March 18, 2020
The economic and operational stresses caused by the Novel Coronavirus (COVID-19) are highlighting the need for regulated financial institutions to formulate responses to address significant business disruptions (SBDs) and to revisit and enhance their business continuity plans (BCPs). Financial institutions should review and consider their policies in light of the threats posed by SBDs and also consider their obligations under their respective regulatory regimes. In addition to pandemic-specific guidance published by financial regulators in light of COVID-19, the relevant regulatory agencies have also previously published general business continuity guidance which should be followed in these circumstances. For financial institutions operating on a cross-border basis, different responses to the regulatory requirements may be required or otherwise a global policy that covers all elements or the most stringent requirements should be put in place.
We have already commented on the position for broker-dealers and now comment more broadly for banks as well as broker-dealers, and on a trans-Atlantic basis. You may also like to see our other client notes relating to the impact of COVID-19, such as the impact for derivatives and the use of force majeure provisions in commercial contracts.
The Federal Financial Institutions Examination Council (the FFIEC) recently issued guidance on behalf of its member agencies to remind financial institutions that business continuity plans should address the threat of a pandemic outbreak and its potential impact on the delivery of critical financial services. These financial institutions include U.S. banks, U.S. branches of non-U.S. banks and bank holding companies. It should be noted, however, that this guidance is not exhaustive with respect to BCPs. Financial institutions may consult the Federal Reserve’s website for a more complete set of guidance concerning business continuity plans.
The FFIEC Guidance identifies actions that financial institutions can take in response to SBDs such as pandemics. Specifically, the FFIEC states that an institution’s BCP should “address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, a testing program, and an oversight program to ensure that the plan is reviewed and updated.” Given the ever-evolving nature of pandemics, this portion of the BCP must be flexible and reflect the institution’s size, complexity and business activities.
Various state regulators, including the New York Department of Financial Services (NYDFS), have also published guidance for regulated institutions regarding plan preparedness. Please see our Client Alert, NYDFS Requires COVID-19 Preparedness Plans from Regulated Entities, in Shearman & Sterling Perspectives (March 17, 2020).
The FFIEC Guidance highlights the need for financial institutions to contemplate the differences between a pandemic and other traditional forms of business continuity issues. Typically, business continuity issues other than pandemics are more predictable in timeline, sometimes man-made and easier to safeguard against. The human risk and inherent uncertainty of pandemics present an uncertain timeline with a higher number of contingencies. Accordingly, the potential impact of a pandemic on the delivery of critical financial services to its customers should be incorporated into a financial institution’s ongoing business impact analysis and risk assessment processes.
Indeed, U.S. regulatory agencies have requested that financial institutions work with their customers to ensure that services are maintained and customers receive the access to financial products they need during these times of stress. This is reflective of past Federal Reserve guidance, where banking organizations were encouraged to work with borrowers and other customers affected by major disasters or emergencies, including waiving of ATM fees and ease of access to credit.
In addition, state bank regulators, such as the NYDFS, have released guidance on supporting businesses impacted by COVID-19 addressed to New York State regulated banks, credit unions and licensed lenders. In light of the financial stresses that a pandemic can impose on customers, the NYDFS encouraged its regulated banks, credit unions and licensed lenders to consider all reasonable and prudent steps to assist businesses that have been adversely impacted by COVID-19, including:
Below is a non-exhaustive list of topics the FFIEC has stated should be covered in a financial institution’s BCP:
The FFIEC’s Business Continuity Management (BCM) booklet provides a methodology for financial institutions to follow as they develop, update and implement their pandemic plan. Essential to the development and implementation of a pandemic plan is inclusion of senior business management from all functional, business and product areas, including administrative, human resources, legal, IT support functions and key product lines.
In addition to following a cyclical process of planning, preparing, responding and recovering, management may also face specific issues, highlighted below, and can consider mitigating controls.
A financial institution’s board of directors must oversee the development, approval and senior management support of its pandemic response plan. Senior management is responsible for developing the pandemic plan and putting it into practice, including testing and revision of the plan. Senior management must also communicate the plan throughout the financial institution so that employees understand their role and responsibilities in responding to a pandemic event.
