (e.g., current key persons and contact information). NFA also recommends that members consider providing employees with new or updated training on working from remote locations.14
On March 13, NFA provided relief from the requirement that all associated persons (APs) who are not located in a member's main office must work from a branch office that has been listed on the member's Form 7-R, which office must be supervised by a branch office manager. NFA stated that it will not pursue disciplinary action against a member that permits APs to work temporarily from locations not listed as branch offices and without branch managers, provided that the member implements alternative supervisory methods to adequately supervise the APs' activities and meet its recordkeeping requirements. Member firms should also ensure that these procedures are documented.15
On March 18, NFA issued another Notice to Members16 allowing for parallel temporary relief for its members in line with the regulatory relief granted in the no-action letters issued by the CFTC on March 17, as discussed above. NFA additionally provided relief to forex dealer members (FDMs) in the form of 30-day filing deadline extensions for FDMs' CCO annual reports, if such FDMs would otherwise have had CCO annual report filing due dates between March 31 and September 1, 2020.
On March 9, FINRA issued a Regulatory Notice17 containing updated pandemic-related guidance and regulatory relief for its member firms. The Notice encourages member firms to review their BCPs to consider pandemic preparedness and contact their FINRA Risk Monitoring Analysts to discuss the possibility of implementing those BCPs if needed and any other issues with respect to pandemic-related disruptions of their businesses. The Notice provides a range of specific regulatory relief in various areas, including with respect to supervision and oversight of associated persons working in remote offices or via telework arrangements; however, FINRA made clear that it still expected member firms to establish and maintain a supervisory system reasonably designed to oversee each associated person working remotely. Other relief granted by FINRA relates to suspension of Form U4 requirements for temporary relocations of registered persons and Form BR filing requirements for new temporary office locations. However, if a member relocates personnel to a temporary location that is not currently registered as a branch office or identified as a regular non-branch location, the firm should provide written notification to its FINRA Risk Monitoring Analyst as soon as possible, and such notice should include at a minimum the office address, the names of each member firm involved, the names of registered personnel affected, a contact telephone number, and, if possible, the expected duration of the relocation. The Notice also grants certain extensions or late-fee waivers in connection with filings or qualifications. FINRA stated that it understands that members may require additional time to respond to open inquiries or investigations and to make upcoming filings, and members should contact FINRA staff to seek extensions where needed. The Notice further advises that if appropriately registered personnel are unavailable to service customers, firms should post notice on their websites to inform affected customers of the appropriate person to contact concerning execution of trades and access to funds and securities.
Additionally, FINRA has created coronavirus-related FAQs that will provide temporary relief to member firms from certain FINRA rules and requirements.18 To date, the FAQs grant member firms temporary relief from the requirement in FINRA Rule 1010(c) that all Form U4 filings must be manually signed, subject to certain conditions.
Business Continuity Requirements
Currently, most financial services companies operating in the United States are subject to requirements that they have comprehensive BCPs in place. With respect to requirements issued by securities and derivatives industry regulators, illustrative examples of these obligations are generally summarized in the comparison table set forth in Exhibit A. Note that firms must generally designate emergency contact persons and provide their information to applicable regulators; in light of the current situation, firms should be sure to promptly review and update any such information.
Employment, Cybersecurity, and Other Legal and Practical Considerations
Exhibit B to this Advisory includes a list of actions or assessments that firms should take in light of the COVID-19 outbreak. This list is not intended to be exhaustive, but rather a pragmatic guide toward high-value preparatory or responsive activities to which firms might choose to dedicate their resources under current circumstances. Many of the items in Exhibit B relate to considerations around employees' working from home, which is now being required by an ever-increasing number of financial services companies.
The most important measure companies and individuals can take during the current crisis is to be informed by facts. Knowledge of COVID-19 and its impact on the community is quickly evolving day by day, so the best practice that any firm can follow is to closely monitor communications from government sources - particularly the CDC and the WHO19 - for additional guidance and information.
