The complexity of implementing MiFID II and GDPR

Complying with new regulations always creates challenges for a business, but the difficulties increase rapidly when two major changes happen at the same time.

This is the situation facing financial services firms today. Not only are they in the process of implementing the latest version of the Markets in Financial Instruments Directive (MiFID II) but they also must comply with the General Data Protection Regulation.

There are, however, some misconceptions about the nature of those challenges. For example, there are concerns that these two pieces of legislation will conflict because they make contradictory demands about how data is treated.

Conflicting requirements?
MiFID II requires financial services firms to monitor conversations more thoroughly than earlier versions of this legislation and covers a wider range of communications. Firms will have to keep a record of video conferencing, web chats, and email, as well as both landline and mobile phone conversations.

While MiFID II requires any communication that has the potential to lead to a trade to be recorded and stored, GDPR requires the firm to have the client’s consent. This appears to create a conflict.

Another area of confusion arises around the right to be forgotten that GDPR gives customers. In other words, individuals can ask a company to delete their data. This appears to clash directly with MiFID II, which says financial services firms need to keep all data for at least five years.

Potential problems could also emerge around data storage. GDPR says all information must be deleted as soon as it no longer has any business purpose. Yet, MiFID II says data must be kept for at least five years.

Resolving these challenges is possible
Fortunately, these conflicts are less acute than they first appear. For example, putting systems in place to obtain the customer’s informed consent, and ensuring that this consent complies with the new data legislation, can resolve the difficulties around storing client communications.

While GDPR does give an individual the right to require that all personal data be deleted, this right is not absolute. If the company has a legitimate reason to retain the information, it is not required to delete it. In other words, MiFID II requirements can trump those of GDPR.

Other challenges exist
A focus on the potential conflicts between the introduction of MiFID II and GDPR ignores the greater challenge of compliance: the immense governance and logistical burden this places on companies.

The bigger the company, the greater the challenge it faces from GDPR. The first step is to ascertain which systems contain personal data. The scale of this task cannot be overstated: large global banks can have more than 150,000 different IT systems across multiple regions.

Committees need to be established to ensure the firm can meet these new data management standards. A strategy must be established for the whole organisation, then translated into the steps each department should take and assigned to individuals within those departments. For example, the strategy must spell out the steps an organisation takes if it discovers that a client’s personal information has been sent to an employee’s home computer or personal email.

MiFID II places a lower logistical burden on firms because it does not affect every department. For example, it has no impact on back office functions. But for trading operations, complying with this legislation is vital, as the regulator can impose high fines and even shut down the business and revoke the bank’s licence.

Implementing the systemic changes needed to comply with MiFID II is less about the expense of new IT systems and more about the cost of rolling those changes out.

For example, taking an FX trader offline for an hour to modify the systems could cost an investment bank millions of pounds. That forces firms to make the changes out of hours to minimise these costs, but there is no guarantee that glitches won’t surface when trading resumes.

Complying with a single regulation like GDPR or a directive such as MiFID II is already a significant challenge for financial services firms. Implementing both at the same time only compounds the difficulties.

Cost-cutting further compounds the difficulties
Declining profits have forced many investment banks to cut costs. Financial service firms must navigate this significant regulatory burden while compliance departments continue to shrink. Managing a smaller workforce with a greater workload is a major challenge. Ever more efficient and effective supervision solutions are required to offset this challenge.

The cost of regulatory compliance has now become onerous and operating in these markets could become uneconomic for smaller companies. Even if organisations within the UK manage to stay on top of the myriad challenges presented by MiFID II and GDPR, they might be pushed over the edge later this year when they have to comply with the Data Protection Bill.

There’s no easy shortcut to regulatory compliance, but our free checklists on GDPR and MiFID II compliance can provide your organisation with a helpful guide on how to ensure you’re headed in the right direction, whether you’re still plotting your compliance strategy or are seeking new insights into your compliance efforts to date.

MiFID II Checklist
GDPR Checklist

Smarsh
