The Covid-19 developments of the past month or two have put the spotlight on the importance of a robust Business Continuity Plan (BCP). Many Australian Financial Services Licence (AFSL) holders have either partially or fully rolled out their BCPs, and a lot of financial services professionals are now working from home as a result.
I am not an online security expert and this article is not intended to be a comprehensive checklist for a licensee’s BCP. Instead, I would like to share a few finer details that may be overlooked in the execution of a BCP.
- Phone Calls
If a licensee has a policy to record all client phone calls for training and compliance purposes, they will need to consider whether the policy can still be effectively adhered to when staff work remotely.
A licensee may elect to have all calls to the office landlines forwarded to the relevant employees' mobiles. A question that then arises is whether these forwarded calls are still recorded, or whether recording stops at the point the call leaves the office phone system.
Another consideration is outgoing calls. Will employees now have to make work calls from their personal mobile phones, which are presumably not recorded? If so, this will not only result in non-compliance with company policy, it will also undermine the licensee's monitoring and supervision program, which relies on those recordings.
A 'soft-phone' system that allows landline calls to be made and received on a computer may be a workable solution, provided that these calls are recorded and retained in the same way as calls made from the office.
- Privacy and Confidentiality
A licensee's employees may need to discuss personal and financial matters with their clients. They need to be mindful of their surroundings when having these confidential discussions. Can the conversation be overheard? If so, by whom? Is there anything that can reasonably be done to protect the privacy of the client? For example, if the employee lives in a shared household, would it be possible to speak to a client in a separate room away from the others?
- Back-ups
Ideally employees should work directly in a cloud environment that is backed up regularly. Some people might prefer to work on their own computers and only load the relevant documents to their employer's system once a project is completed. The question is, if the local computer unexpectedly dies right now, can all the relevant work be recovered? If so, how long would that take? It is not just about the final product either. Think about all the other files that the employee has relied upon in the process of generating the final document.
If there is a cloud-based solution, whether it be Dropbox, G Drive, or the licensee's in-house shared drive accessed through a Virtual Private Network (VPN), employees should be required to work directly in that environment to ensure their files are adequately backed up. One caveat: a folder that merely synchronises to the cloud is only a back-up if it keeps version history, because a file that is accidentally deleted or encrypted by ransomware on the local computer will otherwise be synchronised in that state to the cloud copy as well. Check that the chosen service retains earlier versions and deleted files for long enough to be useful, and that someone has actually tested restoring from it.
- Staff Training
It may be worthwhile to remind staff of some basic security measures to help protect the integrity of the licensee’s network and more importantly, the personal and financial information of the licensee’s clients. A few examples include:
- Devices should always be password protected and locked while unattended.
- Do not use easy-to-guess passwords such as birthdays, anniversaries or phone numbers.
- If commercially viable, consider having anti-virus, scanning and other security software installed on the devices used by staff to perform their work duties, which may include employees' personal devices.
- Enable two-factor authentication wherever possible. If the licensee mandates regular password changes, note that current guidance (for example NIST SP 800-63B) favours long, unique passwords that are changed when there is evidence of compromise rather than on a fixed schedule, because scheduled changes tend to produce predictable variations of the same password.
I hope the above helps in this challenging environment.
Thank you for taking the time to read this article. Please get in touch if you have any questions, comments or if you need assistance. Please also see AFSL Compliance for details on how we can assist you with your AFSL compliance requirements.
Note: Xiaoshu is not a legal practitioner. This article has been provided for general information purposes only and cannot be construed as legal advice.