EXHIBIT A – BCP Requirements Summary Chart
--> Scroll to see full table data
--> Scroll to see full table data
(17 C.F.R. § 23.603)
(17 C.F.R. § 270.38a-1; Inv. Mgmt. Guidance Update No. 2016-04)
(Compliance Rule 2-38; Interpretative
Notice No. 9052)
Swap dealers (SDs) and major swap participants (MSPs)
Registered investment companies and business development companies20
NFA Members (i.e., futures commission merchants (FCMS), introducing brokers (IBs), commodity pool operators (CPOs), commodity trading advisors (CTAs) and retail forex dealers)
FINRA Members (i.e., securities broker-dealer firms)
Essential contents (as applicable)21
Essential contents (as applicable) (cont.)
(1) Identification of (a) documents, data, facilities, infrastructure, personnel and competencies essential to operations and obligations of the firm; (b) supervisory personnel responsible for implementing the BCP and emergency contacts; and (c) potential interruptions at third parties that are necessary to the operations of the firm and a plan to minimize the impact of such disruptions;
(2) Communication plan for the following persons in the event of a disruption: counterparties; swap data repositories; execution facilities; trading facilities; clearing facilities; regulatory authorities; data, communications and infrastructure providers and other vendors; disaster recovery specialists and others essential to recovery of documentation and data, resumption of operations, and compliance with Commodity Exchange Act and CFTC rules;
(3) Procedures for back-up facilities, infrastructure, staffing and other resources for the recovery of data and documentation and to resume operations as soon as reasonably possible (ordinarily, by the next business day);
(4) Maintenance of back-up facilities, infrastructure and staffing arrangements in areas geographically separate from the firm's primary facilities, infrastructure and personnel (including contractual arrangements for use of facilities and infrastructure of third parties); and
(5) Back-up or copying, with sufficient frequency and off-site storage, of documents and data essential to the operations and regulatory obligations of the firm.
(1) Covering the facilities, technology/systems, employees, and activities conducted by the firm's adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers;
(2) Including a broad cross-section of employees from key functional areas across the fund complex typically including, but not limited to, senior management (including officers of the fund), technology, information security, operations, human resources, communications, legal, compliance, and risk management to assist in efforts to ensure continuity and resiliency when events occur; and
(3) With respect to critical service providers: (i) understanding their backup processes and contingency plans, and how they interact with the firm's BCP; (ii) understanding how the providers monitor, detect and respond to security incidents, as well as having communication protocols to implement if needed with respect to providers; (iii) addressing how the BCPs of key providers might interact with each other and with the fund's BCP; and (iv) contemplating how a service provider disruption might impact the firm's business under various scenarios.
(1) Establishing back-up facilities, systems, and personnel that are located in one or more reasonably separate geographic areas from the Member's primary facilities, systems, and personnel (e.g., primary and back-up facilities should be located in different power grids and different telecommunication vendors should be used), which may include arrangements for the temporary use of facilities, systems, and personnel provided by third parties;
(2) Backing up or copying essential documents and data (e.g., general ledger) on a periodic basis and storing the information off-site in either hard-copy or electronic format;
(3) Considering the impact of business interruptions encountered by third parties and identifying ways to minimize that impact; and
(4) Developing a communication plan to contact essential parties such as employees, customers, carrying brokers, vendors and disaster recovery specialists.
(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the member;
(5) Alternate communications between the member and its employees;
(6) Alternate physical location of employees;
(7) Critical business constituent, bank, and counter-party impact;
(8) Regulatory reporting;
(9) Communications with regulators; and
(10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
BCP review required?
Yes – annually
Yes – at a minimum annually
Yes – periodically
Yes – annually
Each SD and MSP must provide to the CFTC the name and contact information of two employees whom the CFTC can contact in the event of an emergency or other disruption. The individuals identified must be authorized to make key decisions on behalf of the SD or MSP and have knowledge of the firm's BCP.
Firms must designate Chief Compliance Officers (CCOs), and these individuals' contact information is regularly reported to the SEC and can presumably be used by the SEC in case of emergency.
