Immediate considerations for financial services firms in response to the COVID-19 pandemic | Practical Law

This article outlines the immediate considerations for financial services firms in the light of the COVID-19 pandemic.

by Jake McQuitty, Partner, Craig Rogers, Partner, Sophie White, Partner, Zia Ullah, Partner, Eversheds Sutherland
Law stated as at 26 Mar 2020 | United Kingdom

Clear and timely communications

Firms must constantly review and maintain customer communications content and strategy. There is a regulatory expectation that firms will ensure consumers are adequately protected during severe disruption. This is not only about making business decisions designed to mitigate harm to consumers (for example, responding swiftly to interest rate changes), but also about ensuring customers are adequately informed about how a business is responding to the pandemic and how they are and/or will be affected by any material decisions made.
Best practice will involve:
  • Maintaining regular contact with customers through multiple channels (particularly because a firm needs to manage the risk around IT system outages, which are more likely where capacity is being stretched by increased demands on the infrastructure).
  • Providing up-to-the-minute information (for example, responding swiftly to the daily governmental briefings).
  • Communicating in a way that is clear and easily understood. Given the customers most vulnerable to this pandemic are the over-70s who are also likely to be the least technologically-minded, firms should be looking at "analogue" options to maintain contact (for example, press and radio advertising, as well as customer mailing exercises, which may be particularly crucial where customers are required to self-isolate for up to 12 weeks).
  • When dealing with consumer complaints, consider a flexible approach that makes more use of electronic communications with complainants. Firms should be particularly mindful of the impact of any delays in handling complaints in the present climate, particularly in respect of vulnerability and hardship cases.

Maintain critical business services

Firms must know what their most important business services are and ensure these are maintained throughout the disruption caused by COVID-19. This may mean suspending other, less important business services. If a firm has yet to identify its most important business services it should swiftly take steps to do so, and then implement a plan for ensuring these are maintained throughout.
What is important will obviously depend on the nature of a firm's business. However, factors to take into consideration in determining what is most important in this instance might include:
  • The nature of the customer base, including vulnerable customers, such as customers over 70, who will be more susceptible to harm from this disruption.
  • The ability of customers to obtain the service from other providers.
  • Whether the failure of the service could cause contagion impacting other financial institutions that rely on that service or lead to impact on markets.

Protect confidential information and customers' data

This heightened risk environment presents an enhanced opportunity for criminal wrongdoers to perpetrate hacks and fraudulent activity either against a firm or its customers. Significantly higher volumes of remote working will increase these threats as well as presenting a greater risk of inadvertent data breach as employees may lack the safeguards that we take for granted in the workplace, such as secure access to buildings. Firms, including their lawyers, should be particularly vigilant regarding cyber attacks.
Some quick, simple and crucial steps firms can take to improve cyber preparedness and response include:
  • Ensure employees are reminded of the critical need for cyber hygiene, especially when teleworking.
  • Confirm that cyber incident response teams have hard copy access to response plans at home, not just in the office.
  • Ensure that key members have a good sense of the regulatory and contractual notification obligations in the event of a breach (or know whom to call who does). There is no guarantee that regulators or counterparties will grant leniency for failing to know or meet notification deadlines because of coronavirus-related distraction.
Firms should also note that the Information Commissioner's Office (ICO) has issued some guidance regarding COVID-19 issues and the handling of data subject access requests (DSARs), which indicates a degree of pragmatism regarding DSAR timeframes.

Ensure appropriate governance is in place

Best practice involves creating and maintaining a crisis response committee, with delegated authority from the board, that meets regularly and maintains a contemporaneous record of materials presented, discussions had and decisions made. This committee should comprise the key business leads and subject matter experts to advise on strategy and approach. It should also be swift of foot and capable of responding in real time as this crisis develops, ensuring a co-ordinated approach to manage internal and external communications effectively.
Firms should also note:
  • It is vital to stay up-to-date on rapidly changing legislation, regulations and regulatory guidance, and to apply prompt, responsive plans so that changes are implemented in a timely and effective manner.
  • Where customers or markets are put at risk as a consequence of decisions made by a firm or its delegated committee, it will be critically important that a firm can produce evidence of the rationale for decisions made and the information or evidence on which these were made.
  • While regulators are less likely to take action against a firm for decisions reasonably made on a sound evidential basis, the absence of evidence for a decision can severely prejudice a firm's ability to defend its decisions in the event they are subsequently scrutinised by a regulator (often with a degree of hindsight).

