What has happened?
In October 2021, the FCA set out its expectations concerning working in a remote environment and firms adapting their systems and controls as a result so that they can plan and continue to meet their regulatory responsibilities. These expectations apply to:
-
- existing FCA regulated firms,
- firms applying to be FCA regulated, and
- firms proposing to submit further applications, such as a waiver, variation of permission or change of control.
What do you need to do?
These FCA expectations are expected to evolve as more is understood about how firms intend to operate in a remote environment. Firms considering remote or hybrid working will be evaluated by the FCA on a case-by-case basis and they should consider the following requirements.
Firms should be able to prove that the lack of a centralised location or the use of remote working does not or is unlikely to:
-
- Affect the firm’s location in the UK or its ability to meet and continue to meet the threshold conditions for the FCA regulated activities it has or will have permission for, or any equivalent requirements, where these do not apply,
- Prevent the FCA receiving information about a firm,
- Reduce the accuracy of the Financial Services Register if, for example, consumers are not able to contact the firm at the principal place of business shown on the Register,
- Affect the ability of the firm to oversee its functions, including any outsourced functions,
- Cause detriment to consumers,
- Damage the integrity of the market,
- Increase the risk of financial crime, or
- Reduce competition.
A firm must also prove that;
-
- There is a plan in place, which has been reviewed before making any temporary arrangements permanent and which is reviewed periodically to identify new risks,
- There is appropriate governance and oversight by senior managers under the Senior Managers regime, and by committees such as the Board and by non-executive directors where applicable, and this governance is capable of being maintained,
- It can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements,
- An appropriate culture can be put in place and maintained in a remote working environment,
- Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files,
- The nature, scale and complexity of its activities, or legislation, does not require the presence of an office location,
- It has systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust,
- It has considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement,
- It has appropriate record-keeping procedures in place.
- It can meet and continue to meet any specific FCA regulated requirements, such as call recordings, order and trade surveillance, and consumers being able to access services,
- It has considered the effect on staff, including their well-being and training and diversity and inclusion matters, and
- Where any staff will be working from abroad, the firm has considered the operational and legal risks.
Firms should also consider whether their details on the Financial Services Register need updating. For example, if a firm intends to use a private residential address as its principal place of business, it should consider the effect on any individuals and obtain the necessary approvals. This includes anyone living at the property who is not an employee.
The FCA expects to be able to access firms’ sites, records and employees, and considers it important that firms are prepared and take responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purpose. This includes supervisory and enforcement visits.
Any material changes to how a firm intends to operate may require it to notify the FCA first.
Where a firm is applying to be authorised or registered, while the information required has not changed, the FCA explains that it is important that the application covers the following specific details, if applicable:
-
- The arrangements that the firm will have for remote working, including any presence in any other jurisdictions,
- That the firm has considered the legal implications for its business of this type of arrangement,
- How key functions will be performed and overseen,
- The location of senior managers and their plans to oversee the firm’s activities,
- Confirmation that processes and procedures reflect the arrangements,
- The period the arrangements are expected to last (if not permanent),
- The arrangements that the firm will make for consumer access; for example, how it will be ensured that consumers without access to electronic communications can communicate with the firm,
- How the firm will address complex consumer needs, such as ensuring there is access to appropriate locations to hold face-to-face meetings,
- The arrangements for customer authentication and vulnerability assessments,
- Business continuity plan requirements, including when using home networks,
- How the firm will manage the risk of information becoming out of date, such as where staff move addresses,
- Where and how any FCA supervisory or enforcement visits would be carried out and how this is documented in the firm’s processes,
- Systems and controls, including:
- To what extent will the business digitise?
- The ability to access records/systems.
- If the firm relies on physical documents, what arrangements have been made for their security and access.
- Where files and paperwork will be located.
- Systems being used – are they recognisable and protected appropriately against cybercrime?
- How the firm intends to communicate with staff that FCA visits could potentially take place in their homes, and
- Plans for compliance reviews to ensure the dispersed working model is functioning properly.
We believe that the FCA would also be able to apply these requirements to Appointed Representatives if it so chose.
How can we help you?
If you’d like to know more about how we can help you with your remote or hybrid working arrangements, including Senior Manager responsibilities, or with becoming FCA regulated, our expert team is here to help.
Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.