FINRA Shares Practices Implemented by Firms to Transition to, and Supervise in, a Remote Work Environment During the COVID-19 Pandemic
The COVID-19 pandemic significantly affected firms’ day-to-day operations across the securities industry, including requiring firms to transition most or all their staff to remote work environments and implement remote supervisory practices. FINRA is committed to providing guidance, updates and other information to help firms and stakeholders stay informed about the latest regulatory developments relating to COVID-19, which can be found on FINRA’s COVID-19/Coronavirus Topic Page, as well as in recent Notices issued to address COVID-19-related fraud, cybersecurity threats and other emerging issues.
As part of that effort, we prepared this Notice to share common themes FINRA observed through discussions with small, mid-size and large firms about the steps they reported taking to transition their associated persons and supervisory procedures to a remote work environment. This Notice does not represent a comprehensive inventory of all possible approaches taken by firms, nor does it include exam findings or effective practices because we have not yet evaluated these practices in our examination program.
Firms may wish to consider whether the practices described below are applicable to their own circumstances and would enhance their supervisory systems and compliance programs.1 FINRA reminds firms that they must continue to implement a reasonably designed supervisory system appropriately designed for their size and business model. In addition, firms must memorialize in writing any adjustments made to their policies and supervisory procedures as a result of the COVID-19 pandemic.
We encourage firms to contact their designated Risk Monitoring Analyst if they have questions about the practices described in this report, or to discuss any challenges they encounter as a result of the pandemic.
Background and Discussion
I. Transitioning to a Remote Work Environment
Firms discussed the challenges they faced when transitioning to remote work environments, implementing their business continuity plans (BCPs), closing branches and offices and supporting customers with these changes. In particular, certain firms that relied on web-based tools, electronic document management systems and cloud-based services, and regularly tested their remote connectivity, capacity, work processes and trading capabilities believed they faced fewer difficulties transitioning to a remote work and supervisory environment. Further, some firms that had been making continuous updates to their BCPs2 and maintained hot (fully live and connected) disaster recovery sites also concluded that they experienced a smoother transition.
In addition, some firms noted the following additional efforts relating to physical office space and remote work:
- Customer Assistance – Helped customers navigate branch and office closures by providing back-up contact information for the firm, branches and associated persons on firms websites3 and to representatives at their call centers and redirecting phone lines and voicemails to a centralized group. In addition, back-up branch office partner programs were established where calls to a closed branch office were forwarded to an open branch office and in-office appointments were handled by a centralized group.
- Move to Remote Work – Implemented certain remote work protocols to facilitate the transition:
- Location Monitoring – Asking remote staff to report their location to their managers, requiring approval before making changes to their location and keeping a record of the locations of all remote staff; and
- Contact Lists – Providing staff with updated contact information for their assigned points of contact in Compliance, Legal, Operations and other departments.
- Additional Support and Communication to Staff – Provided the following additional information and tools to associated persons and other staff to facilitate working remotely and to minimize the risk they would use personal or unapproved systems and technology to conduct firm business:
- holding firmwide “all hands” calls and videoconferences for all staff so that firm leadership could provide updates on firm operations;
- communicating clear guidance about firm expectations while working from home;
- transitioning to virtual training to continue preparing for upcoming regulatory obligations, such as Regulation Best Interest;
- providing additional technology tools, such as internet boosters, VPN hotspots, remote devices and laptops to better equip staff to work from home;
- making available new digital collaboration platforms and applications; and
- disseminating additional guidance and training regarding use of firm technology, tools and services in a remote work environment.
- Increased Focus on Confidentiality and Cybersecurity – Emphasized the importance of, and provided additional guidance on, obligations that are especially important in a remote work environment, such as:
- Confidentiality of Firm and Customer Information – Using notices and training to remind associated persons about their confidentiality obligations with respect to retail and other customers’ information, including complying with material non-public information requirements; maintaining a private workspace while working from home; and taking extra precautions when working near family members or roommates. If applicable, certain firms also noted that staff should consider whether the employment of family members or roommates working from home may raise a conflict of interest that needs to be reported to the firm.
- Cybersecurity and Fraud – Reminding and training staff about increased cybersecurity vulnerabilities and potential fraud risks in a remote work environment. Certain firms also engaged in additional efforts to monitor and assess critical information technology vendors by, for example, engaging a third-party oversight team.
II. Supervision in a Remote Work Environment
Firms generally acknowledged the challenges relating to remote supervision, but also reported that they were relatively prepared to remotely supervise their associated persons using existing methods of supervision, such as supervisory checklists, surveillance tools, incident trackers, email review and trade exception reports. In particular, certain firms that already maintained comprehensive remote supervision capabilities reported they easily transitioned to supervising their associated persons in the new remote work environment.
Some firms also took the following steps to address the additional concerns relating to remote supervision:
a. General Supervision
- Testing – Prepared to meet their supervisory obligations in a remote work by conducting additional testing of their remote supervision capabilities, in some cases, weeks ahead of when state or local shelter-at-home orders went into effect and performing a gap analysis between normal and remote supervision documentation requirements.
