The onset of the pandemic in March 2020 forced financial institutions (FIs) across the world to change their working practices. Large numbers of employees moved from working in an office five days a week to working from home as countries locked down. Today, it appears unlikely that FIs will return to their previous working models and regulators will expect them to adapt their systems and controls to comply with applicable legislation and guidance.
In October 2021, the Financial Conduct Authority (FCA) set out its expectations for firms that intend to have a portion of their workforce continuing to work remotely (link here), stating that “it’s important that any form of remote or hybrid working you [a FI] adopt should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.”
The FCA made it clear that it would evaluate FIs on a case-by-case basis, but it expects firms to have in place a written plan that identifies risks to their business and that shows how they will continue to meet regulatory requirements. Certain factors the FCA will expect to see FIs address in this plan include:
- having appropriate record-keeping procedures in place;
- ensuring specific regulatory requirements, such as call recordings, order and trade surveillance continue to be met;
- ensuring control functions such as risk, compliance and internal audit can carry out their functions unaffected; and
- ensuring that there is sufficient consideration of data, cyber and security risks, particularly as staff may need to transport confidential information more frequently between their homes and offices.
Under the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A) in the FCA Handbook, regulated FIs have an obligation to preserve phone conversations and electronic communications related to “activities in financial instruments” and “must take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy.” This is to ensure regulators can maintain market integrity and identify fraudulent or anti-competitive practices with ease.
However, when employees communicate by text message on personal phones, by personal email or on platforms such as WhatsApp, Signal and Telegram, it is difficult for FIs to maintain sufficient records of the correspondence. Consequently, these methods of communications can mean that FIs are in breach of their regulatory requirements and can pose difficulties for FIs in complying with regulators’ requests for communications records, as evidenced by the US$200 million fine the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) imposed last year on a major U.S. investment bank.
According to the CFTC’s statement regarding the fine, “employees, including those at senior levels, communicated both internally and externally on unapproved channels…None of these written communications were maintained and preserved and they were not able to be furnished promptly to a CFTC representative when requested.”
The increase in home working has made FIs’ ability to monitor how their workforce communicate more difficult and so increases the risk of FIs breaching their regulatory requirements. To mitigate this risk, FIs should train employees not to use unauthorised methods of communication and create tailored platforms that allow them to archive communications data in a manner that complies with regulatory requirements. As said by the SEC Chair, “As technology changes, it’s even more important that registrants ensure that their communications are properly recorded and are not conducted outside of the official channels.”
In accordance with the recent FCA guidance, FIs should also ensure that they regularly update their data maps to understand where their data is stored and by whom. In the event of a dawn raid for example, an FI may need to access an employee’s laptop, and so it must understand whose laptops and devices can be accessed remotely. In particular, FIs should be aware of the location of sensitive legally privileged material to make sure that this can be isolated quickly if necessary.
FIs and regulators are still acclimatising to the new normal of remote working; however, what is clear from the FCA’s new guidance is that its expectations of firms remain the same and are, if anything, more demanding than before the pandemic. FIs will need to adapt to the guidance and ensure that they have suitable internal compliance procedures, training and data processes in place to avoid regulatory sanctions.
Pamela Reddy is a white-collar crime and investigations partner based in London. She has extensive experience of domestic and cross-border fraud, bribery and corruption, market abuse and money laundering investigations, and frequently acts on some of the most serious, complex and high-profile cases involving the UK and foreign regulators, including the SFO, NCA, CPS, FCA and DOJ.
Annie Birch is a white-collar crime and investigations associate based in London whose experience includes investigations into bribery and corruption and civil and criminal law proceedings before international regulators, including the FCA, SEC and DOJ.
The authors would like to thank Matt Roderick, Norton Rose Fulbright trainee, for his assistance with this blog post and series.