Compliance Supervisory - Assessing the Impact of Remote Working
As a result of the outbreak of Coronavirus disease (COVID-19) and unprecedented periods of potential business disruption, FINRA recently released guidance related to Rule 4370 business continuity planning.
The guidance suggests that FINRA-registered broker-dealers should evaluate the current supervisory control framework and determine if it’s “reasonably designed to supervise the activities of each associated person while working from an alternative or remote location during the pandemic.”
The following table outlines selected examples of control areas within the FINRA Supervisory Framework that should be tested, updated and monitored to support remote working activities:
| Control Area | Considerations |
| --- | --- |
| Oversight | Supervision: FINRA-registered supervisors that typically sit on a trading desk or in close proximity to associated persons should determine if the required level of oversight can be maintained electronically while working from an alternative location. Supervisors may consider increased monitoring of group chats or video conferences conducted by associated persons. |
| Communications | Customers: Verify that supervisory control policies and procedures are able to mitigate risks that may arise due to the inability to communicate with customers. |
| | Internal: Confirm that front, middle, and back-office communication channels are established to effectively escalate compliance issues to the compliance team. Supervisors may consider defining and distributing phone trees to ensure proper coverage and communications. |
| | FINRA: Update contact information. Member firms are encouraged to review their emergency contacts to ensure that FINRA has a reliable means of contacting each member. |
| | Regulatory Filings: Determine if the firm can continue FOCUS filings, Supplemental FOCUS Information, Form Custody filings, etc. |
| Recordkeeping | Personal and Private Data: Determine if client and employee PII is secure. Supervisors may consider protecting client data by prohibiting remote printing or storing. |
| | Client Statements: Confirm that the custodian has the required information/is able to provide customer statements. |
| Cybersecurity | New Cyber Threats: Identify new vulnerabilities based upon remote working environments and provide training to encourage heightened awareness of possible threats during remote working. |
| | Technology Controls: Verify that (1) virtual private networks (VPN) and other remote access systems are properly patched with available security updates; (2) system entitlements are current; (3) multi-factor authentication is in use for associated persons who access systems remotely; and (4) associated persons are aware of best practices to protect the firm. |