The rapid spread of the novel coronavirus disease 2019 (COVID-19) and global uncertainty surrounding government and market responses have caused financial market volatility to soar to levels not seen since the 2008 financial crisis. In this regard, on March 12 the Dow Jones Industrial Average suffered its worst one day loss since the market crash of October 1987. Asset managers, broker-dealers, banks, public companies and even regulators are considering how to monitor and mitigate operational risks during this pandemic and how to best protect against potential regulatory and enforcement risk. While presenting very stark challenges, the market turmoil also provides firms an opportunity to evaluate and strengthen their business continuity plans (“BCP”), compliance documentation protocols, cybersecurity infrastructure, trade monitoring, and other critical control measures that were conceived and built during less stressful conditions.
This alert discusses considerations and best practices for managing certain risks to public companies and financial services firms presented by the COVID-19 crisis, how these responses fit into the regulatory framework for BCPs, and the guidance and relief regulators have provided to date.
We encourage our clients to check Baker McKenzie’s Coronavirus Resource Center for other analysis and resources designed to help understand, prepare and respond to challenges posed by the virus and its impact on markets and the economy.
SEC Relief for Immediately Affected Public Companies and SEC Registrants
The SEC has been closely monitoring the impact of COVID-19 and is actively providing regulatory relief and assistance for public companies and other SEC registrants:
- Public Companies. On March 4, 2020, the SEC announced an order allowing publicly traded companies an additional 45 days to file certain disclosure reports due between March 1 and April 30, 2020. The SEC action extends to periodic reporting obligations, as well as the distribution of proxy and information statements. The order was accompanied by statements from Chairman Jay Clayton calling for transparency to investors and cooperation with audit committees and auditors to ensure that financial reporting and audit processes account for known trends and uncertainties associated with COVID-19.
- Investment Companies. The staff of the Division of Investment Management previously issued a staff statement extending prior no-action relief from certain in-person board voting requirements under the Investment Company Act of 1940 through June 15, 2020. In light of the impact of COVID-19, the SEC recently issued an order further extending relief to a broad range of obligations that apply to mutual funds, unit investment trusts, business development companies, and closed-end funds. This most recent March 13, 2020, order covers in-person board voting requirements, the preparation and distribution of annual and semi-annual shareholder reports, the filing of Forms N-CEN and N-PORT, advance notice for calling or redeeming closed-end fund securities, and the timely delivery of registered fund prospectuses.
- Investment Advisers. The SEC issued an order providing an additional 45 days for investment advisers that are required to submit an annual update to Form ADV and distribute an amended Form ADV (or summary of material changes) before April 30, 2020. Investment advisers also have an additional 45 days to file Form PF. The SEC is also actively updating other guidance to address investment adviser regulatory obligations that may be affected by COVID-19. For example, the SEC recently updated FAQs to clarify that advisers do not need to amend Form ADV to disclose temporary teleworking locations as offices and will not be deemed to have custody if the adviser is unable to return securities that it inadvertently receives from a client because the adviser is unable to access its office location.
- Consolidated Audit Trail Reporting. On March 16, 2020, the staff of the Division of Trading and Markets issued a no-action letter indicating that it will not recommend that the SEC take enforcement action against participating self-regulatory organizations (“Participants”) that do not enforce the CAT implementation deadlines against industry members. The no-action guidance recognizes that the response to COVID-19 has placed stress on information technology infrastructure and requires firms to deploy significant resources to implement BCPs. The current no-action position applies until May 20, 2020. In response, the Participants' Operating Committee has acknowledged that Participants will not take disciplinary action against their members for a failure to commence reporting to the CAT prior to May 20, 2020. The Operating Committee also notes that those industry members prepared and certified for reporting may do so within current timeframes.
The relief provided by the SEC may be subject to certain conditions, including notification to the SEC of reliance on the particular order, a brief description of why the firm could not satisfy its filing obligations on a timely basis, and in some cases disclosure (through its public website or, if it does not have a public website, directly to affected clients, shareholders and investors) of the delay. In each case, the SEC indicated that it continues to monitor the current situation and may extend the timeframe for any or all relief, or may issue other relief it determines is necessary or appropriate.
