Crisis Preparedness in the Age of COVID-19: a Primer
https://suara.seacen.org/crisis-preparedness-in-the-age-of-covid-19-a-primer/
Suara SEACEN (The SEACEN Centre), Mon, 30 Mar 2020

Maintaining confidence and the smooth functioning of financial markets[i]

Since the initial publication of this blog post, this article has been further developed into a full-fledged SEACEN Policy Analysis Paper, which was published on the SEACEN Centre website on 15 May 2020. The paper can be accessed here.

As the world shelters from COVID-19 and attends to those already ill or infected, the primary concern of central banks, stand-alone financial sector regulatory authorities, and deposit insurers (collectively, regulatory authorities or RAs) must be the health and workplace safety of their senior management, staff, and their families.  Beyond that, the RAs have a public policy objective of maintaining confidence in, and the smooth running of, the financial sector, whose shutdown would have effects on the real sector too severe for any economy in any jurisdiction to bear.

Maintaining confidence and smooth functioning of the financial sector, in turn, requires attention to the “force multipliers” of a financial crisis:

  • Correlation.  The situation where the same negative factor affects most financial institutions (for example, a sharp drop in housing prices or a sharp rise in unemployment).
  • Connectedness.  The situation where banks lend to and borrow from one another and/or banks purchase each other’s debt and/or equity securities, causing possible linked failures.
  • Contagion.  The situation where events negatively affecting a few banks (usually larger ones) lead to a loss of confidence in other banks, even if these banks are not negatively affected by the same events and there is little or no connectedness.

In any given crisis, any one or all of these force multipliers may be in play. 

In achieving this public policy objective of maintaining confidence and smooth functioning under extremely trying conditions, the RAs must be prepared to address a possible severe financial crisis quickly and effectively.  This goal will require the RAs, together with the Finance Ministry and possibly other government leaders, to prepare and agree upon in advance measures that, if selected, could be put into place without much dissension.  All of the involved organs of government should agree that stopping or at least attenuating a financial crisis, and its concomitant negative effects on the real sector, will necessitate all of the following activities:

  • Allocating losses from failed financial institutions according to policies and procedures that, if not already enshrined in laws and regulations, are at least perceived as fair and do not further alarm depositors and other creditors.
  • Preventing new losses by reducing connectedness and contagion.
  • Bolstering surviving institutions by strengthening capital and liquidity positions, thereby making new lending and refinancing of existing lending possible.

A 2020 financial crisis, should it materialize, will be different from the 2007-2017 Great Financial Crisis (GFC) and subsequent euro-area sovereign debt crisis, because the origin will be an exogenous, real sector shock and not a buildup of vulnerabilities in the financial sector itself.  Even so, the trajectory of a severe real sector shock leading to a financial crisis that reverberates back again on the real sector may necessitate the use of some of the same tools that were used to react to the GFC, but perhaps to an even stronger degree, and may also necessitate the use of new tools with which RAs may be experimenting, and which may have to be adjusted as events unfold.

The questions of transparency and communication

Two common themes of this brief that should be addressed right from the beginning are transparency and communication, which are different but intimately related.  How much transparency should the RAs practice about the intrinsic condition of the financial sector?  And how should these messages be communicated, giving policymakers and the general public the information they need to know, without alarming them?

The main argument in favor of transparency – which includes not delaying the phase-in of accounting and reporting standards that may worsen the reported (but not intrinsic) condition of banks and other financial institutions – is that in the absence of full disclosure and the realization by policymakers and the general public that “adjustments” have been made, they may assume that the condition of the banks is even worse than it really is intrinsically.  Moreover, the effect of relaxed standards on the accounting for and reporting of problem loans, just to take one example, is not evenly distributed across the banks.  The relative ranking of banks in terms of overall financial strength may well change when broad-based adjustments are made in accounting and reporting standards, even if the intrinsic ranking stays the same.  The effect of these changes in relative rankings may be to distort supervisory decision-making, which would be most unfortunate in a time of crisis.

The main argument against transparency, and allowing banks to appear better capitalized and more profitable than they really are, is that policymakers and the general public could become alarmed if they find out that the majority of banks are unprofitable and heading toward capital deficiency or even insolvency.  This concern, which is not to be minimized, stems partly from a confusion about what “bank capital” and “bank insolvency” really are.  Ordinary people tend to confuse capital with cash, and they may interpret a bank’s declining capital position as a hemorrhaging of cash.  In surveys, households often opine that loan-loss allowances are a “fund” that is “drawn down” by a bank in stressful times.  They may also confuse insolvency with illiquidity.

The media often contribute to this confusion, which is why RAs in crisis preparedness mode should devote time and effort to bringing in the media every step of the way in developing or modifying their crisis management programs.  Journalists often confuse terms such as defaulted loans, non-performing loans, rescheduling, restructuring, charge-offs, write-offs, and other concepts which have precise and different meanings in the context of banking regulation and supervision.  They may write headlines alleging that the RAs are allowing deadbeat borrowers to go scot-free.  In some parts of the world, they may have become unused to reporting about bank failures or even display a lack of understanding of what it means if a bank is “failing or likely to fail.”  They may question why insolvent banks are allowed to remain open.  All of this confusion, of course, can be amplified on social media and produce a situation of general panic.

