The Impact of Coronavirus on the Operations of Financial Institutions: Key Guidance Issued by U.S. Financial Regulators

April 21, 2020

Click for PDF

Since the early stages of the coronavirus (COVID-19) pandemic, U.S. financial regulators have issued a flurry of guidance.  This Alert analyzes select guidance from regulators to date on three key issues:  (1) the additional planning that financial institutions should undertake going forward, (2) how financial institutions should adjust day-to-day banking operations during coronavirus, including complying with their Bank Secrecy Act/anti-money laundering (“BSA/AML”) obligations, and (3) how COVID-19 affects oversight of financial institutions, including supervisory priorities and deadlines.[1]

Key U.S. financial regulators presently appear focused on ensuring safety, soundness, and liquidity, but are acting with flexibility given the operational challenges facing, and the increased demands imposed on, U.S. financial institutions.  We will continue to monitor developments, including whether regulators maintain this approach over the long term with respect to any COVID-19 performance gaps, as well as potential supervisory and enforcement options.

1. Planning

In the initial response to coronavirus, financial regulators have issued guidance regarding how financial institutions should plan for pandemics, the financial risks posed by them, and the specific areas of responsibility for boards of directors and senior management.

Pandemic Planning and Preparedness

FFIEC, on behalf of its member agencies, issued an update to earlier guidance on how federally regulated banks and credit unions should plan and prepare for a pandemic.[2]  The new guidance explains the pandemic-related information that needs to be included in a financial institution’s business continuity plan.  Specifically, the plan should include, among other things, a preventative plan to reduce the impact of a pandemic, a documented strategy for scaling a response to pandemic efforts, and a comprehensive framework of facilities, as well as testing and oversight of the program.  This planning should be accompanied by a business impact analysis of the potential effects of a pandemic and appropriate risk assessment and management.

DFS issued guidance requiring “New York State Regulated Institutions” to submit a report describing their pandemic preparedness.[3]  The term “New York State Regulated Institutions” is not defined and appears to apply broadly to all DFS-regulated entities.  The report must describe the financial institution’s “plan of preparedness to manage the risk of disruption to its services and operations.”  The report is required to cover, “at a minimum,” preventative measures to mitigate the risk of operational disruption, a documented strategy addressing the impact of the outbreak in stages, an assessment of all facilities, an assessment of potential increased cyberattacks and fraud, an assessment of the preparedness of critical outside-party service providers and suppliers, employee protection strategies, and development of a communications plan, as well as testing and governance.  And, on cybersecurity specifically, DFS issued additional guidance instructing regulated entities to “assess” and “address” a number of cybersecurity risks posed by working arrangements adopted during the pandemic, including ensuring secure connections, configuring remote working video and audio conferencing applications to limit unauthorized access, revisiting phishing training and testing “at the earliest practical opportunity,” and coordinating with critical third-party vendors to determine how they are adequately addressing new risks.[4]

Financial Risk Planning

DFS issued another piece of guidance requiring the same “New York State Regulated Institutions” to submit a second report regarding assurance relating to the financial risks from COVID-19.[5]  The report must “describ[e] the institution’s plan regarding managing the potential financial risk” arising from coronavirus.  Specifically, the plan must include an assessment of: (i) the credit risk ratings of the customers, counterparties and business sectors impacted by coronavirus; (ii) the credit exposure to customers, counterparties and business sectors impacted by coronavirus arising from lending, trading, investing, hedging and other financial transactions; (iii) the scope and the size of credits adversely impacted by coronavirus that currently are in, or potentially may move to, non-performing/delinquent status; (iv) the valuation of assets and investments that may be, or have been, impacted by coronavirus; (v) the overall impact of coronavirus on earnings, profits, capital, and liquidity; and (vi) reasonable and prudent steps to assist those adversely impacted by coronavirus.

2. Banking Practices During an Emergency

Financial regulators have also issued guidance on how financial institutions should conduct  operations during this pandemic.  Three key issues the guidance has covered are remote work arrangements, providing payment relief to customers, and complying with BSA/AML obligations.

Remote Work Arrangements

As explained in a recent Gibson Dunn alert, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued updated guidance outlining which employees in the financial services sector, among others, are considered essential.[6]  In the financial services sector, this includes employees needed to process transactions, maintain orderly market operations, and provide business, commercial, and consumer access to bank and non-bank financial services and lending services.  These workers “should be encouraged to work remotely when possible” but, if remote work is not possible, financial institutions should use strategies such as offsetting shift hours and social distancing to reduce the likelihood of the spread of COVID-19.

