Lynn Woosley is a Senior Director with Treliant. She is a seasoned executive with extensive risk management experience in regulatory compliance, consumer and commercial credit risk, credit and compliance risk modeling, model governance, regulatory change management, acquisition due diligence, and operational risk in both financial services and regulatory environments.
These are unprecedented times. The COVID-19 pandemic is wreaking global havoc and impacting the financial services industry in significant ways, forcing institutions to take immediate actions to mitigate new and increasing operational and compliance risks. The industry is having to adapt to the rapidly changing environment and adopt flexible practices in response to these unexpected new threats.
Many institutions are performing daily monitoring, shifting to a remote workforce, and making changes and preparations while increasing capacity to serve customers with sudden needs for financial services and assistance. The demands are daunting and increasing at an unparalleled pace. Sorting through so much information from the media, lawmakers, and regulators on the current and expected adverse impacts of COVID-19 is challenging. It is natural to feel panicked, overwhelmed, and uncertain about how to face this threat, both personally and at work. However, the industry cannot (and will not) stick its head in the sand and wait the pandemic out. On the contrary, the industry must be a key player in providing relief and assistance to affected consumers.
Treliant convened a virtual panel of its experts in business continuity, financial crimes compliance, consumer protection, cybersecurity, privacy, consumer compliance, and lending operations to discuss risk management for financial institutions during the COVID-19 pandemic. Participants included Prasad Chintamaneni (Managing Director, Global Financial Crimes Compliance), Deborah Grissom (Senior Director, Mortgage Operations and Compliance), Tina Shaver (Senior Director, Regulatory Compliance), Lynn Woosley (Senior Director, Fair and Responsible Banking), Ellen Rose (Senior Director, Mortgage Operations and Compliance), Jason Sarfati (Director, Privacy and Data Ethics), and Richard Hudson (Senior Manager, Cybersecurity and Business Continuity).
Key questions, answers, and insights from the discussion are highlighted below.
What are the key risks arising from the pandemic?
RH: Currently, the top risks include risks to employee health and safety; technology risks related to capacity planning; miscommunication with clients, the public, the media, partners, and employees; and a lack of adequate cross training and succession planning.
PC: A variety of fraud schemes and imposter crimes are expected to increase, including:
- Investment scams, such as promoting investments in firms that claim to be able to prevent, detect, or cure COVID-19.
- Product scams promoting products that claim to prevent or cure COVID-19.
- Imposter scams, such as those seeking donations for fake COVID-19-related charities or spoof websites of the Centers for Disease Control and Prevention (CDC) or World Health Organization (WHO) that install malware when those websites are visited.
- Insider trading by front-running discoveries or news releases.
TS: Financial institutions are being impacted by temporary closures, reduced hours, decreased staff, and a transition to a remote workforce, which can greatly affect branch-banking offices, back-office functions, and day-to-day compliance efforts. This could result in a backlog of compliance activities as well as potential noncompliance.
ER: Mortgage originators already had a backlog from high volumes in the third and fourth quarters of 2019. Moving office staff to remote working has further stressed operations and processes that depended on in-person interactions. Time to close has gotten longer, so mortgage lenders are taking steps to manage borrower expectations. The prioritization of purchase money over refinances has also been instituted to ensure that consumers with purchase deadlines are not negatively impacted.
DG: On the servicing side, there are challenges related to communication with borrowers. Servicers are training additional remote staff and specialized teams to deal with increased needs for communications and assistance, while also allowing staff to work remotely or relocating staff to business-recovery sites in less affected areas. Business units are disrupted as current staff deals with issues related to the pandemic, so servicers are seeking assistance and temporary employees to fill key roles. There may not be enough trained and experienced staff to monitor the risks associated with federal and investor deferrals that have been announced and other programs that are sure to come.
LW: Both consumer and commercial customers will need assistance due to unexpected interruptions in income. This leads to another critical area of concern: balancing regulatory requirements with efforts to provide customers relief (e.g., loan modifications, forbearances, overdrafts, and emergency loans) while encouraging customer and employee health and safety (shifting branches to drive-up banking only, limiting the number of customers in the branch lobby, and using remote-work locations). Institutions should take measures to ensure that customer-relief efforts do not create any unintended fair-lending or UDAAP risks. In addition, institutions must ensure they comply with regulations for work locations, although fortunately some regulators have temporarily relaxed or waived those restrictions.