Each FCM, SD, MSP and retail forex dealer must provide NFA with names and contact information for all key management employees (as identified by NFA) and the addresses for its primary and alternate disaster recovery sites. Each IB, CPO and CTA must provide NFA with an individual whom NFA can contact in the event of an emergency (with an additional backup contact if the member has more than one principal). Emergency contact persons must be authorized to make key decisions in the event of an emergency.
Member must report to FINRA prescribed emergency contact information for the member, including designation of two associated persons as emergency contact persons. At least one emergency contact person must be a member of senior management and a registered principal of the member. A member with only one associated person must designate as a second emergency contact person an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations.
EXHIBIT B – COVID-19 "Checklist"
Employee and cybersecurity related matters
- Establish and/or test emergency communication systems for employees.
- Communicate essential aspects of the firm's business continuity plan (BCP) to employees, particularly as may be amended in light of the COVID-19 pandemic, and ensure that all employees understand their roles and obligations pursuant to the BCP.
- Plan for long periods of working from home (WFH), understanding that employee-supervision requirements must be met and cybersecurity protections should be accorded particular importance.
- Take all reasonable steps to ensure compliance with regulatory and supervisory obligations and firm policies. Document all regulatory-related decisions, in particular to the extent that full compliance cannot be achieved.
- Document, in writing, practical and sufficiently specific procedures that should be followed while operating on a WFH basis. Consider in particular dealings with customers and counterparties and maintenance of confidentiality and data privacy, and include specific guidance on how required records (including records around trade orders) that are generated remotely should be retained and transmitted to the firm.
- Issue clear guidance on employees' use of virtual private networks, secure Wi-Fi networks, two-factor authentication, and personal devices/accounts.
- Implement means to train employees on and test compliance with WFH procedures.
- Monitor usage of all major systems against capacity limitations, and anticipate how a capacity constraint would be addressed.
- Inform all customer or third party contacts of the best methods by which to reach firm personnel.
- To the extent possible, encourage supervisors to stay in close contact with all subordinates, preferably by video or telephone. Regularly schedule team "check-ins" can be helpful to boost morale and identify common issues with WFH systems.
- Enhance cybersecurity surveillance and alert employees to the heightened risk of potential cyberattacks in the WFH environment. Employees should remain vigilant of potential phishing scams, exercise caution when handling emails, and report any suspicious communications.
- Implement reasonable business travel protocols, including restricting nonessential business travel and requiring a self-quarantine period for employees who have visited high-risk areas or are exhibiting symptoms of illness.
- Understand obligations to provide reasonable accommodation for disability and family/individual sick leave, while also respecting medical privacy, and wage payment obligations to employees who do not or cannot report to work. Monitor government sources for potential updates related to these issues.
- Ensure employee-related policies and procedures comply with applicable local, state and federal laws.
- Be cognizant of preventing unlawful discrimination in the workplace by not making determinations of risk based on race or ethnicity.
Customer relations, trading, financial risk and regulatory related matters
- Review contracts with customers and counterparties to ensure that compliance with all provisions can be maintained; take note of provisions that might be effected by the COVID-19 pandemic (e.g., force majeure, material breach, material adverse change/effect, investment/leverage restrictions, required notices).
- Consider whether any public/investor-facing disclosures or materials and/or materials submitted to applicable regulators or markets should be updated in light of developments related to COVID-19.
- Establish and/or test backup communication channels to connect with customers, counterparties and regulators.
- Consider proactively reaching out to all customers to keep them abreast of firm operations and provide them with emergency firm contacts.
- Ensure processes are in place to handle routine communications with customers and regulators.
- Review and update internal and external authorizations around trading, account access, and service-provider approvals.
- Closely monitor leverage and margin arrangements, and review any related documentation, especially with respect to covenants, conditions, and collateral requirements.
- Consider potential for margin calls; assess whether degrees of leverage and/or counterparty exposure are appropriate in light of market volatility.
- Conduct stress tests to identify any potential or nonobvious risks to firm liquidity.
- Be particularly cognizant of communication obligations with respect to any deterioration or worsening of the firm's financial condition.
- Keep apprised of new communications or guidance from governmental or regulatory bodies.
