Moving to a work-from-home environment has exacerbated the financial industry’s compliance and cybersecurity concerns, and according to one fintech executive, advisors are exhausted.

“The alternative is—what? It’s not like most of them are going to go on vacation or take off and go to the beach in the middle of a pandemic,” said Robert Cruz, vice president, information governance at Smarsh. “For us it’s been quite good. There’s a lot of demand right now around new ways of communicating and collaborating. The whole phenomenon around Zoom and Slack has directly impacted our business in a new way.

As advisors went virtual in the spring, demand for Smarsh’s cybersecurity and compliance services increased, said Cruz.

Then the regulators stepped in.

At the end of May, Finra issued Regulatory Notice 20-16 in response to the number of advisors newly working from home. The notice provided general guidance that advisory firms should follow in the new environment, especially around trading activity.

“There’s legitimate concern about individuals using home computers, sharing their wifi with their three kids (like I’m doing), or using unauthorized apps or freeware,” said Cruz. “Some firms have not properly outfitted their remote workers with the right tools, and all kinds of things were happening.”

Cruze said that while many advisors’ clients are already familiar with working remotely and using tools for remote communication, the industry was behind when the pandemic’s disruption began.

Smaller firms may have an easier time adapting to the new normal of conducting more work remotely than large firms.

“Smaller firms seem to have been more nimble in deploying some of these tools sooner, so they have a head start,” he said. “A large firm may have 80 advisors or reps, 95% of whom are suddenly, almost overnight, working from home. It’s a scale versus complexity conundrum.”

Finra’s guidelines included: how to transition to a remote environment, maintain supervision in a work environment, and preserving compliance for the archiving of all customer communications.

“When working remotely, it’s as if there’s a greater surface area for vulnerabilities,” Cruz said. “There are many more places that people can do stupid things.”

FInra’s notice mentioned that in recent exams, it found that firms that had been making continuous updates to their continuity plans and maintained live, connected disaster recovery sites were also more likely to report having a smooth transition to work-from-home.

 

Best practices for moving to remote work, according to Finra, include location monitoring to make sure staff are using secured connections and maintaining contact lists so that compliance, legal and operations assistance is easily available.

Finra also emphasized the importance of confidentiality and cybersecurity in a work-from-home environment – employees should have a private workspace and take extra precautions if they work near family members or roommates. Potential conflicts of interest with the employersof family members and roommates should also be considered.

Finra also emphasized the importance of adequate supervision around remote trading and client communications.

The biggest challenge for firms, according to Cruz, revolves around hardware. Finra recommends that broker-dealers only use firm-provided and approved communication systems.

“Whether the person is in your eyesight or working from Pismo Beach, Calif., you still have the same regulatory obligations,” he said. “Finra has not said that they’re going to allow latitude for firms that don’t have this together.”

Firms have no way of knowing whether an advisor’s home computer is up-to-date with the software that keeps them secure and compliant, he said, and advisors might be tempted to use computers and tablets that are easily accessible.

Cruz said that ideally, employees working from home would be using a firm’s centralized, compliant email and messaging platforms, and phones with recording capabilities.

“It comes back to this, from Finra’s perspective: If we can’t’ capture it, you can’t use it,” he said. “There are more companies trying to sanction new communication networks with new technologies behind them. Firms need to be making sure they’re aware of which individual is using which stuff, and that they’re not using tools that an 18-year-old kid knows about but I don’t. Prohibited tools have become very familiar and easy for advisors to access, but the list of those prohibited tools gets longer and longer every day.”

In a work-from-hhome environment, firms should be conducting email reviews and keyword surveillance, said Cruz.

They also should be using recorded linnes for all conversations related to trading orders, said Cruz, and place restrictions on video conferences that could be subject to recordkeeping obligations.

“Finra seems to be reacting as if this is not a temporary situation,” he said. “They’re anticipating  that this is going to have a long-lasting effect on the way firms do business, and that’s been echoed in the data that I’ve seen: less than 45% of firms believe that they’re going to go back to the way it used to be. Companies are going to have to invest in continuing to operate in this manner for the forseeable future.”