JS: If an employee is diagnosed with COVID-19, institutions may find it tricky to balance the privacy rights of that employee with the need to inform their broader workforce that it has been exposed to the disease. Current guidance from the U.S. Equal Employment Opportunity Commission and other regulators continues to treat employee-health-related information as private. This includes COVID-19-diagnosis information and any other information that relates to the COVID-19 status of an employee. This means financial institutions are still precluded from sharing the identity of employees who test positive for the virus; infected employees’ privacy and confidentiality need to be respected throughout the duration of the pandemic. Specific names or other identifying details should not be given to co-workers, except executive leadership, as appropriate.
However, this restriction does not prevent financial institutions from implementing procedures to mitigate the risk of infection. Employers can and should share when an anonymous employee(s) has tested positive. They can notify an entire office or wing of a building of such information. Concerned employees can thereafter pursue the option of contacting a healthcare professional.
How are cyber criminals trying to take advantage of the COVID-19 virus?
RH: Cyber criminals are looking to take advantage of firms and individuals who have not implemented adequate security. Ransomware attacks have occurred. Phishing emails are also circulating around the internet.
PC: Cyber criminals are preying on fear. They are targeting individuals and industries across the globe, attempting to hack into computer systems and steal confidential information for illicit activities. The number of phishing emails has skyrocketed, often infecting the computer with malicious malware when links are clicked. Common scams may refer to:
- Accessing a cure from doctors.
- A COVID-19 tax refund from the government.
- COVID-19 safety measures from WHO.
- COVID-19 warnings from CDC.
- Donating to help the CDC in the fight against COVID-19.
How can firms protect themselves and their customers from these cyber scams?
LW: Banks and regulators alike are moving to raise consumer awareness and alert customers to fraud-related schemes, many of which are new, such as fake sales of medical supplies (e.g., testing kits) or bogus government-relief schemes. Others are sharing tips on how to protect personal information from criminals. The Department of Justice (DOJ) on March 21 filed its first enforcement action to suspend the operations of a fraudulent website offering COVID-19 vaccines. The DOJ is also encouraging the public to report suspected COVID-19 fraud schemes by calling the National Center for Disaster Fraud (NCDF) hotline at 1-866-720-5721 or by emailing the NCDF at email@example.com.
RH: To guard against cyber scams, institutions should ensure that employees working from home during the pandemic have the same cyber controls in place that they would if they were physically in the office (e.g., web and content filtering). Additionally, firms should notify customers and employees about how the firm will contact them (e.g., most firms will not call their customers directly) and be aware of impersonators who may try to use social engineering to get personal information from customers.
PC: Institutions should focus on cybersecurity and potential breaches of core systems. From an external perspective, they should look at identity theft and focus transaction monitoring on wire transfers to charities, investment accounts, etc. They should also enforce multifactor authentication prior to settling transactions over certain thresholds (for both individual and corporate accounts). Finally, they should choose safety over speed.
What are some of the challenges of alternate work arrangements? Do firms have enough capacity to handle most employees working remotely or are they having to utilize critical staff only?
RH: Typically, firms are prepared for situations where staff considered “critical” must work remotely. Expanding the scope beyond critical staff may require more technical infrastructure, such as additional remote access tokens or other multifactor authentication means, as well as testing to ensure there is enough bandwidth to support online demands of the firm’s network.
DG: Many mortgage originators and servicers have plans to move operations to an alternate location in the wake of a geographically limited natural disaster. They do not have plans to run a large origination or servicing business from the homes of their employees. There are concerns that the lack of face-to-face interactions with borrowers could lead to increased fraud. In addition, the risks of cybersecurity events, insufficient internet bandwidth, and inadequate cellular connectivity increase with the volume of telework. Furthermore, market uncertainty and remote-work efforts combined with record-breaking origination backlogs and forecasts are a reminder that we all need to slow down and take a look at origination business processes and controls. For instance, TILA-RESPA Integrated Disclosure (TRID) was a hot topic for mortgage originators prior to the pandemic. Add the struggles of processing and closing originations in a remote-work environment and it is inevitable that missteps will happen.
PC: Financial firms are scrambling to make remote working a feasible option for the majority of their workforces. Security breaches when provisioning remote access on short notice are a big threat.
TS: Institutions are struggling with balancing unprecedented changes in work arrangements with the need to maintain effective compliance and risk functions. A few key steps to take include:
- Above all, prioritizing the safety of employees and customers.
- Being nimble and flexible; there are many creative work arrangements and tools, including staff rotations, reduced hours, reduced staff in locations, remote work, and telephone and video conferencing.
- Prioritizing compliance responsibilities and focusing efforts and resources on higher-risk areas.
