Search covid

The European Securities and Markets Authority (ESMA) has published its decision of 16 March 2020 (Decision), which requires natural or legal persons who have net short positions in relation to a share admitted to trading on a regulated market to notify to a competent authority details of any such position if the position reaches or exceeds 0.1% of the issued share capital. The requirement will last for three months from the date of its entry into force, which is today.

The Decision was taken in accordance with Article 28 of Regulation EU 236/2012, which allows for ESMA to take such measures where there is a threat to the orderly functioning and integrity of financial markets or to the stability of the whole or part of the financial system in the Union; and there are cross-border implications.

The Decision follows from short selling bans initiated by a number of competent authorities last week, also made under EU 236/2012. The Decision looks to provide a community-wide position, which in turn reduces arbitrage opportunities and looks to protect the integrity of the market as a whole.

For the full text of the Decision, please click here.

On 12 March 2020, the European Central Bank (ECB) announced a number of measures to ensure that its directly supervised banks can continue to fulfil their role in funding the real economy.

Key points in the announcement include:

  • the ECB will allow banks to operate temporarily below the level of capital defined by the Pillar 2 guidance, the capital conservation buffer and the liquidity coverage ratio;
  • banks will be allowed to partially use capital instruments that do not qualify as Common Equity Tier 1 capital, for example Additional Tier 1 or Tier 2 instruments, to meet the Pillar 2 requirements; and
  • the ECB is discussing with banks individual measures, such as adjusting timetables, processes and deadlines. For example, the ECB will consider rescheduling on-site inspections and extending deadlines for the implementation of remediation actions stemming from recent on-site inspections and internal model investigations, while ensuring the overall prudential soundness of the supervised banks.

On 12 March 2020, the European Banking Authority (EBA) issued a statement on actions to mitigate the impact of COVID-19 on the EU banking sector.

Key points in the statement include:

  • the EBA will postpone the EU-wide stress test exercise to 2021. This is intended to allow banks to focus on and ensure continuity of their core operations, including support for their customers;
  • the EBA will carry out an additional EU-wide transparency exercise in order to provide updated information on banks’ exposures and asset quality to market participants;
  • EBA recommends that Member State competent authorities (NCAs) plan supervisory activities, including on-site inspections, in a pragmatic and flexible way, and possibly postpone those deemed non-essential;
  • NCAs are encouraged, where appropriate, to make full use of the flexibility already embedded in the existing regulatory framework;
  • it is crucial that the classification of exposures accurately and timely reflects any deterioration of asset quality. There is, however, flexibility in the implementation of the EBA Guidelines on management of non-performing and forborne exposures and the EBA calls for a close dialogue between supervisors and banks, also on their non-performing exposure strategies, on a case by case basis.

On 11 March 2020, the Bank of England’s (BoE) Financial Policy Committee (FPC) made a decision to set the UK countercyclical capital buffer rate at 0% with immediate effect. The FPC expects to maintain the 0% rate for at least 12 months, so that any subsequent increase would not take effect until March 2022 at the earliest.

Following the FPC decision the PRA has made a statement covering both:

  • distributions; and
  • transitional measures on technical provisions relief for insurers.

When discussing distributions the PRA states that it expects firms not to increase dividends and other distributions in response to this policy action and will monitor firms’ distributions against this expectation. The PRA expects boards of PRA-regulated firms to consider this when deciding distributions.

The PRA may engage with relevant senior managers and/or check written records, such as relevant board minutes, to assess whether any relevant decisions were subject to an appropriate level of discussion, documentation and oversight.

The PRA requests that firms note the following when considering whether to use their capital buffers:

  • use of the PRA buffer or CRD IV combined buffer is not a breach of capital requirements or threshold conditions;
  • the PRA buffer is confidential and the automatic distribution restrictions associated with the CRD IV combined buffer do not apply to it; and
  • automatic distribution restrictions resulting from use of the CRD IV combined buffer are a capital conservation measure. Such restrictions are consistent with the overarching aim of these buffers, which is to enable banks to continue to support the real economy and avoid amplifying a system-wide stress.

The transcript of the press conference on the BoE measures to deal with COVID-19 can be found here.

