Proposed investor protection requirements in Europe represent a seismic shift in the way that European regulated firms deal with records retention.

European compliance officers are facing a raft of new proposals driven by MIFID II. These range from transparency and data publication through to investor protection mandates. Inside the investor protection proposals are some subtle, but important, changes to records retention requirements.

The proposals form part of the consultation and discussion paper issued by ESMA following the politically agreed text of the MIFID II European Directive. Although the records retention changes are just a small part of the discussion, they represent a seismic shift in the way that European regulated firms deal with records retention.

Retention policy has, until now, mostly been owned by the IT department or voice team and was implemented as “bare minimum” rather than “best of breed.” These new proposals raise the responsibility to board level and require a written policy to govern the retention of telephone calls (both fixed line and mobile) along with electronic communication (email and IM, etc.). They require a uniform retention period of 5 years across the 28 member states. Firms are also required to be aware of when their records retention policy fails, investigate the failure, and keep the details of the investigation for possible review by the relevant regulator.

The greatest change is in the proposed requirement for monitoring and surveillance. Where previously European human rights legislation has prevented many compliance teams from contemplating monitoring and surveillance, MIFID II has recognized the importance of surveillance to the stability of the financial markets. The new proposals will require the monitoring of communications by these firms.

Communications monitoring is not new to the financial markets. In the United States, “supervision” has been part of the responsibility of the compliance team since 1992. But the introduction of surveillance and monitoring in Europe will need to be handled with sensitivity. Compliance officers and users alike will have to make some adjustments to the content of messages along with information that may be discovered about employees during surveillance.

Fortunately, there are very good tools that can be used to flag messages or calls that might contain behavior that might need further investigation. With the regulatory focus shifting, these new tools promise to give compliance teams a powerful insight into both the “conduct” of their employees as well as the “culture” of compliance in their organization.