KEY POINTS
- Katten analyses the UK's Financial Conduct Authority's (FCA) approach to Business Continuity Plans (BCPs) and outlines some best practice for FCA-regulated firms to follow.
- The FCA Handbook mandates BCPs for many FCA-authorised firms, and recommends that other firms develop plans. The FCA Handbook also provides for "emergencies" in which firms would not be in contravention of FCA rules if it is "impracticable" for them to comply with the Handbook.
- In a recent review, the FCA emphasised the importance of good planning, quick reactions, constant monitoring and proactive remediation in the event of business disruption.
- With regards to COVID-19, the FCA expects firms to take "all reasonable steps to meet their regulatory obligations." The FCA has not explicitly exempted firms from regulatory obligations, but is working towards "understanding the pressures [firms] are facing" and will "keep … guidance under review as necessary."1
- In terms of practical guidance, we recommend a pragmatic and measured approach — one which emphasises regular communications with employees, clients and key-third parties, including service providers upon whom the firm relies in the conduct of its regulated activities and client services.
FCA Review of Retail Banks
As a ‘case study’ on BCPs within a subset of FCA-authorised firms, in July 2019 the FCA published the results of a multi-firm review into BCPs among small and medium-sized retail banks, payments institutions and electronic money institutions (the Review).12 In the Review, the FCA wanted to assess the approach taken by firms to:
- plan for and manage business continuity events;
- implement business continuity contingencies including communications;
- recover and return to normal service following an event; and
- identify potential or actual consumer harm and remediate where necessary.
In the Review, the FCA identified both best practices and areas for “enhancement”, which are featured in the “Practical Guidance” section of this advisory.
In general, the FCA highlighted the importance of having a comprehensive plan that can be adjusted so that the firm can respond swiftly to situations as they change. The FCA also felt that firms could do more to improve their communications with employees, customers and other stakeholders during an incident. Finally, the FCA noted that it expects firms to proactively contact their clients and customers in order to understand and mitigate the impact of the situation.
Introduction
In light of the recent outbreak of the novel coronavirus, now known as COVID-19, and its spread around the globe, many UK-based financial services firms are reviewing, and even acting upon, their BCPs. BCPs are a regulatory requirement for many FCA-authorised financial services firms, and the FCA has provided detailed requirements of what such plans should contain. The regulator also has provided further guidance in recent publications such as its statement issued on March 4, 2020 (the Statement).2
In this advisory, Katten reviews the FCA's approach to BCP and suggests some best practice points for firms to follow in the event that the current situation in the UK escalates and a shut-down is enforced by the UK Government.
FCA's Approach to BCP
The FCA's approach to business continuity is set out in the Systems and Controls (SYSC) section of its Handbook. These rules apply to "common platform firms"3 operating from the UK including banks, broker-dealers, proprietary trading firms, fund managers and investment advisers. Such firms are required to "take reasonable steps to ensure continuity and regularity in the performance of [their] regulated activities" and "must employ appropriate and proportionate systems, resources and procedures."4
In addition to this, firms to which the Capital Requirements Regulation (CRR) applies must "establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited", as well as ensuring "the preservation of essential data and functions, and the maintenance of its regulated activities…or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities."5 This obligation also applies to management companies with regard to their collective portfolio management activities.
Finally, the FCA notes that other FCA-authorised firms should treat the rules outlined above as if they were guidance.6 The outcome of this is that the FCA expects all FCA-authorised firms to have appropriate and proportionate BCPs. This expectation was reiterated in the Statement regarding BCP in light of the novel coronavirus.7
The FCA expects a BCP to address the following:8
- resource requirements such as people, systems and other assets and arrangements for obtaining these resources;
- the recovery priorities for the firm's operations;
- communication arrangements for internal and external concerned parties (including the FCA, clients and the press);
- escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
- processes to validate the integrity of information affected by the disruption; and
- regular testing of the firm's BCP in an appropriate and proportionate manner.
Key Considerations
In the Statement, the FCA noted that it expected firms to take "all reasonable steps" to meet their regulatory obligations, including an ongoing requirement to enter orders and transactions into systems promptly, using recorded telephone lines when sending client orders by telephone, and ensuring ongoing and adequate compliance support. The FCA stated that it has no objection to firms operating from backup sites or to staff working from home. It is therefore critical that if remote working becomes a requirement (such as if the UK government mandates a full or partial shut-down in the style experienced in China, Italy and elsewhere), firms should consider:
- Can the firm continue to conduct its regulated activities if the COVID-19 outbreak worsens significantly?
- Can services to clients be maintained at an appropriate level?
- Can front-office staff work remotely, and if so, can they enter orders and transactions promptly, and can their telephone calls be recorded at home?
- Can the firm's support functions/back-office services be provided by staff working from home?
- Do staff have access to technology and infrastructure to allow them to effectively continue doing their jobs?
