Mickey Rosen is a contributing senior consultant with Global Markets Advisory Group.
Dan Labovitz is Managing Member at Global Markets Advisory Group
Although it feels like longer, it has only been about month since most of New York City – and with it large chunks of the financial services industry – began working from home in earnest. As the crisis developed, firms confidently dusted off and activated their business continuity plans. But as quickly as they did so, many firms had to confront the reality that in this crisis, even the best BCPs would require some improvisational improvements. For firms who were less prepared, the pandemic has been more cataclysmic and existential: it revealed who was, to borrow Warren Buffet’s famous phrasing, swimming naked when the tide went out.
FINRA recognized the problem fairly early, and issued guidance to firms considering asking personnel to work from home, but the guidance was not especially detailed about what FINRA expected a firm to do: FINRA advised firms “to establish and maintain a supervisory system that is reasonably designed to supervise the activities of each associated person while working from an alternative or remote location during the pandemic.” The question of how to do that was left unanswered.
For an event of limited duration and limited in geographic scope, such as a natural disaster, the lack of specific guidance may not be significant, but the length and breadth of the coronavirus crisis makes such guidance critical.
But this crisis also requires the industry to fundamentally rethink business continuity practices and supervisory functions that pre-Corona seemed adequate. Neither the regulators nor the industry have considered how one confidently supervises personnel working from home for an extended period of time, or the challenges for both supervisory functions and risk control functions inherent in remote working set-ups. As this pandemic enters its second full month of disruptions, the entire enterprise needs to have the ability for supervisors to quickly react to issues that arise, whether potential violations of firm or industry rules and/or unforeseen changes in risk profiles.
These issues need to be addressed in several ways. First, it is critical to ensure that supervisory personnel have the bandwidth to stay on top of the operation in a real-time basis. If the supervisor has faulty connectivity or cannot gain access, the controls are relegated to the ether and stay there until someone can access them. In a situation where everyone is using their home internet during prime market hours, firms are quickly finding that there is not enough bandwidth to go around. Even if the network as a whole, is sufficient, multiple users in a single home proves to be a challenge. FINRA’s last guidance on BCP in a pandemic situation was in 2009; at the time, it highlighted a single firm that had selected critical representatives from various groups and departments across the firm to receive dedicated, priority broadband service in their homes. FINRA recommended that firms consider similar measures, but stopped short of requiring them.
Second, the industry should consider ways to reduce or eliminate manual oversight functions by adopting machine learning and other technologies to automate supervision wherever possible. The same is true for compliance surveillance, which tends to rely on groups of analysts manually reviewing and processing alerts to detect bad behaviors. Besides the challenge of operating a centralized command-and-control function with staff who are geographically dispersed, manual reviews that are tuned to “ordinary” market behaviors may not be nimble enough to detect new violative patterns that are outgrowths of the pandemic and the decentralized work environment. The machines, by contrast, may be able to more quickly discern in real time irregular patterns.
Finally, it is critical to re-examine the off-shoring of certain tasks. As an example, firms that have offshored to India are facing significant challenges now that the Indian government has implemented a sweeping locked down of the entire country. How does this affect the ability of the firm to comply with regulations if critical reports or office functions cannot be accessed? If the firm is processing paperwork remotely and the workers cannot access the remote physical mail, work will grind to a halt.
A real-world example may help to illustrate the risks in the three broad operational areas: Front end RIA oversight and compliance, Execution Capability and Middle Office.
The first two are the most at-risk areas since that is where transactions take place and are processed. Unfortunately, the combination of unprecedented volatility in the market and the remote work environment of many front-line RIAs has challenged firms’ ability to conduct real-time remote monitoring of investment decisions to ensure they meet the client’s investment objectives. There has been recent anecdotal evidence, as a result, of an RIA blindly liquidating and re-investing assets for a 98 year old account holder and a 65 year old account holder, without accounting for the differences in their circumstances or the fact that the accounts had different investment objectives. While this is undoubtedly an extreme case – and one that could have occurred in any market condition – firms’ execution systems, for the most part, are not designed to be monitored effectively outside of the order room.
The Middle Office is another critical area since almost all client trade booking and money transfers are made here. One might assume this area would be more resilient to remote work restrictions, since the middle office function traditionally has been distributed to each branch or RIA. Nevertheless, this is an area of risk. Among other things, even though it is distributed, the systems is built around the assumption that everyone involved is in the same office. Once physical distance is included in the system, if there is not an efficient method for communicating and documenting events when people as well as processes are distributed to remote locations, a potential compliance and risk scenario is possible.
So how can a firm address these kinds of concerns while we’re still in the midst of the crisis? Among other things, firms should be sure that they are addressing cybersecurity concerns around working from home, including reminding personnel to only use approved channels for communication, access sensitive customer information only through virtual private networks and on firm-provided equipment if possible, and to be alert to potential issues (phishing, intrusions, practice strong passwords security, etc.). Firms should encourage supervisors to be proactive in communicating with the people under their supervision more often, whether by telephone or video chat. They should particularly focus on things that would ordinarily rely on manual supervision, and to be sure that managers are aware of what their staffs are doing in as close to real time as possible. On the compliance side, firms should consider conducting random sweeps of trading and client interactions that are usually supervised via manual processes, such as comparing orders and executions against client account objectives and risk limits, and monitoring electronic communications to identify potential instances where a conversation moves from the firm’s system to a personal cell phone or email. Firms should also monitor information published by their primary regulators and industry organizations. SIFMA has a particularly useful page that aggregates relevant guidance and recommendations from the industry and regulators (https://www.sifma.org/resources/general/bcp/ ).
In today’s environment, tools that address these issues have been the exception, not the rule. Until now, concerns about the expense of implementing new technologies and a lack of regulatory pressure to commit to them has slowed adoption by the industry. But as the COVID-19 pandemic has spread around the globe, the costs of not committing – and the risks that that introduces – are getting higher. What was once a low-likelihood event with a manageable impact (so the thinking went) has become suddenly a present event that strains the industry’s capacity to function, let alone in a compliant way. (Just ask the NYSE’s Floor Brokers if they were ready for a pandemic that closed the trading floor.). COVID-19 changes (or should change) the industry’s calculus on risk mitigation: Yes, you normally do not need to spend all this money, but in a catastrophic situation when your office shuts down, how much are you willing to lose? This changes the cost benefit equation from theoretical to practical.
The views represented in this commentary are those of its author and do not reflect the opinion of Traders Magazine, Markets Media Group or its staff. Traders Magazine welcomes reader feedback on this column and on all issues relevant to the institutional trading community.