Trending publication
Special Edition Nutter Bank Report: Pandemic Preparedness
Print PDFHeadlines
1. Business Continuity Planning for a Pandemic Event
2. Board and Senior Management Responsibilities
3. Communication and Coordination with Third Parties, Including Critical Service Providers
4. Employee Protection Strategies
5. Emergency Branch Closing Procedures and Restrictions on Customer Access
6. Special Considerations for Borrowers Affected by a Pandemic
7. Cybersecurity Awareness: Avoiding Traps and Other Malicious Activities
8. Annual Meeting Considerations
The FFIEC recently issued updated guidance on actions that banks should take to minimize the potential adverse effects of a pandemic. The Interagency Statement on Pandemic Planning (“Interagency Statement”) released on March 6 emphasizes that bank regulators expect that, as part of normal business continuity planning, banks should have plans in place to operate in a pandemic environment and be ready to execute those plans as conditions demand. While traditional business continuity planning requires management to follow a cyclical process of planning, preparing, responding, and recovering, pandemic planning requires additional actions to identify and prioritize essential functions, employees, and resources within the bank, and critical service providers and suppliers. As challenges arise from the nationwide spread of the COVID-19 virus, regulators will expect banks to be prepared to mitigate the reasonably foreseeable effects of the pandemic and continue to provide critical financial products and services to the public without endangering the health and safety of customers, bank employees, or property. Click here for a copy of the Interagency Statement.
1. Business Continuity Planning for a Pandemic Event
According to the Interagency Statement, a bank’s business continuity plan (BCP) should provide for a preventive program to reduce the likelihood that the bank’s operations will be significantly affected by a pandemic. Bank regulators expect a BCP to include plans for monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. Banks should consult the recommendations made by the Centers for Disease Control and Prevention (CDC) and state and local public health officials to employers for advice about planning, preparing, and responding to exposure to the COVID-19 virus. Click here for the CDC’s interim guidance for employers, as well as cleaning and disinfection recommendations.
Bank regulators expect that banks will have the capability to continue critical operations even in the event that large numbers of staff are unavailable for prolonged periods, according to the Interagency Statement. Specifically, the Interagency Statement recommends that a BCP address preventive measures, such as social distancing (e.g., limiting large groups of people coming together, closing buildings, and canceling events) and allowing employees to telecommute. The BCP should also address under what circumstances the bank will impose restrictions on visitors accessing the bank’s facilities and redirect customers from branch offices to electronic or telephone banking services. A bank should consider how its response measures will impact customer reactions, and plan for potential increased demand for, and reliance on, online banking, telephone banking, and ATMs. Banks should consider circumstances under which some functions should be conducted from alternative sites, and how the bank will respond to possible actions by public health and other government authorities that may affect critical business functions, such as quarantines.
Nutter Notes: The Interagency Guidance notes that certain public health measures, such as closing schools and quarantining households, would likely increase rates of employee absenteeism. Bank regulators expect a BCP to include a written strategy that will scale the bank’s pandemic response consistently with the effects of a particular stage of a pandemic outbreak. The Interagency Guidance suggests that pandemic planning consider the six stages of an infectious disease outbreak described by the CDC’s Pandemic Intervals Framework, which describes the progression of a hypothetical influenza pandemic. The Interagency Guidance advises that rates of employee absenteeism during the initiation and acceleration of a pandemic wave—stages three and four of an outbreak—will depend on the severity of the pandemic. A BCP should include planning for absenteeism in a severe pandemic attributable not only to illness, but also the need to care for ill family members and fear of infection, as well as plans for re-entering personnel into the workplace. The CDC’s guidance for a hypothetical influenza pandemic estimates that absenteeism may reach 40% during the peak weeks of a community outbreak, with lower rates during the weeks before and after. Click here for the CDC’s Pandemic Intervals Framework.
