Coronavirus (COVID-19) unlikely to excuse UK financial Regulation violations

Coronavirus (COVID-19) unlikely to excuse UK financial Regulation violations

Law 360: With a focus on treatment of customers and the markets continuing to operate, the Financial Conduct Authority (FCA) has published guidance to assist firms in managing their coronavirus (COVID-19) response.

While the regulators are slowing or curtailing regulatory change to allow firms to address the practical challenges arising from COVID-19, firms are expected to take reasonable steps to ensure that they are prepared to meet the challenges COVID-19 could pose to customers and staff and to report immediately if they believe that they will be in difficulty. The Prudential Regulation Authority (PRA) has also announced supervisory and prudential measures to address the unprecedented challenges of COVID-19.

Despite the above, it should not be assumed that COVID-19-related reasons will be deemed by regulators as a valid reason for not meeting regulatory expectations. Regulatory investigations and/or enforcement could no doubt follow any failures or shortcomings. With this warning in mind, we have set out below some of the key considerations for our financial services clients in managing the impact of COVID-19. The key FCA principles and PRA fundamental rules stand true.

Maintain operational resilience

While operational resilience was already a clear priority for regulators with consultations this year, COVID-19 has brought it into sharp focus. Firms should ensure that they have contingency plans in place to deal with major events and to ensure that the plans have been tested. The regulators are actively reviewing the contingency plans of a wide range of firms, including:

  1. firms’ assessments of operational risks

  2. the ability of firms to continue to operate effectively in a stressed scenario

  3. steps firms are taking to serve and support their customers

While the FCA expects firms to take all reasonable steps to meet regulatory obligations which are in place to protect their consumers and maintain market integrity, these steps are not defined. A nonexhaustive list of steps should include:

  1. having a senior manager responsible for business continuity and for managing the impact of the coronavirus

  2. identifying critical business services (if this has not been done already)—these are services which, if disrupted, could cause harm to consumers or market integrity

  3. consideration of how changes to any service may impact customers

  4. assessing level of current resources and how critical operations can be maintained if personnel are unavailable due to illness, self-isolation or caring responsibilities (for example by increasing data security measures)

  5. implementing a plan of action to ensure operations can be maintained (this may include remote working for staff, closing a call centre or moving trading operations)

  6. ensuring that any operational changes are supported by appropriate systems and controls (including record management, call recording, etc)

Identifying areas where the firm relies on third-party suppliers and confirm that their business continuity plans will be effective to manage COVID-19 risk and, if not how firms can rapidly remedy this, increase monitoring and oversight where necessary and/or engage alternative trusted suppliers.

Continued customer focus

A firm’s obligation to treat customers fairly continues unabated in these challenging times. Despite the significant disruption, COVID-19 is causing and will cause for firms, there is a regulatory expectation that firms will ensure that consumers are appropriately protected. The current situation may be putting customers already classed as vulnerable in a difficult situation and the number of customers in that category may increase significantly as individual’s livelihoods are impacted by the pandemic and the government-imposed restrictions that have followed.

The regulators have reacted positively to banks who have offered mortgage repayment holidays to UK customers or offered assistance to their customers, for example repayment plans (including payment holidays and repayment on an interest-only basis) and term extensions which could provide assistance to vulnerable borrowers.

Similarly, the FCA has notified insurers that, in cases where customers are relying on a policy renewal to cover travel arrangements made before the coronavirus escalated, where appropriate, insurers should consider claims under the terms of the original travel policy.

In addition to implementing strategies designed to reduce harm to customers, customers should be kept informed of changes to services that may affect them, particularly if these involve issues relating to access to cash (due to additional monitoring and checks required on mobile or online banking) or, for insurers, availability of insurance coverage or policy exclusions that may impact cover.