FCA – Emergency Rules
FCA rules9 recognise that in "emergency" circumstances, a firm may be unable to comply with a particular rule or rules in the FCA Handbook (i.e., that a firm may knowingly breach FCA rules). A government-mandated full or partial shut-down may reasonably be considered to be an "emergency" situation, particularly if the number of cases of COVID-19 increased markedly and the death-toll rose. If a firm is unable to comply with a particular rule because of an "emergency" then the FCA would consider that the firm is not technically in contravention of that rule.
However, this is only permissible where the emergency is such that 1) it is impracticable to comply; 2) the breach could not have been avoided by the firm taking all reasonable steps; and 3) the emergency situation is outside the control of the person, its associates and agents (and of its and their employees). The FCA defines "impracticable" — in such circumstances — as involving a firm going to "unreasonable lengths".10
Notwithstanding the potential ‘permissibility' of a breach, the firm must be able to demonstrate to the FCA that it has mitigated losses and potential losses to its clients (if any), and the firm must have notified the FCA as soon as practicable of the emergency and of the steps it is taking/proposes to take to deal with the consequences of the emergency, and the firm must remain in contact with the FCA to keep the FCA informed of the steps it is taking.11
If any such FCA rule is breached, the firm must take action as soon as is reasonably practicable after the emergency has passed to remedy the relevant breach. For example, if remote working by a portfolio manager under a COVID-19 shut-down had meant that the back-office staff were unable to conduct transaction reporting for the trading activities conducted by the portfolio manager, then as soon as the emergency is over, the fund management firm would have to submit fulsome back-dated transaction reports in a timely manner.
However, even in an "emergency", if a firm does not have a suitable BCP, it is very unlikelythat the FCA would permit a breach of a particular Handbook rule. This is because the FCA would be unlikely to consider such a firm to have taken "all reasonable steps" to avoid the breach — and, indeed, the FCA could take enforcement action not only for the breach itself, but also for the firm's failure to comply with its Systems and Controls requirements, as mandated by Chapter 4 of SYSC (as described above).
Practical Guidance
The following steps are best practices for critical business disruption situations such as a COVID-19 shut-down:
1. Identify (and train) key staff as soon as possible
Firms should identify a senior manager to be responsible for the execution of the BCP — this individual could be a Senior Manager in charge of Operations (SMF 24), if applicable, or the COO. A back-up person(s) who are trained to undertake this role and any other key roles in your BCP also should be designated.
Firms should be mindful that key decision-makers might be unavailable during an incident. Firms should identify who is responsible for such decisions in their absence, and consider the status of such decisions once the incident is over.
Firms also should identify employees who can take on special roles during the incident, such as monitoring news and government or regulatory announcements. Firms should consider using flexible (internal and external) resource plans to ensure that the firm has the capability to quickly move resources to where they are most needed in an emergency.
Employees should be trained and, at times when business continuity is threatened, staff should be encouraged to take their laptops (or other items needed for work) home with them every day. Staff training should remind individuals that risks such as email phishing or spoofing remain present and may be more of a problem during a work from home situation.
2. Identify key third parties
A firm's reliance on third parties and service providers will depend on the nature of its business. At a minimum, firms should contact key third parties to update them on their BCP and find out the status of theirs. If possible, firms should include these third parties in their BCP testing. Firms also should, if possible, develop backup or alternative processes.
3. Testing
Firms should test every element of a BCP, both in theory (such as a table top exercise with the relevant teams) and in practice. Such practical testing should include testing work from home capability, including ensuring that phone lines can be recorded where required, and that staff who are working at home can be monitored where needed. Additional training on using remote access equipment would be best achieved while staff are still on site, or in advance of any shut-down.
Firms must make sure to respond to the results of a test, and have a process for monitoring and confirming that elements have been fixed.
4. Communication plan
Firms should develop a communication plan to keep both employees and clients fully and regularly updated on the status of any business disruption and the steps being taken to ensure business continuity. Rumour and misinformation may exacerbate existing issues.
5. Management
Once a BCP is put into action (i.e., in an emergency scenario that may arise pursuant to a COVID-19 shut-down), firm management should ensure that any response is managed and driven by individuals with appropriate knowledge, experience and seniority. To the extent that it is practical, firms should keep the FCA informed of any ‘emergency' scenarios that could cause a breach of any FCA rules, and let the FCA know the proposed remedy to the breach once circumstances allow.
2 FCA, Statement on Covid-19 (coronavirus), https://www.fca.org.uk/news/statements/covid-19.
3 Being firms to which both the Markets in Financial Instruments Directive (MiFID) and the Capital Requirements Directive (CRD) apply; FCA Handbook, https://www.handbook.fca.org.uk/handbook/glossary/g1967.html.
4 SYSC 4.1.6R
5 SYSC 4.1.7R
6 SYSC 4.1.7AR
7 FCA, Statement on Covid-19 (coronavirus), https://www.fca.org.uk/news/statements/covid-19.
8 SYSC 4.1.8G
9 FCA Handbook, GEN chapter 1.3, https://www.handbook.fca.org.uk/handbook/gen/1/3.html.
10 GEN 1.3.4
11 Under Principle 11 (Relations with regulators).
12 FCA, Retail Banking: Business Continuity Planning, https://www.fca.org.uk/publications/multi-firm-reviews/retail-banking-business-continuity-planning.