The Compliance Officer’s Plan for Recovery in the Next Phase of COVID-19

June 11, 2020 by ACA Compliance Group

With the reopening phase of the COVID-19 pandemic underway, financial firms are grappling with whether they will return to the office or will continue to work remotely, as well as how those decisions will impact their staff. Perhaps now more than ever, compliance officers need to be strategic and agile in their approach to compliance management. To help you get started on the path to recovery as we enter the next phase of the pandemic, ACA’s team of experienced compliance and risk professionals have developed a checklist of key compliance and risk considerations to keep in mind.

Policies, Procedures, and Controls

  • Keep informed on the latest regulatory updates in all jurisdictions your firm is subject to
    Financial industry regulators in the U.S. and UK are continuing to encourage the buy side to protect investors and market integrity. Pandemics and other business disruptions do not change or alter the fiduciary standard to which investment advisers and broker-dealers are held.

    The U.S. Securities and Exchange Commission (SEC) continues to conduct exams and bring enforcement cases, and they expect firms to continue conducting robust trade and market surveillance. ACA has seen an increase in the number of examinations announced by the SEC’s Office of Compliance Inspections and Examinations (OCIE) staff since the early days of the pandemic and we do not expect any slowdown. These examinations are being conducted by teleconference or video interviews and include specific questions or document requests related to COVID-19 and firms’ business continuity plans (BCP), as well as third-party risks.

    The SEC also announced that June 30, 2020 will remain the compliance date for Reg BI, Form CRS, and other related regulations.

    To stay up to date, the SEC, Financial Industry Regulatory Authority (FINRA), Financial Conduct Authority (FCA), and the Federal Reserve are regularly updating information on their websites.
  • Tackle compliance tasks that were put on pause
    If you paused or delayed any compliance activities due to the pandemic and the move to remote working, now is a good time to get back on track. While regulators are sensitive to the impact on both individuals and businesses, the uptick in examinations indicates an expectation that firms should bring regulatory priorities back to the forefront.

    Review upcoming reporting deadlines and confirm that all filings have been submitted in an accurate and timely manner or are on track to be submitted to the relevant regulators, as required. Ensure you are prepared to meet any enhanced filing requirements and do not assume that any regulatory relief granted by the FCA or the SEC will last forever.
  • Continue to maintain comprehensive books and records
    The pandemic has not changed the regulatory requirements on maintaining records, whether in the U.S. or the UK. Regulators will want to understand the reasoning behind the choices your firm is making. Firms have had to rapidly upgrade and stress test their IT infrastructure to ensure records are kept secure while still being accessible. Remote working may have fast-tracked that process for some businesses. However, in an increasingly virtual world, it’s key that you ensure your business has secure data storage and back-up systems.

Operational Resilience

  • Review and adjust your business continuity plan (BCP)
    Potential future waves and spikes in COVID-19 cases into 2021 could lead to repeated shutdowns and business disruptions. While the FCA have always been clear that regulated firms must take all reasonable steps to have a BCP in place, ACA recently noted that the SEC have added a list of BCP and COVID-19-related questions to their exams to ensure businesses are prepared. Now is the time to update your BCP based on lessons learned from the first wave of the pandemic and to account for future disruptions. Download our BCP checklist.
  • Enhance cybersecurity and cyber resilience
    Regulators are concerned about and focused on a spike in cybersecurity attacks related to COVID-19, with the SEC, FCA, U.S. Department of Homeland Security, and other regulators issuing alerts and guidance on the need for operational resilience and heightened cyber risk management. Review your firm’s cybersecurity and technology risk assessment with your IT team or provider to ensure all critical items have been addressed. Provide online training for employees. Evaluate your firm’s information security measures, as information security risk may be heightened when working from home.
  • Tighten controls around vendor and third-party due diligence and oversight
    Investment managers should still perform regular due diligence of their key vendors and third parties. ACA recently noted that the SEC added a list of vendor and third-party risk management questions to their exams. The FCA expects firms to understand the risks that third parties may present.

    Revisit and refresh vendor diligence throughout 2020 and beyond. Some third parties may be operating at lower capacity because of COVID-19 – it’s important not to assume operating efficiency for those will stay the same. Do your vendors have key person resiliency plans in place? Can they continue to provide the same level of service if employees are sick or unable to work? Consider how due diligence might change when it is conducted remotely and what challenges off-site diligence exercises present. Plan ahead to ensure appropriate resource allocation, whether you need extra staff in-house, to redeploy existing staff to add responsibilities, or whether you need to rely more heavily on some third parties than before.

