Due to the coronavirus (Covid-19) pandemic, firms are already familiar with working in a remote environment and adapting their systems and controls. It is likely many firms will continue these new ways of working. The FCA HAS set out their expectations so firms can plan and continue to meet their regulatory responsibilities.
These expectations apply to:
- existing firms
- firms applying to be regulated
- firms proposing to submit further applications, such as a waiver, variation of permission, change of control etc
These expectations will evolve as more is understood about how firms intend to operate.
International firms should continue to have an establishment or physical presence in the UK. See FCA approach to international firms.
What existing firms should be planning for now
Firms considering remote or hybrid working will be evaluated by the FCA on a case-by-case basis. Your firm should consider the following.
How firms operate their business
Firms should be able to prove that the lack of a centralised location or remote working does not or is unlikely to:
- Affect the firm’s location in the UK, or its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for – or any equivalent requirements, where these do not apply.
- Prevent the FCA receiving information about a firm.
- Reduce the accuracy of the Financial Services (FS) Register for others if, for example, consumers are not able to contact the firm at the principal place of business shown on the FS Register.
- Affect the ability of the firm to oversee its functions including any outsourced functions.
- Cause detriment to consumers.
- Damage the integrity of the market.
- Increase the risk of financial crime.
- Reduce competition.
A firm must also prove that there is satisfactory planning:
- That there is a plan in place, which has been reviewed before making any temporary arrangements permanent and is reviewed periodically to identify new risks.
- There is appropriate governance and oversight by senior managers under the Senior Managers regime, and committees such as the Board, and by non-executive directors where applicable, and this governance is capable of being maintained.
- A firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
- An appropriate culture can be put in place and maintained in a remote working environment.
- Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
- The nature, scale and complexity of its activities, or legislation, does not require the presence of an office location.
- It has the systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust.
- It’s considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
- It has appropriate record keeping procedures in place.
- It can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
- The firm has considered the effect on staff, including wellbeing, training and diversity and inclusion matters.
- Where any staff will be working from abroad the firm has considered the operational and legal risks.
The above is an indicative and non-exhaustive list. It’s important any form of remote or hybrid working adopted should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.
Firms’ engagement with the FCA
Firms should consider if their details on the FS Register need updating. For example, if your firm intends to use a private residential address as its principal place of business, it should consider the effect on any individuals and got necessary approvals. This includes those living at the property who aren’t employees.
The FCA should be able to access firms’ sites, records and employees. It’s important that firms are prepared and take responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits.
Notifying the FCA of changes to your working arrangement
Any material changes to how your firm intends to operate may require you to notify the FCA first. Under Principle 11 of the FCA’s Principles for Businesses, firms are required to deal with the FCA in an open and cooperative way and to disclose anything relating to the firm which they would reasonably expect notice of.
SUP 15.3 sets out additional rules and guidance about when the FCA would expect notice of matters relating to a firm. You should continue to monitor any changes and speak to your usual supervisory contact with any questions.
If you are applying to be authorised or registered
For all the regulated activities which firms have or will have permission, they need to continue to meet the threshold conditions in Schedule 6 Part 1B of FSMA (or equivalent requirements, where these do not apply). See guidance on the threshold conditions in the COND sourcebook.
While the information the FC require from firms hasn’t changed, it’s important that your application covers the following specific details (if applicable):
- The arrangements your firm will have for remote working, including presence in any other jurisdictions.
- That you’ve considered the legal implications for your business of this type of arrangement.
- How key functions will be performed, overseen and based.
- The location of senior managers and their plans to oversee the firm’s activities.
- Confirmation that your processes and procedures reflect the arrangements.
- The period the arrangements are expected to last (if not permanent).
- The arrangements your firm will make for consumer access. For example, how will you ensure that consumers without access to electronic communications can communicate with your firm?
- How your firm will address complex consumer needs. This could include ensuring you have access to appropriate locations to hold face-to-face meetings.
- The arrangements for customer authentication and vulnerability assessments.
- Business continuity plan requirements, including when using home networks.
- How your firm will manage the risk of information becoming out of date. For example, staff moving addresses.
- Where and how any FCA supervisory or enforcement visits would be done and how this is documented in your processes.
- Systems and controls, including:
- To what extent will the business digitise?
- The ability to access records/systems.
- If your firm relies on physical documents, what arrangements have been made for their security and access.
- Where files and paperwork will be located.
- Systems being used – are they recognisable and protected appropriately against cybercrime?
- How your firm intends to communicate with staff that FCA visits could take place in their homes?
- Plans for compliance reviews to ensure the dispersed working model is functioning properly.
The above is an indicative and non-exhaustive list as the information we need will depend on your business model and how your firm intends to operate.