Protecting your Compliance during COVID-19

Organisations in regulated industries need to follow regulatory requirements and honour their commitments, despite the impact of COVID-19

The dynamic nature of the spread of COVID-19 and the uncertain developments ahead of us are creating difficulties for all of us. Along with its effects on people, the coronavirus is rapidly disrupting business and consumer activity in all kinds of areas.

The Compliance function is an important gatekeeper in protecting the reputation, financial and operational resilience of organisations. Regulators across industries have recognised the significant impacts that the spread of COVID-19 may have on the markets, organisations, and consumers. Concurrently, organisations are navigating the usual and new compliance challenges resulting from COVID-19.

To help you, we have created an overview of scenarios, suggested activities and guiding questions for responding to the crisis and recovering the business. As the progress of COVID-19 is hard to predict you might find your business switching between these two phases.

Phase 1: Respond

The Compliance function is an important gatekeeper in protecting the reputation, financial and operational resilience of organisations. In these times of crisis, with the high degree of change, uncertainty and disruption, there may be increased activity that puts your organisation at risk – for example financial crime, fraud or other illegal activities. In addition, if you are in a regulated industry, your organisation will still need to adhere to regulatory requirements and honour the regulatory commitments.

At the same time, Compliance organisations are also impacted by the crisis. You may be experiencing restrictions with working remotely, reduced workforces, technical disruptions or increased volumes. We recommend identifying and ringfencing the services that are critical to protecting your organisation and meeting regulatory expectations.

Key questions to consider

There are a number of areas that may be affected. Here are some questions for you to consider:

Do you have access to up-to-date KRIs/KPIs that show what is happening in your areas of responsibility?
Are you able to detect trends, such as increased alerts, quickly?
Are you reliant on service providers for critical services – for example, technology platforms or external providers for surveillance activities?
Do you have back-up options, for example manual protocols or alternative suppliers?
What is the workforce situation for your critical services?
What cross-staffing options do you have? How about leadership?
Are there projects, initiatives and other activities that can be de-prioritised?
Are you in contact with your key regulators?
Have you established working protocols and escalation points?

Critical Services

Observations have shown that the following services might be interrupted due to COVID-19.

Financial Crime Compliance

Monitoring and Surveillance

Regulatory Affairs

Investigations

Control Room / Information Barriers

Description

Financial crime is a major risk for many organisations. In times of crisis, there is a risk of increased illicit activity that may go undetected.

Monitoring of AML/transactions, trade and fraud risks are focus areas.

In times of crisis, regulators may increase supervision. In addition, the organisation may lose focus on regulatory commitments.

Driven by the potential increase in illegal activities, the investigation functions needs to be able to respond to internal and external requests.

Conflicts of interests are another major risk for many organisations. In times of crisis, there is a risk of increased illicit activity that may go undetected.

Consequences if interrupted

Regulatory fines

Financial loss

Reputational damage

Regulatory fines

Risk of undetected fraudulent behaviour

Financial loss

Regulatory enforcement and scrutiny

Regulatory fines

Risk of undetected fraudulent behaviour
Regulatory enforcement and scrutiny

Regulatory fines

Risk of undetected fraudulent behaviour

Financial loss

Coronavirus scenarios and mitigation for Compliance

COVID-19 will affect organisations to different degrees, requiring several actions.

Details	Majority of the workforce working from home with minor disruptions. Some of the workforce out on sick leave. Limited increase in AML alerts, limited increase in other surveillance volume.	Some of the workforce out on sick leave for extended periods, including suppliers. Increased surveillance volumes. Increased requests from regulators, including reporting.	A large part of the workforce out on sick leave, including suppliers. Disruptions to technology. Increased regulatory supervision and crisis management.
Functional impact	Limited initial impact, however impact of preparing for potential worsening of the situation.	Inability to maintain full Compliance mandate. Delays in surveillance and regulatory commitments.	Inability to maintain Compliance mandate. Inability to meet some regulatory commitments, delays in surveillance activities.
Proposed actions	Prepare for medium and major scenarios. Identify and ringfence critical services. Identify backup options for critical providers. Contact key regulators to establish working protocols.	Ringfence the critical services of the Compliance mandate. Reassign resources to these critical mandates, postpone other activities. Prepare sourcing options for potential worsening of crisis.	Continue to ringfence the critical services of the Compliance mandate. Source external workforce for critical services. Follow escalation protocol established with key regulators.

