First published on 13th March 2020 by Todd Ehret, Thomson Reuters Regulatory Intelligence
As the global COVID-19 pandemic spreads, some financial services firms and regulators who have resisted the growing practice of telecommuting are allowing or requiring employees to work from home. The change in policy is welcomed by many.
Wall Street giants JPMorgan Chase & Co, Goldman Sachs and Morgan Stanley this week announced programs for working remotely to stem the spread of the pandemic, after financial firms reported their first cases of the disease in New York City.
However, the practice presents challenges, risks, and opportunities for compliance departments at these firms. Security, compliance monitoring, and supervisory obligations required by regulatory bodies all present challenges in a telecommuting environment. Below we review some of these challenges and offer some practical suggestions.
The U.S. Securities and Exchange Commission (SEC) this week encouraged its Washington, D.C. employees to work from home. The move came after the SEC was informed that a headquarters employee was treated for respiratory symptoms. "The employee was informed by a physician that the employee may have the coronavirus and was referred for testing," an SEC spokesperson said. "Amongst other precautions, the SEC is encouraging Headquarters employees to telework until further guidance."
A spokesperson for the SEC said, "the SEC remains able and committed to fully executing its mission on behalf of investors, including monitoring market function and working closely with other regulators and market participants."
The SEC issued a coronavirus directive this week that was joined by a long list of regulators. Several banking agencies agreed they would also "provide appropriate regulatory assistance to affected institutions subject to their supervision." The SEC called for transparency on the part of firms in disclosing material risks and operational concerns to investors, adding that it would ease regulatory burdens modestly and "consider additional relief from other regulatory requirements" if needed.
"Regulators note that financial institutions should work constructively with borrowers and other customers in affected communities," said the bank regulators' statement. "Prudent efforts that are consistent with safe and sound lending practices should not be subject to examiner criticism." The letter was issued by the Federal Reserve, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corp., and other agencies.
On Monday, the Financial Industry Regulatory Authority (FINRA) released a regulatory notice advising brokers to review their business continuity plans and consider their preparations for such pandemic situations. The notice also addressed the possible need to work remotely. "FINRA understands that the use of remote offices or telework arrangements during a pandemic may necessitate a member firm to implement other ways to supervise its associated persons who change their work locations or arrangements for the duration of the pandemic," the notice said.
Review business continuity plans
The sudden need to work remotely as a result of the coronavirus pandemic should prompt compliance departments to review their business continuity plans (BCPs). Despite an annual requirement to review BCPs under FINRA Rule 4370, BCPs only seem to garner attention at the time of crisis. The terrorist attacks of September 11, 2001, and Hurricane Sandy are two examples where financial services firms experienced disruptions and were forced to enact their BCPs.
FINRA Rule 4370(c) requires that business continuity plans address several critical areas, including: (1) data backup and recovery; (2) all mission-critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the member; (5) alternate communications between the member and its employees; (6) alternate physical location of employees; (7) critical business constituent, bank, and counter-party impact; (8) regulatory reporting; (9) communications with regulators; and (10) how the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
FINRA has provided a Small Firm Business Continuity Plan Template as an optional tool to aid small firms.
Another valuable resource can be found in items 16 and 18 in the FINRA Business Continuity Planning FAQs, which discuss a firm's preparation and testing efforts, particularly related to pandemics.
FINRA Regulatory Notice 09-59 was released in 2009 as a result of the outbreak of influenza A (H1N1) or swine flu, which infected nearly 61 million people in the U.S. and caused 12,469 deaths. Worldwide, more than 575,000 people died from the swine flu. The notice helps firms understand the concerns and risk-mitigating actions and appropriate measures to prepare for the effects of a pandemic.
The three most significant challenges identified as likely during a serious pandemic outbreak were absenteeism, telecommunications disruptions, and remote work arrangements.
Risks, challenges, and suggestions
To reduce absenteeism, firms are allowing personnel to work remotely. Compliance and risk departments should coordinate with technology departments on review and testing. Compliance and IT should test the company's remote VPN capacity and measure connection speeds. Additional capacity may be necessary, as systems could easily be overloaded with users working remotely.
Working remotely is universally seen by technology professionals as carrying an increased cybersecurity risk. The risk of a security breach on a secure home WiFi network is not significantly greater than on a secure WiFi network in the office, but the use of public WiFi connections should be strongly discouraged.
Compliance should redistribute all relevant company policies related to the use of personal computers, smartphones, tablets, and WiFi networks for work and remind staff that the policies still apply to those working from home, and security protocols will not be relaxed.
Failing to archive communications between staff and clients is perhaps one of the most common work-from-home failures, so archiving is essential. Firms should remind and train remote workers on this requirement, along with other safeguard measures.
Firms should anticipate additional burdens on IT Help Desks as more individuals work remotely and experience technology problems. Firms should be sure all help desks are adequately trained and staffed to handle increased volumes.
There is no substitute for chief compliance officers and other compliance personnel on-site actively engaging with staff. The inability to drop in on trading floors and meet with front-line personnel is perhaps one of the most significant lapses or inadequacies of remote working arrangements. Therefore, those working remotely must be constantly reminded that their actions are still being monitored by other means.
Remote workers must also be reminded of the necessity to safeguard customer records and privacy information so that it is kept confidential.
Compliance and HR departments should also be careful to protect personal medical information under applicable health privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), if employees become infected or ill. Despite a perceived need to share such information, it is imperative to maintain individual employee health privacy.
Compliance, risk, and senior management must take inventory of essential employees, determine how many and which personnel are needed onsite at various locations, and consider backup personnel under various business disaster or disruption scenarios. Contact information for all personnel, especially key employees, should be updated.