Many financial service institutions have been hesitant to create teleworking processes and systems that would give them more flexibility to service clients and build the business. However, within the regulatory framework, landmines appear at every turn.
Under federal guidelines, the financial services sector is identified as a “Critical Infrastructure Sector” by the Department of Homeland Security. Under this guidance, financial services sector workers are essential critical infrastructure workers during the COVID-19 response emergency. Firms must distinguish “essential” from “non-essential” staff. For any “non-essential” staff members, the available guidance generally advises implementing teleworking during this unprecedented time.
For Firms that never dreamed of building a virtual workforce, below are some key considerations to help keep your program in compliance with regulatory guidance while teleworking.
The pandemic has shown numerous weaknesses in some programs, specifically protections in place for those working from home. Cybercriminals are hard at work taking advantage of individuals and companies that don’t have the infrastructure or solid program in place for telework. The SEC recently published its Cybersecurity and Resiliency Observations noting key failures in cybersecurity programs and other programs within the Firm. FINRA also published a Small Firm Cybersecurity checklist which includes guidance on building a program with the following:
- Identify and assess cybersecurity threats;
- Protect assets from cyber intrusions;
- Detect when their systems and assets have been compromised;
- Respond when a compromise occurs; and
- Implement a plan to recover lost, stolen or unavailable assets.
Practical Considerations for Cybersecurity:
- Send reminders of cybersecurity risks and schemes for staff to remain vigilant.
- Look into VPNs or virtual computers that help create consistent protections across staff who are teleworking.
- Consider how the staff is storing files.
- Review firewalls and perform proper updates.
FINRA recently released NTM 20-08 to give Firms additional guidance on relevant information affecting the industry members. Important items include:
- Telework Arrangements
- Form U4/U5
- Emergency Office Locations
- Communicating with Customers
- Communicating with FINRA
- Military Personnel
- Regulatory Filings and Deadlines
The SEC’s most recent guidance from 2004 was not written in anticipation of the current pandemic; however, it’s still relevant today. In 2016, the SEC published similar guidance, Business Continuity Planning For Registered Investment Companies, and noted: “Rule 38a-1 under the Investment Company Act of 1940 (“Investment Company Act”) requires funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws. In the staff’s view, fund complexes should consider their respective compliance obligations under the federal securities laws when assessing their ability to continue operations during a business continuity event.”
Practical Considerations for Supervision:
- Supervisory systems must be reasonable based on the Firm’s compliance program and risks. This pandemic is one such risk that your system should be designed for, so evaluate your program in light of it.
- Test critical systems, from remote systems to internal operations, and make changes based on the results and findings.
- Main office and branch testing procedures may need to be re-evaluated in how they are delivered or moved to a later date.
FINRA Rule 2210 defines the venues of communication, types of communication, approval, and recordkeeping guidelines. Communication with the public may be one point of stress during the pandemic. Now more than ever, a Firm should reiterate and confirm that all staff members understand its approved venues of communication. As many staff members and clients begin teleworking, do not allow your Firm’s communication program to become lax.
Firms should review electronic communication and storage policies. We previously provided a useful blog resource on electronic storage media that we encourage Firms to review. If your Firm did not allow text message or social media communication before the COVID-19 pandemic, it still should not be allowed. Clearly communicating (by company communication, memo, etc.) what is expected of, and approved for, staff members working outside of the office will help reinforce your communications program and avoid regulatory scrutiny after this is over.
For more information on key considerations for your Firm during the COVID-19 outbreak, see our previous post on BCP and COVID-19: Considerations for Firms.