Global menu

Our global pages

Close

Coronavirus - Immediate considerations for financial services clients in response to the COVID-19 pandemic

  • United Kingdom
  • Coronavirus
  • Financial services disputes and investigations
  • Litigation and dispute management
  • Financial services

20-03-2020

Communications need to be clear and timely

Constantly review and maintain your customer communications content and strategy.  There is a regulatory expectation that firms will ensure consumers are adequately protected during severe disruption.  This is not only about making business decisions designed to mitigate harm to consumers, e.g. responding swiftly to interest rate changes, but it is also about ensuring customers are adequately informed about how your business is responding to the pandemic and how they are / will be affected by any material decisions you make.  Best practice will involve:

  • maintaining regular contact with customers through multiple channels (particularly because a firm needs to manage the risk around IT system outages, which are more likely where capacity is being stretched by increased demands on the infrastructure)
  • providing up-to-the-minute information (e.g. responding swiftly to the daily governmental briefings)
  • communicating in a way that is clear and easily understood.  Given the customers most vulnerable to this pandemic are the over-70s who are also likely to be the least technologically-minded, firms should be looking at ‘analogue’ options to maintain contact (e.g. press and radio advertising, as well as customer mailing exercises which may be particularly crucial where customers are required to self-isolate for up to 12 weeks)
  • when dealing with consumer complaints consider a flexible approach that makes more use of electronic communications with complainants.  Firms should be particularly mindful of the impact of any delays in handling complaints in the present climate, particularly in respect of vulnerability and hardship cases

Maintaining critical business services

Make sure you know what your most important business services are and ensure these are maintained throughout the disruption caused by COVID-19.  This may mean suspending other, less important business services.  If a firm has yet to identify its most important business services then it should swiftly take steps to do so, and then implement a plan for ensuring these are maintained throughout.  What is important will obviously depend on the nature of your business.  However, factors to take into consideration in determining what is most important in this instance might include:

  • the nature of your customer base, including vulnerable customers – such as customers over 70 - who will be more susceptible to harm from this disruption
  • the ability of customers to obtain the service from other providers
  • whether the failure of the service could cause contagion impacting other financial institutions which rely on that service or lead to impact on markets

Protect confidential information and your customers data

This heightened risk environment presents an enhanced opportunity for criminal wrongdoers to perpetrate hacks and fraudulent activity either against your firm or your customers.  Significantly higher volumes of remote working will increase these threats as well as presenting a greater risk of inadvertent data breach as employees may lack the safeguards that we take for granted in the work place, such as secure access to buildings.  Firms—including their lawyers— should be particularly vigilant for cyber-attacks. Some quick, simple and crucial steps firms can take to improve cyber preparedness and response, include:

  • ensure employees are reminded of the critical need for cyber hygiene, especially when teleworking
  • confirm that Cyber Incident Response Teams have hard copy access to response plans at home, not just in the office
  • ensure that key members have a good sense of the regulatory and contractual notification obligations in the event of a breach (or know whom to call who does). There is no guarantee that regulators or counterparties will grant leniency for failing to know or meet notification deadlines because of coronavirus-related distraction
  • firms should also note the ICO has issued some guidance regarding Covid-19 issues and the handling of Data Subject Access Requests (DSARs) which indicates a degree of pragmatism regarding DSAR timeframes

Ensure you have appropriate governance in place 

Best practice involves creating and maintaining a crisis response committee, with delegated authority from the Board, that meets regularly and maintains a contemporaneous record of materials presented, discussions had and decisions made.  This committee should comprise the key business leads and subject matter experts to advise on strategy and approach.  It should also be swift of foot and capable of responding in real time as this crisis develops ensuring a coordinated approach to manage internal and external communications effectively.   

  • staying up to date on rapidly changing legislation, regulations and regulatory guidance, applying prompt responsive plans to implement in a timely and effective manner
  • where customers or markets are at put at risk as a consequence of decisions made by a firm or its delegated committee, it will be critically important that a firm can produce evidence of the rationale for decisions made and the information or evidence on which these were made
  • whilst regulators are less likely to take action against a firm for decisions reasonably made on a sound evidential basis, the absence of evidence for a decision can severely prejudice a firm’s ability to defend its decisions in the event they are subsequently scrutinised by a regulator (often with a degree of hindsight)

Outsourcing and third party vendor risk

This is not just about insurance and managing potential liability, it’s also about mapping key areas of vulnerabilities where the firm relies on third party service providers.  A firm should have taken steps already to verify with its vendors that they have adequate plans in place to manage the risk to their systems and services arising from the pandemic.  Where gaps are identified these should be quickly plugged or work-arounds found, to mitigate risk.  Firms should also consider increasing the oversight and monitoring of these third parties as they invoke their BCP call to action plans, ensuring optimum service and minimal disruption and impact to customers.   

