The movement to remote work during the early days of the COVID-19 pandemic was swift and sweeping. For regulated financial services firms, the migration to remote work required careful consideration of the compliance risks related to the use of new technologies for everything from collaboration and communication to transaction execution and customer support. While regulators broadly tolerated compliance growing pains during the abrupt and unanticipated transition process, all indications are that this grace period is now over.
Given the ongoing uncertainty about the Delta variant and the extent to which a full return to office is feasible in the coming months, regulators are issuing guidance requiring compliance controls for remote work to be equivalent those in the office. Since work from anywhere looks to be a permanent arrangement for some percentage of financial services staff, it should come as no surprise that regulators’ earlier flexibility has waned.
The FCA issued guidance in October titled “Remote or Hybrid Working Expectations for Firms,” (the “FCA Guidance”) outlining its expectations for compliance with its regulatory framework and effectively signaling the end of any reprieve for dispersed workforces. Below are a set of compliance best practices based on the FCA Guidance, which provide a roadmap for firms as they incorporate remote work protocols into their existing risk programs.
As an initial matter, the FCA’s Guidance outlines broad expectations for firms operating remotely, reminding them that these work arrangements cannot cause detriment to customers, damage the integrity of the market, increase the risk of financial crime, or reduce competition. The ramifications of these statements are quite impactful as they effectively encompass most regulated financial services activity and eliminate previous leniency or ambiguity regarding a mandate to essentially treat remote work and compliance controls the same for both in-office and outside-of-the-office staff.
In addition to the operational requirements described above, the FCA outlines several areas where firms must implement satisfactory planning for the nuances of remote work. These mandates include more granular directives that align to existing rules such as MiFID II, MAR, and the SMCR. A selection of the critical points mentioned in the FCA Guidance include instructions to firms to ensure:
There is appropriate governance and oversight by senior managers under the Senior Managers regime, and committees such as the Board, and by non-executive directors where applicable, and this governance is capable of being maintained.
An appropriate culture can be put in place and maintained in a remote working environment.
Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
It’s considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
It has appropriate record keeping procedures in place.
It can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
As is clear from this assemblage of instructions, the FCA is quite specific regarding the equivalent controls it expects to be deployed in remote work environments. What follows are a set of compliance best practices for communications, cybersecurity, risk assessment, and culture that firms should consider as they incorporate the FCA Guidance.
Capture, retention, and supervision of collaboration, chat, and voice data
The collaboration and dynamic chat platforms like Zoom, Microsoft Teams, Cisco Webex, and Slack that connect firms internally and with clients and counterparties present new and novel considerations for compliance teams. The use of visual features such as screen sharing, webcams, and whiteboards as well as the ability to conduct polls, chat, and send files have introduced new modes of communicating that fall under the FCA’s SYSC 10A.1.6, MiFID II, and MAR.
Moreover, since retention and supervision of telephone conversations have long been mandated under FCA rules, the use of telephones and virtual calling applications like Zoom Phone, Ring Central, Microsoft Teams, Cloud 9, and Verint must be recorded and monitored. Voice recordings are explicitly called out several times in the FCA Guidance and parity of remote controls in this domain are essential.
Theta Lake’s 2021 Modern Communications Survey Report found that 91% of financial services firms are using two to six different collaboration tools for business communications and 83% of firms are disabling features like whiteboards and screen sharing due to compliance concerns. Firms must tackle both of these challenges head on by enabling the critical screen share, whiteboard, file sharing, and dynamic chat features of collaboration platforms to increase productivity while also deploying sophisticated, AI-enabled compliance tools purpose built to capture, retain, and supervise video, voice, chat, and file transfer content.
Firms should also ensure that communications data captured from collaboration, chat, and voice platforms is securely stored and accessible to other control functions such as internal audit and risk.
Update risk assessments to determine compliance gaps with a focus on financial risk and customer interaction
A core requirement for any compliance program is conducting and refreshing risk assessments to identify problematic activities and develop compensating controls. In light of the FCA Guidance, firms should update existing risk assessments to incorporate the unique risks of remote work.
Updates may include assessing the use of new systems for trading or customer support, and the modification of such systems to support hybrid workers. Assessments should consider system access and update protocols to ensure that critical technology platforms are secured and available to remote employees. Processes for collecting customer account opening documentation and know your customer activities should be assessed to ensure they operate effectively given the FCA’s focus on the prevention of financial crime. Furthermore, a survey of incident reporting and response protocols may need revamping to incorporate new contact details, telephone numbers, or email addresses to enable issue reporting from outside the office.
Consider relevant IT systems and related cybersecurity protocols
Whether due to the incorporation of new collaboration tools, trading, or customer engagement technologies that support remote work, cybersecurity must be top of mind for FCA-regulated firms. As the frequency and severity of ransomware attacks and unauthorized access to data rises, firms must take meaningful steps to protect the security, confidentiality, and availability of firm and customer data. Cisco’s Global Hybrid Work Index determined that malicious remote access attempts grew 2.4 times during the pandemic.
As part of combating hackers and ransomware, firms must consider increasing or augmenting the frequency of vulnerability scans and penetration tests for critical systems supporting work from anywhere. Adding cycles for vulnerability scans and tightening timeframes for the remediation of critical or high security issues will strengthen cybersecurity controls and demonstrate to the FCA that your firm is proactively considering the new risks of remote work. Additionally, firms should ensure that they routinely test system backup and recovery protocols as well as other busines continuity processes to limit downtime of core systems and allow for seamless restoration in the event of a data loss or leakage event.
Reinforce compliance culture and staff wellbeing through manager engagement, training, hybrid activity, and flexibility
Firm compliance culture can be difficult to maintain even when employees are in the office, so firms should carefully consider methods to stay connected with remote employees and consider their wellbeing. Cisco’s Index found that “[a]n overwhelming majority of respondents agree that personal health and wellness, along with flexible work arrangements, are non-negotiables as we move into the future of hybrid work.” Firms must consider how to encourage dialogue and participation during hybrid meetings and activities.
Increasing informal manager one-on-one check ins as well as opportunities for casual brainstorming and feedback should be embraced. Moreover, firms may need to provide additional manager and employee training on issues related to managing hybrid employees and the relevant compliance, cybersecurity, and HR pitfalls while working away from the office.
Cumulatively, the compliance best practices above will put your firm on the path to meeting FCA expectations as remote becomes a permanent workforce strategy in financial services. Building compliance frameworks to account for the complexities of hybrid work will serve to futureproof controls, at least until the next tectonic industry shift.