FinTech Trends Newsletter Week 22nd Jan – 26th Jan 2018

Regulations at Odds: How Firms are Reacting to Potential MiFID II and GDPR Conflicts

Will staying compliant with MiFID II make following GDPR regulations difficult for financial firms?

While MiFID II applies directly to the financial sector, GDPR applies to ANY organisation holding personal data – including financial firms. In our regulated financial world, make sure you’re up to date with the changes and that your technology adheres to the regulations. For Help & Advice Contact Storm IT Financial

MiFID II went into effect January 3rd 2018 with an emphasis on transparency to help protect investors. But on May 25th 2018, GDPR also goes live with its own strict requirements and penalties regarding data privacy. This year, the scope for penalties is significantly bigger, which makes compliance a top priority for many financial firms. The problem lies in the potential conflicts between the two pieces of legislation. GDPR places strict parameters around the kinds of data companies can collect, how long they can store that data, and under what conditions data usage is appropriate. Its scope applies to any company that provides goods and services to EU citizens. To comply with MiFID II, banks, asset managers, hedge funds, and all financial institutions have to keep a stringent record of transactional data, presenting questions about how that data will be treated under GDPR and how to differentiate it where needed. While MiFID II applies directly to the financial sector, GDPR applies to any organisation holding personal data – including financial firms. This has drawn scrutiny from industry leaders claiming that the two regulations were drafted by two separate parties, neither with insight into the other’s requirements, making the probability of conflict quite high.

In this week’s blog, I hope to outline the industry’s concerns over conflict between the two regulations. Here I’ll provide an overview of 3 of those concerns and how financial firms are reacting.

Private conversations and recorded calls in the workplace under MiFID II & GDPR – A key best practice under MiFID II is for financial firms to require that employees leave personal devices at home and only use company-provided devices while in the office. Doing so ensures that all transaction-related communication is recorded for MiFID II reporting and compliance. As with most regulations, it’s important to remember that humans are, well, human. So what happens when an employee, who is likely going to want to reach a personal contact at some point during the work day, stores the names and contact information of friends or family within his or her company-provided phone or computer? The complaint here arises around what some are calling a lack of clear guidance on how the potential conflict can be resolved. Financial firms don’t need specific permission to record calls relating to transactions. Insider trading is one of the key reasons why MiFID II requires conversations to be recorded, and those rules are there to prevent and detect criminal offences. These considerations should take precedence over some of GDPR’s requirements, as long as firms can show proportionality and demonstrate the ability to securely manage personal data.

How long can data reasonably be stored? – MiFID II requires data to be stored for at least 5 years for client data and 7 years for regulator data, while GDPR stipulates that data should only be stored for a “reasonable” length of time. So what constitutes reasonable? There hasn’t been a clear definition and until there is, many firms will continue to feel on edge and abide by MiFID rules.

GDPR’s “right to be forgotten” for consumers – This is another concern. Under GDPR, there are five instances where processing personal data without explicit consent is lawful. Two of these apply to financial firms collecting and holding customer personal data:

* The personal data is necessary for the performance of a contract. In this instance, consent is given upon entering into a contract.

* The data needs to be processed for what are considered legitimate purposes, for example in the framework of anti-money laundering or know-your-customer regulations.

The “right to be forgotten” does not necessarily overpower the language in any given financial firm’s data regulations. In most cases, once you sign up as a customer, you’ve already agreed to share your data. Because these two instances are clearly outlined, MiFID II and GDPR aren’t as at odds as some industry stakeholders have argued.

In just a few short months, we’ll enter into an important period in which concerns over MiFID II and GDPR conflicts will be tested – and hopefully – resolved. To learn more about these potential conflicts, and for further advice and assistance on ways you can increase compliant IT & technology efficiency and reduce costs at your firm – without sacrificing performance – Contact Storm IT Financial.

Storm IT Financial FinTech News & Trends picks: Week 22nd Jan – 26th Jan 2018

UK ‘Most Well-Prepared’ European Nation for GDPR

Survey says the UK is the most well-prepared European country for the General Data Protection Regulation (GDPR), coming into force May 2018:

https://www.infosecurity-magazine.com/news/uk-nation-for-gdpr/

Fintech won’t be the end of the big banks. Tech-fin might be

Businesses that can primarily be considered tech companies, are now branching out into financial services. ‘Tech-fin’ has been surging:

https://www.capgemini.com/consulting/2018/01/fintech-wont-be-the-end-of-the-big-banks-tech-fin-might-be/#

Are the legal and wealth worlds about to collide?

The world of wealth is overlapping with the legal profession more and more:

http://bit.ly/2DHMZrx

Cybercriminals stole $172 billion from 978 million consumers in the past year

Consumers are confident they’re safe online, but hackers have proven otherwise, stealing $172 billion from 978 million consumers in 20 countries in the past year, report says:

https://www.helpnetsecurity.com/2018/01/23/cybercrime-stats-2017/

FIX Trading Community releases cybersecurity guidelines

FIX Trading Community announces the release of guidelines to assist users of the FIX Protocol to meet certain security requirements:

https://www.finextra.com/pressarticle/72303/fix-trading-community-releases-cybersecurity-guidelines

Innovation with Compliance is difficult

Do you believe that the regulators are in the incumbents’ pockets and protect the industry from new competition?

https://thefinanser.com/2018/01/innovation-compliance-difficult.html/

UBS Investment Views: Who believes in Bitcoin?

Listen to Paul Donovan, the British economist and Global Chief Economist for UBS Wealth Management:

https://soundcloud.com/ubs-investment-views/20122017-who-believes-in-bitcoin?in=ubs-investment-views/sets/paul-donovans-daily-audio

UK Wealth and Asset Managers Aspire to Catch-up in Advanced Technologies

Innovation is a high priority challenge for the near future of Wealth and Asset Managers:

http://bit.ly/2Fha5S4

What are the governance, risk and compliance trends set to shape 2018?

Cordium looks at regulations that are affecting money managers:

http://bit.ly/2FGYj4r

The FinTech Big 5: RegTech, Blockchain, InsurTech, AI and Financial Inclusion

Going into 2018, we have chosen five vital areas of innovation in the financial industry to focus on:

http://bit.ly/2ndO0fN

Email security in 2018

Things are going to get even crazier…:

http://bit.ly/2Dah4vK

Is it fair to burden users as the ‘last line of defence’ against hackers?

Our recent survey found that 99 per cent of CISOs see users as ‘the last line of defence’ against hackers – but is this really fair to end users?

http://bit.ly/2DtMobY

Let Storm IT Financial unravel your regulation conundrum, guide and prepare you on IT & regulatory technology, and install compliant solutions so you can deal with the regulatory & compliance burdens now required by the FCA, MiFID II & GDPR. For Help & Advice Contact Storm IT Financial.