The FRB, OCC, and Treasury Department have all issued statements recognizing the CISA classifications.[7]  The FRB, for example, advises that supervised financial institutions should provide essential employees and contractors with a letter explaining that the identified worker is an essential critical infrastructure worker who needs to be allowed access to their place of work.[8]  DFS has issued guidance permitting employees to work from home,[9] and FINRA has temporarily suspended the requirement to maintain updated Form U4 information for registered persons who are temporarily working in alternate locations due to COVID-19.[10]  DFS has also issued guidance providing that New York State-chartered institutions may conduct meetings by teleconference or videoconference during the declared Disaster Emergency and 60 days thereafter.[11]

Lending, Borrower Accommodation, and Customer Assistance

The U.S. financial regulators have also issued extensive guidance encouraging financial institutions to assist consumers that may be struggling financially due to COVID-19.  The FDIC and OCC issued similar guidance, which is consistent with the FRB’s pre-existing guidance regarding responses to major disasters or emergencies, encouraging financial institutions to try to  provide relief to customers affected by the pandemic.[12]  The FRB, FDIC, NCUA, OCC, and CFPB issued a joint statement encouraging banks, savings associations, and credit unions to offer responsible small-dollar loans to both consumers and small business.[13]

The guidance from all these regulators generally follows a similar pattern of (1) acknowledging the likely financial hardship for individuals and small businesses due to the pandemic; (2) encouraging financial institutions to do their part to alleviate the adverse impact caused by COVID-19; and (3) providing suggested measures that financial institutions may take to do so.  Examples of suggested measures include offering payment accommodations, waiving overdraft and ATM fees, easing credit terms for new loans, waiving late fees for loan balances and credit card balances, increasing ATM daily cash withdrawal limits, waiving early withdrawal penalties on time deposits, and increasing credit card limits for creditworthy customers.  The FRB, DFS, the FDIC, and OCC also provided assurances that prudent efforts to modify the terms on existing loans for affected customers will not be subject to examiner criticism.[14]

Although the above guidance is voluntary, some consumer relief guidance is not optional.  DFS promulgated regulations requiring banks to grant 90-day forbearances on residential mortgages for borrowers that are suffering financial hardship as a result of the COVID-19 pandemic and also to waive ATM, overdraft, and credit card late payment fees.  Those regulations were previously summarized by Gibson Dunn here.

Bank Secrecy Act Compliance

U.S. regulators, notably FinCEN, have issued a number of pieces of guidance on how financial institutions should continue to comply with their BSA/AML obligations during the pandemic.

FinCEN issued guidance stating that compliance with the BSA “remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing,” and, as such, “FinCEN expects financial institutions to continue following a risk-based approach” and “diligently adhere to their BSA obligations.”[15] At the same time, FinCEN “recognizes that certain regulatory timing requirements with regard to BSA filings may be challenging during the COVID-19 pandemic and that there may be some reasonable delays in compliance.”  Nevertheless, financial institutions are advised to “contact FinCEN and their functional regulator as soon as practicable [regarding] concern[s] about any potential delays in [their] ability to file required Bank Secrecy Act (BSA) reports.”[16]  To that end, FinCEN has created a new mechanism to contact the agency through its website for COVID-19-related issues.[17]  Such communications “are strongly encouraged but not required.”[18]  FinCEN also encourages financial institutions to contact their regulators or examiners “as soon as practicable if a financial institution has BSA compliance concerns because of the COVID-19 pandemic.”

The OCC has issued guidance supporting FinCEN’s approach to BSA/AML compliance, stating that it “encourages all banks to follow a risk-based approach to managing their BSA compliance programs.”[19]  Specifically, “[w]hen evaluating a bank’s BSA compliance program, the OCC will consider the actions taken by banks to protect and assist employees, customers, and others in response to the COVID-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes.”[20] Again, banks are encouraged to contact examiners if they anticipate delays.

At a more granular level, FinCEN has also issued guidance regarding filing SARs for COVID-19-related activity and complying with beneficial ownership obligations when dispensing loans under the Paycheck Protection Program (“PPP”).  As financial institutions continue to monitor transactions in compliance with their obligations under the Bank Secrecy Act and relevant anti-money laundering laws, FinCEN has specifically identified various COVID-19-related scams that may occur, including companies selling unapproved or misbranded products making false health claims and bad actors soliciting donations or stealing personal information by impersonating health-related government agencies, international organizations, or healthcare organizations.[21]  In the event that financial institutions detect any of these typologies or suspect suspicious transactions linked to COVID-19, they are asked to enter “COVID19” in Field 2 of the Suspicious Activity Report (“SAR”) template.

Regarding loans issued under the PPP, analyzed in detail in a separate Gibson Dunn client alert, FinCEN issued guidance clarifying that if PPP loans are being made to existing customers and their necessary information was previously verified, it does not need to be re-verified for FinCEN Rule CDD purposes.[22]  As for new customers, FinCEN clarified that, for all natural persons with a 20% or greater ownership stake in the applicant business, collection of their owner name, title, ownership percentage, TIN, address, and date of birth will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information.

Relief on CECL Implementation

Even before the effects of the pandemic began to make themselves felt, the new current expected credit losses (“CECL”) methodology promulgated by the Financial Accounting Standards Board concerned many banking institutions, which feared pro-cyclical effects on credit loss allowances, and ultimately, reductions to capital.  In 2019, U.S. banking regulators modified their capital rules to permit banks to phase in over a period of three years the day-one effects of the transition to CECL, to smooth out those effects over time.

On March 27, 2020, the U.S. regulators issued an interim final rule that provided alternative relief, by permitting banking organizations to phase-in over a period of five years the effects of the transition to CECL that occur during the first two years of implementation.  Under this approach, no effects of CECL implementation will be recognized for the first two years; banking organizations will phase in the effects over years three through five.[23]  In addition, Section 4014 of the CARES Act provides banking organizations with the option not to comply with CECL until the earlier of the end of 2020 or the end of the COVID-19 emergency.[24]  On March 31, 2020, the banking regulators issued a statement to the effect that the regulatory relief and Section 4014 are not mutually exclusive; a banking organization that elects to use the statutory relief may also elect the regulatory capital relief after the expiration of the statutory relief period.  The two-year period in the regulatory relief would be reduced by the number of quarters that the banking organization made use of the statutory relief.[25]

3. Supervisory Priorities and Deadlines

U.S. financial regulators have also provided guidance on how COVID-19 will affect examination priorities and reporting deadlines.

Regarding examinations, the FRB released guidance stating that it “is reducing its focus on examinations and inspections at this time” and that “[a]ny examination activities will be conducted off-site until normal operations are resumed.”[26]  For supervised institutions with less than $100 billion in assets, the FRB intends to cease all regular examination activity unless there is an urgent need, or it is critical for consumer protection.  The FRB intends to reassess its approach in the last week of April.  Supervisors are also focusing efforts to ensure that supervisory findings are still relevant and appropriately prioritized in light of changing circumstances.  And, as noted above, the FRB, DFS, the FDIC, and OCC have provided assurances that prudent efforts to modify the terms on existing loans for affected customers will not be subject to examiner criticism.

Regulators have also extended various reporting and submission deadlines.  A selected list of reporting deadlines that have been extended to date is included in the table below.  Please consult the website of your financial regulators to confirm current deadlines and extensions.  In general, if a financial institution will not be able to meet a submission deadline as a result of COVID-19, the best practice is to contact your financial institution’s regulator.[27]

