2020-03-27

Guidance Note to the Banking Sector on Pandemic Planning

Here is a possible interpretation of the provided Guidance Note for Kenya's Banking Institutions concerning Pandemics. This interpretation aims to provide a clear understanding of the key elements required by banking institutions when preparing their pandemic response plans.

1. Governance: The guidance requires that institutions establish, implement and review a robust approach to managing pandemics. This implies having a well-defined process for decision making, authority delegation, and crisis management during a pandemic.
2. Strategic Planning: Institutions are expected to allocate adequate resources to monitor, plan, respond to, and recover from a pandemic. This might involve setting aside a budget for emergency expenses related to pandemics, training staff on pandemic response procedures, and developing contingency plans for critical services.
3. Phased Approach and Resource Allocation: Institutions should identify the stages of a pandemic and allocate resources depending on the phase of a pandemic. This might involve prioritizing certain services during different phases of a pandemic.
4. Identification: The guidance requires institutions to identify critical and non-essential services that may be affected by a pandemic. For instance, if the pandemic leads to lockdowns or reduced mobility, some banking services may become inaccessible or less effective.
5. Health & Safety: The institution should take measures to protect the health of its staff and customers. This might involve implementing strict hygiene protocols, providing personal protective equipment (PPE) to staff, and establishing quarantine zones within the premises.
6. Communication & Education: Institutions must ensure that they have effective communication channels both internally and externally. Internal communication should aim to keep staff informed about pandemic developments and response measures. External communication should ensure that customers are kept updated on any changes in banking services or accessibility.
7. Facilities Management: Institutions should take early action to ensure their facilities are adequately taken care of during the early stages of a pandemic. This might involve implementing cleaning schedules, setting up isolation areas, and ensuring that there are adequate supplies of essential items.
8. Pandemic Incident Management: The guidance requires institutions to have a well-defined process for managing pandemics. This could involve establishing a crisis management team, developing detailed incident management plans, and regularly updating these plans based on current pandemic conditions.

An important aspect of the guidance is that it demands instant reporting during a pandemic. Therefore, banking institutions in Kenya are required to report any confirmed cases related to their activities. These reports must be submitted within specific timeframes (immediately for certain events, annually for others).

Lastly, this interpretation should help you understand better how these guidelines can guide Kenyan banks in developing robust and responsive pandemic response plans that meet the expectations outlined in the provided Guidance Note.

GUIDANCE NOTE ON PANDEMIC PLANNING FOR THE BANKING SECTOR MARCH 2020


PART I Preliminary
1.1 Title
1.2 Authorization
1.3 Application
1.4 Definitions and Abbreviations

PART II Statement of Policy
2.1 Background
2.2 Purpose
2.3 Scope
2.4 Responsibility

PART II Business Continuity Planning for Pandemic Planning for the Banking Sector
3.1 Governance
3.2 Phased Approach and Resources Allocation
3.3 Health and Safety
3.4 Facilities Management
3.5 Communication and Education
3.6 Use of Technology
3.7 Holding of Annual General Meetings (AGMs)

PART III - Reporting Requirements

Annex I High Level Contents of a Pandemic Response Plan
Annex II Pandemic Incident Record (Immediate)
Annex III Pandemic Incident Record (Quarterly)

Part I: Preliminary

1.1 Title – Guidance Note on Pandemic Planning for the Banking Sector.

1.2 Authorization - This Guidance Note is issued pursuant to Section 33(4) of the Banking Act and Section 48(2A) (b) of the Microfinance Act, 2006, which empower the Central Bank of Kenya (CBK) to issue guidelines to be adhered to by institutions in order to maintain a stable and efficient banking sector.

1.3 Application - This Guidance Note applies to all institutions licensed under the Banking Act (Cap. 488) and Microfinance Act, 2006.

1.4 Definitions - The terms and acronyms used in this Guidance Note are as defined in the Central Bank of Kenya (CBK) Prudential Guideline on Business Continuity Management (CBK/PG/14). Other terms are defined below:

1.4.1 A contact for the purpose of implementing quarantine is defined as a person¹ -

- Providing direct care without proper personal protective equipment for patients with communicable diseases;
- Staying in the same close environment with a patient with communicable disease (including workplace, classroom, household, gatherings);
- Traveling together in close proximity (within 1 meter) with a communicable disease patient in any kind of conveyance within a 14 day period after the onset of symptoms in the case under consideration.

1.4.2 Business Continuity is a state of continued and uninterrupted operation of a business.

1.4.3 Business Continuity Management (BCM) is a holistic business approach that includes policies, standards, frameworks and procedures for ensuring that specific operations can be maintained or recovered in a timely manner in the event of disruption. Its purpose is to minimize the operations, financial, legal, reputational and other material consequences arising from disruption.

1.4.4 Business Continuity Plan (BCP) is a comprehensive, documented plan of action that sets out procedures and establishes the processes and systems necessary to continue or restore the operation of an organization in the event of a disruption.

1.4.5 Call Tree means a system that enables a list of persons/roles/organizations to be contacted as part of an information/communication plan.

1.4.6 Contagious² means a communicable disease that can spread rapidly from person to person through direct contact (touching a person who has the infection), indirect contact (touching a contaminated object), or droplet contact (inhaling droplets made when a person who has the infection coughs or sneezes).

1 World Health Organization reference number: WHO/2019-nCov/IHR_Quarantine/2020.1

2 https://aidsinfo.nih.gov/search?q=CONTAGIOUS&c=site

1.4.7 Critical Services means any activity, function, process or service, the loss of which would be material to the continued operation of an institution.

1.4.8 Institution means a bank or financial institution or a mortgage finance company or a microfinance bank.

1.4.9 Isolation³ is the separation of ill or infected persons from others, to prevent the spread of infection or contamination.

1.4.10 Quarantine of persons⁴ is the restriction of activities or separation of persons who are not ill, but who may be exposed to an infectious agent or disease, with the objective of monitoring symptoms and early detection of cases.

1.4.11 Pandemic is the worldwide spread of a new disease that has spread over several countries or continents usually affecting a large number of people.

3 World Health Organization reference number: WHO/2019-nCov/IHR_Quarantine/2020.1

4 World Health Organization reference number: WHO/2019-nCov/IHR_Quarantine/2020.1

Part II: Statement of Policy

2.1 Background

Pandemic risks have increased over time mainly due to increased global travel and integration, urbanization, and greater exploitation of the natural environment⁵. Consequently, it is imperative for institutions to formulate policies aimed at preparation and management of pandemics. Traditionally, institutions have prepared Business Continuity Plans for operational disruptions with minimum focus on pandemic planning. Pandemic planning presents unique challenges, which include:

- Economic damage through multiple channels, including short-term fiscal shocks and longer-term negative shocks to economic growth.
- Difficult to determine the impact of a pandemic since pandemics generally are not limited to a geographical region and may be prolonged.
- Some pandemic mitigation measures can cause significant social disruption due to absenteeism over significant periods, which may arise from the illness itself, from official or other attempts to limit its spread or impact, or from widespread panic.
- The need to review risk assessment and management plans to cover the possibility of widespread economic disruptions and their impact on (i) loan and other asset performance; (ii) asset prices and credit spreads; and (iii) demand for liquidity.

2.2 Purpose

This Guidance Note provides minimum standards to ensure that institutions have resilient frameworks to effectively address emerging pandemic risks in the banking sector.

The purpose of this Guidance Note therefore, is to:

- Establish a co-ordinated approach to manage the potential impact of pandemics in the banking sector.
- Evaluate the identification and protection of institutions' critical functions to enhance effective business continuity amidst the crises that occur in a pandemic situation.
- Highlight the need to ensure safety of institutions' employees and customers in service delivery.
- Maintenance of public trust and confidence in the banking sector.

5 Jones K E, Patel N G, Levy M A, Storeygard A, Balk D., and others. 2008. "Global Trends in Emerging Infectious Diseases." Nature 451 (7181): 990–93

2.3 Scope

This Guidance Note sets the minimum standards that institutions should develop to establish sound and effective business continuity management practices to address pandemics. The Guidance Note should be adopted to supplement the existing business continuity plans as required under the Central Bank of Kenya (CBK) Prudential Guideline on Business Continuity Management (CBK/PG/14).

This Guidance Note does not replace nor supersede existing legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations, particularly in the areas of risk management, corporate governance and business continuity management.

This Guidance Note provides recommendations on how institutions can identify and escalate levels of response across three general phases of a pandemic, which could be:

i. Phase 1 - No human-to-human outbreak reported. Institution can initiate low cost activities, including some stockpiling of critical supplies and establishing task forces in key areas for detailed planning, coordination and testing.

ii. Phase 2 - An outbreak is identified in a region. More costly measures implemented. Activities in that region isolated, activities shifted to other locations where possible, and staff removed from the area.

iii. Phase 3 - Activities initiated when outbreak is affecting a broad area/country and key production areas or crucial facilities. The full range of the institution's plans are implemented.

2.4 Responsibility

The Board of Directors of an institution are expected to formulate pandemic preparedness planning strategies, policies, procedures, guidelines and set minimum standards for an institution. Senior Management on the other hand is required to implement the pandemic preparedness plans, strategies, policies, procedures and guidelines. All these must be documented and made available for review by internal audit, external auditors and CBK.

3.1 Governance

Board members should understand the nature of their institution's business and the pandemic threats they may be exposed to. In this regard, institutions are required to provide adequate resources in planning, monitoring, responding to, and recovering from a pandemic.

3.1.1 The responsibilities of the Board in relation to pandemic planning include:

(i) Oversee development and approval of the pandemic strategy, policy and framework whose purpose is to identify, manage and mitigate pandemic risks in a comprehensive and integrated manner.

(ii) Allocate and approve sufficient resources towards development and testing of the pandemic strategy, policy and framework as well as translating it into specific policies, processes, and procedures.

(iii) Oversee implementation of the Pandemic Response Plan by senior management.

(iv) Establish a special Board committee with full delegated authority to provide strategic leadership, make appropriate recommendations and deal with any emerging crisis.

(v) Set the right tone from the top to guide preparedness and response measures.

(vi) Formulate Human Resources and Succession Planning Policies relating to testing and isolation of staff who have been affected by a pandemic such as a communicable disease that has been declared pandemic. In addition, the policy should cover procedures for temporary or permanent transfer of authority, if senior management or board members are incapacitated.

3.1.2 The responsibilities of the Senior Management in relation to pandemic planning include:

Senior Management of an institution is responsible for implementing and maintaining policies to ensure the resilience and continuity of an institution in the event of disruptions caused by pandemics.

(i) Appoint representatives to participate in risk assessment and response coordination meetings between banking sector players and relevant government agencies. The meetings promote collaboration between the various government agencies and private sector in managing the pandemic across the country.

(ii) Implementation of the business continuity plan by periodically conducting a business impact analysis, an enterprise-wide risk assessment, risk management and risk monitoring to identify the mission critical activities and potential for major disruptions.

(iii) Formulation of work plans to identify work that may be done in the office and that can be done from home to reduce staff congestion with the aim of minimizing and curbing the spread of the pandemic.

(iv) Establish a Crisis Management Team, consisting of key executives and functional heads of critical operational areas who will be responsible for dealing with crisis management and business continuity during a crisis. This will require the institution to re-prioritize and reallocate resources in order to expedite recovery.

(v) Establishment of remote and redundant facilities for activities that must be done from centralized locations, for instance, dealing rooms and treasury functions which require significant advance preparation.

(vi) Creation of redundant teams for all critical staff functions and ensuring that the teams are well trained to undertake the requisite functions.

(vii) Assess and test the capacity of existing IT infrastructure, with possible consideration of the potential higher reliance on remote banking services.

(viii) Development and enhancement of alternative delivery channels including online banking, mobile banking platforms and use of credit and debit cards, to minimize handling of cash and human interactions, avenues that are susceptible to the spread of the pandemic.

(ix) Ensure recovery sites are in ready mode with recovery facilities including all the necessary backup power generation and supply.

(x) Communicate the pandemic preparedness strategy, policy and procedures to employees and other relevant parties to ensure they understand the plan and their roles and responsibilities.

(xi) Conduct risk assessments to monitor trends of the disease and impact on the institution's strategic objectives, business operations and work plans.

