Operational Risk

The stressed environment of the Covid-19 pandemic increased not only market and credit risks but also the operational risks of financial institutions. The Basel Framework defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This typically includes – according to the Basel Framework – legal risk but excludes strategic and reputational risk. It should not be forgotten, however, that in cases where operational risks materialise, institutions are typically also exposed to a reputational risk. The difficulty in assessing and managing operational risk lies in its almost purely “qualitative” nature and its diverse risk drivers, and the fact that operational risk represents to a high degree the “human factor” in the different kind of risks a financial institution faces, makes it a risk that can develop a strong dynamic.   

The impact of the Covid-19 pandemic on the “working environment” of financial institutions is almost a case study for how quickly the operational risk situation of an institution might change. Within days, financial institutions were forced to fundamentally change the way they conduct business by having to send most of their employees to work from home. Consequently, institutions were faced with a material shift in their operational risk situation that required and will further require decisive risk management and governance.

However, the risk management and control functions of financial institutions have themselves been faced with operational strains occasioned by the Covid-19 pandemic. This means that it is not just the operational risk of the business units that changes but also the way in which the business units can be supervised and monitored by the relevant control functions. The broad shift to remote working probably causes the most friction in the supervisory and risk management roles. Especially since supervisory personnel does not have the same oversight and interaction with supervised persons when both – supervised persons and the supervisor – work remotely.

Supervision of Personnel 

The supervision of staff as well as the monitoring capabilities of risk management and control functions in general are significantly impaired by remote working arrangements. Although the technical developments of the last years allow institutions to monitor their employees more closely, even if they work remotely, supervision as known from “on-premises” work is not possible. Financial institutions should therefore closely review and, where necessary, adapt their supervisory and compliance policies and procedures to the current remote working environment. Given the current development of the Covid-19 pandemic as well as the uncertainty of how the situation will evolve in Q1 and Q2 of 2021, these amendments should also reflect the mid-term working scenarios that the institutions expect for them.

Generally, the supervisory functions should test and assess whether their existing tools of supervision were sufficient and where they would need new tools and / or procedures. This goes hand in hand with additional support for supervisory roles by e.g. providing additional coaching to supervisors and staff, sharing regular updates on emerging issues and risks as well as providing them with virtual rooms where supervisors can “pop in” to discuss (potential) issues with risk management and compliance staff.

One area which is “traditionally” the focus of attention when it comes to internal supervision is trading supervision. Here, the predominant electronical trading environment of the financial markets allows different approaches to remotely supervise trading staff. This allows financial institutions to remotely oversee trading, including reviews of affiliated, cross and aberrational trading. Nevertheless, the lack of “physical” supervision could lead to gaps which might result in behaviours accidentally or deliberately conflicting with policies and procedures. One area of specific concern in this context could be the supervision of the communication as e.g. the supervision regarding the use of unregistered communication devices is more difficult due to lack of “line of sight” supervision.

Another area of communication that needs closer scrutiny is the communication with clients. To allow a comprehensive monitoring of client communication, financial institutions should emphasise the necessity that its staff must use only firm-provided and approved communication systems and tools, such as firm e-mail, messaging platforms and (soft-) phones with recording capabilities. Ensuring that the institution’s personnel complies with these requirements is of particular importance as only when the communication runs through known channels are institutions able to apply technical supervisory techniques like e-mail review, key word surveillance or phone taping.

Business continuity

The first days of the lockdown were dominated by the need to shift swiftly from an on-premises setup to a remote working setup. During this period, not only the business continuity plans of financial institutions but also the resilience of the IT systems and technical infrastructure were put to the test. Given the size of the task, the transition of the financial sector was generally considered successful, although some follow-up work seems inevitable.

For example, regulatory guidance and business continuity plans have not generally reflected a pandemic scenario on such a global scale. Consequently, some of the measures included in the plans were not always suitable in the specific circumstances of the Covid-19 pandemic. To address this issue, the European Central Bank (“ECB”) requested the banks under the Single Supervisory Mechanism to assess the extent to which the plans included pandemic scenarios and how quickly measures foreseen under the pandemic scenario could be implemented. Going forward, the inclusion of a pandemic scenario is therefore likely to become a requirement in contingency plans.