Table 1 – Deadlines Extended by U.S. Financial Regulators

Agency Task Extension / Deadline
FDIC Q1 2020 Regulatory Report Filings 30-day grace period[28]
FDIC Reports of Condition and Income (Call Report) due March 31, 2020 30-day grace period
FinCEN FIN-2020-R001 ruling on CTR filing obligations when reporting transactions involving sole proprietorships and entities operating under a “doing business as” (DBA) name Indefinitely
FRB Deadline for remediating existing supervisory findings unless the FRB notifies the institution otherwise 90 days
FRB Revised Control Framework for determining when one company controls another company for purposes of the Bank Holding Company Act and Home Owners’ Loan Act Effective date delayed six months, until September 30, 2020[29]
FINRA Comment Period for Regulatory Notice 20-05 May 31, 2020
FINRA Comment Period for Regulatory Notice 20-04 May 15, 2020
FINRA Annual Reports 10-day extension for reports related to fiscal years ending January 2020 through March 2020
FINRA FOCUS Reports 10-day extension for FOCUS reports related to periods ending in February 2020 through April 2020
FINRA · Rule 3120 Report
· Rule 3130 Certification
Deadlines that fall between March 1 and May 1, 2020 are extended until May 31, 2020
FINRA Fingerprinting requirements for FINRA members and employees Temporary exemption until May 30, 2020
FINRA Timeframe for individuals designated as principals under FINRA Rule 1210.04 prior to February 2, 2020 to pass appropriate examination(s) Extended to May 31, 2020
NY DFS Annual stockholder meetings Institutions will have seven months instead of four months from the beginning of an institution’s fiscal year end if the prior deadline for the stockholder meeting occurs during the disaster emergency
NY DFS · Annual reports and comparative statements of commercial banks
· Annual reports of licensed lenders
· Quarterly reports of budget planners
· Audited financial statements of budget planners
· Annual reports and audited financial statements of check cashers
· Certifications of compliance with cybersecurity requirements
· Transaction monitoring and filtering
· Volume of operation reports
· Volume of servicing reports
· Quarterly financial statements of virtual currency licensees
· Annual reports of student loan servicers
45-day extension


   [1]   This alert covers select guidance issued by the Federal Reserve Board (“FRB”), the Federal Financial Institutions Examination Council (“FFIEC”), the New York Department of Financial Services (“DFS”), the Office of the Comptroller of the Currency (“OCC”), the Financial Industry Regulatory Authority (“FINRA”), the Federal Deposit Insurance Corporation (“FDIC”), and the Financial Crimes Enforcement Network (“FinCEN”).  It does not cover every COVID-19-related guidance issued by these regulators nor does it discuss guidance issued by the U.S. Department of Justice, the Securities and Exchange Commission, or state financial regulators other than DFS.

   [2]   Federal Financial Institutions Examination Council, Interagency Statement on Pandemic Planning (Mar. 6, 2020),  The member agencies of the FFIEC are the FRB, FDIC, OCC, and the National Credit Union Administration (“NCUA”) and the Consumer Financial Protection Bureau (“CFPB”).

   [3]   N.Y. Dep’t of Fin. Servs., Re: Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus (Mar. 10, 2020),

   [4]   N.Y. Dep’t of Fin. Servs., Re: Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic (Apr. 13, 2020),

   [5]   N.Y. Dep’t of Fin. Servs., Re: Guidance to New York State Regulated Institutions and Request for Assurance Relating to Potential Financial Risk Arising from the Outbreak of the Novel Coronavirus (Mar. 10, 2020),

   [6]   Cybersecurity and Infrastructure Security Agency (CISA) of the Dep’t of Homeland Security, Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response (Apr. 17, 2020),

   [7]   For example, the Treasury Department also includes “key third-party providers who deliver core services” in its definition of essential financial services sector workers.  U.S. Department of the Treasury, Memorandum: Financial Services Sector Essential Critical Infrastructure Workers (Mar. 22, 2020),

   [8]   Bd. of Governors of the Fed. Reserve Sys., SR 20-6: Identification of Essential Critical Infrastructure Workers in the Financial Services Sector During the COVID-19 Response (Mar. 27, 2020),

   [9]   N.Y. Dep’t of Fin. Servs., Order (Mar. 12, 2020),

  [10]   Financial Industry Regulatory Authority, Regulatory Notice 20-08: Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief,

  [11]   N.Y. Dep’t of Fin. Servs., Order (Apr. 16, 2020),

  [12]   Fed. Deposit Ins. Corp., Regulatory Relief: Working with Customers Affected by the Coronavirus, FIL-17-2020 (Mar. 13, 2020),; Office of the Comptroller of the Currency, Pandemic Planning: Working With Customers Affected by Coronavirus and Regulatory Assistance (Mar. 13, 2020),; Bd. of Governors of the Fed. Reserve Sys., SR 13-6 / CA 13-3: Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency (Mar. 29, 2013),

  [13]   Joint Statement Encouraging Responsible Small-Dollar Lending in Response to COVID-19 (Mar. 26, 2020),  This March 26 guidance follows a March 19 joint statement from the Federal Reserve, FDIC, and OCC stating that the agencies will look favorably on retail banking and lending activities that meet the needs of small businesses and farms, in connection with the Community Reinvestment Act.  See Office of the Comptroller of the Currency, Pandemic Planning: Joint Statement on CRA Consideration for Activities in Response to COVID-19 (Mar. 19, 2020),

