Managing risk in times of crisis

In this briefing note, we take a closer look at the operational risk issues that financial institutions faced during the first months of the Covid-19 pandemic, particularly risk management, governance and anti-money laundering (“AML”). While the first weeks of the Covid-19 pandemic were dominated by the immediate operational challenges of dealing with the unprecedented situation of the world being sent home, the risk management and governance challenges continue to evolve with some employees returning to the office, others working from home and societies tackling further waves of COVID-19 infections.

Operational Risk

The stressed environment of the Covid-19 pandemic increased not only market and credit risks but also the operational risks of financial institutions. The Basel Framework defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This typically includes – according to the Basel Framework – legal risk but excludes strategic and reputational risk. It should not be forgotten, however, that in cases where operational risks materialise, institutions are typically also exposed to a reputational risk. The difficulty in assessing and managing operational risk lies in its almost purely “qualitative” nature and its diverse risk drivers, and the fact that operational risk represents to a high degree the “human factor” in the different kind of risks a financial institution faces, makes it a risk that can develop a strong dynamic.   

The impact of the Covid-19 pandemic on the “working environment” of financial institutions is almost a case study for how quickly the operational risk situation of an institution might change. Within days, financial institutions were forced to fundamentally change the way they conduct business by having to send most of their employees to work from home. Consequently, institutions were faced with a material shift in their operational risk situation that required and will further require decisive risk management and governance.

However, the risk management and control functions of financial institutions have themselves been faced with operational strains occasioned by the Covid-19 pandemic. This means that it is not just the operational risk of the business units that changes but also the way in which the business units can be supervised and monitored by the relevant control functions. The broad shift to remote working probably causes the most friction in the supervisory and risk management roles. Especially since supervisory personnel does not have the same oversight and interaction with supervised persons when both – supervised persons and the supervisor – work remotely.

Supervision of Personnel 

The supervision of staff as well as the monitoring capabilities of risk management and control functions in general are significantly impaired by remote working arrangements. Although the technical developments of the last years allow institutions to monitor their employees more closely, even if they work remotely, supervision as known from “on-premises” work is not possible. Financial institutions should therefore closely review and, where necessary, adapt their supervisory and compliance policies and procedures to the current remote working environment. Given the current development of the Covid-19 pandemic as well as the uncertainty of how the situation will evolve in Q1 and Q2 of 2021, these amendments should also reflect the mid-term working scenarios that the institutions expect for them.

Generally, the supervisory functions should test and assess whether their existing tools of supervision were sufficient and where they would need new tools and / or procedures. This goes hand in hand with additional support for supervisory roles by e.g. providing additional coaching to supervisors and staff, sharing regular updates on emerging issues and risks as well as providing them with virtual rooms where supervisors can “pop in” to discuss (potential) issues with risk management and compliance staff.

 

One area which is “traditionally” the focus of attention when it comes to internal supervision is trading supervision. Here, the predominant electronical trading environment of the financial markets allows different approaches to remotely supervise trading staff. This allows financial institutions to remotely oversee trading, including reviews of affiliated, cross and aberrational trading. Nevertheless, the lack of “physical” supervision could lead to gaps which might result in behaviours accidentally or deliberately conflicting with policies and procedures. One area of specific concern in this context could be the supervision of the communication as e.g. the supervision regarding the use of unregistered communication devices is more difficult due to lack of “line of sight” supervision.

Another area of communication that needs closer scrutiny is the communication with clients. To allow a comprehensive monitoring of client communication, financial institutions should emphasise the necessity that its staff must use only firm-provided and approved communication systems and tools, such as firm e-mail, messaging platforms and (soft-) phones with recording capabilities. Ensuring that the institution’s personnel complies with these requirements is of particular importance as only when the communication runs through known channels are institutions able to apply technical supervisory techniques like e-mail review, key word surveillance or phone taping.

