Transitioning from temporary to permanent remote/hybrid working arrangements: ASIC’s view

As a result, as part of its July 2022 Market Integrity Update, ASIC has encouraged market intermediaries to review their operational risk management framework under remote working arrangements. In conducting this review, ASIC expects all market intermediaries to ensure that “well-designed, ongoing systems and controls for managing operational risks are embedded and operating effectively.”

Further, ASIC has highlighted that in the year ahead, they will be reviewing market intermediaries’ supervisory arrangements and controls relating to remote working.

ASIC's focus areas

To supplement the new technology and operational resilience market integrity rules that will come into force on 10 March 2023, ASIC expects market intermediaries to consider the following:

• How do you maintain effective controls and supervision over staff / third-party service providers who are working remotely? What enhancements mitigate additional remote working risks?
• When implementing or changing remote working arrangements, did you follow robust change management and governance processes?
• How do you formalise, and regularly review, policies and procedures relating to remote working and expected staff behaviour?
• Do you, and how do you, regularly assess the effectiveness of existing controls and supervision under remote working arrangements within established risk frameworks and risk appetite?
• How do you train your employees to ensure they understand additional requirements and expectations when working remotely?
• Have you reviewed your BCP plans to ensure they remain effective, considering a transition from temporary to more permanent remote working and hybrid arrangements? Do these reviews incorporate extreme but plausible scenarios?

What we are seeing globally

The UK Financial Conduct Authority 

The UK FCA has set clear expectations for regulated firms so that they can continue to meet their regulatory responsibilities and demonstrate compliance. The FCA has been evaluating, and will continue to evaluate, remote and hybrid working arrangements, much like ASIC has indicated this will be their focus this year.

Interestingly, FCA-regulated firms must be able to evidence a plan in place before any temporary arrangements are made permanent. Evidence includes: 

• adequate governance and oversight by senior managers, committees and boards;
• well-established and appropriate policies and procedures; 
• processes to ensure that control functions can be carried out without impact; and
• rules, regulations, and obligations that can continue to be adhered to effectively (eg call recording, trade and comms surveillance, and record keeping).

WhatsApp communications 

Several banks are currently the subject of US SEC and CFTC investigations involving record-keeping of communications through private platforms, such as WhatsApp. JP Morgan has already been issued a US$200m fine for inadequate record-keeping of employee communications. These fines and ongoing investigations by federal regulators involve non-compliance with record-keeping obligations in connection with business-related communications sent over unapproved electronic messaging channels, or channels and devices that cannot easily be recorded and supervised (eg personal mobile phones). 

Key takeaways 

Remote working and hybrid arrangements exacerbate the challenges that firms face when supervising staff working remotely. This is an area that requires immediate attention by senior management, boards, and any employee acting in a supervisory role.

Financial services firms in Australia must ensure that any move to more permanent remote working and hybrid arrangements meets ASIC's expectations. Regulated market intermediaries must consider whether they can evidence appropriate planning for remote working arrangements, and can demonstrate to ASIC that these arrangements do not compromise market integrity, or cause detriment to customers.