Maintaining continued customer focus will need to incorporate:

  1. clear communications about the firm’s response to COVID-19, through multiple channels (taking account of, for example, potential internet connection problems and access issues for elderly/vulnerable customers)

  2. ensuring that all customer communications are clear, fair and not misleading

  3. regular updates to ensure that the firm’s response is up-to-date given daily governmental briefings and publications from the regulators

  4. information as to how customers may be impacted by the firm’s response

  5. ensuring internal consistency in the way customers are treated under any COVID-19 related assistance programs (eg any requests by customers for relief on their mortgage payments should be assessed by the same objective criteria)

  6. direction as to steps customers may need to take

  7. information on complaints handling, including if there may be delays in providing a response

Protect against fraud and cyber risk

Criminals are using the internet, telephones and doorstep calls to exploit fear of the pandemic. There have been a range of scams that include the sale of fake sanitisers, bogus demands for donations and false offers to run errands for the elderly and vulnerable. Some scammers are offering alleged health supplements that claim to prevent infection from the virus. Others are sending phishing emails to vulnerable individuals with the promise of a tax refund from HM Revenue and Customs due to COVID-19.

The threat of fraud is no lower in financial services where organised criminals and opportunists may perceive additional vulnerabilities—reduced staff, changes in operational management, remote working—as an opportunity to commit fraud against firms or their customers. This is the time to:

  1. remind employees of the need for vigilance and the dangers of opening attachments and links from untrusted sources

  2. activate anti-virus, monitoring tools and endpoint detection and response software to quarantine laptops remotely in order to limit the spread of any malicious malware

Governance and reporting

While the emergence and fast-moving pace of COVID-19 is unprecedented, regulators expect firms to have appropriate governance procedures and processes in place to manage a crisis, as part of their business continuity planning. Given the severity and potential impact of COVID-19, a firm would be expected to have a dedicated subcommittee of the board or a special committee with delegated authority from the board, comprising senior management, and with the ability to make decisions, swiftly, as issues arise, develop or progress.

As with board committee meetings, meetings of the subcommittee or special committee should:

  1. take place regularly 

  2. be minuted (including rationale and decisions)

  3. maintain records of materials presented

Key personnel with responsibility for operations should be part of or invited as regular members to the committee.

Members/attendees may include, among others: general counsel (given the potential for new legislation or regulation), chief operating officer (due to the overriding need to ensure operational resilience in challenging times) and chief security/information officer (due to the enhanced risk of fraud and cyber threat).

Senior managers have additional responsibilities to ensure that decisions that are made are reasoned and recorded. Should the regulators decide to investigate any decisions made at a later stage (sometimes years on), these records will be essential for any defence by the firm and/or the relevant individuals. Senior managers and certified persons should bear in mind that the relevant regulatory duties are generally based on the concept of reasonable steps—this mirrors the firm’s obligations in the FCA’s principles for business and in the individual conduct rules.

Care should be taken in relation to financial reporting. The Financial Reporting Council has advised companies and auditors to consider whether to refer to the possible impact of COVID-19 on their business in their reporting of principal risks and uncertainties. Where mitigating actions can be taken, these should also be reported alongside the description of the risk itself.

Companies need to monitor developments and ensure that they are providing up-to-date and meaningful disclosure when preparing their year-end reports. In addition, the FCA recently requested a moratorium on preliminary results due to be published within the next two weeks. This should not be confused with a relaxation of the rules on market disclosure: the Market Abuse Regulation remains in full force and listed companies are still required to announce inside information to the market as soon as possible unless there is a valid reason to delay disclosure.

Cooperate with the Regulator

Finally, the regulatory consequences of being unprepared from a business continuity perspective or for lacking appropriate systems and controls during COVID-19 may be far more serious than the impact of any underlying issues. Regulated firms must fulfil their duty to deal with the regulators in an open and cooperative way and must disclose to the FCA and PRA anything of which it should reasonably expect notice.

This content is based on an article first published by Law360, a LexisNexis® company, on 3 April 2020 and is published with permission.

Further information can be found at: (subscription required).

Related Articles:
Latest Articles: