
Remote working – regulated.

The FCA has published details on its expectations for firms who plan to institute or continue remote or hybrid working arrangements. In essence, remote working will not equate to regulation at one remove.

The guidance applies to:

  • Firms already regulated by the FCA.
  • Firms applying to be regulated.
  • Firms planning to apply for a change in their regulation.

 

While the expectations list is described as indicative and non-exhaustive, it is quite extensive and detailed. It is split into two sections:

(a) Negative – firms must be able to prove that remote working will not result in XYZ.

(b) Positive – firms must be able to prove that they have satisfactory plans in place to deal with a range of issues that may be affected by remote working.

Negative

Firms should be able to prove that remote or hybrid working will not impair their ability to comply with regulations, both specifically and in general.

Specific

Firms must prove that remote working will not:

  •  Affect the firm’s location in the UK, or its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for – or any equivalent requirements, where these do not apply.
  • Prevent the FCA receiving information about a firm.
  • Reduce the accuracy of the Financial Services (FS) Register for others if, for example, consumers are not able to contact the firm at the principal place of business shown on the FS Register. 
  • Affect the ability of the firm to oversee its functions, including any outsourced functions.

General

Firms must prove that remote working will not:

  • Cause detriment to consumers. 
  • Damage the integrity of the market. 
  • Increase the risk of financial crime. 
  • Reduce competition. 

Positive

Firms must be able to prove that there is satisfactory planning in place, so that suitable governance, risk management, IT functionality, security and corporate culture will continue in the remote working environment.

Governance

Firms must demonstrate that:

  • There is a plan in place, which has been reviewed before making any temporary arrangements permanent, and is reviewed periodically to identify new risks.
  • There is appropriate governance and oversight by Senior Managers under the Senior Managers regime, committees such as the Board, and by Non-Executive Directors where applicable, and this governance is capable of being maintained. 
  • A firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
  • An appropriate culture can be put in place and maintained in a remote working environment.
  • The nature, scale and complexity of its activities, or legislation, does not require the presence of an office location.

IT

Firms must demonstrate that:

  • They have the systems and controls, including the necessary IT functionality, to support the above factors being in place, and that these systems are robust. 
  • They have considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement. 
  • They have appropriate record keeping procedures in place. 
  • They can meet, and continue to meet, any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.

Culture

Firms must demonstrate that:

  • They have considered the effect on staff, including wellbeing, training, diversity and inclusion matters.
  • Where any staff will be working from abroad, the firm has considered the operational and legal risks.

The list above is non-exhaustive. The fundamental principle is that no remote or hybrid working arrangement should put at risk a firm’s ability to comply with all regulations.

The page also provides specific details which must be covered in an application for authorisation. The following list affords useful guidance for already-regulated firms, at least to the extent that they are not currently compliant. New applications are expected to contain details of the following:

  • The arrangements your firm will have for remote working, including presence in any other jurisdictions. 

  • That the firm has considered the legal implications consequent on this type of arrangement. 

  • How key functions will be performed, overseen and based. 

  • The location of senior managers and their plans to oversee the firm’s activities. 

  • Confirmation that your processes and procedures reflect the arrangements. 

  • The period the arrangements are expected to last (if not permanent). 

  • The arrangements your firm will make for consumer access. For example, how will you ensure that consumers without access to electronic communications can communicate with your firm?  

  • How your firm will address complex consumer needs. This could include ensuring you have access to appropriate locations to hold face-to-face meetings. 

  • The arrangements for customer authentication and vulnerability assessments. 

  • Business continuity plan requirements, including when using home networks. 

  • How your firm will manage the risk of information becoming out of date. For example, staff moving addresses. 

  • Where and how any FCA supervisory or enforcement visits would be done and how this is documented in your processes. 

  • Systems and controls, including: 

    • To what extent will the business digitise? 

    • The ability to access records/systems.  

    • If your firm relies on physical documents, what arrangements have been made for their security and access?

    • Where files and paperwork will be located. 

    • Systems being used – are they recognisable and protected appropriately against cybercrime? 

  • How your firm intends to communicate to staff that FCA visits could take place in their homes.

  • Plans for compliance reviews to ensure the dispersed working model is functioning properly. 

Conclusion

While there is dust still to settle, it’s clear that the pandemic has effected a profound and likely permanent change to working arrangements for many regulated firms. As with any rapid change, it is perhaps too early to precisely identify the consequent benefits or problems.

However, in the absence of the right tools, the existential concern of regulatory compliance is best performed, monitored and evidenced from a central location. The rapid rise of remote working is not simply another list of boxes to tick or simply an added complication. It represents a significant change in how regulated firms operate, how they will be regulated and in how they must comply.

Compliance with complex regulations is a challenge for one central office, even more so when the FCA is empowered to inspect the home offices of Senior Managers. If the “compliance by spreadsheet” coffin needed a final nail (it didn’t) this should be it.

If you’re concerned that your existing methods of evidencing compliance aren’t up to the challenges of hybrid and remote working – why not drop us a line? We can help.