Skip to main content

Clifford Chance

Clifford Chance

Regulatory Investigations and Financial Crime Insights

Coronavirus: Five steps to building a financial institution's resilience

Coronavirus (Covid-19) is, by any measure, a disruption like no other. In the financial services sector, particularly in the UK, regulated firms such as banks, asset managers and insurers must ensure that their Coronavirus contingency planning meets not just the complex challenges raised by this event but also increasingly stringent regulatory standards.

While communicable diseases such as SARS have featured on the regulatory agenda before, the sheer scale and potential impact of Coronavirus will make its management particularly challenging. Previous disruption events attracting regulator interest have typically been confined to short-term issues affecting a particular service or product which can, once fully identified, be directly resolved. By contrast, Coronavirus is a multifaceted event likely to last for a prolonged period of time. Disruption is likely to come not only from the disease itself but also from government mandated containment measures which are expected to vary day to day and country to country. As a result, firms will need to think laterally about how they might be impacted.

In particular, recent pronouncements from both prudential and conduct UK regulators regarding the need for firms to be operationally resilient have taken on new meaning in the wake of the pandemic. In this context, below are five steps to help build firmwide resilience to the outbreak.

Step 1: Understand your regulatory requirements

Consultation papers published jointly by the UK regulators at the end of last year set out regulatory expectations with respect to disruption events, emphasising the need to assume that such events would happen and for firms to plan accordingly. The Financial Conduct Authority (FCA) has reinforced this approach in the context of Coronavirus (see published statement here), stating that it expects firms to have contingency plans in place to deal with major events such as Coronavirus and that it is actively reviewing the contingency plans of a wide range of firms. Further, the FCA expects firms to take "all reasonable steps" to meet their regulatory obligations in the context of the Coronavirus outbreak. In practical terms, this means that whilst firms should not expect strict liability to apply, they can expect the regulator to robustly challenge their contingency planning before agreeing to any forbearance following a regulatory breach.

Step 2: Identify the key business services which could be affected by the outbreak

The recent consultation papers have suggested that firms must identify and map the people, processes, technology, facilities and information that support important business services which could be affected by disruptions. In the context of the recent outbreak, this would include considering how vulnerable these services are to disruption caused by Coronavirus.

Although unique to every individual business, some general issues to consider in this respect could be:

  • any aspect of service delivery that cannot be performed remotely, for example transactions where documents need to be physically executed in front of a notary;
  • services that require additional regulatory measures, for example transaction reporting, or additional security, such as recorded lines or handling market-sensitive information. The FCA is clear that it expects firms to comply with their regulatory obligations notwithstanding the disruption caused, which will include the ability to enter orders and transactions promptly into the relevant systems, use recorded lines when trading and give staff access to the compliance support they need;
  • if a service is contingent on an outsourcing arrangement with a third party, firms must understand how vulnerable the third party is to the effects of the pandemic on its staff and functionality;
  • support functions in specialist centres which could impact business functionality if they are physically closed or understaffed. Firms should consider that UK government guidelines may differ from foreign guidelines, which may require sites to be closed at an earlier stage in the epidemic; and
  • services that require handling of cash, given that a number of countries have identified cash as a possible medium facilitating the spread of the virus. China, for example, has in some provinces, stopped the transfer of old bank notes and asked commercial lenders to identify cash taken from certain locations which is then being collected and destroyed.

Step 3: Identify alternative practical measures to ensure service continuity

In line with current regulatory expectations, a business taking all reasonable steps to minimise the impact of a disruption event needs to understand its maximum tolerable level of disruption to an important business service. Once this tolerance level is reached, firms should ensure that they are quickly implementing alternative practical measures to ensure service continuity and, where possible, testing these measures prior to implementation.

  • transferring significant staff to home working. Firms contemplating this should ensure that IT support systems are adequately tested and can cope with increased usage. In addition, where certain activities, such as trading, involve a number of different systems, remote operation of these systems should be fully tested; and
  • utilising other network offices to perform certain functions. Where this means moving a regulated activity to a different jurisdiction, the firm should ensure that:

-   it has the necessary licences to carry out the required activities in that jurisdiction;

-   where activities carry additional regulatory requirements, for example, transaction reporting, adequate systems are also in place to satisfy the necessary requirements in the new jurisdiction; and

-   where the functions rely on a third-party outsourced service provider, the network office has access to the right outsourcing contracts and the right internal systems to be able to work with the outsourcer.

Step 4: Prioritise communication

Based on previous enforcement action in the operational resilience space, regulators will expect firms to focus strongly on communications with customers, regulators and the wider market where Coronavirus impacts on the provision of business services.

Firms should consider:

Their communication strategy

Regulators already expect firms to be utilising a broad spectrum of channels to communicate with their customers and other third parties, including text, email, websites and social media.  Given that there is likely to be prolonged disruption, firms should consider setting up a centralised communications approach to ensure that messaging is consistent, strikes an appropriate tone and is in line with the latest government and medical guidelines.  It will also be important to consider how certain subsets of customers are treated, for example, firms should consider whether it is appropriate to communicate with particular customers proactively if a member of staff has become infected and may have previously had contact with them.

How to deal with vulnerable customers

Planning should also include consideration of interaction with potentially vulnerable customers, particularly the elderly, who are likely to be a group severely impacted by the outbreak. For example, in the event that branches are closed due to infection risk and there are insufficient staff available to service telephone helplines, firms should consider how communications will be managed for customer subsets who may not have access to online platforms.

How to address customers' individual circumstances

Firms will need to keep in mind that customers themselves may be severely disrupted.  Businesses in the wholesale and commercial space may be grappling with severe economic challenges and retail customers may be dealing with complex personal issues.  In the context of broader economic disruption, it is likely that regulators will also look carefully at whether firms are treating customers fairly and have plans in place for a large volume of forbearance requests. 

Their interactions with the regulators and the wider market

With respect to regulators, firms should strongly consider whether certain steps taken to combat Coronavirus constitute notifiable events, particularly in circumstances where staff are quarantined, offices are closed or employees test positive for the virus.  Similarly, firms should consider the form and content of communications with the wider market to the extent that business services are disrupted.

Step 5: Ensure continued senior management accountability

Regulators have recently been under increased pressure from the UK government to hold senior managers to account for issues related to disruption events. The FCA and PRA have identified the Chief Operations Function (SMF 24) as accountable for a firm's operational resilience and operational continuity. It is anticipated that, in due course, UK regulators may require firms to appoint a senior manager with responsibility for managing Coronavirus contingency planning. This responsibility may similarly align to SMF 24.

In particular, firms should consider:

Key concerns for accountable senior managers

Coronavirus may create additional challenges for relevant senior managers. Senior managers will need, for example, to consider what information to have available both internally, with respect to how the situation is impacting the business, and externally, such as the latest medical and government guidance in the UK and any jurisdictions where staff are assigned to relevant service delivery. More broadly, firms will need to consider how senior management appropriately supervise staff working remotely or performing functions from a foreign affiliate entity.

Steps to protect senior managers against regulatory scrutiny

To protect against regulatory scrutiny, firms should ensure that relevant senior managers have appropriate awareness of the firm's operational risk and contingency plans with respect to Coronavirus, and are appropriately trained to understand the key technical issues involved.  Other board members will require appropriate Management Information to perform an appropriate "check and challenge" role and ensure adequate oversight and governance around senior decision-making.