(xii) Constitute a multidepartment emergency response team, for critical functions, should the pandemic accelerate in the future and cause lockdown.

(xiii) Implement robust monitoring and reporting tools capable of collecting, reporting and analyzing case-based information.

(xiv) Develop and undertake risk mitigation measures.

(xv) Develop plans and identification of alternate sites that are able to carry out the full spectrum of the institution's business operations in the event that the geographical location of the Head Office is adversely affected by the pandemic.

(xvi) Management to put in place adequate business resilience arrangements for disaster recovery and business continuity after disruption caused by pandemics.

3.2 Phased Approach And Resources Allocation

Institutions are required to consider a range of scenarios on how pandemics could impact their clients' financials and their own operations. Institutions should deploy a phased approach and varied actions to navigate through pandemics. The different phases and scale of action will depend on how the course of the pandemic, such as a disease outbreak, unfolds over time. The four-phased approach as itemised below is a guide on how to effectively address the pandemic's potential impact⁶:

i. Phase I - Definition of scenarios of crisis progression in terms of duration and proliferation of the pandemic. The duration buckets could be estimated as follows:

- Two to three months - pandemic effects are resolved in two to three months' duration and business resumes to normal.
- Six months to one-year scenario - a no-growth scenario for the economy or a limited recession.
- Twelve months and above - wider ripple effects, that may trigger a global recession.

ii. Phase II - Sustainability analysis through the identification of those sectors that are most affected in terms of revenue at risk. Calculate stressed ratios on the identified scenarios and estimate forward-looking profitability and solvency positions.

iii. Phase III - Conduct random analysis of selected counterparties and individual clients in order to have an updated view of their risk rating based on how well they are able to manage the crisis across the identified scenarios in Phase I.

iv. Phase IV - Resultant actions to be taken arising from Phases I, II and III. This may require application of debt restructuring guidelines or other forms of financial support.

6 Oliver Wyman - Responding to COVID-19

This Guidance Note does not recommend which of these scenarios is more plausible but recommends that financial institutions consider all such scenarios and plan accordingly. Each institution should identify internal escalation levels of responses and the type of resources to be deployed in each phase while ensuring seamless business continuity and safety of institution's employees and customers. Management will be required to re-assess the institution's critical activities and how to effectively deploy resources to these activities. Essential services such as delivery channels including digital banking services could be considered critical based on the impact of customer reactions and the potential demand for such services.

Adequate plans should be put in place especially where there may be a necessity to shift business processes and functions to different locations or where key function areas are affected. Any major disruptions requiring notifications should be communicated to CBK on a timely basis.

3.3 Health And Safety

Institutions should strive to protect the health of staff and other persons within their premises. This will involve establishing clear policies that can minimize spread and allay staff fears. At a minimum, an institution's senior management should:

i. Establish mechanisms to centralize communication and track illness among staff.

ii. Purchase and distribute health supplies such as hand sanitizers and necessary protective items.

iii. Establish procedures for staff that become ill during the workday (e.g., mandatory quarantine or isolation).

iv. Develop plans for reducing staff interaction, e.g. by extending working hours and adopting shifts to reduce crowding in the building, closing the business to visitors, working from home, staggering lunch hours and social distancing by adhering to the one-metre spacing rule by staff and customers.

v. Identify specially trained and equipped staff to assist with medical emergencies.

vi. Develop a response plan incorporating travel restrictions covering:

a) Triggers and procedures for activating travel limitations; and

b) Personnel policies concerning staff returning from infected areas (e.g., medical check-ups and/or isolation).

3.4 Facilities Management

Proper facilities management can significantly contribute in the reduction and containment of the spread of infection. Early action will prove effective in curbing the spread of infection and resultant effects on the institution. It is therefore critical for institutions to take early action to ensure facilities are adequately taken care of during the early stages of a pandemic. While planning for facilities management, institutions should consider supply shortages, identification and maintenance of key facilities, formulating quarantine practices and for setting aside specific quarantine zones. Best practices include:

(i) Purchasing a minimum quantity of critical cleaning supplies, including sanitisers and soap and water. Availing hand cleaning supplies to everyone physically interacting with the institution.

