New York DFS Grants Temporary Relief and Requires Regulated Entities to Submit Descriptions of COVID-19 Preparedness Plans

For additional guidance in navigating this crisis, visit our Coronavirus (COVID-19) Resource Center.

To download a compendium of our recent advisories and alerts related to the outbreak, click here.  

Preparedness Responses Are Due April 9

The New York State Department of Financial Services (DFS) has taken a number of recent steps in response to the COVID-19 pandemic. On March 11, 2020, Superintendent Lacewell issued an order granting temporary relief and filing extensions to regulated entities with respect to certain regulatory requirements, including the annual certification deadlines under DFS’s Part 500 and Part 504 regulations.

On March 10, 2020, DFS issued letters requiring regulated entities to submit two responses describing their COVID-19-related preparedness plans “as soon as possible” and no later than 30 days (which we calculate as April 9, 2020). Specifically, DFS has required preparedness plans 1) to manage the risk of disruption to a regulated entity’s services and operations, and 2) to manage the potential financial risk arising from the effects of the outbreak. DFS issued similar guidance to virtual currency companies and highlighted special risks that those companies should consider.

Regarding both operational and financial risk, DFS emphasized that boards of directors (or their equivalents) at each regulated institution are responsible for ensuring that appropriate preparedness plans are in place and that sufficient resources have been provided to implement such plans. For their part, senior management are responsible for ensuring that “effective policies, processes, and procedures” are in place to execute the plans and communicating them consistently to employees.

We describe DFS’s actions in more detail below. For additional resources and real-time updates regarding new legal developments in connection with COVID-19, please visit Paul, Weiss’s Coronavirus Resource Center.

DFS Order Granting Temporary Regulatory Relief

On March 11, 2020, Superintendent Lacewell issued an order recognizing that COVID-19 may present compliance challenges for certain regulated entities under New York’s Banking and Financial Services laws and regulations.[1] The order provides the following regulatory allowances and directives, which are in effect until further modified:

• Relocation and closing of locations: Banks, licensed lenders, money transmitters, and other enumerated companies are authorized to “temporarily relocate any of their authorized places of business, and close any of their branch offices or locations, if adversely affected by the outbreak of COVID-19,” without complying with prior notice or application requirements. However, regulated entities must provide “prompt written notice” of these actions to DFS. All activities conducted in new locations will remain subject to DFS regulation and supervision.
• Employees working from home: The order states that persons employed by or working for regulated entities who are conducting licensable activities from their personal residences or other temporary location “shall remain subject to the full supervision and oversight of such regulated entities.” Regulated entities shall maintain “appropriate safeguards and controls,” including with respect to data protection and cybersecurity.
• Board or committee meetings: For board of director or committee meetings, telephone or video-conference participation where all persons in the meeting may hear each other shall “constitute presence in person at a meeting.”
• Extension of filing deadlines: The order extends by 45 days various enumerated filing deadlines for regulated entities “unable to meet filing deadlines due to the outbreak of COVID-19.” These deadlines pertain to, among other things, the annual reports of various regulated entities, as well as the certification deadlines under Part 500 (cybersecurity) and Part 504 (transaction monitoring and filtering programs). The order states, however, that these extensions do not apply to the reporting of cybersecurity events under Rule 500 and the submission of LIBOR transition plans pursuant to the DFS’s December 23, 2019 industry letter.

Regulated entities would be well advised to document the COVID-19-related circumstances and hardships requiring reliance on the regulatory relief in question.

Operational Risk Preparedness Plan

On March 10, 2020, DFS issued guidance and a “request for assurance” that DFS-regulated institutions have preparedness plans in place to address operational risk posed by the COVID-19 outbreak.[2] The DFS letter requires that each institution submit a response describing its plan of preparedness to “manage the risk of disruption to its services and operations.” The responses are due “as soon as possible” and in no event later than 30 days from March 10 (April 9).

DFS stated that a preparedness plan should be “sufficiently flexible” to effectively address a range of possible effects that could result from an outbreak of COVID-19, and “reflect the institution’s size, complexity and activities.” DFS enumerated the following elements that a plan should include “at a minimum”:

1. Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
2. A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak, which includes an assessment of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
3. Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. This would also include an assessment and testing of the capacity of the existing information technology and systems in light of a potential increased remote usage;
4. An assessment of potential increased cyber-attacks and fraud;[3]
5. Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19;[4]
6. Assessment of the preparedness of critical outside-party service providers and suppliers;
7. Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
8. Testing the plan to ensure the plan policies, processes and procedures are effective; and
9. Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.

