The measures must be appropriate to manage and measure the risk associated with coronavirus. Institutions must provide for the management of this risk in their internal risk management documents. The risks related to coronavirus must be assessed in accordance with customer funds protection requirements.
Operational and security risk and the business continuity management process
According to resolution no. 03-264 of the Board of the Bank of Lithuania of 20 December 2018, confirmed by point 8 of the Operational and Security Risk Management Requirements for Payment Service Providers (the Description), payment service providers must create appropriate organisational structures and processes to:
- manage operational and security risks
- perform continuous monitoring of operational functions, supportive processes and information resources
- ensure consistent and integrated monitoring, management and follow-up research of operational and security incidents
- identify and continuously monitor operational and security threats that may have a significant impact on their ability to provide payment services
- provide assistance and advice to payment service users and to raise their awareness of security risks related to payment services
Point 40 of the Description contains a requirement for payment service providers to establish an appropriate business continuity management process to ensure uninterrupted payment service provision and limit losses in the event of business disruption.
Based on their analysis of business disruption risk and its impact, payment service providers must:
- have a business continuity plan which ensures that they will be able to respond appropriately to unforeseen critical situations and to continue to perform critical operations
- put in place risk mitigation measures to be taken in case of disruption of payment services and/or termination of existing contracts with third parties in order to avoid adverse effects on payment systems and payment service users and to ensure the execution of pending payment transactions
In the event of a disruption or emergency situation and the implementation of a business continuity plan, payment service providers must have effective communication tools for crisis management to ensure that all relevant internal and external stakeholders, including external service providers, are informed in a timely and appropriate manner.
What should be included in the business continuity plan with regard to the pandemic situation?
The plan must include measures to be taken by the financial market participant to continue providing its significant services to clients in the event of an unforeseen scenario actually disrupting its normal critical operation. At present, the focus should be on ensuring a sufficient level of financial and human resources to enable the institution to continue its activities.
Each financial institution must realistically assess how its current clients may be affected by the economic slowdown, global quarantine and the closing of borders and anticipate the possible consequences. Consideration should be given to raising capital and providing new payment services to keep the financial institution in the market should the current financial situation deteriorate and differ substantially from its business plan.
In addition, financial market participants need to assess whether they have a strategy for replacing workers/service providers in case of illness. Of particular importance are those employees/service providers whose functions are related to the prevention of money laundering, regulatory compliance, information security and other financial institution operational activities, explain the Ecovis consultants.
Financial institutions should ensure that as many of their employees as possible can work remotely, as recommended by the Government. However, it should not be forgotten that it is important to follow information security best practices, because trying to protect oneself against one threat can make it easy to become the subject of another. Financial institutions need to provide secure access to their information database, protect accounts with passwords and install anti-virus systems and similar tools for their employees.
All documents and plans must be kept up to date. Not only does this provide greater clarity, it can also be a competitive advantage over other financial market participants. Financial institutions with a strategy in place to manage a situation similar to the COVID-19 pandemic will have a real opportunity to test whether and how it works. Those market players who did not foresee any such situation in their business continuity plans, or who do not have a business continuity plan at all, should take immediate steps to prepare one and comply with it.
Financial institutions should ensure proper communication with the Bank of Lithuania and, to the extent available within the existing restrictions, provide services to clients. Those who encounter difficulties in complying with supervisory requirements or ensuring business continuity must inform the Bank of Lithuania immediately.
Lithuanian financial market supervision during the pandemic and quarantine
Despite the situation in the country, financial institution supervision must continue, and the regulator cannot be closed. With this in mind, the Board of the Bank of Lithuania has decided that all meetings related to the supervision of financial market participants can and will be conducted remotely.
In this difficult time for Lithuanian businesses and the economy, financial market participants should not forget their obligations not only to their clients, but also to supervisory institutions. They should fulfil their obligations in a proper and timely manner in order to avoid negative consequences, say the experts from Ecovis.
For further information please contact:
Inga Karulaitytė-Kvainauskienė, Head of Fintech Group, Attorney at Law, Partner, ECOVIS ProventusLaw, Vilnius, Lithuania