Financial services firms have recently become more attuned to the challenges of adopting business continuity plans (BCPs) in light of the spread of the coronavirus. The ECB-SSM has published a letter to all Significant Credit Institutions advising them to (1) revise their contingency and BCP assessments; (2) assess how quickly such measures could be implemented and sustained; (3) establish measures of infection control in the workplace and (4) review and revise the capacity of existing IT infrastructure. The UK's Financial Conduct Authority's expectations, on the other hand, have some items that are more precise and which EU-27 firms may wish to consider.
While there is no exact catch-all cure on how to prepare, firms will do well to implement the top-10 key priorities contained in this article, namely to: (1) centralize and coordinate teamwork; (2) review preparedness planning; (3) establish protocols; (4) revisit health & safety arrangements and education; (5) manage contractual risks; (6) test resilience of financial arrangements as well as funding channels; (7) step up monitoring and transition of insolvency risks; (8) consider the adequacy of insurance and re-insurance coverage; (9) revisit policies and procedures for dealing with vulnerable customers; (10) ensure clear and consistent communication.
The continued spread across jurisdictions of the coronavirus known as COVID-19 during the first quarter of 2020 has caused many financial market participants to activate contingency as well as business continuity plans (BCPs), many of which have had to be revisited and amended to account for this new threat to persons and processes. COVID-19, as with previous (often more virulent) forms of influenza-like outbreaks, does not halt at borders, nor does it discriminate by types of business lines and the activity of firms or their counterparties and clients.
Financial services firms, large and small, have all become quite aware of the need for, and the related challenges of, adopting business continuity plans, often at short notice, or of reacting to steps taken by counterparties (including financial market infrastructure providers). Clients and suppliers are also under pressure. For many businesses, moving large numbers of staff to remote working arrangements is not free from challenges, both in terms of sufficient resources and in terms of external pressures affecting some of those plans. These external pressures can range from formal quarantines to recommendations of "social distancing"1 that impact workers, but also extend to the reality of staff needing to care for relatives or the pressure put on parents during forced school closures. These challenges are not likely to be alleviated by government-led action and the deployment of measures from the monetary and/or fiscal policy toolkits, and BCP staff of financial services firms ought to take these pressures into account in terms of how they affect their own plans as well as those of the parties they engage with.
Across the EU-27 and the UK, national competent authorities (NCAs), along with the European Supervisory Authorities (ESAs), including the European Central Bank (ECB)2, acting both in its central banking and supervisory roles at the head of the Banking Union's Single Supervisory Mechanism (SSM), have communicated their supervisory expectations and guidance on how firms should deal with what are proving to be difficult times. This Client Alert assesses some of those key messages, as available up to March 9, 2020, and lists certain steps supervised institutions may wish to take in the short term, as these are relevant to curtail and contain risks caused by the COVID-19 crisis, but also over the longer term, as this crisis has identified loopholes in regulation. For that reason, the suggested measures will likely translate into longer-term supervisory expectations.
The ECB-SSM's supervisory expectations
On March 3, 2020, the ECB-SSM published a letter3 to all Significant Credit Institutions (SCIs) i.e., the ca. 120 Banking Union Supervised Institutions (BUSIs) under the direct supervision of the ECB-SSM. The principles set out therein are also likely to be of relevance to the much wider body of BUSIs that are indirectly supervised in the EU's Banking Union by the ECB-SSM and directly supervised by relevant NCAs, inasmuch as these messages are possibly of importance to non-banking sector financial services firms, their counterparties and customers.
The letter reminds SCIs to review their BCPs and to "consider what actions can be taken to enhance preparedness to minimize the potential adverse effects of the spread of COVID-2019. Preparations for employee safety and business continuity should include consideration of the main risks associated with a potential pandemic." This regrettably does not go into much in the way of detail, although the letter does point out that BUSIs could be subject to challenges in their operational capabilities if employees are unable to perform their tasks, as well as the same type of impact affecting third-party outsourcers and suppliers needed to maintain critical processes. In light of this identified set of risks, the ECB-SSM advises SCIs to:
- revise contingency and BCP arrangements and whether these account for various stages of pandemic scenarios and impact across the types of business operations and geographic footprint, and make amendments where necessary, including in relation to back-up sites and the resilience of large-scale remote working facilities or other remote working arrangements that can be activated;
- assess how quickly such contingency measures could be implemented and sustained for a prolonged period of time under various pandemic scenarios and whether these would still be capable of operating in the event of failings of any related or third parties i.e., reverse stress-testing the contingency measures;
- irrespective of the above, establish adequate measures of infection control in the workplace, which can "include systems to reduce infection transmission" (a term that is left undefined), and improve worker education. While these are sensible and desirable measures, they may also require coordination with employee representatives and/or employment lawyers as well as medical professionals to ensure such measures are fit for purpose in their design and implementation, as well as being legal and not open to abuse; and
- review and revise the capacity and resilience of existing IT and cloud-based infrastructure, equally in light of increased cyber-attacks and cyber-crime targeting on-site and remote-based internal and client-facing resources.
