Having a cohesive business continuity plan (BCP) is part of the essential documents for most businesses. Amid the global health crisis surrounding the coronavirus and COVID-19, many BSA/AML officers are tasked with implementing their business continuity plans (BCPs) while continuing their everyday duties without much of a warning. If your financial institution has not reviewed your BCP in a while, you may feel overwhelmed with this task, in addition to struggling to keep up with daily regulatory deadlines with already stretched resources. How will your BSA program continue to operate smoothly during so much uncertainty?
Coronavirus and AML/CFT – Is Your Financial Institution Prepared?
FinCEN issues response to concerns with regulatory deadlines
This is a question on the minds of many BSA/AML professionals during the current pandemic. On March 16, the Financial Crimes Enforcement Network (FinCEN) released a response to President Donald Trump declaring a national emergency related to the coronavirus. The communication states that a financial institution that has concerns regarding the ability to meet BSA regulatory deadlines in the face of a global pandemic such as the coronavirus should contact FinCEN and their regulator. FinCEN also stresses to remain alert to illicit and/or fraudulent financial activity. Fraudulent activity increases during disasters, and the coronavirus pandemic is not an exception. Institutions have already reported increases in scams, charity fraud, benefits fraud, and cyber-related fraud relating to COVID-19.
FFIEC issues guidance to help with pandemic planning
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance identifying actions for financial institutions to take to minimize the potential adverse effects of a pandemic. Financial institutions are required to include pandemics as part of their overall BCP describing how they will manage during such an event. BCPs are intended to minimize disruption during disasters, both natural and man-made. Pandemic planning is a unique challenge for financial institutions because unlike other disasters which are usually short term, a pandemic may come in waves, each lasting several months. The many unknowns of COVID-19 make the current challenge even more difficult for financial institutions to manage.
Consider these "What ifs" when writing your BCP
Many financial institutions are realizing that their pandemic BCP has not accounted for all aspects of the current reality. How can we manage our BSA obligations while ensuring client and employee safety? The what ifs seem to continue to grow. What if:
- …the BSA Officer becomes ill and/or hospitalized. Who will perform the duties of BSA Officer?
- …a significant percentage (or perhaps all) staff becomes ill?
- …staff must stay home to care for ill children, or children home from school or daycare?
- …staff must stay home to care for other family members or elderly parents?
- …front line staff is minimized and unable to conduct required BSA reports, such as Currency Transaction Reports (CTRs), and questionable activity communications?
- …you are unable to approve and/or file suspicious activity reports (SARs) on time?
- …the Board discontinues regular meetings; how will SAR review continue?
These are some of the serious questions that should be answered within an institution’s BCP plan, but as rapidly as the coronavirus has affected business and lives, was the banking industry prepared? It is not too late to launch corrective action with a revised BCP if a financial institution comes up short in a real situation.
Follow CDC guidance for public safety
For many industries, working from home is a new norm and is a critical part of their BCP. The financial industry, however, has historically been more conservative on implementing work from home policies, as many employees are client-facing and handle an enormous amount of private information and client data on their computers. During a pandemic, increased telecommuting could put a strain on remote access capabilities and some employees may not be set up well at home to accommodate this. If an institution finds that telecommuting is the best option to weather this pandemic, here are some best practices for employers for limiting security risks:
- Ensure that employees use a non-stored password to connect during each session, especially for virtual private network (VPN) access
- Create reasonable session time-outs for sensitive applications
- Limit program/file access to only the areas absolutely needed by that employee
- Reserve the right to terminate employee access at any moment
- Provide services for remote file storage and other tasks rather than relying on individuals to use their personal files and applications
- Encrypt sensitive data in emails and on your device
- Increase awareness of information technology support mechanisms for employees who work remotely
In addition to what the CDC recommends for individual protection, employees working from home should follow these best practices:
- Avoid public Wi-Fi; use secure internet connections or hotspots to encrypt your web connection
- Family members should not use your work devices – treat your work-issued laptop, mobile device and sensitive data as if you were sitting in a physical office location
- Ensure that your AML software is up to date with applicable permissions
- Keep your physical workspace secure – while virtual security is important, its equally important to make sure that your home office is physically secure
- Follow company policies– report any suspicious behavior to IT immediately and follow basic “computer hygiene” standards such as up-to-date operating systems, antivirus/malware, and regular scanning
Ensure your virtual network stays secure amid new work conditions
The Cybersecurity and Infrastructure Security Agency (CISA), a Department of Homeland Security, has issued risk mitigations for VPN access and encourages organizations to adopt a heightened state of cybersecurity as increased coronavirus-related cyber fraud and scams have been documented. The CISA recommendations include:
- Updating VPNs and devices used for remote work with the latest software patches and security
- Alert employees to the increase in phishing attempts
- Ensure IT security staff are prepared VPN support
- Implement multi-factor authentication (MFA) on all VPN connections
- Ensure IT security staff tests VPN limitations to prepare for mass usage
- Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns
What if your work from home policy erupts with illness and/or hospitalizations? What if a significant amount of staff is unable to work, even from home? Since the severity of COVID-19’s impact on U.S. businesses is unknown, institutions must prepare for this situation and document it as part of your BCP. Outsourcing, especially for unexpected staffing issues, is a common part of a BCP. Staff augmentation is an important safety net and unfortunately hiring temporary employees from your local staff placement company will not yield experienced BSA/AML professionals. Partner with a company that can give you immediate BSA/AML experience in the form of an interim or supplemental BSA officer and investigators who can work suspicious activity alerts, analyze cases, create and file SARs and CTRs, and perform OFAC and other screening scans. Abrigo’s industry-certified advisory services staff is trained on different AML systems and ready to step in and supplement your BSA department at a moment’s notice. For more information on partnering with Abrigo Advisory Services, contact us.
Abrigo cares about you, your financial institution, and your community. With these recommendations, we’re confident you will increase the odds of your staff, clients, and communities remaining safe and healthy. We sincerely wish you all have a successful experience during these unchartered and historic times.