As regulated businesses grapple with the challenge of new ways of working during the COVID-19 crisis, it is important that regulatory compliance remains a top priority along with protecting the safety of the workforce and maintaining client service. So what are some of the key regulatory risks faced by regulated businesses in respect of COVID-19 and how can these be approached?
Businesses should review existing risk management systems and identify whether these are adequately recorded, whether any new or increased risks have been identified, and whether appropriate risk mitigation strategies are in place. This would include, for example, increased awareness of cyber-hygiene.
If any critical activities have been outsourced, businesses should seek assurances that the service provider is able to continue to meet the agreed service levels. If this is not the case, businesses should consider what action can be taken to protect the interests of their clients and their ability to continue to meet their ongoing legal and regulatory obligations.
Hard copy documents
Remote working potentially increases the risk of data breaches and the inadvertent disclosure of confidential information, such as when hard copy documents are kept at home or scanned on home scanners, rather than in the office with the necessary systems and controls in place. Employees should be encouraged to work digitally as far as possible, minimising the creation of handwritten notes of calls or virtual meetings they attend; typed notes should instead be encouraged.
Regulated businesses should also remind employees about keeping their working environment as secure as possible.
Colleagues should be reminded to work in a private environment where conversations of a confidential nature cannot be easily overheard and computer screens cannot be easily seen by third parties. The importance of ensuring that computer screens are locked when unattended (even within one’s own home) should be reinforced.
It is likely that regulated businesses have seen a significant uptake in the use of virtual meetings. Most virtual meeting platforms offer the ability to ‘share your screen’. This function should be used with extreme caution, especially if external parties are involved.
Policies and Procedures
Consideration should be given as to whether any policies and procedures need to be updated to facilitate personnel working from home. It is also important to identify whether any existing policies and procedures may be vulnerable to employees finding work-arounds that are not wholly in compliance with those policies and procedures. A failure to comply with existing policies and procedures, even to accommodate difficult circumstances, could have serious regulatory ramifications. It is therefore essential that those risks are identified and any changes required are implemented as soon as possible. One policy and procedure that is likely to require immediate attention is a regulated business’s anti-money laundering procedure.
Supervision and Monitoring
Most regulators require regulated businesses to have adequate procedures for the supervision of employees. This is particularly important when the workforce is working remotely. Regulated businesses should ensure that regular supervision meetings continue to take place so that work and workloads are monitored and the quality of output is maintained. Visibility of senior staff is important so that juniors feel able to raise questions and concerns, and to encourage open and frequent communication.
During this time, it is very important to be open and co-operative with regulators. Regulators should be notified of any issues or circumstances which may concern them. We would encourage regulated businesses to consider whether or not the following notifications ought to be made:
- Any matter that might reasonably be expected to affect your registration/licence, or that it would be in the interests of your clients or investors to disclose;
- Any decision relating to business activities that is likely to have a material effect on your business or its profitability;
- If your compliance officer, money laundering reporting officer or money laundering compliance officer will be temporarily unavailable to fulfil their responsibilities or if the business will be unable to meet its ‘four eyes’ or ‘six eyes’ requirements, as appropriate, as a result of substantial absence amongst senior personnel.