Although the objectives of the two European regulatory measures might sound contradictory, financial firms must find a way to accommodate both, particularly when it comes to recording phone calls. They don’t have much time to create a strategy. MiFID II becomes effective in January 2018, while the GDPR takes effect four months later.
“The data privacy manager in charge of complying with GDPR would need to be in constant contact with the MiFID II compliance team to understand exactly what data is being collected about clients and employees, how it will be stored and protected, and who will have access to it,” says Constantine Karbaliotis, vice president of data privacy solutions for Toronto-based Nymity Solutions. “MiFID II is simply one more regulation which data privacy managers must address.” Nymity specializes in providing research and compliance monitoring tools for data privacy officers.
The second incarnation of the Markets in Financial Instruments Directive (MiFID II) raises the bar for the “best execution” that investors receive for their trades. Financial firms are held accountable for reporting transactions and clearly explaining to investors why they are recommending certain financial products and how they are executing orders. The General Data Protection Regulation (GDPR) focuses on ensuring the privacy of clients and employees. GDPR gives individuals the right to know how their data is being used and to ask a firm to delete their information.
Where MiFID II and GDPR intertwine is at the points at which data is collected, stored and accessed. MiFID II stipulates that all communications that lead to a transaction — including calls on mobile devices — must be recorded and stored for up to seven years. Because GDPR supports individual rights to privacy, clients and employees of a financial firm must be made aware of any personal data being recorded and stored to comply with MiFID II. GDPR requires that personal data be kept for only as long as necessary, but the timeframe is never specified.
“Financial firms must make clients aware from the time of account opening that the firm must store their personal data for the same time frame required under MiFID II,” says Karbaliotis. “That means that if the client closes an account a person cannot ask for the information to be deleted until the five years are over.” GDPR project managers — typically data privacy officers — need to be aware of the timeframes for data storage under each type of legislation. That includes MiFID II. MiFID II project managers need to consult with GDPR project managers about the technology required for how any data collected will be stored and protected.
Given that so many trading transactions are initiated over the phone, financial firms are required to record phone calls. But what happens when company-assigned phones are used by employees for personal reasons? “Human resource departments will need to let employees know they are being recorded and that they should not use business lines for personal conversations,” explains Karbaliotis.
Employees making a personal call on a business phone which is not recorded could create a compliance loophole and put the firm at risk for a fine under MiFID II. That is because regulators might still worry that the personal call is related to a business transaction.
What should the financial firm do? There are a number of options. The firm could require that its employees make business-related calls only on devices assigned by their company and make personal calls only on their own cell phones. “Such an option would require that the company take the employee at his or her word, and risk-averse companies might balk at giving their employees such a high level of trust,” cautions Mike O’Keeffe, a general manager at global regulatory data surveillance firm Corlytics. “Employees could easily decide to game the system and use their personal phones for business reasons.”
Yet another option would be for the company to allow the employee to keep their own device, or their own cell phone, while using two separate telephone numbers: one for personal calls and the other for business. The company would record the business calls, but not the personal calls. However, the same regulatory concerns appear. “While this solution seems to allow firms to comply with both MiFID II and GDPR, compliance managers might not want to take the chance that an employee wouldn’t discuss personal matters on a company line and business matters on another line using the same device,” one compliance manager tells FinOps Report.
Two more solutions: employees would provide the company with a list of phone numbers and request that it not record any phone calls with those numbers, or employees could allow the firm to record all of their phone calls. “If the employee were to agree to all their phone calls being recorded, the firm could agree to store the data from the recorded phone calls in an encrypted file in a separate location,” says Andrew Fawcett, product manager for TeleWare, a London-headquartered firm specializing in mobile call recordings. “The information would be accessible only to the employee or to interested parties with the employee’s permission.”
However, if an investigation of the employee’s activities were to occur, what then? The employee could be compelled to allow the data to be released to a regulator. “Even if an employee were to consent to his or her personal calls being recorded by the employer, what happens if other parties to the calls don’t?” asks O’Keeffe, who heads up Corlytics’ London office. He cautions that without the explicit approval of all parties to personal calls to record the communications, the firm might unintentionally find itself violating the GDPR.
Compliance managers at several London-based banks and broker-dealers say they are still figuring out which policy to adopt when it comes to recording phone calls. So far, says Fawcett, some Tier One firms appear to be taking a draconian approach to recording phone calls while smaller ones are being more lenient. “The largest firms are prohibiting their traders from either making or accepting any personal calls on company-assigned business phones or even their own phones during business hours.”
Karbaliotis recommends that, regardless of the decision made, it is critical that financial firms first complete a data privacy impact assessment of their MiFID II compliance activities, including how they handle personal data for clients and employees. “MiFID II and GDPR cannot be considered in isolation,” he says. Privacy impact assessments evaluate and mitigate the risks involved with processing personal data.
Fawcett suggests that financial firms would be best served if MiFID II and GDPR teams work together. “Data privacy officers should be included as part of MiFID II compliance project teams so that MiFID II managers are aware of any overlap between MiFID II’s recording requirements and GDPR’s data protection requirements,” he says.
Financial firms can’t afford to make any mistakes. Violating GDPR could result in fines of either 4 percent of the firm’s global revenue for the previous year or 20 million euros, whichever is greater. Violating MiFID II by failing to adequately record any activities leading up to and including trade executions can also generate hefty penalties. “Balancing the two requirements means coming up with careful and reasonable documented procedures that protect the privacy interests of both customers and employees while meeting the policy objectives of MiFID II,” asserts Karbaliotis.