The potential effects of a pandemic should factor into the financial institution’s business impact analysis (BIA). The BIA should:
Financial institutions should include the following risk assessment and risk management steps for pandemic planning:
The actions that arise from a pandemic should include the following:
A financial institution’s pandemic plan should be sufficiently flexible to adjust to ongoing developments and new information. Consistent testing of the pandemic plan can ensure that the plan is able to meet these needs. Accordingly, a pandemic plan should incorporate testing:
The FFIEC has suggested several alternatives for pandemic testing, which include: “work at home days for critical and essential employees to test remote access capabilities and infrastructure; crisis management team communication exercises; table top exercises that test various scenarios related to escalated absenteeism rates; additional or modified call-tree exercises; and community, regional or industry-wide exercises with members of the financial services sector to test the financial sector’s ability to respond to a pandemic-like crisis.”
FINRA Rule 4370 is FINRA’s emergency preparedness and business continuity rule and requires each FINRA member to create and maintain a written BCP identifying procedures relating to an emergency or SBD. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member’s existing relationships with other broker-dealers and counterparties. Broker-dealers with cross-border operations should consider that different responses may be required to address the same SBD across distinct regions.
The elements that comprise a BCP are flexible and may be tailored to the size and needs of a member. Each plan, however, must, at a minimum, address:
In addition, members must:
Many firms also incorporate important testing, both periodic and episodic, in order to detect and remediate weaknesses and to demonstrate compliance.
Among the considerations that broker-dealers should assess when evaluating their policies are the following:
In the event of a SBD, firms may need to take steps to ensure the physical safety and health of associated persons. For example, many firms today have general prohibitions on associated persons traveling to epidemic-affected countries and/or certain affected areas of countries. Some firms require supervisory approval to travel to non-affected areas of affected countries. These prudential prohibitions are important as the State Department makes recommendations that U.S. citizens do not travel to affected areas, but rarely bans citizens from traveling.
In the case of pandemics, firms also have to grapple with policies for both associated persons who (i) have travelled to affected areas, and who (ii) may have come into contact with others (e.g., roommates) who have travelled to affected areas. Firms should develop and communicate those policies to associated persons, and some firms are utilizing systems to monitor associated persons. Some firms have adopted quarantine policies for associated persons who have travelled to affected areas, prohibiting them from coming to the office and requiring them to self-isolate for 14 days or more.
When SBDs occur, it is common for larger-than-usual numbers of broker-dealer associated persons to work remotely, including from home. Broker-dealer associated persons should be cautioned not to hold any location out as an office of the firm (other than firm-designated non-branch locations, branch offices and offices of supervisory jurisdiction (OSJs). Further, associated persons who are working remotely should be reminded not to store any firm documents at their personal residences, but rather to scan documents into firm systems. Associated persons working remotely should also be reminded of good document security practices.
When larger than usual numbers of associated persons are working remotely, communication between associated persons and supervisors, as well as communication among supervisors, is critical. Technology has vastly changed broker-dealer remote work in the past few years, with personal video conferencing technologies available on most phones and well-regarded document sharing systems, screen-sharing systems and virtual private network systems (VPNs) used throughout the industry. Broker-dealer teams that work remotely report that increased use of these technologies and increased frequency of team calls among working units (and among unit supervisors) are best practices.
Other firms, in anticipation of having larger-than-usual numbers of associated persons working remotely, are creating multiple teams that can come into office locations on a rotating or periodic basis as a means of balancing reduced in-office time with maintenance of core systems.
Telecommuting can interrupt normal flows of communication between associated persons, customers, regulators and critical business constituents like banks, clearing houses and counterparties. Many firms use communication technologies effectively to minimize communications disruptions. To ensure that communications are not disrupted while associated persons are working from outside of the office, firms may wish to review their policies and BCPs to determine if any further detail is required.
Firms should also consider creating a centralized process for simultaneously contacting all associated persons that are working outside of the central office rather than depending on each unit to contact staff individually. It is also a best practice to frequently update emergency contact lists.
Member firms’ increased use of outside entities to perform functions related to their business operations can create compliance risks, particularly during SBDs. Regulators have stated that a member firm’s use of a third-party service provider does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules. As such, firms should take reasonable steps to ensure that all of its current or prospective third-party service providers, especially those relating to core services such as clearing brokers, are capable of performing any required outsourced activities in the case of a SBD.