Business Conduct

Another aspect that needs increased vigilance is the potential aggravation of financial conflicts of interest that could be caused by high volatility in the markets but also financial pressures, not only on the side of the clients but also on the side of the financial institutions, e.g. to compensate for lost revenue. This could lead to situations where some employees exploit the uncertainty in the financial markets when advising clients on transactions in financial instruments with the aim to generate “high-cost” business. Another way could be to utilise the urgent funding need of clients during the Covid-19 crisis to leverage their position in an inappropriate way which could have regulatory, legal and / or reputational consequences. An example of such crisis-related “problematic” behaviour of bank employees was reported by the UK’s regulator, the Financial Conduct Authority (“FCA”), in a “Dear CEO-Letter” dated 28 April 2020. In that letter, the FCA alleged that some lenders might utilise the current need of corporate clients for rescue financing or the immediate increase of credit facilities to secure more lucrative equity mandates for the future. The FCA considered such behaviour as conflicting with several regulatory requirements, e.g. to act in the best interests of the clients, preventing and managing conflicts of interest or even with the Market Abuse Regulation, if information would be shared between lending and underwriting units. In addition, such behaviour would pose a material reputational risk for a bank.

Antitrust compliance and inspections 

Ensuring antitrust compliance is another critical element for managing risk in the era of remote or hybrid working. Employees, under increased pressure to generate revenues, may be tempted to take greater risks in relation to antitrust compliance. With staff supervision impaired and work processes less transparent, it is inevitably more difficult to detect or prevent breaches of antitrust policy and procedures. With staff less visible to colleagues and management, whistle blowing / internal reporting of any breaches is also likely to decrease.  Therefore, firms need to ensure that compliance rules are still observed, and that staff receive regular training that is adapted to the realities of the new working environment. 

For competition authorities investigating potentially illegal conduct, the focus will shift from inspecting business premises to conducting “raids” remotely (for example, through issuing a statutory notice requiring companies to provide documents relevant to identified issues) or in some cases, inspecting private residences. Firms should set clear guidance around archiving of physical documents at home, as well as rules regarding the use of private equipment (tablet, smartphones), ephemeral messaging and third-party platforms for business purposes. 

Legal and logistical support should be ensured for personnel that are subject to a raid at their homes and ensure that communications with the firm, particularly with the IT department, is quick and efficient. Ideally, tailored guidance should be given to help staff deal with unannounced inspections which take place “off-site”. 

Institutions should also be prepared for “on-premises” inspections and make sure there is enough staff present to ensure cooperation with authorities.

Business continuity

The first days of the lockdown were dominated by the need to shift swiftly from an on-premises setup to a remote working setup. During this period, not only the business continuity plans of financial institutions but also the resilience of the IT systems and technical infrastructure were put to the test. Given the size of the task, the transition of the financial sector was generally considered successful, although some follow-up work seems inevitable.

 

For example, regulatory guidance and business continuity plans have not generally reflected a pandemic scenario on such a global scale. Consequently, some of the measures included in the plans were not always suitable in the specific circumstances of the Covid-19 pandemic. To address this issue, the European Central Bank (“ECB”) requested the banks under the Single Supervisory Mechanism to assess the extent to which the plans included pandemic scenarios and how quickly measures foreseen under the pandemic scenario could be implemented. Going forward, the inclusion of a pandemic scenario is therefore likely to become a requirement in contingency plans.

Cyber Security

Cyber-attacks on the IT infrastructure of banks and their employees working from home were one of the most significant external operational risks institutions faced during the first weeks of the Covid-19 pandemic. As an example, ransomware attacks are considered to have significantly increased over recent months with the financial sector being one of the top targets. The challenges for financial institutions in this context are exacerbated as many, if not most, employees work remotely which provides cyber criminals with more potential points of attack to access the banks’ IT systems. 
IT systems of financial institutions are primary targets of cyber criminals. Thus, the ongoing investment in a resilient IT infrastructure as well as the continuous improvement of the cyber security of institutions will remain a core focus from a risk management perspective. Training employees on cyber security risks in working-from-home situations will be another way to mitigate these risks in the future.

