Whitepaper
RegTech TradingTech
Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
commissioned by
@ATeamInsight Search A-Team Insight
www.a-teaminsight.com
2 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
INTRODUCTION The COVID-19 pandemic is creating perhaps the greatest global challenge of a lifetime, with ramifications far beyond the obvious health impact. Business is being hit across the board. Personnel are being relocated - to secondary sites and to their homes - in an effort to keep them both safe and working. Amid all the uncertainty the coronavirus brings, one thing is clear: Firms can’t merely rely on a small number of key workers to keep things going. This is about the whole business. And unlike other recent disruptive situations, this one is global and it’s likely not to be a short-term event. For those charged with running trading and investment operations that rely on a fully integrated and imbedded IT architecture, the coronavirus poses a unique set of challenges, as staff are expected to deal with sustained high market volumes, ongoing market volatility and a continuing rigorous stance from the regulators. The robustness of a firm’s business contingency planning (BCP) processes will be key to the survival and success of the business in these circumstances. Firms are finding that it’s no longer feasible to switch resources and services to a single and well-prepared disaster recovery (DR) site. As teams get dispersed, a distributed working model has evolved requiring staff to adapt to working in unfamiliar and often ill-equipped locations - most likely their own home. Working from home represents, in many cases, the only solution to maintaining service to clients and continuing as a business. But regulators have made it clear they expect high levels of compliance to existing transparency and reporting rules, despite the obvious challenges.
THE REGULATORY SITUATION The FCA, PRA and ICO have stated that they expect firms to be able to continue to service their customers and that robust procedures/controls must still be in place. There is some allowance to permit delays, but not for breaches. The FCA has said: “As firms are moving to alternative sites and working from home arrangements, they must consider the broader control environment in these new circumstances … this could include enhanced monitoring, or retrospective review once the situation has been resolved. Firms should continue to record calls, but we accept that some scenarios may emerge where this is not possible. We will continue to monitor for market abuse and, if necessary, take action”. They expect firms to have mitigation plans in place to take all reasonable steps to ensure their regulatory obligations are met, including transaction reporting,
RegTech TradingTech www.a-teaminsight.com
3 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
financial reporting, compliance, risk monitoring, and so on. It’s worth noting that the FCA expects firms experiencing difficulties in submitting their regulatory reports to maintain appropriate records during this period and submit them as soon as possible. To meet client and regulatory demands, financial services operations teams need to ensure staff working from home are as well prepared and equipped as possible, and have in place the safeguards and security they need to continue to function in a performant and - critically - compliant way. Even in instances where markets have eased their requirements due to the circumstances - ICE Futures, for instance, has waived its requirements for voice recording and time-stamping in the expectation that the CFTC will relax its rules in this area - this is likely to be a temporary position, and firms need to plan for a return to usual levels of rigour.
KEY QUESTIONS FOR HOME-WORKERS As firms increasingly rely on home-based personnel to sustain operations, key questions need to be asked - and answered: •
Have BCP ‘work from home’ processes been fully tested? Firms may have tested for key workers, but it’s unlikely they’ve experienced large numbers of employees working remotely.
•
Do the chosen communications media scale to accommodate large numbers of employees on simultaneous sessions? And if not, how can the firm keep staff connected and on the same page?
•
Does the firm have the right organisational and governance structures in place to properly manage fragmented teams? Many firms are dedicating their well-equipped BCP facilities to functions that most need them. In many cases, this means trading teams and their immediate support staff, leaving data, operations and compliance teams to work from home. But some are still rotating staff between sites. Are they set up to shift between sites as required?
•
Are homeworkers equipped to continue working outside the office? Do they have laptops and are they full up to date and secure? If required, are they set up to record and store their conversations?
•
What provisions have been made for third-party services? This is particularly important for staff using software applications or financial information services. Do current licenses cover working from home or will it incur additional costs?
