For further information,
please contact:
Legal Alerts

Maintaining Operational Resilience in the COVID-19 Outbreak: What Should Banks Do Next?

Legal Alerts
Banking & Finance
Financial Institutions

Banks were required to adapt their operations in line with economic and social impacts of the COVID-19 outbreak. Consequently, they have taken measures such as remote working and limited physical banking. With limited physical access to banking services, a reinforced and resilient operational and internal system is essential to prevent service interruptions in services and to financially stabilize banks.

This alert concentrates on possible measures and key points to strengthen banks’ operations against the pandemic’s financial impacts.

Banks’ Internal Systems

Information Systems

Banks must establish information systems based on the criteria set out in the Regulation on Banks’ Internal Systems and Assessment of Internal Capital Adequacy (the “Internal Systems Regulation“), the Regulation on Banks IT Systems and Electronic Banking Services (due to enter into force in July) (the “IT Systems Regulation“) and the Communiqué on the Principles of Banks’ Information Systems Management (the “Information Systems Communiqué“).

Accordingly, they must review and update their risk management policies on information systems.

As information system risks are closely associated with other operational risks banks may face, banks should review their current information systems policies to conserve a well-functioning operating system.

The senior management must scrutinize the improvement and update of information systems and the control mechanisms established to ensure the confidentiality of and access to data stored in information systems.

Bank must meet the minimum requirements set out in the Information Systems Communiqué and incorporate an information systems continuity plan into their business continuity plan elaborated below.

Outsourcing of Information Systems

In order to outsource information systems, the senior management must establish a surveillance mechanism to assess and manage the risks associated with outsourcing, as well as an effective relationship with the support service providers.
In this respect, the senior management must put together a plan paving the way for uninterrupted procurement of support services and substitution of such services in case of any interruption. Banks must ensure the establishment of an adequate system enabling them to immediately start providing outsourced services on their own if the service is interrupted.

Online Banking

The importance of online banking has significantly grown due to remote working and limited physical access to branches. In order to fulfill demands for online banking, banks should ensure a solid online banking system to prevent any interruptions in the flow of work.

Pursuant to the Information Systems Communiqué, banks must ensure that they have an effective audit trail mechanism, business continuity and recovery plan.

The Information Systems Communiqué will be abolished on July 1, 2020 and the IT Systems Regulation will enter into force on the same date. For more information, please see our legal alert dated March 18, 2020.

Business Continuity Plan

Any interruption in the flow of business may have severe effects on banks’ operations. Therefore, banks must establish a business continuity plan that would enable continuity and recovery of operations in case of an interruption. As such, banks should reconsider the following:

  • Business Impact Analysis: The presence of a business impact analysis is essential in case of an interruption in a bank’s business process or operations. In that respect, banks must consider factors that may cause possible interruptions, their possible implications on business and revise their recovery strategies, if needed.
  • Emergency and Contingency Plan: Banks are obligated to incorporate an emergency and contingency plan to their business continuity plan. As markets are currently more unpredictable, banks may consider updating their emergency and contingency plans.

The Banking Regulatory and Supervisory Authority announced that it will re-inspect banks’ business continuity plans. For more information, please see our legal alert dated March 20, 2020.

Risk Management

Internal Control Mechanism

Internal Control Operations: Internal control procedures constitutes a part of banks’ daily operations. Banks must have written policies and implementations procedure that mainly addresses to the following:

  • Control of operations.
  • Control of communication channels, information systems and financial reporting systems.
  • Compliance controls.

We believe banks may review these procedures to ensure their already-established systems are sufficient in handling the current economic scenario; if they are not sufficient, banks must make the necessary improvements.

Reporting: Another internal control mechanism is reporting. Banks are obligated to prepare reports concerning extraordinary conditions, suspicious transactions, breaches and general performance, and submit said reports to the senior management on a daily, weekly or monthly basis. Given the overall impact of the COVID-19 outbreak on the market, banks may consider submitting these reports to the senior management more frequently.

