Due to the coronavirus (Covid-19) pandemic, firms are already familiar with working in a remote environment and adapting their systems and controls. It is likely many firms will continue these new ways of working. We set out our expectations so firms can plan and continue to meet their regulatory responsibilities.
These expectations apply to:
- existing firms
- firms applying to be regulated
- firms proposing to submit further applications, such as a waiver, variation of permission, change of control etc
These expectations will evolve as more is understood about how firms intend to operate.
International firms should continue to have an establishment or physical presence in the UK. See our approach to international firms.
We will evaluate firms considering remote or hybrid working on a case-by-case basis. Your firm should consider the following.
How firms operate their business
Firms should be able to prove that the lack of a centralised location or remote working does not or is unlikely to:
- affect the firm’s location in the UK, or its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for – or any equivalent requirements, where these do not apply
- prevent the FCA receiving information about a firm
- reduce the accuracy of the Financial Services (FS) Register for others if, for example, consumers are not able to contact the firm at its principal place of business shown on the FS Register
- affect the firm's ability to oversee its functions including any outsourced functions
- cause detriment to consumers
- damage market integrity
- increase the risk of financial crime
- reduce competition.
A firm must also prove it has satisfactory planning, as follows:
- The firm has a plan in place. The firm has reviewed it before making any temporary arrangements permanent. The firm reviews it periodically to identify new risks.
- The firm's senior managers have appropriate governance and oversight under the Senior Managers regime, and through committees such as the Board, and by non-executive directors where applicable. This governance is capable of being maintained.
- The firm can cascade policies and procedures to reduce any potential for financial crime arising from its working arrangements.
- The firm can put in place an appropriate culture and maintain it in a remote working environment.
- Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
- The nature, scale and complexity of the firm's activities, or legislation, does not require the presence of an office location.
- The firm has the systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust.
- The firm has considered any data, cyber and security risks, particularly as staff may need to transport confidential material and laptops more frequently in a hybrid arrangement.
- The firm has appropriate record-keeping procedures in place.
- The firm can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
- The firm has considered the effect on staff, including wellbeing, training, and diversity and inclusion matters.
- If any staff will be working from abroad, the firm has considered the operational and legal risks.
The above is an indicative and non-exhaustive list. It's important that any form of remote or hybrid working you adopt should not risk or compromise the firm's ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.
Firms’ engagement with the FCA
Firms should consider if their details on the FS Register need updating. For example, if your firm intends to use a private residential address as its principal place of business, it should consider the effect on any individuals – including those living at the property who aren't employees – and get the necessary approvals.
We should be able to access firms’ sites, records and employees. It’s important that firms are prepared and take responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits.
Notifying us of changes to your working arrangement
Any material changes to how your firm intends to operate may require you to notify us first. Under Principle 11 of the FCA’s Principles for Businesses, firms must deal with the FCA in an open and cooperative way and to disclose to us anything relating to the firm which we would reasonably expect notice of.
SUP 15.3 sets out additional rules and guidance about when the FCA would expect notice of matters relating to a firm. You should continue to monitor any changes and speak to your usual supervisory contact with any questions.
Regarding all the regulated activities for which firms have or will have permission, they need to continue to meet the threshold conditions in Schedule 6 Part 1B of FSMA (or equivalent requirements, where these do not apply). See guidance on the threshold conditions in the COND sourcebook.
While the information we require from firms hasn’t changed, it’s important that your application covers the following specific details (if applicable):
- The arrangements your firm will have for remote working, including presence in any other jurisdictions.
- That you’ve considered the legal implications for your business of this type of arrangement.
- How key functions will be performed and overseen, and where they will be based.
- The location of senior managers and their plans to oversee the firm’s activities.
- Confirmation that your processes and procedures reflect the arrangements.
- The period the arrangements are expected to last (if not permanent).
- The arrangements your firm will make for consumer access. For example, how will you ensure that consumers without access to electronic communications can communicate with your firm?
- How your firm will address complex consumer needs. This could include ensuring you have access to appropriate locations to hold face-to-face meetings.
- The arrangements for customer authentication and vulnerability assessments.
- Business continuity plans, including when using home networks.
- How your firm will manage the risk of information becoming out of date; for example, staff moving house.
- Where and how any FCA supervisory or enforcement visits would be done and how this is documented in your processes.
- Systems and controls, including:
- to what extent will the business digitise?
- the ability to access records/systems
- if your firm relies on physical documents, what arrangements have been made for their security and access
- where files and paperwork will be located
- systems being used – are they recognisable and protected appropriately against cybercrime?
- How your firm intends to inform staff that FCA visits could take place in their homes?
- Plans for compliance reviews to ensure the dispersed working model is functioning properly.
The above is an indicative and non-exhaustive list as the information we need will depend on your business model and how your firm intends to operate.