by Laura Cooper, Client Services Director at DataRaze
2018 is quickly shaping up to be a regulatory nightmare for those in the financial services industry. GDPR (General Data Protection Regulation) and recent cyberattacks have forced firms to reconsider their approach to data security, management and protection. However, another regulation that is keeping those in the financial services industry awake at night is MiFID II (Markets in Financial Instruments Directive II).
While MiFID II will come into force on the 03 of January, 2018, those in the financial services industry need to be adapting their processes now to prepare well in advance. Taking a sit-and-wait approach to the MiFID II regulation is simply not an option.
What does MiFID II mean for the financial services industry?
If a firm performs investment services and activities, it is subject to MiFID II. It will affect all categories of dealing, broking, asset management and advisory services provided by banks, non-banks and other service providers. This means that investment firms, market operators, data service providers, third-country firms providing investment services and CCPs (Central Counter-parties) must comply with MiFID II rules.
Under MiFID II, financial services who provide any financial advice to clients over the phone, recommend products or make transactions, must record those calls. In addition, face-to-face meetings must be formalised and minutes taken, recording all transactions which must then be reported and updated on a regular basis.
As a services-based economy, particularly financial services, this is a tremendous amount of data which needs to be recorded and stored.
Of course, the Cloud presents the most suitable option for MiFID II data storage compliance – even the Financial Conduct Authority uses it – but what happens when a data server, in the Cloud or otherwise, reaches end of life and needs to be destroyed? Under MiFID II, it would be better for the financial institution to own that process of data destruction and disposal. This way, the institution has complete control over the process and have a clear chain of custody that ensures they are compliant with both MiFID II and GDPR.
But this does mean overhauling several business elements in the process – so what can businesses do to prepare? No.
How can businesses achieve MiFID II compliance?
- Reassess the business framework –Financial firms will need to reconsider and redefine the products they offer, the platforms they use to trade, how they interact with and categorise clients.
However, a change in processes to protect investors under MiFIDII, will undoubtedly mean the replacement of existing digital infrastructure. Old systems will need to be replaced and disposed of – and data consolidated in one central location for transparency. Therefore, to ensure old data is securely destroyed, financial institutions need to have a third-party, regulatory compliant solution to help them with this process, or an in-house, regulatory compliant IT asset disposal solution which provides complete transparency and chain of custody in relation to destroyed assets.
- Change technology – MiFID II will also encourage firms to alter the technology they use to ensure they meet the regulations requirements. Financial services must consider the refinement of their client database/repository, customer portals, trading activities and post trade reporting transparency. Technology to accurately record costs and charges and provide full disclosure will be key.
With any shift to new infrastructure or a change in technology, many institutions can be quick to adopt the new solutions, but don’t have a strategy in place to dispose of the old ones. Much of the risk therefore, lies in the transition to these new systems. As the old systems reach their end-of-use, institutions need to securely wipe those systems clean, destroy them and dispose of them in a compliant manner. With this in mind, any financial institutions would be wise to enlist the help of ADISA (Asset Disposal and Information Security Alliance) accredited companies to assist with the management, cleansing, destruction and disposal of old IT assets.
- Establish a data governance framework to coordinate activity
The foundation of MiFID II is data – and requires that firms understand data, record it, report on it and store it appropriately. Also, with GDPR, ensuring the quality, availability and transparency of data has never been more important.
By establishing a data governance framework, financial institutions can maintain a high-level of data quality across operations, as well as define the processes involved to ensure complete regulatory compliance. Furthermore, good data governance can support end-to-end planning for new processes regarding data management, as everyone within the institution can clearly see how data is transferred throughout.
Ultimately, achieving MiFID II compliance – like GDPR – should not be looked at as another ‘compliance burden’ but rather an opportunity to overhaul existing infrastructure and processes for a new approach that can deliver more value to the institution and clients alike.
Institutions that are embracing change now to devise the right strategies, will be a step ahead of the competition and adequately prepared for new regulatory changes in the future.