Financial institutions face two categories of emergencies arising out of the coronavirus disease that could impair their functioning. The first is directly financial: a sudden drop in the value of financial assets, or loss of liquidity, whether domestically or elsewhere in the world that could lead to a national or even global financial crisis. The second is operational: the failure of the support structures that underpin the financial system. Insurers are additionally likely to be exposed through claims made against business lines covering risks such as business interruption, health, workers’ compensation, and life insurance. This is blog looks at some of the issues affecting the operational resilience of financial institutions in light of the spread of Coronavirus.
What have the UK regulators said?
The Bank of England (BoE), the Prudential Regulation Authority and the Financial Conduct Authority are in close contact with those key firms they directly supervise to ensure that their senior management is evaluating and planning to mitigate the risks posed and, in particular, to take steps to see that financial markets continue to function. In this respect, the PRA and FCA will be looking at the experience of Asia Pacific regulators during the avian flu (2014), swine flu (2009) and SARS (2002-3) pandemics over the last 20 years.
The outgoing Bank of England (BoE) Governor, Mark Carney, in evidence on 4 March 2020 to the UK Treasury Select Committee, stated that he expected “disruption” rather than “destruction” of the economy. He also noted that there is no expectation that the economic impact of Covid-19 could be as severe as the 2008 financial crisis. However, it is clear that regulators are watching emerging trends closely and taking the situation seriously. In a scenario where up to a fifth of the UK workforce could be affected at its peak, the BoE is aiming to ensure that “all necessary contingency plans are in place.”
What are the regulatory considerations around contingency planning?
On 3 March 2020, the BoE issued a statement to the Treasury Select Committee. This confirmed that the BoE’s Prudential Regulation Committee and financial market infrastructure (FMI) supervisors were reviewing the contingency plans of banks, insurers and FMI (e.g. trading venues and CCPs). This included assessments of operational risks and the ability of these entities to serve customers and markets using split teams and remote working.
For its part, the FCA, in guidance published on 4 March 2020, reminded firms that it expects them to have contingency plans in place to deal with major events including operational risk assessments. This is in line with the FCA’s current focus on operational risk and systems and controls more generally; however, there has been relatively limited thematic guidance to the market on the regulator’s expectations for dealing with pandemic scenarios. For example, with the exception of a review of the payments system in 2016, it is understood that UK regulators have not carried out a market wide pandemic exercise for many years. There have been stress tests within the banking sector around sharp reductions in demand from particular jurisdictions (including China), however, which may assist in the current environment.
Senior management seeking to understand the regulator’s expectations in relation to operational risk and management of market-wide events such as the Coronavirus outbreak should, however, review the BoE, PRA and FCA Consultation Paper ‘Building Operational Resilience’ published in December 2019. This sets out an approach to “operational resilience” for all firms that refers to “the ability of firms to prevent, adapt, respond to, recover and learn from operational disruptions.” Although the majority of firms have focused more recently on operational risk arising from IT outages and cyber-attacks, the market volatility we have seen in recent days in connection with the spread of Coronavirus may require firms to review and potentially put into effect their operational resilience procedures.
Pursuant to the proposals on operational resilience, it is clear that UK regulators expect financial institutions to identify critical business services and establish related “impact tolerances” (i.e. thresholds for maximum tolerable disruption). Firms must then test their ability to remain within those impact tolerances through a range of severe but plausible disruption scenarios. The testing process is intended to focus on the response and recovery actions firms would take to continue the delivery of an important business service assuming that a disruption has occurred. The proposals note that in some circumstances, taking the systems and therefore the business service off-line might be the safest option where a tolerance level has been triggered (which, on a much larger scale, is effectively what happened when a circuit breaker was triggered on the NYSE after the S&P 500 plunged 7% on 9 March 2020). As noted, recent market volatility and the need to perform a general operational risk assessment may well cause firms to revisit whether their current impact tolerances are fit for purpose and what actions need to be taken in the event of a tolerance breach. The resilience of service providers’ systems and controls in situations where regulated firms rely on the provision of outsourced services may also need to be reviewed in light of recent events.
What are the regulatory considerations around off-site and home working?
In common with firms in other sectors of the economy, the financial sector is imposing travel restrictions on employees and arranging for staff to work from home and/or from alternative back-up locations. Moreover, firms that carry on trading activities are preparing to split up trading desks to reduce the risk should a trading desk have to close where an individual falls ill.
This approach will inevitably create new challenges for compliance staff seeking to monitor trading and the provision of other regulated activities; whilst remote working is not exactly new to financial firms, the scale of offsite working as a result of Coronavirus will likely be uncharted territory.
Issues will arise in particular around managing staff who are engaged in sales and trading activities, and who are required to operate remotely. Call recording and monitoring, for example, will need to take place even in circumstances where staff work remotely. Although many firms now have remote recording solutions (e.g. software applications on mobile phones that allow for recording where calls are routed through the relevant application), safeguards may need to be considered to ensure that staff solely use recorded lines.
The FCA’s guidance on Covid-19 notes in this context that all firms will take “reasonable steps to meet their regulatory obligations.” It confirms that trading activities may take place from backup sites or with staff working from home, but this is provided that: (i) orders are promptly entered into trading systems; (ii) staff use recorded lines; and (iii) that compliance support is available when needed.
What happens when firms are unable to comply with regulatory requirements?
In the worst case scenario, UK regulators may grant waivers over specific rules applying to financial institutions. However, we are expecting regulators to take a “business as usual” approach in relation to the operational monitoring and oversight procedures that firms are expected to apply. Thus, firms should stay in contact with the FCA or the PRA as applicable in circumstances where they risk breaching regulatory requirements, and any breaches should be disclosed in the usual fashion. A key risk mitigant will be to ensure that senior management and compliance oversight and internal reporting systems are tested and functioning as close to “normal” as possible, even in a remote working scenario.