Phase 2: Recovery for Financial Services

Regulators across industries have recognised the significant impact that the spread of COVID-19 may have on markets, organisations and consumers.

At the same time, organisations are navigating the usual and new compliance challenges resulting from COVID-19.

This page provides news, strategies and insights to help organisations navigate changing regulatory requirements and new challenges for compliance departments for the upcoming “Recovery” phase.

Routine approaches or action plans may not be effective in unprecedented times. Compliance and risk officers will be called upon to collaborate on strategic responses and address compliance programme challenges amid a multitude of broader considerations, an evolving environment and an unknown tomorrow.

Key questions to consider when recovering your business:

Does your organisation’s systems and technology infrastructure enable the new remote operating model?
Are your employees able to perform their daily tasks remotely? Are digital signatures used? Can they approve processes without encountering physical constraints?
Does your organisation have the appropriate processes, controls and clearly defined roles, which – along with appropriate measures of performance and risk – facilitate BAU compliance in the new environment?
Does your organisation have the right oversight and management in place to restore commercial activities, while maintaining the corresponding compliance monitoring?
Are there any controls in place to prevent theft of data by employees working remotely?
Did you include anyone from the compliance/legal team in the crisis response task force?

Suggested next steps to tackle the recovery

If you find your business moving from the response to the recovery phase of the crisis the following key considerations and recommendations might be useful to you.

1. Reassess compliance risks and redesign compliance plan accordingly	2. Organise, prioritise and implement the necessary changes	3. Focus or expand fraud-mitigating measures	4. Reassess the shift of resources and its consequences	5. Innovating for the new normal
Important considerations for the business to start the “new normal” plan include compliance risk reassessments, monitoring adherence to the compliance plan and revising the plan if needed; these should include contingency plans and recovery/exit strategies.	With limited resources, leadership must prioritise. As financial institutions try to adapt to the "new normal", the hurdles and obstacles are substantial: it is important to have a clear focus to effectively organise, prioritise and implement the necessary changes.	Organisations should not overlook their ability to identify, mitigate and respond to a change in fraud risks as a result of this disruption. The combination of financial and health threats makes people more vulnerable and generally creates opportunities for fraudsters.	Business models have been challenged and more focused on operational measures than compliance, with the focus and budgets being reduced for any activity considered ‘non-essential’ - it is time to reassess these shifts.	Begin to innovate for the new normal, in order to participate and seize the upsides, address the short-term changes and innovate for long-term value.

Guidance for the next phases

The next steps to deal with the “new normal” vary based on job roles and companies. We have created an overview with possible actions and suggestions on planning and getting ahead for upcoming phases of the crisis.

	Short-term	Medium-term	Long-term
Internal Stakeholders: Board Members, Leadership, Employees, etc.	Offer overview of starting position, baseline and crisis in the context of compliance Identify and report compliance challenges emerging during the crisis and immediate post-crisis period: backlog, loss of resources etc. Ensure that safety practices in the workplace are communicated, trained, and monitored effectively	Conduct compliance risk reassessments, assess adherence of monitoring to the compliance plan and consider revising the plan if needed: define activity plan to restore BAU and clear possible backlogs Balance legal requirements with response actions to ensure safety: assess the impact of interruption to operations	Post-acute-crisis analysis to enter the “new normal” era: Identify weaknesses, draw learning points and establish the consequences of the new normal Support the transition of resources away from crisis-prioritised positions Review policies, practices and controls, and tailor them to the new working environment
External Stakeholders: Auditors, Regulators, etc.	Approach regulators, particularly if general and/or firm-specific dispensations are needed in case requirements cannot be met	Consult activity plan to restore BAU and clear possible backlogs with regulators Engage in discussions on trade-offs between contingency measures and risk appetite to ensure these are well-considered – key considerations include data security, fraud, cybersecurity and privacy, especially safeguarding personally identifiable information	Design or amend measures for future operational resilience and align with regulators’ expectations Seek approval for amended work-from-home model: regulatory clearance and robust technical testing should occur pre-emptively

