Financial services and working from home
22 October 2021
A large majority of us have now got used to some form of hybrid working, and most firms are considering what kinds of working models they will adopt long term, which are likely to include some degree of remote working.
The FCA has now issued guidance setting out its expectations for firms considering hybrid working – making it clear that they should not forget their regulatory obligations. It outlines that there is no one-size-fits-all model and firms will be assessed on a case-by-case basis.
Importantly, firms must be able to prove that the lack of a centralised location or remote working does not:
- affect a firm’s location in the UK, or its ability to meet its regulatory “threshold” requirements
- prevent the FCA from receiving information about a firm
- reduce the accuracy of the FCA’s register (e.g. consumers must still be able to contact a firm at the principal place of business shown on the register)
- affect a firm’s ability to oversee its functions, including outsourced functions
- cause detriment to consumers
- damage the integrity of the market
- increase the risk of financial crime
- reduce competition.
Firms will essentially need to be able to show that there is no risk to consumers, the market or the firm itself, and should consider whether to update their Conduct Rules training to include remote and hybrid working scenarios.
The FCA also wants firms to be able to prove they have undertaken satisfactory planning, including:
- that there is a plan in place which is regularly reviewed before making any temporary arrangements permanent
- that there is appropriate supervision by Senior Managers under the SMCR regime, committees and the Board
- that a firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements
- that an appropriate culture can be put in place and maintained in a remote working environment
- that functions such as Risk, Compliance and Audit can continue to carry out their roles unaffected, e.g. when listening to client calls and reviewing files
- that the nature, scale and complexity of its activities, or legal requirements, do not require the presence of an office location
- that systems and controls, e.g. IT, can support a remote infrastructure
- data, cyber and security risks (particularly staff transporting confidential material and laptops more frequently) have been considered
- it has record keeping procedures in place
- it can continue to meet all regulatory requirements
- the firm has considered the effect on staff, including wellbeing, training and diversity and inclusion matters
- where any staff will be working from abroad, the firm has considered the operational and legal risks.
The FCA makes clear this is not an exhaustive list and, essentially, firms should ensure that any form of remote or hybrid working does not risk the firm’s ability to follow rules and regulatory standards, or lead to a failure to meet them. For example, a dispersal of teams and skills needs to be safeguarded against, and Senior Managers will need to have visibility of staff for whom they are responsible. Similarly, do firms have appropriate IT security in place to deal with cyber threats or to enable a lost laptop to be remotely wiped of sensitive information? Firms will therefore need to consider how they might need to evidence this.
The FCA has also advised firms to notify employees that it has the power to visit any location where work is performed and employees are based, and this includes residential addresses for regulatory purposes (although the power to enter is more limited).
The FCA also notes that if a firm is planning to make material changes to how it operates, it may be necessary to notify the FCA first.
There are also additional requirements for firms applying to be authorised or registered which we have not set out here, but can be viewed in the link below.
Firms will therefore need to consider how best to embed these requirements into policies and procedures and ensure that employees are aware of the FCA’s expectations. If presented with a request to work flexibly or remotely by an employee, firms should think about introducing a “risk assessment” to ensure compliance with the regulator’s expectations can be maintained, for example checking that the employee has a private place to work to ensure confidentiality, that appropriate supervision arrangements can be maintained and that employees remain included in a firm’s culture.
Hybrid working is here to stay. But the obligation is on firms to prove they can make it work.
The full guidance can be found on the FCA website: Remote or hybrid working expectations for firms
If you have any questions on the contents of this article, please contact Olivia Toulson via [email protected] or 01223 643145.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at October 2021.