Covid-19 is still firmly with us, and, at the time of writing, the figures are getting better. Vaccine delivery is up and infection rates are going down.
The world has changed, however, and the ‘New Normal’ is starting to become just that. Many financial service firms have stepped down their business continuity teams and are starting to develop processes that rely more on home working.
The FCA, too, is preparing us for a return to the ‘Old Normal’, one where firms are expected to fully meet the requirements of the FCA sourcebook and the ‘Covid-19’ excuse just won’t cut it when a firm is found to be in breach of regulation.
The recent announcement from the FCA on call recording is a case in point. An announcement from the FCA saying that regulated firms should follow their regulations would be surprising normally, but these aren’t normal times. When you start to lose access to your Starbucks benefits because you haven’t visited them for a year, it’s not normal (at least for me).
The ‘Market Watch 66’ communication from the FCA explains what they expect in relation to call recording at regulated firms. What’s surprising is that it contains nothing new; it only tells firms to follow the rules, no matter where the staff are working.
A few months ago, on the FCA’s ‘Coronavirus (Covid-19): Information for firms’ page, they made clear that they expect firms to meet the normal recording obligations detailed in SYSC 10A while staff are working remotely.
This is a formal acknowledgement that we should no longer be operating under business continuity conditions but should accept that business models need to be adapted to service clients properly, protect staff and meet regulatory requirements.
It is the unusual nature of the circumstances, combined with their long-term nature, that heightens the misconduct risks already increased by homeworking. The use by some staff of unmonitored or encrypted communication apps such as WhatsApp for sharing potentially sensitive information has already led to fines being imposed by the regulator.
Firms need to make sure they can effectively monitor communications with clients and ensure that the only channels being used are approved by the firm.
Firms need to be able to review the communications, verbal and electronic, and be able to tie them back to any sale or application, as well as an individual.
In this case, the FCA are simply seeking compliance with the current rules. By flagging it, they are telling firms that as time goes on, and more and more customers could be affected by a sub-standard service, the risk to the firms increases too: the risk of financial loss or regulatory censure, both with the associated reputational risk.
All firms need to have effective, up-to-date recording policies and procedures, and they must be able to demonstrate to the FCA that their management oversight regime meets the standard expected. Most obviously, this includes policies and procedures adopted for home working arrangements.
The FCA do indicate that where new or amended recording policies are needed, these should be properly signed off under appropriate governance arrangements, effectively making this business as usual.
Where firms don’t currently have robust policies relating to the use of privately owned devices to access work-related systems and potentially sensitive or confidential data, steps will be required to ensure that these are effectively recorded and are secure. Where this isn’t possible, the use of privately owned devices should not be allowed.
This FCA communication is only one of the many we can expect. The ‘New Normal’ will be anything but, for a long time to come. What the FCA does expect is for firms to consider their current situation and find ways to ensure that all regulatory requirements are met, even if this means changing staff responsibilities, teams, and working practices.
In many cases, firms have now outsourced building security to a five-year-old who tells mummy there’s someone at the door. This may be a feeble attempt at humour but is a reality for many working families.
Sensitive data that used to be held in locked rooms and accessible only to certain staff is now sitting on a kitchen table, perhaps next to someone from a rival company. Many couples originally met at work, in the same section of the same industry, and now work for competitor firms. I, personally, am aware of at least three couples in exactly this situation.
This conflict needs to be acknowledged within firms, and practical solutions put in place to minimise the risk from even the most trustworthy staff, such as locking down the ability to print at home or to copy data from a laptop to memory sticks.
This situation is new to all of us, and there are going to be accidental data losses, broken breadcrumb trails in client records and deliberate fraud.
Just as the advent of computers was expected to change working practices decades ago, the true arrival of the home office is now on the horizon. This means different procedures, different regulations and different team relationships. We will learn, but there is going to be pain along the way, and the FCA are already flagging it: Comply or Die.