The same tools of effective communication will have to be used if and when RAs allow reductions in capital and liquidity buffers, such as the countercyclical capital buffer and the high-quality liquid assets required by the Liquidity Coverage Ratio, as some have already done.  Policymakers and the general public must be convinced that these buffers were created with the expectation that they will be used in a stressed environment, and that RAs are not asleep at the wheel by allowing these buffers to be drawn down.

Going back to first principles:  how to deal with the technical insolvency of the entire banking system in the aggregate

It’s instructive to look at the worst-case situation and measures to handle it, then work back to the factors that may lead to such a situation.  With economies essentially stopped or frozen, RAs may contemplate a banking system that in the aggregate is insolvent (assets less than liabilities) quite possibly in a market-value sense, and even in a book-value sense.  (As RAs seldom make decisions based on the market value of institutions, this brief will assume insolvency is on a book-value basis.)

Banks, individually and in the aggregate, can continue to operate for months, or even years, in a situation of negative capital, though this condition is hardly desirable.[ii]  Some of the decisions RAs will have to make over the next few weeks and months will be:

  • Do we close banks with negative capital, or, even more severely, close banks when capital is still positive but below regulatory minima?
  • Do we adjust accounting and/or reporting rules to make insolvent banks appear solvent?
  • What kind of disclosures are required?
  • Should we recapitalize insolvent banks with public money?

One possibility is for RAs to be completely transparent about the situation of industry insolvency, communicating to policymakers and the general public that this is the condition facing the entire industry, and the health of the banks in the aggregate is a concern that the RAs are monitoring closely.  It is instructive that this was not the approach taken in the early 1980s in the United States, when the entire savings and loan (savings bank) industry was insolvent, and accounting rules and regulatory capital reporting were jiggled to make the industry appear solvent.

The move was not transparent, but it was transparently political to anyone paying attention; few astute industry observers were fooled.  CEOs of these intrinsically-insolvent institutions also responded to these acts of grace by taking on even more risk, so that several years later, when the accounting and reporting rules were changed again in the direction of greater (though not perfect) reality, the “hole to fill” was much bigger than it would have been if the regulators had been transparent from the very beginning.

An argument can also be made for keeping a large number of intrinsically-insolvent banks open to serve community needs during the crisis and obviate additional complex decisions on which of them, and which parts of them, provide “critical services” to the real economy.  To that extent, and with some adjustments (described below), an entire insolvent banking sector can be kept open and functioning almost as a public utility.

Of course, in many jurisdictions there are laws and regulations requiring RAs to intervene when a bank’s capital falls below a certain level.  Situations described by terms such as “failing or likely to fail,” “point of non-viability,” “critically-undercapitalized,” etc., have mandated supervisory action such as beginning resolution procedures, revoking the banking license, placing the bank in conservatorship or receivership, or even liquidating the bank.  As part of crisis preparedness, RAs may elect to approach lawmakers, or may change their own regulations autonomously, for authority to waive these mandated actions in order to keep troubled banks functioning without any kind of disruptive intervention.

Recapitalizations of individual banks with public money may also be an option.  As mentioned above, a financial crisis more often than not spreads to the real economy, causing a decline in the level of economic activity.  Therefore, one goal of financial crisis preparation and management is to keep banks adequately capitalized and thereby able to continue lending to the real economy.  From both an asset-liability management perspective and a liquidity perspective, recapitalizing banks may help replace interest-bearing liabilities (some of which may have run off) with an interest-free (though not necessarily cost-free) source of funds, perhaps boosting bank profitability while keeping the size of the balance sheet constant and avoiding painful deleveraging.[iii]

Meeting the liquidity needs of banks

Much has already been written in the national and international media about various measures adopted by central banks, such as easing requirements for discount window borrowing and long-term refinancing, to sustain the liquidity of commercial banks, which will not be covered in this brief except to remind readers that an insolvent bank can remain open for a long period of time, while an illiquid bank must be closed (or resolved) immediately.  Central banks may also elect to support entire markets for certain classes of securities, such as commercial paper or the activities of broker/dealers, to keep the liquidity of the system flowing, a practice known as “eligibility easing.”

In the broader markets, central banks should be alert to reports of unusual efforts by banks to sell these classes of securities.  Fire-sales of assets to meet immediate liquidity demands can push a bank or banks from an illiquidity position to an insolvency position, and may cause the markets for these classes of securities to freeze up completely.

However, in crisis preparedness steps, RAs and banks must also remember that there are two, not one, main sources of liquidity disturbance that tend to erupt at the onset of a financial crisis:  panic withdrawals of deposits and drawdowns by customers of available credit under lines of credit.  RAs may elect to encourage banks to “know their customers,” that is, review their credit lines and their sources of deposits and try to anticipate the drawdown and withdrawal responses of the most stressed enterprises and households.  Some of these enterprises and households may be calmed by communications from the banks that their needs will be met.  Deposit insurers, in particular, have a special responsibility to calm the public and gently discourage depositors from withdrawing more than the necessary amounts of funds from their accounts.