We have produced both a short form and long form checklist of suggested actions that financial services clients may wish to consider as they respond to the COVID-19 outbreak. This is built around the four headline actions outlined in our publication “COVID-19: Regulatory aspects for boards to consider”. It is intentionally not prescriptive or exhaustive, and should be tailored by each firm to their business model and arrangements.

To obtain a copy of the checklists please contact Jonathan Herbst, John Coley or Iain Hawthorn.

In light of mounting concerns about COVID-19, aka the coronavirus, FINRA recently published FINRA Regulatory Notice 20-08 – Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief. Notice 20-08 provides both guidance on pandemic preparedness and regulatory relief to impacted member firms. Notice 20-08 supplements previous guidance on pandemic preparedness that FINRA published in October 2009 in response to the outbreak of influenza A (H1N1) or swine flu. FINRA’s prior guidance is available at FINRA Regulatory Notice 09-59 – FINRA Provides Guidance on Pandemic Preparedness. Member firms are urged to review both notices carefully. Firms should also stay current with respect to COVID-19 related updates from the Centers for Disease Control and Preparedness (the “CDC”) including, in particular, the CDC’s interim guidance for businesses and employers.

Business Continuity Plan Review. Notice 20-08 urges member firms to review their business continuity plans (BCPs) to ensure they are sufficiently flexible to address a wide range of possible effects in the event of a pandemic. In this regard, member firms may want to review the list of possible pandemic related effects set forth in Notice 09-59, which reflects FINRA’s survey of selected member firms with respect to preparedness for a global pandemic. Concerns identified by the survey participants as possibly arising from a pandemic included: absenteeism (25%), telecommunications disruptions (12%), and remote work arrangements (12%). Additional concerns included commuting (9%), provision of customer service (8%), transportation (6%), trade clearance and settlement (5%), counterparties (4%), market volatility (4%), regulatory filings (4%), power disruptions (2%), and access to online accounts (1%).

Emergency Contact Information. Notice 20-08 also urges each member firm to review its required emergency contacts to ensure that FINRA has a reliable means of contacting the firm. Member firms may register and update their emergency contact persons through the FINRA Contact System (FCS), which can be accessed through the FCS webpage. Firms that are unable to contact FINRA through their usual contacts due to pandemic or other business disruptions should contact FINRA’s Call Center at 301/590-6500.

BCP Activation and Business Disruptions. Notice 20-08 also urges firms that have activated their BCPs or that are facing business disruptions, whether solved or ongoing, to contact their assigned FINRA Risk Monitoring Analyst.

Remote Offices or Telework Arrangements.   Notice 20-08 recognizes that member firms may employ a variety of methods to mitigate the impact of a pandemic, including social distancing, travel restrictions, revised sick leave policies, special pandemic leave time, or specialized seating plans for densely populated floors or buildings. Firms may also employ remote offices or telework arrangements, whether from home or a backup or recovery location.

Firms that use remote offices or telework arrangements should consider how such arrangements might affect their supervisory system and ensure that they establish and maintain a supervisory system that is reasonably designed to supervise the activities of each associated persons working from an alternative or remote location.  Similarly, recently issued MSRB Notice 2020-07 also reminds regulated entities of their supervisory requirements in light of COVID-19 concerns.

Firms that use space-sharing arrangements should take into account and address the risks associated with sharing office space, including customer privacy, information security and recordkeeping considerations.

Notice 20-08 also suggests that member firms may find it helpful to test broad use of remote offices or telework arrangements prior to activation. Notice 09-59 offers additional guidance and suggestions related to telecommuting preparedness  as well as a discussion on regulatory and business considerations, with a particular focus on issues related to absenteeism, remote work arrangements and telecommunications.

Notice 09-59 also includes a list of actions and protocols that survey respondents had activated in response to the H1N1 pandemic. In addition to those listed above, these included:

  • distribution of hand sanitizers, masks, gloves and hygiene products;
  • increased sanitizing and disinfecting of facilities;
  • increased use of communication channels to disseminate important health and safety information and calm employee and customer concerns;
  • travel restrictions and quarantines (voluntary and/or mandatory) often based on CDC recommendations;
  • minimization or elimination of group meetings;
  • enhanced use of remote meeting and conference call capabilities;
  • reassessment and revision of human resource policies and testing of information technology (IT) and remote work capabilities; and
  • increased allowable sick time and encouragement to use such time.

