Opinion  

How to handle the FCA’s crackdown on home working

Steven Poulton

Barely a week has gone by in the past 18 months where one of our advisers has not asked me about the dos and don’ts of working remotely. 

Since the UK was first plunged into lockdown, the Financial Conduct Authority has made numerous allowances for IFAs having to overhaul their way of operating, but in October it announced moves to monitor businesses looking to make these arrangements more permanent, with more guidance expected by the end of the year.

Quite rightly, the regulator put the onus on business owners to ensure every one of their advisers is compliant and able to deliver high-quality outcomes. However, the news left many across the industry suddenly realising quite how many new liabilities remote working had created for them.

Clearly there is more than one way to be compliant with the rules, and what may work for one firm might not work for another. To help anyone struggling to make sense of where their responsibilities start and end, however, we explore some of the key conversations we have had with our own advisers since the start of the pandemic.

Are there any restrictions around post and advisers conducting meetings at their home address?

IFAs are well within their rights to have a different correspondence address depending on where they are actually working, but any email footers, business cards and the like must still feature the company’s registered address.

Meetings at home are also perfectly acceptable, but bring a number of security considerations into play. If others are likely to be in earshot, then steps should be taken to ensure the home meeting space is appropriately soundproofed and that confidential documents do not fall into the wrong hands.

Regardless of how much you trust the people you are living with, a high-quality combination safe would also be a worthy investment to protect any sensitive paperwork. 

What changes do I need to make with regards to data protection? 

The Information Commissioner expects each business to make their own assessments with regards to the level of security needed, so the extent to which each business implements measures is up to them. 

For starters, though, every business should have a strict password policy in place that requires all staff to change their password at least once per quarter. All personal and shared devices should be segregated too – no member of staff should have client information on their personal phone, for example.

Implementing a clear desk policy is also a very good idea. At the end of each working day or when leaving the home workspace for a few hours, all staff should be required to clear their desks of papers and any files containing personal or business-sensitive materials. 

Aside from this, every company should have their business continuity plan reviewed to ensure it is equipped to withstand the host of new risks that come with staff working remotely. Key to this should be having an action plan in place in case a member of staff is burgled or loses a work device containing sensitive files.