Business Continuity Planning and Regulatory Guidance
In the United States, business continuity requirements differ from regulator to regulator. Entities tasked with maintaining market infrastructure (e.g., banks and broker-dealers) are subject to more detailed and prescriptive rules, but nearly all regulated firms are required to have some form of BCP. On top of existing legal requirements, business continuity regulation has been shaped over the years by past disasters. The COVID-19 pandemic raises business continuity concerns that differ materially from these past disasters: hurricanes and terrorist attacks involved a temporary, significant disruption for regulated firms followed by a long recovery period. The COVID-19 pandemic, in contrast, raises the prospect of a prolonged disruption where firms will need to consider new ways to run their business, supervise employees and remain in compliance with applicable law.
A Checklist for Business Continuity Planning – FINRA Guidance. Amid the developing turmoil, FINRA published Regulatory Notice 20-08, a timely reminder of member firms’ obligations to develop and monitor BCPs that are sufficiently robust to withstand public emergencies and sufficiently flexible to adapt to evolving conditions. Notice 20-08 does not impose any new obligations on member firms. However, it highlights that FINRA Rule 4370 requires member firms to create, maintain, and periodically review and update a BCP that identifies procedures relating to an emergency or significant business disruption. While the FINRA rule applies only to its member broker-dealer firms, the issues identified in Notice 20-08 and Rule 4370 offer a good—and the most current—checklist and guidance for any financial services business.
For starters, Rule 4370(c) lists various topics that must be addressed in a member company’s BCP. At minimum, BCPs should discuss:
- Data back-up and recovery (hard copy and electronic);
- All mission critical systems;
- Financial and operational assessments;
- Alternate communications between customers and the member;
- Alternate communications between the member and its employees;
- Alternate physical location of employees;
- Critical business constituent, bank, and counter-party impact;
- Regulatory reporting;
- Communications with regulators; and
- How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
During this uncertain period, firms can actively and continuously evaluate how their BCPs are being implemented in these core areas, whether additional planning or resources are needed, and whether existing systems are operating in a way that will withstand potential regulatory review. Firms should also consider documenting specific ways their policies are being implemented to mitigate foreseeable risks. Regulatory Notice 20-08 (and past guidance from FINRA and the SEC) provides examples of consequences of a public health epidemic which should be contemplated in BCPs, such as staff absenteeism, remote work arrangements, travel or transportation limitations, telecommunication interruptions and slowdowns, vendor unavailability, and surges in customer orders or service requests. On this note, firms can designate responsible teams or individuals in their legal, IT, HR, physical security, finance and other departments best suited to tackle the relevant risk areas and to respond as risks evolve over the course of the pandemic.
Supervision of Remote Work Arrangements. Notice 20-08 specifically notes that firms need a system of reasonable supervision of employees and associates who work remotely during a pandemic situation. All firms should be thoughtful about how they supervise company activities that involve significant populations of employees working at remote locations. If it is not too late, firms should plan and stress test remote work infrastructure prior to initiating office closures or other social distancing measures. Firms should ensure that employees are equipped to maintain access to critical systems and also that remote access points such as VPNs will not fold or create vulnerabilities under increased traffic. During pandemic situations (and generally), access to communication systems and remote access should be consistent with written policies and use only company-issued or -authorized equipment and portals.
Cybersecurity Measures. Remote work arrangements and periods of heightened uncertainty can increase the risk of cybersecurity intrusions such as phishing and IP spoofing attacks. Now is a good time to evaluate whether cybersecurity policies are up-to-date and are being diligently followed within your company. Notice 20-08 specifically recommends that firms (1) ensure that VPNs and other remote access systems are properly patched with available security updates; (2) check that remote system entitlements are current; (3) employ multi-factor authentication for remote associates; and (4) remind associates of cyber risks through education and other exercises that promote heightened vigilance.