2. Board and Senior Management Responsibilities
Bank regulators expect pandemic planning to involve senior management from all functional, business, and product areas, including administrative, human resources, legal, information technology, and key product lines. Specifically, the Interagency Statement recommends that pandemic risk assessment and risk management planning include a business impact analysis to help incorporate the impact of pandemic risk into the BCP. The Interagency Statement notes that a pandemic involves additional business continuity complexity because disaster or emergency response mechanisms and methods applicable to a natural or man-made disaster may not be available during certain stages of a pandemic. The Interagency Statement advises that a bank’s risk assessment process is critical to pandemic planning, and should include:
- Prioritizing the severity of potential business disruptions resulting from a pandemic based on the bank’s business impact analysis;
- Performing a “gap analysis” that compares existing business processes and procedures with what is needed to mitigate the severity of potential business disruptions resulting from a pandemic;
- Developing a written pandemic plan consistent with the guidance in the Interagency Statement;
- Board or board committee and senior management review and approval of the pandemic plan initially and at least annually thereafter; and
- Communicating and disseminating the plan and the current status of the pandemic to employees.
Nutter Notes: Once the pandemic event has passed, the Interagency Statement recommends that each bank review its BCP pandemic plan to institute lessons learned and better prepare for future events. BCP planning should include testing to ensure that pandemic response capabilities are effective and will allow critical operations to continue, and an oversight program to ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the bank’s monitoring program. The Interagency Statement advises that a pandemic plan must be sufficiently flexible to address a wide range of possible impacts from a pandemic, and also be reflective of the bank’s size, complexity, and business activities. Bank regulators expect management to incorporate potential effects of a pandemic into overall business continuity management in accordance with guidance on pandemic planning in the FFIEC’s Business Continuity Management booklet, available here.
3. Communication and Coordination with Third Parties, Including Critical Service Providers
The Interagency Statement recommends that banks coordinate information sharing efforts through business and community working groups and develop coalitions with others to provide support and maintenance for vital services during a pandemic. Banks should also review contracts with critical service providers to determine whether a pandemic constitutes a force majeure event that excuses the service provider from performing, and whether the service provider nevertheless is required to comply with its own business continuity and disaster recovery plans during a pandemic, assuming the contracts so provide.
4. Employee Protection Strategies
The Interagency Statement recommends that banks promote employee awareness by communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting the virus. Such risk management strategies include publicizing the CDC’s “Cover Your Cough” and “Clean Your Hands” programs or other general hygiene programs, and encouraging employees to avoid crowded places and public transportation systems. The Interagency Statement recommends that banks communicate social distancing techniques to employees, which minimize typical face-to-face contact through the use of teleconference calls, video conferencing, flexible work hours, telecommuting, and encouraging customers to use online or telephone banking services, ATMs, and drive-up windows. The Interagency Statement also recommends that banks review and consider the use of other non-pharmaceutical interventions developed by the CDC, such as encouraging sick employees to stay at home, and cleaning frequently touched surfaces and objects, like door knobs.
The Interagency Statement advises banks to cross-train employees and ensure that succession plans are in place. Banks should be prepared to implement plans already established as part of traditional business continuity planning. The Interagency Statement recommends that banks plan for a high reliance on employee telecommuting, which could put a strain on remote access capabilities such as capacity, bandwidth, and authentication mechanisms. Pandemic planning should take into account that certain employees may not have remote access authority or the necessary technology infrastructure to work from home. The Interagency Statement advises banks to analyze remote access capabilities, map related technology infrastructure to increased employee needs during a pandemic, assess the infrastructure at the neighborhood level, and consider internal and external capacity to help ensure telecommuting strategies will work. According to the Interagency Statement, such strategies should be scaled to the six stages of a pandemic outbreak based on the CDC’s Pandemic Intervals Framework—Investigation, Recognition, Initiation, Acceleration, Deceleration, Preparation—considering that the duration of each interval will vary depending on the characteristics of the virus and the public health response.
Banks should also be aware that federal Occupational Safety and Health Administration (OSHA) recordkeeping regulations require covered employers, including banks, to record certain work-related injuries and illnesses on an OSHA 300 log. While the regulations exempt common cold and flu from such recording requirements, COVID-19 is a recordable illness when an employee becomes infected in the workplace.