AML & Financial Crime

With institutions focusing on the immediate actions and support measures required to continue business through the Covid-19 pandemic, regulators and criminal prosecution authorities have become concerned that this might expose gaps or weaken defences in the financial system where AML prevention and detection is concerned. One potential gap is the need to balance proper know your customer (“KYC”) and AML risk assessments with the need for swift access to funding, particularly for public support programmes. For example, for KYC requirements in the context of supporting government measures – which frequently were criticised as too slow – regulators communicated that flexibility within AML rules should be used. As an example, the German Federal Financial Supervisory Authority, BaFin, stated in its FAQs on supervisory and regulatory measures, that it will “not raise objections, if for the purpose of granting state-aided loans, institutions carry out identification procedures that are based on simplified client due diligence and if any risk of money laundering or terrorist financing is addressed by means of appropriate and ongoing client and transaction monitoring during the business relationship”. This flexibility, however, needs to be balanced with appropriate controls to ensure it does not lead to proper checks taking place.

Further, according to the Financial Action Task Force, FATF, the measures to contain Covid-19 also impact the criminal economy and change criminal behaviours so that profit-driven criminals may move to other forms of criminal conduct. For example, one of those specific Covid-19-related concerns relates to the misdirection of government funds or other financial assistance. Therefore, as new threats and vulnerabilities develop, the current risk management systems may not be able to recognise such “new” approaches.

As the fight against money laundering was already a top priority by regulators over the last two years, it can be assumed that this will remain an area of increased scrutiny in the future. It is included in the envisaged action plan for a comprehensive Union policy on preventing money laundering and terrorism financing by the European Commission, for example.

Operational capacities to deal with distressed debtors

In an economic environment where the number of distressed debtors is expected to rise, the performance of financial institutions will inter alia depend on how well they have set up their operational procedures. This also has a strong staffing aspect as, depending on the number of distressed debtors, the financial institutions might be required to reallocate their staff capacities to meet short demand in e.g. problem loan units. This shows how the Covid-19 pandemic forces institutions to reconsider existing procedures and the allocation of capacities not only to keep the business going but to meet the expectations of the competent regulators.

On 28 July 2020, the ECB published a letter to the managing directors of the significant institutions (“SIs”) under its supervision. It sets out operational expectations for institutions in dealing with distressed debtors in the context of Covid-19 so that SIs can support financially distressed companies while ensuring at the same time the quality of the banks' loan portfolios. The ECB identified three key measures as well as some specific operational elements to support the actions. 

 

First, SIs need to have effective risk management practices in place to enable them to efficiently and promptly provide sustainable solutions or support to financially troubled but generally viable businesses, while protecting banks from any negative impact on credit risk. Secondly, SIs should proactively identify and contact borrowers with potential payment difficulties so that potential cliff effects can be minimised prior to the expiration of measures granted in response to the pandemic. Thirdly, institutions should have a clear understanding of the risks to which they are exposed to allow them to develop a strategy ensuring that non-longstanding arrears are tackled promptly.

Against this background, the procedures already in place have to be adapted to the pandemic-specific risks. For example, the risk management function should use appropriate IT systems to identify borrowers whose financial position has been affected by the Covid-19 pandemic as well as those borrowers who have received various public and private support measures. The establishment of reporting lines to the management body, including an appropriate early warning system, should help the management to make critical strategic decisions on the basis of information which particularly reflect the extraordinary risk and the developments of the current situation. Further, by a granular portfolio segmentation, institutions can group borrowers with similar characteristics together to identify vulnerable sectors as well as establish a specialised risk management for the respective groups. In addition, SIs shall develop a comprehensive strategy which deals with the specific risks originating from the Covid-19 pandemic and considers short- and mid-term developments. Finally, the ECB considers early arrears management and borrower engagement as crucial to tackle the impact on the portfolio in general. Hence, SIs will have to allocate sufficient resources with appropriate expertise for borrower engagement and risk management. 

Click here to read our full briefings
Read
x Covid-19 Resource Hub