In this second article on the FCA’s culture requirements, we look at the fall out from the pandemic, culture risk factors in light of the increase in hybrid working, and practical actions financial services firms can take to protect workplace culture.
The first article in the series here analysed recent developments in the FCA’s approach to culture within the financial services industry.
Have culture requirements changed during the pandemic?
In short, no. The FCA has been quick to point out the necessity of maintaining a healthy culture within firms, despite the practical issues posed by employees working from home. Firms are still expected to keep the aims and principles of the Senior Managers & Certification Regime (as referenced in article one) and the minimum behavioural standards in the Conduct Rules front of mind when devising and rolling out any new working arrangements.
In October 2020, the FCA’s Director of Market Oversight, Julia Hoggett, gave a speech where she identified potential risks and reiterated the clear message that has prevailed throughout the various UK lockdowns:
“Our expectation is that going forward, office and working from home arrangements should be equivalent.
“We expect firms to have updated their policies, refreshed their training and put in place rigorous oversight reflecting the new environment – particularly regarding the risk of use of privately-owned devices.”
Therefore, the fact that new hybrid working practices will involve senior managers and employees working from split office/home locations, does not change the underlying need to promote and develop the healthy culture that the FCA envisages and expects.
Personal responsibility remains a key factor in this regard, as the 2019/20 Report has flagged. Senior managers working from home are still expected to take personal responsibility for identifying where any harm may arise within the business.
Similarly, all necessary preventative action will also still need to be taken. Practically, this might include liaising closely with HR and compliance teams to improve reporting lines and conduct remote performance management, particularly if recurring performance errors are identified for example.
The risk factors from hybrid working
The risks that may arise from hybrid working clearly have the potential to derail a positive culture and must be seriously considered. The FCA is alert to this and has expressed concern about how well the Conduct rules will continue to influence positive behaviours where the close supervision that an office environment facilitates is missing. We highlight several potential issues:
A lack of direct face-to-face supervision can easily give rise to feelings of reduced accountability in some employees and may over time result in increased risk-taking. This can occur where employees feel insecure about their job and/or believe that they can achieve the same results by cutting some corners along the way.
Employees who are well aware of their regulatory obligations and attuned to conduct requirements may simply feel disconnected from colleagues if the usual office communication channels are no longer available.
Sticking their head round the office door has been replaced with the need to schedule a virtual call/meeting just to run something quickly past a colleague. Unfortunately, this means that the usual informal checks and balances can fall by the wayside and lead to increased conduct risk. Similarly, relaxed conversations with family and friends in the home environment may stray into dangerous insider information territory if an employee feels less alert to the regulatory risks.
Alongside the HR minefield that changing working patterns can create, the necessity of avoiding a two-tier workforce is an important consideration. Any sign of an “out of sight, out of mind” approach from managers should be nipped in the bud at the earliest opportunity. Pro-active and regular engagement with their entire team should be actively encouraged, no matter where their workplace is located.
It remains important to treat the workforce holistically when it comes to firm-wide policies, rather than allow a “them and us” culture to perpetuate when it comes to homeworking. Aside from the conduct risk associated with employees who fall through the net when it comes to appropriate supervision, any perceived disadvantage associated with homeworkers (such as work allocation, decision-making ability, or reduced remuneration) can give rise to the risk of employment claims.
Homeworking may often be favoured by employees with protected characteristics under the Equality Act 2010 (such as women, disabled or older employees), therefore discrimination risk is also a relevant business factor to be aware of.
It goes without saying that a two-tier workforce could quickly lead to cultural fragmentation. While some fragmentation may not always be a bad thing (for example, if it successfully eliminates negative employee behaviour), it remains important to bolster positive behaviour, such as a “speak-up” culture and collegiate approach to compliance awareness.
The risk of employees using personal phones and laptops to conduct regulated activities at home will remain high as hybrid working continues. It is impossible to understand the extent of collusion between homeworking colleagues over Whatsapp, or whether screenshots are being taken of confidential business information.
Any breach of confidentiality and non-financial misconduct leading to a breach of the Conduct Rules could also be inadvertent, or clumsy. An example might be where an employee forwards internal confidential paperwork to a personal email address to allow them to work on it at home.
Monitoring employee behaviour and performance at home is a big challenge for regulated employers and it can be a legally complex issue, given the UK’s data protection regime and employee expectations of privacy at home and to some extent, also in the office.
PwC introduced facial recognition software to employee laptops in 2020 to address its perceived FCA supervisory obligations in this regard but faced public criticism as a result. The myriad of sophisticated monitoring options available to FCA regulated firms can certainly assist with minimising conduct risk, but we would recommend bespoke advice before rolling-out more intrusive technology.
Practical action points to protect culture
As new hybrid working policies bed down for the long-term, HR and senior management teams should keep FCA cultural requirements front of mind. Practical employee relations action points to bolster existing cultural progress might include the following:
Making sure new operating policies contain clear supervisory requirements, controls and risk management which are followed in day-to-day practice. Any ongoing employee absence from the office under long-term hybrid working policies should then have a minimal impact.
Any new communication methods should be approved by a firm’s management team, ensuring appropriate controls are in place. For example, the inappropriate use of privately-owned devices for internal regulated activities should be prohibited under IT and data security policies. This is a significant conduct risk exposure and in the absence of clear employer guidance, employees may become much more relaxed about information management in a casual environment.
Reporting structures and performance review systems should be strengthened to reflect long-term hybrid working arrangements. Meetings should be conducted virtually, rather than delayed to a future date when both parties plan to be in the office. Employee feedback on any homeworking difficulties should be obtained and addressed early. Performance issues can also be dealt with at the earliest opportunity using internal capability and disciplinary processes in the usual way.
Senior managers should be fully aware of their personal responsibilities and the potential challenges posed where their team operates on a hybrid basis. Renewed risk and compliance training will be crucial, so that there is an effective top-down roll out of cultural expectations around new working policies.
Efforts to facilitate a “speak up” culture should be reinforced. Physical distance from colleagues may lead to a reluctance to come forward with regulatory or conduct concerns for fear of retaliation. The FCA has put whistleblower protection firmly on its own agenda with its “in confidence, with confidence” campaign earlier this year (see our earlier HRLaw article here). Aside from formal whistleblowing policies, the 2019/20 Conduct Questions report also identified a persistent and significant lack of psychological safety for regulated employees when it comes to speaking up and challenging business decision-makers.
Finally, it remains essential to deal effectively with any misconduct (whether financial or non-financial) that arises due to hybrid working policies. Since 2018, the FCA has been increasingly interested in non-financial misconduct within firms, identifying behaviour such as bullying and sexual harassment as a significant regulatory concern which the FCA has been clear may amount to a Conduct Rule breach, including Conduct Rule 1, the requirement to act with integrity.
While FCA enforcement action against individual employees is not necessarily a given (to date, this has only occurred in a handful of cases), there is a clear expectation that firms will use internal processes to call-out offending employees and given that Conduct Rule breaches must be recorded on a Regulatory reference, the industry is essentially policing itself.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.
Need more information about the above people and legal expertise? Talk to one of our lawyers: +44 (0)20 7628 2000
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
1 year 1 month 4 days
Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
1 year 1 month 4 days
Google Analytics sets this cookie to store and count page views.
YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.