While the coronavirus continues to spread, the German Federal Financial Supervisory Authority (“BaFin”) also published a document on the Minimum Requirements for Risk Management (“MaRisk”) for credit and financial services institutions on March 12, 2020, in which it addresses the issue of activities outside business premises and risk management in the trading sector from a regulatory perspective. Like all other companies, credit and financial services institutions need to take precautions to ensure that business can continue in times of crisis, such as in cases of lack of access to business premises. In view of recent developments, this issue is more relevant than ever; a functioning emergency concept is essential and this is not just a “paper” for BaFin. If they have not already done so, financial institutions should therefore urgently review their contingency plans and adapt them where necessary.
In item AT 7.3, MaRisk stipulates that the contingency planning of credit and financial services institutions must include a business continuity plan, which needs plans to ensure that the relevant employees of credit and financial services institutions have access to alternative solutions for maintaining business operations in the event of an emergency. On the one hand, business continuity plans should clearly state which internal and external communication channels are open to provide the services offered. On the other hand, the business continuity plans should define all steps to be taken after the occurrence of the event causing the emergency.
In BaFin’s view, measures should be designed in particular to enable individuals to quickly switch to work from the home office to reduce the risk of infection. Working from a home office entails further compliance risks in connection with regulatory requirements, particularly for traders. Employees in investment consulting or trading, for example, must be able to record customer telephone calls in a legally compliant manner as required by Section 83 German Securities Trading Act. Additionally, the IT systems of credit and financial services institutions must be designed and suitable for wide-ranging home office work so as not to impair the integrity of the company’s own IT systems.
The IT equipment of the home office must also ensure that work can be performed adequately from home. The type and manner of IT equipment will likely depend on the actual duration of the underlying crisis. While the temporary use of a laptop should meet the minimum equipment requirements for a few days, it seems appropriate to equip traders with additional hardware (such as several monitors) for a longer-term absence (e.g., several weeks). Against this background, the possibility of different absence times of employees should also be taken into account in the business continuity plan.
In its notification, BaFin points out that trading transactions outside business premises are only permitted where clearly regulated by the institution and each transaction is extensively documented, cf. MaRisk, BTO 2.2.1 item 3. In BaFin’s view, it is justifiable from a banking supervisory perspective, “if not necessary in crisis situations,” to relax the strict rules temporarily and to allow home office rules. In the absence of access to office space, it would be necessary to create an alternative to maintain business operations. If institutions had previously excluded such transactions, they would have to explicitly lift the ban and clearly outline under which conditions and for how long the new rules would apply, laid down in work instructions. This would also apply to decentralized workplaces set up as part of crisis management in trading, since all required security measures and controls could be implemented electronically.
In particular, it is necessary to determine the authorized persons, the purpose, the scope ,and the recording of transactions carried out outside business premises. Immediate confirmation by telex must be requested from the counterparty and the trades must be reported by traders to their own institution, specially marked and brought to the attention of the responsible manager or an organizational unit authorized by the responsible manager.
In the end, all financial services providers should have business continuity plans that include clear and unequivocal home office rules for the conclusion of trading transactions. Unless already done, existing internal guidelines should be adapted without delay. Switching to work at the home office is not permitted for employees in trading without corresponding guidelines.
BaFin imposes similar requirements on capital management companies relating to transactions for investment funds. In this respect, we refer to the forthcoming update on investment funds.