  [14]   In the FDIC’s “Frequently Asked Questions for Financial Institutions Affected by the Coronavirus Disease 2019,” the FDIC stated that it would be acceptable for a bank to offer borrowers affected by COVID-19 payment accommodations, such as allowing borrowers to defer or skip some payments or extending the payment due date.  See Fed. Deposit Ins. Corp., Frequently Asked Questions for Financial Institutions Affected by the Coronavirus Disease 2019 (Referred to as COVID-19) – As of April 15, 2020,  Additionally, on April 7, 2020, the FRB, the CFPB, the FDIC, NCUA, and OCC issued an updated statement “encouraging financial institutions to work prudently with borrowers” affected by COVID-19 and providing additional information regarding loan modifications.  Specifically, the agencies “encourage financial institutions to work prudently with borrowers” and “will not criticize institutions for working with borrowers in a safe and sound manner[] and will not direct supervised institutions to automatically categorize all COVID-19-related modifications as TDRs (troubled debt restructurings).”  Bd. of Governors of the Fed. Reserve Sys. et al., Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by the Coronavirus (Revised) (Apr. 7, 2020),

  [15]   Financial Crimes Enforcement Network, Press Release, The Financial Crimes Enforcement Network Provides Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic (Apr. 3, 2020),

  [16]   Financial Crimes Enforcement Network, The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity (Mar. 16, 2020),

  [17]   Specifically, parties are advised to go to and select “COVID19” in the “Subject” drop down menu.

  [18]   Financial Crimes Enforcement Network, Press Release, The Financial Crimes Enforcement Network Provides Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic (Apr. 3, 2020),

  [19]   Office of the Comptroller of the Currency, Bank Secrecy Act/Anti-Money Laundering: OCC Supports FinCEN’s Regulatory Relief and Risk-Based Approach for Financial Institution Compliance in Response to COVID-19 (Apr. 7, 2020),

  [20]   Id.

  [21]   Financial Crimes Enforcement Network, Press Release, The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity (Mar. 16, 2020),

  [22]   Financial Crimes Enforcement Network, Press Release, Paycheck Protection Program Frequently Asked Questions (FAQs) (Apr. 13, 2020),

  [23]   Joint Press Release: Agencies Announce Two Actions to Support Lending to Households and Businesses (Mar. 27, 2020),

  [24]   Coronavirus Aid, Relief, and Economic Security Act § 4014, Pub. L. No. 116-136, 134 Stat. 281 (Mar. 27, 2020).

  [25]   Joint Statement on the Interaction of Regulatory Capital Rule: Revised Transition of the CECL Methodology for Allowances with Section 4014 of the Coronavirus Aid, Relief, and Economic Security Act (Mar. 31, 2020),

  [26]   Bd. of Governors of the Fed. Reserve Sys., Federal Reserve Statement on Supervisory Activities (Mar. 24, 2020),

  [27]   The Federal Reserve, for example, has explicitly stated it does not expect to take supervisory action against a banking organization that takes reasonable and prudent steps to comply with the Board’s reporting requirements but is unable to do so in these difficult times.  See Bd. of Governors of the Fed. Reserve Sys., SR 13-6 / CA 13-3: Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency (Mar. 29, 2013),

  [28]   FDIC-supervised institutions are encouraged to contact the FDIC in advance of the official filing date if they anticipate a delayed submission.

  [29]   For more information on the Federal Reserve’s Revised Control Framework, see our previously published client alert on this topic, available at

Gibson Dunn lawyers regularly counsel clients on the issues raised by this pandemic, and we are working with many of our clients on their response to COVID-19.  For additional information, please consult the firm’s Coronavirus (COVID-19) Resource Center.  Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Financial Institutions Group, or the authors.

The following Gibson Dunn lawyers assisted in preparing this client alert:  Matthew Biben, Stephanie Brooker, Joel Cohen, Kendall Day, Mylan Denerstein, Arthur Long, Adam Smith, Joseph Warin, Linda Noonan, Chris Jones, Susanna Schuemann, and Tory Roberts.

*Mr. Jones and Ms. Schuemann are admitted only in New York and Washington, D.C.  Ms. Roberts is admitted only in California.  All are practicing under the supervision of Principals of the Firm.

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.