FCA sets out expectations: Monitoring & Supervision of Voice and Electronic Communications in the Office and Home Working.
13th January 2021 by Brielle Hewitt
Market Watch 66 synopsis | 11 Jan 2021 | Market Watch 66 | FCA
This week the FCA has set out its expectations for Firms to maintain control of their entire operating environment since the COVID pandemic has forced large numbers of UK staff to work from home. Here is a quick synopsis setting out precisely what the FCA deems to be the greatest operating risks for the Firms it regulates, and the requirements that must be met to ensure your Firm’s compliance.
- USING UNMONITORED COMMUNICATIONS CHANNELS FOR BUSINESS DEALINGS: WhatsApp, Microsoft Teams, Slack or other messaging & collaboration tools
Use of such communication channels can present challenges and significant compliance risks, as your firm may be less able to effectively monitor communications through these channels.
- PRESENTING OPPORTUNITY FOR EMPLOYEE MISCONDUCT
Where communication channels are not monitored, or monitoring processes are ineffectual, risks from misconduct may be heightened or increased.
- INEFFECTIVE RECORDING & MONITORING CONTROLS
There is a real risk of losing monitoring and surveillance capability, and of losing the protection that recorded evidence provides when resolving disputes between your Firm and your Clients over transaction terms.
- HOME WORKING AND PRIVATELY OWNED DEVICES
Risks from misconduct may be heightened or increased by homeworking. Also, Firms need to be aware of Sensitive or Confidential information being resident on a Privately Owned device that is not under the Firm’s direct control.
FCA REQUIREMENTS AND EXPECTATIONS
- RECORDING OBLIGATIONS IN SYSC 10A MUST BE COMPLIED WITH
As set out in the “Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A)” – even when employees are working remotely.
- EFFECTIVE RECORDING & MONITORING OF ‘IN-SCOPE’ ACTIVITY
Recording Requirements include conversations and communications made with, sent from, or received on, equipment and channels or software provided or permitted to be used for business purposes.
‘In-Scope Activity’ covers a broad range of activities including, but not limited to:
- Arranging of deals and dealing (as principal or agent) in investments
- Managing investments
- Managing a UCITS
- Managing an AIF and/or
- Establishing, operating or winding up a collective investment scheme.
The recording and monitoring of this ‘in-scope’ activity applies to both external interaction (with your Firm’s clients and other third parties) as well as internal interaction with your Firm’s employees, relating to ‘in-scope’ activities.
- Recording telephone conversations
- Keeping a record of electronic communications, including, but not limited to:
  - Direct Message
  - Instant Message
  - Web Conferencing
  - Collaboration tools
  - Approved Communication Apps
- EFFECTIVE MONITORING OF APPS & NON-TRADITIONAL COMMUNICATION CHANNELS
If your Firm chooses to use communication apps like WhatsApp, MS Teams, Slack or Bloomberg MSG or IB to conduct ‘in-scope’ activity, you will need to ensure that these channels are recorded effectively and are auditable.
- AVOIDANCE OF APPS THAT CANNOT BE MONITORED
Firms should not be using Telegram, Signal or any other point-to-point encrypted App.
Importantly, if your Firm cannot record MS Teams Chats, Channels, Voice, Video & Screen Share (and similarly for Slack), then Users should be blocked from accessing that channel.
Web-based channels such as LinkedIn, Twitter, Facebook & Instagram should also be archived & monitored if used for an in-scope activity. Finally, CRM activities and Mass Mailings should also be archived and supervised.
- ROBUST RECORDING POLICIES
Your Firm must have effective and up-to-date recording policies and must be able to demonstrate to the FCA, on request, that your policies, procedures and management oversight meet the recording rules. This includes policies and procedures adopted for home working arrangements. Your Firm’s policies should identify which telephone conversations and electronic communications are subject to recording requirements.
- CLEAR PROCEDURES FOR BREACHES
Your Firm’s recording policies must also contain procedures to follow where breaches or gaps have been identified.
- REGULAR REVIEW OF RECORDING POLICIES, PARTICULARLY IF THERE IS AN OPERATIONAL CHANGE
It is important for your Firm to proactively review its recording policies and procedures every time the context and environment in which you operate changes. The FCA expects firms to have a rigorous monitoring regime, proportionate to increased risks, where in-scope activities may be conducted outside the controlled office environment.
- EMBEDDING A COMPLIANCE-LED CULTURE
Individual Senior Managers have an important part to play in establishing and embedding the right culture and governance within firms to continuously improve the standard of conduct at all levels.
- IF IT’S NOT PERMITTED, DON’T USE IT OR DO IT
The FCA has acted against individuals and firms for misconduct which involved the use of non-permitted communication channels, such as WhatsApp and other social media platforms to arrange deals and provide investment advice. This included transmitting lists of trades to copy (‘trading signals’) and making other investment recommendations to clients. Orders were sought preventing such individuals from carrying out these activities in the future.
How can Fingerprint help your firm meet its regulatory monitoring and supervision obligations?
Despite COVID Home Working guidance, the FCA regulations have not changed. If you are a regulated firm, you MUST record and monitor ALL ‘in scope’ activity.
Our Software automates this for you. All approved channels are captured, simplified and made searchable. Each item of communication is individually risk ranked against your criteria, so your compliance and risk teams can review only the exceptions across a much greater volume of communications. Risk ranking is systematic and repeatable, and our identification and investigation workflows are simple and easy to manage.
No more random sampling and archaic manual processes – it is not enough to sample 100 messages a quarter across the tsunami of data from multiple communication channels now being used by firms. (It is clear from the FCA that Random Sampling of a tiny set of your data will no longer meet your firm’s regulatory obligations!)
Speak with one of our supervision and monitoring experts today to find out how we can help your firm satisfy the FCA requirements by replacing your old random sampling approach with full data Risk Rank, Supervision and Investigation software capability, Fingerprint.
Until the next Market Watch!