ERM
Friday, April 3, 2020
By Katherine Heires
The coronavirus pandemic has set off a wave of financial and operational disruption - as in the case of remote work arrangements - causing sudden shifts in risk exposures and mitigation measures.
“Risk overall is going to ratchet up, and risk managers are likely to see overall changes in a lot of the key risk indicators they monitor - and not necessarily positive changes,” says Trace Fooshee, senior analyst in the Fraud & AML (anti-money-laundering) practice of Aite Group.
“The biggest risk we see financial firms and regulators focused on right now is business continuity management,” says Carlo di Florio, partner and chief services officer of ACA Compliance Group.
Di Florio, a former director of the Securities and Exchange Commission's Office of Compliance Inspections and Examinations, adds, “We will see a number of firms that are able to manage this issue effectively, and others that are not, and that presents a huge risk - not just to the firm itself, but to the entire financial system.”
Fooshee, di Florio and others who advise on risk and compliance issues cite new and growing concerns in such areas as fraud and AML, communications archiving and recordkeeping, business continuity, third-party risks, cybersecurity and IT, privacy and data protection, and conduct and culture - all at a time of rolling economic shocks, market volatility, liquidity strains and threats to personal health.
Regulatory Flexibility
Regulators from the Federal Reserve to the Commodity Futures Trading Commission to the SEC have taken steps affording “flexibility” and “targeted relief” to help firms and their clients through the market distress. Still there is a need, as the SEC put it, to maintain “enforcement and investor protection efforts, particularly with regard to the protection of our critical market systems and our most vulnerable investors.”
The U.K. Financial Conduct Authority similarly gives regulated entities “the ability to consider their arrangements and customers' circumstances . . . while managing the risks to their employees, customers and the impact on the market.” U.K. companies have been granted extra time to complete audited financial statements, but the FCA and Bank of England have not relented on the end-2021 goal of transitioning from the Libor interest-rate benchmark.
U.S. banking regulators on March 27 allowed for a two-year extension on the capital transition accompanying the current expected credit loss (CECL) standard, and for early adoption of the standardized approach for measuring counterparty credit risk (SA-CCR). And the Basel Committee on Banking Supervision deferred by a year the final implementation date for Basel III standards.
The U.S. Treasury's Financial Crimes Enforcement Network, on the AML frontlines, has acknowledged possible delays in filing required Suspicious Activity Reports but admonished financial institutions “to remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters.”
Advice and Reports
Also trending are advisories, checklists and solutions from consultants and service providers.
Deloitte, for example, in “COVID-19 potential implications for the banking and capital markets sector,” summarizes in a question-and-answer format actions that risk managers and other executives should be considering. Those in the “Risk and Controls” category include: Does the current environment warrant an update of internal models? How should any potential changes to counterparty creditworthiness be addressed in existing contracts and arrangements? How can risk controls regarding conduct risk be upheld in alternate work arrangements?
PwC's “COVID-19 and the banking and capital markets industry” covers workforce, finance and liquidity issues. For the last, it advises thinking about early-warning disclosures of assets at risk of impairment and general risk factors, among others. In a late March survey of chief financial officers, 84% said a potential global recession was one of their top three concerns, well ahead of financial impact (64%) and declining consumer confidence (45%).
A McKinsey & Co. article presents China as a case study or blueprint for adjusting to a remote work environment, including advice on how to effectively manage work teams and communicate with employees in a way that reinforces company culture and helps to reduce risk - though without specifics on the financial sector's regulatory requirements.
“Opportunities Exist”
“Governments' moves to 'flatten the curve' are creating significant operational challenges for most financial institutions, not to mention risks to their business performance,” Gwenn Bezard, co-founder and research director of Aite Group, said on March 20 in releasing the Boston-based firm's “COVID-19: Challenges and Opportunities in Financial Services.” “Opportunities exist though, and financial institutions and technology vendor leaders should not lose sight of those.”
Each section of the 28-page report - on banking and payments, securities and investments, insurance, and fraud, AML and cybersecurity - outlines challenges, opportunities and recommendations.
On AML and financial crime, Aite Group is expecting more accounts-payable scams and internal fraud, while FinCEN characterizes as “emerging trends” imposter scams, investment scams, product scams and insider trading.
The Financial Industry Regulatory Authority (FINRA) in late March put out tips for avoiding coronavirus scams and a cybersecurity notice about measures “firms and their associated persons should take . . . to address increased vulnerability to cybersecurity attacks and to protect customer and firm data on firm and home networks, as well as devices.”
Aite analyst Fooshee notes, “Unfortunately, fraudsters thrive when normal routines and ways of doing business are disrupted.” He is particularly concerned about a sharp uptick in “money mules” - people who may be unemployed or financially desperate and fall victim to what are essentially money-laundering schemes that put their bank accounts at risk.
Fooshee's contribution to the COVID-19 report mentions a host of risks related to the shift to a work-at-home model. “When financial sector employees are outside of the corporate setting, it's a less controlled environment, and more things can go wrong,” he says. The threats include phishing attacks, malware and phone-based scams, and illicit credit card activity.
Aite says that institutions should “look to providers of strong authentication, secure connectivity, distributed access, and managed security monitoring to help them extend private networking environments securely.” Among the report's recommendations is “multifactor authentication [beyond simple passwords] as a prerequisite to accessing internal networks, data, or applications.”
