PRACTICE NOTE: Compliance checklist for operating during a pandemic

As the global COVID-19 pandemic spreads, compliance and risk departments at financial services firms have been on high alert and working overtime as firms switched on business continuity plans, closed offices and sent employees home to work.

Establishing and maintaining business continuity plans (BCPs) is a normal part of the compliance and risk function. Review of BCPs is also a standard part of exams by regulators. Because virtually every firm has now had to enact at least some parts of its BCP, it is logical that regulators will ask in the next exam cycle how things went.

Checklist for businesses

Here is our checklist for compliance and risk professionals regarding the altered work landscape for employees as a result of the pandemic.

Business continuity strategies

  • Business continuity strategies must be sufficiently flexible to address a wide range of possible scenarios, including pandemics – even long-duration, multi-national ones.
  • They should spell out remote access solutions and emergency procedures that outline how to recover data and equipment, reach employees and security specialists, and protect the integrity of the physical workspaces the business owns. The back-up systems must be well-established and responsibilities over providing access must be clear. A point person should be routing inquiries and sending updates to top executives and the board of directors.

Vendor obligations

  • Consider whether and how vendors can fulfil their obligations. Speak with counsel about how contract terms can be altered and emergency provisions triggered. Force majeure or unforeseeable circumstances clauses are not as straightforward as one might think, and there can be a high hurdle in meeting unique ones.

Cybersecurity risk

  • Remind employees of the heightened cybersecurity risk of working remotely, specifically phishing and ransomware attacks. Remote workers must also be reminded of the necessity to safeguard customer records and privacy information. Consider prohibiting the printing of any business documents at home.
  • Failing to archive communications between staff and clients is perhaps one of the most common work-from-home pitfalls. Reminding remote workers of this essential task, and training them on it along with other safeguard measures, is vital.
  • Protecting data at all costs is essential. Cybercriminals might use this pandemic as a means of scamming customers and compromising data. Keep clients, regulators and the workforce informed on cybersecurity solutions for computers, networks and your encrypted connectivity. Enforce policies regarding personal computers and phones and what data can be accessed by whom.
  • Firms should also redistribute all relevant company policies related to the use of personal computers, smartphones, tablets, and WiFi networks and remind staff that the policies still apply to those working from home, and security protocols will not be relaxed.
  • Remote work requires training personnel to be able to spot fraudulent behaviour and report it promptly; phishing scams can increase during emergency periods like pandemics.

Services review and training

  • Firms should anticipate additional burdens on IT Help Desks as more individuals work remotely and experience technology problems. Firms should be sure all help desks are adequately trained and staffed to handle increased volumes.
  • Compliance and risk departments should also coordinate a review and testing with technology departments. The compliance team and the tech department should test the company’s remote VPN capacity and measure connection speeds.
  • Ideally, members of the emergency response organisation have received training on performing their duties and on testing the BCP’s effectiveness with relevant courses and emergency exercises before a pandemic or other emergency strikes.
  • The creation of a pandemic task force or committee is valuable to coordinate information from various business lines and departments, including IT, human resources, compliance, risk, operations, facilities, and communications.
  • Compliance and HR departments should also be careful to protect personal medical information under applicable health privacy regulations if employees become infected or ill. Despite a perceived need to share such information, it is imperative to maintain individual employee health privacy, and counsel should be consulted on when and how disclosures can be made.
  • Review the business’s insurance coverage. Business interruption and supply-chain coverage, including contingent business interruption, will typically require a showing of property damage that gave rise to the loss. Such policies typically offer very limited coverage for pandemic diseases, due to exclusions and sub-limited coverage.

Personnel inventory

  • Compliance, risk, and senior management must take inventory of essential employees, determine how many and which personnel are needed onsite at various locations, and consider backup personnel under various business disaster or disruption scenarios. Contact information for all personnel, especially key employees, should be updated.

Regulatory relief

  • Firms can make use of regulatory filing deadline relief for disclosures and registrations. Firms must summarise why the relief is needed. Impediments should be listed with specificity, like disruptions to transportation, limited access to facilities and support staff, etc. Include the virus as a source of uncertainty in any management discussion and analysis.
  • If no-action relief is sought from the regulator, explain why the relief is needed as a commonsense or ethical solution, even if not technically permitted.

Communications

  • For corporate board meetings, a change of meeting time, date and communication medium should be noted in the proxy statement, if there is still time.
  • Tell customers what is being done behind the scenes to be able to provide continuing service, and what delays they might experience.

And finally!

  • Remember that the responses to this pandemic need to change with it and with legal authorities’ directives.

To keep updated on the latest news and information regarding the COVID-19 pandemic visit: Thomson Reuters’ COVID-19 Resource Centre
