Law360 (May 23, 2020, 11:41 AM EDT) --
For the financial services industry, the road map for a return to "normal" following the COVID-19 pandemic is no different. When the U.K. government announced its lockdown and social distancing measures on March 23, firms acted swiftly to move business operations to a virtual environment, without any real sense of what was to come.
Now that, on May 11, the U.K. government has released its road map for easing restrictions, we set out in four rules of the road what this means for financial services businesses and their workforces.
Rule 1 — Don't forget it's a long, winding road.
Getting staff back to work will not simply mean flicking a switch and going back to the way things were before the lockdown. The business, social, economic, regulatory and most importantly health and safety environment has completely changed since we were last there. It will be a long time before we return to a semblance of pre-COVID-19 normality.
While the transition to remote working was a relatively short one for most firms, which rightly focussed on retaining the ability to operate as efficiently as possible and minimizing upheaval, the transition back into the workplace is likely to be more drawn out and involve an increased focus on the control environment, operational resilience, and health and safety.
How well firms deal with getting back to work could have long-term financial and reputational consequences. Getting it wrong could adversely impact relationships with customers and clients, staff, service providers and regulators.
Rule 2 – Expect the regulators along for the ride.
At the time of writing, there are no specific statements from the regulators regarding the back-to-work phase, but the main regulatory themes from the pandemic to date — fairness to clients, integrity of markets, and operational and financial resilience — are likely to remain key to the regulatory approach. In particular:
- Firms will still need to have regard to the impact that the pandemic has had and will continue to have on clients (particularly small businesses and retail) and ensure that they embed a sensitized approach to clients in their business practices going forward. This should reflect the slew of new and revised guidance provided by the regulators and firms' own experience in dealing with client concerns during the crisis. Regulators will be particularly alert for signs of poor behavior in the treatment of consumers and small businesses.
- Senior managers should consider whether the back-to-work plan is reasonable having regard to regulatory and operational requirements applicable to their area of responsibility and the safety, welfare and ongoing training needs of employees. They should ensure any concerns are addressed as soon as possible.
- Firms will need to consider the Financial Conduct Authority's guidance on operational resilience, including the recent guidance on financial crime and cyber risks, and reflect the required standards in their back-to-work plans.
- Firms will need to take account of any factors that could give rise to conflicts of interest, increased risk of market abuse and other compliance challenges.
- Firms will need to ensure that they keep frontline staff fully up to date with plans, and provide them with appropriate resources and training.
Regulators are likely to take a keen interest in firms' approach to post-COVID-19 planning as part of their supervisory activities, both in terms of firm and individual accountability. A clear, comprehensive and coherent plan will assist in defending any future challenges from regulators, clients and employees.
Rule 3 – Plan your route in advance.
The route to a successful return will depend on the specific circumstances of each firm: the nature of their physical business premises, workforce, systems, clients, products and services. In planning for the transition, firms will need to consider the following:
Governance and Ongoing Reviews
Firms should establish an appropriate governance structure covering oversight of the plan and implementation, including the provision of management information. Key decision makers in the firm and other senior managers who have been allocated responsibility for COVID-19 matters should be included to ensure continuity of approach and effective decision-making.
Firms should consider whether an independent review of the plan's implementation, for instance by internal audit, is required and the basis for ongoing assessment to ensure continued relevance of the plan in a changing environment.
Timing and Phasing
Most firms will need to implement a phased and/or flexible approach in order to provide an orderly and safe return to work. However, this entails risk:
- Discrimination claims could arise as a result of the firm's treatment of employees considered "vulnerable" due to age or underlying health conditions, or potentially younger employees if required among the first wave back into the workplace. Changes to employment terms required to facilitate a return to work — such as a change in working hours or staff being brought out of furlough — could also give rise to claims. Decision-making will need to be handled sensitively and firms will need to ensure that they can provide a safe environment for all employees from day one.
- Regulatory risk could increase from the creation of "micro cultures" where frontline staff return without appropriate supervision, or where there is inadequate on-site compliance or legal support during the transition period.
- Additional operational risks to service provision and protection of data during the transition period will need to be addressed where employees are working in multiple locations or switching between on-site and remote working, or while on-site operational capabilities are not back to full capacity.
Protective Measures in the Workplace
Health and safety will be top of the agenda. Firms will need to adopt additional safe working practices to protect staff and visitors, and at the same time balance potential employment and data protection implications (for example, from changing employment terms or as a result of the collection of health data). Requiring employees to return to work and permitting visitors on-site inevitably increases the risk of liability should employees or visitors subsequently contract COVID-19.