- Additional Support and Communications to Supervisors – Provided additional guidance and resources to supervisors by:
- underscoring the increased importance of supervision in a remote work environment and coaching their supervisors—and their staff—to “over-escalate” potential issues and concerns;
- scheduling daily or weekly meetings for all senior leadership and supervisors to provide regular updates, which included emerging issues relating to remote work;
- creating regular meetings and, in certain situations, continuously open chat rooms or teleconference lines, for supervisors to discuss concerns and raise questions with compliance staff;
- sending reminders to supervisors about ongoing regulatory responsibilities and applicable firm policies that are especially important in a remote work environment (such as confidentiality and cybersecurity, which are described in more detail above); and
- creating new electronic supervisory checklists with attestations and electronic affirmation via voting buttons.
- Analysis of Emerging Risks – Engaged in analysis of areas where firms received increased alerts, exception reports and customer complaints to identify potential emerging issues or trends that needed to be addressed.
- Feedback – Requested real-time feedback from staff and conducted weekly assessments on remote work and supervision arrangements to determine effective practices and shared lessons learned across the firm.
b. Trading Supervision
Some firms reported that their existing trading systems allowed them to successfully perform remote supervision, compliance monitoring and surveillance. Where necessary, however, firms also implemented new trading tools that replicated or directly accessed traders’ office trading systems from the traders’ homes and provided supervisors with comprehensive remote supervision capabilities.
Some firms enhanced their oversight of trading activity through a number of measures:
- Remote Trading Prescreen and Supervisory Processes – Implemented screening processes and additional supervisory requirements before permitting:
- requiring traders to complete attestations stating that they understand and will comply with relevant policies and procedures, focusing on critical compliance topics relating to remote work, such as information barriers, voice recordings, mobile devices, privacy and recordkeeping requirements;
- implementing a process for senior management to approve each trader to work remotely;
- testing the trader’s remote trading capabilities with an assigned in-office partner;
- having senior management review the test results, including details about the test trades, traders’ work location, pre- and post-trade risk, latency and overall test experience;
- submitting to firm leadership a formal memo describing the remote work arrangement with traders’ information (including remote location and planned trading activities) and feedback from the pilot review;
- requiring all supervisors responsible for monitoring remote traders to complete a special supervisory checklist; and
- maintaining and updating daily a contact list of all remote traders for senior management.
- Trade Reports and Alerts – Increased the frequency of their review, changed the existing thresholds relating to certain trade reports and alerts to increase the scope of their surveillance, or created additional alerts requiring traders to provide their rationale for certain activities.
- Communication Tools – Used new communication tools in an attempt to replicate traditional “line of sight” supervision in a remote work environment, such as keeping cameras, chat rooms, other collaboration tools and conference calls on during the day and scheduling daily rollcalls and multiple check-ins per day.
- Additional Monitoring – Implemented additional central monitoring and reviews of all supervisory activities, such as task and alert intake volumes and completion rates.
c. Supervision of Communication With Customers
Some firms reported that they relied on existing methods to supervise associated persons’ communications with customers, but acknowledged the additional risks of remote work environments and took extra measures to reinforce that associated persons must use only firm-provided and approved communication systems and tools, such as firm email, messaging platforms and softphones with recording capabilities (for staff requiring voice recording).
In addition, certain firms engaged in extra efforts relating to supervision of associated persons’ customer communications, including:
- Email Review – Increased the volume and frequency of supervisory review of email communications.
- Key Word Surveillance – Implemented additional key word search functionalities for their communication surveillance to identify potential communication outside of approved firm systems and tools.
- Recorded Lines – Required all traders to use recorded lines for all conversations relating to transmission of orders, and, in some cases, required staff who were not previously subject to the firm’s voice recording requirements to use phone applications that recorded their conversations.
- Chat Restrictions – Disabled certain features and functionalities of video conferencing platforms, such as chat, that would be subject to recordkeeping obligations that the firms could not fulfill in the remote work environment.
d. Branch Inspections
Firms reported that they adjusted their branch inspection programs to accommodate remote work requirements and travel restrictions. Many firms stopped conducting on-site inspections and, instead, created and implemented a temporary, fully remote inspection plan using video conferencing, electronic document review and other technological tools. Depending on the duration and severity of the stay-at-home orders and travel restrictions, firms were planning to complete the onsite portions of the inspections in the future, and, for high risk branches, to prioritize those inspections.
- This Notice is not intended to create new obligations, nor does it relieve firms of any existing obligations under federal securities laws and regulations.
- See FINRA Rule 4370(b) (Business Continuity Plans and Emergency Contact Information) (requiring firms to update their plans “in the event of any material change to [their] operations, structure, business or location] and conduct an annual review of their BCP to “determine whether any modifications are necessary in light of changes to [their] operations, structure, business, or location”); Regulatory Notice 13-25 (FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning) (noting that “remote access is an important component of business continuity planning” and firms should “consider their employees' ability to work from home,” including “identifying technology and communications products and services that could increase efficiency” and focusing on “key control functions such as compliance, risk management, back office operations and financial and regulatory reporting”).
- See Regulatory Notice 20-08 (Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief) (noting that, “[i]f registered representatives are unavailable to service their customers, member firms are encouraged to promptly place a notice on their websites indicating to affected customers who they may contact concerning the execution of trades, their accounts, and access to funds or securities.”).