- Planning now for how on-hold and delayed compliance work will be completed.
JS: When prioritizing which employees should be moved to remote work, employers must refrain from asking whether employees suffer from a preexisting medical condition that might make them more vulnerable to COVID-19. If an employee voluntarily discloses that he or she has a specific medical condition that puts him or her at increased risk of COVID-19 complications, the employer must keep this information confidential. The employer may ask the employee to describe the type of assistance they think they will need (e.g., telework or leave for a medical appointment). As a general best practice, employers are advised to pursue liberal remote-work policies during the pandemic. A general invitation for vulnerable employees to take advantage of telework policies is also appropriate.
What unexpected challenges need to be considered in planning and responding to the crisis?
RH: In the last three to five years, most firms have done limited to no pandemic planning and testing as part of their business impact analyses (BIAs) and business continuity plans (BCPs). In the absence of live exercises (i.e., working from home or remote locations), firms have learned they must at least consider tabletop testing of pandemic scenarios.
TS: Firms that have not typically used telework arrangements are struggling with the transition to a remote workforce. Printing and mailing customer welcome packages and disclosures in a timely fashion without normal operations centers are difficult. Some institutions have found their BCPs are inadequate for a pandemic.
ER: Some BCPs are based on regional disasters, and this pandemic impacts a far greater area than assumed in those firms’ disaster planning.
PC: All countries impacted by COVID-19 are also expecting increases in organized crime, as closed borders and lifestyle restrictions hamper the usual methods criminals use to obtain money. Organized crime groups will seek new ways to fund illegal activities (e.g., drug trafficking, smuggling contraband, human trafficking, obtaining counterfeit goods, and burglaries), exploiting the vulnerabilities caused by the pandemic.
LW: Desperation and anxiety may lead employees to commit fraud or other criminal activities that result in financial harm to customers. Even though normal business operations are disrupted, financial institutions must continue to monitor complaint and exception trends, ensure business justifications for relaxed standards and increasing exceptions are well documented, and involve compliance in temporary changes to policies and branch hours.
JS: Some institutions did not adequately plan for notifying customers and employees how the business will process and maintain information regarding their COVID-19 status. Notice has always been one of the foundational principles of privacy. Employees should be regularly informed of any updates regarding the organization’s BCP for the coronavirus, or how health information will be treated should they come forward with a positive diagnosis. A general notice is also appropriate for a business’s customers.
LW: Regulatory applications and filings may be an unexpected challenge, since many BCPs relied on alternate work locations instead of telework. Fortunately, several federal regulators have temporarily relaxed some requirements and have taken other steps to assist financial institutions during the pandemic.
DG: State registry requirements can be a hurdle to remote work for nonbank mortgage companies. Some states have restrictions on work locations for Nationwide Multistate Licensing System (NMLS)-registered staff. Although some states have temporarily waived that restriction, others have not. In addition, certain state and local relief efforts, such as payment or foreclosure suspensions, might impact operations.
With such widespread business disruptions, the numbers of consumer and business borrowers needing assistance are likely to increase. How can lenders and servicers help their customers?
ER: The Department of Housing and Urban Development (HUD) announced that it has suspended all evictions and foreclosures until the end of April. On March 18, Fannie Mae and Freddie Mac announced they would do the same for a minimum of 60 days. Many lenders are also placing borrowers on forbearance plans. Servicers have enacted disaster plans and associated processes while working on longer-term solutions for streamlined assistance. Consumers are being told to contact their servicers for assistance; servicers should expect higher volumes of requests and inquiries.
DG: Help your customers, but watch for scams and fraud. Be aware that verifying employment and obtaining property valuations could slow originations. It will take good communication with customers and employees to keep things moving, so use technology, including automated call centers and email communications, to its fullest extent to keep consumers informed. Consider partnering with staffing firms or consulting firms to enhance internal measures to handle increased volumes. Most importantly, focus on keeping your workers informed and happy—those working with consumers will need to be extra patient as consumers experience long wait times and grow increasingly concerned about making their mortgage payments.
TS: Many banks are proactively reaching out to their consumer and small-business customers to offer assistance. Banks have pledged more than $160 million in grants for medical assistance and community relief. To support customer and staff safety, financial institutions are enhancing their cleaning practices for facilities and ATMs and encouraging digital banking.
LW: Financial institutions are offering many forms of financial assistance, including fee waivers, loan extensions or forbearance, payment reductions or skip-a-pays, rate reductions, temporary credit line increases, emergency loans, early withdrawal of certificates of deposit, and moratoria on foreclosures and repossessions. With the passage of the CARES Act, lenders can expect a large increase in SBA loan applications, and should be prepared to handle the volume.
