The COVID-19 pandemic increasingly impacted financial services firms’ operations last week, often prompting companies to implement elements of their business continuity plans, including having more and more employees work from remote locations such as their residences. In response, US and other financial services regulators issued guidance, extended relief and took other relevant actions.
Next week, more home working is anticipated as governments worldwide seek to slow the spread of COVID-19 by minimizing situations where persons might congregate in groups, such as in formal workplaces.
Early last week, in response to current developments, the Financial Industry Regulatory Authority issued a comprehensive pandemic-related regulatory notice reminding members of their requirement to have and review at least annually a business continuity plan. These plans should be designed to enable firms to meet their regulatory obligations to customers and address firms’ relationships to other broker-dealers and counterparties. Although each firm should develop a BCP tailored to its unique business, each BCP must address 10 enumerated elements as provided by a FINRA rule. (Click here to access FINRA Rule 4370.) Among these elements are
-
data backup and recovery;
-
mission critical systems;
-
alternative communications between members and their customers and employees;
-
alternative physical location of employees; and
-
how a member will ensure customers’ access to their funds and securities if a member cannot continue its business.
In its notice, FINRA encouraged firms to consider pandemic preparation specifically, including:
-
issues related to employee absenteeism;
-
use of remote offices or teleworking arrangements;
-
travel or transportation limitations; and
-
technology interruptions or slowdowns.
FINRA referred members to a regulatory notice it issued in 2009 expressly related to pandemic preparedness for specific guidance (click here to access).
Acknowledging the likelihood of increased use of remote offices and teleworking "to mitigate the impacts of a pandemic," FINRA said that where there was widespread remote working by employees, firms might have to institute non-traditional methods of supervision. However, members would still be expected to implement an oversight system “reasonably designed” to supervise the activities of employees “while working from an alternative or remote location during the pandemic.” FINRA encouraged members to test the use of remote offices and teleworking capabilities prior to implementing their BCPs.
FINRA also observed that risk of cyber-breaches might be elevated because of the use of remote offices and tele-working. Accordingly, FINRA recommended that firms ensure that:
-
virtual private networks are protected by the latest security updates;
-
system entitlements are current;
-
multi-factor authentication is used by employees to access systems remotely; and
-
employees are reminded to be vigilant against cyber threats.
To accommodate the use of remote locations, FINRA indicated that, during the course of the COVID-19 pandemic, it would suspend the requirement that that registration filings for registered persons (Form u4) be updated to reflect temporary employment addresses, as well as firm requirements to update their registration information to reflect new temporary offices (Form BR). FINRA did request, however, that members use their “best efforts” to notify their FINRA Risk Manager in writing of any new temporary office space or space-sharing arrangements as soon as possible. FINRA also cautioned member firms to be careful to validate the identity of customers from remote locations.
The National Futures Association offered similar guidance to its members two weeks ago. (Click here for details in the article “Business Not as Usual – Regulators Issue Guidance on Responding to COVID-19 and Firms Take Precautions to Adapt” in the March 9, 2019 edition of Bridging the Week.)
Last week, in anticipation of relief being granted by staff of the Commodity Futures Trading Commission later this week, CME Group and ICE Futures U.S. granted relief from certain of their rules to members. Among other things, both organizations said that, during the duration of the COVID-19 pandemic, persons authorized to handle customer orders could do so from locations other than the premises of registered entities provided such locations were approved by their employers; special rules applied to floor brokers on CME Group. Generally all persons accepting orders that could not be entered immediately into the organization’s order matching system must:
-
prepare a written order with an account identification; the time of receipt; and the time the order was modified, returned, confirmed or cancelled. This time information does not need to be recorded by electronic timestamp;
-
retain all electronic communications related to the order, including instant messages and emails; and
-
retain both order records and electronic communications for at least five years.
The organizations will not require compliance with oral recording requirements with orders handled from temporary remote locations. CME Group also adopted express, similar exemptions from preparing order records with electronic timestamps for block trade and exchange for related product (EFRP) transactions arranged from remote locations during the COVID-19 pandemic. Ordinary CME Group and IFUS trade practice and other rules would apply during the COVID-19 pandemic period.
Actions taken by other regulators included:
-
the Securities and Exchange Commission authorized Cboe to close its trading floors effective March 16 and amend certain of its rules to facilitate electronic trading in the exchange's exclusively listed index options in a manner analogous to floor trading. The SEC also issued (1) guidance related to issuer annual meetings and the application of federal proxy rules for such meetings; (2) relief to investment advisers related to filing and other requirements related to Forms ADV and PF; and (3) relief to investment companies regarding annual meetings, filing requirements and the provision of certain reports to investors, all subject to certain conditions;
-
CME Group closed its trading floor operations as of the end of business on March 13; the reopening of the trading floor “will be evaluated as more medical guidance on the coronavirus becomes available.” Relevant products will continue to trade on CME Globex although aspects of some options contracts were amended to better accommodate electronic trading;
-
the UK Financial Conduct Authority and at least two European Union national regulators prohibited short sales in enumerated securities;
-
the NFA reminded swap dealers of their obligation to notify the CFTC if they activate their BCPs other than for testing; and
-
the European Securities and Markets Authority issued a reminder to financial market participants related to business continuity planning, market disclosure, financial reporting, and risk management by fund managers.
Getting the Business Done: There will be many challenges to remotely supervising employees working from home, particularly where telephone lines may not be recorded and timestamps may not be electronic. Moreover, where required records will be very dispersed, collection, review, organization and retention of manually generated order records could be challenging.
Firms permitting or requiring remote working should document in writing all procedures that should be followed by registrants working remotely, including dealing with customers and counterparties, as well as memorializing orders, and should implement means to test employees’ compliance with such procedures in a manner practical under the circumstances. Firms should also implement procedures that are reasonably designed to enable them to assess remote employees’ compliance with remote working procedures. All procedures must be practical under the circumstances and address particular business activities and remote working situations. Customers and counterparties must be advised how to contact their remote-working contacts at firms, and what backup exists should they be unable to contact their ordinary firm contact. Temporary procedures that are not fully compliant with applicable law should be noted and ordinary regulatory contacts should be advised of these as soon as practical. Employees should be formally trained regarding any new procedures.
Firms must be mindful of cybersecurity and other issues that might arise if employees use their own computers to connect to firm networks. Employees must be careful not to fall for phishing attacks or requests for transactions by unauthorized persons masquerading as legitimate clients. Use of private means of communication for regulated business may be expressly prohibited by ordinary firm policy; however, it may occur notwithstanding by employees working remotely.
Moreover, to the extent possible, supervisors should regularly stay in contact with subordinates – preferably by a video-facing service, but at least by telephone. Virtual group meetings should also be encouraged as they may not only help to maintain dispersed employees' morale, but could also identify common issues arising through experience that should be promptly mitigated. Records of such conversations should be retained.
It will be a challenging period. However, by drafting and updating procedures based on evolving experiences, reasonably effective if not optimal supervision can occur.
This article originally appeared on Lexology.
