The sudden spread of the COVID-19 pandemic has had a significant impact on markets and the daily operations of firms in the financial services industry. Stuart Meher, Principal Consultant at LEO GRC, talks through the regulatory changes ahead in both the UK and US markets, and how financial service organizations can prepare.
The changes COVID-19 has had on our working lives, from home working environments to increased risk of fraud, money laundering, and other illegal activities has led to regulators in both the US and UK issuing guidance and best practices for financial services firms to address a variety of issues.
This guidance includes, but is not limited to:
- Maintaining the health and safety of employees
- Operational resilience
- Information security
- Financial crimes systems and controls
- Regulatory reporting
- Impact on customers
In separate statements issued by regulators in the US, the Federal Reserve Bank of New York (FRBNY), Securities and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA) all expressed a commitment to maintaining high standards of transparency, executing market surveillance systems and maintaining enforcement and investor protection.
In the UK, the guiding principle of the Financial Conduct Authority (FCA) is to prevent or reduce harm to consumers and markets by focusing on the stability of markets, protecting vulnerable customers, and operational resilience.
Related reading: ‘A Practical Look at Microlearning for Compliance Training’
The Pandemic’s Impact on Training
Given the changing landscape resulting from COVID-19, LEO GRC has identified four major “themes” that global financial institutions should consider when developing their 2021 training programs. These include:
- Culture and Conduct
- Governance and Leadership
- Products and Innovation
- Financial Crime, Market Conduct, and Service to Customers
Let’s explore each below.
1) Culture and Conduct
Cultures are created through the establishment of acceptable behaviors by firms and their employees.
In a typical business environment, face-to-face social interactions between employees is the norm, whether in a more formal environment such as a meeting or in a less structured setting. Since the COVID-19 outbreak, these interactions have shifted as more employees are conducting business remotely from a home environment.
It’s also important to remember that these social interactions can be used by employees as an outlet to express their feelings and that the isolation created by working from home may represent an impediment to doing so. This is especially true in a time when the COVID-19 pandemic has increased stress levels.
As such, firms must take into consideration the overall health and safety of its employees—physical, emotional, and psychological. While so many are trying to work their best in a global pandemic, the psychological, social, and financial/economic pressures cannot be underestimated or ignored.
Some may experience financial stress due to permanent job loss or temporary furlough while others struggle with establishing a work-life balance in the “new normal” environment.
Handpicked for you: ‘5 Ways to Improve Governance, Risk, and Compliance Training At a Distance’
It should be noted that these added stressors could result in an increased risk of misconduct due to a shift in priorities or an unrecognized decrease in motivation or focus. This further emphasizes the need to have a robust supervisory structure in place. More on this later...
As part of maintaining a sustainable culture of compliance in times of crisis or uncertainty, firms are required to develop a Business Continuity Plan (BCP). Among others, one of the main purposes of the BCP is to establish processes for firms to operate critical business functions during emergency situations.
During the COVID-19 pandemic, it’s recommended that a firm’s BCP be reviewed to ensure that the topics listed below are included:
- Flexibility to modify and enhance compliance policies and procedures
- Adapting supervisory procedures to account for risks and conflicts that may arise from conducting business in a remote location
- Security of IT infrastructure, including systems and servers
- Procedures to establish the confidentiality and protection of sensitive information
Questions to ask of your BCP:
- Have appropriate steps been taken to ensure the health and safety of employees?
- How does our firm assess whether the culture of compliance has been compromised during the pandemic?
- Is our firm’s BCP up to date? Has it been reviewed and approved in accordance with established procedures?
You might also like: ‘Super Compliance and Impactful Analytics: How to Drive Sustainable Change’
2) Governance and Leadership
As mentioned above, the added stressors resulting from the pandemic could result in an increased risk of misconduct which may expose a firm to regulatory sanctions, financial penalties, and damage to its reputation.
This further emphasizes the need for firms to ensure they have a governance structure in place to adequately supervise their personnel, including the oversight of those engaged in investment and trading activities.
In a Risk Alert dated August 12, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) “encourages Firms to closely review and, where appropriate, modify their supervisory and compliance policies and procedures” to respond to the health and economic effects of COVID-19. This would include conducting work from remote locations, dealing with market volatility, and responding to operational, technological, and other challenges.
Firms may also need to amend procedures for onboarding new employees to account for the inability to perform due diligence background checks and obtain fingerprint information.
It’s recognized that managing and supervising employees working from remote locations presents unique challenges. However, this also provides opportunities for managers to establish ongoing and regular communication with employees and discuss the issues that they’re experiencing both on a personal and professional level. This expression of empathy during these challenging times may yield unanticipated returns such as increased motivation, purpose, direction, and productivity.
