The UK's Financial Conduct Authority has warned that it is important to understand that it has "powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits."
In a briefing note on 11 October, the FCA set out its expectations on the rules around working in a remote environment and adapting systems and controls, given the likelihood that many firms will continue post-Covid ways of working.
The FCA also highlighted that international firms should continue to have an establishment or physical presence in the UK.
It said firms should be able to prove that the lack of a centralised location or remote working does not or is unlikely to:
• Affect the firm's location in the UK, or its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for - or any equivalent requirements, where these do not apply.
• Prevent the FCA receiving information about a firm.
• Reduce the accuracy of the Financial Services (FS) Register for others if, for example, consumers are not able to contact the firm at the principal place of business shown on the FS Register.
• Affect the ability of the firm to oversee its functions including any outsourced functions.
• Cause detriment to consumers.
• Damage the integrity of the market.
• Increase the risk of financial crime.
• Reduce competition.
• A firm must also prove that there is satisfactory planning:
• That there is a plan in place, which has been reviewed before making any temporary arrangements permanent and is reviewed periodically to identify new risks.
• There is appropriate governance and oversight by senior managers under the Senior Managers regime, and committees such as the Board, and by non-executive directors where applicable, and this governance is capable of being maintained.
• A firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
• An appropriate culture can be put in place and maintained in a remote working environment.
• Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
• The nature, scale and complexity of its activities, or legislation, does not require the presence of an office location.
• It has the systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust.
• It's considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
• It has appropriate record keeping procedures in place.
• It can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
• The firm has considered the effect on staff, including wellbeing, training and diversity and inclusion matters.
• Where any staff will be working from abroad the firm has considered the operational and legal risks.
The FCA said the above was an indicative and non-exhaustive list, adding that it was important any form of remote or hybrid working adopted should not risk or compromise the firm's ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.