Mifid implementers run head first into GDPR
Collect everything and store it for ever, or only collect some data and destroy it as soon as possible? That is the question facing bank compliance officers struggling with Mifid II and GDPR.
Bankers in charge of creating and implementing systems to comply with the second Markets in Financial Instruments Directive (Mifid II) have been turning to the General Data Protection Regulation (GDPR), which comes into effect in May. Data collection and protection requirements appear to be in conflict under the two regimes, and some banks may even have to overhaul their new Mifid II systems to comply with GDPR.
On February 8 the UK’s Financial Conduct Authority issued a joint statement with the Information Commissioner’s Office stating that, in the agencies’ opinion, upcoming requirements regarding personal data privacy and security under the EU’s GDPR are not “incompatible with the rules in the FCA Handbook” – a statement that many took to cover Mifid II, which requires banks to collect and store vast amounts of personal data.
That might come as a relief to project teams charged with creating and implementing Mifid II systems. But there was a slight caveat to the FCA announcement: “However, we recognize that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.”
David Lawton, managing director at consultancy Alvarez & Marsal and former director at the FCA, thinks that caveat a little loaded.
“What they’re saying is that you won’t find one rule in GDPR that flatly contradicts Mifid II,” he says. “But in order to comply with GDPR, you have to collect, store, process and dispose of data in specific ways, and you may have built your Mifid II systems in ways that may not be compatible with that.
“I read that announcement about how to ensure GDPR can be implemented consistently with other regulation and what that says to me is: ‘We’ll get back to you.’”
Regulators have been aware of industry concerns for some time. Lawton notes that the FCA had originally wanted bank transaction reports to include the National Insurance numbers of people involved in each transaction, but the banks fought back arguing that such personal information would be protected under GDPR.
Lawton and others advising banks have said there are real concerns that Mifid project teams have been working in silos and that there may need to be overhauls of those systems in some cases to comply with GDPR.
“When you talked to some clients in early January about how Mifid II implementation had been going, they’d say resources were moving on to the next thing, which is GDPR,” says Lawton. “It’s the nature of deadline-driven project teams.”
There is no consensus on the scale or even the exact areas of the tensions between the two regimes. Only one of the 10 large banks Euromoney contacted was able to comment definitively on whether or not its Mifid II systems were GDPR compliant.
Tellingly, one Mifid II manager at a big bank declined on the basis that he was not very familiar with GDPR.
It may well be that these banks simply do not see any conflicts. An executive at a leading international bank told Euromoney that while implementing Mifid II solutions, his teams were not working towards GDPR compliance, but that they are now tweaking their Mifid systems to be GDPR compliant.
“We’re not perfect yet, but I’m confident we’ll get there,” he says.
Big banks with international frameworks for data collection, transmission, processing and protection are likely to have fewer hurdles to jump. But smaller institutions and those with a country-by-country approach to data could have serious challenges ahead.
“Some [banks] seem more concerned than others,” says the banker.
But global policies can be troublesome too, says Lee Stonehouse, chief executive of Venncomm, which provides Mifid II-friendly communications solutions.
“Overarching policies are challenging because they then inhibit some ways of doing things that are efficient,” he says. “Simple policies that sort of work as a cover-all might solve one problem but cause mass inconvenience for tech, risk management and other employees.”
At issue are the basic data collection requirements of Mifid II and the articles that govern similar areas under GDPR.
“Fundamentally Mifid II requires that everything electronic be recorded and stored for ever, effectively,” explains Stonehouse. “GDPR says you can only collect certain information for stated purposes only, and that you have to destroy that information as soon as possible.”
Mifid II requires banks to collect and store communications data across all media: landlines, mobile phones, social media, Bloomberg chats and email. And all of it has to be available to regulators within 72 hours of a request and in a form that is “useful” to them, says Stonehouse.
“When compressed and then decompressed, you have to be able to tell who it is that’s communicating and what they’re saying.”
GDPR, on the other hand, is essentially about the right to be forgotten. Regimes between jurisdictions can also conflict, Stonehouse says, further complicating compliance.
Under Mifid II, a client call, for example, would have to be kept for a minimum of five years. But, says Stonehouse, other requirements in the regime effectively mean it would have to be stored for ever. Tax laws require, for example, that transaction data be stored for seven years from a transaction’s expiry. But a bank might have a 50-year swap attached to a transaction, so effectively the data is stored for all that time.
