Compliance considerations in an era of hybrid working
Following the publishing of the FCA's expectations on remote working, we consider the implications for regulated firms.
Through the most disruptive phases of the Covid-19 pandemic, many firms (and their employees) had their eyes opened to the benefits of remote or hybrid working. But for managers, IT departments, HR and compliance functions, new ways of working also create a wide range of challenges – some of them obvious, some of them less so.
The FCA recently published a document detailing its expectations of what firms should be doing to continue meeting their regulatory responsibilities with staff working either part-time or full-time away from the office. In a sense, what this requires firms to do is go back over their compliance policies, procedures, systems and controls and ask ‘How is this affected if someone is working from a different location?’
Some of the answers are easier to work out than others. Unfamiliar situations are sure to arise. How, for example, would a supervisory or enforcement visit work out when affected staff are home-based? Or what should you do about keeping track of where – even in which country or jurisdiction – remote employees are working at any time, with all the regulatory, legal and data security implications that could have?
The FCA needs to know that remote working will not compromise a firm’s ability to oversee its functions – including any outsourced functions, which could, let’s not forget, potentially now be being handled by remote-working employees of the outsourced firm – putting them a step further still from the regulated firm’s direct control.
Any FCA-regulated firm needs to ensure that new ways of working do not adversely affect its ability to meet any of the threshold conditions for the regulated activities it has permission to carry on. Remote or hybrid working should not prevent the regulator receiving information about the firm, nor impact the accuracy of the Financial Services Register – as it potentially could if, for example, consumers were not able to contact the firm at its registered principal place of business.
Before making permanent any temporary arrangements that have evolved during the pandemic, the FCA expects firms to have a properly considered plan in place that takes full account of the implications of offsite working. The FCA will also expect to have been notified in advance of any material changes proposed to how a firm operates, as set out in Principle 11 of the FCA’s Principles for Businesses.
This would include governance and oversight issues, as defined by the Senior Managers regime. There is also the question of culture – something so central to the FCA’s supervisory approach. Firms need to be able to show how they intend to prevent any dilution of their ability to establish and maintain an appropriate culture in the context of remote or hybrid working.
In the intersection between compliance and IT, there are clearly questions to be answered, and measures to be implemented, in terms of managing the data, cyber, and security risks potentially created with staff increasingly working outside any centrally maintained IT infrastructure.
The full text of the FCA’s statement of expectations is well worth reviewing and absorbing carefully. It raises many more issues than we’ve had space to touch on here. Even then, it makes no claim to being exhaustive. Little is said, for example, about the potential implications for employee privacy raised by the need for companies to manage and monitor how their staff are working from home.
There’s no doubt, however, that hybrid and remote working is likely to play a significant role in the workplace of the future. With most firms still at an early stage in the process of coming to grips with its challenges, it can all seem like a bit of a minefield. But it needn’t! If you’d like some help getting to grips with any of the issues raised here, please do get in touch: our expert consultants are here to help.