While the pandemic has given us many personal and professional challenges and considerations, a broader question for compliance professionals is: How has the pandemic impacted my firm’s compliance program?
Many months ago firms transitioned to work from home mandates and implemented their Business Continuity Plans (“BCP”). Now that temporary work from home arrangements have extended past temporary, firms should be thinking about the longer term impact of the pandemic on their compliance programs.
If firms have not already reviewed their policies and procedures, they should. Written procedures are the crux of what regulators use to examine firms. So you want to ensure that you have updated your policies to accurately reflect how your firm is doing business.
During unprecedented events, such as the COVID-19 global pandemic, firms may deviate from standard policies and procedures. While these policy exceptions may be necessary and permissible during an actual crisis, firms still need to assess, monitor, re-assess and document all changes to existing policies and procedures.
5 questions for Compliance Professionals
1. Do you have a process in place to notify and engage with regulators, proactively?
Many regulatory bodies have encouraged firms to reach out to discuss changes to compliance programs, delays in meeting any regulatory requirements and any impact to their existing capabilities. Create a communication plan and designate a contact to facilitate seamless engagement with regulators.
2. Do you have a back-up plan for your BCP?
Firms should consider a back-up plan for their BCP. While no plan is fool-proof, firms should start considering what if their remote plan is interrupted. Should essential and critical staff be required to ensure they have a back-up power source such as a power pack or a generator? Create a back-up plan and be prepared to implement.
3. Do you need to enhance your vendor oversight?
Firms should be identifying their critical vendors and ensuring that those vendors have appropriate business continuity plans to continue to provide the contracted services, have appropriate cybersecurity mitigation strategies and prevention detection. It is a best practice to ensure you have obtained alternative contact information, such as cell phone or secondary email addresses for key relationship contacts, for all critical vendors. Create a plan to ensure there are no service disruptions from your critical vendors.
4. Have you documented any deviations from pre-pandemic policies and procedures?
Firms should remain vigilant regarding their compliance programs and ensure that they are appropriately documenting any temporary workarounds with a concise memo to file specifically addressing the pandemic related impact. Firms should be mindful of ensuring that their documentation clearly articulates the pandemic-related hardships and not unnecessarily fail to meet filing deadlines or other regulatory obligations solely because relief was provided. Create a memo to file to address the pandemic impact to your firm.
5. What is the impact of critical tasks that are now being performed remotely?
Firms need to consider and re-assess the impact of remote work arrangements present for their compliance programs. Increased use of personal devices, social media and alternative communication platforms, access to sensitive information and documents printed at remote locations, recordkeeping practices and supervision present enhanced risk to the firm. Create a plan to identify and review all critical tasks and assess remote work processing impact.
With the continued spread of COVID-19 and the threat of resurgence, firms should continue to monitor and evaluate the adequacy and effectiveness of their compliance programs and remain flexible in dealing with uncertainty and unforeseen consequences of the pandemic on their compliance programs.