Pandemic Planning - Utah's Credit Unions
Transcript of Pandemic Planning - Utah's Credit Unions
Pandemic Planning Resources and Regulator Expectations
A Rapidly Moving Target
Regulator Expectations
Interagency Statement on Pandemic Planning
• First Issued in 2007
• Updated in 2020
• Pandemic planning should be a part of every credit union’s disaster recovery plan
• Components:
  • Preventative program
  • Documented strategy scaled to the stages of a pandemic outbreak
  • Comprehensive framework to ensure the continuance of critical operations
  • Testing program
  • Oversight program to ensure that the plan is reviewed and updated
Differences Between Traditional Business Continuity Planning and Pandemic Planning
• Disasters are usually short in duration or limited in scope
• Disasters typically will only affect a specific geographic area, facility, or system.
• These threats can usually be mitigated by focusing on resiliency and recovery considerations.
• Pandemics are more difficult to determine because of the difference in scale and duration.
• Effects are usually widespread and threaten not just a limited geographical region or area, but potentially every continent.
• Pandemics generally occur in multiple waves, each lasting two to three months.
• Most significant challenge is likely to be staffing shortages due to absenteeism.
Scale of Pandemic Planning
Pandemic plans should:
• Be sufficiently flexible to effectively address a wide range of possible effects
• Reflect the institution’s size, complexity, and business activities
• Address the potential impact of a pandemic on the delivery of a financial institution’s critical financial services
Prevent
Develop a preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including:
• Monitoring of potential outbreaks
• Educating employees
• Communicating and coordinating with critical service providers and suppliers
• Providing appropriate hygiene training and tools to employees.
Scaled Strategy
• Scale pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as the 6 intervals described by the Centers for Disease Control and Prevention (CDC).
• Outline plans describing how to recover from a pandemic wave and proper preparations for any following wave(s).
• Outline plans for re-entering personnel into the workplace.
Define Framework
• Identify the facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods.
• Implement procedures such as:
  • Social distancing to minimize staff contact
  • Telecommuting
  • Redirecting customers from branch to electronic banking services
  • Conducting operations from alternative sites
  • Visitor restrictions
• Review impact of increased reliance on online banking, telephone banking, ATMs, and call support services.
• Consider how actions by public health and other government authorities may affect critical business functions of the credit union
Test
Ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.
Update
Ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution’s monitoring program.
Roles and Responsibilities
• The board of directors is responsible for:
  • Overseeing the development of the pandemic plan.
  • Approving the institution’s written plan and ensuring that senior management is investing sufficient resources into planning, monitoring, and testing the final plan.
• Senior management is responsible for:
  • Developing the pandemic plan and translating the plan into specific policies, processes, and procedures.
  • Communicating the plan throughout the institution to ensure consistent understanding of the key elements of the plan and to ensure that employees understand their role and responsibilities in responding to a pandemic event.
  • Ensuring that the plan is regularly tested and remains relevant to the scope and complexity of the institution’s operations.
Developing the pandemic plan
1. Prioritizing the severity of potential business disruptions resulting from a pandemic, based on the institution’s estimate of impact and probability of occurrence on operations
2. Performing a “gap analysis” that compares existing business processes and procedures with what is needed to mitigate the severity of potential business disruptions resulting from a pandemic
3. Developing a written pandemic plan to follow during a possible pandemic event
4. Reviewing and approving the pandemic plan by the board or a committee thereof and senior management at least annually
5. Communicating and disseminating the plan and the current status of the pandemic to employees.
Communication
• Communicate with critical service providers to ensure continued operation.
• Coordinate information sharing efforts through participation in business and community working groups and develop coalitions with outside parties to provide support and maintenance for vital services during a pandemic.
• Consider cooperative arrangements with other financial institutions within the institution’s geographical trade area.
• Coordinate pandemic planning efforts with local public health and emergency management teams.
• Communicate with members and the media to ensure that accurate information is disseminated about business operations.
Identify Triggering Events
• A triggering event occurs when an environmental change takes place that requires management to implement its response plans based on the pandemic alert status.
• Alerts may be issued by various organizations that have developed surveillance systems to monitor the progression of viral outbreaks.
• Management should monitor national and international pandemic news sources in order to be aware of potential outbreaks.
• Management should monitor websites devoted to national health care issues, identify key points of contact for emergency and health care organizations, and assess potential implications for the financial institution if a pandemic occurs.
• Management also should communicate to employees and key service providers the actions it plans to take at specific triggering points.
Employee Protection Strategies
• Promote employee awareness by communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting a pandemic virus.
• Emphasize CDC or other general hygiene programs.
• Encourage employees to avoid crowded places and public transportation systems.
• Implement “social distancing” techniques to minimize typical face-to-face contact through the use of teleconference calls, video conferencing, flexible work hours, telecommuting, encouraging customers to use online or telephone banking services, ATMs and drive-up windows.
