The concept of working from home (WFH) is not a new. Prior to the pandemic, nearly 40% of businesses in the United States and Europe offered some sort of remote work schedules to employees. However, these schedules were more an incentive, rather than the norm. Once or twice a month was ok, unlike in the post-pandemic world where some functions have been allowed to work from home permanently.
So how does this play out in the United Arab Emirates, especially for financial firms in the DIFC? Does the DFSA have any rules or regulations around work-from-home (WFH)?
The short answer is no. While the DFSA does not have any specific rules on work-from-home, financial firms are expected to comply with the DFSA Rules and the internal rules of the firm. Here is where the compliance function takes the lead.
Today’s technology is advanced enough to enable high-speed audio and video connectivity from anywhere in the UAE. However, a compliance officer must review all WFH arrangements to ensure that the requirements as set in the Compliance Policies and Procedures, as well as Business Continuity, Data Protection and IT and Cyber Security Policies are met and complied with on an ongoing basis.
When employees work from home, they are no longer in a corporate controlled environment that is overseen by managers, team leaders, corporate cameras, and area access controls. So, what should A DIFC Compliance Officer keep in mind for WFH workers?
Here are a few pointers that compliance officers can consider when evaluating the risk of each home environment. For starters, what does the environment look like?
- Validate the designated area that the employee will make use of everyday. Will it be a dedicated space? Or a shared environment, like a coffee shop? Perhaps a compliance form that is used for WFH permissions can capture this information.
- Conduct suitable training sessions detailing acceptable behaviour and use of corporate assets when working from home. This includes a minimum dress code when on video calls, compulsory logouts and shutting down of systems at the end of the workday.
- Use of Virtual Private Networks (VPN). Secure environments are hard to create at home, and so corporate VPN must be enforced. Employees should be able to access company data and work on company material only though secure VPN access. This ensures compliance with Data Protection Rules as well.
- Authentication – Measures such as multi-factor authentication and OTP-based logins must be made mandatory. Google Authenticator is an excellent tool in this regard, especially when the DIFC firm uses the Google Workplace.
- Conversations and meetings – Calls must be video-first by default. Headsets should also be mandatory, given that many workplace conversations are private and firms have a fiduciary duty towards client privacy.
- Compliance with Cyber security policies – The DFSA recently published a thematic review on Cyber security. The paper takes into considerations cyber risks in the workplace, and are as relevant for remote working. The Compliance Officer must take these factors into consideration as well. Some measures that must be mandatory include implementation of firewalls, corporate anti-virus software installation and updating, blocking USB booting and USB-drive access and URL restrictions.
- In continuation, the compliance officer should also ensure implementation of a Mobile Device Management (MDM) solution for employees who use their own mobile phones and laptops.
- Session on home-network security – Studies have shown that home networks are the easiest to crack. This is a potential vulnerability for financial firms whose employees access company-data from home. The compliance officer must ensure that a training session is conducted on the basics of home network security. Some of the topics that can be addressed include mandatory change of the default user and password, wireless encryption enabling, setting up a Service Set Identifier (SSID) solely for work purposes, disabling of remote administration (except by the company IT officer) and MAC address filtering.
Compliance officers must also ensure that the senior management is made aware of the challenges of remote working, so that they can direct the relevant departments in the firm to take precautionary measures accordingly.
The Compliance officer must also recommend that remote working policies and procedures form part of the scope of work for internal audits that happen on a yearly basis.
Working from home is here to stay. Compliance officers of firms in the DIFC will have to make changes to their compliance policies to ensure that all practical considerations are taken into account and all security vulnerabilities addressed in case of remote working.
For More Details on DIFC Compliance officer and Work From Home Considerations, Contact us here