DFS also cited the recently updated pandemic planning guidance by the federal banking regulators, suggesting that DFS-regulated institutions should consider this guidance as appropriate.[5] Similar to the DFS guidance, that federal guidance emphasizes the important role of the board of directors in overseeing the development of the pandemic preparedness plan, approving the plan, and ensuring that senior management is investing sufficient resources into monitoring and testing the final plan.

Financial Risk Preparedness Plan

Also on March 10, 2020, DFS issued another letter requiring assurance that DFS-regulated institutions are “identifying, monitoring, and managing the potential financial risk arising from the spread of [COVID‑19].”[6] DFS noted that institutions may be impacted in a variety of ways, ranging from increased credit risks and defaults and stock market declines to and disruptions to supply chains and service providers. The DFS required the submission of a response describing each institution’s plan for managing the potential financial risks arising from the virus, which is due “as soon as possible” and in no event later than 30 days.

DFS stated that such a risk management plan would include the following assessments, “at a minimum”:

1. Assessment of the credit risk ratings of the customers, counterparties and business sectors impacted by COVID-19;
2. Assessment of the credit exposure to customers, counterparties and business sectors impacted by COVID-19, arising from lending, trading, investing, hedging and other financial transactions, including any credit modifications, extensions and restructurings (including capitalizations of interest);
3. Assessment of the scope and the size of credits adversely impacted by COVID-19 that currently are in, or potentially may move to, non-performing/delinquent status, including consideration of stress testing and/or sensitivity analysis of loan portfolios and the adequacy of loan loss reserves;
4. Assessment of the valuation of assets and investments that may be, or have been, impacted by COVID-19;
5. Assessment of the overall impact of COVID-19 on earnings, profits, capital, and liquidity (including impact on loan-to-deposit ratio) of your institutions; and
6. Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19. Here, DFS cited to another guidance it issued on March 10, 2020, which encouraged DFS-regulated banks, credit unions, and licensed lenders to “consider all reasonable and prudent steps to assist businesses that have been adversely impacted.” This would include offering payment accommodations such as payment due date extensions or loan adjustments; waiving overdraft fees; and “easing credit terms for new loans.”[7]

Guidance to DFS-Regulated Virtual Currency Companies

On March 10, 2020, DFS issued a similar guidance and request for assurance to DFS-regulated institutions “engaged in virtual currency business activity.”[8] The DFS letter required a response describing operational risk preparedness plans on the same timeframe described above. (The letter did not specifically ask for a response on financial risk, but DFS may view the general letter discussed above to apply to virtual currency companies.)

DFS highlighted a few specific areas of concern for virtual currency businesses:

• DFS emphasized the risk to virtual currency businesses of “increased instances of hacking, cybersecurity threats, and similar events” by bad actors seeking to take advantage of the outbreak. DFS suggested heightened security measures, such as “enhanced triggers for fraudulent trading or withdrawal behavior.”
• DFS also underscored the possibility of “custody risk” and the possible need for special arrangements to move virtual currency from “cold” to “hot” wallets during times when employees may not be working from their usual locations.
• DFS also reminded institutions of their obligations to notify DFS if positive net worth falls below certain thresholds.

We will continue to monitor DFS’s response to the pandemic.

                                                                                                         *       *       *

[1]       DFS’s regulatory relief order is available at https://www.dfs.ny.gov/system/files/documents/2020/03/ea20200312_covid19_relief_order.pdf. 

[2]       DFS’s guidance on operational risk is available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_risk_coronavirus.  Although this letter was issued by Shirin Emami, the Executive Deputy Superintendent (Banking), the letter is addressed to “New York State Regulated Institutions” and does not define that term.  As a result, the letter appears to apply broadly to all DFS-regulated entities.

[3]       See our memorandum, “Mitigating Cybersecurity Risks Related to the Coronavirus” (March 6, 2020), available at https://www.paulweiss.com/practices/litigation/cybersecurity-data-protection/publications/mitigating-cybersecurity-risks-related-to-the-coronavirus?id=30795.

[4]       DFS cites two resources:  The New York State Department of Health website, available at https://health.ny.gov/diseases/communicable/coronavirus/ and CDC Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019, available at https://www.cdc.gov/coronavirus/2019-ncov/specific-groups/guidance-business-response.html.

[5]       The federal bank regulator pandemic planning guidance is available at https://www.ffiec.gov/press/PDF/FFIEC%20Statement%20on%20Pandemic%20Planning.pdf.   

[6]       DFS’s guidance on financial risk is available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_financial_risk_coronavirus. 

[7]       DFS’s guidance about accommodating customers affected by COVID-19 is available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_support_businesses. 

[8]       DFS’s guidance to virtual currency companies is available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_coronavirus_vc_business_oper_fin_risk.