The ECB-SSM's letter concludes with a call on SCIs (the BCP teams and "the person responsible for pandemic preparedness" – which many SCIs may not have) to immediately reach out proactively to their Joint Supervisory Teams (JSTs) in the event of significant developments as the JSTs are monitoring the planned or implemented actions of SCIs.
The UK's view
The UK's Financial Conduct Authority (FCA) published its own supervisory statement4 to the much wider range of 59,000 financial services firms it regulates across a spectrum of sectors beyond banking. The FCA, which will be coordinating its contingency responses in conjunction with the Bank of England and HM Treasury, states that it expects "...all firms to have contingency plans in place to deal with major events. Alongside the Bank [of England] we are actively reviewing the contingency plans of a wide range of firms. This includes assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers."
The FCA's expectations, while conceptually similar to those of the ECB-SSM, do have some items that are more precise and something that EU-27 firms, regardless of their primary supervisor, may still wish to consider. This includes firms ensuring that staff and systems are:
- able to enter orders and transactions promptly into relevant internal systems;
- using recorded lines – an issue given remote working. Private landlines and most mobile phones (including firm as opposed to privately-owned telephones that may have taken hold due to sanctioned "bring your own device" policies that some regulators may have encouraged as part of cost-saving measures) do not have recording software. There may also be an absence of sufficient permissioned IT resources (desktops/laptops and/or video conferencing) or software issues – i.e., lack of VPN bandwidth capabilities or remote log-ins to core software not being permitted or in the design build of such software; and
- equipped with suitable access to compliance support they might need to accommodate for measures that are likely to be beyond "business as usual".
So what next?
The FCA's focus on the implications of having sufficient and sustainable access to software and hardware points to areas that might need reflecting in firms' contingency and BCP measures. These statements and those of the ECB-SSM are also echoed by various industry associations (in London and the EU-27), also pointing to the fact that some regulatory rules and supervisory principles may need altering and amending temporarily or perhaps on a longer-lasting basis.
This change in thinking would be necessary, firstly, to account for the differences in working patterns and resulting inefficiencies of the firms and their people, but also the adverse impacts of COVID-19 on clients and counterparties. Secondly, it should be noted that the majority of financial regulatory rules were never designed for observance by firms' staff and their supervisors in a (prolonged) remote working environment, let alone one that is operating in contingency conditions. This applies to core financial regulatory considerations but also to wider-reaching issues such as data protection and GDPR compliance if large-scale remote working operates on "bring your own device" stopgap measures. This issue may also arise in relation to the fitness for purpose of certain apps, such as trading apps, that are not designed to cover all products offered by a firm (i.e., an app that can only trade currency pairs but not derivatives may prove more of a danger despite being used for remote working). Firms will also need to consider pointing supervisors to each other's statements to push them in case there are diverging or opposing views on what is considered to be compliant during challenging times.
The relevant supervisory community may also need to think about how to encourage firms to proactively deal with trust and mistrust issues within firms, including but not limited to those that qualify as "vulnerable employees" and wider discrimination, but also confidence levels in them from their clients and counterparties given current reporting on COVID-19, as well as the impact of fake news, in addition to thinking about how to deal with more "real economy" operational issues if there are further stresses to supply chains or even a suspension of say postal services.
More fundamental concerns have also been expressed, albeit from financial services firms that have already implemented BCPs and contingency planning, on the need for continuity and resilience of services providers and products to ensure remote working actually works, and also that periodic deep cleaning of on-site and back-up sites is undertaken regularly, especially if staff are rotating in and out of stages of social distancing and/or quarantine. With some jurisdictions having already become susceptible to shortages of necessary products that are free from risks or contaminants, this adds additional pressures that firms may wish to take note of, not just for their own operations but also for the wider well-being of their staff and indeed all stakeholders they may engage with. Continued if not intensified communication with insurers and re-insurers is also likely to be crucial.
There is a growing expectation from market participants (but no certainty from policymakers) that supervisors may waive rules, certainly on a temporary basis, for certain activities that are required to be carried out on-site, as well as to exempt certain exposures to clients and counterparties that are particularly hard pressed by COVID-19's impacts. These issues also raise more fundamental questions about whether this approach could actually drive moral hazard and be counterproductive to the financial stability issues that supervisors and financial markets policymakers are actually seeking to protect.
How can firms better prepare?
