Operational resilience of market intermediaries during the COVID-19 pandemic
December 2020
In March 2020, we published our expectations of market intermediaries regarding business continuity and the supervision of staff during the COVID-19 pandemic.
During 2020, we continued to engage with market intermediaries, including market participants, investment banks, securities dealers and retail over-the-counter derivative issuers, during the pandemic to understand the effectiveness of their business continuity and supervision arrangements. Outlined below are some of our key observations and better practices.
Observations on operational approaches during the pandemic
Australian financial markets remained resilient during the pandemic, with market intermediaries generally adapting well to the changed work environment. This demonstrates the resilience of the Australian financial market system.
In any rapidly evolving environment, it is important that market intermediaries continually review their risk appetite and risk frameworks to ensure they address new risks and work arrangements. Experience from the pandemic suggests this should include controls to address outsourcing, information and data security, supervision and conflicts of interest when working remotely.
Market intermediaries used existing governance structures to establish, oversee and implement an effective approach to respond to any disruptive events through the pandemic.
No significant changes were made to risk management frameworks, including adjustments to risk appetites as a result of COVID-19. However, many had increased focus on stress testing, scenario analysis and some adjusted risk limits. There were also some global initiatives to address risks, with a plan to troubleshoot the current and emerging risks from COVID-19. The key risk themes identified included off-premises trading, fraud, structured products, credit risk management and operational resilience.
Market intermediaries relied on existing control frameworks and implemented additional controls to address the risks associated with remote working. However, some market intermediaries did not attempt or were unable to adequately assess the effectiveness of these new controls. Other market intermediaries displayed better practices, with a proactive internal audit function involved in reviewing the control framework and supervisory routines of sales and trading employees working from home.
Operational challenges during the pandemic
Technology-related issues posed an initial challenge for many market intermediaries, with deficiencies in critical infrastructure. Many market intermediaries were not prepared for local staff or those in offshore operations to work from home. This posed an initial challenge in ensuring staff had adequate computer equipment and Wi-Fi connections to continue working. The use of secondary sites also highlighted a gap, which was the need for fit-for-purpose equipment in business continuity plan (BCP) sites. Outages and latency were also an issue during COVID-19 and resulted in increased client complaints.
There were deficiencies in e-communication surveillance controls at several intermediaries. This was remediated with communication retrospectively being run through monitoring tools. An example of this included some quickly deployed or extended e-communication tools like Microsoft Teams for remote working. However, the communications were not fed into an e-communication surveillance tool.
There were reports of operational delays from manual processes, such as managed fund creation and redemption processes and account opening practices that required wet signatures and sight of original documentation.
There was an increase in trade settlement failures that coincided with a large increase in trading volumes between March and April. Some settlement failures resulted from inadequate back-up arrangements relating to staff working from home. There were also multiple failures around capital raising events when clients were unable to locate stock to borrow.
Despite the increase in capital raising activity at the height of the pandemic, we did not receive reports of an increase in compliance issues. Controls were implemented to manage risks associated with conflicts of interest and confidential information for equity capital markets (ECM) and sales teams working remotely. There were some concerns that new controls implemented to address risks associated with remote working were largely self-regulatory and the risk of miss-selling was not being adequately addressed.
There were minimal issues reported with third-party vendors, with many market intermediaries monitoring performance regularly. Where IT support was received from an offshore third-party provider and there were some initial concerns due to technology issues, market intermediaries temporarily increased onshore help desk resources to assist. Some market intermediaries chose to bring processes performed by third-party vendors back in-house to reduce risk.
Cyber security risk was heightened during COVID-19, with attacks more prevalent. Measures were put in place to address the enhanced risk, including system enhancements, staff awareness and training.
The length of time that staff were working remotely was longer than initially expected. BCP generally did not adequately account for this and further changes to address large numbers of remote working will be incorporated into BCP going forward.
The prolonged period of remote working has also had an impact on staff, with many market intermediaries expressing concerns and anticipating future challenges regarding maintaining social capital. Some market intermediaries noted an increased level of staff fatigue, while others noted a greater preference for flexible working arrangements, which will require greater emphasis as market intermediaries transition back to the office.
Future focus areas for market intermediaries
We encourage market intermediaries to:
- back-test tactical solutions and changes that were risk accepted during the pandemic under pressure. This is to ensure they are robust to avoid any inadvertent exposure to undue risk of misconduct or breach of law
- assess the ‘new normal’ – the enduring impacts of the pandemic – on flexible working practices and implications for the control environment
- review risk appetites and risk limits, including for offshored and outsourced functions, and adjust them where appropriate
- use stress testing and scenario analysis as effective risk management tools
- update BCPs to incorporate key changes, including the possibility of longer periods of remote working
- reflect on technological challenges encountered during COVID-19. Strengthen technological resilience and plan for any changes or improvements to existing systems and infrastructure
- assess the adequacy of measures that were implemented to address cyber security risk during COVID-19 and prepare for the risk of more attacks.