The coronavirus (Covid-19) pandemic has resulted in many firms adopting remote working for some or all employees. Indeed, some of you reading this article right now might well be in a kitchen or home office, in permanent dress down mode (remember when that only happened on the last Friday of the month?) and perhaps even with a glass of wine within easy reach.
It is likely many firms will continue at least some element of remote working after the UK returns to whatever will pass for normal post-Covid-19. Some firms will anticipate a full return to office-based working at some point, if not already there. Many, it would appear, intend to operate a hybrid model, with (some) employees operating remotely for some of the time. Others are reported to have quit formal business premises entirely. To reflect this new reality, the FCA has published details of its expectations of firms in relation to home/remote working.
The expectations apply to:
- Existing firms
- Firms applying to be regulated
- Firms proposing to submit further applications, for example variation of permission or change of control
Firms considering or operating remote or hybrid working will be evaluated by the FCA on a case-by-case basis. Such firms should be planning around the following non-exhaustive list of points.
Firms should be able to prove that the lack of a centralised location or remote working does not or is unlikely to:
- Affect the firm’s location in the UK, or its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for – or any equivalent requirements, where these do not apply.
The threshold conditions are described in the COND section of the FCA Handbook. Among other aspects, COND addresses the requirements around the location of offices (for which read places where work is done) and around ensuring adequate supervision, which could be more challenging if firms have remote working staff.
- Prevent the FCA receiving information about a firm.
- Reduce the accuracy of the Financial Services Register for others if, for example, consumers are not able to contact the firm at the principal place of business shown on the FS Register.
- Affect the ability of the firm to oversee its functions including any outsourced functions.
- Cause detriment to consumers.
- Damage the integrity of the market.
- Increase the risk of financial crime.
- Reduce competition.
A firm must also prove:
- That there is a satisfactory plan in place, which has been reviewed before making any temporary arrangements permanent and is reviewed periodically to identify new risks.
- There is appropriate governance and oversight by senior managers under the Senior Managers regime, and committees such as the Board, and by non-executive directors where applicable, and this governance is capable of being maintained.
- A firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
- An appropriate culture can be put in place and maintained in a remote working environment.
- Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
- The nature, scale and complexity of its activities, or legislation, does not require the presence of an office location.
- It has the systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust.
- It has considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
- It has appropriate record keeping procedures in place.
- It can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
- The firm has considered the effect on staff, including wellbeing, training and diversity and inclusion matters.
- Where any staff will be working from abroad the firm has considered the operational and legal risks.
Engagement with the FCA
Firms should consider if their details on the FS Register need updating. For example, if a firm intends to use a private residential address as its principal place of business, it should consider the effect on any individuals and obtain necessary approvals, including from any non-employees living at the property.
The financial press reported that the FCA will be visiting firms but this is not explicitly stated in the press release – merely a reminder to firms that the FCA has powers to do so.
“We should be able to access firms’ sites, records and employees. It’s important that firms are prepared and take responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits.”
Notifying the FCA of changes to working arrangements
Firms must notify the FCA in advance of any material changes to how they intend to operate.
SUP 15.3 sets out additional rules and guidance about when the FCA would expect notification.
Firms applying to be authorised or registered
The information the FCA will require from firms hasn’t changed. Applications should include the following specific details (if applicable):
- The arrangements the firm will have for remote working, including presence in any other jurisdictions.
- That the legal implications for the business of this type of arrangement have been considered.
- How key functions will be performed, overseen and based.
- The location of senior managers and how they will oversee the firm’s activities.
- Confirmation that the firm’s processes and procedures reflect the arrangements.
- The period the arrangements are expected to last (if not permanent).
- The arrangements the firm will make for consumer access. For example, how will consumers without access to electronic communications communicate with the firm?
- How the firm will address complex consumer needs where, for example, suitable locations for face-to-face meetings could be required.
- The arrangements for customer authentication and vulnerability assessments.
- Business continuity plan requirements, including when using home networks.
- How the firm will manage the risk of information becoming out of date. For example, staff changing addresses.
- Where and how any FCA supervisory or enforcement visits would be done and how this is documented in the firm’s processes.
- Systems and controls, including:
  - To what extent will the business digitise?
  - The ability to access records/systems.
  - If the firm relies on physical documents, what arrangements have been made for their security and access.
  - Where files and paperwork will be located.
  - Systems being used – are they recognisable and protected appropriately against cybercrime?
- How the firm intends to communicate with staff that FCA visits could take place in their homes.
- Plans for compliance reviews to ensure the dispersed working model is functioning properly.
Other things to consider
The FCA expectations are unsurprisingly focused around regulatory matters under their remit, principally around ensuring continued consumer protection. Consideration also needs to be given to insurance or taxation issues that can apply where an employee is working from home.
There are passing references to related aspects such as the impact of remote working on the employees and in relation to data protection. It is worth expanding on each of these a little.
Firms are obliged to ensure the security and privacy of personal data wherever it happens to be located. A firm’s data protection processes may well be geared towards that data being stored and processed in an office location. Where some data will be stored/processed elsewhere, for example an adviser’s home office, those arrangements need to be reviewed and, if necessary, amended to ensure continued adherence to data protection requirements. This will include consideration of:
- How access to the data will be restricted from any other individual living at the property, including any paper files
- The security of IT arrangements at the property – up to date malware protection etc.
- Whether the remote working employee will have a dedicated separate area (office) to work in that can be secured or will be working in a shared space
Health and safety
Finally, the long-standing health and safety requirements around home working must also be addressed. These include ensuring that employees have an appropriate place to work and appropriate equipment to work on and, not least, that any wellbeing concerns are addressed.
We will not go into the health and safety aspects in detail here as there are numerous sources of information available online. Here are some useful links.