Preparing for Recovery: A Compliance Strategy for an Uncertain Future

None of us know when the current pandemic will be over, but companies of all sizes are now looking ahead to plan for a time when the crisis measures lift, and business enters a recovery stage.

Despite the turmoil in financial services over the past few weeks, enormous levels of activity have been seen in markets across Europe, with pre-clearance requests spiking at near-record levels. With almost all financial services firms operating from business continuity playbooks and coping with fewer staff spread across numerous locations, organisations are learning how to cope in extraordinary circumstances.

Both supervisory and regulatory bodies have been clear that whilst many of their own activities are either on hold or continuing in the background, all have been consistent that record keeping, regulatory submissions and BAU processes (including call recording) should continue where possible throughout the crisis.

Readers should also be aware of the ESMA announcement with regard to changes in the tick size regime for certain firms. This new approach (postponed until 26th June 2020) has also been agreed with the UK Financial Conduct Authority, with a view that all companies should focus on minimising operational disruption at this time.

We expect frequent updates from our regulatory bodies over the next few weeks – especially if the current social distancing, isolation and lockdown measures continue beyond their current dates.

Managing Risk: Now and in recovery

Risk, Compliance and Ethics teams are currently juggling a MoSCoW list of tasks. For anyone unfamiliar with this technique, here’s a précis:

  • Must Have – Something that’s illegal, unsafe or lacks resilience without doing it.
  • Should Have – Something that is important, but not critical or for which an interim workaround could be found.
  • Could Have – Something which could be postponed, but may lead to some short-term pain, risk or exposure.
  • Won’t Have this time – Deliverables which fall outside of the other rules which can be postponed or cancelled.

All Compliance professionals will be abundantly clear of the must and should haves in our business continuity playbooks. Software or manual controls should be in place to ensure that these aspects of BAU are maintained above all others.

So how does MoSCoW change over the duration of the crisis? We predict that as viral testing becomes more prevalent and those recovering from infections return to the workplace, there will be a slight easing on current staffing levels. Organisations should be aware that their crisis management teams will also need to take breaks, annual leave or even self-isolate – and these potential gaps need to in-built into recovery plans to ensure a smooth transition into recovery phase.

A real recovery may take many months, especially as the wider and macro-economic environment may bear scars of this crisis for a decade or more. We should be prepared for our teams to be dispersed in remote locations for a considerable time, and bear in mind that transport infrastructure (especially international travel) is unlikely to re-open until much later in 2020.

From our position as a RegTech software provider, we believe that 2020 will combine uncertainty and volatility in the financial services market, with a less than steady uptick in conditions.

Whilst none of us can predict how or when the ‘new normal’ may commence or if we return to something akin to our predictions at the start of the year, we’ve created a three-stage plan for firms of all sizes to consider now, with an eye on the future. We’ve called it ICE.


In this phase, firms should identify (or have identified):

  • Processes and procedures which must be continued as BAU.
  • Key Person Dependencies and appropriate mitigation.
  • Mandates, reporting and remote monitoring processes which must be undertaken across multiple platforms.
  • Ensuring compliance with prescribed SMCR Responsibilities, ensuring a buffer for sickness and other restorative absence.
  • Decision-making processes, including nomination of a contact for maintaining relationships with the Regulator, especially with regard to forbearance and other regulatory leniency or consent.
  • Leadership and senior employees with specific talent to lead BAU, Recovery and Strategic workstreams.
  • External and Internal Communications leadership, including the ability to continue dialogue with staff, customers and clients wherever they are located – and on a myriad of devices.
  • Managing records of processes and transactions that have fallen outside of usual compliance activities and ensuring compliance with GDPR or other laws for data storage or processing.
  • Protocols for managing concurrent risks. How would your organisation cope with another incident now – such as cyber threats, system failure, natural disaster or terrorism?


In this phase, all firms should consider:

  • Which employees must remain in offices, or elsewhere in the company to maintain compliance or BAU processes?
  • Can costs be saved by deferring non-critical projects until later?
  • What internal structures can best support recovery? Could larger firms split their resource to include recovery, BAU and strategic implementation?
  • What processes, systems, software or other solutions could be sourced now to help prepare firms for the recovery phase – and beyond?
  • What resourcing and procedural challenges could be faced should COVID-19 distancing measures continue much longer, are increased further, or return later in the year?
  • How may the business operating model change in a low or zero margin requirement?
  • How will the business adapt to potential changes in the regulatory environment during the recovery phase – is your talent in the right place?
  • How do third party providers or internal support mechanisms continue during the crisis?
  • How might your contracts with clients or end-users need to evolve, especially where ‘business days’ or notice provisions are included within?
  • How are manual processes handed over to new personnel or teams unfamiliar with these localised systems?
  • Does your firm have a ‘further contingency’ protocol where failsafe processes fail – especially during a prolonged period of market instability or widening of pandemic restrictions?


In this ‘action’ phase, every financial services operation should develop or have actioned processes to:

  • Maintain effective decision-making during a crisis: at board level and throughout key teams.
  • Provide updates to key personnel to ensure everyone remains informed (and is being looked after) whilst being away from a normally ‘controlled’ environment.
  • Manage and report liquidity and capital requirements (as appropriate by firm or jurisdiction).
  • Mobilise procurement professionals or approve advance purchase decisions for systems, software or resources which could assist in recovery or provide protection against future events, risks or incidents.
  • Ensure key leadership maintain regular contact with third-party service providers to ensure dependent systems or processes are maintained as BAU throughout the recovery period.
  • Commence catch-up submissions and other reporting from multiple locations and as resource becomes available.
  • Provide systems access infrastructure to switch off, or provide access to critical technology or processes for a changing base of human resource.
  • Manage retail clients, or end user customers who may be more vulnerable to emerging risks.  

Is it too early to consider how a RegTech software solution may help with recovery?

Just like many of our clients, the team at ComplySci is working remotely to support our existing customer base as well as looking after the needs of new clients who are looking to establish a compliance software solution within their business.

For many companies, a crisis reveals shortcomings in preparedness and the ability to run a business in extremis. In the current crisis, even the most well-tested and maintained business continuity plans are being stretched, with organisations operating manual or local processes struggling to maintain TCF, Compliance or ML activities.

Now is the time where businesses of all sizes can make decisions to reinforce their compliance activities by undertaking a simple root cause analysis and asking basic questions:

  1. What shortcomings have already emerged?
  2. What systems or processes are unfit for purpose?
  3. Are third-party providers able to support our business in a crisis?
  4. What does our company need to do to catch-up with priority deferred activities?
  5. How quickly can we return to the new-normal BAU?

If your root cause analysis shows emerging risks or issues in any of the above points, now is the time to consider recovery with ComplySci. Our teams can not only help you with your analysis but also coordinate a virtual approach with key personnel to form a step-by-step plan for recovery. If you’ve got time, we’re on your side.

Get in touch with one of our team today. Request a Demo