As the deadline for the implementation of MiFID II fast approaches, financial firms are under growing pressure to take steps to ensure they’re fully compliant. A common issue, however, is that many organisations are still unclear about the full impact MiFID
II will have on their organisation. According to recent research conducted by IPC, while 77 percent of financial firms believe they are ‘prepared’ or ‘very prepared’ for these regulations, 45 percent admit that they need to undertake additional research to
understand how the new rules will affect the way trading communications should be recorded and stored.
Documenting all communications will be key, and this means capturing data from all regulated users, whether they are involved in pre-trade, trade or post-trade activities. It will therefore be important to have clearly defined and effective systems of record
retention and storage. Firms also need to be aware of the General Data Protection Regulation (GDPR), which also comes into effect next year, as it will have a big effect on an organisation’s retention policies.
The requirement to document face-to-face conversations has generated considerable discussion among capital markets participants. From these discussions, several things have become clear. Firstly, there will need to be a record of location, attendees, time
and date, the initiator of the meeting and any substantial decisions regarding the client’s account or business that are made in the meeting. Secondly, while this requirement is undoubtedly aimed at the more retail end of the financial markets spectrum, it
would be wise for firms to add this record-keeping requirement to their policies and ensure people make a note of any meetings that take place.
Businesses will need to keep it simple: for example, by creating a process that records the content of these meetings as an email with a special header, or as a form that can be completed and scanned for retention. Businesses won't want to be asked by the regulator
for meeting records and be unable to produce them.
Types of storage
How data is stored will also be key. MiFID II extends the existing MiFID rules that require records to be tamper-resistant, requiring that they be immutable and easy to track. There will be no situations where records can be corrected except – possibly – for the
record of a face-to-face meeting where people disagree with the recorded version of events when it is circulated. Organisations need to ensure they can do the following when storing all electronically recorded communications:
- Have more than one copy, to protect from technical or facility failures
- Show how records have been protected from being tampered with
- Encrypt all records “in transit” and “at rest”
It’s crucial that organisations review their current practices now in order to make changes by January next year. Questions need to be asked. In particular, does the archive system in use hold enough geographically dispersed copies of the data? If
a data centre is lost, will the organisation still have an existing archive? Is the data adequately encrypted?
An organisation will need to be able to prove immutability, either by proving there is a process in place that protects its data or by using more sophisticated methods that will create a hash value that is associated with each file as it enters the archive.
Moreover, hosted or cloud-based archive solutions are now so sophisticated that they nearly always provide better solutions than maintaining a disk in the organisation’s own environment.
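As an added illustration (not from the article) of the hash-based approach to proving immutability described above: every record entering the archive gets a SHA-256 content hash, and each manifest entry also commits to the previous entry, so a changed record, an altered manifest entry or a removed entry shows up at verification. The records and timestamps are constructed samples held in memory.

```python
import hashlib
import json

# Added example, not the article's or any vendor's code: an append-only archive
# manifest. Each entry carries the SHA-256 of the stored record and the hash of
# the previous entry (a hash chain). The latest entry_hash should additionally be
# copied to a separate write-once location so the chain head itself is anchored.

GENESIS = "0" * 64  # constructed "previous hash" for the first entry


def _entry_hash(fields: dict) -> str:
    """Hash the entry's fields in canonical JSON form so no field can change silently."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def ingest(manifest: list, record_id: str, content: bytes, ts: str) -> dict:
    """Append a record to the manifest, chaining it to the previous entry."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    entry = {
        "record_id": record_id,
        "ts": ts,
        "content_hash": hashlib.sha256(content).hexdigest(),
        "prev": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry


def verify(manifest: list, store: dict) -> list:
    """Return a list of problems found; an empty list means the archive is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(manifest):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["entry_hash"] != _entry_hash(fields):
            problems.append(f"entry {i}: manifest entry altered")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        content = store.get(entry["record_id"])
        if content is None:
            problems.append(f"entry {i}: record {entry['record_id']} missing from store")
        elif hashlib.sha256(content).hexdigest() != entry["content_hash"]:
            problems.append(f"entry {i}: record {entry['record_id']} content changed")
        prev = entry["entry_hash"]
    return problems
```

Run `verify` on a schedule and after any restore from a secondary copy; a non-empty result is the evidence the regulator question "how do you know this was not tampered with?" is asking for.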
The impact of GDPR
The GDPR is scheduled to become effective in May 2018. While the full impact of its requirements will be extensive, there are key aspects that should be considered in the context of MiFID II. One concept of GDPR is that firms should delete data once they
no longer need it. This adds another dimension to the data retention conundrum that financial firms face with regards to the long-term records retention of communications data.
There have long been discussions about how to handle personal information if it is contained in electronic communications. For example, when an email contains a customer’s address, or when a voice recording features an employee discussing an individual’s
personal data. Most certainly, these instances do happen. As such, firms need to be aware that this data should be protected accordingly.
Legal holds are another area where firms routinely retain large parts of their archives for periods longer than customary. The MiFID II requirement to delete data no longer needed after five years could conflict with a firm’s records retention policy if
the company policy is to keep data for longer. These factors need to be considered when utilising a program that destroys records when they are no longer required.
The final aspect for businesses to bear in mind where GDPR is concerned is the right to be forgotten. This will require firms to remove or delete data held about an individual so they are no longer identified in their systems. How this will reconcile with
a firm’s record keeping obligations has not been fully understood, but it’s clear that a firm’s use of artificial intelligence and advanced analytics might be compromised if they are required to ‘forget’ the details of someone they have done business with.
The journey to MiFID II compliance is not straightforward, but organisations can begin by clarifying and ensuring their records retention practices are in order by addressing face-to-face documentation, the different options for data storage and making sure
they are aware of the impact of GDPR.