While employers across various industries and sectors face certain common challenges in resuming business operations during the COVID-19 pandemic, financial services businesses — including registered entities (e.g., exchanges), individual registrants and trading firms — also need to consider unique regulatory and compliance obligations. Among other issues, it appears that at least some firms in the financial services industry will not mandate that all employees return to work at a single time. Rather, firms will phase in the return of employees to offices, utilizing at least a combination of formal main and branch offices, business-continuity locations and employee home offices for some time. Indeed, some commentators speculate that having a significant portion of employees permanently or at least on a part-time basis working from home may be the new normal even after the COVID-19 pandemic has passed.1 Transition and new business-as-usual (BAU) arrangements will likely require regulators’ assistance in extending expiration dates of relief granted throughout the COVID-19 pandemic.
Katten published a “Returning to Work Amid COVID-19: An Overview of Issues” checklist that provides a comprehensive overview of general workplace safety and workforce management issues and key considerations for all employers as they navigate through this unprecedented time. This advisory supplements Katten’s workplace safety and workforce management checklist by providing a non-exhaustive list of additional compliance-related considerations for financial services businesses as they reopen their offices and transition from utilizing mostly remote-working arrangements to a combination of working arrangements as a phase-in stage or as part of BAU operations. In particular, this advisory addresses:
- updating BAU policies and procedures;
- updating business continuity plans (BCPs);
- notifying regulators after returning to work, as appropriate;
- addressing employee supervision and branch office matters;
- enhancing cybersecurity of remote-office workplaces generally and safeguarding confidential client information specifically;
- ensuring books and records are properly maintained; and
- completing regulatory filings.
Updating BAU Policies and Procedures
Many financial businesses responded to the pandemic without the benefit of time to consider the longer-term implications of implementing alternative policies and procedures. As financial services businesses start to return to work, they should consider updating their compliance policies and procedures to account for any changes to business processes resulting from the COVID-19 pandemic. If working from home is likely to become a bigger part of a financial services business’s BAU, all BAU policy and procedures should be updated to consider the impact of such arrangements on:
- logistics (e.g., what technologies and infrastructure are necessary to support remote working);
- supervision (e.g., how to supervise employees working from home; how remote surveillance and supervisory staff should supervise employees working at diverse locations, including BCP sites and working from home); and
- security (e.g., what adaptions, if any, may be required to authorize employees to use non-company-issued phone service, computers, printers or other electronic devices).
Updating BCPs
Many financial services businesses activated their BCPs at some point during the outbreak. These businesses should:
- consider whether to continue activating their BCPs and whether to modify BCPs as some employees return to work in the financial services business’s main or branch offices and, in some instances, some employees continue to work remotely;
- review and modify their BCPs to ensure consistency with any process changes adopted during the pandemic and continue to benchmark their BCPs against new or emerging threats to normal business operations (e.g., among other things, BCPs should formally anticipate employees working from home); and
- if required, notify regulators that temporary branch offices and BCPs are no longer activated.
Notifying Regulators After Returning to Work, as Appropriate
Financial services businesses that notified their regulators of certain events should consider whether returning to work or maintaining a hybrid arrangement triggers additional notifications and/or relief. For example:
- Financial Industry Regulatory Authority (FINRA) members firms were encouraged (but not required) to notify FINRA that they activated their BCPs. Those firms that notified FINRA (and others, if appropriate) should consider contacting their FINRA Risk Monitoring Analyst as they return to work. If they do, they should discuss how any issues they were facing were resolved or if they are ongoing.
- Some Commodity Futures Trading Commission (CFTC) regulatory relief was conditioned on registrants returning to ordinary compliance with all CFTC regulations and guidance covered by the relief once the pandemic abates. For example, the earliest CFTC staff no-action letters granted certain registrants time-expired relief from otherwise applicable telephone recording, order-time stamping, and introducing broker registration requirements. (For a comprehensive list of all CFTC COVID-19 related releases, as well as the releases of other regulators, review Katten’s Financial Markets Regulation COVID-19 Resource Center.) If a firm or individual decides that its pre-pandemic operations model will no longer be applicable, the firm or individual should notify the CFTC as well as their designated self-regulatory organization to discuss its proposed model.
