Key considerations for firms:
- Updating business as usual (BAU) policies and procedures to consider logistics, supervision and security;
- Updating business continuity plans (BCPs);
- Compliance with the Senior Managers and Certification Regime (SM&CR);
- Notifying regulators after returning to work;
- Enhancing cybersecurity of remote-office workplaces and safeguarding confidential client information;
- Ensuring books and records are properly maintained;
- Completing regulatory filings; and
- Training employees.
This advisory provides a non-exhaustive list of considerations for Financial Conduct Authority (FCA)-regulated firms, as they consider reopening their offices and transitioning from mostly remote-working arrangements to a combination of working arrangements as a phased-in stage or as part of ‘business as usual’ operations.
While employers across various industries and sectors face certain common challenges in returning to the workplace during the COVID-19 pandemic, firms in the United Kingdom (UK) financial services industry, including registered entities (e.g., exchanges), individual registrants and trading firms, also need to consider unique regulatory and compliance obligations.
It may be that some firms in the financial services industry will not mandate that all employees return to work at a single time. Rather, firms will likely phase in the return of employees to offices; this would be consistent with broader global trends. For example, in the United States some commentators speculate that having a significant portion of employees permanently, or at least on a part-time basis, working from home may be the new normal even after the COVID-19 pandemic has passed.
We have published several employment focused advisory notes, including “Coming Out of Lockdown — Employment Considerations for UK Offices: What to Expect in This Next Phase of ‘Business as Unusual’”, which provides an overview of workforce management issues and key considerations for employers as they navigate through this unprecedented time, and “Creating a Safe Place to Work in the UK”, which focuses on the obligation of employers to ensure that the place of work is “COVID-19 secure”.
Updating BAU policies and procedures
Many financial services firms responded to the COVID-19 pandemic without the benefit of time to consider the longer-term implications of implementing alternative policies and procedures. As financial services firms start to return to work, they should consider updating their compliance policies and procedures to account for any changes to business processes resulting from the COVID-19 pandemic. If working from home is likely to become a bigger part of a financial services firm’s BAU, all BAU policies and procedures should be updated to consider the impact of such arrangements on:
- logistics (e.g., what technologies and infrastructure are necessary to support remote working);
- supervision (e.g., how to supervise employees working from home, and how remote surveillance and supervisory staff should supervise employees working at diverse locations, including BCP sites and working from home); and
- security (e.g., what adaptions, if any, may be required to authorise employees to use non-company-issued phone services, computers, printers or other electronic devices).
Updating business continuity plans (BCPs)
Most financial services firms activated their BCPs at some point during the COVID-19 outbreak and the ensuing ‘lockdown’. The FCA is widely expected to conduct a thematic review into BCPs of a wide range of regulated firms over the summer, with some enforcement action likely and the results of the review expected to be published in the third or fourth quarter of this year. Firms should be mindful that the FCA expects all FCA-authorised firms to have appropriate and proportionate BCPs, and that they should take all reasonable steps to meet their regulatory obligations.[1] Consequently, when firms update their BCPs, they should:
- consider whether to continue activating their BCPs and whether to modify BCPs, as some employees return to work, and, in some instances, some employees continue to work remotely;
- review and modify their BCPs to ensure consistency with any process changes adopted during the COVID-19 pandemic and continue to benchmark their BCPs against new or emerging threats to normal business operations (e.g., among other things, BCPs should formally anticipate employees working from home); and
- if required, notify the FCA that BCPs are no longer activated.
For further information on BCPs and guidance for FCA-regulated firms, please see the advisory prepared by Katten, available here.
Compliance with SM&CR
In response to the COVID-19 pandemic, the FCA introduced a number of SM&CR measures to guide senior managers and firms through these unprecedented times. Some of these measures and the actions that firms may now consider taking when returning to work are set out below:
- The FCA confirmed that it does not require a single senior manager to be responsible for a firm’s COVID-19 response. Instead, firms may allocate these responsibilities in a way which best enables them to manage the risk that they face. Firms returning to their offices may consider whether their current allocation of these responsibilities is still effective. In particular, firms may wish to balance such responsibilities between senior managers who are working from home, and those who are physically present in the office.