RegTech TradingTech www.a-teaminsight.com
4 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
THE INDUSTRY RESPONSE: KEY CONSIDERATIONS As they plan their response to the ongoing health emergency, operations staff at financial institutions need to take into account a number of key areas of focus. These range from the way their businesses are organised, through governance processes, policy and controls, communication, contractual obligations and data security. By methodically addressing each of these areas of concern, firms can optimise their response and ensure their home working teams operate to their maximum potential both safely and compliantly. Organisation & Governance: Governance is key to managing any disaster situation – and the coronavirus certainly qualifies. It’s critical to assign and broadly disseminate ownership of the firm’s response to COVID-19. The board has to be central to this, but one person should have the overarching responsibility for the COVID-19 response to ensure its success. However, it’s essential that firms don’t lose sight of their responsibilities under Senior Managers Certification Regime (SMCR) rules during this time. For most firms, the first step in their approach to COVID-19 is to assemble a Rapid Response team, led by a member of senior management and encompassing all disciplines across the business: IT, Compliance, Legal, HR, Trading, Support, Operations, and so on. For speed of response, implementation and attaining success, this team should to function outside of the normal reporting lines. The team should operate under ‘constructive challenge’ rules in order to make best use of members’ abilities. Too often in emergency situations, bad decisions may be railroaded through because ‘we do not have time to discuss this’. The team needs to take into account the bigger picture. The team should adopt a two-stage operating model: Phase 1: Emergency Response - To get processes working to enable the initial BCP to work, relocating staff to DR sites, home working and so on, the team needs to: •
Identify human resources needed to work at home and those staying on site
•
Ensure resources available to support staff, both physical (laptops, phones) and virtual (email, video, IT system access).
•
Ensure governance backup is in place if any of the core team fall ill.
Phase 2: Continuity - To deal with the anticipated long-term nature of COVID-19 and its evolving challenges, the team will need to be in place for months, before business can return to normal. During this period, it needs to:
RegTech TradingTech www.a-teaminsight.com
5 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
•
Communicate both upwards to the Board and downwards across the business.
•
Address the issues, requirements and risks faced by the firm, and issue responses to maintain a stable operating environment during the medium to longer term (3, 6 or 12 months).
•
Monitor the situation and receive intelligence from ground level to assess the effectiveness of ongoing responses and implementations.
The Rapid Response team needs to meet frequently to assess and evaluate the changing situation. Elsewhere, the firm’s response needs to include other key elements: Policy & Control: Firms need to look beyond the BCP policy to adapting all functional areas to the new reality. This is a paradigm shift for most firms, whose operating models and policy, process and controls are structured around an officebased environment. Identifying the key task, roles and controls, along with how to transfer them to a new remote working model, is essential. Again, this probably needs to be phased as no-one wants to spend months re-writing policy, but key changes and areas need to be documented to ensure they can be communicated, consistent and monitored. Communication: This may seem obvious but it’s often overlooked. Key considerations include: •
BCP/DR: Ensure staff are fully aware of what to do, and what to expect, under the firm’s BCP process. Avoid gossip and misinformation. Establish a regular communications process/medium that is accessible to all. Keep clients fully aware of what is happening and what changes they may expect. For example, if normal office contact numbers are no longer usable, clients should be given access to mobile numbers where appropriate. Meanwhile, keep third-party service and technology providers fully informed, and ensure they reciprocate.
•
Contact Lists: Are they up to date for all staff? Do you have emergency BCP contact numbers for third parties, in particular key external contacts? Suppliers will be going through the same exercise, so their usual numbers may not work. And, as always, it’s important that sharing the list does not breach any GDPR requirements.
•
Regular Updates: Ensure that there are regular meetings, updates and coordination from the response team and that there is a robust governance structure in place.
•
Secure Communications: A significant element in any firm’s communications will involve the movement of confidential information, whether it’s instructions/orders from clients or to service providers, personal client data, or even information about staff. It’s imperative that these communications remain secure, whether delivered via email encryption systems like Galaxkey, or market messaging systems like Bloomberg, Refinitiv or Symphony.
