Whether your firm is already registered or applying to be registered, the FCA has some very specific, and not so specific, expectations as regards remote and hybrid work. We lay those expectations out for you and tell you how StarCompliance can help you meet them.
It’s that time of year again. No, not the holidays. (Though it is that time, as well.) It’s time to think about your regulatory expectations as a UK financial firm in light of another fall and winter operating with many if not all of your employees working either entirely remotely or a mix of offsite and on due to the ongoing pandemic. To this end, the FCA recently published details of its expectations for firms using remote or hybrid working models.
Here’s the high-level view from the FCA:
Due to the coronavirus (COVID-19) pandemic, firms are already familiar with working in a remote environment and adapting their systems and controls. It is likely many firms will continue these new ways of working. We set out our expectations so firms can plan and continue to meet their regulatory responsibilities. These expectations will evolve as more is understood about how firms intend to operate.
And here’s a look at what the FCA expects from regulated firms at a more day-to-day, operational level:
TO WHOM THESE EXPECTATIONS APPLY
- Already registered firms
- Firms applying to be regulated
- Firms submitting further applications, such as a waiver, variation of permission, change of control, etc.
- International firms, which should continue to have an established or physical presence in the UK
CONSIDERATIONS FOR ALREADY REGISTERED FIRMS
Firms should be able to prove that the lack of a centralized location or remote work does not, or is unlikely to:
- Affect the firm’s location in the UK, or prevent the FCA receiving information about a firm.
- Reduce the accuracy of the Financial Services (FS) Register for others.
- Affect the ability of the firm to oversee its functions or cause detriment to consumers.
- Damage the integrity of the market, increase the risk of financial crime, or reduce competition.
A firm must also prove there is satisfactory planning, to wit, that:
- There is a plan in place, which has been reviewed before making any temporary arrangements permanent and is reviewed periodically to identify new risks.
- There is appropriate governance and oversight by senior managers under the SMCR, and that this governance is capable of being maintained.
- A firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
- An appropriate culture can be put in place and maintained in a remote-work environment.
- Control functions such as risk, compliance, and internal audit can carry out their functions unaffected.
- The nature, scale, and complexity of firm activities do not require the presence of an office location.
- It has the systems and controls, including the necessary IT functionality, to support the above factors being in place.
- It has considered any data, cyber, and security risks, particularly as staff may transport confidential material and laptops more frequently.
- It has appropriate recordkeeping procedures in place, and can continue to meet specific regulatory requirements such as call recordings, order and trade surveillance, etc.
- The firm has considered the effect on staff, including wellbeing, training, and diversity and inclusion matters.
- Where staff will be working from abroad, the firm has considered the operational and legal risks.
Engagement with the FCA
- Firms should consider if their details on the FS Register need updating: for example, if the firm intends to use a private residential address as its principal place of business.
- The FCA should be able to access firms’ sites, records, and employees.
- Firms must ensure employees understand the FCA can visit any location where work is performed, including residential addresses, for any regulatory purposes.
- Firms must notify the FCA of any changes to working arrangements. SUP 15.3 sets out additional rules and guidance about when the FCA would expect notice of matters relating to a firm.
CONSIDERATIONS FOR FIRMS APPLYING TO BE REGISTERED
For all regulated activities for which firms have, or will have, permission, they must continue to meet the threshold conditions. All applications should cover the following specific details:
- Arrangements the firm will have for remote working, including presence in other jurisdictions.
- That firms have considered the legal implications for the business of this type of arrangement.
- How key functions will be performed, overseen, and based.
- The location of senior managers and plans to oversee the firm’s activities.
- Confirmation that firm processes and procedures reflect the arrangements.
- The period the arrangements are expected to last, if they are not permanent.
- Arrangements the firm will make for consumer access and complex consumer needs.
- Arrangements for customer authentication and vulnerability assessments.
- Business continuity plan requirements, including when using home networks.
- How the firm will manage the risk of information becoming out-of-date.
- Where and how any FCA supervisory visits would be done and how this is documented.
- Systems and controls, including: to what extent the business will digitize; the ability to access records/systems; where hard files and paperwork will be located; and if the systems in use are recognizable and protected against cybercrime.
- How the firm intends to communicate with staff that FCA visits could take place in their homes.
- Plans for compliance reviews to ensure the dispersed working model is functioning properly.
HOW STAR CAN HELP YOU MEET THESE EXPECTATIONS
Like any regulatory body trying to keep its options open and place ultimate responsibility on those being regulated, the FCA ends its official guidance on remote/hybrid work expectations on this unsettling note: “The above is an indicative and non-exhaustive list, as the information we need will depend on your business model and how your firm intends to operate.” So what’s your best defense against a long list of regulatory expectations well, and maybe not-so-well, defined?
Compliance-process automation software, like the STAR Platform, can be a big part of a firm’s best defense. Automation in any space means being able to set a process in motion and comfortably forget about it—knowing that the job is being done properly and that you’ll be duly alerted when it’s finished or anything is found to be amiss. Regulation technology, or regtech, does just this in the compliance space. Compliance officers configure the software for the needs of their particular organization—allowing them to do things like set trading pre-clearance parameters, create insider lists, track political donations or gifts and entertainment spending—and know that critical firm processes are in a safe, reliable pair of hands. Algorithm-driven hands that are far better at staying focused on repetitive tasks than human ones: creating compliance workflows that are not only more efficient but also less prone to error. All of this means that firms that use regtech are bound to run more smoothly, more safely, and more comprehensively in compliance with any set of regulatory expectations they face.