Financial services firms, like other businesses, must address employees' requests for more flexible work arrangements, including working from home. For broker-dealers, however, longstanding rules formulated around the traditional office structure can make it difficult to accommodate these arrangements. Financial Industry Regulatory Authority ("FINRA") rules require member firms to perform on-site inspections of all locations from which they regularly conduct business, including employees' residences and other places where they are permitted to work remotely. Dispatching examiners to multiple apartments and homes can be resource intensive, costly and personally intrusive, especially for locations not held out as a place of business and where operational functions are limited. However, these burdens may be mitigated through effective technology-driven reviews performed remotely.
FINRA has taken these issues into consideration in proposing to amend its rules to permit remote inspections of residences and other non-branch locations where employees work on a regular basis. The relief should enable firms to permit more of these arrangements. This measure is still pending and FINRA has not indicated whether or when it will finalize the proposal. However, incorporating remote inspections into the review cycle can lessen the on-site work to be done and possibly provide a basis for extending the period between on-site examinations.
Current On-Site Requirements
FINRA Rule 3110 requires member firms to supervise the activities of their associated persons and to conduct on-site inspections of all branch offices and other business locations. The rule defines a "branch office" to mean "any location where one or more associated persons . . . regularly conducts the business of effecting any transactions in, or inducing or attempting to induce the purchase or sale of, any security[.]" The definition contains several exceptions, referred to as "non-branch locations," including an "associated person's primary residence" and a "temporary location" typically used to accommodate employees working from home. Among other things, the location cannot be held out to the public as an office of the firm or used to meet customers or to handle funds or securities. A registered person working from the location must be assigned to at least one appropriately registered supervisor in a branch office or OSJ that is responsible for reviewing his or her activities. The locations must be inspected according to a plan that takes into account, among other things, (1) the nature and complexity of securities activities, (2) customer contact, (3) volume of business, (4) disciplinary history and (5) signs of irregularity or misconduct. There is a presumption that the location will be inspected on-site at least once every three years unless the firm determines that a longer period is warranted and the considerations are set out in the firm's written supervisory and inspection procedures ("Inspection Program").
FINRA's Proposal to Allow Remote Inspections of Residences and Other Locations
FINRA proposes to allow member firms to conduct remote inspections in lieu of on-site inspections of "qualifying offices." A "qualifying office" would include the primary residence or temporary location where an employee works from home, provided the person does not have a "disciplinary history" as defined in FINRA Rule 3170(a)(3) and is not subject to a "statutory disqualification" as defined in Section 3(a)(39) of the Securities Exchange Act of 1934. The firm must have written policies and procedures reasonably designed to determine whether (i) the location is eligible for remote inspection and (ii) the inspection performed is appropriate taking into consideration the factors noted above and whether the person has a disclosure event under items 14(C) through (J) of Form U4. A written report of the remote inspection must be made and kept on file.
On-site inspections of these locations continue to be required pending any adoption of the FINRA proposal or other relief. Meanwhile, remote inspections at appropriate intervals may provide a basis for extending the period for on-site inspections or reduce the amount of work required on-site subject to the results of those examinations and any issues identified during ordinary supervision of the representative's activities. Written policies and procedures for remote inspections should be incorporated in the firm's Inspection Program. The efficacy of those remote inspection procedures should be tested against on-site inspection results.
Policies and Procedures
The following are some issues that firms should consider in preparing policies and procedures for the approval and supervision of employees working remotely, including an Inspection Program that incorporates both remote and on-site inspections of non-branch locations.
Guidelines for Working Remotely
Many firms have guidelines and protocols for employees working outside the office (whether or not on a regular basis); such guidelines may address, among other things, (1) supervisor notification and approval, (2) required use of firm-issued devices and computers, (3) connection to the firm's systems through secure communications links, (4) corresponding policies limiting or restricting the use of personal or non-proprietary devices, communication systems, software or accounts for business purposes, (5) limitations on document production and record storage and (6) restrictions on meetings with customers.
Policies and Procedures for Working from Home or Another Non-Branch Location on a Regular Basis
Firms should have more comprehensive policies and procedures governing arrangements where employees work from home or another non-branch location on a regular basis. Those policies and procedures should incorporate guidelines for working remotely and, in addition, address the following:
Policies may restrict or prohibit such arrangements where the employee has a disciplinary history or a prior statutory disqualification. Conditions or restrictions may apply to persons that have reportable events on Form U4. The firm should consider policies that address whether and to what extent the arrangements are appropriate for senior executives and supervisors, high-level operations, technology or finance professionals, employees performing sensitive or important functions (including those with access to funds or securities), and persons engaged in activities requiring close supervision, such as traders and persons selling complex products or services.
Policies and procedures for approving such arrangements may require authorization from the head of the business unit, the Human Resources Department, and consultation with legal or compliance personnel, in addition to the person's immediate supervisor.
Policies and procedures should be in writing and provide for appropriate documentation of approved arrangements, reviews and inspection of the location as a non-branch location. The firm should record the address of each non-branch location. (The location should not be advertised or held out to customers or others as a place from which the firm conducts business.) The record for each location should include the employee's name, title and registrations, business activities, department, the branch location or OSJ to which he or she is assigned for supervision and the name of his or her supervisor.
Additional Guidelines for Working Remotely
The firm should have additional controls for employees working remotely on a regular basis, potentially including requiring use of firm communication devices, computers and applications, special log-on requirements and installing monitoring software on computers.
Each employee should be assigned to a supervisor in a branch office or OSJ responsible for his or her activities. The employee should adhere to and acknowledge compliance with all applicable firm policies and procedures, including the firm's code of conduct, compliance manual and policies and procedures to protect against misuse of material nonpublic information. The firm should consider whether additional supervisory routines may be appropriate, including procedures to monitor whether the location is identified as a place of business of the firm, enhanced email, log-on and activity reviews, supervisory reports and mandatory attendance at compliance meetings, continuing education programs (possibly, including a module for working remotely) and other important events.
Inspections (Remote and On-Site)
Firms should have an Inspection Program that includes procedures for both on-site and remote office inspections. They should describe the schedule and considerations behind the frequency of inspections. The program for each inspection should take into consideration (1) the office's location, (2) the nature, complexity and scope of the employee's activities there, (3) the volume of business, and (4) the employee's record, including any reportable events on Form U4. In addition to the review of business activities conducted by the person from the location, modules should test for compliance with policies and procedures for working remotely, information and data protection (including cyber-security) and adherence to conditions for treatment of the location as a non-branch office. A written report should be made of the results of each inspection, and the results should be considered in assessing whether any changes should be made to the arrangement, supervision or the timing or substance of future inspections. Remote inspection results should be compared with on-site inspection results to help identify any weaknesses in either set of protocols.