Fooshee points to the need for effective and frequent messaging to off-site workers: “It's all about raising awareness, education, and reinforcing the culture,” which can be done with gamification techniques to test security awareness, or systematic nudges and reminders. “You need skilled practitioners - people who understand behavioral science - to make nudge messages work,” Fooshee says.
Vendor Monitoring
Aite capital markets technology analyst Spencer Mindlin has his sights on vendor risk management, saying that contracts should be reviewed and possibly updated as the vendor services - for example, the provision of bandwidth to accommodate certain remote workers - may not meet current needs. He recommends having regular and ongoing conversations with vendors to understand how they are coping through the crisis in terms of staffing and scaling capacity.
The good news, Mindlin says, is that to date, “We have not heard of any big blow-ups in the financial services sector due to vendor risk.”
Mindlin also notes that securities and investment companies have been scrambling to accommodate work taking place away from the office and to obtain and deploy the necessary equipment.
“Some traders need six screens to get their job done,” Mindlin says, and the need to adjust - often with heightened dependency on Slack, Microsoft Teams and Zoom applications - came suddenly to companies and workers alike.
Trading operations have been moving to outsourced trading desks (OTDs) from providers such as Tora, Tourmaline Partners and Virtu. The offerings vary, Mindlin says, but their track records with remote traders suggest that they can be helpful in supporting the transition amid COVID-19 challenges.
Rising Cloud Demand
The Aite report highlights the importance of cloud technology in facilitating remote work.
“If you are working with a good cloud provider, it means you can better scale up operations, have global redundancy,” and thereby accommodate a remote workforce around the world, says Mindlin, who sees the pandemic as an impetus for more cloud adoption.
Remote working has stimulated growth for HighSide, a multinational provider of technology that enables secure collaboration while smoothing compliance with requirements like those of the SEC, the HIPAA health data privacy law, and Europe's General Data Protection Regulation.
“The number of incidents we've been called to help clean up due to cloud service compromises has been significant over the last five years, and the number keeps growing,” says a blog by HighSide president and chief security officer Aaron Turner. “Only strong MFA [multi-factor authentication] can help reduce those risks.”
HighSide is currently offering its solution free in a so-called cybersecurity relief initiative. “I've been focusing on cybersecurity for nearly three decades, and I've never seen a moment in time where so many businesses across so many regions have been at such risk,” Turner says.
Another company, application security and compliance vendor ImmuniWeb, offers a “salvage plan,” including “a bundle of our solutions for $500,000 value for organizations and companies now migrating their workflow into the digital space because of coronavirus.”
“With employees working from home, firms' cyber risk profile has increased significantly,” says an ACA Compliance Group blog post. “Cyber criminals are stepping up their activity because they perceive controls are weaker at the moment.”
Maintain Vigilance
Despite regulators' statements of flexibility and forbearance, ACA's di Florio warns that firms should not neglect compliance obligations or allow a backlog to pile up: “Coming out of this in two or three months, the work is not going to go away.”
He says that risk managers ought to be thinking about key person risk - that for employees responsible for key enterprise and compliance risk functions, there are two or three others on staff who can step in if the primary individual becomes ill. “This has to happen across every risk area - on the business side as well as on the core business process side,” di Florio adds.
“I believe financial firms will now start to think and understand that they need a back-up for everything, not just for their telephones and technology systems, but also for their people, because we may see yet another black swan event like this one in the days ahead, and even more of them,” says Chris Jenkins, managing director at trading execution platform Tora. The company developed its OTD service as a response to the SARS virus outbreak in Asia.
“It is a dangerous thing to tell people that you are going to relieve recordkeeping requirements for a certain period of time,” says Chris Wooten, executive vice president of the surveillance group, NICE Vertical Markets. “If you are not continuing to monitor your regulatory compliance activities, financial firms are probably going to have some problems over time.”
Wooten explains in a blog post that by bringing the same controls to the homes of remote workers as they have in the office, firms can continue to be vigilant about risk and recordkeeping and “help protect the finance markets in this time of great uncertainty.” All communications need to be captured and analyzed, accommodating the fact that many capabilities are available through the cloud.
“If someone is going to do something wrong, it is human nature that they will talk about it or brag about it before or after they did it, and that's why analyzing those communications across a broad number of work channels is critical,” Wooten says. “If you are able to identify the risk early, you are more likely to stop it before it happens.”
Update Continuity Plans
Marianna Shafir, regulatory adviser with communications compliance and archiving provider Smarsh, says that many pre-COVID-19 business continuity plans did not account for the possibility of a pandemic, and this will have to be addressed going forward.
“The new avenues they will have to look at include technology that can accommodate an entire workforce that is working remotely,” Shafir says.
She suggests that risk and compliance executives review policies and procedures; assess the risk and compliance implications of changed work processes; update policies for the new work model; in training, stress communication practices that are permitted and those that are prohibited; and continue to capture both customer and employee records, making sure to adhere to confidentiality and privacy rules.
A Smarsh blog on best practices for collaboration platforms highlights the importance of updating policies to cover remote work communication and conference tools such as Slack, Teams and Zoom, and the need for training and retraining to ensure ease of use of these tools, while minimizing disruption to business operations.
“There will be a lot of learning that will come out of the COVID-19 pandemic and its impact on financial firms,” says NICE's Wooten. “I suspect that many of the financial institutions will do an extensive de-brief on this. We will figure out what we did well, what we did not do well, what risks were managed effectively, and we will be better prepared for this sort of event the next time around.”
Katherine Heires is a freelance business journalist and founder of MediaKat llc.