Cybersecurity.  Notice 20-08 also encourages firms to consider the increased cybersecurity risk that might arise due to the use of remote offices or telework arrangements or even heightened anxiety among associated persons.  In particular, firms should consider the need to:

  • ensure that virtual private networks and other remote access systems are properly patched with available security updates;
  • check that system entitlements are current;
  • employ the use of multi-factor authentication for remote access; and
  • remind associated persons of cyber risks through education and other exercises designed to promote heightened vigilance.

Customer Communications. Firms should consider that they may experience significantly increased customer call volumes or online account usage during a pandemic and should review their BCPs regarding communicating with customers to ensure customer access to funds and securities. As necessary, firms should also place notices on their websites to keep customers informed of contact persons regarding, trade execution, accounts, and access to funds or securities, and to address other concerns arising from absent employees and/or a reduced ability to communicate with customers.

Military Personnel and National Guard.  Notice 20-08 reminds member firms that FINRA Rule 1210 provides specific relief to persons registered with FINRA who volunteer or are called into active military duty as may occur in the event of an emergency declaration arising from a pandemic. See FINRA’s Active Military Guidance webpage for further information and with respect to providing the required notifications.

Regulatory Relief.  Notice 20-08 also announces a variety of relief from regulatory requirements, including:

  • Form U4 – A temporary suspension of requirements to maintain updated Form U4 information regarding employment addresses for registered persons who temporarily relocate due to COVID-19;
  • Form BR – A waiver of the requirement that member firms submit branch office applications on Form BR for any newly opened temporary office locations or space-sharing arrangements established as a result of recent events – though in such case, the firm should use its best efforts to provide written notification to its FINRA Risk Monitoring Analyst in accordance with the requirements set forth in Notice 20-08.
  • Regulatory Filings and Responses to FINRA Inquiries – Firms having difficulty making timely filings or responding to regulatory inquiries or investigations should contact their Risk Monitoring Analysts or relevant FINRA department to seek extensions.
  • Qualification Examination and Continuing Education Window Expiration – Persons who have a qualification examination or continuing education window that is due to expire are encouraged to contact FINRA regarding an extension.

 

Introduction

The COVID-19 outbreak has been declared as a public health emergency of international concern by the World Health Organization, which is causing a significant impact to people’s lives, businesses and the wider economy.

Whilst a significant effort is being made globally to contain the virus, crises such as these can unfold unpredictably. Therefore as the situation develops, firms across all sectors are having to work rapidly to ensure that their business services can continue to operate, their staff (and places of work) remain safe and their customers remain properly and appropriately served.

Effective and successful management of crises such as these is directly related to how well prepared organisations are to respond, and should be key operational resilience considerations for firms.

We have set out in this briefing key regulatory issues that boards need to think about in the immediate term as part of effective crisis response planning and to ensure that business as usual activities can carry on.

FCA statement

The FCA has already issued a statement on COVID-19 setting out at a high level its expectations of firms. The key messages from the regulator are:

  • it expects all firms to have contingency plans in place to deal with major events;
  • alongside the Bank of England, it is actively reviewing the contingency plans of a wide range of firms. This includes assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers;
  • it expects firms to take all reasonable steps to meet their regulatory obligations. For example, the FCA expects firms to be able to enter orders and transactions promptly into the relevant systems, use recorded lines when trading and give staff access to the compliance support they need. If firms are able to meet these standards and undertake these activities from backup sites or with staff working from home, the FCA has no objection to this; and
  • it is discussing with firms and trade associations any particular issues they may have and are working with them to resolve these. The FCA wants to understand the pressures they are facing and will be continuing its active dialogue with firms, institutions and industry bodies in the coming days and weeks. The FCA will keep its guidance under review as necessary.

Operational resilience

The COVID-19 outbreak has brought operational resilience into even sharper focus. Before Christmas both the PRA and the FCA published consultation papers on the issue. The purpose of these papers is to create a shift in the mind-set, from firms prioritising their own commercial interests to considering the vulnerabilities of consumers and the financial system as a whole when making decisions. They are also intended to foster a culture where firms are forward looking, making decisions today that help prevent operational incidents tomorrow that impact consumers, financial markets and the UK financial system. To do this the proposals are designed so that firms will be in a position to continue providing business services that are heavily relied on, even in the event of severe operational disruption. Firms should therefore have robust contingency plans in place that take into account high impact but low probability events so they are prepared for the worst.

In December 2019, the PRA published Consultation Paper 30/19: Outsourcing and third party risk management that set out proposals for modernising the regulatory framework on outsourcing and third party risk management. Along with this the PRA also published Consultation Paper 29/19: Operational resilience: impact tolerances for important business services (CP29/19).

One of the key points the PRA makes in CP29/19 is that whilst avoiding disruption to particular systems is a contributing factor to operational resilience, it is ultimately the business service that needs to be resilient. The PRA proposes that firms need to consider the chain of activities that make up the business service, from taking on an obligation to delivery of service, and determine which part of the chain is critical to delivery. Obviously, this varies from business to business and in some cases the chain will be long. The PRA considers that the most critical parts of the service should be operationally resilient, and that firms should accordingly focus their work on the resources necessary to deliver those activities in the chain.

In terms of an internal service such as HR or payroll, the PRA does not expect such services to be identified as business services unless the failure to deliver them would impact on the delivery of outward facing business services which have direct consequences for safety and soundness, financial stability or the appropriate degree of policyholder protection.

In terms of prioritising business services, the PRA has proposed that a business service is important if its disruption could pose a risk to the firm’s safety and soundness or financial stability, or in the case of insurers, the appropriate degree of policyholder protection. It therefore follows that boards and senior management not only have to identify business services within their firm but also assess each services’ relative importance and then conclude an approved impact tolerance. The proposed PRA policy in CP29/19 would introduce a requirement for boards and senior management to approve the impact tolerances that have been set for each of their firm’s important business services.

In December 2019, the FCA also published a consultation focussing on operational resilience, Consultation Paper 19/32: Building operational resilience: impact tolerances for important business services and feedback to DP18/04 (CP19/32). Unsurprisingly, the FCA follows a similar line to that taken by the PRA although in light of their differing statutory objectives the FCA focuses more on consumer protection rather than financial stability. The FCA is proposing that firms:

  • identify their important business services that if disrupted could cause harm to consumers or market integrity;
  • identify and document the people, processes, technology, facilities and information that support a firm’s important business services;
  • set impact tolerances for each important business service;
  • test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios;
  • conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible;
  • develop internal and external communication plans for when important business services are disrupted; and
  • create a self-assessment document.

The deadline for comments on the PRA and FCA consultations is 3 April 2020. The PRA stated in CP29/10 that it intended to publish its final policy in the second half of 2020 (the FCA simply stated ‘next year’), although it may be that as things develop with COVID-19 these final policy papers may appear sooner rather than later.

Notwithstanding the above UK papers, there are also papers from the European Supervisory Authorities that provide some assistance. For example, the European Banking Authority’s guidelines on security measures for operational and security risk of payment services under the Payment Services Regulation 2.

Crisis response planning: some areas for boards to consider

A robust crisis response plan and capability is key to minimising the impact the crisis has on a business, its staff and its customers. Firms should have in place crisis management and business continuity plans as part of their operational resilience frameworks that consider a range of scenarios, including a health pandemic, which should help them respond.

Given the various unknowns at this early stage in respect of COVID-19 and how it may impact nationally and internationally, it’s important that firms, if they haven’t done so already:

ACTION POINT 1: Assemble a proportionate but robust cross-functional response team to review their plans in detail:

It is possible that an outbreak such as this could touch on all parts of an organisation, therefore it is important to include relevant stakeholders from across the business – HR, communications, customer services, legal, compliance etc – headed by an appropriately senior individual to ensure it gets the profile it requires.

ACTION POINT 2: Scenario plan and consider the impacts on the crisis response plan:

Consider the range of scenarios that could occur as a result of the crisis in the short, medium and longer term. These should be plausible, but severe in nature so as to prepare the organisation for what could be a prolonged period of high-stress. Various broad factors can influence this. Take for example, as we have seen in a number of areas of the country already, the impact of school closures, which may seem like a small and trivial matter at first glance. Some things to think about in respect of this example may include, but not be limited to:

  • Staff: Will more people need to work from home as a result (particularly those with child care responsibilities)?
  • Systems: If so, will systems accessed remotely be able to cope with a higher number of users for an extended period?
  • Operations: If system bandwidth is an issue, are there other things that can be done to reduce the impact (e.g. amend working hours, operate a shift system etc)?
  • Customers: If factors impacting the level of service change (such as a change to opening hours), how will this be communicated to customers? How will customers be kept up to date if and when your response changes?

As part of scenario planning, it’s important to establish accurate factual information from credible sources. In situations such as these social media in particular can be awash with inaccurate information or speculation, which may be unhelpful and impair decision-making.

ACTION POINT 3: Test the plan and its key components:

Undertake testing of your crisis response plan using the plausible, but severe scenarios that you have considered. Some of the key components of the response plan include the communication media that you intend to use to keep staff and other stakeholders up to date on your response to the crisis, systems stress testing and effective / safe management of sites from which you operate, be they head offices, operations hubs or branches.

As you conduct the testing, what do the results show you? To what extent does it highlight previously unforeseen weaknesses that need addressing promptly? Which stakeholders need to be involved in addressing these weaknesses and how do you satisfy yourself that once action has been taken, this addresses the weaknesses identified?

All of these factors will serve to enhance your crisis response plan and overall preparedness.

ACTION POINT 4: Communicate to stakeholders:

In fast moving and unpredictable circumstances such as these, clear and timely communication to stakeholders is key. Staff, customers and regulators are all important stakeholders to keep updated in respect of an organisation’s planned response in the run up to and throughout the period of crisis response:

  • Staff: will need to know what is expected of them if the crisis management plan is invoked. It is important that staff know how they should prepare, what action they should take, when they should take action and how they will be communicated with in the run up to and during a period of crisis management response. Staff will likely want to know how their safety has been considered, therefore this should also form a key element of any communications that are issued.
  • Customers: will need to know the impact that any implementation of a crisis management plan will have on them and this should be communicated in a timely manner. Consider the extent to which their access to services will be impacted in any way. Will online systems / apps be available as normal? Will telephone lines operate as normal? Is it likely response times / processing times will take longer? Clear explanations of the impacts, timescales and reasons behind these will help to manage your relationships with your customers.
  • Regulators: will expect firms to have in place robust crisis management and response plans and may ask to see these or ask you how you are satisfied that your plans are sufficiently robust. Be ready for this as it is likely any request will require an almost immediate response.

How Norton Rose Fulbright can help:

We are able to help financial institutions on their operational resilience journeys and can provide support in the following areas:

  • Governance and oversight arrangements in respect of operational resilience matters.
  • Management information, reporting and oversight.
  • Third party provider risk and controls assessments.
  • Scenario planning and building outputs into crisis response plans.
  • Preparing for and responding to requests for information from the regulators.
  • Monitoring the latest developments from the PRA and FCA.
  • Sharing our broader experience in respect of operational resilience matters with relevant management.

On 3 March 2020, the European Central Bank (ECB) issued a letter to significant institutions concerning their contingency preparedness in the context of COVID-19.

In the letter the ECB makes the point that supervised entities are expected to review their business continuity plans and consider what actions can be taken to enhance preparedness to minimise the potential adverse effects of the spread of COVID-19.

The ECB also states that supervised entities are expected to take appropriate actions for preparing and responding to a potential pandemic, which may include:

  • establishing adequate measures of infection control in the workplace which can include systems to reduce infection transmission and worker education;
  • assessing to what extent contingency plans include a pandemic scenario which provides for scaling measures commensurate with the institution’s geographic footprint and business risk for the particular stages of a pandemic outbreak;
  • assessing how quickly measures foreseen under the pandemic scenario of the contingency plan could be implemented and how long operations could be sustained under such a scenario;
  • assessing whether alternative and sufficient back-up sites can be established in light of possible pandemic;
  • assessing and urgently testing whether large scale remote working or other flexible working arrangements for critical staff can be activated and maintained to ensure business continuity;
  • proactively assessing and testing the capacity of existing IT infrastructure, also in light of a potential increase of cyber-attacks and potential higher resilience on remote banking services;
  • assessing risks of increased cyber-security related fraud, aimed both to customers or to the institution via phising mails etc; and
  • entering into a dialogue with critical service providers to understand whether and to ascertain how services continuity would be ensured in case of a pandemic.

For further information on the legal implications of COVID-19 please refer to the Norton Rose Fulbright hub here.