Deposit insurers, supported by government policymakers, may also elect to raise the covered amount, as was practiced by several deposit insurers at the onset of the GFC.  RAs may also choose to pause any discussions that may have been started over “bailing in” uncovered depositors.  It may also be necessary for deposit insurers to commit (with fiscal backing, if required) to immediate depositor payout from accounts at a closed bank if immediate payout is not yet a long-standing practice in that jurisdiction.  All of these measures may help to avoid a rush to cash out of accounts or stop a rush that is already in progress.

Temporary and tailored modifications to insolvency regimes to obviate closing banks and throwing borrowers into bankruptcy

In many jurisdictions, failed banks are handled by collective insolvency proceedings which entail the partial or total divestment of a debtor (the failed bank) and the appointment of a liquidator or an administrator normally applicable to banks under national law and either specific to those institutions or generally applicable to any natural or legal person.  Some jurisdictions have special provisions for banks, whether they are systemic or not.  Sometimes they are self-contained and bank-specific (like in the United States).  That approach is preferable, in that it keeps failed banks as much as possible out of the court system, where resolution may drag on for months or even years.  Other jurisdictions use the ordinary bankruptcy or company law but with special provisions for banks, which leads to confusion in many instances.

Whichever approach is used – and there may not be time or political appetite for emergency changes to insolvency regimes – RAs may try to speed up the handling of failed banks during the COVID-19 crisis by adopting some of these modifications:

  • Suspending the duty by bank directors to file for bankruptcy in those jurisdictions where corporate directors are subject to this duty.  This duty seems irrelevant, and possibly could provoke alarm, if RAs have an explicit policy of allowing insolvent banks to keep operating.
  • Suspending the duty, if it exists in a jurisdiction, to recapitalize or liquidate companies.
  • Suspension of creditors’ rights to file an involuntary bankruptcy petition against a bank.
  • Prohibiting critical third-party vendors of a bank from terminating contracts with the bank due to missed payments, when COVID-19 is the reason.
  • Relaxing liability of directors and officers of banks hovering in the zone of insolvency due to COVID-19, to enable them to implement recovery plans (if they have them) without distraction or interruption.

It should be clear that in the wider commercial environment these measures may be applied to bank borrowers, as well as to the banks themselves.  If enterprises that are viable but for COVID-19 interruptions are not automatically thrown into bankruptcy proceedings, the banks that have lent to them can pursue loan workout strategies with the existing management structure and asset mix, possibly speeding their recovery when economic activity begins to resume.

The impact of borrower distress, loan rescheduling and restructuring, repayment moratoria, and accounting and reporting practices on bank profitability and capital adequacy

Many jurisdictions around the world have encouraged or required their banks to reschedule loans for all or certain classes of borrowers who will find it difficult or impossible to make scheduled principal and interest payments, as a result of a generalized economic shutdown due to COVID-19.  (Rescheduling is to be carefully distinguished from restructuring.  The former refers to stretching out the timeline of required payments of principal and/or interest on a loan; the latter refers to actually reducing those payments, through waiving part of the principal and/or reducing the interest rate.  Sometimes a loan modification combines both rescheduling and restructuring.)

In both rescheduling and restructuring, the intent of the bank should be that the borrower will be able to meet the revised schedule of principal and interest payments.  For loan classification and regulatory provisioning purposes, under a pre-IFRS 9 or transition period regime, the loans could be upgraded to “performing” or “standard” status, once the borrower emerges from any “grace period” embedded in the new contract and actually begins to make payments according to the revised schedule.

Things get complicated when the transition to IFRS 9 and COVID-19 reschedulings and restructurings are occurring simultaneously.  Most jurisdictions that have implemented loan repayment moratoria in response to COVID-19 have done so on a blanket basis (or at least targeting certain industries that are likely to be most affected), not for individual borrowers.  Moratoria have also been combined with governmental guarantees, particularly for loans to small- and medium-sized enterprises (SMEs).  In general, RAs have taken a lenient attitude toward accounting and reporting for these loans, not requiring them to be considered “non-performing” and not requiring them, from an IFRS 9 perspective, to be treated as having experienced “a significant increase in credit risk,” which would otherwise have necessitated a move to “Stage 2” and an increase in required loan-loss allowances.

The philosophy behind this relatively lenient attitude, especially with regard to the blanket moratoria, is that IFRS 9 could envision a “long-long” term approach to firm viability, so that the current dire situation is viewed (from a discounted net cash flow basis) as just a “blip” in a long chain of expected payments.  Especially when combined with government guarantees, loans whose required repayment is stretched out over a 10-year (or longer) period in a near-zero interest-rate environment would hardly even require more loan-loss allowances.

Restructurings, on the other hand, pose a different set of challenges.  When principal and/or interest payments are actually reduced, and not just stretched out over longer time periods, discounted cash flows can decrease substantially even with ultra-low interest rates.  In that situation, RAs may elect to apply existing accounting and reporting rules with less or no leniency.