One best practice is for firms to create a list of their vendors, assess the susceptibility of each vendor to SBDs, categorize vendor relationships in terms of that risk and then incorporate that assessment into the firm’s own BCP. It is also a best practice to maintain contact information for key relationship contacts at essential high-risk vendors, especially e-mail addresses and mobile phone numbers.
In the broker-dealer context, certain activities require special consideration when responding to SBDs. Firms should consider examining their policies and procedures to ensure that SBDs will not prevent them from:
On March 09, 2020, FINRA published Regulatory Notice 20-08 specifically addressing pandemic-related business continuity considerations in light of the COVID-19 outbreak, as well as providing potential regulatory relief from certain obligations. This notice did not create new rules or obligations, but highlighted key considerations for member firms and noted the possibility of additional regulatory relief and guidance in the future. For additional information regarding this notice, see our Client Alert Update Regarding FINRA Regulatory Notice 20-08: Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief, in Shearman & Sterling Perspectives (March 13, 2020).
The Markets in Financial Instruments Directive and the Capital Requirements Directive require EU banks and investment firms to take reasonable steps to ensure continuity and regularity in the performance of the firm’s services and activities, by using appropriate and proportionate systems, resources and procedures. The requirements in both of these Directives have been transposed into the national laws of EU member states and there may be differences in the approach that require a nuanced response by firms.
The Banking Supervision arm of the European Central Bank sent a letter to large Eurozone banks and investment firms on March 03, 2020. The ECB is responsible for direct prudential supervision of certain significant banks based in the Eurozone as part of the Single Supervisory Mechanism. The focus of the ECB’s letter is on the need for firms to consider contingencies where operations are dependent on their staff remaining healthy and available to work, as well as having access to the suitable systems and processes. The ECB calls on firms to:
The U.K. Financial Conduct Authority (FCA) published a statement on COVID-19 on March 04, 2020, highlighting that, along with the Bank of England, the Prudential Regulation Authority and HM Treasury, the FCA is actively reviewing the contingency plans of a wide range of firms. The statement confirms that, where a firm is using backup sites or allowing staff to work remotely, the FCA expects firms to be able to continue to enter orders and transactions promptly and use recorded lines when trading. Staff should also have access to the required compliance support.
The FCA has also published a statement on support for consumers in which it makes clear that firms must continue to treat customers fairly in light of the coronavirus pandemic. Furthermore, on March 17, 2020, the FCA issued a statement setting out the steps it was taking in response to the epidemic to ensure the protection of consumers and the continued functioning of markets, including adjustments to its own work program and delaying deadlines for responses to consultations. Many persons working at regulators, as well as in institutions, are now working remotely and so this will change the way in which interactions such as meetings, calls, filings and regulatory processes take place. Based on our own recent interactions with the FCA, we understand that the FCA is allowing extended time to persons involved in authorization and supervisory processes to respond to information requests and is being flexible where possible.
U.K. banks and investment firms are required to establish, implement and maintain an adequate BCP. The objective of the BCP is, in the event of an interruption to a firm’s systems and procedures, to limit losses, preserve essential data and functions and ensure a firm can maintain its regulated activities. Where that is not possible, the aim of the BCP should be the timely recovery of the data and functions and the timely resumption by the firm of its regulated activities.
The U.K.’s FCA states that other firms should consider the business continuity rules as if they were guidance.
A BCP should cover:
U.K. regulatory guidance states that firms should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements. In addition, firms must take steps to address any identified deficiencies.
The U.K. business continuity rules are closely related to the rules and policies on operational resilience. When considering a firm’s BCP, the relevant U.K. regulator will consider how it fits into the firm’s overarching operational resilience framework.
Furthermore, the U.K. regulators will also consider any relevant and applicable EU guidance issued by one of the European Supervisory Authorities.
Consistent with the approach of the U.S. regulators, the U.K. regulators continue to state that a firm remains fully accountable for any function that is has outsourced to a third party.
The Prudential Regulation Authority (PRA) is consulting on proposals to modernize the regulatory framework applicable to banks and large investment firms on outsourcing and third-party risk management. The proposals are in response to the increasing reliance by firms on technology provided by third-party providers, which creates risks around, for example, data security. The proposals include requiring firms to:
Both the PRA and the FCA hold banks and investment firms to high-level principles. Two of these are particularly relevant to business continuity planning. First, a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems. Secondly, a firm must deal with its regulators in an open and cooperative way, disclosing to the relevant regulator anything relating to the firm that the regulator would reasonably expect notice.
