The coronavirus (COVID-19) pandemic
As the coronavirus (COVID-19) pandemic advances into its most serious phase in the UK, we’ve put forward some suggestions on how regulated firms should consider protecting themselves and their clients.
What needs to happen?
Regulatory compliance and managing regulatory expectations
COVID-19 is already impacting the availability of resources and this situation is likely to become more acute over the coming weeks. Firms may conclude it is simply not practical to allocate significant resources to testing controls in the current environment. In those circumstances, it will be important to consider whether these can be deployed from other areas. Failing that, it is crucial that the firm is able to evidence what steps it has taken to mitigate the risk as a result of a reduction in resource. If the reduction impacts remediation activities or regulatory deadlines generally, then a firm should communicate this fact to the regulator in a timely fashion to ensure the firm is meeting its obligations of openness and transparency under FCA Principle 11.
Client communications
There is a regulatory expectation that firms will ensure that clients and their assets are adequately protected during severe disruption. This is not only about making business decisions designed to mitigate harm to clients and in particular to vulnerable customers. It is also about ensuring clients are adequately informed about how the business is responding to the pandemic and how they are or will be affected by any material decisions that firms make.
As the recent coronavirus pandemic can provide an opportunity to fraudsters and cyber criminals, firms are expected to continue to help vulnerable consumers access their banking services, whether it be online or over the phone.
Impact on consumers
As advised by the FCA, despite the current situation, firms are still expected to handle complaints promptly. If the coronavirus pandemic, however, prevents a firm from doing this, they should inform the FCA on a timely basis. Firms are still required to aim to resolve a complaint within the required 15 days. If the firm cannot meet the deadline, they should advise the customer of the reasons.
Safeguarding arrangements (Payment Services clients only)
Discussing the impacts that COVID-19 will have on customers automatically brings safeguarding arrangements into the conversation. In order to protect customers, Authorised Payment Institutions and Electronic Money Institutions are generally required to comply with safeguarding requirements, while Small Payment Institutions have a choice of safeguarding funds. During the current crisis, firms that are obligated to safeguard, as well as those that choose to, must ensure that they are fully meeting safeguarding requirements. Firms should do this by reviewing their current safeguarding arrangements and ensuring that any weak areas identified are addressed, by implementing tighter safeguarding measures/controls. Compliance will ensure protection for both the customer and the firm itself.
Maintaining critical business services
If a firm has yet to identify its most important business services, then it should swiftly take steps to do so and should then implement a plan for ensuring these are maintained throughout.
Protecting confidential information and customers’ data
This heightened risk environment presents an enhanced opportunity for criminal wrongdoers to perpetrate hacks and fraudulent activity either against firms or their customers. Significantly higher volumes of remote working will increase these threats as well as present a greater risk of inadvertent data breach as employees may lack the safeguards that we take for granted in the workplace, such as secure access to buildings. In order to combat the risk of company information and/or customers sensitive data from being accessed by unauthorised users, the firm should ensure that it has made secure connections to its network available to all working staff. This includes providing adequate Virtual Private Network connections.
Ensuring appropriate governance is in place
Best practice involves creating and maintaining a crisis response committee, with delegated authority from the Board, that meets regularly and maintains a record of materials presented, discussions had, and decisions made. This committee should comprise the key business leads and subject matter experts to advise on strategy and approach, and these individuals should be documented within the firm’s BCP.
Outsourcing and third-party risk
This is about mapping key areas of vulnerabilities where the firm relies on external parties to provide important/critical or non-critical functions related to its payment services operations. Prior to establishing a relationship with an outsourcer, a firm should take the necessary steps to verify with its outsourcers that they have adequate plans in place to manage the risk to their systems and services arising from a disruption. The firm should be able to challenge the quality and performance of the outsourced functions and conduct their own risk assessment on the outsourcer’s operations. Should the firm assess that the outsourcer is no longer able to provide the agreed-to functions, the firm should be able to end their relationship with the outsourcer, and seamlessly switch from one provider to another, without receiving any interruptions to its business activities.
Managing employee well-being
The regulators have emphasised recently the importance of managing employee well-being and the relevance this has to maintaining a healthy culture.
Staying attuned to conduct risk
With a remote working workforce, highly volatile markets and an atmosphere of collective anxiety about job security, market conduct and, more generally, staff conduct could present a material risk.
Financial crime and fraud risk
Opportunists will seek to take advantage of a coronavirus environment and capitalize on their criminal illicit activity, acts of fraud and scams. Firms and individual employees should be forewarned to remain alert to these attacks.
Operational resilience and business continuity
Firms should meet the challenges posed to their companies (and customers alike) by COVID-19, via putting their business continuity plans (BCPs) into practice. It is essential that all firms have these plans in place to manage and mitigate the operational impact of Coronavirus. These BCPs should allow the firm to continue providing their most important business services remotely while protecting their customers and market integrity. More generally, firms are expected to:
- Have sufficiently robust systems and controls to continue to operate effectively (including the continued internal and external communication while operating remotely) in a stressed situation with business continuity plans to manage this
- Have a Senior Manager responsible for business continuity and for managing the impact of coronavirus
- Implement appropriate access for staff to work remotely
- Ensure continuous sound security over the firm’s network to prevent and detect breaches
- Use recorded lines during communications with customers (if required)
- Act fairly, honestly and professionally in accordance with the best interests of customers
- Ensure that all customer communications are clear, fair and not misleading
Firms should consider, along with other challenges, the impact of staff absences and the need to ensure staff wellbeing on continuity of service. Firms must identify how staff absence or inability to use business premises can be sufficiently mitigated to ensure critical services are provided to customers. Any weaknesses/issues identified with the contingency measures should be documented and immediately rectified. Where firms identify gaps through their planning that will, or could, cause harm to customers, they should notify the FCA through their usual supervisory contact.
How can we help you?
If you are concerned about the implications of any of the issues raised in this update and would like advice or help, please contact us on 0207 436 0630 or email info@thistleinitiatives.co.uk. We can provide a full range of compliance services, including advice on how to improve your business resumption, contingency planning and client assets arrangements.