09 February 2021 - Post by:
The UK Financial Conduct Authority (FCA) has emphasised in the latest edition of its Market Watch Newsletter its expectations for firms to record telephone conversations and electronic communications in light of the increased use of alternative working arrangements by employees such as increased homeworking. The FCA has highlighted that risks from misconduct may be heightened or increased by remote working and, in particular, has commented on the increased use of unmonitored and/or encrypted communication applications such as WhatsApp to share potentially sensitive business information.
The FCA’s published expectations in this regard form part of a consistent theme by the regulator to ensure that firms are complying with their regulatory obligations and paying attention to new and/or increased conduct risks during the Covid-19 pandemic.
The risks arising from alternative working arrangements
The Covid-19 pandemic continues to mean that many firms’ employees are continuing to work from remote locations. The FCA has been quite vocal about the increased conduct risks that are associated with remote working and that certain types of misconduct could be facilitated by a remote-working environment. For example, last summer the FCA expressly highlighted the risk of supervisors being unable to ensure that their employees are not ‘colluding inappropriately over WhatsApp’ or taking ‘picture[s] of privilege data on a screen when there’s nobody sitting next to you to ask what you’re doing’.
With these risks in mind, in its newsletter the FCA made it clear that firms must ensure that they comply with their regulatory obligations to record relevant telephone and electronic communications and that they need robust policies and training in place to ensure that these requirements are observed by employees. This is because the FCA is concerned that firms will not be able to effectively monitor or undertake surveillance in relation to telephone and electronic communications if employees use, for example, personal devices and apps.
- WhatsApp: The FCA draws on “WhatsApp” as an example of an application where communications may not be encrypted or monitored. Firms must ensure that apps and technologies deployed by employees are recorded and auditable. The FCA highlights in its newsletter that it has taken enforcement action against individuals and firms for misconduct which involved the use of WhatsApp and other social media platforms to arrange deals and provide investment advice and that the FCA ‘expects this to remain an area of focus’.
- Effective recording and monitoring controls: The FCA is concerned that there is a real risk of loss of monitoring and surveillance capability due to the increase in remote working arrangements by employees and that this may lead to a loss of evidence to resolve disputes between firms and clients, for example, in relation to transaction terms.
- Supervision: The absence of effective control mechanisms also reduces the FCA’s ability to perform its supervisory function in both deterring and detecting misconduct such as market abuse and in facilitating enforcement.
Communications that must be recorded
In its newsletter, the FCA reminds firms that the recording obligations in the FCA Handbook (SYSC 10A) apply to conversations and communications made with, sent from, or received on, equipment provided or permitted to be used for business purposes.
Accordingly, the FCA requires firms to which the recording obligations apply to:
- take reasonable steps to record telephone conversations and keep a copy of electronic communications of relevant activities; and
- ensure their recording policies can identify communications that directly relate to the in-scope activities of the recording obligations.
In addition, the FCA has stated that firms should also identify communications intended to lead up to these activities being performed, or where there is a reasonable prospect of such activities being performed.
What should firms be doing in response?
- Robust policies: Firms must have in place effective and up to date communications recording policies which have been adapted for alternative working arrangements. These policies should be proactively reviewed as and when the context and environment in which they operate changes (e.g. through continued remote working arrangements). Firms’ policies in this area should clearly:
- identify which telephone and electronic communications are subject to the FCA’s recording obligations;
- identify what methods of communication (e.g. WhatsApp) and devices (e.g. personal devices) employees are or are not permitted to use for business purposes; and
- set out procedures to be followed in the event that breaches of those policies or gaps are identified.
In the event that firms decide to update their communications recording policies, any such changes should be documented and signed-off under appropriate governance arrangements. If these changes permit new methods of communication to be used by employees, the FCA has made it clear that firms must have implemented any additional measures that may be required to comply with the FCA’s recording rules before employees are permitted to use these new methods of communication.
- Privately owned devices: Firms should assess control mechanisms for the use of privately owned devices by employees to connect to their internal networks and potentially access sensitive or confidential information. If firms are unable to record relevant communications on employees’ privately owned devices for relevant activities that fall within the scope of firms’ recording obligations then the use of such devices may need to be prohibited by the firm.
- Training: Firms should check that their existing employee training programmes cover which methods of communications are and are not permitted. To the extent that any firms decide to change their policy requirements in this area, these changes should be reflected in refreshed training that is provided to employees.
- Senior Managers: The FCA has also emphasised the role that they expect individual Senior Managers to play in establishing and embedding the right culture and governance within their firms to continuously improve standards of conduct at all levels, including in relation to the proper and authorised use of electronic communications for business purposes.
While there are no set prescribed or prohibited technologies that firms are able to deploy for employees to work remotely, it is important that firms take steps to ensure that their regulatory obligations, including their recording obligations under SYSC 10A, are complied with through the use of effective control mechanisms to reflect the use of alternative working arrangements during the Covid-19 pandemic.
This article appeared on the Allen & Overy Investigations Insight Blog – sign up to the blog to receive updates on important developments and business crime and financial services investigations – email Investigations.Insight@allenovery.com.