COVID-19 and Compliance Risks for Financial InstitutionsFinancial institutions, like other businesses, are grappling with a number of challenges posed by the COVID-19 pandemic, including a dramatic market downturn, increased volatility, unprecedented levels of remote working, and other significant business disruptions. While addressing employee and business continuity concerns will be paramount, financial institutions should also remain vigilant about compliance. Financial pressures—whether resulting from a widespread crisis like the current pandemic or from more localized conditions at a particular institution—can lead to risky behaviors. And since the 2008 financial crisis, financial institutions have been subject to an unprecedented level of scrutiny from enforcement authorities globally. Compliance risks may be particularly heightened in the current environment, where (i) competitors may be more likely to be speaking to each other; (ii) markets are highly volatile and unpredictable; and (iii) surveillance and other compliance tools may be less effective due to these conditions. Financial institutions should be alert to the risks and take steps to mitigate them.
The increased scrutiny by enforcement authorities—together with economic and market conditions that may increase the risk of misconduct, and logistical difficulties that may make compliance more challenging—create a number of risks for financial institutions, including the following:
Market manipulation: Traders at financial institutions faced with steep losses resulting from the market downturn and volatility may feel pressure to resort to manipulation to generate returns. Such manipulation has been a focus of enforcement authorities in recent years, and they have developed sophisticated tools for analyzing data and identifying potential misconduct. Enforcement authorities have expressed their expectation that financial institutions, as part of their compliance programs, will similarly collect and analyze their own data. Traditional market surveillance tools, however, may be less effective when markets are particularly volatile or illiquid, potentially allowing misconduct to go undetected. The challenge is heightened as surveillance teams may not be operating at full force.
Mis-marking books: Traders might also make efforts to overstate performance or conceal losses, even for internal purposes. During the 2008 financial crisis, for example, a London-based trader at a global financial institution tried to offset hundreds of millions of dollars in losses by taking on increasingly risky positions in turbulent conditions. Rather than disclose the extent of the losses, the trader mis-marked positions on his trading book, overvaluing his positions, and it ultimately cost the bank nearly a half billion dollars to unwind the trades. Where market conditions are so extreme, this kind of misconduct can become more difficult to identify, increasing the need for vigilance.
Front-running: Similarly, bank employees may experience pressure to trade ahead of customer or counterparty orders, either on behalf of the bank to enhance the profitability of their books or on their own behalf to ease personal financial pressures. Both criminal and civil enforcement authorities have focused on such conduct in recent years, with the Commodity Futures Trading Commission establishing a task force in late 2018 charged with investigating insider trading and other misappropriation of confidential information.
Insider trading: In connection with public financial reports that are either better or worse than anticipated, employees stressed by falling markets may be tempted to trade on inside information before it is made public. The Co-Directors of Enforcement at the Securities and Exchange Commission (SEC) recently emphasized the importance of maintaining market integrity during the current crisis. In doing so, they noted that nonpublic information may hold greater value now than in normal circumstances, particularly if earnings reports or other disclosure filings are delayed due to the coronavirus. They further stated that the SEC is committing substantial resources to protect investors during the crisis, and specifically identified risk involving broker-dealers, investment advisers, and outside professionals with access to public companies’ confidential information.
Disclosure: As the coronavirus crisis unfolds, employees at financial institutions may be tempted to downplay the risks of financial products or portfolios to investors, assuring investors that their investments are more secure than they actually are. Following the 2008 financial crisis, the SEC determined that the risk of certain financial products was not adequately disclosed, and the SEC will likely be sensitive to inadequate disclosure practices during the current pandemic. Special care should be taken to ensure that investment risks are fairly and accurately disclosed. Moreover, disclosures to investors, creditors, and counterparties that downplay actual or potential problems at a financial institution itself could result in allegations of fraud or violations of disclosure or accounting obligations.
AML, corruption, and sanctions: Business disruptions arising from the coronavirus, including remote working and staffing shortages, could impact a financial institution’s ability to conduct anti-money laundering, anti-corruption, and sanctions screening and file reports as required. Bank employees may also feel heightened pressure to onboard new business partners or customers without following appropriate diligence and KYC procedures. The Financial Crimes Enforcement Network (FinCEN) has urged any financial institutions that are concerned about their ability to file timely reports to contact it. At the same time, FinCEN has advised financial institutions to remain alert for schemes that seek to profit from the current crisis, noting a number of emerging trends, including bad actors who pose as government officials to solicit donations, steal personal information, or distribute malware; investment scams involving false claims that products or services can prevent, detect, or cure the coronavirus; the sale of misbranded products that make unfounded health claims; and insider trading.
Cyber and information security: With more employees working remotely than ever before, financial institutions face increased cyber and information security risks. In this new environment, employees may use personal devices that lack the same protections and monitoring capabilities as work devices, and they may be tempted to use online collaboration tools that do not meet security standards. Similar risks exist with respect to hard copies of documents that contain confidential or other sensitive information, given that many employees do not have shredders or other secure means of destroying such copies when they are no longer necessary to retain. Taking steps to ensure that employees maintain sound cyber and information security practices at home is essential.
Antitrust: Antitrust laws remain in full effect. While discussions with competitors about COVID-19’s effects on the financial industry or on the economy are generally permissible, competitively sensitive information—such as current or future prices, salaries or HR benefits, commercial terms, or innovations and other strategies—must not be disclosed to competitors. Interactions with competitors regarding COVID-19 pandemic implications should remain subject to legal oversight and stay within established guardrails.
To mitigate the risk of misconduct in the current environment and the possibility of investigations and related civil litigation down the road, financial institutions should keep compliance risk in focus:
- Executives and managers at all levels should emphasize that the institution’s commitment to compliance remains strong and has not been overtaken by business pressures, ensuring that the right “tone from the top” is effectively communicated throughout the organization.
- Compliance and legal personnel should identify for employees the risks arising from the current crisis and provide reminders of best practices and existing compliance policies. Such communications should target gatekeepers and employees who pose the greatest risk for each type of misconduct.
- Financial institutions should ensure that critical compliance teams can function effectively in the new remote working environment. Relatedly, institutions should ensure that they have identified and prioritized risks arising from the current crisis, including by updating guidance as necessary.
Additionally, financial institutions should take steps to ensure employees follow cyber and information security best practices while working from home, and stay in close touch with FinCEN and other authorities regarding their ability to meet their anti-money laundering obligations. By taking steps to mitigate compliance risks now, financial institutions can help ensure that the disruption caused by the coronavirus itself is not exacerbated by investigations or civil litigation once the current crisis has passed.