Outsourcing and third party vendor risk

This is not just about insurance and managing potential liability; it is also about mapping key areas of vulnerabilities where the firm relies on third party service providers:
  • A firm should have taken steps already to verify with its vendors that they have adequate plans in place to manage the risk to their systems and services arising from the coronavirus pandemic. Where gaps are identified, these should be quickly plugged, or workarounds found, to mitigate risk. Firms should also consider increasing the oversight and monitoring of these third parties as they invoke their business continuity plan (BCP) call to action plans, ensuring optimum service and minimal disruption to, and impact on, customers.
  • When seeking to exit non-critical third party relationships to reduce costs in non-core areas (in other words, the flipside of maintaining continuity), firms should consider the legal implications of how this is done to avoid regulatory criticism around customer impact and aim to minimise the later impact of claims from third parties around the basis of any exit.

Manage employee well-being

The regulators have been particularly vocal in recent years about the importance of managing employee well-being and the relevance this has to maintaining a healthy culture. The coronavirus pandemic is plainly a highly stressful situation and will inevitably increase the risk to employee well-being.
Key issues that employer firms should be considering to manage the impact on their workforce include:
  • Pay for individuals unable to work due to self-isolation or sickness.
  • Actively reviewing and monitoring their working at home policy to ensure it continues to be fit for purpose.
  • Focussing on protecting mental health by keeping people connected for mental well-being and social purposes, as well as monitoring the usage of employee assistance programmes (EAPs).
  • Focussing on family friendly support policies, such as emergency back-up for children, elderly relatives and vulnerable individuals.
  • Using management information (MI) in the form of people tracking and analytics to stay informed of incidents of self-isolation, illness, recovery and critical resources.

Stay attuned to conduct risk

With a remote working workforce, highly volatile markets and an atmosphere of collective anxiety about job security, market conduct and, more generally, staff conduct could present a material risk, particularly because BCP arrangements will inevitably make it harder for firms to monitor behaviour. Regulators will expect firms to be particularly alive to this risk and to take steps to ensure that crucial data used for monitoring conduct continues to be produced, analysed and acted on where something requires investigation. This applies at both the micro-level of individual staff behaviours and at the macro-level, where the conduct of the corporate in a crisis might conflict with regulatory expectations.
By way of example, the PRA has issued guidance that banks should not increase dividends or other distributions, such as bonuses, in response to the PRA and Bank of England (BoE) policy actions to combat the economic impact of COVID-19. For other financial services firms, there is no doubt the FCA would take a similarly dim view of this sort of conduct.

Financial crime and fraud risk

Fraud can destroy trust between companies and customers, throw carefully laid plans into chaos and undermine an organisation's collective identity, culture and values. Unfortunately, there are opportunists who will seek to take advantage of a coronavirus environment to further their criminal activity. Scams linked to the coronavirus include telephone fraud, and cyber threats using phishing and malware to target victims. Firms and individual employees should be forewarned to remain alert to these attacks.
Additionally, firms will need to consider the broader financial crime risk exposures. This is a call to action to review the adequacy of the financial crime framework, its effectiveness and suitability to operate within a remote environment. In this situation, firms should consider the effectiveness of their systems and controls to prevent, detect and deter financial crime. In particular, firms should:
  • Review their ability to deploy effective measures to block fraudulent payments.
  • Robustly screen customers and scrutinise payment alerts, and manage increased volume trends, ensuring effective capacity planning to support prompt investigation.
  • Vigorously challenge customer and payment parameter setting, ensuring money laundering suspicions are appropriately identified, promptly investigated and reported.
  • Scrutinise the ability of the Money Laundering Reporting Officer (MLRO) to discharge their responsibilities effectively, access information and records to support prompt decisioning around financial crime risk, and firmly evidence and record decision rationale, with the appropriate escalation measures in place.
  • Ensure they maintain continued regular MI and data reporting.
  • Demonstrate continued governance oversight and board escalation, as appropriate.

Consider the impact on regulatory compliance and proactively manage regulatory expectations

COVID-19 is already impacting on resource availability and this situation is likely to become more acute over the coming weeks. Firms may conclude it is simply not practical to allocate significant resource to testing controls in the current environment. In those circumstances, it will be important to consider whether resources can be deployed from other areas. Failing that, it is crucial the firm is able to evidence what steps it has taken to mitigate the risk as a result of a reduction in resource.
If the reduction in resource impacts on remediation activities or regulatory deadlines generally, such as compliance with complaints deadlines under the FCA's Dispute Resolution: Complaints sourcebook (DISP), a firm should communicate this fact to the regulator in a timely fashion, to ensure the firm is meeting its obligations of openness and transparency under Principle 11 of the Principles for Businesses.
Firms also need to be alive to the legal and regulatory risks that can arise from making changes to existing processes in response to this crisis, for instance, using electronic signatures as an alternative to wet signatures or creating a remote working solution that inadvertently discriminates against employees on the grounds of disability or gender.