Compliance Blog

Mar 11, 2020

FFIEC Updates Pandemic Planning Guide

A little while ago, NAFCU blogged about the NCUA’s business continuity planning guidance and the Federal Financial Institutions Examination Council’s (FFIEC’s) 2007 Pandemic Planning Guide. In light of the spread of Covid-19 a.k.a. the coronavirus, the FFIEC updated its Interagency Statement on Pandemic Planning (the guide), identifying “actions that financial institutions should take to minimize the potential adverse effects of a pandemic.” In a related press release, the federal financial institution regulators encouraged financial institutions, including credit unions to continue meeting the financial needs of members affected by coronavirus.

The guide begins with a discussion of the unique challenges presented by a pandemic in comparison to other disasters. The guide then explains how to incorporate pandemic risk into a credit union’s business continuity management, including the business impact analysis, the risk assessment, and risk monitoring and testing. Let’s briefly touch on each phase:

The Unique Challenges of a Pandemic

In order to effectively serve members, it is important to tailor a credit union’s traditional business continuity plan (BCP) to address the unique challenges posed by a pandemic. The guide explains that a credit union’s BCP should provide for:

-          A preventative program to reduce the likelihood of being affected by a pandemic event, including monitoring of potential outbreaks, educating employees on hygiene training and other tools, and coordinating with critical service providers.

-          A documented strategy for scaling the credit union’s pandemic response efforts so they are consistent with the effects of each stage of a pandemic outbreak. For example, credit unions may consider aligning a strategy with the Center for Disease Control and Prevention’s (CDC’s) 6 Pandemic Intervals Framework.

-          A comprehensive framework of facilities, systems, or procedures that enable the credit union to continue critical operations in the event certain staff members are unavailable for prolonged periods of time. For example, credit unions may consider social distancing, telecommuting, alternative sites, telephone banking, or electronic banking services.

-          A testing program to ensure pandemic planning practices and capabilities will allow critical operations to continue.

-          An oversight program to ensure ongoing review of the pandemic plan, incorporating up-to-date, relevant information from medical and governmental sources.

A pandemic involves significant risks to the entire business model. Thus, the guide recommends involving senior management from all functional areas in pandemic planning. In particular, a credit union’s board of directors is responsible for overseeing the development and approval of the pandemic plan. Senior management is responsible for developing the plan, translating it into specific policies, processes, and procedures, and communicating the plan to employees.

Pandemic Risk and the Business Impact Analysis

The BCP business impact analysis (BIA) evaluates the potential effects of a disaster on the credit union’s essential business functions, processes, and supporting resources. The guide explains that incorporating pandemic risk into the BIA involves additional complexity since typical disaster or emergency response mechanisms may not be feasible. In particular, the guide refers to both internal and external factors. From an internal perspective, the impact analysis should involve forecasting employee absenteeism which may be attributable to illness, the need to care for loved ones, or the fear of infection during a community outbreak. Externally, the guide recommends assessing the impact of certain public health measures, such as school closings, quarantining measures, altered public transportation schedules, travel restrictions, or other disruptions to external services.  The guide recommends looking at the Department of Homeland Security’s list of 12 planning assumptions that businesses should consider when developing the BIA (page 17 of the pdf).

Risk Assessment/Risk Management During a Pandemic

A credit union’s risk assessment process is critical to the success of business continuity efforts.  The guide notes that a risk assessment involves prioritizing the severity of potential business disruptions resulting from a pandemic based upon the credit union’s BIA. The guide recommends performing a “GAP analysis” that compares existing processes with what is needed to mitigate the severity of potential business disruptions. In doing so, the guide explains the importance of developing a written pandemic plan that is communicated to employees and reviewed by the board of directors at least annually.

More specifically, the guide recommends that a risk assessment include the identification of triggering events to implement elements of a credit union’s pandemic response plan, employee protection and hygiene strategies, and mitigating controls. Mitigating controls may include cross-training employees, developing succession plans, or increasing remote access capabilities. The guide also encourages coordination with third parties, including business and community working groups, local public health and emergency management teams, and critical service providers.

Risk Monitoring and Testing

The guide concludes by explaining how a robust pandemic plan should remain sufficiently flexible to incorporate new information and risk mitigation approaches as information from medical and governmental experts evolves. Generally, a robust program will incorporate testing roles and responsibilities of management, employees, key suppliers, and customers. A robust program will also assess key pandemic planning assumptions and incorporate testing increased reliance on online banking, call center services, remote access and telecommuting capabilities. The guide requires test results to be reported to management, with appropriate updates made to the pandemic plan and testing program. Given the unique challenges presented by a pandemic compared to traditional business continuity planning, the guide also provides a list of alternative testing solutions.

Additional resources

For additional information, please join us on Tuesday, March 17, 2020 for a webinar entitled Pandemics: What They Mean For You and Your Credit Union. The following additional resources may also be helpful to your credit union’s pandemic planning efforts:

-          The CDC’s Pandemic Planning Checklists and Guidance

-          The Occupational Safety & Health Administration’s Guidance on Preparing Workplaces for an Influenza Pandemic

-          The U.S. Department of State’s Travel Advisory List

-          The World Health Organization’s Pandemic Preparedness publications

-          The U.S. Department of Health and Human Services’ Pandemic page

NAFCU Urges Removal of Regulation D’s Transaction Limits

In light of the unique risks and uncertainty posed by Covid-19, NAFCU has asked the Federal Reserve to reconsider its 6 transaction limit on savings deposit accounts. A proactive measure by the Board may provide members with greater financial flexibility and access in a time where the chances of emergency health-related costs are heightened. NAFCU will continue to advocate for Reg D reforms that better reflect modern monetary policy. Check out the full letter here.