As time goes on, with COVID-19 looking like a long-lasting, devastating hit to the level of economic activity, some RAs may begin to advocate delaying the implementation of IFRS 9 (or other expected credit loss regimes).  In the United States, for example, the Chair of the Federal Deposit Insurance Corporation (FDIC, which is a banking supervision agency, resolution agency, and deposit insurance fund all at the same time) wrote to the Financial Accounting Standards Board (FASB, the standard-setter for the accounting regime used in the United States) asking for a delay in implementing the Current Expected Credit Loss (CECL) regime, a stricter and simpler variant of IFRS 9, for banks currently subject to the transition.  Her reasoning was that banks could then “better focus on supporting lending to creditworthy households and businesses.”[iv]

There is no doubt that IFRS 9 and CECL are more complex than earlier rules for determining loan-loss allowances, and there may be some merit in the argument that banks, many of whom may soon be operating with diminished staff numbers, should focus on the provision of basic services and not on implementation of complex accounting rules.  However, RAs should exercise extreme caution in advocating for a delayed transition on the grounds that it would make (reported) capital and (reported) profitability look worse (to be fair, the FDIC Chair was not making that argument), or that a delayed transition would result in more loans being originated than under the current transition.

There is a long-standing dispute in banking and bank supervision and regulation over the idea that a strict regime of loan-loss provisioning leads to less lending, and a more relaxed regime leads to more lending.  The idea has a certain plausibility, but cracks in the wall of certainty appear as soon as one considers that no loan-loss provisioning regime can alter the occurrence or the magnitude of credit losses, only the timing of these losses’ recognition.  Loss recognition can be upfronted, or it can be pushed forward in time; but the magnitude of the loss results only from the ability and willingness of the borrower to repay the loan on time and in full.  Most loan officers will say that the provisioning regime in force has no impact on their decision to approve a loan or not; what matters is only the contours of the bank’s overall credit policy and their own assessment of borrower ability and willingness.

Another argument against delaying the transition to IFRS 9 or CECL is that “temporary” measures to address reported (though not intrinsic) bank capital and profitability have a way of becoming permanent, long after the crisis conditions have abated.  The combined efforts of international standard-setting bodies and RAs throughout the world to introduce tougher requirements to bolster the resiliency of banks and lessen the probability of another financial crisis have already required enormous adjustment, much of it successful, on the part of the banks.  It would be a shame if the banks used the tragedies of the current crisis to successfully advocate for a permanent relaxation of capital, liquidity, accounting, reporting, or disclosure requirements.

Conclusion:  Prepare, be transparent, and seek legislative authorization for extraordinary measures

RAs around the world are in an extremely difficult position.  They are going to be required to make rapid-fire decisions, spurred on by capital and liquidity stress conditions at banks and other financial institutions, in an environment in which senior officers and staff – at both the RAs and their regulated institutions – may be absent or incapacitated.  That frightful situation brings into even sharper view the necessity for RAs to prepare for crises, and get their crisis management tools ready and sharpened, for rapid deployment.

In the long run, the legitimacy of RAs will depend on how, and how well, they used their delegated authorities from their constitutionally-enacted legislative frameworks.  Extraordinary measures, such as allowing banks to remain open with negative capital, should have legislative authorization, so that post-crisis inquiry commissions (What did the RAs know?  When did they know it?  Did they take appropriate and timely action, given their authority?) do not result in constraints on these RAs’ future abilities to respond to crises nimbly and effectively.

And finally, transparency does matter.  Policymakers and the general public have the right to know the true condition of individual banks and the banking sector as a whole.  Perverse as it may sound, one of the benefits of the waves of financial crises that have washed over the world in the last 50 years is that the public may be less sensitive to negative news coming out of the financial sector, and more accepting of the reassurances given by RAs and governments.  But they will not be fooled by accounting and reporting manipulation that has fooled them too often in the past.

References

[i] This brief is intended to lay out issues and options for regulatory authorities.  It is not intended to provide technical advice or advocate for the adoption of laws, regulations, and policies.  The phrase “may” is to be construed in the subjunctive sense and not the permissive sense.  The situations described are hypothetical and should not be construed as predictions. 

[ii] Drawbacks of leaving an insolvent bank open are well-known:  first, the incentive for bank directors and officers to take on much higher credit, market, and liquidity risk in order to “win the bet” and return to solvency; second, the difficulties faced by an insolvent bank in staying profitable with far fewer interest-earning assets than interest-bearing liabilities, perhaps increasing the “size of the hole” to fill; third, the possible loss of confidence of bank depositors and other creditors as the insolvency drags on; and others. 

[iii] An encouraging example of bank recapitalization came from the United States, where at the height of the GFC the Treasury bought shares in 707 banks between March and December 2009, spending $205 billion.  Eventually, as the markets recovered, the vast majority of those shares were repurchased by the banks, returning over $220 billion to the Treasury.  The program, called the “Capital Purchase Program,” was not a complete success:  32 banks that had received capital injections still failed. 

[iv] Letter from Jelena McWilliams, FDIC Chair, to Shayne Kuhaneck, Acting Technical Director, FASB, “Request for Delay in Transitions to and Exclusions from Certain Accounting Rules,” 19 March 2020. 

COVID-19: Financial Stability and Business Continuity Management – Part B
https://suara.seacen.org/covid-19-financial-stability-and-business-continuity-management-part-b/
Mon, 23 Mar 2020

This is the second of a two-part series of our discussion on COVID-19, financial stability and business continuity management (BCM). In Part A we discussed the steps regulatory authorities can take to implement their own BCM programs, and expect from their regulated FIs, during the current pandemic.

This blog post is Part B, and is divided into two main sections: (1) the intensification of regulatory, supervisory and resolution activity the authorities can expect, while at the same time running on reduced manpower; and (2) thoughts on a new crisis management framework to put in place when the current crisis has passed and economies start to recover.

