The expectations are evolving. In their current form they apply to:
- existing firms;
- firms applying to be regulated; and
- firms proposing to submit further applications (e.g. a waiver, variation of permission or change of control)
The FCA accept that we all had to adapt during the lockdowns of the Covid-19 pandemic. However, firms may not appreciate that if their temporary plans are to be made permanent, it is not just a case of "let's continue as we are". The FCA expect firms to put a plan in place first. This plan should be reviewed before any temporary arrangements are made permanent. The plan should be reviewed on a continual basis so that new risks are identified.
If we're honest with ourselves, we know that in some cases there was a bit of a fudge to keep things going through the pandemic. Given the circumstances everyone did their best. It is also true to say that remote and hybrid working leaped years ahead due to the pandemic. But what was accepted as we muddled through will not automatically meet the FCA's expectations today.
The FCA has made clear that they expect firms to be able to meet the threshold conditions for their regulated activities. The integrity of the information on the Financial Services Register should not be detrimentally impacted. The core objectives on competition, the integrity of the market, preventing customer detriment and preventing financial crime remain paramount. You can't just say "it's all good"; you have to be able to prove to the FCA that the lack of a centralised location or remote working is not likely to impinge on the strategic objectives.
Looking at this at a more granular level, firms need to prove that they have put in place satisfactory planning on things like:
- maintaining an appropriate culture in a remote working environment
- having robust systems and controls, especially IT support
- managing data and security risks e.g. if staff are travelling more with laptops
- meeting specific regulatory requirements like call recordings and consumers being able to access services
- the effect on staff: this includes their wellbeing, training and diversity and inclusion matters.
That all seems quite obvious. Perhaps less obvious is that if a firm updates their principal place of business address on the Financial Services Register to a residential address, then the FCA expect that the firm has considered the impact on private individuals, e.g. people who live there but are not employees.
Pre-Covid-19, most firms would accept that, to be an effective regulator, the FCA need to be able to access firms' work sites, records and employees. A lot of employees would be nonplussed by that. In the new working environment this has a different meaning. The FCA expect firms to "take responsibility to ensure that employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits."
At a regulatory handbook level, firms need to keep Principle 11 (PRIN), SUP 15.3, COND and SYSC at the front of their minds. At a people management level, communicating to employees that the FCA could visit a residential home should be done as soon as possible.