As businesses emerge from the Covid-19 pandemic, a key operational consideration will be the approach to remote or hybrid working arrangements and whether those arrangements are made permanent. The move to hybrid and home-based work is a positive cultural step, but one that needs to be carefully managed to mitigate the associated risks. The FCA has released new guidelines outlining its expectations for remote or hybrid working, to help businesses plan ahead and continue to meet their regulatory responsibilities.
In this article, we explore how the evolution from temporary work-at-home arrangements to permanent work-from-home arrangements is multifaceted, forcing companies to reflect on and revise their policies and procedures, reconsider programs, systems and controls and operational resilience, and manage potential conflicts.
The suitability of companies’ remote or hybrid working arrangements will be assessed by the FCA on a case-by-case basis. As part of this assessment, companies will need to be able to demonstrate that working arrangements do not have, or are unlikely to have, an impact on their ability to meet regulatory obligations, or even on the FCA’s ability to regulate the business.
In summary, this means that a company’s arrangements should not (among other things) (i) prevent the FCA from receiving information about the company; (ii) affect a company’s ability to oversee its functions, including outsourced functions; (iii) harm consumers; (iv) undermine the integrity of the market; (v) increase the risk of financial crime; or (vi) reduce competition.
Companies are required to demonstrate that they have undertaken satisfactory planning before making temporary arrangements permanent, and that these plans can be reviewed periodically to identify emerging risks. Relevant considerations in this regard include (among others):
- Governance: appropriate oversight by senior management and committees, both of which must be maintained.
- Robust systems and controls: to include required IT functionality, but also to mitigate financial crime, data, cybersecurity and security risks (including when staff are working overseas).
- Business continuity: the need to ensure that control functions can operate unaffected, that the company can continue to meet any specific regulatory requirements (for example, with respect to call recordings, monitoring and consumer access to services) and that appropriate record keeping is in place.
- Culture: establish and integrate an appropriate culture for remote working, taking into account issues of well-being, training, diversity and inclusion.
There is clear evidence that these expectations will change as there is a better understanding of how businesses intend to operate. The FCA has also reminded companies to notify the regulator of any material changes in how they work.
Wider considerations for businesses and employees
Access to devices and information
Businesses will need to ensure that they have the right to access residential property to reclaim business property. However, to the extent that employees can use their own devices to access work systems, this exposes companies to challenges in terms of being able to shut down those devices and extract the information (especially if it is saved locally) that may be necessary to comply with regulatory obligations.
This is because the potential use of encrypted communications applications (such as WhatsApp) to share sensitive work-related information may impact a company’s ability to effectively monitor communications (on which the FCA issued a separate publication earlier this year: https://www.fca.org.uk/publications/newsletters/market-watch-66).
Additionally, employees’ use of their own devices can impact a company’s ability to control and monitor staff use of social media or browsing sites.
Companies should therefore ensure that policies and procedures regarding the use of private devices and social media are reviewed and updated as necessary to mitigate these risks, and to ensure that they provide sufficient scope for effective monitoring and recording.
The FCA has indicated that it has the authority to visit “any location where work is performed, business is carried on and employees are based (including residential addresses)” for regulatory purposes, including monitoring and enforcement visits (which may be unannounced). It has given companies the responsibility of making sure employees understand that such visits can take place if they are working remotely. The implications associated with this responsibility are broad and will require companies to consider current work-from-home employment policies and contracts in determining their approach to the following issues:
- The company should therefore itself include the right to carry out spot checks on residential premises as part of its broader framework of systems and controls. The possibility of home visits opens up the possibility for the FCA to identify broader issues of which the company may not have already been aware. This, in turn, can be viewed as a failure of systems and controls on the part of the business. The implementation of the right to carry out spot checks can mitigate this risk.
- The extent to which the company can require employees to allow the FCA to enter their premises must be weighed against the employee’s right to respect for his or her private and family life, and whether this is negated by the employee’s choice to work remotely.
- The extent to which a person or company can request that a company representative be present during the visit (i.e. regulatory liaison).
- The involvement of the firm, if necessary, in the preparation of the visit. This may include, for example, ensuring that relatives or friends are not on the premises at the time of the visit to ensure that confidential information about the visit is not disclosed.
- Whether an employee’s refusal to allow entry would be considered a lack of cooperation and a disciplinary matter. The FCA guidelines do not specify whether the refusal would be viewed by it as a failure to cooperate on the part of the individual, the company, or both. However, the fact that the guidelines give companies the responsibility of ensuring that employees understand that these visits could take place indicates that the FCA expects companies to take steps to ensure that employees comply.
A company’s approach to hybrid / remote work will need to be factored into its broader operational resilience agenda. It will be necessary to conduct a mapping exercise to identify those employees who are essential to provide important business services, including those who may be involved in scenario testing, and to determine if remote working is feasible for these people in terms of risk and business continuity.
If it is necessary for a company to adopt different working arrangements for different categories of employees, this can create a tension that the company will have to manage.
As the FCA guidelines state, there is a risk that remote working may actually facilitate employee misconduct.
Staff being “out of sight, out of mind” on a more permanent basis can present challenges in effectively monitoring actions and performance. Any disconnect between managers and employees could have an impact on behavior. Indeed, dishonest employees may see remote arrangements as an opportunity to engage in misconduct without being detected.
These issues will need to be carefully considered and appropriate mitigation strategies will need to be put in place. This may include introducing new processes and controls and updating existing policies.
The pandemic has demonstrated that there can be potential cultural benefits to remote working, including well-being, productivity and connection. However, in the long run, it is more likely to lead to isolation and lack of supervision.
The FCA has previously expressed the view that companies need to find a balance going forward that works for both employees and the business (A Regulatory Perspective: Measuring and Evaluating Culture, Now and in the Future, the role of the objective and the importance of D&I | FCA). This will be a difficult problem for businesses to overcome, given the different and evolving perspectives and needs. The FCA considers this balance essential to ensure the psychological safety of employees, which in turn contributes to a healthy and sustainable culture.
Companies must therefore ensure that they have a range of tools in place (i) for staff to express their opinions and make contributions; and (ii) for measuring and monitoring culture, which should be supported by appropriate governance and oversight.
It is clear that, over the coming months, the FCA will be monitoring how companies intend to operate in the long term and the associated risks. Companies must therefore ensure that all planning decisions taken are balanced and justifiable, taking into account the competing interests of regulators, the company and its employees, with appropriate risk management systems and controls.