The Financial Conduct Authority (FCA) has issued new guidance to companies that are operating a remote or hybrid working model.
The new guidance dictates that firms will now be evaluated on a case-by-case basis and should be able to prove that the lack of a centralised location or remote working does not, or is unlikely to, affect the company’s ability to meet the threshold for the regulated activities it has or will have permission for.
The guidance states that companies should be careful to ensure that remote working does not affect the ability of the firm to oversee its functions, cause detriment to consumers, damage the integrity of the market, increase financial crime or reduce competition.
Other advice contained in the proposals includes the need for companies to have the necessary planning in place. The FCA recommends that firms ensure they have robust systems and controls, including the necessary IT functionality, to support the above factors.
Companies should also ensure that they have considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
Companies are also advised to consider the full legal implications of this type of arrangement for their business, and how key functions will be performed, overseen, and based. They are further advised to manage systems and controls effectively, including digital capabilities such as the ability to access records/systems, whether the firm in question relies on physical documents and what arrangements have been made for their security and access.
Responding to the guidance, technology expert Sridhar Iyengar, Managing Director, Zoho Europe, said: “The FCA is right to warn financial services firms about the risks associated with hybrid working, particularly around challenges such as regulatory requirements, data compliance and accountability. The Covid-19 pandemic has forced through many positive changes in terms of working practices, yet far too many companies still lack the training & assessment of personnel and the IT infrastructure and systems to ensure complete compliance.
“Moving forward, organisations seeking to build a truly safe and secure hybrid working culture must look towards operating systems that can offer key applications to manage everything from collaboration and finance, to analytics and customer engagement. This will bring a new level of safety and security to remote working, helping to keep companies compliant in line with FCA standards.”
Security specialist Tim Sadler, CEO of Tessian, added: “A hybrid working model brings with it huge benefits in terms of employee wellbeing, cost saving and flexibility, but also substantial cyber risks. The FCA is right to raise awareness of the need for companies to carefully consider how they manage remote working operations to ensure they remain compliant at all times. As well as ensuring the right security systems are in place, it’s essential that staff are fully trained about the risks posed in terms of data security around incorrectly addressed email correspondence as well as external threats like phishing emails and ransomware attacks. Financial services organisations manage valuable and critical data, and it’s so important that they do not allow flexible working practices to put them at risk of a breach.”
Cyber expert Chris Ross, SVP International at Barracuda Networks, said: “Hybrid working brings with it many security challenges, particularly for firms operating within the financial services sector, so this guidance from the FCA is a welcome step for helping businesses reduce risk. With ransomware attacks on the rise, keeping companies fully aware of their regulatory responsibilities when managing remote working models is an essential step, alongside the necessary security systems and training for staff.
“Our recent research has shown that 81% of IT leaders admitted that their organisation had suffered a security breach in the last 12 months. Worryingly, companies operating a remote or hybrid working model had a substantially higher breach rate, at 85% compared to office-based businesses where the figure was 65%. Worse still, three quarters of those surveyed stated that they had been the victim of at least one ransomware attack. It’s therefore vital that all companies operating hybrid working models remain compliant and acutely aware of potential security risks at all times.”