Seven things you need to know about MiFID II and GDPR

Source: FTSE Global Markets

Novelist, Alice Walker, wisely said “time moves slowly but passes quickly”. It’s a common sort of witticism that applies to many things in life, including the countdown to MiFID II (The Markets in Financial Instruments Directive) and GDPR (the General Data Protection Regulation – two regulatory beasts, coming into effect in early 2018. Both pieces of legislation will have a significant bearing on the financial services industry. From a preparation point of view, this is the eleventh hour. Making the necessary arrangements for immediate compliance is a significant undertaking, involving the synchronisation of many moving parts.

Our tips hone on the prerequisite to record, store and protect all telephone conversations related to a financial transaction. Of course, there are many other areas to consider but by breaking down the task into a series of manageable assignments, you can make significant progress over the course of a year.

Before forging ahead, it’s important to dispel any confusion about the task at hand as trying to knit together two legislative behemoths would certainly create a degree of bewilderment.

For instance, while MiFID II insists that financial services companies hold more data about customer transactions than ever before, GDPR demands greater refrain and leans towards a more measured approach – erring on the side of curtailing the amount of identifiable customer data companies collect, rather than encouraging them to amass more. I hope the following tips provide clarity and a realistic roadmap for compliance.

Capture all conversations
Under MiFID II companies will need to record all conversations related to a deal – even if the conversations do not lead to a transaction. These conversations include exchanges over a personal mobile phone and face to face meetings – so it’s all-encompassing instruction.
The legislation doesn’t specify how to capture face-to-face meetings, so you could infer a degree of flexibility here. However, written notes probably wouldn’t cut it. Scribbles are often eligible and trying to decipher other people’s notes can be a painful task.
Typed notes would be better but the typing speed of the person in the meeting could be a problem and typing might not be practicable if they’re on the move. Moreover, written and typed notes can be doctored. If their interpretation is insufficient or deemed as spurious in any way, a company could find itself in breach of the regulations. A voice recording is probably the most reliable, discreet option.

All aboard the cloud
In light of MiFID II, companies’ storage demands will go through the roof. On-premise storage is finite, expensive and insufficient. Only the cloud will be able scale to these volumes. To date the financial services industry has been the most conservative adopter so far. This will need to change. Thankfully Gartner has debunked the cloud security myth, explaining that the cloud itself is secure. Businesses have 12 months to act on this security appraisal and enter into a storage arrangement that would both store and protect their voice data.

Lock-up your jewels
It’s a well-known saying that data is a company’s crown jewels. With MiFID II companies are going to have more jewels than ever before. With so much precious data and a regulator with increased powers to punish data loss, a top-notch security vault is in order. By using a cloud-based voice recording solution that encrypts data in transit, as well as rest, and then organises, indexes and stores the data in an impenetrable online vault, nothing is left to chance.

A guiding hand
Most businesses won’t be forced to appoint a chief protection officer under GDPR but policymakers considered making it mandatory for good reason. Given the scope of the legislation, there is a strong but voluntary incentive to appoint someone to the role. Companies don’t need to get caught-up with job titles. Someone in the risk and compliance team might have the right skills at their disposal, or a company might outsource the responsibility to a third party. Either way, a guiding hand should be considered a necessity.

Five-year term
This is where GDPR and MiFID II collide. MiFID II stipulates that all recordings should be stored for five years. GDPR is vaguer and simply states that personal data shouldn’t be kept for longer than needed. It’s not clear whether five years would be deemed too long for a simple telephone conversation that didn’t lead to a transaction (but might have done). When it comes to data security and compliance, certainty is important. While assuming the right hand knows what the left hand is doing isn’t ideal, companies can now access technology that counters this uncertainty.

Quarantine personal calls
BYOD is no longer a new trend – it’s the norm. The lines between business and consumer devices have blurred. People use their personal devices for work calls without even thinking about it – and vice versa. While this is convenient for the user, it does mean far more devices now fall under a company’s remit. This is an accountability issue.
Under MiFID II businesses will need to capture all conversations about a transaction, irrespective of what device they use. But under GDPR, they’ll be prohibited from recording and storing their employees’ personal conversations – doing so would be considered an invasion of privacy. So rather than casting a wide net, firms need to consider how they’re going to record and quarantine some calls but not others. By using a service which enables you to run two telephone numbers from one phone and applying certain policies to the device, it’s possible to segment usage from day one, in a completely automated and stress-free way.

Brexit is not an excuse
Finally, the spectre of a hard Brexit is not a get-out clause. Both legislations will come into force in 2018, irrespective of an exit from the EU. Yes, we might not be subject to GDPR in two years’ time but if we want to continue to trade with Europe, we’ll need a UK equivalent. The Information Commissioner’s Officer (ICO) has confirmed that if the UK wishes to trade with the EU single market on equal terms, post Brexit, it will need to prove ‘adequacy’. And of course, businesses will need to keep the cogs turning in the interim.
MiFID II demands a degree of transparency and accountability not seen in the financial services industry to date. Since the financial crisis, regulators have sought greater control and answerability. They wanted to be flies on the walls. Now they can be the earpiece in peoples’ phones. Thanks to advances in technology they can demand greater levels of reporting and tracking. Naturally it’s the businesses’ call as to whether they take advantage of secure vaults in the cloud, encryption, data indexing and duo persona. Or they can try to muddle through, drop some balls along the way and hope that no one notices – while coming out in shingles.

Leave a Reply

Your email address will not be published. Required fields are marked *
You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>