Remote and hybrid working: the FCA’s Expectations
Reflecting the fact that many firms are likely to adopt or continue to operate remote/hybrid working methods as a result of the COVID-19 pandemic, the Financial Conduct Authority (FCA) has, in a note published on Monday 11 October 2021, set out its expectations of firms in relation to such working arrangements which are intended to enable firms to plan and continue to meet their regulatory responsibilities. These expectations, which the FCA indicates will evolve as more is understood about how firms intend to operate, apply to existing firms, firms applying to be regulated, and firms proposing to submit further applications with regard to issues such as change of control. Existing firms considering remote or hybrid working will be evaluated on a case-by-case basis and should consider the various issues outlined by the FCA.
Operational considerations
A firm should be able to show that the lack of a centralised location or remote working does not lead to various adverse consequences. These include affecting the firm’s ability to continue to meet the threshold conditions for its regulated activities, preventing the FCA from receiving information about the firm, affecting the ability of the firm to oversee its functions, and increasing the risk of financial crime.
Planning
In ensuring that remote or hybrid working does not risk or compromise a firm’s ability to comply with all applicable rules, regulatory standards and obligations, the FCA expects firms to be able to prove that they have conducted satisfactory planning in relation to a variety of specific issues – which are not considered by the FCA to be exhaustive. The specific issues identified for firms to address include:
- having a plan in place before temporary arrangements are made permanent and which is reviewed regularly;
- appropriate governance and oversight – by senior managers under the SMCR and committees such as the Board and non-executive directors where applicable – being in place and capable of being maintained;
- an appropriate culture being put in place and maintained;
robust systems and controls being in place including IT functionality; - data, cyber and security risks being considered and appropriate record keeping procedures put in place;
- the firm being able to cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements;
- control functions such as risk, compliance and internal audit being able to carry out their functions unaffected such as when listening to client calls or reviewing files;
- the nature, scale, and complexity of the firm’s activities does not require an office location;
- meeting and continuing to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumer access to services;
- examining the effect that remote/hybrid working may have on staff, including wellbeing, training and diversity and inclusion matters; and
- considering the operational and legal risks of staff working from abroad.
Engagement with the FCA
Any material change to how the firm intends to operate may need to be notified to the FCA first, consistent with Principle 11 of the FCA’s Principles of Business which requires firms to disclose anything of which the FCA would reasonably expect notice.
Firms are also expected to contact the FCA if any details on the Financial Services Register need to be updated – for example, where the firm plans to use a private residential address as its principal place of business.
The FCA should be able to access firms’ sites, records and employees and its guidance emphasises the importance of firms being prepared and taking responsibility to ensure that employees understand the FCA’s powers to visit any location where work is performed for regulatory purposes – including residential addresses.
Applying to be authorised or registered
Firms applying to be registered or authorised will need, amongst other things, to address:
- their arrangements for remote working;
- their consideration of the legal implications of such arrangements;
how key functions will be performed and overseen, and where they will be based; - the location of senior managers and their plans for oversight of the business;
- the duration of the arrangements in question (if they are not to be permanent);
business continuity plans; - the risk of information, such as home addresses, becoming out of date;
- systems and controls with regard to issues such as records and the location, security and access of physical documents;
plans for communication with staff with regard to FCA visits to their homes; and - plans for compliance reviews.
Conclusions
Many of the issues addressed by the FCA in its expectations will have been addressed by firms in any event during the COVID-19 pandemic as they have considered the confidentiality, data privacy, and employment law issues arising in relation to remote and hybrid working along with their ongoing regulatory responsibilities. Nonetheless, the FCA’s expectations reinforce the need for firms to engage in detail with the legal, operational, and practical aspects of remote and hybrid working and to be ready and able to demonstrate their ongoing compliance with their obligations not just in terms of their documentary records of the steps taken to consider and address the issues presented by remote and hybrid working, but also in their practical implementation.