Recording obligations in the pandemic – the FCA’s view

The most recent edition of the FCA's Market Watch newsletter (MW 66) contains comments from the FCA on the need to record telephone calls and electronic communications at a time when many are having to work remotely because of the COVID-19 pandemic.  The publication signals the end of the forbearance that the FCA was willing to countenance when the pandemic first started.

Quick bit of background - the recording obligations are set out in Article 16 of MiFID2 and were transposed into the FCA rules as SYSC 10A. These include the obligation to record certain communications that are made with, sent from, or received on, equipment

• which the firm has provided to an employee or contractor; or

• the use of which by an employee or contractor has been accepted or permitted by the firm.

What does MW 66 say?

MW 66 highlights that there may be an increased risk of misconduct with so many people currently working from home. Unmonitored and/or encrypted apps are increasingly being used to share potentially sensitive information connected with work and firms are less able to effectively monitor communications using these channels.

Where such apps are used for in-scope activities on business devices, firms will need to ensure that they are recorded and auditable.

This includes activities such as arranging of deals and dealing (as principal or agent) in investments, managing investments, as well as managing a UCITS, an AIF and/or establishing, operating or winding up a collective investment scheme.

What should firms take away from MW 66?

MW 66 contains a number of recommendations for firms to which the recording obligations in SYSC 10A apply. These include in the following areas:

General

• Firms should proactively review their recording policies and procedures every time the context and environment they operate in changes.  In particular, firms need to factor the use of communication platforms that have become more widely used as a result of the pandemic (such as Zoom, Teams, Skype, WhatsApp and Signal) into their internal policies (see below).
• They should also have a rigorous monitoring regime, commensurate to the increased risks, where in-scope activities may be conducted outside the controlled office environment.
• Senior Managers, individually, have an important part to play in embedding the right culture and governance within a firm so its standard of conduct at all levels is continuously improving.

Robust policies

Firms must have effective, up to date recording policies and must be able to demonstrate to the FCA, if required, that these (including those adopted for home working arrangements) meet the recording rules

These policies should identify which phone conversations and electronic communications are subject to recording requirements and should contain procedures to follow where there have been breaches or where gaps have been identified

Any new or amended policies should be clearly set out in writing, documented and signed off as appropriate.

New mediums of communication

MW 66 also states that any necessary additional measures should be implemented before the firm accepts or permits a new medium of communication.

There is no specific restriction on the technologies or apps that firms can use for communications. They must, though, have effective policies, controls and oversight to ensure that these meet the recording obligations.

Bearing in mind the increased use of Zoom, Skype or Teams during the COVID-19 pandemic, firms may need to update their policies to accommodate this change - and would have to choose either to

• record communications made through these channels by certain categories of staff; or
• ban these facilities from being used for order execution or transmission.

Use of privately-owned devices

Firms will also need to look at their policies and controls when it comes to privately-owned devices being used to connect to their systems and accessing potentially sensitive or confidential data.

This will, again, mean considering a policy to ban the use of such devices for in-scope activities where the firm can't record them.

In any case, it should be made clear that employees cannot use new communication mediums to conduct business activities without the firm having first approved this. 

Training

Where a firm introduces new or amended policies, or new technologies are used, they will be expected to make sure staff are adequately trained in their use and in the conduct risks that arise.