RegTech TradingTech www.a-teaminsight.com
6 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
At the same time, some of these communications - for example those involving trade orders - need to be recorded and retained to meet regulatory requirements, and in a format that is easy to use. To address this issue, managers need to consider what needs to be communicated via a secure and/or recorded medium and what can be left to more ‘relaxed’ channels like regular email or even social media. It is very easy for lines to become blurred in this new crisis situation, as everyone just ‘wants to make it work’. As a start, it’s useful to organise types of message around three categories: 1. Fully controlled, monitorable: firm’s internal email network, secure email/ workspaces (like Galaxkey), third-party messaging platforms (Bloomberg, Refinitiv, Symphony), recorded phone lines. 2. Other internal company systems: these include platforms that may be more difficult to monitor, including Microsoft Teams, Zoom, and so on. 3. Social Media / Unmonitorable: WhatsApp, SMS texts, unrecorded mobiles/cells, social media, etc. Contractual & Legal Obligations: These need to be reviewed both from a client and a service provider / vendor perspective. First, it’s important to understand whether clauses in the firm’s contracts allow for service disruption or changes due to COVID-19: Does the contract define the consequences of a force majeure, and does COVID-19 fall into that? Services must be maintained – as required by the FCA – and any failing in this would be seen as a breach of contract. During this period, it’s important to engage with clients to keep them apprised of any potential changes to services. On the supply side, it’s essential to communicate with technology and data vendors to understand their ability to support their own and their customers’ remote workers. Here, it’s important to know whether vendor contracts are regional or global, since different service levels or terms may apply. Finally, consider dispute resolution. In difficult times, clients may not be so sympathetic to service lapses. There may be differences of opinions, on performance, responsibilities, payment schedules. Are the firm’s systems and controls robust enough to demonstrate fulfilment of contractual obligations? Data Security: This is a significant consideration in terms of risk, with so many people working remotely. The situation creates the potential for a huge data security issue that cybercriminals will look to exploit. Regulators in the UK and US have already highlighted the perceived increase in cyber risk, as phishing and other types of attack mushroom. Security can be compromised in the current situation by staff ‘wanting to be helpful’, changes to work protocols/routines and sometimes remote PCs not matching the normal firm security standards. RegTech TradingTech www.a-teaminsight.com
7 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
The Dos and Don’ts of Data Security This is primarily about ensuring the firm’s security standards, including Info Security are still maintained. Again it is about delivering this out across the firm. Do •
Be patient; IT can’t fix the world in a day. This is about long-term security and robust operational models, rather than a short-term knee-jerk reactions.
•
Use a VPN to connect remote workers to enterprise networks and servers.
•
Use 2FA or MFA mechanisms for remote logging into the company network.
•
Implement robust password management for laptop access.
•
Use the malware / virus detection / mail protection software on all remote machines, to the firm’s normal standards; install it even if staff plan to use home equipment.
•
Ensure all devices used at home use full disk encryption (e.g. BitLocker on Windows 10 Pro).
•
Log out or lock the system when it is not in use, even at home. Screensavers must also require a password.
•
Remind staff that a laptop used at home is still company property and should only be used by authorised personnel for company business.
•
Know where to report a data incident. What happens if there is a hack, data breach, etc?
•
Saving company data only on the company network where possible. Avoid lots of local downloads, so data remains secure and avoids version clashes.
•
Restrict printing of sensitive corporate materials unless the reason to do so outweighs the risk.
•
Secure disposal of confidential waste from the home.
•
Remind staff - Not to click on phishing emails, download unknown links, make urgent payments at the request of managers without checking.
Don’t •
Allow staff to work on company laptops in a public place, using public networks (like Starbucks).
•
Rely on social media platforms for secure communications.
•
Allow staff to use their own laptops/mobile devices unless already passed IT security checks.
•
Leave laptops, confidential printouts or other proprietary materials unattended in public places.
•
Insecurely dispose of sensitive and confidential printouts or other hardcopy material.
•
Allow non-authorised persons to access company systems. RegTech TradingTech
www.a-teaminsight.com
8 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
HUMAN RESOURCES It’s important not to lose sight of the fact that the primary purpose of current measures is to protect staff, their families, colleagues in other organisations, and society at a whole. As such, what’s required to keep the business running needs to be considered in light of the ongoing health and safety considerations. Essential Staff Remaining On-Site: For many firms, it will be necessary for some essential staff to remain on-site. Key considerations for these workers include: •
Ensure segregation. Do not allow staff to wander around the building. Contain them to only the areas of their business – trading floor, risk management, compliance. Where the firm operates from multiple buildings or locations, staff need to be segregated. They should not, for example, occupy common canteen or coffee areas.
•
Consider splitting staff across their current business location, the DR site and home, in case one goes down with an infection.
•
Consider a rotational shift, where staff are only in the office, say, two days a week.
•
Transport restrictions will only increase. Consider the risk of their not being able to travel as easily as they can currently.
