Remote trading presents many challenges for firms, not least remaining compliant with laws and regulations while balancing the need for employees’ privacy. In this article, we look at the FCA’s stated expectations of firms, some of the solutions firms are using and how to ensure a correct balance is struck.
What have the regulators said in respect of remote trading?
In its information for firms relating to coronavirus (available here), the FCA noted that firms should:
- consider the broader control environment in relation to new working from home arrangements;
- continue to record calls (noting that there may be some scenarios where this is not possible, and firms should notify the FCA where they are unable to record calls);
- take steps to mitigate outstanding risks if unable to comply with obligations to record voice communications (including enhanced monitoring, or retrospective review when the situation is resolved);
- submit regulatory data (noting that where a firm has difficulties, the firm should maintain appropriate records for that period, submit data as soon as possible and notify the FCA of any concerns); and
- take steps to prevent market abuse risks (including enhanced monitoring, or retrospective reviews).
In a public statement relating to coronavirus (available here), ESMA restated its Q&As noting that:
- firms may permit the use of mobile devices (including devices which are personally owned and used to make relevant conversations) to undertake activities relating to transactions concluded when dealing on their own account, and should take reasonable steps to prevent a relevant person from making, sending or receiving relevant telephone conversations and electronic communications on devices which the firm is unable to record or copy; and
- firms must establish, implement and maintain an effective recording telephone conversation and electronic communications policy covering, amongst other things, the fact that data must be retained for at least five years, and relevant persons must not delete records.
ESMA confirmed that if such arrangements cannot be put in place, firms are required to adopt alternative arrangements to ensure full compliance with existing regulatory requirements such as the use of recordable electronic communications as an alternative to telephone conversations.
However, ESMA recognised that considering the exceptional circumstances created by the pandemic, some scenarios may emerge where the recording of relevant conversations may not be practicable citing sudden remote working by a significant part of staff or lack of access by clients to electronic communication tools as examples. In such scenarios, ESMA expects firms to consider temporary alternative steps including the use of written minutes or notes of telephone conversations.
What challenges are firms facing in relation to remote trading?
The challenges have been numerous. Not only are firms dealing with the practical implications of remote working – slow trading speeds, which can be strained in a home working environment, but also how to remain compliant in a very new environment.
During the first phase of the pandemic, firms focused on setting up remote working capabilities. With this first hurdle now overcome, there remains the challenge of balancing firms’ regulatory obligations with their traders’ right to privacy as they explore various new technologies that can help their compliance teams effectively monitor employees.
Taking steps to monitor market abuse has been particularly challenging. It is clearly much easier for traders to engage in abusive market practices when working at home, free from the physical supervision and monitoring that goes with being on a trading floor. In a remote trading environment, traders’ family members or other cohabitees may be nearby, able to hear calls or see screens with market sensitive information; this is particularly challenging where those third parties may hold professional positions or have interests that clearly conflict with the trader’s work – although confidentiality is key in every remote situation. Traders may also have their personal electronic devices to hand, unlike on a trading floor where such devices may be banned.
The security of new technologies has also been problematic, in particular, for some video conferencing applications. In its Q&As on MiFID II and MiFIR investor protection and intermediaries topics, ESMA confirmed that the term “electronic communication” covers video conferencing and so the recording obligation under MiFID II would apply to video calls. Firms are therefore grappling with how to record relevant video conferences and how to ensure such calls are kept private.
The challenges are not just at a firm level but also apply to Senior Managers who need to take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively and complies with the relevant regulatory requirements and standards. In addition, under the Senior Manager Conduct Rules, not only must delegation be to an appropriate person, but Senior Managers must take reasonable steps to oversee the responsibilities which have been delegated, which is more challenging in a remote working environment.
What can firms do to monitor compliance in a remote trading environment?
As noted above, the FCA expects firms to consider the broader control environment in relation to new working from home arrangements.
In the first instance, this might include a work station assessment – understanding where a trader is located, whether they are working privately in a room away from other members of their household, and it may include asking for information on their cohabitees (for example, their names, professions and firms they work for).
As remote trading becomes an embedded practice, firms are considering various forms of monitoring technology to detect and evidence unusual or potentially abusive behaviour. For example, technology may be deployed to monitor absences during active trading sessions, such as audio or video monitoring to ensure a trader is at their desk for the full trading session. Video recording may detect when another person is in the room during an active trading session. “Always-on” audio monitoring technology is another tool that firms may deploy, if they can navigate the privacy risks (see below). Amongst other things, always-on audio monitoring could pick-up side conversations that may happen on traders’ personal devices and could transcribe that recording into text for compliance monitoring purposes.
However, the increase in data captured through mobile recording, video recording and always-on audio recording can itself be problematic for firms who rely on individuals (rather than an automated process) to sample those recordings. As more data is captured, firms may want to consider the use of more automated tools for compliance monitoring and increase emphasis on outcomes-based analysis and trade reconstruction.
How can firms protect their employees’ privacy?
From a data protection/privacy perspective, the law allows firms to monitor their traders’ work and behaviours – including in the enhanced ways described above – provided that those potential privacy intrusions are carefully planned and managed and carried out in a proportionate manner. This starts with a “privacy impact assessment” for any new monitoring policies and technologies the firm is proposing to use, which should document clearly the firm’s interests in using those monitoring measures (for example, compliance with particular regulatory rules) and the individuals’ interests in having their homes and working environments protected from unnecessary intrusions (for example, would the firm do more of a “background check” on a cohabitee whose professional interests impact on the trader’s work than for a cohabitee with a clearly unrelated job?)
Once a privacy impact assessment has been documented and approved by an appropriately senior level of management, the firm must implement any authorised controls in a way that minimises the privacy impact for individuals, especially since the solutions would be used in a home environment and potentially affect not only the trader but also other members of their household. This should be guided by data protection principles including that: the collection and monitoring of personal data is lawful, fair and transparent (meaning the firm will have to provide clear notices to all affected individuals); there are access controls in place to limit who at the firm can view any such personal data; and the firm only implements such monitoring to the minimum extent required for its documented, legitimate purposes.
What steps should firms take?
In addition to privacy impact assessments and careful implementation of new controls, firms should update privacy policies and compliance policies to reflect new working practices, give staff training on new policies, and ensure that staff understand and have read these policies. Firms may also want to embed remote trading compliance into their performance management policy.
For Senior Managers, steps to consider include:
- holding minuted virtual meetings/calls (with a pre-set agenda which records the topics to be discussed) to discuss the challenges faced in relation to remote trading and the steps that the firm and the senior manager is taking to overcome those challenges;
- formally reviewing and approving updates to policies and control frameworks in relation to remote trading; and
- ensuring that management information is updated to reflect information about enhanced monitoring and challenging management information received where that is not sufficient and where further information may be needed.
This will be particularly important for individuals with the SMF16 (compliance and oversight function), SMF6 (for those heads of trading where this is a key business area), and SMF4 (chief risk function).
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2020