CFTC/NFA Regulatory Guidance. In addition to the SEC and FINRA, the NFA issued guidance that it will not discipline members that permit associated persons to temporarily work from locations that have not previously been disclosed as branch offices without a branch manager (e.g., because of remote work arrangements). Members must, however, implement and document alternative methods to adequately supervise associated person activities and meet recordkeeping requirements. The NFA also noted that swap dealers should notify the CFTC if a swap dealer implements a teleworking plan or activates its BCP where such implementation or activation is for purposes other than testing. On March 18, the CFTC staff provided expanded no-action relief to address concerns of market participants. In particular, the staff created time-limited exemptions from CFTC rules requiring recording of voice trading and telephonic communications and time-stamping requirements when located in remote, socially-distanced locations and relaxed deadlines to file annual compliance reports.
Documenting Trading Activity and the Effectiveness of Automated Systems. During significant market volatility and the heavy trading activity that often accompanies such times, it is more critical than ever for financial services companies to require that employees and associates document communications with clients relating to trading activity, and with vendors concerning outsourced systems and security. Firms should consider proactive reminders to customer-facing representatives of their responsibilities to document investment recommendations they have offered, as well as requests by clients to trade particular positions or change their investment strategy. Reminding associates (clearly and in writing) about the importance of preserving client consultations, trading decisions and systems verifications in writing will help firms to minimize the potential risk of customer complaints and arbitration that generally occur in a volatile market environment.
With respect to client communications, most firms have some form of customer relationship management (CRM) system and automated procedures for documenting client contacts. Firms may want to take steps to confirm that personnel are using these systems to preserve electronic communications and are memorializing oral discussions with clients and the result of those consultations. In periods of extreme volatility, associates may be stressed with a high volume of calls and e-mails, or the general challenges of remote work, and be tempted to conduct business without taking time to follow best practices for memorializing those communications. Likewise, managers of discretionary accounts should take care to document their thought process relating to significant changes to their investment strategy during periods of increased volatility. Firms can also provide written warnings to self-directed investors about the risks of trading in a volatile market.
Surveillance. Careful surveillance of customer accounts is also crucial at times of heavy trading and extreme market volatility. Identifying and analyzing customer accounts that have lost significantly more than the market—or, conversely, those accounts that appear to be weathering deep market losses remarkably well—represent key risk controls, and those reviews must be documented. Enforcement agencies identify violations by evaluating outlier accounts. Firms should do the same and be prepared to produce documentation proving that they made reasonable efforts to detect and halt suspicious activity.
Managing Reliance on Third Party Systems and Vendors. Firms can also contact vendors to confirm that third party systems and automated controls within such systems—such as trading limits set within order and execution management systems—are in place and operating as intended. Key vendors and service providers can confirm that they have sufficient bandwidth and there are no foreseeable disruptions of service delivery. Firms should also try to validate that providers of essential services have their own emergency preparedness and response plans in place. These systems function in ways that are not always transparent to customers or to regulators. If and when controls fail, documentation can help establish that your firm made reasonable efforts to ensure that controls would operate as planned in a volatile market.
Documenting Electronic Security, Stability, and Incident Response Efforts
Financial services companies also need to protect themselves from unlawful activity, cyber intrusions and other breakdowns that may occur during periods of volatility. It is a good idea to document any and all precautions taken, however obvious they might seem, under your existing systems of controls. Companies can only learn in hindsight which measures were essential to mitigating those threats and failures which have not yet fully emerged. By implementing systems to document all relevant security measures and how they were executed in practice, companies may substantially reduce exposure to regulatory and litigation risks that result from investor losses and system failures during this tumultuous period.
Cybersecurity is an ongoing concern to virtually every company and has rapidly become a paramount focus of financial industry regulators. Bad actors know that valuable information is being sent through vulnerable and non-secure channels in high volumes during a crisis. Remote work creates additional vulnerabilities and access points for intruders. As noted above, firms need to redouble their efforts in terms of real time monitoring and prevention of cyber attacks and document how they did so.
