Hybrid and remote working in the Covid era

Eighteen months ago, no one would have anticipated that we would still be here, with the majority of workers in Scotland still working from home or under a hybrid working model. But in the spirit of a new year and coming back to the (virtual) office after a hopefully relaxing break, what should financial services businesses be doing to continue to meet their regulatory obligations?

In this article, we’ll take you through some of the key considerations and plans you’ll need to have in place to tackle this in the hybrid working world.

FCA's Guidance on Remote or Hybrid Working

In October 2021, the FCA published guidance setting out its expectations for firms implementing a remote or hybrid working model.  The guidance can be found here.  Under the FCA’s guidance, firms should be mindful of a broad range of matters falling under the following three areas: operations, engagement with the FCA and notification requirements. 

The focus of this article is on the regulatory, employment and data protection considerations for firms with existing authorisation, but this will still be relevant to firms which are not yet authorised and who are also grappling with the hybrid working conundrum.   

Operations

The first and largest category the FCA has highlighted in its guidance is operations: firms are required to prove that hybrid or remote working does not affect their ability to fulfil their regulatory obligations and provide the same service to customers as if they were in the office.

Operational resilience was identified as a key priority across all markets in the FCA’s Business Plan 2021/2022 and will remain high on the agenda as a result of Covid, throughout 2022 and beyond.

Regulatory

Firms must ensure that their location in the UK and ability to meet the threshold conditions (which can be found in the COND Sourcebook) for their regulated activities is not affected as a result of hybrid working. They must also ensure that any working arrangements do not prevent the FCA receiving information about their firm and its activities. Further, the FCA reminds firms that notwithstanding that we are working in unprecedented times, firms must still comply with their Principle 11 obligation to deal with the regulators in an open and cooperative way.

It is also important that hybrid working does not reduce the accuracy of the Financial Services Register for others. The FCA would be particularly concerned if customers were unable to get accurate information about regulated firms, and the effect any inaccuracies would have on the FCA’s ability to enforce the regulations.

Firms must also prove that there is a plan in place to safeguard against potential harms to consumers as a result of operating their business on a hybrid basis. It is not enough just to have a plan; it must also be implemented in practice and reviewed periodically to identify new and emerging risks.

Control functions such as risk, compliance and internal audit must be able to carry out their functions unaffected, such as when listening to client calls or reviewing files. There are also data protection implications of this, as further detailed below. The FCA is also looking to ensure that hybrid working does not lead to an increase in financial crime (which was called out as a key focus in the FCA’s wholesale markets priorities in the 2021/2022 Business Plan) so this must also be addressed.

Ultimately, firms need to be able to show that they can operate in a hybrid way, without causing detriment to consumers, and ensuring that they retain the same level of oversight in respect of their employees and any outsourced functions of the firm as they had prior to Covid-19.

Data

Though firms are not excused from their customary data protection and cybersecurity obligations, the ICO has indicated its recognition of the unprecedented challenges that the pandemic poses. This is particularly pressing given the speed at which firms are rolling out, and continuing to develop, their hybrid working models.

The ICO will still expect employers to take appropriate action to protect information they are responsible for when employees are working from home. To remain compliant with data protection legislation, we recommend that firms:

  • Have the systems and controls, including the necessary IT functionality, to support the transition to a hybrid working model, and ensure that these systems are robust.
  • Ensure that any IT solutions used to integrate a firm’s hybrid working model, whether its employees are accessing sensitive data using their own private devices or through different cloud service providers for example, are properly assessed for security risks.
  • Consider any data and/or cyber security risks, particularly given that staff may transport confidential material and laptops more frequently in a hybrid arrangement.
  • Have suitable record keeping procedures in place.

Generally, following the ICO’s guidance for employers should reduce the likelihood of a data protection breach occurring as a result of employees working from home and help firms address any security vulnerabilities. The risk of any potential enforcement action being taken by the ICO remains, but the probability is reduced if firms can show that they have taken reasonable steps to make employees aware of such rules.

Employment

The FCA looks at a number of aspects in its guidance, including the employment angle. The FCA guidance provides that a firm must also prove that there is satisfactory planning to ensure the following:

  • Oversight: Firms will need to carefully consider how to ensure effective supervision in a remote working environment as well as determining whether any current procedures and practices need to be amended in order to achieve that. In addition, senior managers will need to consider if there are any operational risks created by staff working in a different location and how those risks can be addressed remotely. As we have noted above, data security may be a key area for businesses to consider given the sensitivity of some data processed by financial services firms.
  • Culture: The FCA requires firms to maintain an appropriate working culture, even where working remotely. This may involve communicating with staff more regularly or in a different manner than normal. Regular opportunities for engagement with and feedback from staff can help to ensure that an appropriate culture is being maintained and that any concerns can be addressed. In addition, staff should continue to have access to all policies, procedures and resources that govern their work and employment notwithstanding that they are working remotely, and be kept informed of (and if necessary trained on) any updates to these.
  • Employee wellbeing: The negative impact of working from home on mental health and career progression for some groups of employees has been widely reported during the pandemic. The focus on employee wellbeing is a reminder from the FCA of the potential for impact in these areas. Wellbeing, and diversity and inclusion implications should be carefully considered, including any actions to address these, with policies and procedures being updated accordingly. Training is often overlooked when working remotely and it is important that firms continue to identify and ensure that training needs are met. Any failure to fully consider the effect of remote working on staff can lead to both a personnel and a business service risk.
  • Working abroad: The FCA is keen to point out that whilst hybrid and remote working may offer greater flexibility to individual employees, there could be potential pitfalls for businesses, including tax implications as well as continuity issues if staff are not readily able to attend the office from time to time. In addition, staff may acquire employment rights in the other jurisdiction. There is also the SMCR aspect to consider, so if working from abroad results in a change to a senior manager’s duties, this needs to be reflected in their statement of responsibilities and/or the firm’s management responsibilities map.