Intensified regulatory, supervisory and resolution activity: challenges of “scaling down”

During the period when COVID-19 is spreading rapidly, regulatory authorities will have to perform a kind of heroic double-duty: the authorities themselves may need to implement BCM while, at the same time, keeping an eye on the regulated FIs’ implementation of their own BCM programs (if they have them at all). Beyond that, the authorities have to keep an eye on the spillover effects from the real economy on their regulated FIs and consider running screens to determine which of them are the most exposed to the most affected sectors, such as autos, logistics, energy, transport, tourism and retail. Keeping an eye on the financial industry while the authorities’ own functions are constrained, due to a lack of manpower, will be a big challenge – intensifying the need for risk-based supervision. There has never been a greater need, and a more important role, for off-site supervision than there is today.

One of the first pillars of most BCM programs is “scaling down” activities. But in the event that the economic fallout from COVID-19 spills over into generalised weaknesses in the financial sector, then central banks and other regulatory authorities will have to make many quick decisions on many fronts. This is the opposite of “scaling down.” The regulators may have to meet for long hours, some working from remote locations, to put into effect contingency plans to shore up banks’ capital, cash supply and liquidity. Some key staff may not even be available remotely, while undergoing treatment.

Some of the urgent measures that either could be or are already being taken to shore up financial stability, apart from monetary policy decisions which are not the subject of this blog post, could be: (1) for central banks, the creation of additional lines of credit or reducing collateral requirements and/or expanding the range of acceptable collateral on existing lines of credit to support specific markets (such as the broker-dealer market), certain industries or certain classes of firms such as SMEs (these measures are often collectively referred to as “eligibility easing”); (2) also for central banks, the outright purchase from FIs of securities, the liquidity of whose markets has dried up; and (3) for finance ministries (but in consultation with the regulatory authorities), the purchase of shares newly issued by FIs to bolster their capital bases.

That last intervention, it should be noted, was practiced on a very wide scale in the United States at the height of the Great Financial Crisis. Policymakers realised that it was necessary to keep banks lending, which would be practically impossible in an environment where capital positions were very thin or non-existent. Over 700 banks issued shares that were bought by the US Treasury, which gradually sold the shares back to the banks when the markets and the overall economy recovered. A decade later, this intervention is still recognised as the single most effective measure taken anywhere in the world to prevent a generalized financial sector collapse.

Implementing all of these measures is very labour-intensive, at a time when senior management and staff of the regulatory authorities may be working remotely or not working at all. Regulators may also have to meet with directors and officers of FIs to discuss and agree on urgent measures. These meetings may also have to be held remotely, which is difficult in the best of times.

One subject that is attracting increasing attention is regulatory relief. Pressures on the authorities for regulatory relief, which are present even in more normal times, will intensify the longer the virus looms as a threat, requiring long and possibly contentious meetings with elected officials in many countries. Regulatory relief could take the form of permitting FIs to draw down their Pillar 2 or systemic capital buffers, relaxing provisioning requirements on assets exposed to heightened credit risk or delaying by months or years the full implementation of Expected Credit Loss (ECL) methods of determining loan-loss allowances, encouraging or even requiring FIs to reschedule or restructure loans without immediately recognizing losses, delaying the implementation of the Net Stable Funding Ratio (NSFR, a key mandate of Basel III), and other measures that in normal times would be criticised as “forbearance.”

In fact, regulatory and borrower relief have already been implemented in Italy, Europe’s hardest-hit country. For example, Italy has declared a moratorium on mortgage payments, with the state ultimately guaranteeing these payments. How are these programs going to be implemented by understaffed regulators, and how are their impacts on financial institutions going to be assessed? What happens if shortages of staff at banks result in reduction in the supply of critical data? Many banks are now in the process of preparing their annual financial statements for 2019. Although these statements won’t reflect the effect of COVID-19 on their operations, the reports and the auditors’ opinion on these reports may be delayed for weeks, or even months, along with delays in the transmission of more current data.

Conclusion: A look into the future

If a serious global financial crisis is precipitated by the COVID-19 pandemic, and large-scale measures are taken to reduce the intensity and impact of the crisis, there will inevitably be second-guessing and cries that the regulatory authorities favoured this or that group, didn’t act quickly enough, exceeded their legislative authority or made other crucial errors. As difficult as it may be during a crisis in which many senior officials may be absent, it is essential to document the discussions and rationale for the decisions taken. Without this documentation, regulatory authorities will face crises of legitimacy long after the actual financial crisis has abated.

In the new post-crisis world, stress testing and contingency planning will rise even further on the list of essential activities by both regulatory authorities and FIs to maintain financial stability. Pandemics will have to be added to the list of risk factors that today are mostly macrofinancial in nature. Stress tests that envision the widespread unavailability of electricity or telecommunications may have to be added to the analytical mix, as well as the failure of a major financial market infrastructure or major FI whose connectedness to the entire financial system poses a risk to every other FI.