Nutter Notes: Pandemic planning should also consider how the bank will handle employee compensation, health care, and other employment benefits questions. For overtime exempt employees absent due to the COVID-19 outbreak, a bank should continue to pay regular salaries in most circumstances. However, a bank typically does not need to compensate non-exempt or hourly workers who are not required to perform any work from home or be on call, even if such an employee remains at home for a quarantine period. Banks should keep in mind that any employees who are part of a collective bargaining agreement (i.e., unionized workers) may have rights to continued compensation or other benefits specified in the agreement. Banks may also choose to pay for some or all of the time that an hourly worker remains absent for morale and retention reasons. Bank employees may choose to use paid-time-off, sick leave, or accrued vacation time during absences where they cannot perform work.
If a bank learns that an employee has been diagnosed with COVID-19, the bank must balance the employee’s right to the privacy of his or her personal health information with the bank’s interest in protecting other employees. A bank should notify all of its employees at any location where an employee has tested positive without identifying the individual by name unless that individual has explicitly agreed to disclosing his or her identity. Such a notice should state that an employee in that location has tested positive for the virus and indicate the last date that employee was in the facility. The bank also should consider asking the infected employee about all of the close contacts he or she has had at work, and provide those individuals with specialized notices. In such a circumstance, the bank should consider whether the infected employee may have contaminated his or her workplace, and whether the bank should temporarily close the location for disinfection. Banks should consider whether to contract with an industrial hygienic cleaning service for such purposes.
If an employee with an underlying health condition wants to stay home from work for fear of being exposed to COVID-19, it would be advisable in the current environment for a bank to permit the employee to take an unpaid leave or use paid time off even if there is no known diagnosis at the workplace. A bank could request a doctor’s note in this circumstance as justification, but it may be the better practice not to impose such a requirement.
5. Emergency Branch Closing Procedures and Restrictions on Customer Access
If a bank’s management determines that conditions arising from a pandemic threaten the safety or security of bank personnel or property at any branch office, management may temporarily close the affected branch office. While Section 42 of the Federal Deposit Insurance Act generally requires a bank to submit notice of any proposed branch closing to its primary federal banking agency prior to the date of the proposed closing, Section 42 does not apply to a temporary interruption of service caused by an event beyond the bank’s control (including a pandemic), if the bank plans to restore services at the location in a timely manner.
Massachusetts law permits a Massachusetts-chartered bank to close any office if the bank’s officers determine that conditions exist which pose an existing or imminent threat to the safety or security of bank personnel or property at the affected office. A temporary branch closing does not have to be reported to or approved by the Division of Banks, but should be duly recorded in the records of the next meeting of the bank’s board with the cause and time of such closing. According to Division of Banks Regulatory Bulletin 2.1-105, Emergency Temporary Closing of Banking Offices, it is the policy of the Division of Banks that only the office(s) affected should be closed and that banks have an obligation to remain open during their normal hours of operation if at all possible without jeopardizing the health and safety of the staff and customers. Therefore, the emergency conditions requiring a temporary closing by officers must be sufficiently documented.
Nutter Notes: While advance notice to regulators is not required, it is advisable to notify federal and state examiners informally of any planned branch closure or any other pandemic response action that would limit customers’ access to banking services. For example, it may be advisable under certain circumstances to close the lobby of a bank branch to the public and limit customer interactions to drive-through only. A bank taking such an action should communicate its plans to federal and state examiners as promptly as possible. It would also be advisable to tie any pandemic response action that would limit customers’ access to banking services to a triggering event based on some government action. According to the Interagency Statement, a triggering event is a change in the pandemic environment that requires management to implement a response plan based on a pandemic alert. Alerts may be issued by government or non-government organizations, such as state and local public health authorities, that are monitoring the progression of viral outbreaks. For example, if a local public health authority announced the closing of public buildings, schools, or roads, a bank may determine that it should close or restrict access to an affected branch office in the area and notify its federal and state examiners of its plans and that such plans were triggered by the local public health authority’s decision.
The Division of Banks also expects banks to make reasonable efforts to notify the public of the emergency temporary closing of any office. At a minimum, such notice should be posted at each affected office, and messages should be recorded on telephone-answering devices notifying callers of the closing. If possible, advance notice is preferable by means of postings in all banking offices, prominent placement on the bank’s website, and news media announcements. A public notification of an emergency temporary closing should contain the reason for closing, the anticipated reopening date (if possible), and contact information for further inquiries. The Division’s guidance warns banks that the wording of the reason for closing must not suggest in any manner or form that the closing is due to the financial condition of the bank. Click here to access Regulatory Bulletin 2.1-105.
