How will the regulators be assessing COVID-19 Contingency Plans?

Online Gaming | Financial Services | Virtual Financial Assets Operators (including Exchanges)

Regulated entities are typically concerned on how they can ensure to fulfill their routine mandatory compliance requirements and reporting – so as to keep their operation in good standing, at least in the eyes of the regulators.  Licensed entities in the financial services sector, the gaming sector or the virtual financial assets sector, (including crypto exchanges), invest money and resources in what they deem are the areas of compliance which are more probable of being tested, analysed or inspected upon. 

The ‘live’ compliance matters such as Liquidity ratios, reserve levels, liability statistics, etc are given utmost attention.  However, how much attention is given to ‘quasi tombstone’ requirements?  Every licensed entity, be it a financial institution, betting company, a company service provider, an eMoney institution, or a VFA Exchange, just to mention a few, are required to submit a Business Continuity Plan and a Disaster Recovery Plan as part of their license conditions.  Whilst the technology part of these plans are typically properly sized up, with well thought out risk mitigation strategies and having technology redundancy to address any possible information security attack or data breach, however, little thought is placed for situations of natural disasters, and consequently the risk mitigation strategies for natural disasters are often vague, superficial and with little redundancy in place. 

Why should you have a detailed contingency plan for a natural disaster if for instance you specifically invested in setting up your business in a place such as Malta which is a very low risk country in terms of natural disasters such as earthquakes, hurricanes or tsunamis, and which is classified by the World Health Organisations as one of the least risky countries globally in terms of health hazards?  Well, from a statistical point of view, the probability of these risks occurring in a country like Malta are so minimal that it may be a natural action not to give it so much importance in the Business Continuity and Disaster Recover Plans.  However, here we are, in the middle of a pandemic which did not spare ‘very low risk countries’ such as Malta.

On the 10th March 2020, the Malta Financial Services Authority (MFSA) issued a circular relating to the COVID-19 situation, addressed to entities licensed or authorised by the MFSA, which stated that “The MFSA expects [emphasis added] regulated firms to take all reasonable measures in order to have appropriate contingency plans in place to be able to deal with any eventuality.”  The key word in the statement is ‘expects’ as each licensed entity is required to have a business continuity plan that should have also addressed this eventuality. The statement carries a lot of weight insofar as what could the regulator be assessing in the next compliance inspection, that is, they may in all probability be asking on how the Business Continuity Plan was actioned to address the COVID-19 emergency.  Similarly, even other regulators may have the same expectation such as the gaming regulators in Malta, UK, and Sweden.

What are the 10 elements that need to feature in a COVID-19 Contingency Plan?

  1. Business Travel Policy – How and when to implement a full or partial business travel ban for staff.
  2. Personal Travel Policy – How and when to impose personal travel bans, including how to address this in employment contracts
  3. Reduced Social Contacts – How to shift from having face-to-face meetings to non-face-to-face meetings with non staff members.
  4. Alternative Working Arrangements – How to shift an office based operation to a Home working and teleworking scenario.
  5. Quarantine Management – How to manage issues in relation to voluntary and mandatory quarantine measures, and how to deploy resources to substitute quarantined staff
  6. Cash Flow Management – A plan of immediate, short term and medium term financial measures to decrease cash outflow pressure and increase immediate to short-term cash inflows (such as financing facilities or government schemes)
  7. Service Disruption Mitigation Strategy – A strategy how to ensure minimal disruptions of services offered to customers due to COVID-19 related measures or situations
  8. Employee Retention – A plan (including use of financial buffers, if any) to retain the workforce in a situation of reduced revenues
  9. Total Lock- Down Simulation –An action plan and the carrying out of a dry-run of how to simulate a total lock down situation and keep essential services running.
  10. Lobbying – A list and plan of whom to contact and speak to in State Institutions, Regulatory Bodies and Banks to explain how the COVID-19 is affecting the business and its employees in an effort to be granted ‘compliance and reporting holidays’ in a time of crisis.

With the first cases of COVID-19 in Europe, our Group, GTG Advocates, Afilexion Alliance and Caledo VFA Advisory, augmented its Business Continuity Plans and designed its COVID-19 Contingency Plan.  Should you be a regulated entity, and did not yet design your COVID-19 Contingency Plan, you may need legal, consultancy or technical assistance to develop and coordinate such a plan.  Our Group is uniquely positioned to help your regulated business, address your COVID-19 contingency plan.  Contact our designated COVID-19 Support Advisory Lead by sending an email, including your phone and skype contact details to  Our team will ‘meet’ you ‘virtually’ to discuss your needs.

©2020 – GTG Advocates

This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.