Home Alone 2.3: The FCA Visit

The FCA has updated its guidance on remote and hybrid working – firms (and applicants) need to ensure they are up to speed with the revisions.

On 11 October 2021, the FCA published an update on its guidance to firms (and applicants) on remote and hybrid working models. During the height of the Pandemic and lock-down, the FCA’s guidance was:

• it expected compliance and back-office to be able to operate “business as usual”, albeit that firms were permitted some leeway in determining how that was to be achieved;
• firms were to review and update their internal monitoring and compliance programmes to ensure that they were appropriate to the new paradigm and for the new risks that were emerging;
• the FCA had noticed a material drop in the number of suspicious transactions and order reports (“STORs”) and would follow-up to determine whether this was due to a failure by firms to monitor their and their clients’ activities sufficiently closely;¹
• the baseline expectation was that firms would not insist that their staff came into the office: there was some confusion regarding the FCA’s use of the term “key worker” (which has a very specific meaning and, contrary to the position in the United States, the financial services industry was not treated as a “key” business in the UK); this lead to the FCA questioning either why so many staff attended the office or the opposite, depending on the firm involved; and
• firms had some flexibility to “rotate” senior management functions without formal pre-approval in the event of illness.

In the updated guidance, the FCA makes it clear that firms must be able to demonstrate that there has been “satisfactory planning” for “business and usual” arrangements where some/all staff are permitted to work from home or to benefit from hybrid working. The FCA has focused heavily on firms’ diversity & inclusion efforts and firms’ ability to monitor (and assist) in their staff’s health and wellbeing. These issues are paramount in any firm’s “satisfactory planning”. The other and rather more contentious point is that the FCA “reminded” firms of its right to attend, enter and examine firms’ places of business which, in extremis, would include individual staff members’ residential premises (with or without prior notice).

If one applies a reasonable, objective standard to the exercise of the FCA’s supervisory and enforcement powers, it should remain unlikely that firms which maintain office premises and where a majority of their staff are working a majority of the time should expect home visits for staff. If a firm does not maintain an office presence or most staff work from home on a regular basis, there is a risk that the FCA will insist upon access to staff residential accommodation. Bearing in mind the issues generally, not just by the FCA, that have been highlighted arising from working from home (physical security of data, the risks of information leakage, access to non-work and unrecorded communications), a potential visit from the FCA should be taken extremely seriously.

Firms show a natural (and welcome) reluctance to have too-an-obtrusive presence in their staff’s non-working lives. In the same way, however, that firms really should conduct workplace health and safety assessments for their staff’s home working environments, firms should consider making home visits on staff to ensure that (should the FCA knock on the door) the firm and the staff member(s) know what to expect.

On a related topic, at the end of September, the former employer of the infamous Redditor, “RoaringKitty” was fined USD4m by its state regulator (in the United States) for failing to “adequately supervise” his online activities in certain “memestocks”. The implication for firms is that they may need to take additional and unwelcome steps to access or control their staff members’ use of social media or outside work interests. This raises the spectre of dystopian oversight of staff member’s personal lives and personal data. Firms are rightly anxious and unhappy about this prospect. It is (commonly) “good enough” to have policies and procedures regarding own-device and social media use and access which, when breaches are discovered, are dealt with properly. This may change regulators’ views of “good enough” to both firms’ and staff members’ disadvantage. 

¹As it happens, the FCA released data subsequently which indicated that the number of STORs was as could have been expected in the volatile market conditions.