Regulations at Odds: How Firms are Reacting to Potential MiFID II and GDPR Conflicts
The Markets in Financial Instruments Directive II (MiFID II) goes into effect in January 2018 with an emphasis on transparency to help protect investors. But in May 2018, the General Data Protection Regulation (GDPR) also goes live with its own strict requirements and penalties regarding data privacy.
This year, the scope for penalties is significantly bigger, which makes compliance a top priority for many financial firms. The problem lies in the potential conflicts between the two pieces of legislation.
GDPR places strict parameters around the kinds of data companies can collect, how long they can store that data, and under what conditions data usage is appropriate. Its scope applies to any company that provides goods and services to EU citizens.
To comply with MiFID II, banks and financial institutions will have to keep a stringent record of transactional data, presenting some questions about how that data will be treated under GDPR and how to differentiate it where needed.
While MiFID II applies exclusively to the financial sector, GDPR applies to any organization holding personal data, including financial firms. This has drawn scrutiny from industry leaders, who claim that the two regulations were drafted by two separate parties, neither with insight into the other’s requirements, making the probability of conflict quite high.
Earlier this year, Opus VP Dov Goldman and Opus Solutions Consultant Richard Saville were featured in a Global Risk Regulator article outlining the industry’s concerns over conflict between the two regulations. Here we provide an overview of three of those concerns and how financial firms are reacting.
Private conversations and recorded calls in the workplace under MiFID II & GDPR
A key best practice under MiFID II is for financial firms to require that employees leave personal devices at home and only use company-provided devices while in the office. Doing so ensures that all transaction-related communication is recorded for MiFID II reporting and compliance.
As with most regulations, it’s important to remember that humans are, well, human. So what happens when an employee, who is likely going to want to reach a personal contact at some point during the work day, stores the names and contact information of friends or family on his or her company-provided phone?
The complaint here arises from what some are calling a lack of clear guidance on how this potential conflict can be resolved.
Richard Saville notes that financial firms don’t need specific permission to record calls relating to transactions. “Insider trading is one of the key reasons why MiFID II requires conversations to be recorded and those rules are there to prevent and detect criminal offences,” he says. These considerations, he says, should take precedence over some of GDPR’s requirements, as long as firms can show proportionality and demonstrate the ability to securely manage personal data.
How long can data reasonably be stored?
MiFID II requires data to be stored for at least five years, while GDPR stipulates that data should only be stored for a “reasonable” length of time.
So what constitutes reasonable? There hasn’t been a clear definition, and until there is, many firms will continue to feel on edge.
Another concern is the GDPR’s “right to be forgotten” for consumers. Under GDPR, there are five instances where processing personal data without explicit consent is lawful. Two of these apply to financial firms collecting and holding customer personal data:
- The personal data is necessary for the performance of a contract. In this instance, consent is given upon entering into a contract.
- The data needs to be processed for what is considered a legitimate purpose, for instance in the framework of anti-money laundering or know-your-customer regulations.
The “right to be forgotten” does not necessarily override the language in any given financial firm’s data policies. In most cases, once you sign up as a customer, you’ve already agreed to share your data. Because these two instances are clearly outlined, MiFID II and GDPR aren’t as at odds as some industry stakeholders have argued.
Managing Third-Party Risk under GDPR
A major part of GDPR compliance requires that companies only send personal information to third parties that are GDPR compliant. When a third-party data breach occurs (and they will: just check out the headlines and you’ll see reports popping up almost weekly), a company will not get away with just blaming its vendor or supplier. The penalty applied will be steep.
“Firms in the US are looking at GDPR, because they outsource so much of their efforts, so they are looking at what needs to be done for third parties to be GDPR compliant,” Dov Goldman says in the article.
But for better or for worse, some firms are assessing which regulation, MiFID II or GDPR, carries the least risk when it comes to non-compliance.
In just a few short months, we’ll enter an important period in which concerns over MiFID II and GDPR conflicts will be tested and, hopefully, resolved. To learn more about these potential conflicts, read the full Global Risk Regulator article.
Find this post helpful? You’re invited to a breakfast briefing on managing third party risk in-line with GDPR. Join us in London on October 10th, 2018.