COVID-19: Financial Stability and Business Continuity Management – Part A
https://suara.seacen.org/covid-19-financial-stability-and-business-continuity-management-part-a/
Wed, 18 Mar 2020 02:48:30 +0000

In many conference speeches, training presentations and papers since the end of the Great Financial Crisis, we often heard or read that “we don’t know when or from where the next crisis will come, but it will surely come.” It is too early to say that COVID-19 is or will precipitate another large-scale global financial crisis, but the potential in the current environment for an intensified period of financial instability is surely present.

COVID-19 has already taken lives and caused suffering in many countries around the world. The human tragedy should always be first in our minds as financial sector regulators, as we discuss ways to maintain financial stability, of which business continuity management (BCM) of central banks, stand-alone financial sector regulatory authorities, deposit insurance agencies (collectively, regulatory authorities), and financial institutions (FIs) themselves plays a central role.

The threat of the virus has put everyone on alert as governments, regulatory agencies and health professionals provide guidance and possible restrictions on movement and gatherings to prevent the spread of the virus. Central banks and policymakers have also taken sizable and coordinated monetary policy and economic measures to mitigate the impact of COVID-19 on the global economy.

Regulatory authorities globally continue to monitor and assess the impact COVID-19 will have on FIs. Recently, it was reported that US financial regulators were preparing contingency arrangements, including travel restrictions and home-working, to ensure they can effectively oversee the financial markets as the virus closes in on the US capital. Many have instituted rules and regulations as well as relevant guidance to assist FIs in implementing or augmenting their BCM programs to minimise the potential adverse effects of a pandemic, including COVID-19.

This blog post consists of three (3) main sections and is published in two (2) parts: Part A and Part B. Part A is the first section, and presents a discussion of the steps regulatory authorities can take to implement their own BCM programs, and what they can expect from their regulated FIs, during the current pandemic. Part B consists of two (2) main sections: (1) the intensification of regulatory, supervisory and resolution activity the authorities can expect, while at the same time running on reduced manpower; and (2) thoughts on a new crisis management framework to put in place when the current crisis has passed and economies start to recover.

Business continuity management during a pandemic: a new twist on a very old practice

If there is one important, critical function of the regulatory authorities in the face of widespread possible disruption in financial services, it must be to maintain the confidence of individuals, households, businesses and investors in the financial system. If suppliers of funds to FIs lose confidence, massive asset sales and deposit withdrawals could result, a kind of forced deleveraging that would require extremely large injections of liquidity by central banks to revive moribund financial markets and preserve the smooth functioning of payment systems, without which declines in the level of economic activity will be exacerbated.

Maintaining confidence, of course, requires also that deposit insurance agencies set up programs to immediately pay out depositors of failed FIs. In an acute, long-lasting crisis, the desired currency-to-deposit ratio might rise sharply as households and firms hoard cash, necessitating a rapid upscaling of banknote printing and distribution.

It’s a good thing that many of the critical banking functions have been automated over the last few decades, requiring less human involvement. But human involvement is still necessary to screen and flag reports, turn equipment on and off, maintain equipment, control access to key infrastructure and so forth. FI staff or third-party vendor staff will still be necessary to keep ATMs functioning, for example.

A possible downside of increased automation, and one that requires intensified vigilance by FI senior management and staff (and not only in the server room), is that cyber criminals and fraudsters may take advantage of a chaotic situation at one or more FIs to strike, believing that management is distracted by issues related to the virus. The current stressful period is no time to scrimp on resources devoted to ICT risk management, of which cyber risk management is an integral part. Beyond pure cyber risk, FIs may face power outages and interruptions to telephone and internet service if unavailability of manpower begins to affect key utility providers.

Post-2008 financial regulatory reforms emphasised the importance of FIs and identified critical business functions and operations in their crisis management, resolution and recovery planning. A strategic analysis of the firm’s essential and systemically important functions is necessary for resolution planning and for assessing resolvability. It should help ensure that the resolution strategy and operational plan include appropriate actions that help maintain continuity of these functions while avoiding unnecessary destruction of value and minimising, where possible, the costs of resolution to home and host authorities and losses to creditors.

Given the particular features of a pandemic, however, including a potentially longer duration than envisioned in many traditional crisis management scenarios, the critical business functions identified in the traditional BCM program may not always provide sufficient guidance for conducting operations in a pandemic scenario. Explicit identification of the highest priority critical business functions and operations will help to ensure they receive appropriate resources. These functions and operations could be defined as activities which, if not performed or maintained for more than a very short period, would cause the FI to be in default on its obligations or otherwise threaten its financial soundness.

For example, FIs may consider it appropriate to focus on servicing existing customers and completing transactions already in progress, and closing or minimising risk positions. They may choose to defer or suspend activities such as new business development, opening new accounts, undertaking special or new projects or any internal non-essential systems changes within the organisation. These activities may be progressively scaled back based on the phase of the pandemic or available resources.