Health: Longer term health and safety issues about working from home will be the same things we have in the office. Working through a laptop on your lap is never good posture. You do not want to build up future lawsuits. Boring but to be considered. A Checklist for Keeping Home Workers Working •
Where calls/communications need to be recorded for regulatory requirements (for example, trading and asset management execution functions, support staff, compliance, and so on).
•
Check supply chains for changed service levels and delays,
•
Assess hardware / software requirements in the next period (for example, ordering any laptops for home working.)
•
Allow enough time to locate, configure and distribute any new or spare laptops, or other equipment.
•
There is a higher risk of unauthorised access and data leakage when accessing corporate networks remotely.
•
Remember that employees may engage in behaviour they would never entertain at the office, such as sharing a device with other family members or using the same device for both personal and work activities.
•
Home ISPs and public Wi-Fi services present an attack surface that is outside of your IT or security team’s control.
•
Home bandwidth caps from Internet providers for home workers – employees could get cut off. Do you need to upgrade their Internet packages?
•
Corporate networks straining with increased access from VPNs.
RegTech TradingTech www.a-teaminsight.com
9 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
CONCLUSION Now is not necessarily the time to test and run full training programmes on BCP processes. That train has left the platform. Rather, firms need to deploy and enhance those processes. Agility is key. Firms need to be constantly monitoring the situation and reacting accordingly. If you need help to get the best out of your BCP and continuous operational deployment, do it now rather than struggle. Clients will be judging you on your performance, so make the best of a bad situation. If resource or specialist expertise is an issue, then look externally. At 3 Lines of Defence Consulting, we are able to parachute experienced resources in to help establish a concrete response, highlight shortfalls and advise on best practice. In short look to a qualified Emergency Response team. Above all stay vigilant and be prepared to react to an ever-changing scenario.
ABOUT 3 LINES OF DEFENCE CONSULTING 3 Lines of Defence Consulting Ltd (3LDC) is focussed on providing consultancy services to our financial sector, professional service firms and corporate clients. 3LDC works in multiple disciplines with a strong focus around Governance, Regulation, Risk, Operations and Information Security. Current engagements are focused on governance (including SMCR), conduct risk, financial crime prevention, operational resilience, information security and ESG. The success of our strategy has been to deliver a range of options from our team of senior industry practitioners, who have held a blend of C-Suite and Board level roles. Their breadth experience enables the 3LDC Team to provide holistic guidance with business insight, as they have been in the clients’ shoes and walked that mile (or km). Although UK based, 3LDC’s clients are across the globe including Europe, USA and Asia. Clients are drawn to us from across the financial sector and include investment banks, brokers, asset managers and law firms. For more information, contact: Telephone: Email: Website:
+44 (0)20 7129 1270 info@3ldc.com www.3ldc.com
RegTech TradingTech www.a-teaminsight.com
10 | Financial Markets Operations Response to COVID-19: Best Practices for Working from Home
ABOUT A-TEAM GROUP A-Team Group helps financial technology vendors and consultants – large and small – to grow their businesses with content marketing. We leverage our deep industry knowledge, ability to generate high quality media across digital, print and live platforms, and our industry-leading database of contacts to deliver results for our clients. For more information visit www.a-teamgroup.com A-Team Group’s content platform is A-Team Insight, encompassing our RegTech Insight, Data Management Insight and TradingTech Insight channels.
A-Team Insight is your single destination for in-depth knowledge and resources across all aspects of regulation, enterprise data management and trading technology in financial markets. It brings together our expertise across our wellestablished brands, it includes: RegTech Insight focuses on how data, technology and processes at financial institutions are impacted by regulations. www.regtechinsight.com Data Management Insight delivers insight into how financial institutions are working to best manage data quality across the enterprise. www.datamanagementinsight.com TradingTech Insight keeps you up to speed with the dynamic world of front office trading technology and market data. www.tradingtechinsight.com You can tailor your experience by filtering our content based on the topics you are specifically interested in, across our range of blogs with expert opinions from our editors, in-depth white papers, supplements and handbooks, and interactive webinars, and you can join us in person at our range of A-Team Summits and briefings. Visit www.a-teaminsight.com Become an A-Team Insight member – it’s free! Visit: www.a-teaminsight.com/membership.
RegTech TradingTech www.a-teaminsight.com