Control of Communication Channels and Information Systems: Through control of communication channels and information systems, banks ensure reliable, accurate, monitorable and consistent procurement and access to information. Banks have temporarily shut down numerous branches and switched to remote working, or minimized physical banking services in terms of their number of personnel and business hours. Therefore, it is vital to have sound information channels and information systems; banks may review their communication channels and information systems, and update them if necessary.

Risk Management Systems

The objective of a risk management system is to identify, assess and control risk exposure (i.e., consolidated and unconsolidated risks, and transactional risks within the bank’s risk group) through adopted policies, implementing principles and limits concerning risk-yield ratio of future cash flows.

A risk management system also contains stress test programs. Stress test programs are designed to measure financial risks and volatility that may arise due to banks-specific issues or pressured economy.
A stress test program must include the following:

  • Clearly defined objectives
  • Scenarios and assumptions compatible with the bank’s operations and the risks associated with the operations.
  • A solid methodology.
  • Reporting that would support decisions taken in that regard.
  • Continuous and effective review of the stress test process.
  • Managerial measures to be taken in response to stress test results.

In addition to separately addressing each important risk with stress tests, a stress test that holistically assesses all of these risks must also be conducted by banks.

Stress tests concerning market risks, counterparty credit risks and collective liquidity risks must be simultaneously conducted once a month or more frequently. The Senior management is responsible for monitoring results.

Due to the economic impact and volatility of the COVID-19 outbreak, banks may need to conduct stress tests more frequently.

Measuring the Operational Risk

Pursuant to the Regulation on the Calculation and Assessment of Bank’ Capital Adequacy (the “Capital Adequacy Regulation“) banks must examine their operational risks.

Operational risk refers to the probability of incurring losses due to inadequate or unsuccessful internal systems, persons and processes or external factors.

Banks may reassess whether their operational risk management processes meet the requirements enumerated under the Capital Adequacy Regulation, in addition to the criteria set out in the Operational Risk Management Guide.

Internal Capital Adequacy Assessment Process (ICAAP)

Banks prepare an ICAAP report that covers the risk measurements, capital and liquidity plans and the risk management capacity at least once a year. The ICAAP report is prepared according to the procedures and principles set out under the ICAAP Report Guide.

Banks must continuously appraise their ICAAP report to see if they need to modify their risk measurement techniques, capital and liquidity plans and risk management capacities.

Capital and Liquidity Adequacy

Liquidity Adequacy Ratio (LAR)

The Regulation on the Calculation and Assessment of Banks’ Liquidity Adequacy sets out the minimum liquidity adequacy ratio (“LAR“) for banks.

Unless otherwise specified by the Banking Regulatory and Supervisory Board, the arithmetic average of total LAR for the first and maturity segment and the total LAR for the second maturity segment cannot be lower than 100%. Whereas, the arithmetic average of foreign currency LAR for the first and the foreign currency LAR for the second maturity segment cannot be lower than 80%.

Banks may consider continuously appraising their liquidity positions and recalculating total and foreign currency LARs to not fall short of minimum requirements set out in the Liquidity Adequacy Regulation at any time.

Capital Conservation and Countercyclical Capital Buffers

The Regulation on Capital Conservation and Countercyclical Capital Buffers (the “Capital Conservation Regulation“) sets out the calculation method of the additional core capital ratio and measures to be taken in case a bank falls short of said ratios.

Accordingly, a bank must reserve additional capital to prevent its equity from failing to satisfy capital adequacy regulations due to credit expansion that may increase the risk in the financial sector.

In that regard, it is important for banks to continuously assess whether their additional core capital ratios are in line with the ratios and restrictions set out in the Capital Conservation Regulation. Further, banks may also review their capital conservation plans and take additional measures, if necessary.

For additional issues and measures concerning public banks, please see our client alert dated March 27, 2020.

Please stay up to date with further developments through the Esin Attorney Partnership Coronavirus Helpdesk.