Addressing Employee Supervision and Branch Office Matters
Financial services businesses should consider whether registrants operating outside of their normal office locations are no longer required or if in a transition phase or as BAU that employees may operate entirely or partly from remote offices including BCP sites or home offices. This too should prompt financial services businesses to consider whether regulators should be notified that temporary office locations are no longer necessary or may become more permanent. For example:
- The National Futures Association (NFA) issued relief to CFTC registrants from NFA’s normal branch registration requirements and branch office supervision requirements when a manager’s associated persons temporarily work from locations not listed as a branch office or without a branch manager. NFA’s relief was conditioned on a financial services business requiring its associated persons to return to their normal office location(s) once that business is no longer operating under its BCP.
- FINRA temporarily suspended Form U4 filing requirements regarding office of employment address for registered persons who temporarily relocate due to the COVID-19 pandemic and the requirement that firms submit branch office applications on Form BR for any temporary office locations or space-sharing arrangements established as a result of recent events. FINRA member firms that relocated personnel to temporary locations that were not registered as a branch office or identified as a regular non-branch location should have used their best efforts to provide written notification to their FINRA Risk Monitoring Analyst as soon as possible after establishing the new temporary office or space-sharing arrangement. Affected firms should consider contacting their FINRA Risk Monitoring Analyst as soon as possible after relocating from these temporary emergency locations.
Enhancing Cybersecurity of Remote-Office Workplaces Generally and Safeguarding Confidential Client Information
As financial services businesses return to work, they need to make sure appropriate steps are taken to safeguard personal and confidential information. For example:
- Regulators expect firms to protect personally identifiable information and, of particular note, firms that collect information from New York and California residents need to consider compliance with these states’ regulations that protect the security, confidentiality and integrity of private information. If all or some of a firm’s personnel were working remotely, firms should reassess and consider any challenges presented. This may be particularly relevant when some of the firm’s personnel work remotely and some work in the office.
- If a financial services business decides to utilize BCP locations and home offices in a transition phase or as BAU, the business should also consider issues regarding cybersecurity and protecting customer and employees’ personal and confidential information in a more systematic manner. Among other things, these businesses will need to consider policies and procedures regarding employees at non-ordinary offices utilizing personal cell phones, computers, printers and other electronic equipment as company-issued equipment may not always be practical for such locations. Similarly, accommodating work from home arrangements likely requires financial services businesses to revise policies and procedures to address logistical issues of persons working from environments where other persons may be present and potentially having the opportunity to view computer screens, printouts of documents and/or overhear conversations pertaining to non-public information. For more information, see Katten’s advisory titled “Coronavirus Cyberhygiene: Dos and Don'ts for COVID-19 Remote Work,” which provides useful tips to help employers address the security threats and challenges of remote work.
Ensuring Books and Records Are Properly Maintained
At all times, a financial services business needs to ensure that its books and records are complete and appropriately maintained. This process includes retrieving remotely generated and/or manually prepared records as soon as technologically practicable for integration into the financial services business’s centralized books and records system. These remote and manual records must be incorporated in such a way that they are capable of being easily identified and retrievable. For example:
- As a result of COVID-19-related remote-working arrangements, the CFTC and NFA issued temporary relief to various registrants and regulated entities from specific aspects of normal recordkeeping requirements, such as timestamping and oral communication recordkeeping. This relief is conditioned on registrants and regulated entities developing and maintaining written records of oral communications and handwritten notations of time stamps to the nearest minutes. These records are the types that financial services businesses should retrieve and integrate as soon as technologically practicable.
Completing Regulatory Filings
Financial services businesses should consider whether it is appropriate to submit delayed regulatory filings. The Securities and Exchange Commission (SEC), CFTC, FINRA and NFA all gave financial services businesses time extensions to make annual and periodic filings and to respond to inquiries. These businesses should consider whether these extensions still apply and consider whether they need to update and/or make those filings. For example:
- The SEC provided investment advisers with temporary relief from 13G, 13F, Form ADV and Form PF filing and delivery requirements.
- Similarly, the CFTC and NFA have separately provided temporary relief to various CFTC registrants, regulated entities (e.g., swap execution facilities) and even members of regulated entities facing challenges due to the COVID-19 pandemic in the form of extending certain filing deadlines for several standard reports required to be delivered to the NFA and, in the case of commodity pool operators, periodic reports to be delivered to pool participants.