(ii) More frequent cleaning, focusing especially on desks, phones, keyboards, printers, sinks, railings, door handles, counters, Automatic Teller Machines (ATMs), Process Data Quickly devices (PDQs) and any other surfaces that are often touched.

(iii) Visitor procedures and whether restrictions should be implemented for visitors accessing the facilities.

(iv) Setting up basic health checks for staff and customers, for instance, temperature checks using a non-contact thermometer.

(v) Promotion of good hygiene and social distancing among staff, customers and third parties interacting with the institution.

(vi) Formulation and implementation of a work from home policy for non-essential staff.

3.5 Communication And Education

Effective and efficient communication is critical for mitigating panic and providing clear, timely and relevant information to ensure continuity of critical functions and services. Communication strategies developed in line with Business Continuity Plans (BCP) should be implemented in order to reduce disruption. In particular,

(i) Regular communication to CBK and other regulators, customers, third party service providers, investors, and other relevant parties should commence immediately a pandemic breaks out in order to establish trust through provision of balanced and accurate information.

Communication to customers about availability of services should be prioritized and done at least on a weekly basis.

(ii) Institutions should implement their internal and external communication strategies in order to assure customers, promote awareness of the institution's BCP among staff and service providers, liaise with regulators and avoid unnecessary panic.

(iii) Internal communication plans should include clear escalation paths to manage communication and identify decision-makers. These plans should be updated with contacts of key personnel, suppliers, third party service providers and regulators.

(iv) External communication plans should include advice to customers and other stakeholders on a regular basis on the availability of services and health and safety considerations while obtaining services within the institution's premises. External communications strategies should take into account how customers may reach the institutions should there be a disruption in the usual direct line of communication.

(v) Institutions should review existing communication plans and ensure they are current.

Examples of communication issues to consider include:

- Determining the appropriate method of communication with staff—including cellphone and landline telephone numbers, and personal e-mail addresses. Policies for contacting staff in an emergency situation should be implemented.
- Informing staff about the institution's BCP, how the plan would be triggered, and where to monitor the institution's on-going preparation.
- Developing platforms for communicating with staff, service providers, suppliers, and customers, as applicable, for timely updates and emergency contact systems using call trees to ensure all stakeholders receive regular updates from senior management.

3.6 Use Of Technology

3.6.1 Institutions are encouraged to utilize conference calls, video conferencing, teleconferencing and webinars for meetings and events.

3.6.2 Part VII of the CBK Prudential Guideline on Corporate Governance (CBK/PG/02) requires that up to 25 percent of the actual board meetings held in a year can be conducted through video conferencing, provided that majority of the directors are physically present. In a pandemic situation and as a precautionary measure to avert the spread of the pandemic, institutions are encouraged to use video conferencing for most of the necessary board meetings. Where such meetings exceed the 25 percent threshold, CBK should be notified at the earliest opportunity before the meeting by email on fin@centralbank.go.ke.

3.7 Holding Of Annual General Meetings (AGMs)

Institutions are advised to align their Annual General Meetings (AGMs) with World Health Organization (WHO) guidance on minimizing the spread of pandemic through social distancing by avoiding crowds such as public gatherings. In this regard, institutions are advised to either defer AGMs to a time when the pandemic is brought under control or, where their Articles of Association allow, consider holding a virtual AGM. In addition, and where technology permits, institutions should make appropriate arrangements for their shareholders to conduct online voting for critical AGM resolutions including dividends payments, changes in external auditors and directorships, approval of audited accounts and bonus issues in an effort to curb the spread of the pandemic.

Institutions should take a proactive approach to minimise the adverse impact that a pandemic may cause to the banking sector and the country at large. In this regard, CBK requires all commercial banks, microfinance banks and mortgage finance companies to:

- Update their Business Continuity Plans, strategies and frameworks to include planning for pandemics.
- Formulate a pandemic response plan for close monitoring of the implementation of the Business Continuity Plan. High level contents of a Pandemic Response Plan are outlined as Annex I to this Guidance Note.
- Conduct a self-risk assessment of the risks posed by a pandemic to the institution itself, the financial sector based on critical services being provided and the significance to the financial system. Consequently, institutions should notify the Central Bank of Kenya within 24 hours of any pandemics in the format set out as Annex II (Immediate) to this Guideline.
- On an annual basis, institutions shall provide Central Bank of Kenya with a report in the format set out as Annex III (Annually) to this Guidance Note, concerning occurrence and handling of pandemic incidences via the email address: fin@centralbank.go.ke.