Mitigating Controls
• Cross Training
• Succession Planning
• Be prepared for remote access (capacity, bandwidth, authentication measures)
Risk Monitoring and Testing
• Risk monitoring and testing of the pandemic plan is important to the overall planning process.
• A robust program should incorporate testing:
  • Roles and responsibilities of management, employees, key suppliers, and customers
  • Key pandemic planning assumptions
  • Increased reliance on online banking, telephone banking, and call center services
  • Remote access and telecommuting capabilities
If you’re behind: Where to Start?
1. Model Policy (Policy Pro model policy #2195: Pandemic Influenza Preparedness & Response)
2. List critical functions and who at the credit union can keep them going
3. Implement mitigation strategies to protect critical functions and people
4. Communicate reduced or modified services to your members
5. Go back later and fill in the gaps
Branch Closures
• FCUs: No restrictions or notice requirements (optional to inform Utah DFI)
  • Advanced notice to members highly recommended
• Utah State Chartered CUs:
  • May close on any day
  • Provide “adequate notice” to members of any change from normal business hours
  • Utah DFI has also requested notification
• DFI Contact: Riley J. Bergstedt [email protected] of Credit Unions
Annual Meetings
Annual Meetings: Utah State Chartered CUs
Commissioner of the Utah Department of Financial Institutions, Ed Leary: “. . . . if a state chartered credit union is concerned about holding a traditional annual meeting, it could be proactive and avoid a "mass gathering" by using technology. In other words, something as simple as a conference call could be set up rather than having an in person annual meeting.
If a state chartered credit union made this type of technology accommodation or other reasonable efforts to facilitate the Annual meeting with the goal in mind to lower the risk of spreading COVID 19, the department would support the approach.”
Annual Meetings: Federal CUs
• Date and place of annual meeting prescribed in bylaws
• “This credit union may permit virtual attendance and participation in the annual meeting, provided that an in-person meeting complying with the geographic requirements of this paragraph is also held.”
• An entirely virtual annual meeting is not permitted
• Meetings can be delayed and rescheduled. See guidance: https://www.ncua.gov/files/letters-credit-unions/20-cu-02-ncua-actions-related-covid-19.pdf
Board Meetings
• FCUs:
  • Must meet monthly
  • Only one meeting needs to be in person (and only a quorum needs to be present)
  • All other board meetings can be virtual
• Utah State CUs:
  • Virtual meetings are permitted
Explaining the Disruption to Members
Credit Unions Were Made For This
Online and Mobile Services
• Never a better time to encourage members to use online and mobile services
• Outline all the online/remote services your credit union offers
• Also outline all the ways members can still access their accounts, talk to credit union employees and visit the credit union during disruptions
• Emphasize the safety and reliability of electronic transactions
• Withdrawing cash is not necessary
• The electronic system is not threatened
• Cash is unsanitary
Flatten the Curve
We’re Doing our Part
• Remind members why you are taking this call to action seriously
• Observing social distancing protocol and other government recommended actions to prevent community spread of the coronavirus is to lessen the impact on healthcare services
• If we are successful, it will look like preventative measures weren’t necessary in the first place
Scams
Warn Members About Disaster-Related Scams
FinCEN advises financial institutions to remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters. FinCEN is monitoring public reports and BSA reports of potential illicit behavior connected to COVID-19 and notes the following emerging trends:
• Imposter Scams – Bad actors attempt to solicit donations, steal personal information, or distribute malware by impersonating government agencies (e.g., Centers for Disease Control and Prevention), international organizations (e.g., World Health Organization (WHO)[2]), or healthcare organizations.
• Investment Scams – The U.S. Securities and Exchange Commission (SEC) urged investors to be wary of COVID-19-related investment scams, such as promotions that falsely claim that the products or services of publicly traded companies can prevent, detect, or cure coronavirus.[3]
• Product Scams – The U.S. Federal Trade Commission (FTC) and U.S. Food and Drug Administration (FDA) have issued public statements and warning letters to companies selling unapproved or misbranded products that make false health claims pertaining to COVID-19.[4] Additionally, FinCEN has received reports regarding fraudulent marketing of COVID-19-related supplies, such as certain facemasks.
Regulator Communications
• Contact regulators if you will miss filing deadlines or exam directives due to COVID-19 issues.
• FinCEN requests financial institutions affected by the COVID-19 pandemic to contact FinCEN and their functional regulator as soon as practicable if a COVID-19-affected financial institution has concern about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports. Financial institutions seeking to contact FinCEN should call FinCEN’s Regulatory Support Section (RSS) at 1-800-949-2732 and select option 6 or e-mail at [email protected].
Regulator Guidance
• NCUA: Working to Meet Financial Needs of Customers and Members Affected by Coronavirus
• NCUA Actions Related to COVID-19
• Working with Members
• Delaying Annual Meetings (FCUs)
• Exams
• Delays in Call Reporting
• Liquidity options
• Utah DFI COVID-19 Statement
Advocacy
• Letter to Chairman Hood
• CUNA COVID-19 Resource Page
• UCUA COVID-19 Resource Page
How to Touch Your Face Less