A robust plan will help show that the firm and its senior managers have taken reasonable steps in the event of any future investigation into the firm, and a senior manager should be given responsibility for overseeing implementation of the plan. It is also vital that any changes to the firm’s business arrangements are clearly communicated to all staff and it is made clear that any such arrangements are subject to the ever-changing environment.

Engagement with the FCA

Regulatory

Firms should consider if their details on the Financial Services Register need updating. For example, if your firm intends to use a private residential address as its principal place of business, it should consider the effect on any individuals and get the necessary approvals. Firms may also have to consider whether any individuals living at the property, but who are not employees, would need approvals.

It appears that the FCA is taking a location neutral approach to regulation – firms must be able to operate in the same way as they have done in the past, albeit in a remote or hybrid way.

Employment

As the regulator of financial services businesses in the UK, the FCA has the power to visit any location where work is performed, business is carried out and employees are based. This includes any residential addresses. Firms are responsible for ensuring their employees understand that such visits may take place. At this point, the FCA has only raised this as a possibility, and it’s not yet clear under which particular power any visits would be carried out, but it is clear that it is in the FCA’s mind that they may do this in the future.

It is likely that firms already have working from home policies or terms of employment which provide that they can enter an employee’s home for a number of reasons e.g. health and safety, to maintain property etc. However, it is unlikely that these policies and terms would be specific enough to cover the type of situation envisaged by the FCA.

The FCA’s power should be clearly communicated and explained to employees. Policies and employment terms should be updated in accordance with normal employment law rules. Any implications of an employee refusing to allow the FCA to enter the property e.g. potential disciplinary action, should be made clear in the relevant updated documents.

Data Protection

The FCA’s latent power to visit any location where work is performed means that employees and firms should act now to ensure compliance with data protection and cybersecurity legislation. At the very least, we would recommend that firms:

  • Have robust firm policies and procedures in place: We would encourage firms to implement a working from home policy, as well as, at the very least, a clean desk policy and a usage policy for firm owned equipment. Moreover, this should be accompanied by regular training on best practices and guidelines to adopt for data protection. Employees should avoid the temptation to do things in a way that is more convenient, such as sending emails through personal accounts or using the video conferencing app that they use with friends for work calls.
  • Ensure that employees take care with any confidential and personal information: At the office, it is likely that employees can use confidential waste bins, which are not available at home. Employees should follow their organisation’s guidance or safely store print outs until they can be disposed of securely. To avoid loss or theft of personal data, we would recommend firms encourage staff to put print outs and devices away at the end of the working day if possible. If employees are sharing home working space with other family members or friends, we would encourage firms to recommend that employees try to hold conversations where they are less likely to be overheard and that screens are positioned where they are less likely to be overseen.
  • Ensure that employees use approved technology: Where possible, we would encourage firms to provide staff with the required hardware or software with appropriate protections in place, and to ensure that employees use it. This will provide the best protection for personal data.
  • Keep software up to date: Security software should be kept up to date to prevent any cybersecurity issues or data protection leaks.

The above is a non-exhaustive list and we would encourage firms to consider further guidance published by the FCA on the issue, accessible here.

Notification Requirements

Under Principle 11, firms are required to deal with the FCA in an open and cooperative way and disclose anything relating to the firm which the FCA would reasonably expect notice of. As we have noted above, the FCA is taking a location neutral stance, and expects as much from regulated firms as they did prior to Covid-19, if not more; firms are required to show that they have adequate planning in place to mitigate the potential risks of remote and hybrid working.

The FCA expects firms to continue to monitor any changes and reach out to their usual supervisory contact at the FCA with any questions. As the Covid-19 situation continues to evolve, firms are expected to devote time and resource to the question of how to manage hybrid and remote working in the new era.

Final Thoughts

Hybrid working is here to stay for the foreseeable future, and it’s important for financial services firms to continue to comply with their regulatory obligations whilst doing so. This article has set out some of the key considerations for firms, with a lens on particular regulatory, data protection and employment issues. Ultimately, the FCA wants to safeguard the integrity of the financial services market and to ensure it operates in much the same way, in spite of the inherent challenges of this new way of working.

If anything in this article has struck a chord with you and you would like further information, please do not hesitate to get in touch using the contact details below.

Get in Touch

Lorna Stephen
SENIOR SOLICITOR, CORPORATE FINANCE
lorna.stephen@burnesspaull.com | +44 (0)131 473 6184

Benjamin McGlinchey
SOLICITOR, TECH & COMMERCIAL
benjamin.mcglinchey@burnesspaull.com | +44 (0)131 370 8991

Lucy Mathers
KNOWLEDGE & DEVELOPMENT LAWYER, EMPLOYMENT
lucy.mathers@burnesspaull.com | +44 (0)1224 618519

Caroline Stevenson
HEAD OF FINANCIAL SERVICES REGULATORY
caroline.stevenson@burnesspaull.com | +44 (0)131 473 6326

David Goodbrand
PARTNER, DATA PRIVACY
david.goodbrand@burnesspaull.com | +44 (0)131 473 6125

Morag Moffett
PARTNER, EMPLOYMENT
morag.moffett@burnesspaull.com | +44 (0)141 273 6737