Insights overview

Managing regulatory obligations in lockdown

The current situation undoubtedly presents significant challenges for regulated financial services firms and in particular for their compliance officers and senior management.

In regulatory terms, the FCA and PRA have shown themselves willing to be pragmatic and realistic in their expectations of firms, through steps like the relaxation of certain deadlines around regulatory reporting, extension of deadlines for consultations, the delayed implementation of planned regulatory changes and even through specific measures such as the suggestion that firms may be able to accept “selfies” and scanned documentation from customers as part of the AML customer due diligence process.

However it is important to recognise that the FCA also expects “firms to be taking reasonable steps to ensure they are prepared to meet the challenges coronavirus could pose to customers and staff, particularly through their business continuity plans … We also expect firms to manage their financial resilience and actively manage their liquidity. Firms should report to us immediately if they believe they will be in difficulty”. The FCA also noted that it stands “ready to take any steps necessary to ensure customers are protected and markets continue to function well”.

The question of what will amount to “reasonable steps” will, of course, vary from firm to firm, being dependent on a number of factors, not least the size of the firm, the nature of the activities it undertakes (and the regulatory obligations and risks which it will need to manage in consequence) and the extent to which it already makes use of remote working and technology within its business. There are, however, some ways in which firms can approach the task of prioritising and help ensure the steps they have taken are seen to be “reasonable”, even if viewed with the benefit of hindsight:

Prioritise those areas of the business that will or might have an impact on the ability of the firm to meet the FCA’s threshold conditions – for instance, by ensuring regular monitoring of the firm’s position relative to its capital requirement and by ensuring that the firm’s mind and management remains in the UK;
Keep in mind the FCA’s core objectives and principles for business – for instance by ensuring that appropriate attention is paid to mitigating the risk that the business is used to facilitate financial crime, by maintaining a robust control environment over the prevention or detection of market abuse and by ensuring that the information needs of customers are understood and met;
Take care to exercise appropriate oversight of the firm’s outsourcers, recognising that many of them may be facing similar challenges and ensuring that their response to those challenges does not pose risks for the firm itself or its customers, particularly if they are located in different countries;
Apply appropriate rigour to the selection and deployment of any new or revised processes, including any technology based solutions;
Ensure your governance processes and structures have adapted and that the MI you have in place will help you to identify where risks may have crystallised or may be about to do so;
Maintain service levels for customers to the fullest extent possible, and where this is not possible, manage customer expectations appropriately;
Ensure that any tasks that have been deferred – whether specifically driven by regulation (such as regulatory reporting) or otherwise – remain visible and are addressed as promptly as possible once a business as usual environment returns;
Recognise that this is a fast moving environment and make sure you keep abreast of developments, including new announcements from the FCA – the FCA has published consultation papers in the past few days and weeks with timescales calling for responses within as little as 48 or 72 hours;
Carry out stress testing and reverse stress testing to help identify the potential impact of future developments, including – for instance, significant absenteeism or the failure of an outsource provider. Ensure you have a contingency plan (or rather, plans).

The above steps should go some way towards helping firms survive through the current situation and in a manner which ensures they are not faced with significant regulatory criticism for an inadequate response