Regulatory and Compliance Considerations of Remote Working

Remote working has changed our working model and while most people will welcome it, firms must ensure they have identified all regulatory risks.

Lockdown has changed the world of work as we know it. Almost overnight firms were forced to shift to a remote working pattern. Although it has generally gone ahead smoothly, research suggests many firms are looking to make the move permanent. This will have significant implications for their regulatory compliance.   

According to PWC, COVID-19 has been game changer for remote work. Before the pandemic, 29% of respondents had 60% of their workforce working-from-home at least once a week. That figure has now grown to 69%. The pandemic proved that it could be successful. The survey also found that 95% of employees switched to remote working and either maintained or improved productivity. Employers said they had found work-from-home measures to be successful and that they supported the idea of working from home at least one day a week going forward. Moreover, 35% of companies said they were happy to go with a full-time work-from-home option.

Compliance implications

At the very least, as companies set their back to work plans after March, they can expect to combine working from home and office for the foreseeable future. This has a number of regulatory and compliance implications. The biggest of these is the question of data and privacy. Having employees working in their home offices multiplies the endpoints coming into the system. This in turn multiplies the risk. 

As the FCA noted in its recent newsletter, home working has companies using unmonitored programs such as WhatsApp to handle sensitive information. It also raised the issue of monitoring employees. Last summer they warned supervisors about the risks of staff colluding inappropriately over chat software or taking pictures of “privilege data on a screen when there’s nobody sitting next to you to ask what you’re doing”. Supervision, compliance, and security become much more complicated in the age of remote working, and the FCA is keen to stress that firms should take measures to continue compliance and understand the risks implied by going remote. One of these risks during the first lockdown was the problem of staff either being stranded overseas or taking the opportunity to temporarily base themselves abroad. This has enormous implications for key members of staff such as anti-money laundering officers who had been working on the assumption that they would be UK-based. 

With the UK having exited from the EU, the transfer of data between countries becomes a more difficult issue as the UK is now considered a third country for GDPR. This means firms must ensure they comply with data protection regulations both here and in the EU. The FCA has shown itself to be understanding of the difficulties firms are facing during this time, however, they still expect firms to comply with regulations. They said, “Remote working is not an excuse for non-compliance.” 

As remote employees become a more permanent fixture in workforces, the potential places for cyber and phishing attacks soar. Inadvertent disclosure of information in public spaces, such as a benign coffee shop, can also have implications and make firms vulnerable. Cross-border transfers of data are yet another issue. Firms are liable to educate themselves on the legalities of sharing data with employees situated around the world, as well as global clients. 

The regulatory concerns are many and considering the number of fines being issued for non-compliance in recent years, RegTech solutions can offer much-needed assistance. A solution can provide firms with up-to-date information to enable them to stay on top of regulatory change and maintain compliance. The ICO says that companies need to have clear policies, procedures and guidance in place for staff who are working remotely. They should cover topics such as accessing, handling and deleting personalised data. 

Firms will be expected to take a full risk assessment of how their proposed changes will impact their standing on compliance. They should ensure data is protected, systems are secure and adequate monitoring systems are in place. So, while going remote is likely to be the norm to a greater or lesser extent, firms must make sure they have considered and addressed all the possible regulatory risks.