  • when seeking to exit non-critical third party relationships to reduce costs in non-core areas (i.e. the flipside of maintaining continuity), firms should consider the legal implications of how this is done to avoid regulatory criticism around customer impact and aim to minimise the later impact of claims from third parties around the basis of any exit

Managing employee well-being

The regulators have been particularly vocal in recent years about the importance of managing employee well-being and the relevance this has to maintaining a healthy culture.  The coronavirus pandemic is plainly a highly stressful situation and will inevitably increase the risk to employee well-being.  Key issue that employer firms should be considering to manage the impact on its workforce include:

  • pay for individuals unable to work due to self-isolation or sickness
  • actively reviewing and monitoring the Working at Home Policy to ensure it continues to be fit for purpose
  • focussing on protecting mental health by keeping people connected for mental well-being and social purposes, as well as monitoring the usage of EAPs (Employee Assistance Programmes)
  • focussing on family friendly support policies, e.g. emergency back-up for children, elderly relatives and vulnerable individuals
  • using MI in the form of people tracking and analytics to stay informed of incidents of self-isolation, illness, recovery and critical resources

Stay attuned to conduct risk

With a remote working workforce, highly volatile markets and an atmosphere of collective anxiety about job security, market conduct and, more generally, staff conduct could present a material risk, particularly because BCP arrangements will inevitably make it harder for firms to monitor behaviour.  Regulators will expect firms to be particularly alive to this risk and to take steps to ensure that crucial data used for monitoring conduct continues to be produced, analysed and acted on where something requires investigation.  This applies at both the micro level of individual staff behaviours and at the macro level where the conduct of the corporate in a crisis might conflict with regulatory expectations.  By way of example, the PRA has issued guidance that banks should not increase dividends or other distributions, such as bonuses, in response to the PRA / BoE policy actions to combat economic impact of COVID-19.  For other FS firms, there is no doubt the FCA would take a similarly dimly view of this sort of conduct.

Financial crime and fraud risk

Fraud can destroy trust between companies and customers, throw carefully laid plans into chaos and undermine an organisation’s collective identity, culture and values.  Unfortunately there are opportunists who will seek to take advantage of a coronavirus environment and capitalize on their criminal illicit activity, acts of fraud and scams. Scams linked to the virus include telephone fraud, cyber threats using phishing and malware to target victims. Firms and individual employees should be forewarned to remain alert to these attacks. 

Additionally firms will need to consider the broader financial crime risk exposures, a call to action to review the adequacy of the financial crime framework, its effectiveness and suitability to operate within a remote environment. In this situation, firms should consider the effectiveness of their systems and controls to prevent, detect and deter financial crime, particularly:

  • review their ability to deploy effective measures to block fraudulent payments
  • robustly screen customers and scrutinise payment alerts, mange increased volume trends, ensuring effective capacity planning to support prompt investigation
  • vigorously challenge customer and payment parameter setting ensuring money laundering suspicions are appropriately identified, promptly investigated and reported upon
  • scrutinise the ability of the Money Laundering Reporting Officer to discharge their responsibilities effectively, access information and records to support prompt decisioning around financial crime risk,  decision rationale firmly evidenced, recorded with the appropriate escalation measures in place
  • ensure they maintain continued regular MI and data reporting
  • demonstrate continued governance oversight and board escalation as appropriate

Consider the impact on regulatory compliance and proactively manage regulatory expectations

  • COVID19 is already impacting on availability resource and this situation is likely to become more acute over the coming weeks.  Firms may conclude it is simply not practical to allocate significant resource to testing controls in the current environment.  In those circumstances, it will be important to consider whether resources can be deployed from other areas.  Failing that, it is crucial the firm is able to evidence what steps it has taken to mitigate the risk as a result of a reduction in resource
  • if the reduction in resource impacts on remediation activities or regulatory deadlines generally, such as compliance with complaints deadlines under DISP, then a firm should communicate this fact to the regulator in a timely fashion to ensure the firm is meeting its obligations of openness and transparency under PRIN 11
  • firms also need to be alive to the legal and regulatory risks that can arise from making changes to existing process in response to this crisis.  For instance, using electronic signatures as an alternative to wet signatures (see our article here on how to use e-signatures effectively) or creating a remote working solution which inadvertently discriminates against employees on the grounds of disability or gender