It is also prudent to prepare your IT and telecommunications infrastructure for surges in electronic trades and customer inquiries. Firms have experienced notable trading outages in recent days. Even temporary outages can prompt government investigations and private litigation, the costs of which may far exceed investment in infrastructure that is sufficient to handle unusually high trading volumes. Trading platforms should also have a backup plan in the event transactions cannot be accomplished electronically. Firms may be inundated by calls from panicked clients when electronic platforms are interrupted or slowed during periods of heightened market activity. Firms should evaluate (in writing) procedures for diagnosing and responding to outages and fielding customer inquiries at their call centers during outages.
Firms can also document all measures designed to minimize the potential for trading errors during periods of higher trading volume. While it may be impractical to implement capabilities in the midst of overwhelming volume, firms can inventory all controls over trading execution and identify the relevant teams and individuals who are responsible for actively monitoring those controls, performing quality control samples, responding to reports of potential inaccuracies, and so forth.
Disclosure Obligations and Insider Trading Controls for Public Companies
Public companies should remain cognizant of their duty to continuously evaluate whether the actual impacts or foreseeable risks posed by the COVID-19 pandemic are material to investors. If so, companies must undertake difficult decisions about where and when such disclosures should occur, and how to quantify the risks and consequences of a global pandemic that is evolving daily. In addition, significant business disruptions, particularly for public companies with substantial operations in regions impacted by COVID-19, present real challenges to completing work necessary to complete year-end audits and otherwise publish audited financial statements.
As noted above, the SEC recently confirmed it is “closely monitoring” the impact of COVID-19 on investors and capital markets and, subject to certain conditions, will grant a 45-day extension to file periodic reports. During this temporary reprieve, however, companies may still be obligated to publish current reports (e.g., Form 8-Ks) soon after they become aware of supply-chain disruptions, liquidity and cash flow constraints, cost spikes, revenue declines, or other events that may be material to investors. Companies must also take a fresh look at risk disclosures in their recent periodic reports to ensure that material risks related to the COVID-19 pandemic are captured within operative disclosures; as of March 1, more than 600 public companies had already mentioned the new coronavirus in the risk factors section of periodic reports and prospectuses. Judgments about materiality and the content of disclosures are often difficult and companies should consult with in-house and external experts concerning the appropriate course of action.
Insider trading is another area of exposure for companies who become aware of material risks related to COVID-19. Companies should consider implementing (and documenting) special procedures to prevent corporate insiders from trading in company stock prior to such disclosures. While materiality is always a fact-intensive judgment, companies should err on the side of caution during this tumultuous period and consider whether the imposition of heightened restrictions and authorization requirements for trading activity by corporate insiders is appropriate.
Many firms are already in the thick of addressing the challenges posed by COVID-19, but it may be valuable to take stock of how the BCP is performing, especially given the unique nature of this pandemic relative to past business disruptions. After prior disasters, regulators have conducted sweeps and closely scrutinized regulated firms’ actions, and it would be reasonable to assume regulators will do so after the COVID-19 pandemic subsides. Firms should:
- Revisit BCPs and check that all contact details are up-to-date;
- Assess the performance of IT and communications systems, even where no major disruptions have occurred, and be aware of cyber-security risks and unanticipated complications (e.g., Are employees being pushed to work through home e-mail accounts? Are information barriers being respected? Are remote work systems secure?);
- To the extent that remote working continues on an unprecedented scale, consider whether supervisory functions need to be adjusted to provide the appropriate level of oversight;
- Evaluate operations and resources arrangement and consider the need to obtain additional support;
- Evaluate existing contracts and arrangements with customers, suppliers and service providers, consider or implement alternative arrangements to ensure continuity and, where appropriate, consider force majeure provisions to suspend or terminate services;
- Continue to communicate with clients, customers and counter-parties regularly assessing any material developments; and
- Assess any practical difficulties in complying with regulatory deadlines (e.g., filing deadlines) and continue to communicate with regulators.
Baker McKenzie advises a wide range of financial industry participants and public reporting companies regarding best practices for regulatory and enforcement risk mitigation. We hope that the COVID-19 tragedy is short-lived, but stand ready to assist however the path forward develops. To the extent that we can be helpful in thinking through questions or concerns regarding compliance best practices during the COVID-19 pandemic, please do not hesitate to reach out to any of our Financial Regulation and Enforcement practice team or to your Baker McKenzie contact.