The COVID-19 pandemic tested the ability of all businesses and government organizations to adjust to pandemic-driven challenges. The Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism has conducted a survey and produced an interesting report on how EU regulators handled the pandemic crisis and what lessons were learned with regard to Business Continuity planning. We, at Reporta, believe there are interesting discoveries made that are relevant to Fintech companies as well. Please see the report link below and enjoy a quick summary by the Reporta team.
Business Continuity Plans (BCP) proved to be a useful tool for helping countries swiftly overcome crisis situations. It is evident that those countries that had engaged in business continuity management earlier and developed a more formalized approach - be it by adopting a Crisis Management Plan (CMP), a Business Continuity Plan (BCP) or establishing a Crisis Committee - had ensured minimal disruption to their operations. In order to effectively address crisis situations, several jurisdictions mentioned the creation of dedicated Crisis Management Committees, comprising at least one member of senior-level management. Due to the limitations on physical movement and the need to make use of virtual meetings and other forms of communication, involving IT and internal security departments in the development and implementation of business continuity strategies and plans appeared to be a good practice.
Supervisors during the COVID-19 pandemic have faced new challenges, mainly related to the proper assessment of emerging risks and communication with the obliged entities on appropriate mitigating measures to be taken. The primary challenge for supervisory authorities, as for most of the other entities, was the transition to generalized remote working during the lockdown and the other extraordinary measures implemented by governments in order to prevent the pandemic from spreading.
The majority of the responding supervisory authorities declared having BCPs already in place when the COVID-19 pandemic started, which included various kinds of possible crisis scenarios, such as natural disasters, state of war, terrorist attacks, outages, technical system failures or cyber-attacks. However, the pandemic/outbreak scenario was rarely mentioned, and only one country had a specific pandemic scenario covered in its BCP.
The majority of surveyed supervisors are now conducting hybrid on-site inspections, where information/documentation is requested electronically and meetings are then held with representatives of reporting entities by commercially available video communication methods. If a physical on-site inspection is required, it is undertaken in strict compliance with all anti-epidemic measures.
Supervisors from different jurisdictions have found different solutions to ensure data security, and specific IT security measures were implemented. The pandemic crisis prompted both the private and public sector to rapidly increase digitalization of their core functions in order to maintain operational continuity. Multi-factor authentication was added as an extra security layer. In addition to a VPN (Virtual Private Network), which refers to a secure communication tunnel between two online locations, supervisors have used privileged user control and connection encryption service systems, which make it possible to establish secure, isolated remote sessions, log all access information and record all activity during that session. To limit the risk of hacking, stealing or disclosing sensitive data, supervisors restricted settings for downloading data from remote computers to, or printing on, personal devices and also disabled USB and CD drives on the work laptops.
A BCP without training is just a piece of paper or a file in the company. Training all employees on BCP scenarios, roles and responsibilities increased efficiency and reduced losses.
So, to sum up, the key success factors for handling an unexpected crisis are:
- Preparing and testing a BCP
- Setting up and training a crisis management committee
- Involving the IT department in the BCP preparation and testing
- Periodically training employees on the company BCP