As part of the back-to-work planning at a national level, the government has now issued specific guidance for different types of workplaces, including offices. All employers with five or more employees need to prepare a written risk assessment and employers with over 50 employees are expected to publish this on their website.
Measures to ensure social distancing is maintained wherever possible include staggered shift and break times to avoid bottlenecks; regulating use of high traffic areas; use of floor tape and one-way entry and exit points; and an avoidance of hot-desking arrangements.
Where social distancing cannot be followed, businesses should consider whether the activity is required for the business to operate and, if so, take action to mitigate against the risk of transmission, such as using physical screens to separate people with back-to-back or side-to-side working (rather than face-to-face) and "fixed teams" to reduce contact between employees.
Other areas firms will need to consider as part of their planning process include:
- What equipment (face masks, gloves and hand sanitizer) to provide to employees — for use in the office and also for the journey to and from work — and when delivery can be made;
- How to reconfigure office space to maintain appropriate social distancing;
- Implementing any health questionnaires and screening, testing or tracing of staff required as part of new safety measures; and
- Ensuring that personal data, specifically health data, collected is not excessive and is appropriately secured and controlled.
Changes to Client Service and Support Levels
While the concept of treating customers fairly has long been enshrined in U.K. regulation, the pandemic has given rise to a renewed and extended regulatory focus on this.
In response to the challenges faced by customers as a result of COVID-19, the FCA has already made a series of interventions to protect consumers, including the temporary adoption of guidance or disapplication of regulatory requirements as required. This approach is reinforced in the FCA's business priorities for 2020/2021, which include, for the duration of the pandemic:
- Protection of the most vulnerable — ensuring that they can get the financial services and help they need; and
- Ensuring fair treatment for consumers and small businesses — ensuring firms give strong and support to customers, recognizing the challenges that everyone is facing.
It is clear from the FCA's approach, that it expects firms to step up their efforts and take into account clients' specific circumstances during this period. As part of their back-to-work plans firms will need to assess whether enhancements made to date are appropriate and sufficiently embedded in their business processes and take steps to close any gaps (for example, by ensuring changes have been reflected in revised policies).
Changes Required to the BAU Operating Environment
Following its statement in March regarding operational resilience during the pandemic and its expectations for firms, the FCA recently provided more nuanced guidance on cyber resilience and financial crime systems and controls.
The back-to-work plan should encompass any changes required to ensure continued operational resilience, including in relation to data and cyber security and monitoring systems, on a return to the office:
- Are changes to systems and procedures required to ensure information is appropriately secured at all stages during the phased process of return?
- Will additional information security measures be required when employees change to work in multiple locations or different locations?
- Are there any risks to the continuity of monitoring during and after the transition period?
Communication with Stakeholders
Firms should consider how, what and when to communicate with clients, staff, service providers and regulators in respect of their back-to-work plans, having regard to their regulatory and other duties to these stakeholders and the impact that the plan will have on their relationships.
Training and Support on New Systems and Procedures
Back-to-work plans should identify training needs, for example in relation to new health and safety procedures, revised regulatory requirements (for instance, regarding the fair treatment of customers) and data protection and cybersecurity risks, and set out how and when training will be provided.
Rule 4 – Keep your eyes on the road.
As with any situation where circumstances are changing rapidly, firms should keep their plans under constant review, and ensure that the governance process is sufficiently agile to enable the firm to respond quickly in real time to developing scenarios.
Firms should also consider high level contingency planning for a range of scenarios (for example, a reimposition of lockdown measures), and ensure they build in flexibility to deal with further prolonged periods of remote working for large parts of the workforce, continued financial volatility, or the imposition of further restrictions on movement or resources.
More generally, firms should also consider integrating the lessons learned from their COVID-19 response into their broader contingency plans while those lessons are still fresh in the minds.
COVID-19 will have an impact for an extended period and firms should not expect the new business environment to be stable for the near term. And as with any journey, there are likely to be bumps in the road that will need to be navigated. While the regulators are likely to be sympathetic to any firm (and senior manager) that has made a genuine attempt to put in place a viable road map, they may well be less forgiving if there has been an obvious failure to take into account the complexities of the firm's business, to update the road map regularly, or to consider adequately the impact of those road maps on customers.
The message is clear: The journey back to whatever the new "normal" looks like is only just beginning, and — rather like the map-reading motorist — firms should be ready to adjust their route in real time as conditions become clearer.
Kim Roberts is counsel, and Penny Froggatt and Marie Hoolihan are associates, at King & Spalding LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
For a reprint of this article, please contact firstname.lastname@example.org.