COVID-19. Recommendations for FinTech market participants

31/02/2020

The coronavirus pandemic poses real threats to the Lithuanian and global economies. The European Central Bank (ECB), the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the Bank of Lithuania have issued temporary measures and recommendations envisaged to help banks continue to finance the economy and mitigate its adverse effects.

Temporary measures and recommendations issued by ECB, EBA and ESMA

Banks will be allowed to temporarily cease to comply with capital recommendations under Second Pillar (P2G) and liquidity buffer requirements. Opportunity will be given to use lower quality capital instruments to cover requirement risks under Second Pillar (P2R). Efforts will also be made to ensure that supervisory measures are applied flexibly, depending on the situation of each bank.

Due to coronavirus, the EBA has decided to postpone this year’s stress testing of banks across the European Union to 2021, so that they can focus on ensuring that their customers are properly served, including lending to individuals and businesses. The ECB emphasized that banks would continue to need to ensure that the risks they take are managed without lowering prudential standards, with due recognition and writing-off of non-performing debt positions, and further responsible planning of capital and liquidity needs.

EBA noted that competent authorities should, when needed, make full use of the flexibility provided by existing legislation.

Information of Bank of Lithuania

The Bank of Lithuania, taking into account the situation caused by the coronavirus, has made it possible for electronic money and payment institutions subject to the Law on Financial Institutions of the Republic of Lithuania to submit the set of annual financial statements, auditor’s conclusion, the decision of the general meeting of shareholders on the distributions of profit (loss) and audit report later, but not later than May 5, 2020.

The Bank of Lithuania also noted that electronic money and payment institutions must assess and implement appropriate measures to manage and measure the risk associated with coronavirus and foresee their management in their internal risk management documents, the risks related to coronavirus must be assessed in accordance with customer funds protection requirements.

Regarding operational and security risk and business continuity management process

According to December 20, 2018 Resolution No. 03-264 of the Board of the Bank of Lithuania, confirmed by point 8 of the Operational and Security Risk Management Requirements for Payment Service Providers (hereinafter – Description), payment service providers must create appropriate organizational structure and processes to help:

  1. manage operational and security risks;
  2. perform continuous monitoring of operational functions, supportive processes and information resources;
  3. ensure consistent and integrated monitoring, management and a follow-up research of operational and security incidents;
  4. identify and continuously monitor operational and security threats that may have a significant impact on their ability to provide payment services;
  5. provide assistance and advice to payment service users and to raise their awareness of security risks related to payment services.

In point 40 of the Description there is a requirement for payment service providers to install an appropriate business continuity management process to ensure uninterrupted payment service provision and limit losses in the event of business disruption.

Based on internal and / or external data and scenario analysis, payment service providers must thoroughly analyse the rising significant risk of business disruption and to quantify and qualify its potential impact. Taking into account identified and classified critical functions, processes, systems, operations and interconnections, payment service providers must foresee actions that assures business continuity, prioritizing actions that address the highest risks identified by payment service providers.

Based on the finished analysis of business disruption risk and its impact, payment service providers must:

  1. have a business continuity plan which ensures that payment service providers will be able to appropriately respond to unforeseen critical situations and to continue to perform critical operations;
  2. install risk mitigations measures to be taken by payment service providers in cases of disruption of payment services and / or termination of existing contracts concluded with third parties, in order to avoid adverse effects on payment systems and payment service users and to ensure the execution of pending payment transactions.

In the event of a disruption or emergency situation, implementing a business continuity plan, payment service providers must have installed effective communication tools for crisis management to ensure that all relevant internal and external stakeholders, including external service providers, are informed in a timely and appropriate manner.

What should be included in the Business Continuity Plan considering the COVID-19 situation?

The plan must include measures to be taken by the financial market participant in the event of an unforeseen scenario, that actually disrupts the normal critical operation of the company, in order to continue to provide its significant services to clients. At present, the focus should be on ensuring a sufficient level of financial and human resources, which would enable the financial market participant to continue its activities.

Each financial institution needs to realistically asses how their current clients may be affected by the economic slowdown, global quarantine and closing of borders, and anticipate the possible consequences. Consideration should be given to raising capital, providing new payment services to keep the financial institution in the market, if the current financial situation would deteriorate and would substantially differ from one in the business plan.

Each financial institution needs to realistically asses how their current clients may be affected by the economic slowdown, global quarantine and closing of borders, and anticipate the possible consequences.

Also, financial market participants need to assess whether they have a strategy for replacing workers / providers in case of illness. Of particular importance are employees / service providers whose functions are related to money laundering prevention, regulatory compliance, information security and other financial institution operational activities.

Financial institutions should ensure a possibility to as many of its employees to work remotely as recommended by the Government. However, it should not be forgotten that it is important to follow good common practices of information security, because when trying to protect oneself against a threat it is easy to become the subject of another. Financial institutions need to provide secure access to the information database, protect accounts with passwords, install anti-virus systems and similar tool for their employees.

All documents and plans must be kept up to date and updated. Not only does this provide greater definability, but it can also be a competitive advantage over other financial market participants. Financial institutions that have a strategy in place to manage a situation similar to the COVID-19 pandemic will have a real opportunity to test whether it works and how it works. Those market players who did not foresee any similar situation in its business continuity plans, or who do not have a business continuity plan at all, should take immediate steps to prepare it and comply with it.

Financial institutions should ensure proper communication with the Bank of Lithuania and, to the extent available and within the existing restrictions, provide services to clients. Financial market participants who encounter difficulties in complying with supervisory requirements or ensuring business continuity must immediately inform the Bank of Lithuania.

Get in touch