Testing and Monitoring

  • Complete compliance testing before year-end
    Compliance testing obligations and expectations are likely to grow given the unforeseen shift to virtual environments. Employees and compliance teams are no longer on the same trading floors, or even a walk down the hall. What information do they have access to, even inadvertently, because they are working in an unfamiliar location? Compliance testing should include new and novel risks specific to today’s working environment. Ensure necessary compliance testing is completed before year-end. Revisit your annual compliance program review results and internal risk assessments and incorporate these into the development of your 2020 testing plan.
  • Review marketing materials
    With the SEC’s proposed changes to its marketing and advertising rules, now is a perfect time to review your firm’s marketing materials to ensure they follow the current rules, as well as to assess any realignment of practices that might be necessary to comply with the proposed rules. Conduct reviews of websites, social media, and marketing materials to ensure all information continues to be accurate and accompanied by necessary disclosures. Make updates to your disclosure and privacy statements used in client communications and marketing. If you’re based in the UK and are communicating on COVID-19 specific performance, or indeed making more regular investor updates as a result of the pandemic, make sure these are still in compliance with the FCA guidelines too.
  • Validate investment performance
    Ensure your firm has documented policies and procedures and appropriate disclosures around construction criteria, assumptions, and calculation methodology of performance appearing in marketing materials, advertisements, and client correspondence. Conduct a review of books and records supporting your investment performance. Revisit calculation methodology of presented investment performance to ensure you are following industry best practices or the Global Investment Performance Standards (GIPS®). Consider increased risks – do investor relations or marketing professionals have the same access to performance systems they did previously? Do recent performance returns include accurate disclosures about any shifts in mandate or style drift?

Employee Oversight

  • Maintain a strong culture of compliance
    Remote and distributed workplaces are creating new employee-related risks for compliance and risk teams to address. To effectively tune your compliance program to the current environment, take an inventory of your risks and prioritize them so you are spending time on what is most critical. Make sure these risks are front and center with employees and make compliance easy and accessible to them. Senior management teams have a responsibility to ensure that a culture of compliance exists within a firm and should find innovative ways to maximize staff engagement while in lockdown. How often are you engaging with staff working remotely and how has that changed relative to historical practices? Does lack of engagement promote compliance distancing or an elevated risk of non-compliance?
  • Conduct staff compliance training
    With employees traveling less and everything changing so quickly, now may be the perfect time to re-visit employee training to ensure your team has the resources and most up-to-date information available to them. Virtual trainings using online conferencing platforms can be effective for crossing off this annual requirement. Additionally, take advantage of low-cost and free online training offerings that will help you keep on top of things with low effort on your end. To help firms through this process, ACA’s web-based insider trading awareness training course is currently free to use for a limited time. ACA also offers a range of other educational offerings, including web-based training courses, webcasts, and virtual training courses.
  • Review and adjust your surveillance and monitoring program
    Insider trading and market abuse continue to be focus areas for regulators in the U.S. and UK, particularly as it relates to how firms are monitoring their own trading, employee trading and conduct, e-comms, telephone conversations, and other surveillance practices. Review your firm’s surveillance of electronic communications, firm-wide trading, and employee personal trading and conduct. An increased volume of e-comms and personal trading requests during work from home and volatile markets, respectively, warrants a fresh look at existing surveillance programs. Raise awareness with employees through ACA’s free insider trading awareness training course.

Resources and Budget

  • Review your compliance budget and staffing resources
    Review your compliance budget for the rest of 2020 and evaluate any new resource constraints. Consider all resources needed to maintain current processes, implement new protocols, and increase efficiencies. Review your firm’s business plan for any changes to business lines, products, services, and headcount. Consider whether your firm will require additional resources to fulfill its 2020 regulatory obligations. Establish coverage plans for employees expected to take short-term or long-term leave (maternity, paternity, medical, travel, etc.). If needed, review options for secondment or outsourced tasks in their absence.
  • Increase efficiencies with regulatory technology and outsourcing
    Technology is one way to drive efficiencies and help close compliance gaps resulting from remote work. If you don’t have the capacity to implement new technology right now, consider what you already have and ensure you’re using it correctly and effectively. Manual processes or testing protocols take time that may not be available due to other current focus areas. Letting those obligations slip through the cracks can significantly increase compliance risk. Many of your testing obligations can be automated, allowing you to focus attention on the results, rather than the testing.

    Outsourcing is another way to stay on top of compliance tasks while freeing up your team’s bandwidth as well as your own time to focus on strategic matters. Tasks that are low priority or low value or one-time tasks that still need to get done are great opportunities for outsourcing. When considering whether outsourcing can help, start by reviewing current processes – what is inefficient, where is the bottleneck happening, what are the pain points? Is it possible to easily engage a third-party expert that can do the job quickly or even just provide guidance on how to do it better and more efficiently?


As we move into the next phase of the COVID-19 pandemic, firms should review lessons learned from the first phase, tackle any compliance tasks that were put on pause, and plan for potential ongoing business disruptions into 2021. With financial markets in turmoil, cyber-attacks on the rise, and employee misconduct risks increased by remote working, financial services regulators in the U.S. and UK expect financial firms to remain vigilant and proactive about protecting investors and market integrity. Compliance officers should review and adjust their firm’s compliance program to ensure compliance obligations are met by the end of the year while adhering to industry best practices.

How We Help

ACA provides a range of solutions designed to help financial services firms achieve operational resilience, meet regulatory obligations, adhere to industry best practices, and increase efficiencies. From outsourced managed services to regulatory technology, to cybersecurity and technology risk management and online training for employees, we can help your firm reduce the burden of day-to-day compliance management. To learn more about how we can assist your firm, please reach out to your ACA consultant or contact us here.

ACA’s COVID-19 Resources

ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address the risks and challenges created by this crisis.

For more peer insights into how firms are responding to risk and compliance challenges in the age of COVID-19, download our infographic containing polling results from previous ACA webcasts.