6. Special Considerations for Borrowers Affected by a Pandemic
While the Interagency Statement does not provide guidance on responding to borrowers experiencing difficulties beyond their control because of a pandemic, the federal banking agencies issued a joint statement on March 9 encouraging banks to meet the financial needs of customers affected by COVID-19. In the joint statement, the agencies committed to provide appropriate regulatory assistance to affected banks subject to their supervision. Consistent with the guidance the agencies typically issue for those recovering from a natural disaster, the agencies advised banks to work constructively with borrowers and other customers affected by the pandemic. According to the joint statement, loan modifications, refinancing options, and other efforts that are consistent with safe and sound banking practices should not be subject to examiner criticism. The agencies will expedite requests to provide more convenient availability of banking services in affected communities where operational challenges persist, according to the joint statement. The agencies also committed to work with affected banks to schedule examinations or inspections in a manner that minimizes disruption and burden. Click here for a copy of the joint statement.
7. Cybersecurity Awareness: Avoiding Traps and Other Malicious Activities
There have been a number of public reports that cyber attackers are leveraging fear about COVID-19 to spread malware or gain unauthorized access to computer networks, including banks’ information systems. For example, websites purporting to map COVID-19 outbreaks have reportedly been used as so-called “watering holes” that, when visited, cause malicious computer code to be downloaded to the visitor’s computer. Banks should warn employees to be wary of phishing attacks, disinformation campaigns, and other efforts by cyber attackers to exploit concern about COVID-19 to induce employees to open e-mails or files attached to e-mails, or to click on website links or visit websites that can compromise the security of a bank’s information systems.
8. Annual Meeting Considerations
As annual meeting season approaches for many banks and bank holding companies and as the CDC is predicting that further community transmission of COVID-19 in the United States will likely occur, it would be prudent for banks and bank holding companies to consider some form of alternative plan for their annual meetings of shareholders, corporators, or depositors, as applicable, consistent with the CDC’s advice on social distancing. The method employed to postpone an annual meeting or conduct it by electronic means will depend upon the particular provisions of a banking organization’s by-laws and its charter type. For example, a banking organization’s by-laws may include provisions allowing a special meeting to be scheduled and held later in the year in lieu of the annual meeting. In such cases, a board vote may be sufficient to authorize management to send notice to the members of the voting body that a special meeting is being called and held at a later date in lieu of the annual meeting. It would be appropriate to state in such a notice that the decision to postpone the meeting was made to reduce chances that people might come in contact with infected individuals and thus mitigate community spread of the virus consistent with the CDC’s recommendations. Alternatively, an annual meeting for which notice has already been delivered to the members of the organization’s voting body generally may be adjourned to a later date by a majority vote of the members of the voting body present at the meeting, even if a quorum is not present. Depending on the requirements of the organization’s by-laws, notice of an adjourned meeting may need to be given in the same manner as the notice of the original meeting.
Nutter Notes: Massachusetts mutual banks and mutual holding companies that have elected to incorporate in their by-laws authority provided by Chapter 482 of the Acts of 2014 (the 2015 bank modernization law) to follow the “corporate governance procedures” contained in Chapter 156D of the General Laws of Massachusetts (the Massachusetts Business Corporation Act) may be able to rely on Section 7.08 of Chapter 156D, which permits meetings of shareholders of business corporations to be conducted electronically, subject to certain conditions, if the banks do not already have separate, specific authority in their by-laws allowing meetings of corporators, shareholders, or depositors, as applicable, to be held electronically.
Nutter Bank Report
Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at Chambers.com. The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Christopher Lindstrom, Laura Martin, and Heather F. Merton. The information in this publication is not legal advice. For further information, contact:
Thomas J. Curry Tel: (617) 439-2087 | Kenneth F. Ehrlich Tel: (617) 439-2989 | Michael K. Krebs Tel: (617) 439-2288 |
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.