By Kate Wellman and Neil Bloomfield. As COVID-19 continues to spread globally, U.S. financial services regulators have released guidance to their supervised institutions to encourage proactive planning for what may be months of sustained impact to business infrastructure and the financial system. The theme running through recent guidance released by the Federal Financial Institutions Examination Council (FFIEC), Financial Industry Regulatory Authority (FINRA), and federal and state banking agencies is the need for flexibility. Financial institutions, like all of us grappling with the effects of the outbreak, cannot know what lies ahead—where the virus will spread next, what measures governments around the world will take to stem its tide, and how long it will last. Institutions therefore must have measures in place to allow them to adapt quickly to shifting priorities, restrictions, and guidance. The regulators, in turn, have shown a willingness to be flexible, among other things by relaxing submission deadlines and reporting requirements, rescheduling examinations and inspections, and providing assistance to impacted institutions. As always, the focus is on ensuring protection of customers and their assets, but the regulators also acknowledge the significant threat COVID-19 poses to employee safety and wellbeing.
FFIEC and FINRA Emphasis on Business Continuity Planning
The Interagency Statement on Pandemic Planning released by the FFIEC on March 6 and FINRA Regulatory Notice 20-08 published on March 9 reinforce the obligation of firms to include pandemic planning in their business continuity plans (BCPs). Business continuity planning refers to the process by which firms prepare for recovery and resumption of operations following an unexpected disruption, for example due to a natural disaster, cybersecurity issue, or technical outage. The FFIEC and FINRA guidance acknowledge the unique nature of a pandemic as compared to these more traditional events triggering a BCP. Unlike those events, which are typically short in duration and limited in geographical impact, a pandemic may affect multiple continents and resurface in waves, each lasting two to three months at a time. Traditional disaster response measures therefore may not work in a pandemic situation.
FFIEC Guidance on Content of BCP
Under the FFIEC guidance, a financial institution’s BCP should include five components:
- Preventive program. The preventive program is intended to mitigate the potential impact to an institution’s operations from a pandemic, including by preparing employees with hygiene training and tools and providing for proactive communication and coordination with critical service providers.
- Response strategy. The strategy should be tailored to the different stages of a pandemic, for example the six pandemic intervals described by the Centers for Disease Control and Prevention, which include accelerating levels of an outbreak, recovery from an initial wave, and preparation for future waves. The strategy also should address reentry of absent personnel into the workplace.
- Framework to ensure continuance of critical operations. The framework should include facilities, systems, or procedures that allow the institution to adapt if the pandemic incapacitates a significant percentage of its staff for prolonged periods of time. This could involve minimizing of contact among staff and with external parties through social distancing techniques and tightened visitor procedures and rerouting of customers to banking services online or over the phone. The framework should also consider potential public health or government actions.
- Testing program. The program must be designed to gauge the effectiveness of pandemic planning practices and capabilities and the ability of critical operations to continue. In particular, testing should consider the impact of significant use of remote access and telecommunicating capabilities by employees and of online and telephone services by customers. Examples include planned “work from home” days, communications exercises involving a crisis management team, and testing of various scenarios involving increased employee absences. The program also must include reporting of test results to management.
- Oversight program. The pandemic plan should be regularly reviewed and updated with appropriate involvement of senior management and the board of directors. Senior management is responsible for developing and communicating the plan and related policies, processes, and procedures, and ensuring the plan’s regular testing. The board is responsible for overseeing development of, and senior management’s involvement in, the plan and for approving the plan.
The FFIEC guidance also calls on financial institutions to incorporate consideration of a pandemic into the institution’s business impact analysis (BIA) and broader risk assessment processes, the results of which inform the content of the BCP. The BIA should identify the potential impact on essential business functions and processes and customers, estimate the maximum downtime that could be tolerated, and evaluate potential cross training of key positions and plans for critical service providers. The BIA should also forecast employee absenteeism due not only to employee illness, but also to related issues such as closing of schools, quarantining of households with infected members, and restriction of public transportation. Specific risk assessment and risk management actions should include, among other things, performance of a “gap analysis” comparing existing processes with what would be required during a pandemic, coordination with third parties including critical service providers, management monitoring of national and international news sources, strategies to protect employees and plan for their potential absences through cross training and succession plans, and assessment of remote working capabilities.
FINRA Focus on Review of BCPs and Core Member Requirements
The FINRA notice encourages member firms to review their BCPs to consider whether the BCPs appropriately promote pandemic preparedness. The specific issues for BCPs highlighted by FINRA include whether a firm’s BCP is sufficient to address staff absenteeism, increased reliance on remote working arrangements and associated cybersecurity risks, travel or transportation limitations, and technology interruptions. The notice also emphasizes that FINRA’s core requirements of member firms, including supervision of associated persons and protection of customer funds, apply with full force during a pandemic. As a result, a firm will need to adjust its processes when much of its staff is working from home; customer trade execution and account and fund access is disrupted; and customer calls and interactions are rerouted to alternate locations. Certain registration requirements, however, may not be enforced where alternate working arrangements and facilities are necessary, for example the requirement that a firm register its office locations and provide FINRA with office address information for registered persons. FINRA also indicated its willingness to grant extensions for filings and regulatory inquiry responses and to postpone on-site inspections.
Federal and State Banking Agencies Call for Customer Assistance
In a joint statement released on March 9, the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Conference of State Bank Supervisors called on financial institutions to meet the financial needs of customers and members impacted by the coronavirus. The agencies encouraged institutions to work constructively with borrowers in accordance with safe and sound lending practices and assured institutions that examiners should not scrutinize such efforts. The agencies further pledged their support, including to expedite appropriate requests to make services available to affected communities, provide regulatory assistance to supervised institutions in need, and schedule examinations in a way that minimizes disruption and burden.
Kate Wellman frequently advises clients on matters relating to recovery and resolution planning, corporate governance, and other regulatory compliance issues. She also has experience representing major financial institutions in investigations by government authorities in the U.S. and globally, including regarding foreign exchange trading and the allegations raised by the Panama Papers.