COVID-19: Crisis management lessons from the financial services industry

Justine Sacarello, head of legal risk management at Lloyds Banking Group, considers why crisis management is most effective in a company that balances a trusting culture against flexible business models.

Justine Sacarello has been head of legal change and legal risk management at Lloyds Banking Group since 2016; prior to that she undertook a similar role at Barclays Bank PLC. She has a demonstrated history of implementing large-scale strategic, legal and regulatory change programmes in various banks and corporates, having designed and implemented legal risk management and enterprise risk frameworks for banks and corporate entities. One element of her role in managing legal risk at Lloyds is to anticipate and participate in the implementation of legally driven changes in advance of events which could pose a legal risk. In her words, she “looks forward into the future and advises on what laws and regulations may impact the organisation and ensures that any changes in terms and conditions or ways of working are implemented in order to ensure compliance with applicable law at all times.”

Having worked in financial institutions during many crises over the years, Sacarello has a plethora of insight and lessons in crisis management for during and after the COVID-19 pandemic across the financial services industry.

The business impact of the COVID-19 pandemic is rapidly evolving with everyone under pressure to minimise market disruption on business-as-usual operations and understand how new developments impact their business. Since the outbreak of the virus, financial institutions have been managing their response to government initiatives, global regulatory change, including regulatory deferrals, and “looking forward to what might be the post lockdown normal.” As a lawyer who focuses on legal risk, Sacarello is “used to deadlines jumping around and last-minute changes are factored into the delivery of programmes she supports” so she has adopted a resilient and flexible mindset to adjust to regulatory change throughout the pandemic.

Dealing with dynamic situations and evolving deadlines is part of the job, Sacarello says; despite the uncertainty and regulatory deferrals, the quality and productivity of work need to remain high. “Lawyers are resilient to, and very good at, managing change; whether they provide transactional or project support, lawyers are adept at adopting an agile approach to reacting to changes, re-practising their deliverables and, if necessary, revising their advice accordingly,” she says. From her experience in handling legal risk during a crisis, “managing expectations and ensuring that changes are effectively communicated is fundamental to ensuring momentum is not lost and motivation remains high,” she says. “Invariably, it is often the organisational culture that determines the success of managing this sort of change.”

Build a culture of trust

The COVID-19 pandemic has required organisational priorities and mindset to become more flexible to respond to the uncertainty and rapidly evolving eco-system that companies are currently operating in. Therefore, Sacarello emphasises that “it is important that those in risk roles maintain the highest level of vigilance so as to proactively predict and manage both short- and medium-term risks resulting from COVID-19.”

Financial institutions have triggered their business continuity plans, which have involved alternative working arrangements such as split working sites and, in some cases, flexible or rotational working patterns. This evolved into working from home at a scale which reflects the current business continuity status to protect the health and safety of customers and employees.

One of the most significant characteristics that Sacarello has appreciated during the lockdown is a strong corporate culture. In highly regulated sectors like financial services, she has observed some businesses resisting the move to remote working models before the pandemic, due to apprehensions surrounding perceived employee misconduct and risk.

“Many risk experts have raised concerns that the combination of volatile markets and the consequential commercial pressures on margins, together with homeworking has heightened the risk of not only insider trading, unlawful disclosures and other market abuse, but also the risk of such behaviours going undetected,” she says.

Sacarello is proud to work for an organisation that she says has demonstrated strong corporate values as well as acting as responsible corporate citizens in so many ways during this pandemic. “We trust each other and that has been really important” for the effectiveness of the bank’s response to the crisis, Sacarello says. Because employees were permitted to work flexibly pre-lockdown, the IT infrastructure and policies were already in place. As a result, it took less time to react to the lockdown and continue providing support to customers and stakeholders than it did for organisations that had to hastily develop the infrastructure and mindset to facilitate secure remote working. The financial services industry should be encouraged to move away from what Sacarello calls an “obsession that if employees are working flexibly they can’t be trusted because they can’t be seen” and remember that trust should be prioritised alongside other traditional controls.

Some organisations have noted behavioural changes since the global COVID-19 lockdowns were implemented. “It is vital that legal, risk and compliance divisions monitor these occurrences to ensure that there are no legal risks or other risks such as conduct and reputational risk ramifications”, urges Sacarello, because the physiological informality of current working environments may give rise to inadvertent breaches. She points out that comparisons can be drawn with the 2008 financial crisis, when the Securities and Exchange Commission pursued hundreds of entities as well as individuals for market abuse infringements. To decrease the risk of future enforcement actions, compliance teams should assess the risks associated with remote working and ensure that their company has the technological infrastructure in place to enable successful remote working that does not compromise access or data security.

The April 2020 WM Morrison Supermarkets plc v Various Claimants decision has raised the question of whether corporates and financial institutions should implement enhanced surveillance systems to protect their data. Significant lessons have been learnt in the last decade. Many investment banks that Sacarello is aware of have addressed monitoring issues by ensuring rigid adherence to matters such as “change of venue” issues so as to guard against the type of misconduct that had been seen in the industry in the 2008 financial crisis.