The Pandemic Response Plan and Self-Risk Assessment should be submitted to CBK by April 6, 2020. In the event of any query or clarification, please contact:

The Director, Bank Supervision Department
Central Bank of Kenya
P. O. Box 60000 - 00200, Nairobi
Tel: 0202860000
Email: fin@centralbank.go.ke

HIGH LEVEL CONTENTS OF A PANDEMIC RESPONSE PLAN

A Pandemic Response Plan should generally contain the following contents:

1. Governance: Mechanisms put in place to establish, implement and review approach to managing pandemics.

2. Strategic planning: Institutions should provide adequate resources in monitoring, planning, responding to, and recovering from a pandemic.

3. Phased Approach and resource allocation: Identification of core activities or basic minimum services. Institutions are required to identify stages of a pandemic and allocate resources depending on the phase of a pandemic.

4. Identification: Institutions should identify critical and non-essential services that may be affected by a pandemic, recognizing that demand for certain services may change.

5. Health and Safety: Protection of the health of an institution's staff and customers is a key concern. In this regard, institutions to constitute a multidepartment emergency response team, for critical functions, should the pandemic accelerate in the future and cause lockdown.

6. Communication and Education: Internal and external effective communication is critical for mitigating panic, strengthening morale, and providing essential information to ensure critical functions continue.

7. Facilities management: Institutions should take early action to ensure facilities are adequately taken care of during the early stages of a pandemic. While planning for facilities management, institutions should consider supply shortages, identification and maintenance of key facilities, formulating quarantine practices and for setting aside specific quarantine zones.

8. Pandemic Incident Management: Pandemic incident response plan should provide a roadmap for the actions the institution will take during and after a pandemic incident.

9. Analytical Tools - Institutions should adopt tools capable of collecting, reporting and analyzing case-based information.

Pandemic Incident Record (Immediate)

[Insert Name of institution] …………………………...…………

[Insert Date and Time of reporting] Date ………… Time …………..

| Nature of the Pandemic | Date and Time of Incident | *Number of cases: Confirmed Cases | *Number of cases: Isolation Cases | *Number of cases: Quarantine Cases | Actions taken for⁷: Confirmed Cases | Actions taken for⁷: Isolation Cases | Actions taken for⁷: Quarantine Cases |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

*relates to staff members of institution and also include isolation or quarantine of customers/visitors to the bank's premises

Submit the Pandemic Incident Report within 24 hours after an incident(s) to the Central Bank of Kenya through fin@centralbank.go.ke.

Prepared by:
Name of duly authorized person ………………………………
Designation……………………………………………………….
Signature

Authorised by:
Name……………………………………………………………... Designation………………………………………………………. Signature
Name……………………………………………………………... Designation………………………………………………………. Signature

7 This includes action in respect to visiting customers to institutions premises and requiring isolation.

Annex III

Pandemic Incident Record (Annually)

[Insert Name of institution] …………………………………..…...

Quarter ……………………….

| Nature of the Pandemic | Date and Time of Incident | *Number of confirmed cases: Confirmed Cases | *Number of confirmed cases: Isolation Cases | *Number of confirmed cases: Quarantine Cases | Actions taken for⁸: Confirmed Cases | Actions taken for⁸: Isolation Cases | Actions taken for⁸: Quarantine Cases |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

*relates to staff members of institution and also include isolation or quarantine of customers/visitors to the bank's premises

Submit this report on the 10th day after the end of every year to the Bank Supervision Department at fin@centralbank.go.ke.

Prepared by:
Name of duly authorized person ………………………………
Designation……………………………………………………….
Signature

Authorised by:
Name……………………………………………………………... Designation………………………………………………………. Signature
Name……………………………………………………………... Designation………………………………………………………. Signature

8 This includes action in respect to visiting customers to institutions premises and requiring isolation.
