The Covid-19 pandemic has paved the way for a new normal in everyone’s life. Employees were asked by their companies to work from their homes, within an overnight. This was the only way that the virus could be arrested from being spread over larger masses. But, re-planting the business from office to home was surely not a simpleton task. Especially in the finance and credit industries, where secure communication channels and strict cybersecurity policies were executed, the work from home practice posed serious security and compliance risks.
In view of the above-said confusions, regulatory notices were issued by agencies such as FINRA to explain the best practices that can be adopted while engaging in remote trading. Let us examine the key points explained in this notice.
FINRA Regulatory Notice 20-16
With this regulatory notice issued on May 28, 2020, FINRA shares the best practices that can be implemented by firms for a smoother transition to remote work, and also the methods to supervise this remote work culture. These are the common practices that FINRA has seen certain firms adopt for an easier transition to remote trading. Owing to the words by FINRA itself, “certain firms that relied on web-based tools, electronic document management systems and cloud-based services, and regularly tested their remote connectivity, capacity, work processes, and trading capabilities believed they faced fewer difficulties transitioning to a remote work and supervisory environment”. Certain other firms who were not prepared for such a shift in the work environment and supervisory measures had to put a furthermore effort into such a transition.
Measures Adopted to Ease Remote Trading Transition
- Customer assistance was provided by offering the customers back-up contact information about the firm, branches, and associated persons. Queries of any sort were addressed in this manner so that any confusion from the customer’s end could be avoided.
- Remote work protocols were executed where the employees were asked to report their location to their managers, and they were expected to get prior approval before their relocation. Employees were also provided with a list of updated contact information for all their communications with compliance, legal, operations, and other departments.
- Extended support and communication towards the staff were offered to maintain a good rapport between the firms and employees. Adequate guidance was provided to the employees and all employee grievances were addressed. Additional technology tools if required were also provided.
- Confidentiality and Cybersecurity were maintained throughout the process. Employees were given training and were reminded of the importance of maintaining client confidentiality and being responsible for the company network. On an additional effort, third-party oversight teams were deployed to assess cybersecurity issues, if any.
Supervisory Measures Adopted for Remote Trading
- Additional testing was conducted by the firms on their remote supervision capabilities to test their preparedness for the situation.
- Additional guidance and resources were offered to supervisors to remind them of the importance of remote supervision. Periodic meetings were set up for all senior leadership and supervisors to address the ongoing scenario and updates were sent to them for creating new modes of electronic supervisory checklists.
- Risk analysis was done to identify if new potential threats are being created.
- Feedbacks are an integral part of where the current practices are evaluated for their success and any lesson learned from previous experiences is also shared.
- Remote trading prescreen was adopted, that required traders to complete attestations agreeing that they will comply with the policies set forth by the firm. This also included testing the trader’s remote trading capability.
- Trade reports and alerts were requested more frequently for ensuring better trade surveillance.
- Communication compliance was given high priority where employees were required to use modes of communication that made it possible to record mobile messages and monitor phone calls, such that any malpractice could be avoided. Also, supervisory checks were done via e-mails and video conferences that allowed supervisors to constantly check the activities of the traders. Keyword surveillance was performed to ensure that business communication was not taken outside the approved medium of communication.
- Remote inspection procedures were adopted replacing the conventional method of branch inspections. Instead of physically visiting the location inspections were performed using video conferencing, electronic document review, and other technological tools.
Regulatory Notices Issued by Other Agencies
Certain other regulatory agencies have also issued regulatory notices, explaining the policies to the following while engaged in remote trading. Such policies make the workflow transparent, and foresee that the compliance requirements are met. Notices issued by all these regulatory agencies are similar, where they explain the best practices to be adopted while engaged in a remote trading scenario.
U.S. Securities and Exchange Commission (SEC)
The notice issued by SEC dated November 5, 2020, recommends the joint working of SEC and FINRA for modernizing the internal inspection requirements of FINRA Rule 3110(c) for providing firms the flexibility of conducting remote technology-assisted inspections. The same partnership is also entrusted with revising its office registration and inspection requirements. The SEC also recommends its partnership with North American Securities Administrators Association (NASAA) and FINRA for making permanent remote testing capabilities for Series 6, 7, 63, 65, 66 securities licenses, and also the expansion of online testing capabilities for covering all qualification exams. For making its existing relief from the in-person voting requirements for mutual fund boards permanent, the SEC recommends the issue of exemptive or interpretive relief.
National Futures Association (NFA)
The NFA in coordination with Commodity Futures Trading Commission (CFTC) issued three notices concerning remote trading. The first notice encouraged the member firms to review their business continuity plans to check if they suited the requirements for working amidst the Covid-19 situation. The second notice was issued to remind the swap dealers of their regulatory reporting obligations. The third one offered member firms (other than swap dealers) a temporary relaxation to work from home or a remote location not under the supervision of a branch manager, or any other location that has not been listed as a branch office under the member firms’ Form 7-R.