What else would you like to share with our readers?
DG: During market turmoil, investors seeking out traditionally “safer” asset classes such as the 10-year Treasury note cause yields on these notes to fall. Historically, this leads to lower mortgage rates, but mortgage originators are now faced with the challenge of processing and closing loans remotely as workers are sheltering in place. In some instances, mortgage originators are slowing the origination pace with increases, rather than decreases, in rates. Other mortgage lenders are suspending certain product types in specific states or requiring additional documentation. Originators should be prepared to keep borrowers informed during slower-than-normal processing.
ER: There could be liquidity issues for mortgage servicers resulting from federal- or state-mandated deferrals of mortgage payments. Handling the deferred payments, an uptick in loss-mitigation efforts, and the potential for property devaluation also pose risks to servicers.
LW: Although we’ve focused mainly on compliance and operational risk in our discussion, the pandemic also carries credit and liquidity risk. Federal banking regulators have provided some guidance and relief in those areas as well, including guidance on how to properly identify troubled debt restructurings and encouraging access to the discount window to promote liquidity. In the long run, working prudently with financially stressed customers now will be better for lenders than charging off a significant number of loans.
JS: Employers must remember that historic privacy and data protection principles still apply to employees’ COVID-19 status. Employers should aim to collect the minimum amount of information necessary and retain that information only for as long as it is relevant. Access to such information should be further limited to those within the organization who need to be made aware of a potential diagnosis, with strong data governance standards continuing to apply to that information moving forward. In addition, employers should not assume that all disabilities increase the risk of complications. Many disabilities do not increase this risk (e.g., vision or mobility disabilities), so affirmative inquiries to employees who are visibly disabled should be avoided.
RH: Firms that have not yet migrated key operations to the cloud should begin having those conversations. Remote working will be even more critical to keep certain businesses operational. BCPs have to be revisited as testing of critical staff and operations must be expanded to the broader workforce. The cloud offers many advantages to help firms achieve business continuity and increased capacity very quickly.
TS: Don’t be afraid to seek guidance from regulators, trade associations, and consulting partners. This is a challenging time, but we are risk professionals and can do this!
The coronavirus pandemic brings multiple threats to the financial services industry. Institutions should review their BCPs, develop or enhance a risk-response plan, and establish ongoing communications within the organization and with customers, employees, regulators, and vendors. One approach might be to temporarily create a working group with experts from various teams (risk management, compliance, human resources, business continuity, technology, privacy, fraud, Bank Secrecy Act/Anti-Money Laundering) to collaborate on solutions and risk management strategies. One thing is certain: The risks facing financial institutions as a result of COVID-19 are rapidly increasing, so the time to act is now.
U.S. Equal Employment Opportunity Commission, “Pandemic Preparedness in the Workplace and the Americans With Disabilities Act,” updated March 21, 2020, https://www.eeoc.gov/facts/pandemic_flu.html#4
Baylor, Brenda. Treliant Takeaway, “Mitigating Fraud in the Wake of the Pandemic,” March 23, 2020, https://www.treliant.com/knowledge-center/treliant-takeaway-mitigating-fraud-in-the-wake-of-the-pandemic/
Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, “Joint Statement on CRA Consideration for Activities in Response to COVID-19,” March 19, 2020
Woosley, Lynn. Treliant Takeaway, “HUD, FHFA Suspend Foreclosures and Evictions,” March 24, 2020, https://www.treliant.com/knowledge-center/treliant-takeaway-hud-fhfa-suspend-foreclosures-and-evictions/
See, for example: Woosley, Lynn. Treliant Takeaway, “Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by Coronavirus,” March 23, 2020, https://www.treliant.com/knowledge-center/treliant-takeaway-interagency-statement-on-loan-modifications-and-reporting-for-financial-institutions-working-with-customers-affected-by-coronavirus/; Federal Reserve, “Federal banking agencies encourage banks to use Federal Reserve discount window,” March 16, 2020, https://www.federalreserve.gov/newsevents/pressreleases/bcreg20200316a.htm; Federal Reserve, “Federal banking agencies provide banks additional flexibility to support households and businesses,” March 17, 2020, https://www.federalreserve.gov/newsevents/pressreleases/bcreg20200317a.htm; Federal Reserve, “Federal bank regulatory agencies issue interim final rule for Money Market Liquidity Facility,” March 19, 2020, https://www.federalreserve.gov/newsevents/pressreleases/monetary20200319a.htm