First published March 23, 2020, Regulatory Intelligence
The continuing uncertainty regarding COVID-19 is having a profound impact on financial services firms, their employees and customers, and the wider world but it is clear firms must be prepared for all eventualities. The minutiae of a firm's virus or other preparations will be firm-specific but there are a number of common considerations for all organisations.
The specific ramifications of geopolitical and other uncertainties cannot, by definition, be planned for but many of the unduly damaging aspects can be offset by training and awareness, together with an effective suite of tested policies and procedures.
The point gains even sharper focus with regulatory changes such as the sector-by-sector implementation of the Senior Managers and Certification Regime (SMCR) in the UK, the Manager-in-Charge regime in Hong Kong and the Banking Executive Accountability Regime in Australia, as well as plans for a senior manager accountability regime in Singapore and an approach similar to the UK SMCR in Ireland. All these initiatives highlight the growing potential for individuals as well as firms to be held accountable for compliance failings.
Planning for uncertainty
Firms and their compliance officers need to acknowledge that uncertainty exists and that their ability to foresee or offset events may be limited. That should not prevent them from developing policies and procedures to enable them to be agile in their response to the unexpected.
Firms may wish to consider creating a stand-alone policy to deal with events arising from uncertainty or they may wish to align their approach to the one in place for handling dawn raids or other surprise inspections. As with all policies it should be clearly documented, and all members of staff should be aware of the policy and familiar with its contents. The board and all senior managers should be briefed in detail and asked to confirm expressly their understanding of the agreed approach. In addition:
Disaster recovery and business continuity plans
Firms should keep their disaster recovery and business continuity plans under review and test their efficacy. Any dependencies should be assessed carefully to consider whether the back-ups (for example, IT, physical location) could themselves be affected by the practical anti-COVID-19 measures implemented by governments around the world. Some firms are required to build and maintain "living wills," for which the same criteria would apply.
Many firms process data in a number of locations and in a number of jurisdictions. Firms should have a central record of exactly what data is held, where, and on what basis. This is necessary both to comply with data protection requirements and to ensure accessibility and, where needed, retrieval. Should a swift and comprehensive repatriation of data be required, firms must know exactly what is held, where, and under what terms.
Firms should keep all outsourcing agreements under review. Equally, firms should keep all entities (even those in the same group structure) to which processes or other activities are outsourced under review to ensure that, with shifting virus measures and evolving geopolitical realities, the outsourcing remains strategically viable. The Thomson Reuters Regulatory Intelligence Cost of Compliance Report 2019 reported that 28% of firms outsource some or all of their compliance functionality. Compliance officers must ensure they have line of sight to all outsourced compliance functionality and a back-up plan if that functionality needs to be reallocated, potentially at speed.
The shifting political approaches to managing the virus contagion risk have put a spotlight on where employees work and the likelihood that they may be, in large numbers, unwell. While managing the (self-)isolation or sick leave of employees will primarily be the responsibility of the human resources function, compliance officers will need to be in the loop in terms of keeping regulatory registrations up to date and ensuring the firm is not left with any undue long-term gaps in key roles and skill sets. All firms will have an organisation chart setting out who reports to whom. Many firms also capture, explicitly, who is responsible for what in the business. Those firms which do not already document who is responsible for what, and where, should consider building the next level of detail into their organisation charts. It is much simpler for firms to respond with agility to events if there is immediate clarity as to who is in a position to take which of the required actions to remediate an unexpected event.
Increase in cyber risk
Inevitably, some will seek to take advantage of uncertainty and the greater potential for the unexpected to happen. There has already been an increase in cyber risk, with phishing in particular growing given the need to work remotely. Firms should ensure company-confidential, sensitive client or other important files are securely and regularly backed up in a remote, unconnected back-up or storage facility. The basics done consistently well will go a long way toward providing firms and their clients with a reasonable level of cyber resilience. If the firm has been a victim of, say, a ransomware attack it should use all possible means to regain access to IT systems and client files as swiftly and cleanly as possible. This may mean paying any ransom demanded as a matter of urgency. The follow-up action is then to learn the lessons to prevent a recurrence of the attack.
Communication is an essential part of the successful management of an unexpected event, whatever the root cause. The policy should clearly state who should be contacted, and in what order. While the local compliance officer should be one of the first people contacted, senior managers all the way to the top of a firm should be included in the communication ladder. The firm's press office should also be high on the contact list, with an agreed holding statement as a minimum. The efficient handling of PR is a critical part of the process.
Communication with regulators
Firms also need to consider communication with regulators. This can take two forms. In a single jurisdiction, firms should actively consider the need to inform their financial services regulator of any substantive adverse event. For firms that operate in multiple jurisdictions, the impact of a substantive adverse event should be considered for reporting to the jurisdiction's lead financial services regulator.
The only true test of a policy is once it has been used for real. Detailed jurisdiction-specific policies and procedures may look great on paper, but until they have been tested in the often-controlled chaos of an unexpected adverse event there is no way to know whether or not they were fit for purpose. A post-event review should be used to refine and update any policy and to initiate a new round of training and awareness for the entire firm.
The international response to the pandemic, the resulting geopolitical uncertainty and the associated potentially adverse events are going to be challenging for firms and their senior managers, but documented and communicated policies should allow difficult situations to be managed as smoothly as possible.