Working from home in financial services: finding the new normal 

As the working world digests the impact of the coronavirus lockdown, the enforced working from home setup is creating a need for real flexibility in working types and patterns. As the pandemic progresses, lesson learning may be vital as working from home becomes more necessary, writes ICAEW Financial Services Faculty commissioning editor Brian Cantwell.

The working-from-home (WFH) setup has slowly blended into the financial services working world. 

Senior managers and junior staff alike have used it as a tool to manage busy lives and commitments.  

First conceived in 1962 by F International, a computer company, its uptake has been slow; in 2013, Yahoo famously banned it to drive up productivity. 

Since then, it has re-entered office culture: flexible working and work-life balance have seen it used as a tool for inclusion, while monitoring, IT and tech culture in financial services have become more progressive.

It has also become more accepted in the financial services hierarchy, even with supervision and compliance restrictions, owing to its occasional use and how workflows could be managed around it.  

But the sheer scale of the COVID-19 lockdown and its longevity have posed an existential question for how we work and how we work at home.  

As I write, the government guidance is slowly being leaked into the mainstream press about how long we could be balancing our working personas at the kitchen table.

At the start of May, the Financial Times reported white-collar workers were expected to keep working from home for several months to prevent public transport from being overwhelmed.

Financial services teams will be staggered from working in the office: many teams will already be doing this.  

Irrespective of whether lockdown lasts a few months, or for the rest of 2020, it is not exactly clear if there will be a return to ‘normal’.  

And what is normal may have changed completely.  

Forced to change  

The government guidance will not signal a return to the old office-based format and setup for many banks, insurers and investment managers.  

At the end of April, Barclays warned that the pandemic could cost it £2.1bn in defaults, while 70,000 of its staff worldwide were working from home. Heavy defaults were expected, transactional revenue was falling, so cost cutting would be key for survival.  

Chief executive officer Jes Staley warned that expensive city offices “may be a thing of the past” and told the press that the bank was rethinking its long term “location strategy”.  

Barclays was re-evaluating how much office space it needed, as staff “working from their kitchens” were now helping to deliver its participation in the raft of government lending schemes set up for the coronavirus crisis.  

Staley told the press that future retail branches outside of London could be used by investment banking and call-centre staff.  This would remove the long commute for many, although social distancing restrictions may still hinder mass office occupancy and mass commuting for years to come.  

But the message was clear: get used to working from home. Many other firms will be thinking this too.  

A crisis for business recovery  

In the heady days at the start of the crisis, financial services firms deployed their crisis management and business recovery plans.  

For some, like those at Goldman Sachs, this included a business relocation for office-based workers from the well-heeled world of Fleet Street to a crisis management site near Croydon.

Many crisis management plans perhaps expected terrorism-related events, such as September 11, 2001, or the London bombings of 2005, or a financial-type disaster such as the global financial crash of 2007 to 2008.

But it was the nature of this crisis, where we all must be isolated from one another but connected, that has really set the tone for WFH to come of age.  

Business recovery sites are as likely to refer to backup servers and cloud computing in years to come as to a physical location.

It has not gone unnoticed by the financial regulators, especially with the recent emphasis on operational resilience.  

In a City briefing in April, Financial Conduct Authority (FCA) interim chief executive officer Chris Woolard said the regulator had seen very little disruption to operational resilience for regulated financial services firms. Big firms’ reliance on third parties and overseas workers will be reviewed by firms after the crisis, he promised; however, there would be “a big focus” on homeworking and crisis recovery sites.

The test that firms face is on recovery issues related to working from home, said Woolard, but crucially “most business recovery plans did not anticipate the size of working from home in this crisis”.  

Where the old world meets the new world  

Nowhere is this more evident than from the point of view of IT providers working to service the financial services industry.  

One tech chief, Brad van Leeuwen, co-founder of software-as-a-service provider Cledara, summed up some of the logistical problems that financial services firms faced while moving the lion’s share of their operations into their employees’ homes.

In a series of tweets covering anecdotal evidence of banking clients who had asked people to work from home, he said most staff work from desktop machines, not laptops, making workflows much slower.

Many employees must use their phones and tablets and do not have access to a computer at home, and none of the employees’ software was cloud-based, so they needed access to Virtual Private Networks (VPN).

According to Leeuwen, there were compatibility issues where the VPN software used did not support iOS or Chromebook, and bankers attempting to use Society for Worldwide Interbank Financial Telecommunication (SWIFT) machines vital to payments needed direct physical access. Access to backup machines was therefore restrictive.

Corporate support teams in these banks were struggling to manage the various operating systems that employees had under Bring Your Own Device (BYOD) policies, and the only regulatory-compliant form of real-time communication was email, which caused delays in response times.

Added to this, sensitive IT processes like the authorisation of material payments were never designed for home working set-ups, requiring multiple people to work on site.  

All of these problems were causing headaches for back-office teams, but the front office was also affected, said Leeuwen.  

When combined, they drastically slowed down the speed of work across the affected banks.  

One director of a UK Cloud IT and hosting provider, who spoke to ICAEW anonymously, as many of its clients were managing the COVID-19 changes, said many businesses were caught on the hop.

“WFH is now the default crisis management tool to keep the economy going,” he said.  

“We have had clients turn around to us and say they need to move servers and IT resources into our building, as they do not have the physical capacity where they are to cater for their staff to work from home.  

“Some do not have even half the capacity they need and have not planned for this mass WFH eventuality.”  

