So you want to work from home?
The FCA has now issued guidance setting out its expectations for firms considering different working models. Paul Fontes, Partner, and Sophie White, Partner, at Eversheds Sutherland comment.
In striving for the ‘Best of Both’ for their employees and workers in a competitive labour market, it is important that firms do not overlook the regulatory angle.
The FCA makes clear that firms considering remote or hybrid working will be evaluated on a case-by-case basis – in other words, there is no one-size-fits-all model. Crucially, firms will need to make sure that the lack of a centralised location or remote working does not, or at least is unlikely to, among other things:
- prevent the FCA from receiving information about a firm
- reduce the accuracy of the Financial Services Register
- affect the firm’s ability to oversee a number of its outsourced functions
- cause detriment to consumers
- increase the risk of financial crime
- reduce competition
With this list of expectations, the FCA is aiming to ensure that risk and control are adequately addressed by firms. Now that this is no longer a ‘crisis management’ scenario, firms will be expected to ensure that any remote or hybrid working models are set up along the lines of ‘business as usual’.
Firms need to ensure that their conduct control infrastructure is sufficiently robust and flexible to satisfy the FCA that there is no risk to consumers, the market and the firm itself.
With this in mind, firms may wish to think about refreshing Conduct rules training to take these considerations (and those set out below) into account – for example, it may be helpful to update Conduct rules training to include specific examples of remote-based working scenarios.
The FCA also requires firms to demonstrate that there has been satisfactory planning around remote or hybrid working models. Relevant considerations will include ensuring that:
- a plan is in place that is regularly reviewed to identify risks
- there is appropriate governance and oversight by senior managers, committees and non-executive directors
- policies and procedures can be cascaded to reduce the risk of financial crime
- an appropriate culture can be implemented
- robust systems and controls, including IT functionality, support the above factors
- data, cyber and security risks have been taken into account and minimised
- specific regulatory requirements can still be met such as call recording
- the effect on staff has been considered, including wellbeing, training and diversity and inclusion issues
- where any staff will be working from abroad the firm has considered the operational and legal risks
It is clear from the list that the FCA is keen to ensure that those who work remotely are effectively supervised and managed, that the risk of misconduct is neutralised, that conduct and cultural standards are maintained and that security and confidentiality are not compromised.
A mass dispersal of the workforce may entail a separation of teams and skills and the FCA is keen to ensure that firms have thought this through carefully and put appropriate safeguards and procedures in place.
Significant reliance on remote connectivity raises issues of security and risk and pressure on support networks. What are firms doing to identify, assess and manage such risks? Further, do senior managers have visibility of the risks and the conduct of staff working remotely for whom they are responsible? How can firms evidence to the FCA the monitoring of these factors by senior managers?
More challenging may be the management of culture in a remote working environment.
Where the workforce is dispersed, the firm needs to ensure that its messaging is loud and clear. The FCA has repeated its insistence on cultural values being key and it will expect to see that firms have reinforced cultural connections with remote teams and that remote workers understand their obligations in this regard.
The FCA also advises firms to notify employees that the FCA has powers to visit any location where work is performed and employees are based, including residential addresses, for any regulatory purposes. However, it should be noted that the powers of the FCA to enter residential premises are only applicable in certain exceptional circumstances.
The FCA notes that if a firm is proposing to make substantial changes to its existing working model, then it may be necessary to notify the FCA under Principle 11.
There are additional requirements for firms applying to be authorised or registered.
Firms will need to consider how best to ensure that employees are aware of the FCA’s expectations about their remote-working arrangements; for example, by embedding these in remote working policies if not already included.
Firms will also need to ensure that, when considering requests for flexible working arrangements or implementing hybrid working models, compliance with the regulators’ expectations can be maintained. For example, does the employee have a secure private space in which to work at home to ensure confidentiality of communications and security of data? Issues may arise where two members of the same family share a home office.
The FCA’s statement of expectations is helpful and will need to be considered alongside the many other considerations that firms will have to take into account when facilitating remote working. How can firms ensure that staff are empowered to speak up when they are not in the workplace? How can individuals voice their concerns about any bullying or harassment? Indeed, are some employees disadvantaged by such working models? Do certain employees find Zoom or Teams calls a difficult forum in which to have their voice heard? How does remote or hybrid working affect an individual’s prospects of promotion or advancement and how does this sit with the firm’s diversity and inclusion aims?
Most firms now accept that remote or hybrid working is here to stay. It is now up to them to demonstrate to the FCA that they can make it work for their business, their customers and their employees.