Questions to ask:
- Are our firm’s policies and procedures up to date? Have they been reviewed and approved in accordance with established protocols?
- Do our organizational charts reflect current governance and supervisory structure? Are they readily available to all employees?
- Have our managers been provided with training on the best practices for communicating and motivating employees (particularly during the pandemic)?
3) Products and Innovation
During the pandemic, firms should ensure that systems are enhanced to protect against identity theft, cybersecurity risks, and phishing. Furthermore, employees should be encouraged to encrypt documents and utilize password-protected systems while working from a remote location.
To ensure the stability, security, and integrity of the financial markets and maintain the public’s trust and confidence in the business’ conduct, firms must have appropriate trading systems and controls in place to adequately allow for supervision, compliance monitoring, and surveillance.
In Regulatory Notice 20-16, FINRA recommends that oversight of trading from remote locations include, but not be limited to, the following measures:
- Require trades to complete attestations that they will comply with policies and procedures, including those related to information barriers, voice recordings, privacy, and recordkeeping requirements
- Implementing a process for enhanced supervision by senior management
- Testing the trader’s remote trading capabilities with an assigned office partner
- Requiring all supervisors responsible for monitoring remote traders to complete a special supervisory checklist
By adopting these and other controls, firms will be able to effectively monitor issues ranging from order entry, trade execution, potential market manipulation (including frontrunning and interest rate benchmark submissions), and timely trade reporting.
Working from a remote location has resulted in firms having to transition to virtual (distance) training to both reinforce existing policies and procedures and address issues arising from the new working-from-home environment. When assigning training to its employees, firms should take into consideration the volume of training assignments, length of each course and the amount of seat time required.
Topics such as those listed below have taken on a heightened level of importance during the pandemic:
- Training regarding the use of technology, tools, and services
- Treatment and handling of confidential firm and customer information
- Identity of cybersecurity vulnerabilities and potential fraud risks in a remote working environment
- Procedures for escalating and reporting suspicious activity.
Questions to ask:
- Have our firm’s systems been updated to adapt to a work-from-home environment?
- If needed, have our firm's employees been adequately trained on the use of new technologies?
- Are our supervisory policies and procedures current?
- Has our training program been amended to adapt to the new working environment and meet all regulatory requirements?
You might also like: ‘4 Ways Microlearning Principles Can Help You Adapt GRC Training to the “New Normal’
4) Financial Crime, Market Conduct, and Service to Customers
There’s speculation that criminals are exploiting opportunities created by the COVID-19 pandemic which increases the risks of money laundering, fraud, and other financial crimes.
Among other things, the COVID-19 pandemic has reinforced the need for firms in the financial sector to have in place the flexibility to keep their anti-money laundering and terrorist financing compliance processes operating efficiently, including procedures for performing customer due diligence, transaction monitoring, alert generation, and suspicious activity reporting. This applies regardless of whether the reviews are conducted manually or electronically.
As stated previously, many firms are permitting employees to conduct business from remote locations. As such, it’s incumbent to ensure that employees have access to the same systems and databases while working remotely as they would in the traditional work environment. Regulators have an expectation that firms will continue to maintain high standards for effective due diligence and monitoring during the pandemic.
Related reading: ‘Why It’s Time to Rethink Your Approach to Financial Crime Training’
Bribery, corruption, and trading while in possession of confidential or material non-public information represent other areas of financial crime that requires enhanced monitoring. As such, it’s critical that firms closely monitor adherence to internal policies and procedures governing employee trading, gifts and entertainment, participation in outside business activities and conflicts of interest.
Furthermore, employees should be provided with training that reinforces the requirements for the proper handling of confidential and material, non-public information, particularly for those employees who have access to such information, are working remotely, and can no longer rely on the information barriers that were established in the traditional work environment.
In addition, in the Risk Alert mentioned earlier, the OCIE refers to the obligation that Firms have to protect investors’ personally identifiable information (“PII”). Concerns were raised about “vulnerabilities around the potential loss of sensitive information due to the remote access to networks and web-based applications, the increased use of personally-owned devices, and changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at Firms’ locations.”
More from the blog: ‘How to Motivate Your Learners Using Personalized Compliance Training’
Questions to ask:
- Are our Anti-Money Laundering policies and procedures current?
- Is there an adequate surveillance system in place to monitor employee trading?
- Are our employees aware of the firm’s whistleblowing and escalation procedures to be followed in the event suspicious activity is detected?