On 4 March 2020, the Financial Conduct Authority (FCA) published a statement in which it made clear its expectations of firms having adequate contingency plans in place to deal with major events, including the Coronavirus Disease (COVID-19). Given its geographic spread, the World Health Organisation (WHO) has declared the COVID-19 outbreak to be a pandemic. Sushil Kuner from our Financial Services Regulatory team explores the impact of COVID-19 on Financial Services and some practical steps which firms should consider taking in response.
Impact of COVID-19 on Financial Services
COVID-19 is reported to be highly contagious and a more severe disease than seasonal influenza in a population where no-one has immunity to the new virus. The full impact of COVID-19 is yet to be determined but already, it has led to severe market volatility, interest rate cuts and diminished consumer confidence. The UK has moved from the ‘Contain’ to ‘Delay’ phase in its response to COVID-19, with anyone displaying symptoms of COVID-19 being requested to self-isolate. This is a fast-moving picture, and firms should watch out for further developments.
All UK Financial Services firms will be expected to implement measures to protect and support their staff from being exposed to or contracting COVID-19, and observe relevant UK Government policy implemented from time to time.
However, Regulators will also be expecting firms to take all reasonable steps to ensure they continue to meet their regulatory obligations and are able to continue to operate effectively. The FCA has made clear that, together with the Bank of England and HM Treasury, it will be reviewing the contingency plans of a wide range of firms which will “include assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to service and support their customers.”
Contingency measures – key considerations
While these measures are by no means exhaustive and individual firms should consider the operational risks in the context of their specific business models, firms should consider the following when determining whether their contingency arrangements are adequate:
- Governance arrangements – given the serious threat of COVID-19 to particular groups, including the elderly and those with underlying health conditions, and the fact that the full threat of COVID-19 is as yet unknown, it is imperative that firms ensure they have a robust crisis management policy in place and identify all internal personnel who carry out key governance functions. Firms should prepare for the risk that Senior Managers approved by the FCA/PRA under the Senior Managers and Certification Regime (SMCR) may be personally impacted by COVID-19 and that their roles may need to be temporarily carried out by others who may need to be pre-approved by the relevant Regulator.
Businesses should also consider the impact of COVID-19 on the running of the Board and that sufficient contingency arrangements are in place to ensure continuity of Board decision-making. Examples may include Board members dialling in to meetings remotely so that they are not all in the same location, thereby minimising the risk of the whole Board contracting COVID-19 if one member has it. Firms should also consider the impact on any quorum requirements for Board meetings and meetings of any relevant sub-committees responsible for ensuring effective governance and oversight over the business.
- Cyber resilience – the European Central Bank has recently warned banks to prepare for an increase in cyberattacks as cyber-criminals seek to take advantage of potential chaos caused by COVID-19. Firms should ensure that mass staff shortages do not impact on their cyber-resilience and ability to withstand malicious attacks.
There have been press reports of a significant rise in the number of phishing emails in which cyber-criminals take advantage of fears over COVID-19. Given the impact of COVID-19 on financial markets, there is a high risk that cyber criminals may attempt to manipulate investors through similar phishing exercises. Financial firms should ensure they are taking all reasonable measures to shield their customers from such practices.
Firms should also ensure that their IT systems are able to cope with increased demand from consumers for online services. For example, self-isolation measures may mean that bank customers may be forced to use online services rather than using branch services, thereby increasing the strain on online services.
- Treating Customers Fairly – firms should ensure they are continuously assessing the impact of COVID-19 on customers and ensure they treat customers fairly and consider the needs of those potentially affected by the Coronavirus. The potential risks of COVID-19 are wide-ranging and could include certain businesses becoming insolvent due to worsening trading conditions and increasing unemployment levels. As a result, some consumers may face severe financial difficulties, for example, not being able to meet mortgage or other credit commitments. Firms should ensure they identify any particularly vulnerable customer segments and treat them accordingly.
COVID-19 has had an unprecedented impact on financial markets, causing billions to be wiped off stock markets worldwide. The European Securities and Markets Authority (ESMA), together with National Competent Authorities, have made clear that:
- all financial market participants, including infrastructures, should be ready to apply their contingency plans, including deployment of business continuity measures, to ensure operational continuity in line with regulatory obligations;
- issuers should disclose as soon as possible any relevant significant information concerning the impacts of COVID-19 on their fundamentals, prospects or financial situation in accordance with their transparency obligations under the Market Abuse Regulation;
- issuers should provide transparency on the actual and potential impacts of COVID-19, to the extent possible based on both a qualitative and quantitative assessment on their business activities, financial situation and economic performance in their 2019 year-end financial report if these have not been finalised or otherwise in their interim financial reporting disclosures; and
- asset managers should continue to apply to the requirements on risk management, and react accordingly.
- Systems and controls – the FCA has stated in its most recent statement “we expect firms to take all reasonable steps to meet their regulatory obligations. For example, we would expect firms to be able to enter orders and transactions promptly into the relevant systems, use recorded lines when trading and give staff access to the compliance support they need. If firms are able to meet these standards and undertake these activities from backup sites or with staff working from home, we have no objection to this.”
As such, firms should ensure that for any employees permitted to work from home whose activities are ordinarily subject to routine oversight and monitoring in the workplace, they continue to be monitored when working remotely. This may, for example, mean enabling telephone call recording for home workers and enabling secure remote access to work systems.
Firms should also consider the possibility of imposing requirements on a proportion of staff to work remotely from home in the absence of any governmental policy requiring businesses to enforce remote working. Given the high risk of contagion of COVID-19, this may mitigate the risk of mass staff absence/illness where a handful of infected individuals could potentially infect the entire workforce.
- Outsourcing arrangements – FCA/PRA regulated firms which outsource services, in particular critical or important services, should be monitoring their outsourcing arrangements closely. The regulated firm remains responsible to the relevant regulator for the activities being conducted by outsourced providers. In the event that the operations of the outsourced provider are impacted by COVID-19 to the extent that it can no longer meet its obligations under the outsourcing agreement, the regulated firm should take swift action to ensure continuity of business.
- Capital and prudential considerations – firms need to consider what the impact would be on their business if a number of their customers become insolvent. This could challenge firms’ liquidity and capital positions, and previous stress-testing and related assumptions may need to be reviewed in view of a possible global recession and volatile or declining market conditions. Firms with significant exposure to customers in the retail, leisure, hospitality and catering sectors in particular may need to re-visit this.
It is crucial that firms accurately document how they are meeting their regulatory requirements through deployment of their contingency plans and, where there are lessons to be learned, documenting them so that improvements can be made for future incidents. Senior managers have a key role to play in this, and need to demonstrate involvement and appropriate oversight to mitigate the risk of personal liability.
Given today’s technological advancements, firms should be considering the extent to which they may be able to deploy tools such as Artificial Intelligence in future contingency planning arrangements.
All FCA regulated firms should be preparing for the potential impact of COVID-19 on their day to day activities and ensuring that they have implemented reasonable measures to minimise the risk of disruption to their businesses.