“Usually when compliance teams are looking at market abuse in trading, many organisations use artificial intelligence (AI) and algorithms to detect odd trading patterns, but unfortunately, during the current lockdown and economic disruption, abnormal trading patterns have become the new normal. So how do you spot market abuse when every day the trading patterns are very odd and the triggers that caused alarm bells to ring previously are not what they are now?” she says. Attestations that information is not being shared and that policies and procedures are being adhered to are, for example, a control that Sacarello is aware certain traders in the City have been asked to provide while working remotely, but this control only goes so far in managing risk.

Financial institutions have made great strides in terms of implementing cultures that drive positive behaviours and in turn, contribute to good governance and compliance, a lesson which other industries could benefit from.

Despite the malicious actor who featured in the Morrison’s case and the perception by certain organisations that remote working may lead to market abuse, the main cause of data breaches remains accidental “fat-finger” breaches and cyber-attacks. COVID-19 and the lockdown have amplified these possibilities, with threats ranging from the well-publicised personal data breaches experienced by users of video platforms like Zoom, to more sophisticated corporate-focused COVID-19 phishing and ransomware attacks. A remote workforce may be more susceptible to opening attachments or clicking on hyperlinks than they would have been in an office environment. During a single week in April 2020, for example, Google reported in excess of 18 million COVID-19-related malware and phishing emails, and financial institutions have sensibly increased their employees’ vigilance of cybersecurity attacks, together with emphasising best practices and controls to avoid them since the crisis began.

It is vital that financial institutions establish a digital method of reminding employees of the requirements of all policies and procedures. Desktop alerts (ie, digital pop-up notification messages which appear on employees’ computer screens and handheld devices) are an effective and eye-catching method of drawing employees’ attention to actions and controls that they need to implement or consider as they undertake their various roles. Equally, compliance with those policies and procedures is always closely monitored and such monitoring needs to be amplified at this time with extra controls being imposed if necessary, such as delayed sending of outbound emails, blocking outbound emails to certain addresses, increased use of encrypted communications and setting up two-factor authentication. Lockdown will be an interesting period in which to observe whether the behaviours engendered by a strong corporate culture are more effective at mitigating risk than extending controls such as surveillance, according to Sacarello.

Communication and business continuity

In addition to ensuring the right corporate culture is in place, a strong and well-communicated business continuity plan is also crucial to deterring business partners and third-parties from non-compliant behaviour during the pandemic disruption, Sacarello says. She says plans should be “drafted in simple user-friendly language, accessible to everybody and easily found” so employees and third parties are familiar with what they need to do and what the wider company’s response is. “Mandatory training for all involved in the organisation, not just for primary employees but contractors as well, will ensure everybody has a high level of familiarity with what they need to do and how to do it in a situation like COVID-19,” she says.

While the recent crisis has demonstrated the need for businesses to create and implement comprehensive crisis management plans that are thoroughly tested and reviewed on a regular basis, it has also highlighted the need for these plans to allow flexibility, which is key to adapting quickly to the dynamic nature of crisis situations as they develop. For example, when the European Banking Authority (EBA) postponed the first ever EU-wide stress tests to “allow banks to focus on and ensure continuity of their core operations” during COVID-19, this meant that months of preparation work conducted by legal teams at banks was suddenly not necessary. Dealing with high-risk and frequent change is all part of a legal risk lawyer’s core role, Sacarello says, so flexibility is key. The value of this has been demonstrated during COVID-19, Sacarello says: “we’ve really seen that flexibility came into its own as lawyers utilise their skills to support prioritised work streams, and I think that’s been massively satisfying for the careers of lawyers as well as delivering for customers.” Indeed, the UK’s trade association, UK Finance, has highlighted that the financial services industry has provided financial relief to many hundreds of thousands of consumer credit customers whose finances have been impacted by the COVID-19 pandemic. Stephen Jones, chief executive of UK Finance, said: “Many people across the country are facing financial pressures due to the coronavirus, and lenders are taking decisive action to help them through these tough times.”

She concludes that “it took the financial crisis of 2008 for stakeholders to realise that lawyers can add value at the beginning of a transaction or a programme as partners,” and COVID-19 can have equally positive lessons for the financial services industry. “It is difficult to predict what the post-COVID-19 operating model will look like, but culture and purpose will undoubtedly feature significantly in the new normal. It seems likely that the long-term ramifications of the pandemic include revisions to existing operating models which are digital-by-design and customer-centric models, as well as encapsulating resilient flexible work arrangements and an acceleration of migration to digital channels and connectivity,” Sacarello explains.

While these initiatives are not revolutionary to the financial services sector, Sacarello explains that they reflect the pre-COVID-19 direction of travel of the industry as a whole. “As financial institutions move from crisis management continuity planning to a focus on the ‘new normal’, the lessons learned from the COVID-19 pandemic may well be a catalyst for change, not just with regard to their physical and digital infrastructure but also with regard to cementing their positive culture”, she adds, concluding: “The mind-set has changed for many [in the financial industry…] and I think people have to become more resilient, more trusting and realise they can work very effectively in many different ways when the economy hopefully is in a healthier place. That can be utilised in a very successful way, I think, to put the industry at the forefront again.”

Lexology PRO Compliance is including articles relating to COVID-19 in the main Lexology newsfeed in order to provide in-house counsel users with practical information and first-hand experiences on how to navigate the current market.
