Complying with Europe’s other data management mandate – MiFID II
While much of the news this year has focused on the EU’s General Data Protection Regulation, there are some significant changes to the EU’s Markets in Financial Instruments Directive that are sure to impact data managers.
MiFID II, as it is known, went into effect at the start of the year. The official Brexit date for the UK to leave the European Union is set for March 29, 2019. MiFID’s new specifications affect any organization that operates and/or does business with firms that provide investment services in the European Economic Area.
MiFID II – the second version of MiFID – requires that firms put systems and processes in place to capture, retain and reproduce complete records of all services, activities and transactions on firm and client accounts. This includes all telephone calls on fixed and mobile lines, and all forms of electronic communications (text/SMS messaging, social media) related to the transaction, created or received by a company’s employees and contractors.
The MiFID II rules apply to relevant communications from any personal or business devices. The requirement extends to communications that are intended to result in these transactions, even if they do not in fact happen.
Firms should take all reasonable steps to prevent an employee or contractor from making, sending or receiving relevant telephone conversations and electronic communications on personal devices which the firm is unable to record or copy. Firms must store records in a durable medium which allows them to be replayed or copied, and they must be retained in a format that does not allow the original record to be altered or deleted. In this way, the records can be made readily accessible to clients on request.
Why MiFID II Matters
There is no evidence that the UK’s Financial Conduct Authority (FCA) has any intention of changing MiFID II recordkeeping rules following Brexit. Brexit is a key priority for the FCA as it prepares for withdrawal from the EU and seeks a smooth transition to the new UK regime.
Currently, FCA recordkeeping rules are in line with the current MiFID requirements. The FCA has made it clear UK firms must comply with the MiFID II legislation. FCA’s Third Consultation Paper (CP16/29) addresses the changes in the UK regulatory framework. The regulator supports the MiFID II requirements, for example requiring training for staff, maintaining a record of employees using a mobile device, and monitoring records for compliance with regulatory requirements.
Furthermore, the FCA recently published its Business Plan for 2018/19, which highlights the key priorities for this year. The Plan outlines seven cross-sector priorities and seven sector-specific priorities that cover financial markets, investment management, retail lending, pensions, retail investment, retail banking and general insurance.
Technology is highlighted throughout the business plan as it plays a pivotal role in delivering financial products and services. FCA notes that technology also plays a central and developing role in wholesale financial markets.
FCA also recently published its proposed fees and levies for 2018/19. It said its annual funding requirement for the year was £543.9m, an increase of 3.2% from the previous year. Reasons cited for the increase included additional ongoing regulatory responsibility and European Union withdrawal costs.
Next Steps as the Brexit Deadline Looms
With MiFID II on the horizon, organizations should efficiently pursue their recordkeeping requirements now and commit to making compliance with the regulatory environment a priority. Data managers should realize the necessity of updating their systems to capture, archive and reproduce service records covering all activities and transactions at both the firm and client levels.
Texting and other electronic communications are now a common business platform for advisors. To keep up with these developments, firms will need to partner with a trusted third-party vendor to capture, retain and supervise all business communications more efficiently. Technology solutions can help with the internal burden of meeting regulatory requirements.
Best practices involve selecting a platform that can provide a unified compliance and e-discovery workflow across the entire range of digital communications, including email, social media, websites, instant messaging, mobile text messaging and voice. Policies and procedures for ensuring adequate supervision and recordkeeping of such business communications are a must for reducing risks to the firm and its advisors. These records are the best defense against claims of fraud and they can provide early warnings of potential violations.
Firms must develop internal training for relevant people who use electronic communications and document that it has been conducted. Training is also recommended to periodically test the firm’s electronic communications channels and ensure that all messages are being captured in supervisory systems.
In short, the new MiFID II compliance regime should not be perceived only as a burden. It can actually provide an opportunity for companies to move their programs beyond audits and data analysis to achieve a competitive advantage.
With the right technology partner, potential benefits of compliance include the consolidation of specific activities into broader information governance programs and integrating regulatory retention and supervision obligations into the design of business applications and enterprise infrastructure. This process will not only help data managers and compliance teams do their jobs better, it will also improve data practices across the entire enterprise.