As everybody knows, we are currently living and working in uncertain and somewhat surreal times. The impact of COVID-19 has already been far reaching, affecting all our lives and it is expected to be so for some time.
Working in a regulated environment is challenging enough at the best of times. These challenges are going to increase as we find our way through the current crisis and even with the best and most detailed business continuity plans, there will always be that something that was not thought of or recognised as potentially being an issue.
Using our experience of advising clients in the regulated sector, we have compiled below a number of pointers to assist in ensuring that compliance with the regulatory requirements can be met when business is subject to disruption and staff may be working from home’
- Identify the key roles and look to resource appropriately to ensure robust controls remain in place and appropriate levels of compliance can be maintained.
- Implement and test controls and protocols to ensure data security and confidentiality for staff who are working from home.
- Ensure that the compliance and risk functions are working closely with IT to identify any technology gaps, particularly where technology is facilitating working remotely
- Review all compliance and control procedures to ensure that control specifications and four-eyes reviews and sign offs are being maintained and that dual control can actually be evidenced, particularly if these are traditionally ‘on premises’ sign offs.
- Consider Board Meetings if individuals cannot travel. How will such meetings be facilitated and documented to ensure that mind and management is appropriately maintained?
- Consider key legal and regulatory expectations such as AML Training and CPD. Unfortunately, the situation we are in does not change the law and if the matter is prolonged for a significant period of time, which it may well be, then appropriate steps in this regard will need to be implemented.
- Ensure that risk management frameworks are updated to reflect the risks that the virus brings to your organisation. Remember, in particular, the Technology Risk Assessment required by the Code as you may start to use new technologies which will need to be incorporated into it.
- Plan for how compliance monitoring will be achieved so that the business keeps on top of any matters arising and identifies any breaches at an early stage
- Keep the Regulator informed of any significant changes to your business particularly if this involves staff generally working remotely. If you are going to close your offices for service of documents, it is critical that the Regulator and the Financial Intelligence Unit are aware.
- Undertake scenario or stress testing so that you can predict at an early stage the impact that the virus may have on the business’ ability to meet the financial resources and solvency requirements. Monitor this on a regular basis so as you can have an early conversation with the Regulator if you need to.
Summary
Despite what we are going through, the regulatory obligations on licence holders still apply. The regulators expect that licence holders will have implemented their own business continuity plans which should be proportionate to the requirements of the licence holder’s business.
It is recommended, however, that any licence holder who foresees any problems with maintaining their business continuity plan or indeed any aspect of their regulatory obligations that they proactively discuss this with the regulator. DQ are on hand to provide advice and guidance in all aspects of regulatory compliance so please get in touch if we can assist.
Michael D Nudd