The most commonly cited critical business functions of regulated FIs, which would also be consistent with governmental priorities for public confidence, generally include (but are not limited to):
• Core risk management functions — particularly market, operational, credit and liquidity risk monitoring;
• General ledger/finance capabilities to allow monitoring of the overall financial (including capital) position of the FI;
• Call centres handling customer transactions and enquiries (excluding, for example, outbound or sales calls);
• Data centres, recovery sites and critical third-party suppliers supporting critical functions;
• Cash supply and currency distribution, including operation of automated teller machines (ATMs);
• Retail payments and banking systems that provide existing customers with access to funds, including EFTPOS, bill payments, credit cards, telephone banking and Internet banking;
• Automated direct entry payment processing for existing customers, including government payments and payroll processing for corporate customers, as well as payments to suppliers and staff;
• Credit functions, in particular those processing functions necessary for managing retail, corporate and institutional access to credit, particularly for pandemic-affected borrowers;
• For larger FIs, wholesale payments clearing and settlement activities, including interbank settlements, securities settlements and custody, particularly where these functions are provided to other FIs; and
• Limited trading functions for FIs active in markets operated by exchanges as well as over-the-counter — in particular, those functions necessary for completing transactions for existing customers and managing liquidity of the FI.

It should be noted that FIs are already taking action. In light of these acute challenges, FIs in the United Kingdom and United States are sending hundreds of staff to their UK and US disaster recovery sites, installing big screens in traders’ homes and pushing regulators for a reprieve on trading rules so they can keep their businesses running through a COVID-19 outbreak.

The efforts by big global banks including Goldman Sachs, JPMorgan Chase, Morgan Stanley and Barclays are an escalation of BCM program implementation that has already prompted them to segregate staff in Asian cities at the initial epicentre of the COVID-19 outbreak.

Of course, the real difficulty with the current situation is that even working from remote sites will not be possible as they too are open to becoming contaminated. So, the clearest way forward will be to allow all critical staff to be able to work from home remotely. In fact, these moves are being forced upon many banks, including central banks, given the lockdowns being implemented in various countries across Asia (such as the Philippines and Malaysia). The recent moves to cloud technology can help, as we note that even whilst in the office, many staff are logging onto remote servers containing all their files and data. The move to work from home for extended periods should therefore be something that is quite easily achievable.

Even once this is all in place, the real challenge will come when some of the more senior members of staff contract COVID-19. The virus does not discriminate, and we have already seen a number of celebrities and politicians contract it. So how will the market cope if/when a central bank governor, a bank CEO or the Prime Minister or President of a country, or their senior staff, start to contract the virus? Central banks, regulators, governments, and private organisations should also have a clear back-up plan for their chain of command so that they can reassure the markets that there are other experienced staff available to continue running the show and prevent further panic and instability, should the worst occur to their leadership teams.

Emerging Cyber Threats to the Financial Sector
https://suara.seacen.org/emerging-cyber-threats-to-the-financial-sector/
Thu, 13 Jun 2019 01:00:53 +0000

Information and communication technology has become a central part of social, cultural and economic life for an increasing number of businesses and individuals. Banking and financial services have seen enormous innovations in recent years in the use of technology.

Technology has given birth to a new era in banking that brings efficiency gains for financial institutions, improved access to services by consumers and fosters financial inclusion. In the field of payments, services are increasingly instant, 24/7 and globally available.  Non-bank participants, meanwhile, are disrupting traditional intermediation.  Artificial intelligence and machine learning are just two of the innovations promising to revolutionise financial services.

However, revolution and evolution create a range of new and partially understood risks that evolve quickly, while not eliminating all the old ones.  In a world that is rapidly becoming more digitalised, reliant on data and increasingly interconnected, a key concern for policymakers is the link between cyber risk and financial stability.  The financial services sector has traditionally been a magnet for cyberattacks due to both the attractiveness of financial gain and access to confidential financial data.

The link between cyber risk and financial stability could be through a range of transmission channels such as interconnectedness, confidence and data integrity.  There is even the potential dynamic of a cyber-triggered bank run.

Post-2008 and the Great Financial Crisis (GFC), regulatory reforms have focused on both individual firm safety and soundness as well as the potential impact that distress at global systemically important banks (G-SIFIs) imposes on financial stability or the global economy.  More specifically, a key focus has been on (1) enhancing the resiliency of individual banks, especially G-SIFIs, to lower the probability of failure or inability to serve as an intermediary of critical services and (2) reducing the impact on the financial system or economy in the event of failure or material weakness.

Cyber Risk Complexities and Challenges

Within this context, cyber risk is viewed through the lens of operational resiliency, where a cyberattack threatens the ability of a firm to provide critical financial services.  It takes into consideration the firm’s immediate business partners, including counterparties and third parties to which certain cyber-security activities, like threat monitoring or data storing, have been outsourced.

However, the true aggregation of risks related to cyberspace goes well beyond other operational shocks such as those related to natural events or human error.  The issue of interconnected networks and the rapid concentration of third-party service providers introduces a new dimension to risk.  For example, there are risks stemming from upstream infrastructure (e.g., electricity, water supply, financial market infrastructures) or technological externalities (e.g., the entry of disruptive new technologies) which are outside the control of individual firms.

While ransomware and malware attacks such as the 2017 WannaCry and NotPetya attacks demonstrated the importance of restricting administrator privileges, they also clearly show that the threat is getting ever more sophisticated.  For example, NotPetya malware searched infected systems for common administrator tools which it could then take over.  The attack also highlighted the need for firms to look at other forms of security like endpoint monitoring, network zoning and security intelligence platforms.

Cyberattacks, by definition, involve an intention to steal data rather than solely direct monetary theft.  They are intended to disrupt business operations, or corrupt or destroy data.  They are planned over longer periods, are targeted and are deliberate and intentional.  In addition, during a cyber event, the adversary is likely to evolve and may even actively respond.