Financial Conduct Authority (FCA)
The FCA in its information for firms published on March 17, 2020, asks firms to consider a broader control environment because of the current work from home scenario. They also ask to continue to record phone calls, submit regulatory data, and initiate preventive steps to cease market abuse. This notice specifically asks the firms to monitor phone calls to prevent market abuse. Firms are expected to perform mobile recording, so that all communication, including voice calls, outside the office, can be monitored. In any case, where there is a hindrance to comply with the requirements mentioned above, the FCA asks the firms to report such instances immediately.
Also, the FCA has reiterated their expectation for firms to comply with the recording obligations in their Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A), through their recent newsletter. The FCA has found an increase in the usage of mobile messaging applications like WhatsApp for business communication. Sharing potentially sensitive information through such unmonitored and/or encrypted applications could pose serious compliance issues. Since the absence of an effective recording and monitoring control may lead to illegal trades and loss of transaction evidence between firms and clients, FCA requires firms to enable WhatsApp archiving solutions. Hence all electronic communications within the scope of the recording rules are expected to be monitored and recorded.
European Securities and Markets Authority (ESMA)
The ESMA in its public statement dated March 20, 2020, allows the firms to permit the use of mobile devices for business communication. But the firms must ensure that they can execute a communications policy for recording any business-related text or phone call. The firms must also make sure that the concerned people do not delete these records, and this data must be retained for at least five years. Even though these regulatory measures have been issued, ESMA understands the practical difficulty in its execution, owing to the pandemic. Hence, if it is not possible to record such communication, the ESMA expects the firms to consider temporary alternative measures that include written minutes or notes of telephonic conversation.
Australian Securities and Investments Commission (ASIC)
The ASIC through their newsletter had notified financial firms of the need for an effective business continuity plan to run the business amidst the Covid-19 crisis. The ASIC requires firms to identify critical staff and system, and ensure backup arrangements. The firms must periodically test their technical capability to ensure their proper operation. Potential disruption of services and functions must be expected beforehand and contingencies for the same must be planned. Services must be outsourced for increased operational efficiency. Such third-party service providers must also be tested for maintaining fair, honest, and efficient operation of the business.
Additionally, ASIC expects the firms to have written supervisory procedures where the management structure is clearly defined. The management structure is expected to have provisions for monitoring all employees while working from home. Supervisors are also expected to host regular meetings to ensure compliance with regulatory standards while working from home. Firms are required to use an archiving tool that will monitor phone calls and record mobile messages. Policies should be framed, and their execution must be ensured so that all employees communicate through channels that are monitored by such an archiving tool.
Securities and Exchange Board of India (SEBI)
SEBI considers any location used by a stockbroker for trade operation as the broker’s branch office and requires them to set up name boards and display stock broker’s certificate among other things. Such locations must be registered with SEBI before conducting any business. Hence, working from home was not an option until recently. With the outbreak of the Covid-19 pandemic, the regulatory agency started thinking about alternative measures to allow credit firms to continue their business. Out of the many mandates that SEBI put forth, communication compliance is by far the major one. Changes in modes of communication from emails to instant messaging tools were seen for a long time. But while employees started working from home, a surge in the use of IM applications like WhatsApp and WeChat were observed. Owing to this shift in communication tools that may lead to serious compliance issues SEBI has notified the firms to monitor and record all communication done by their employees for business purposes. This includes WhatsApp monitoring, WeChat monitoring, and recording of calls and messages.
This circular further says, “When a dispute arises, the burden of proof will be on the broker to produce the above records for the disputed trades”.
Hong Kong Monetary Authority (HKMA)
The HKMA has also issued a newsletter explaining the regulations to be followed while working from home. In this newsletter, the HKMA requires the digital transformation of firms to incorporate remote access solutions as well as collaboration platforms. This is required to host online meetings and provide data security while sending and receiving files through networks. Further inclusions in this notice are the automation of granting Covid-19 financial reliefs, and social distancing and contact tracing solutions. One another important inclusion will be the communication compliance required by credit firms to ensure proper communication between the brokers and customers. Since not all banks were able to provide their employees with remote access to certain internal systems like the company email, most employees have resorted to personal messaging applications like WhatsApp and WeChat for their business communication. But the HKMA also mandates that the employees of the firm must use a single, bank-approved platform to communicate with customers. The firms must ensure to use a tool that can monitor calls and messages that their employees make with the customers, relating to the business.
TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice archiving data storage vendor.
Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
TeleMessage offers cross-carrier and international mobile text & calls archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.