Shearman And Sterling

doctor clipboard

March 17, 2020

NYDFS Requires COVID-19 Preparedness Plans from Regulated Entities


Jump to...



The arrival of Novel Coronavirus (COVID-19) in New York, and the United States more generally, has roiled the U.S. and global economy and significantly affected numerous businesses. In light of these circumstances, the New York Department of Financial Services (“NYDFS”) released a set of industry letters on March 10, 2020 (the “Industry Letters”) that: (i) require regulated institutions to have preparedness plans in place to address operational and financial risks posed by the outbreak of COVID-19 and to submit a description of those plans to the NYDFS, and (ii) encourage New York regulated banks, credit unions and licensed lenders to consider all reasonable and prudent steps to assist businesses that have been adversely impacted by COVID-19. On March 12, 2020, the NYDFS also provided relief by order of the Superintendent of the NYDFS from certain New York Banking Law notice requirements (including with respect to office closures or relocations), as well as extensions regarding certain NYDFS regulatory reporting requirements in this period.


Regulated institutions must submit a description to the NYDFS of their plans to manage the potential financial risk and the risk of disruption to their services and operations from the outbreak of COVID-19 as soon as possible—and by April 9th at the latest. Submissions should be made to the following designated email address:

Major Issues

The major issues highlighted in the Industry Letters include:

  • Operational and Financial Preparedness. Each regulated institution must have a preparedness plan that addresses, inter alia: (i) strategies for mitigating operational disruptions and protecting employees, (ii) an evaluation of the outbreak’s impact on employees, facilities and critical third-party service providers, and (iii) various financial assessments, such as assessment of the credit risk ratings of customers and the adequacy of loan loss reserves. The NYDFS emphasizes that each regulated institution’s plan should “be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.”
  • Cybersecurity Threats. Regulated institutions should consider concerns related to increased cybersecurity threats as hackers and other bad actors take advantage of global chaos to target regulated institutions.

Board and Senior Management Oversight

The NYDFS also explicitly allocates responsibility to the board of directors (or equivalent body) for ensuring that appropriate plans are in place and for allocating sufficient resources to implement a preparedness plan: “The senior management of institutions is responsible for ensuring effective policies, processes, and procedures are in place to execute the plan and for communicating the plan throughout the institution to ensure consistency in approach so that employees understand their roles and responsibilities.”

Preparedness Plan Requirements

More specifically, each regulated institution’s plan should address the following items, at a minimum:

  • Tailored preventative measures to mitigate the risk of operational disruption, which should include identifying the impact on customers and counterparties;
  • A documented strategy addressing the impact of the outbreak in stages, so that the regulated institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak;
  • Assessment of all facilities, systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access;
  • An assessment of potential increased risk of cyber-attacks and fraud due to the outbreak;
  • Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19;
  • Assessment of the preparedness of critical third-party service providers and suppliers;
  • Development of a communication plan to effectively communicate with customers, counterparties and the public, and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
  • Testing the plan to ensure its policies, processes and procedures are effective; and
  • Governance and oversight of the plan, including identifying the critical members of a response team to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.

Financial Impact

A regulated institution’s plan to assess and monitor the potential financial risk that may arise from the outbreak of COVID-19 should include, at a minimum:

  • Assessment of the credit risk ratings of the customers, counterparties and business sectors impacted by COVID-19;
  • Assessment of the credit exposure to customers, counterparties and business sectors impacted by COVID-19, arising from lending, trading, investing, hedging and other financial transactions, including any credit modifications, extensions and restructurings (including capitalizations of interest);
  • Assessment of the scope and the size of credits adversely impacted by COVID-19 that currently are in, or potentially may move to, non-performing/delinquent status, including consideration of stress testing and/or sensitivity analysis of loan portfolios and the adequacy of loan loss reserves;
  • Assessment of the valuation of assets and investments that may be, or have been, impacted by COVID-19;
  • Assessment of the overall impact of COVID-19 on the regulated institution’s earnings, profits, capital and their liquidity (including impact on loan-to-deposit ratio); and
  • Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19.

Relief to Customers

In light of the financial stresses that a pandemic can impose on customers, the NYDFS encourages its regulated banks, credit unions and licensed lenders to consider all reasonable and prudent steps to assist businesses that have been adversely impacted by COVID-19, including:

  • Offering payment accommodations, such as allowing loan borrowers to defer payments, extending the payment due dates or otherwise adjusting or altering terms of existing loans, which would avoid delinquencies and negative credit agency reporting;
  • Waiving overdraft fees;
  • Easing credit terms for new loans;
  • Waiving late fees for loan balances; and
  • Proactively reaching out to customers and those adversely impacted via app announcements, text, email or otherwise to explain the above-listed and any other assistance being offered to them.

NYDFS Temporary Relief

The NYDFS Superintendent has issued an order providing temporary relief to regulated institutions regarding the following:

  • Temporary Relocation. New York State regulated entities may temporarily relocate any of their authorized places of business, and close any of their branch offices or locations, if adversely affected by the outbreak of COVID-19, without complying with the prior notice or application requirements of the New York Banking Law or Financial Services Law.
    • The regulated entities and individuals must give the NYDFS prompt written notice of any such relocation or branch closing and all activities conducted from any such relocated places of business must remain subject to regulation and supervision of the NYDFS.
  • Continued Supervision and Oversight of Remote Workers. Individuals employed by or working for regulated entities and conducting licensable activities from their personal residences will remain subject to the full supervision and oversight of such regulated entities.
    • Such regulated entities must maintain appropriate safeguards and controls, including but not limited to those related to data protection and cybersecurity, to ensure continued safety and soundness of such regulated entities and persons.
  • Board Meetings by Phone. Participation in a meeting of the board of directors or trustees or of any committee of such board of directors or trustees of a bank or trust company can be conducted by telephone, video-conferencing, or similar electronic means allowing all persons in the meeting to hear each other, and it will constitute an in person meeting.

Extension of Deadlines. The deadline for the following filings, among others, is extended by forty-five (45) days from the original respective due date for regulated entities unable to meet filing deadlines due to the outbreak of COVID-19:

  • Certifications of compliance with cybersecurity requirements and transaction monitoring and filtering programs;
  • Annual Reports and Comparative Statements of commercial banks, trust companies, stock-form savings banks and stock-form savings and loan associations;
  • Annual Reports of licensed lenders, sales finance companies and money transmitters; and
  • Quarterly Financial Statements of virtual currency licensees.

The extensions do not include:

  • Notices to the Superintendent of a cybersecurity event; and
  • Submission of plans to address London Interbank Offered Rate cessation and transition risk pursuant to the Industry Letter dated December 23, 2019, which are due on March 23, 2020.
Special thanks to Caitlin Hutchinson Maddox for her contribution to this publication.