While there is no exact catch-all cure on how to prepare, the following non-exhaustive list of key priorities (in addition to the items discussed above) should act as a primer for firms across all sectors of financial markets:
- Centralize and coordinate teamwork: Set up a sufficiently resourced and empowered central coordination team (CCT) which is comprised of senior management contacts (and an appropriate number of sufficiently briefed delegates/alternates around global locations) representing business functions but equally control functions (legal, compliance, risk, governance, audit and BCP/contingency planning), IT and cyber-resilience, procurement, as well as human capital and business premises functions, including employment lawyers, security and premises management, as well as a secretariat function to manage communication with CCT members and wider stakeholders. Consider establishing documented channels with agreed counterparts at key counterparties, clients and stakeholders (in particular supervisors), as well as external lawyers. Firms should also ensure that the context, debate and outcome of decisions, when taken, are appropriately recorded – this would assist in the event of future investigations by supervisors and/or disputes with contentious parties;
- Review preparedness planning: Periodically revise BCP and contingency measures and the assumptions these are based on, as well as the need for further potential fallbacks as well as periodically test the design and implementation fitness for purpose of remote working access (including cloud-based solutions) channels connected to relevant trading, business and compliance systems (including by way of app) across all off-site electronic devices and private permissioned devices and take corrective measures including potentially through routing orders/information through skeleton staff that are operating on-site systems at respective business and/or back-up locations;
- Establish protocols: for internal (restricted and unrestricted) as well as external-facing communications for "business as normal" as well as emergency situations;
- Revisit health & safety arrangements and education: Ensure consistency on health & safety communications across the firm's operations, regardless of region but reflective of local law considerations, on what precautions staff (and related parties) need to take during business and out-of-business operations. This may include implementing and communicating policies and procedures on the reporting of concerns/absences/feeling unwell, flexible/home-working policies, dynamic resourcing, i.e. rotating of staff members, as well as policies on voluntary/mandatory self-isolation and mental well-being support, restrictions on private/business travel, especially to high-risk areas, clarity on permitted expenses and insurance, as well as provision of facilities to staff and related parties, including childcare/creche, on-site healthcare and other facilities that could contribute to contamination. Firms may also wish to consider how to communicate with staff (and related parties) about other precautions they may wish to take with respect to daily life, access to resources and medical care, including in light of global to local recommendations and/or restrictions due to COVID-19 or otherwise;
- Manage contractual risks: Ensure that contracts can continue to be concluded as well as disputed, including revisiting or establishing protocols on the legality and use of electronic signatures and who may be approved to do so (i.e. this may require updating relevant signing authorities), as well as assessing the rights and risks that the firm and its counterparties have in respect of contractual obligations (whether directly relevant or due to issues at third parties) and what this might mean for events of default including cross-default and cascading/linked insolvencies, force majeure and/or MAC provisions, change in law/illegality, suspensions and/or moratoriums, enforceability rights and ease to enforce, as well as counterparty and regulatory reporting etc., along with a readiness and/or willingness to renegotiate contractual terms and/or enter into forbearance or other relief measures;
- Test resilience of financial arrangements as well as short- to longer-term funding channels: both in terms of its access to sufficiently stable normal and/or contingency funding, as well as with respect to the ability to meet one's own obligations. This will include looking at susceptibility to and resilience against financial and non-financial risks, but also at requirements under representations, warranties, undertakings, covenants and compliance with other forms of periodic reporting it or its credit support providers receive and/or provide;
- Step up monitoring and transition of (in)solvency risks of own and counterparty position: including strength of monitoring of ratings-based and other triggers, along with an assessment of adequacy of fallbacks, including transition measures to transfer exposures and/or identity of counterparties to another person, as well as obligations with respect to regulatory and/or corporate public disclosures;
- Consider the adequacy of insurance and re-insurance coverage: in the event of heightened claims or whether existing claims cover COVID-19's extraordinary circumstances, including those that arise as a result of contingency planning;
- Revisit policies and procedures for dealing with vulnerable customers, as well as customer, client and counterparty engagement: more generally in terms of fairness and clarity, whether from conception and conclusion of financial products, to any complaints handling and/or contentious disputes; and
- Ensure clear and consistent communication across all internal and external channels: so as to ensure all recipients are on the same level during times of rapid change and stresses.
1 This trend has become notably pronounced given the threats it could bring to large open-plan trading floors that house traders, analysts and other key function holders in close proximity to one another. The same might apply to back-up/disaster recovery sites.
2 It should be noted that the ECB has published a public summary of its own internal precautions, including a travel ban until April 20, 2020 (i.e. after Western Christian Easter, but not Orthodox Christian Easter) binding upon ECB employees on official business (but not necessarily personal travel), postponement of all conferences other than monetary policy press conferences, and postponement of the "ECB Listens" campaign that was supposed to be part of the centerpiece of the ECB's 2020 Strategic Review. Both the ECB and FCA have also started the first tests of large-scale remote working arrangements ahead of perhaps operationalizing this for a longer period.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.