Nashville, TN – As Tennessee continues to respond to the COVID-19 pandemic, the Tennessee Department of Financial Institutions is issuing this interim guidance to all non-depository financial institutions and individuals licensed or registered with the Compliance Division.
In general, please be reminded that business continuity plans (BCPs) should address the threat of pandemic outbreak and the potential impact on the delivery of financial services.
Unlike business continuity planning, pandemic planning is much more difficult to determine because of the anticipated difference in scale and duration. The most significant challenge from a severe pandemic event will likely be staffing shortages due to absenteeism.
Additionally, open communication with third parties, especially critical service providers, is an important aspect of pandemic planning. Management should have action plans for triggering events, communicate to employees, mitigate risks, and ensure sufficient internal and external capacity is available where needed. Preparation is key in a pandemic event so the need for periodically updating and exercising your plan is crucial for success.
The Department regulates numerous consumer credit licensees and registrants who are required to have a license or certificate of registration for each location from which business is conducted. Specific to all non-depository companies, branches, and individuals licensed or registered by the Department’s Compliance Division, this Interim Guidance is intended to facilitate the ability of licensees and registrants to take precautions deemed necessary to avoid the risk of exposure to or transmission of coronavirus (COVID-19).
Licensees and registrants will continue to be responsible for supervising their employees and for conducting business in a compliant manner. The Department recognizes that some employees may be asked to work remotely from their residence to help prevent the spread of coronavirus (COVID-19).
In such cases, the Department will recognize the decision made by the company to temporarily modify work assignments in order to reduce the risk of exposure to or transmission of coronavirus (COVID-19) during this state of emergency. Members of the public should not travel to an employee’s residence to conduct business.
The following best practices are recommended by the Department for employees working remotely in order to ensure that data and information security is maintained:
- All computers and other devices that contain, or are used to access, confidential information should be encrypted and secure.
- Employees should be required to access the licensee’s or registrant’s secure data system remotely using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the individual’s access device should be maintained.
- The employee should not keep any physical business records at the remote location.
- Activity should be conducted in a private environment, rather than a public area.
This Interim Guidance is currently effective until further notice, and is subject to change as circumstances warrant.
The Department continues to work with Tennessee Governor Bill Lee and other state agencies to best address this ongoing situation. The Department is also working with other state and federal regulators and the Conference of State Bank Supervisors to implement appropriate actions to ensure the safety and soundness of the Tennessee financial institution community and all stakeholders.