Robert Houghton, founder and CTO at Insightful Technology, explores how financial institutions can remain compliant across a hybrid work environment.
The battle about operating at home, in the office or other locations continues to rage in financial services. Yet in many ways, the debate is irrelevant. The genie is out of the bottle. Ignoring it – even if very few people work from home in an organisation – simply increases risk.
This stems from regulators’ calls for a level playing field across home and office when it comes to compliance. In the UK, the Financial Conduct Authority (FCA) says remote workers must not affect a firm’s ability to continually meet regulations.[i]
With this in mind, leaders must ensure compliance in any work setting. However, this is easier said than done.
A unique problem for financial institutions
Regulated employees often use specialist software that is hosted on-premises rather than in the cloud, owing to cost constraints or legacy systems. Outside the office, simple and secure access to it becomes a hurdle, which prompts workarounds.
Suddenly, there’s the chance of regulated activity taking place on unregulated channels such as WhatsApp, Signal and Telegram. This is in breach of the FCA rules about preserving communications related to financial activities[ii], risking fines and reputational damage.
Besides availability and access, the proliferation of locations has thrown a spanner in the compliance works. Remote work scatters the typical working patterns and communication flows. This might create many false alerts simply because of the varying patterns and less contextual insight. If an entire workforce is working remotely, the contextual challenge is multiplied.
Step-by-step: solving the compliance challenge across locations
Solving these challenges isn’t simple, yet financial institutions must act. To achieve this, there are six steps to ensure compliance:
- Provide remote access
To avoid the risk of employees using unregulated tools, there must be remote access to approved systems for all. Everything from IP telephones and Microsoft Teams to mobile phones and email must be available in the cloud (preferably private) so workers can log in directly and securely.
Alternatively, more traditional solutions could help, such as a Virtual Private Network (VPN) and tunnelling that will allow secure access from a remote location. Multi-factor authentication (MFA) should also be considered for remote workers accessing systems.
- Assure quality of service
Once the tools are available, daily testing is essential to prove the tool not only works, but is transmitting data correctly. If not, calls and messages could go unrecorded, creating a risk.
In doing so, it’s important to ensure compliance teams can record metadata about a communication. This includes information such as author, date created, date modified and file size. Without this, monitoring will be impaired.
- Capture communications
Once tools are securely available, working properly and providing the right data, surveillance technology is needed to monitor every single communication in the same way it would be monitored in the office. This needs to capture every call and message, wherever it originated and wherever it was received. Everything must be recorded.
In today’s regulatory landscape, there’s a burden on institutions to always illustrate compliance. In other words, unless a business can confirm the non-existence of misconduct across its entire workforce, it’s potentially guilty until it can show innocence. Regulators might consider a single missing piece of data as non-compliance.
- Monitor communications
Intelligence must be added to the calls and messages to stop any potential issues in their tracks. Systems must use analytics to understand anything out of the ordinary, such as a quiet period in an employee’s routine that could signify a conversation taking place on unregulated channels. In the hybrid world, this needs to be calibrated to suit the individual working patterns of a distributed workforce.
- Train users
Training for the team is vital, not only to ensure they know how to access and use tools remotely, but to ensure they understand the regulations. In fact, 44 per cent of financial services employees don’t feel very well equipped to protect themselves or their company following mandatory compliance training.[iii]
No system will ever be watertight, and bad actors will persist, but it’s vital staff have been equipped with the knowledge they need.
- Offer remote support
Whether there are hundreds, thousands or just a few remote workers, they will need suitable IT support. The same level of service and support needs to be in place, regardless of location.
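The per-employee calibration described under "Monitor communications" can be illustrated with a small baseline check. This is an added example written for this article, not code from Insightful Technology or any product; the capture log, employees and working hours are all constructed, and the thresholds are assumptions. It builds each employee's normal hourly volume of captured calls and messages from a few baseline days, then flags hours on a later day where a normally active employee went quiet on monitored channels, while leaving that employee's usual breaks unflagged.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed sample capture log (not real data): one entry per captured call
# or message, as (employee, ISO-8601 timestamp). Built programmatically so the
# baseline is easy to read: trader_a works 08:00-17:00 with a break at 12:00;
# analyst_b works 10:00-19:00 with a break at 13:00.
def _make_day(employee, day, hours, per_hour=2):
    return [(employee, f"{day}T{h:02d}:{15 * i:02d}:00") for h in hours for i in range(per_hour)]

BASELINE_DAYS = [date(2024, 3, 4), date(2024, 3, 5), date(2024, 3, 6)]
TARGET_DAY = date(2024, 3, 7)
SAMPLE_LOG = []
for _d in BASELINE_DAYS:
    SAMPLE_LOG += _make_day("trader_a", _d, [8, 9, 10, 11, 13, 14, 15, 16])
    SAMPLE_LOG += _make_day("analyst_b", _d, [10, 11, 12, 14, 15, 16, 17, 18])
# On the target day trader_a goes silent on captured channels from 13:00 to 15:00;
# analyst_b keeps a normal pattern (the 13:00 gap is their usual break).
SAMPLE_LOG += _make_day("trader_a", TARGET_DAY, [8, 9, 10, 11, 15, 16])
SAMPLE_LOG += _make_day("analyst_b", TARGET_DAY, [10, 11, 12, 14, 15, 16, 17, 18])

def hourly_counts(log):
    """Return {(employee, date): Counter(hour -> captured items)}."""
    counts = defaultdict(Counter)
    for employee, stamp in log:
        ts = datetime.fromisoformat(stamp)
        counts[(employee, ts.date())][ts.hour] += 1
    return counts

def build_baseline(log, baseline_days):
    """Per employee, mean captured items per hour-of-day over the baseline days."""
    counts = hourly_counts(log)
    baseline = defaultdict(lambda: defaultdict(float))
    for employee in {e for e, _ in counts}:
        for day in baseline_days:
            for hour, n in counts.get((employee, day), {}).items():
                baseline[employee][hour] += n / len(baseline_days)
    return baseline

def quiet_hours(log, employee, day, baseline, min_expected=1.0, ratio=0.25):
    """Hours on `day` where the employee is normally active (baseline >= min_expected)
    but captured traffic fell to <= ratio * baseline (thresholds are assumptions).
    Hours that are quiet in the baseline too (breaks, start/end of day) are never flagged."""
    observed = hourly_counts(log).get((employee, day), Counter())
    return sorted(h for h, expected in baseline[employee].items()
                  if expected >= min_expected and observed[h] <= ratio * expected)

if __name__ == "__main__":
    base = build_baseline(SAMPLE_LOG, BASELINE_DAYS)
    for emp in ("trader_a", "analyst_b"):
        print(emp, "quiet hours on", TARGET_DAY, "->", quiet_hours(SAMPLE_LOG, emp, TARGET_DAY, base))
```

A flagged hour is a prompt for a compliance analyst to check whether the conversation moved to an unrecorded channel, not a finding in itself; the baseline must be rebuilt as an individual's hybrid schedule changes.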
Creating a truly compliant work-anywhere environment
These six steps are the cornerstones of compliance in a work-anywhere world. They ensure any financial institution can collect data, monitor it and act on it in any given context.
This is what regulators will be demanding, because remote working is now a reality regardless of return-to-work mandates. So, whatever a bank decides, it needs to get the processes in place to convince regulators of its innocence.