AML & Financial Crime

With institutions focusing on the immediate actions and support measures required to continue business through the Covid-19 pandemic, regulators and criminal prosecution authorities have become concerned that this might expose gaps or weaken defences in the financial system where AML prevention and detection is concerned. One potential gap is the need to balance proper know your customer (“KYC”) and AML risk assessments with the need for swift access to funding, particularly for public support programmes. For example, for KYC requirements in the context of supporting government measures – which frequently were criticised as too slow – regulators communicated that flexibility within AML rules should be used. As an example, the German Federal Financial Supervisory Authority, BaFin, stated in its FAQs on supervisory and regulatory measures, that it will “not raise objections, if for the purpose of granting state-aided loans, institutions carry out identification procedures that are based on simplified client due diligence and if any risk of money laundering or terrorist financing is addressed by means of appropriate and ongoing client and transaction monitoring during the business relationship”. This flexibility, however, needs to be balanced with appropriate controls to ensure it does not lead to proper checks taking place.

Further, according to the Financial Action Task Force, FATF, the measures to contain Covid-19 also impact the criminal economy and change criminal behaviours so that profit-driven criminals may move to other forms of criminal conduct. For example, one of those specific Covid-19-related concerns relates to the misdirection of government funds or other financial assistance. Therefore, as new threats and vulnerabilities develop, the current risk management systems may not be able to recognise such “new” approaches.

As the fight against money laundering was already a top priority by regulators over the last two years, it can be assumed that this will remain an area of increased scrutiny in the future. It is included in the envisaged action plan for a comprehensive Union policy on preventing money laundering and terrorism financing by the European Commission, for example.

Operational capacities to deal with distressed debtors

In an economic environment where the number of distressed debtors is expected to rise, the performance of financial institutions will inter alia depend on how well they have set up their operational procedures. This also has a strong staffing aspect as, depending on the number of distressed debtors, the financial institutions might be required to reallocate their staff capacities to meet short demand in e.g. problem loan units. This shows how the Covid-19 pandemic forces institutions to reconsider existing procedures and the allocation of capacities not only to keep the business going but to meet the expectations of the competent regulators.

On 28 July 2020, the ECB published a letter to the managing directors of the significant institutions (“SIs”) under its supervision. It sets out operational expectations for institutions in dealing with distressed debtors in the context of Covid-19 so that SIs can support financially distressed companies while ensuring at the same time the quality of the banks' loan portfolios. The ECB identified three key measures as well as some specific operational elements to support the actions. 

First, SIs need to have effective risk management practices in place to enable them to efficiently and promptly provide sustainable solutions or support to financially troubled but generally viable businesses, while protecting banks from any negative impact on credit risk. Secondly, SIs should proactively identify and contact borrowers with potential payment difficulties so that potential cliff effects can be minimised prior to the expiration of measures granted in response to the pandemic. Thirdly, institutions should have a clear understanding of the risks to which they are exposed to allow them to develop a strategy ensuring that non-longstanding arrears are tackled promptly.

Against this background, the procedures already in place have to be adapted to the pandemic-specific risks. For example, the risk management function should use appropriate IT systems to identify borrowers whose financial position has been affected by the Covid-19 pandemic as well as those borrowers who have received various public and private support measures. The establishment of reporting lines to the management body, including an appropriate early warning system, should help the management to make critical strategic decisions on the basis of information which particularly reflect the extraordinary risk and the developments of the current situation. Further, by a granular portfolio segmentation, institutions can group borrowers with similar characteristics together to identify vulnerable sectors as well as establish a specialised risk management for the respective groups. In addition, SIs shall develop a comprehensive strategy which deals with the specific risks originating from the Covid-19 pandemic and considers short- and mid-term developments. Finally, the ECB considers early arrears management and borrower engagement as crucial to tackle the impact on the portfolio in general. Hence, SIs will have to allocate sufficient resources with appropriate expertise for borrower engagement and risk management.