- The FCA granted, and extended, a modification to consent to the ‘12 week rule’, whereby an individual can cover for a senior manager without being approved for a maximum of 36 weeks in a consecutive 12-month period.[2] Since furloughed senior managers retain their FCA senior manager approvals, it may be appropriate for firms returning to the office to now consider whether certain furloughed senior managers are also able to return to work. If so, their prescribed responsibilities should be transferred back to them.
Notifying regulators after returning to work
Financial services firms that notified the FCA of certain events should consider whether returning to work or maintaining a hybrid arrangement triggers additional notifications and/or relief. For example, firms may have notified the FCA of an emergency relating to the sudden requirement from the UK government for all workers (except key workers) to work from home. At the beginning of the lockdown, we understand that many firms encountered difficulties complying with certain regulations relating to the recording of telephone conversations. In such instances, firms that have previously notified the FCA of an emergency, and the steps that they were taking to deal with the consequences of such emergency, may now wish to update the FCA to let them know that they may, for example, now be in a position to record all telephone conversations since those employees will be back in the office. To keep up-to-date with the regulators’ notification requirements, please see Katten’s Financial Markets Regulation COVID-19 Resource Centre.
Enhancing cybersecurity of remote-office workplaces and safeguarding confidential client information
The FCA expects firms to prioritise information security and ensure that adequate controls are in place to manage cyber threats and respond to major incidents. Firms returning to work need to make sure appropriate steps are taken to safeguard personal and confidential information. For example:
- Regulators expect firms to protect personally identifiable information. If all or some of a firm’s personnel were working remotely, firms should reassess and consider any challenges presented, which may be particularly relevant when some of the firm’s personnel work remotely and some work in the office.
- If a financial services firm decides to utilise BCP locations and home offices in a transition phase or as BAU, the firm should also consider issues regarding cybersecurity and protecting customer and employees’ personal and confidential information in a more systematic manner. Among other things, these businesses will need to consider policies and procedures regarding employees at non-ordinary offices using their personal mobile phones, computers, printers and other electronic equipment, as company-issued equipment may not always be practical for such locations. Similarly, accommodating work from home arrangements likely requires financial services firms to revise their policies and procedures to address logistical issues of persons working from environments where other persons may be present and potentially having the opportunity to view computer screens, printouts of documents and/or overhear conversations pertaining to inside information or other non-public information.
Ensuring books and records are properly maintained
Firms must ensure that their books and records are complete and appropriately maintained. This process includes retrieving remotely-generated and/or manually-prepared records as soon as technologically practicable for integration into the firm’s centralised books and records system. These remote and manual records must be incorporated in such a way that they are capable of being easily identified and retrievable. For example, the European Securities and Markets Authority (ESMA) issued temporary relief to market participants from certain recordkeeping requirements, such as recording telephone conversations. This relief is conditioned on market participants taking alternative steps (e.g., written records of telephone conversations) to mitigate any consequential risks. Firms should retrieve and integrate these types of records as soon as technologically practicable.
Completing regulatory filings
Firms should consider whether it is appropriate to submit delayed regulatory filings. The FCA and ESMA have given financial services firms time extensions to make certain annual reports, regulatory returns, periodic filings and responses to inquiries. For example, the FCA provided firms with one- to two-month delays on certain regulatory returns required under the FCA Handbook[3], including returns relating to operational and market risk. Firms should consider whether these extensions still apply and consider whether they need to update and/or make those filings.
Training employees
The FCA has introduced a number of temporary reliefs in relation to the training of firm employees, which includes carrying over continuing professional development[4] and extensions to employees obtaining the appropriate professional qualifications[5]. With firms restoring a level of normality by returning to the office, it may be worthwhile for firms to reconsider if certain employees are now in a better position to complete their required training. This may be particularly relevant where providers of the professional qualifications may now be in a position to offer exams that had previously been cancelled.
As always, Katten’s Financial Markets and Funds lawyers are happy to provide assistance in reviewing existing policies and procedures to evaluate potential issues, revise policies and procedures, and work with regulators to endeavour to obtain relief from existing regulatory requirements that may be inapplicable to the way business might be conducted after the COVID-19 pandemic has passed.