New normal 

It is hard to characterise the disparate experience of different firms, and the situation is nebulous, as some IT issues are solved, and others created.  

“What does the new normal look like? It’s specific, on a case-by-case basis,” said the Cloud IT director.   

“Some businesses were well prepared and have transitioned to the new normal and are only slightly disrupted. Some firms are looking at their cost bases and thinking they have completely changed and undergone a fundamental shift, and will be looking at office space and if they need it anymore.” 

However, the greatest pain point is at the start of the ‘transformation’, and once transitions have been made and invested in, the hard work is done, said the IT source.  

“Once the [IT recovery] response is created, it is set up forever,” he said.   

“If firms have moved office equipment out into a datacentre, then that is resilience for the foreseeable future.”  

Now is the time to refine the system for those who have it set up. Those financial services firms will need to consider how they are going to integrate staff as they come back into work, how they are going to have access to their files, and what the security is going to be like.

Protecting employees as they move from their home network onto the company network will be of key importance in developing the system.

Familiar threats  

Unfortunately, as financial services firms grow the number of devices and VPN users at home on their networks, the familiar cyber-attack risks grow. 

Employees are now on the front line in the war with scammers and will have more exposure to cyber threats through their equipment. 

The most common forms of attack are phishing emails, impersonation, or employing people as cleaners in offices to steal passwords, according to the IT Cloud company director.

These forms of attack can only evolve as the WFH network extends. 

Critical thinking and education are the greatest forms of defence, especially as workers can be isolated in home offices from a sense check that can debunk phishing attacks. 

It is worth remembering that the Wi-Fi networks employees use have their own vulnerabilities.

Internet of Things devices may join the network, and encryption and security should be used on every ‘online’ device. 

Additionally, the volume of working from home and accessing infrastructure remotely will put a strain on the framework and the effectiveness of it.  

WFH: financial regulatory and compliance issues 

It became clear when talking to several financial services businesses that WFH was a short-term fix, but in the long term, firms and regulators will have to pivot to accommodate the new normal of a virtual workforce.

There are a myriad of existing and emerging risk issues and potential compliance issues. 

Many firms see a need to bring new technologies like video conferencing and instant messaging platforms into the scope of existing risk management, control and compliance networks.  

In the longer term, regulators will need to identify whether there are significant issues in their long-term use.  

New technologies that are out there can impact existing regulatory oversight.  

MiFID rules on the recording of telephone conversations, for example, in the context of new tech, have raised a lot of considerations for firms, said one partner in the banking audit and assurance function at a Big Four firm.

As another example, due to market volatility from the COVID-19 pandemic, firms in financial services have seen substantial increases in market surveillance alerts, generated by automated systems. 

Those systems are calibrated on what to look out for in normal market conditions.  

The alerts need to be looked at as they cannot be disregarded, and there may be a regulatory or compliance issue about waiting to change them.  

There may be real considerations in ultimately ceasing alerts, said the Big Four source, because that gives rise to its own considerations in the financial services industry, around who has the extra capacity in order to manage that change.  

Now the Senior Manager Certification Regime (SMCR) is in force, a lot of decisions can be revisited in the event of a complaint, which could be used if compliance changes are moved around teams. 

“From a regulatory perspective, firms will look at SMCR and scrutinise how it works and how well it was handled. Inevitably, a firm will look back and think are there things that we can do, in taking the future of working forward, in a way of measuring this new environment,” said the Partner.

And from a supervisory perspective, sales and trading staff have rarely worked from home, and most existing controls around supervision rely on physical presence with supervisors monitoring work.  

“That’s why firms need to look back at existing metrics to monitor supervisory activity, and there’s a lot more emphasis on unusual trading patterns, errors, breaches and in and out hours trading,” he added.  

Audit challenges with WFH 

When staff are not as close to the control framework, compliance and audit teams will see challenges, says the Big Four audit partner.  

Audit professionals will have less frequent access to individuals and to the site, and therefore a remote working framework limits an individual’s ability to access services to maintain assurance and monitoring.  

This could lead to delays to access, information, and data, particularly where frontline staff are dealing with liquidity constraints and market volatility.  

Senior managers will have to look at staffing levels, shortages, and other things that need to be changed as a result.  

“Have internal audits needed to be amended, shifted, cancelled, delayed? Looking at other risk-based solutions and continuous monitoring abilities to reflect that risk is key,” said the Partner.  

“And I think the future of WFH across financial services is going to be pegged as how we view new behaviours as individuals,” he added.  

“We all work in a massive virtual environment right now, but it has highlighted part of the financial services industry that relies on post; on paper.  

“But payments, payment instructions, pack stamping, stamp onboarding, fingerprinting. All of that now needs to be looked at in this context – are there alternatives?” 

The ongoing issue for financial services regulation and compliance when working from home will be stock market volatility, sources told ICAEW. 2020 has seen the biggest drop in the stock market since 1987.

Extreme variations in market volumes, liquidities, and securities can affect firms’ ability to accurately risk manage and properly value shares and investments.  

There have been numerous margin calls, all publicly recorded, most noticeably around lenders. 

“Conduct regulators and supervisors have tried to get on the front foot a bit more, in trying to address some of those. And that is difficult for firms, as they are still expected to meet their requirements, even through that market volatility,” said the Big Four Audit Partner. 

With some WFH IT systems struggling to handle simple downloads and SharePoint documents, there will be two reckonings in 2020 for financial services firms. 

One will be the obvious trail of the coronavirus; the other, the health of their new working from home networks.