Michèle Hess

Partner, Regulatory & Compliance Services
michele.hess@ch.pwc.com
Tel: +41 79 878 0085

Alexandra Burns

Director, Risk, Compliance, Internal Audit
alexandra.burns@ch.pwc.com
Tel: +41 79 878 31 69

Phase 2: Recovery for Trade Industry

As regulators and stakeholders expect companies to act compliant even in times of crisis, organisations are navigating the usual and new compliance challenges resulting from COVID-19. But, regulatory changes could also create opportunities that must be exploited for your company.

This page provides strategies and insights to help organisations navigate challenges and seek opportunities for the upcoming “Recovery” phase to foster your resilience and emerge stronger.

Routine approaches and action plans need to be adopted in unprecedented times. Compliance and risk officers will be called upon to collaborate on strategic responses and work closely together with the business. They will address compliance challenges and support business opportunities amid a multitude of broader considerations, an evolving environment and an unknown tomorrow.

Key questions to consider when recovering your business:

Do you know the biggest compliance risks of your organisation and if they have changed during the crisis?
Does your organisation have clearly defined roles and responsibilities, appropriate processes, controls and relevant data to ensure informed and timely decision-making in uncertain times?
Are there the right controls in place to prevent theft of data from inside or outside of the company?
Did you include relevant personal from the compliance/legal team in the crisis response task force and relevant strategic projects? And do you see your compliance/legal personnel as strategy enablers?

Suggested next steps to tackle the recovery

If you find your business moving from the response to the recovery phase of the crisis the following key considerations and recommendations might be useful to you.

1. Identify and reassess compliance risks

2. Organise, prioritise, and implement the necessary changes

3. Adopt third-party due diligence compliance

4. Focus on or expand fraud-mitigating measures

5. Innovating for the “new normal”

An important step to start the “new normal” includes a compliance risk reassessment (identification of new and/or changed compliance risks) and the initiation of respective actions, where needed.

With limited resources, leadership must prioritise: It is crucial to ensure Compliance while looking for new ways to operate and effectively focus on operational business measures as well as seeking opportunities in an evolving environment.

In cases where the supply chain of organisations is affected, organisations need to reassess their third-party risk and compliance assessments and adapt the process accordingly to ensure operations as well as compliance needs.

Organisations should not overlook their ability to identify, mitigate and respond to a change in fraud risks (within and outside of the organisation) as a result of this disruption.

Innovate for the “new normal”: By using the knowledge gained from your experience with COVID-19 and taking steps to improve the resilience of your organisation; being close to the business and support seizing their needs.

Guidance for the next phases

	Short-term	Medium-term	Long-term
Member of the Board of Directors	Enable reassessment of compliance risk across the organisation Establish protocols for the “new normal” and ensure that safety practices in the workplace are communicated, trained and monitored effectively And if need be, approach regulators, auditors and other relevant stakeholders	Establish monitoring over increased compliance risks– i.e. cyber risks, supply chain risks, health and safety risks, fraud risks, and other risks depending on your industry And if need be, continue to exchange with regulators, auditors and other relevant stakeholders	Maintain heightened monitoring of the environment and key compliance risks throughout the recovery phases Implement revised compliance plan, where needed Strengthen mandate of compliance as business enabler, in line with increased market focus
Compliance / Legal Team	Identify new or changed compliance risks regarding the “new normal” and restarting the business Identify and report compliance challenges emerging during the crisis and immediate post-crisis period: new and/or changed (regulatory) requirements, reported issues etc.	Develop plan to support business regarding new and/or changed requirements and compliance risks Set up measures to ensure monitoring of increased compliance risks Start supporting business as an enabler for adopting the new normal and searching for opportunities	Continue to reassess key compliance risks and implement measures to ensure respective monitoring Work together with the business to raise resilience and exploit opportunities Identify weaknesses, establish lessons learned and determine the consequences of the new normal