US firms face uncertainty over EU privacy and trading rules
Businesses need to be aware of the potential conflicts between two of the EU’s largest upcoming regulatory changes, a technology professional has warned. Both regulations are being introduced by European authorities but will affect companies globally.
When Mifid II comes into effect in January 2018, it will transform the way corporate access works and will unbundle the research traditionally produced by sell-side firms as an integrated part of their offering. The European Parliament has stated that Mifid II will increase transparency in the public markets, and UK financial regulator the Financial Conduct Authority has, with the new directive in mind, moved to require investment banks and asset managers to record all phone calls, voicemails and instant messages.
Meanwhile, the General Data Protection Regulation (GDPR) will put significantly tighter restrictions on the way companies collect, process and store data about people living in any of the EU’s current 28 member states. It comes into effect in May 2018 and carries a maximum fine for non-compliance of €20 mn ($23 mn) or 4 percent of global annual turnover, whichever is greater.
At the heart of the two regulations there appears to be an ideological conflict that may pose particular problems for financial institutions, with Mifid II striving to create greater transparency in the markets on one hand and GDPR boosting the privacy rights of EU residents on the other.
‘We are going through a period of regulatory turbulence in the financial services industry,’ says Mark Holmes, chief executive of Waymark Technology. He warns that one of the biggest problems facing compliance officers ‘is finding exactly which parts of these new regulations apply to their firm and which don’t, and – crucially – if they take action to do one thing, whether they are falling foul elsewhere.’
Holmes says companies that are working to comply with both regulations should ensure their efforts aren’t occurring within isolated silos, but that could be easier said than done. Several law firms declined to provide commentators for this article on the grounds that the regulations are covered by attorneys from different practice areas within their organizations.
According to Holmes, some of the areas of conflict between the two regulations are:
• As part of Mifid II’s stated aim of increasing transparency, investment banks and asset managers will be required to record and store all records that lead up to a transaction. But Article 5 of GDPR stipulates that companies can store only personal data that is ‘relevant and limited to what is necessary’. Further, EU residents will have the right to know what data is stored about them and the right to request its deletion under GDPR, which could pose further challenges for complying with data storage requirements under Mifid II.
• Once a financial institution has gathered the records related to trading activity, the firm must store the data for up to five years so that it can be accessed by regulators. Yet GDPR’s Article 5 states that data must be kept for ‘no longer than is necessary’. Holmes says there is a gray area between the two regulations. ‘It remains quite woolly as to whether five years is too long,’ he says.
• Article 33 of GDPR also requires that companies report any cyber-security breach they suffer within 72 hours. If the company is encrypting its data, however, it can avoid the reporting requirements, Holmes says. While this loophole may appear attractive, it can drive problems with Mifid II compliance. ‘If companies do this, how will they provide a regulator with access to encrypted data?’ Holmes asks.
By understanding these potential conflicts ahead of time, the financial services industry can co-ordinate a response, Holmes says. He points to the work that Project Sentinel, a collection of financial companies in London, did to generate greater understanding and a response to Mifid II. ‘It saw a real cost benefit and is now pushing tools and technology to assist with Mifid II compliance,’ he says.
The Association of Executive Search and Leadership Consultants has formed a similar working group for GDPR compliance, producing an EU-approved code of conduct for the industry.