Cyber events are also driven by nation states, organised crime and political activists.  In the case of state-sponsored cyberattacks, a bank may or may not be the intended target. To this end, cyber risk management or cybersecurity is not purely about protection but also about response and recovery.

One of the key lessons learned from the 2017 NotPetya attack in Ukraine that crippled Maersk, the world’s largest container company by both fleet size and cargo capacity, for almost 14 days, was that businesses may not be the intended target in cyber warfare.  However, they may be collateral damage.  In fact, Mondelez, the maker of Oreos and Cadbury chocolate, has brought a $100 million lawsuit against Zurich Insurance Group for damages related to NotPetya. In June 2018, Zurich countered that NotPetya fell under an exclusion in the insurance policy covering “hostile or warlike action in time of peace or war,” which meant the insurer did not have to make good on the claim.

In banking and finance, data confidentiality, integrity and availability are paramount. Confidentiality is about making sure information is restricted, so it only reaches its targeted audience and does not fall into the wrong hands.  Integrity involves maintaining the consistency, accuracy and trustworthiness of data.  Availability is about making sure information is available to read and use whenever we want.  In cases of cyberattacks that involve data corruption or destructive malware, a bank may be slow in its response or its recovery may be impaired, and this can have an immediate and devastating impact on public confidence.  For example, the ability to respond and recover may be disrupted if there is data destruction or corruption in a scenario that is also likely to include considerable uncertainty.

How should banks protect themselves and respond to cyber threats and attacks?

An effective risk management framework with appropriate governance and controls is one way to mitigate cyber risks.  Banks and financial institutions must ensure that systems, processes and people are in place to deal with the inevitable attack.  As noted above, a key focus of post-GFC regulatory reforms is to promote financial stability and promote financial resilience.  From this perspective, strong cyber governance and controls are seen as critical to promoting and supporting operational resilience.  To this end, banks and other financial institutions are investing heavily in resource and management capabilities in terms of technology, process and personnel.   According to the 2018 Thales Data Threat Report – Financial Services Edition, global spending on cybersecurity through 2021 is estimated as high as $1 trillion.

Cybersecurity is more than protection, prevention and detection.  It includes a comprehensive process to assess cyber-related capabilities; identification of gaps in business resilience requirements such as recovery time objectives; risk monitoring and testing programs; and management reporting to facilitate appropriate prioritization.  Moreover, bank resiliency increasingly depends on the resiliency of third-party service providers.

Cybersecurity is also more than ensuring that a bank’s infrastructure is running up-to-date and fully patched systems.  Banks should consider all critical systems required to keep their business operating as well as consider how to isolate systems that are compromised or may have been compromised in a cyber incident or fast-moving situation.

It also means having competent and qualified IT, cybersecurity, business and products personnel in place.  Cyber security requires a different set of skills and abilities including systems development and acquisition lifecycles; general enterprise architecture and IT governance; and IT service management sub-disciplines such as asset management and configuration management.  Even within the technology fields, cybersecurity efforts involve specialised disciplines that are not usually addressed by general IT experts related to perimeter defence, endpoint security and authentication.  Acquiring and retaining the critical talent for these activities is a growing challenge. Banks should have well-trained staff who are not afraid to blow the whistle when they believe something will threaten the security of the business.

Cyber risk management requires banks to stay up to date with the latest types of attack.  This requires investment in automated and intelligent cyber security management.  Systems must be such that cybersecurity personnel and management are quickly alerted if there are any breaches in security within the first few minutes, or even hours.  Systems must be responsive enough to run effectively during a very fast-moving situation as well as provide a record of exactly how the incident unfolds.  This will allow banks to further improve defences and responses to the next incident.

Targets should always assume that an attack will get through eventually.  To this end, systems should be properly and frequently backed up.  Frequent fire drills should be conducted to practise restoring everything from back-ups.  Banks should keep a log on how long it would take to get systems, and data, back up and running from those systems.  In the case of Maersk, it took more than ten (10) days for the firm to return to normalcy after the NotPetya attack because even back-up files were contaminated.  In this regard, it is also imperative that banks and other financial institutions have an incident response plan and practise it.  The plan should consider:

  • Who will be involved?
  • How will they communicate?
  • Which partner companies can help in business restoration?
  • What will be the impact of a firm’s failure on its business supply chain?
  • How prepared are business partners if they get hit?
  • Is there a need to talk to regulators or law enforcement?

Finally, protection is important but equally critical is a strong recovery process.  For Maersk, the recovery operation relied heavily on human resilience.  Not all cyberattacks are targeted and banks may find themselves the unintended victims (collateral) of these events.  Therefore, banks should not approach their cyber defences as if hackers will specifically target them.

While protecting networks and critical systems is the ultimate goal, equally important is having a data recovery plan in place.  In the event of the worst happening and critical services being knocked out, banks should consider how they would continue to operate and carry on their banking business.  To this end, banks’ management must have the ability to really understand their core business processes.  They need to know everything about the systems and applications which run their operations.

Finally, they must have a good understanding of the criticality of all systems and applications and understand how to protect, secure and recover from cyber events.  This requires more of a balance between the preventative and the recovery measures.
