Difc Compliance Officer & Work-from-home Considerations - 10 Leaves

By Author: Nitya
Total Articles: 82
Comment this article

The concept of working from home (WFH) is not a new. Prior to the pandemic, nearly 40% of businesses in the United States and Europe offered some sort of remote work schedules to employees. However, these schedules were more an incentive, rather than the norm. Once or twice a month was ok, unlike in the post-pandemic world where some functions have been allowed to work from home permanently.

So how does this play out in the United Arab Emirates, especially for
financial firms in the DIFC? Does the DFSA have any rules or regulations
around work-from-home (WFH)?
The short answer is no. While the DFSA does not have any specific rules on work-from-home, financial firms are expected to comply with the DFSA Rules and the internal rules of the firm. Here is where the compliance function takes the lead.

Today’s technology is advanced enough to enable high-speed audio and video connectivity from anywhere in the UAE. However, a compliance officer must review all WFH arrangements to ensure that the requirements as set in the Compliance Policies and Procedures, as well as Business Continuity, Data Protection ...
... and IT and Cyber Security Policies are met and complied with on an ongoing basis.

When employees work from home, they are no longer in a corporate controlled environment that is overseen by managers, team leaders, corporate cameras, and area access controls. So, what should A DIFC Compliance Officer keep in mind for WFH workers?
Here are a few pointers that compliance officers can consider when
evaluating the risk of each home environment. For starters, what does the
environment look like?
1. Validate the designated area that the employee will make use of everyday. Will it be a dedicated space? Or a shared environment, like a coffee shop? Perhaps a compliance form that is used for WFH permissions can capture this information.
2. Conduct suitable training sessions detailing acceptable behaviour and use of corporate assets when working from home. This includes a minimum
dress code when on video calls, compulsory logouts and shutting down of
systems at the end of the workday.
3. Use of Virtual Private Networks (VPN). Secure environments are hard to
create at home, and so corporate VPN must be enforced. Employees
should be able to access company data and work on company material
only though secure VPN access. This ensures compliance with Data
Protection Rules as well.
4. Authentication – Measures such as multi-factor authentication and
OTP-based logins must be made mandatory. Google Authenticator is an
excellent tool in this regard, especially when the DIFC firm uses the
Google Workplace.
5. Conversations and meetings – Calls must be video-first by default.
Headsets should also be mandatory, given that many workplace
conversations are private and firms have a fiduciary duty towards client
privacy.
6. Compliance with Cyber security policies – The DFSA recently published a thematic review on Cyber security. The paper takes into considerations
cyber risks in the workplace, and are as relevant for remote working. The
Compliance Officer must take these factors into consideration as well.
Some measures that must be mandatory include implementation of
firewalls, corporate anti-virus software installation and updating, blocking USB booting and USB-drive access and URL restrictions.
7. In continuation, the compliance officer should also ensure implementation of a Mobile Device Management (MDM) solution for employees who use their own mobile phones and laptops.
8. Session on home-network security – Studies have shown that home
networks are the easiest to crack. This is a potential vulnerability for
financial firms whose employees access company-data from home. The
compliance officer must ensure that a training session is conducted on the basics of home network security. Some of the topics that can be addressed include mandatory change of the default user and password, wireless encryption enabling, setting up a Service Set Identifier (SSID) solely for work purposes, disabling of remote administration (except by the company IT officer) and MAC address filtering.

Compliance officers must also ensure that the senior management is made
aware of the challenges of remote working, so that they can direct the relevant departments in the firm to take precautionary measures accordingly.

The Compliance officer must also recommend that remote working policies and procedures form part of the scope of work for internal audits that happen on a yearly basis.

Working from home is here to stay. Compliance officers of firms in the DIFC will have to make changes to their compliance policies to ensure that all practical considerations are taken into account and all security vulnerabilities addressed in case of remote working.

For More Details on DIFC Compliance officer and Work From Home
Considerations, Contact us here