As firms navigate out of the Covid-19 pandemic, one key operational consideration will be the approach to remote or hybrid working arrangements and whether those arrangements are made permanent. The move to hybrid and home working is a positive cultural step but one that needs to be managed carefully to mitigate associated risks. The FCA has issued new guidance setting out its expectations in respect of remote or hybrid working, in order to assist firms in their planning and in continuing to meet their regulatory responsibilities.

In this article we explore how the evolution from temporary to permanent home working arrangements is multi-faceted, requiring firms to reflect on and revisit their policies and procedures, reconsider operational resilience programmes, systems and controls and manage potential conflicts.

FCA expectations

The suitability of firms’ remote or hybrid working arrangements will be assessed by the FCA on a case-by-case basis.  As part of that assessment, firms will need to be able to prove that working arrangements do not, or are unlikely to, impact on their ability to meet regulatory obligations, or indeed the FCA’s ability to regulate the firm.

In summary, this means that a firm’s arrangements must not (amongst others) (i) prevent the FCA from receiving information about the firm; (ii) affect a firm’s ability to oversee its functions including any outsourced functions; (iii) cause detriment to consumers; (iv) damage market integrity; (v) increase the risk of financial crime; or (vi) reduce competition.

Firms are required to prove that they have undertaken satisfactory planning before making any temporary arrangements permanent, and that such plans are capable of being periodically reviewed to identify emerging risks. Relevant considerations in this regard include (amongst others):

  • Governance: appropriate oversight by senior managers and committees, both of which must be maintained.
  • Robust systems and controls: to include the required IT functionality, but also to mitigate financial crime, data, cyber and security risks (including where staff are working overseas).
  • Business continuity: the need to ensure control functions can operate unaffected, that the firm can continue to meet any specific regulatory requirements (for example, in relation to call recordings, surveillance and consumers’ access to services) and that there is appropriate record keeping in place.
  • Culture: establishing and embedding an appropriate culture for remote working, taking into account wellbeing, training, diversity and inclusion matters.

The guidance is clear that these expectations will evolve as more is understood about how firms intend to operate. The FCA has also reminded firms that they should notify the regulator of any material changes to their working arrangements.

Wider considerations for firms and employees

Access to devices and information

Firms will need to make sure they have the right to access residential property to recover firm property.  However, to the extent that employees are able to use their own devices to access work systems, this exposes firms to challenges in terms of the ability to cease those devices, and extract information (particularly if saved locally) which may be needed in order to comply with regulatory obligations.

Indeed the potential use of encrypted communication applications (such as WhatsApp) for sharing sensitive information connected with work can impact a firm’s ability to effectively monitor communications (for which the FCA released a separate publication earlier in the year - https://www.fca.org.uk/publications/newsletters/market-watch-66).

Further, own device use may impact a firm’s ability to control and monitor staff use of social media or browsing sites.   

Firms should therefore ensure that policies and procedures regarding the use of privately owned devices and social media are revisited and updated where necessary to mitigate such risks, and to ensure they provide sufficient scope for effective monitoring and recording.  

Home visits

The FCA has indicated that it has the power to visit “any location where work is performed, business is carried out and employees are based (including residential addresses)” for any regulatory purposes including supervisory and enforcement visits (which may be unannounced). It has placed the responsibility on firms to ensure that employees understand that such visits may take place if they work remotely. The implications associated with this responsibility are wide reaching, and will require firms to consider current working from home policies and contracts of employment with a view to determining approach to the following issues:

  • Whether the firm should include a right itself to undertake spot checks on residential premises as part of its wider systems and controls framework. The potential for home visits opens the possibility of the FCA identifying wider issues of which the firm may not have already been aware.This may, in turn, be regarded as a systems and control failing on the part of the firm. Implementing the right to undertake spot checks may mitigate this risk.
  • The extent to which the firm can require employees to allow the FCA to enter their premises, needs to be balanced with an employee’s right to respect for private and family life, and whether this is negated by employee’s choice to work remotely.
  • The extent to which an individual or the firm can request that a representative from the firm be in attendance during the visit (i.e. regulatory liaison).
  • The firm’s involvement where necessary in preparations for the visit. This may include for example, ensuring that relatives or friends are not in the premises at the time of the visit to ensure confidential information about the visit is not leaked.

     

If an employee’s refusal to permit entry would be classed as a failure to cooperate and a disciplinary matter. The FCA’s guidance is silent as to whether refusal would be regarded by it as a failure to cooperate on the part of the individual, the firm or both. However, the fact that the guidance places responsibility on firms to ensure that employees understand these visits could occur signals that the FCA expects firms to take steps to ensure employees do comply.   

Operational resilience

A firm’s approach to hybrid/ remote working will need to be factored into its wider operational resilience programme.  It will be necessary to conduct a mapping exercise to identify employees who are essential to deliver important business services, including those who may be involved in scenario testing, and consider whether remote working is feasible for those individuals in terms of risk and business continuity.    

If it is necessary for a firm to adopt different working arrangements for different categories of employees, this may create a tension which the firm will need to manage.

Misconduct

As alluded to by the FCA guidance, there is a risk that remote working may actually facilitate misconduct by employees.

Staff being ‘out of sight, out of mind’ on a more permanent basis may present challenges around effectively monitoring actions and performance.  Any disconnect between managers and employees could have an impact on behaviours. Indeed, rogue employees may see remote arrangements as an opportunity to commit misconduct while going undetected.

These matters will need to be carefully considered, with appropriate mitigation strategies put in place. This may include introducing new processes and controls and updating existing policies.

Culture

The pandemic has demonstrated that there can be potential cultural benefits to remote working including wellbeing, productivity and connection.  However, in the long term there is more chance it may result in isolation and a lack of oversight.

The FCA has previously expressed the view that firms need to strike a balance moving forward which works for both employees and the firm (A regulatory perspective: measuring and assessing culture, now and in the future, the role of purpose and the importance of D&I | FCA). This will be a challenging issue for firms to navigate given differing and evolving views and needs.  The FCA views this balancing act as key to ensuring the psychological safety of employees, which in turn contributes to a healthy and sustainable culture.      

Firms should therefore ensure that they have in place a range of tools (i) for staff to raise views and make contributions; and (b) to measure and monitor culture, which should be supported by appropriate governance and oversight.

It is clear that the FCA will be monitoring how firms intend to operate in the long term over the upcoming months and any associated risks.  Firms should therefore ensure that any planning decisions made are balanced and justifiable, taking into account the competing interests of the regulators, the firm and its employees, with appropriate risk management systems and controls employed.

If you want to discuss any of the issues raised in this article please contact Chantal Peters on the details below.   

Authors: Chantal Peters and Ibrahim Patel

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

24 November 2021

GET IN TOUCH

RELATED INSIGHTS AND EVENTS

View all