Service provider and insurance related matters
- Identify key service provider and other third-party relationships (e.g., with clearing firms, custodians, fund administrators, telecommunication services, outsourcing companies, mail services, utilities).
- Establish and/or test backup lines of communications with these providers.
- Create plains to address potential disruptions in service at these providers.
- Review contracts with these providers to identify provisions that might be implicated by the COVID-19 outbreak (e.g., performance risk allocation, force majeure, material breach, material adverse change/effect, required notices).
- Review provider's BCPs or contingency plans for potential interdependencies or weaknesses, and create a plan to address such shortcomings.
- Review commercial insurance policies for any potentially available coverage and any express exclusions/limits.
- Assess notice and claim requirements under existing policies, especially relating to proof and quantification of loss, and have a plan in place to prepare and send such communications to insurers promptly.
- Determine whether liability insurance policies might cover emergency actions taken by agents of the firm, and document decisions and justifications for actions in a manner that would support potential claims on these policies.
2 The focus herein is on US regulators. Note that the UK Financial Conduct Authority (FCA) also issued a Statement reconfirming its expectation that all firms have contingency plans to handle major events. The FCA indicated it expects firms "to take all reasonable steps" to ensure they meet their regulatory requirements, including, for example, maintaining the capability to enter orders and transactions into appropriate systems, recording conversations when trading, and providing staff compliance support when required. FCA, Statement on Covid-19 (coronavirus) (Mar. 4, 2020), https://www.fca.org.uk/news/statements/covid-19-coronavirus.
11 Order Granting Exemptions from Specified Provisions of the Investment Company Act and Certain Rules Thereunder; Commission Statement Regarding Prospectus Delivery, Investment Company Act Release No. 33817 (Mar. 13, 2020), https://www.sec.gov/rules/other/2020/ic-33817.pdf.
12 Consolidated Audit Trail Reporting, SEC Staff No Action Letter (Mar. 16, 2020), https://www.sec.gov/divisions/marketreg/mr-noaction/2020/consolidated-audit-trail-reporting-031620.pdf. Separately, the SEC staff also issued relief that exempts the CAT participants from collecting or retaining certain retail customer data, including social security numbers and birthdates. Order Granting Conditional Exemptive Relief from Section 6.4(d)(ii)(C) and Appendix D Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the National Market System Plan Governing the Consolidated Audit Trail, Securities Exchange Act Release No. 34-88393 (Mar. 17, 2020), https://www.sec.gov/rules/exorders/2020/34-88393.pdf.
14 Note that the CME Group and ICE Futures U.S. also granted relief from certain of their rules to their members. During the duration of the COVID-19 pandemic, both organizations indicated that persons authorized to handle customer orders could do so from locations other than the premises of registered entities, provided such locations were approved by their employers; CME Group issued special rules on this topic with respect to floor brokers. The organizations have also prescribed processes for accepting orders that cannot be entered immediately into the organization's order matching system. The organizations stated that they will not require compliance with oral recording requirements with respect to orders handled remotely. CME Group also adopted express exemptions from preparing order records with electronic timestamps for block trade and exchange for related product transactions arranged from remote locations during the COVID-19 pandemic. See CME Group, Regulatory Relief Concerning Covid-19 Pandemic, Special Executive Report S-8559 (Mar. 13, 2020), https://www.cmegroup.com/content/dam/cmegroup/notices/market-regulation/2020/03/SER-8559.pdf; ICE Futures U.S., Temporary Relief from Exchange Rule 4.18(e) and Other Requirements for Intermediaries Handling Customer Business (Mar. 13, 2020), https://www.theice.com/publicdocs/futures_us/exchange_notices/ICE_Futures_US_COVID-19_MEMO_2020313.pdf.
20 Note that, in 2016, the SEC proposed BCP requirements for investment advisers, but such requirements have not been implemented to date. See Press Release, SEC, SEC Proposes Rule Requiring Investment Advisers to Adopt Business Continuity and Transition Plans (June 28, 2016), https://www.sec.gov/news/pressrelease/2016-133.html.
21 The SEC guidance does not contain minimum requirements, but rather presents the material included here as "notable practices" for fund businesses.