Further complicating all of this is the fact that while banks are responsible primarily to the regulator under Mifid II, who may well apply the rules fairly and proportionately, GDPR creates a responsibility to third parties.
“Even if the regulator were to say: ‘We’ll be fair and proportionate in our application of the GDPR rules,’ it still doesn’t stop a third party using their rights to make demands of firms from day one that could be onerous to comply with,” says Lawton.
The European regulator in charge of GDPR, the European Data Protection Supervisor (EDPS), has issued guidance that seems at odds with certain aspects of Mifid II, such as the 72-hour turnaround period for data requested by a regulator.
In its guidance on the matter, the EDPS says that even recordings of calls wholly or primarily related to financial transactions or professional activities “include personal data, and access to this information by competent authorities represents a significant interference with the right to privacy,” and that “unless strictly necessary, the measure [ie the relevant law] should explicitly exclude access by competent authorities to the content of communications. Access to communications data by the competent authority should require a prior judicial authorization in the interest of harmonized application of EU legislation across all Member States.”
Euromoney understands that banks have been particularly exercised about the EDPS’s guidance on call recordings, but the EDPS was unable to provide further comment on those concerns.
The accounts of those advising banks show that the challenge of reconciling the two regimes is focusing minds. The huge scale of Mifid II required the work of dedicated teams for years and whole infrastructures were put in place. GDPR may not consist of the thousands of pages Mifid II does (it runs to about 90 pages across 99 articles), but its scope is vast and, for firms that were not well aligned to existing data requirements, it is a much bigger task, says Lawton.
“I met with the chief risk officer of an international bank a few weeks ago,” says Stonehouse. “And it became clear: banks don’t really have complete coherence about what these rules mean for them. They have folks out there trying to solve for Mifid II, and they’d been told essentially not to worry about GDPR in the meantime. Now they’re being told to worry about GDPR, which goes live in May. This is a big problem for some of them.”
And non-compliance can have serious consequences. Under GDPR, the most severe penalty for a breach of compliance can be as much as 4% of global turnover, says Lawton.
This raises the question of whether or not some banks are being complacent. Some believe GDPR is primarily retail-focused and that only data collected on personnel needs to be treated with particular care under GDPR.
Marcus Evans, partner at Norton Rose Fulbright in London, says his firm believes Mifid II takes priority for banks.
“The starting point is that if it’s mandated by Mifid II, then the bank has a legitimate interest in holding information for the stipulated period or providing personal information to the authorities,” says Evans.
Nevertheless, there are a few areas where tensions exist. Regarding transaction reporting, Norton Rose thinks the legal requirement under Mifid II does take priority over GDPR. But it is not clear that transmitting such information to a third party would be covered by the grounds of “legal processing” and the law firm says other grounds may be needed to justify it.
Record-keeping requirements under Mifid II are a logistical headache on their own; add GDPR into the mix, under which personal data must be kept for no longer than necessary, and they become a nightmare. To comply, Norton Rose says banks need to take careful steps, including being able to demonstrate: “That they have considered the principles of necessity, proportionality and data retention at the time of designing or amending their recording procedures (and review this periodically),” according to a client presentation.
Complexity and vagueness
There are other areas of complexity and vagueness. Evans sees Mifid’s requirement that firms be able to prove they have taken the necessary steps to evaluate whether the investment advice or portfolio management services they offer are suitable to each individual client as particularly onerous.
“Generally, we’ve found a way through it,” Evans says. “But you need to be very clear on why it is necessary to keep the particular data element [collected to assess suitability], and it would be prudent to document why.”
Then there is the growing use in the workplace of personal devices and social media, which create further headaches for compliance. Venncomm’s solution to that is to provide an app that allows a dedicated business number to be imported to a personal device. The app records all interactions made from that number, whether it is a call, email, or any other form of communication.
But that is only part of a solution to complying with both regimes. Banks need to install precise communications policies alongside the use of such third-party solutions, including banning the use at work of any communications systems that restrict the recording of data. Stonehouse points to WhatsApp as an example.
“You can’t really allow it to be used. There’s no practical, legal way to really monitor and record communications on it,” he says.
For the UK’s part, the FCA and ICO say that they will continue to “collaborate in the coming months to address concerns firms raise and support firms’ preparations for the introduction of the GDPR” in May this year.