First published March 20, 2020, Regulatory Intelligence
The business continuity plans (BCP) of financial services firms and market infrastructures were not designed for a long-lasting global pandemic and are likely to come under pressure as the COVID-19 outbreak continues. Faltering BCPs may raise new risks for firms and senior managers, particularly when more traders may be working from home with less surveillance.
"How long can firms survive in this environment when people work from home constantly? We have the Financial Conduct Authority statement saying working from home is OK, but please apply the FCA rules and, if you don't, that will be OK in some cases. They're being flexible on recording [communications], for example. How long firms can allow traders to trade depends on how much they care about call taping and transaction recording. Is this going to be a month or two months? How long can working from home or a back-up centre continue until it becomes the new normal? What does that mean from a governance and market abuse perspective? What does it mean from a senior manager's perspective? It gives rise to a whole number of risks arising from trading happening in a less-supervised environment," said Tim Cant, a financial regulation partner at Ashurst in London.
An announcement by the UK Financial Conduct Authority (FCA) highlighted some of the risks that will arise from homeworking including difficulty recording calls and other communications, submitting regulatory data, conducting trade surveillance as well as preventing market abuse.
"As firms are moving to alternative sites and working-from-home arrangements, they must consider the broader control environment in these new circumstances," the FCA said.
Many firms will not have considered extending a control environment to home working and many employees are not set up for homeworking, beyond having a laptop. The FCA still expects firms to continue to record calls, for example, and expects "some scenarios may emerge where this is not possible". It says it "will continue to monitor for market abuse and, if necessary, take action". How realistic that is given most FCA staff too are now working remotely is hard to know. The regulator is likely to face some of the same challenges as firms.
Market abuse concerns
The FCA's statement highlights its concerns about market abuse occurring while firms are in flux. It asks firms to advise them if they are unable to meet the Market Abuse Regulation ( MAR) or Markets in Financial Instruments Directive II ( MiFID II) recordkeeping and communications surveillance requirements.
"We expect firms to consider what steps they could take to mitigate outstanding risks if they are unable to comply with their obligations to record voice communications. This could include enhanced monitoring, or retrospective review once the situation has been resolved," the FCA said.
The question is whether traders working from home will seek to take advantage of the situation.
"Yes. Yes, they will. That is why monitoring systems have significant amounts of automation and audio/visual alerts and notification waterfalls built in. Nobody is infallible but there should be no increased risk just because someone is taking a breather in another room," said Sam Tyfield, a financial services partner at Shoosmiths in London.
The FCA said thus far business continuity plans were generally working well; however, another view is that the pandemic is showing that BCPs have not been taken seriously enough.
"I call it the COVID canary. This situation has highlighted that business continuity plans were fond aspirations as opposed to concrete plans, which is always the case. It is always ignored. People are very much realising it now," said Frank Brown, practice lead at Bovill in London.
Firms' infrastructure that allows for remote working — conference-calling facilities, virtual private networks (VPN) — is straining to accommodate so many people working from home. Another, more practical, problem is that some employees, including senior managers, are not set up to work from home. Not everyone has a kitted-out home office or reliable broadband.
"It is very difficult for firms. The analogy would be snow in the UK. We don't have high-tech snowploughs and we don't have a lot of them. So we fail. It's the same thing with VPN and broadband. That would be a fair cost to organisations, but maybe it is a cost they need to bear. It hasn't been on their radar prior to this to guarantee bandwidth capacity on VPN, teleconferencing and video conferencing. It may be that after the regulators' work on operational resilience is complete, [guaranteeing bandwidth capacity] is going to be a fixed cost they're going to have to bear. Firms should have X amount of working-from-home capacity as a baseline for business continuity," he said.
Team A, team B and deep cleans in between
Firms have been sending staff to back-up sites for weeks now, in some cases splitting them between the main office and the off-site location. The clear advantage is employees can access surveilled systems, but a disadvantage is travelling to the sites. There are variations on this approach, which will all come under strain if many employees become ill or infect each other on site.
"What many firms are doing is categorising staff into critical and non-critical. Non-critical people can work from home and critical people will ship off to the disaster-recovery site. Now that's been refined and there are two, or four, or eight disaster-recovery sites and critical people are assigned to one. Another approach is to split shifts with a deep clean in between shifts. It's not something you can do overnight, and it needs to have been in planning for a long time. Until you are faced with the reality of a situation, you can't model it," Tyfield said.
The team A, team B approach — two teams alternately using a disaster recovery site — in part relies on there being more than one employee able to fulfil a role. Again, in the event one or both of those employees falls ill, the approach becomes less reliable. Sharing a single back-up site is also a risk. There is then the question of the efficacy of deep cleans.
"Deep cleans are fairly commonplace. There is definitely an aspiration for it, the question is whether cleaning contractors understand how to perform a deep clean in a potential biohazard situation," Brown said.
Reuters reported yesterday that five global banks said they had no plans to disband trading and market-making teams working in London's two main financial districts of the "Square Mile" and Canary Wharf as well as in suburban back-up sites, although they were equipping traders to cope with a sudden change in circumstances.
Four of the banks said they understood financial sector market makers would be defined as "key workers" alongside healthcare professionals and police, meaning some traders would be granted special permissions to travel to work and keep markets open in the event of a city-wide shutdown.