Increased risks from homeworking: FCA updates firms on recording telephone conversations and using apps

Homeworking: risks from reduced monitoring

The FCA has recently highlighted how risks from misconduct may be heightened or increased by homeworking. This includes increased use of unmonitored and/or encrypted communication apps such as WhatsApp for sharing potentially sensitive information connected with work. The FCA considers that use of these apps can present challenges and significant compliance risks, since firms are less able to monitor communications using these channels effectively.

The FCA expects firms to continue to comply with the recording obligations in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A). Firms need to ensure that if apps are used for in-scope activities on business devices, they are recorded and auditable. A broad range of activities are covered by the recording obligations, such as arranging deals and dealing (as principal or agent) in investments, managing investments, as well as managing a UCITS, an alternative investment fund and/or establishing, operating or winding up a collective investment scheme.

Why is this important?

The FCA considers that without effective recording and monitoring controls, there is a real risk of losing monitoring and surveillance capability. The loss of evidence would make it more difficult to resolve disputes between a firm and its clients over transaction terms. Monitoring is also important to help with the FCA’s supervisory work, specifically in detecting market abuse, and any subsequent enforcement that the FCA deems necessary.

In enforcement terms, the FCA has acted against individuals and firms for misconduct involving use of WhatsApp and other social media platforms to arrange deals and provide investment advice. This included transmitting lists of trades to copy and making other investment recommendations to clients. The FCA expects this to remain an area of focus.

Which communications must be recorded?

The recording obligations apply to conversations and communications made with, sent from, or received on, equipment provided or permitted to be used for business purposes.

A firm subject to the recording regime must take reasonable steps to record telephone conversations and keep a copy of electronic communications of activities falling within scope of the recording rules. Firms must ensure that their recording policies can identify calls and communications that directly relate to the performance of in-scope activities.

Firms will also need to identify communications intended to lead up to these activities being performed or where there is a reasonable prospect of such activities being performed. Depending on the circumstances, this may also include internal conversations concerning in-scope activities.

What does this mean for FCA regulated firms?

• Robust Policies - Firms must have effective, up to date recording policies and they must be able to demonstrate to the FCA, on request, that their policies, procedures and management oversight meet the recording rules. This includes policies and procedures adopted for home working arrangements.
• Identification of relevant communications - Policies should identify which telephone conversations and electronic communications are subject to recording requirements. They must also contain procedures to follow where breaches or gaps have been identified.
• Governance - Where new or amended recording policies are needed, these should be clearly set out in writing, documented and signed off under appropriate governance arrangements. Any necessary additional measures should be implemented before the firm accepts or permits a new medium of communication.
• Privately owned devices - Firms should assess policies and controls on using privately owned devices to connect to their organisational networks and to access work-related systems and potentially sensitive or confidential data. They need to ensure that these provide sufficient scope for effective recording. In all cases, it should be clear that new communication mediums must be approved by the firms before employees use them to conduct business activities. 
• Review - Firms should review their recording policies and procedures every time the context and environment they operate in changes. Individual Senior Managers are specifically identified as having an important part to play in establishing and embedding the right culture and governance within firms to continuously improve the standard of conduct at all levels.
• Training - If new or amended policies are introduced, or new technologies used, firms should provide enhanced or refreshed training to staff covering the use of new technologies and conduct risks arising.

Summary

There is no specific restriction on the technologies or apps firms can use for communications. However, in all cases firms must understand the recording obligations and have effective policies, controls and oversight to ensure that these obligations are met.

Doyle Clayton’s combination of leading employment lawyers and regulatory expertise means we are well placed to support our clients. Please contact Charlie Herbert or your usual Doyle Clayton contact if you have any questions on this issue.