In July 2019, the FCA published the outcome of a review into the BCPs of U.K. small-to-medium sized retail banks, payment institutions and electronic money institutions. The FCA set out its expectations of firms and the key takeaways are set out below.
U.K. banks and investment firms should ensure that they provide adequate training to all staff across the firm on the firm’s business continuity planning and implementation. This will assist all staff to understand what is expected of them when responding to an event.
Customer Communication and Processes
U.K. banks and investment firms should identify and document customer critical processes, which can be prioritized swiftly for action. The objective is to reduce harm.
The FCA expects firms to proactively identify, test and revise the firm’s relevant capabilities—people, systems and processes—on an ongoing basis. Where a firm identifies a weak area, it should take steps to enhance the firm’s response to reduce harm.
To speed up reaction times, U.K. banks and investment firms should consider preparing detailed pre-drafted and pre-approved communication plans for internal/external stakeholders, including their customers. These communication plans might include specific messages to be used, how they should be issued and in which scenarios.
Individuals Responsible for Responding to an Event
A firm’s response to an event should be managed and driven by appropriate individuals with relevant knowledge, experience and seniority. A firm could also consider introducing an additional independent overlay, responsible for oversight and challenge of proposed solutions and timeframes.
Recent events have challenged firms across the globe, and financial institutions are no exception. All financial institutions should consider their business continuity and emergency preparedness plans and determine if any additions, modifications or updates are required.
 During a pandemic, financial institutions may face contingencies that this memo does not address. Should additional concerns arise, we encourage you to consult regulatory guidance and/or contact a member of the Shearman & Sterling team. It is also important to note that many regulators are now working remotely, which may affect the status of meetings, calls, filings and other regulatory processes.
 Our other client notes relating to COVID-19 are available on our COVID-19 Resource Centre.
 The FFIEC comprises principals of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau and the State Liaison Committee. See the Federal Financial Institutions Examination Council, Interagency Statement on Pandemic Planning (Mar. 06, 2020), (the “FFIEC Guidance”).
 The FFIEC Guidance, also published by the Federal Reserve as SR 20-3 / CA 20-2, supersedes Federal Reserve SR Letter 07-18, “FFIEC Guidance on Pandemic Planning” and SR Letter 06-5, “Influenza Pandemic Preparedness.”
 See the Federal Reserve’s Information Technology Guidance.
 Supra note 3.
 See our Shearman & Sterling Client Alert, NYDFS Requires COVID-19 Preparedness Plans from Regulated Entities (March 17, 2020).
 See Federal Reserve, SR 20-4 / CA 20-3: Supervisory Practices Regarding Financial Institutions Affected by Coronavirus (Mar. 13, 2020).
 See Federal Reserve, SR 13-6 / CA 13-3: Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency (Mar. 29, 2013).
 See the New York Department of Financial Services, Industry Letter Regarding Guidance to New York State Regulated Banks, Credit Unions and Licensed Lenders Regarding Support for Businesses Impacted by the Novel Coronavirus (Mar. 10, 2020).
 See the Federal Financial Institutions Examination Council, Interagency Statement on Pandemic Planning (Mar. 06, 2020).
 See FINRA Regulatory Notice 13-25.
 See FINRA Regulatory Notice 11-14.
 Supra note 16.
 See FINRA Regulatory Notice 12-45.
 See FINRA Regulatory Notice 07-49.
 See FINRA Regulatory Notice 20-08.
 See our Client Alert Update Regarding FINRA Regulatory Notice 20-08: Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief, in Shearman & Sterling Perspectives (March 13, 2020).
 See the ECB’s Letter to Significant Institutions.
 See the U.K. Financial Conduct Authority (FCA) Statement on Covid-19 (coronavirus).
 See the FCA publication Cornoavirus (Covid-19): support for consumers.
 See the FCA publication FCA information for firms on Coronavirus (Covid-19) response.
 The U.K. regulators—the FCA, the Prudential Regulation Authority and the Bank of England—are currently consulting on improving the U.K.’s operational resilience framework and on impact tolerances. See our Blog Post UK Regulators Launch Consultation on Operational Resilience in Financial Services, in the Shearman & Sterling Financial Regulatory Blog (Dec. 05, 2019).
 See the FCA publication Retail Banking: Business Continuity Planning.