GDPR and MiFID II: A car crash waiting to happen?
2018 is a big year for financial regulation, with the Markets in Financial Instruments Directive (MiFID II) and the General Data Protection Regulation (GDPR) both coming into force in the first six months. Both regulatory vehicles deal with data management, and both will have a significant impact on the way financial institutions operate. However, whilst MiFID II seeks to improve transparency by encouraging data gathering, retention, and sharing, GDPR mandates more stringent controls around the same activities.
From what I’ve seen, firms are taking a siloed approach to delivery, with many prioritising MiFID II due to the sheer scale of the regulation, as well as the more pressing go-live date. However, apparent contradictions between the two have fuelled industry fears of a headlong collision and, with GDPR non-compliance carrying hefty fines of up to 4% of global annual turnover, a wrong turn on the road to compliance could prove fatal.
Collision sensors as standard
When looking under the hood, it appears that the differences between MiFID II and GDPR could be largely superficial. This is unsurprising given that both are pieces of EU legislation and should therefore be aligned.
For example, Andrew Watson (Head of Regulatory Change, JHC) points to the misconception that the GDPR restriction on data retention directly contradicts the mandated five-year retention period under MiFID II, stating:
In addition, the limitations on the use of personal data imposed by GDPR will have minimal impact on investment firms who are granted exemptions given the MiFID II requirement to gather and retain investor information as part of ongoing suitability reviews. Likewise, the ‘right to be forgotten’ does not apply to trading records covered by MiFID II and / or Anti Money Laundering and Fraud regulation.
Finally, both MiFID II and GDPR seek to ensure that investment firms can control and govern the data they store and process, and the regulators are establishing sensible and pragmatic exemptions.
As such, the mechanisms to prevent a collision between the two regulatory vehicles appear to have been built in as standard.
Poor visibility breeds uncertainty
However, with deadlines fast approaching there are still areas where the regulatory fog has yet to clear, creating poor visibility of shared requirements. For example, the GDPR prohibition on recording and storing employees’ personal conversations will certainly complicate efforts to comply with the MiFID II requirement to record all communications relating to a trade. Additionally, it is unclear whether the MiFID requirement to store trade-related communications is justifiable in terms of GDPR where the trade is not actually executed.
With high fines associated with GDPR non-compliance, this lack of clarity is causing concern among investment firms. Earlier this year I attended the Thomson Reuters Financial Regulation Summit, where panellists at the GDPR breakout session were keen to point out the challenges arising from a lack of guidance from the regulators. The main concern was that firms may find it difficult to adapt their rapidly implemented MiFID II data gathering and retention solutions to the GDPR requirements where there are outstanding contradictions. All panellists agreed that it would have made more sense to introduce GDPR ahead of MiFID so that firms could proceed with clear boundaries and within a defined scope.
Of course, sense does not always prevail. With just over six months to go until the implementation deadline of 25th May 2018, GDPR is well and truly in the headlights, just as the MiFID II workload is reaching its peak. Firms must consider how best to tackle the intricacies of GDPR, whilst balancing the demands of one of the biggest Capital Markets regulatory change programmes of recent years.
Undertaking a course correction
Given the shared focus on data quality and control, firms will be able to leverage analysis and investigation already performed on MiFID II to accelerate their efforts on GDPR. Unfortunately, I’ve seen a lack of communication between disparate teams, which has only served to enhance the challenges posed by these two implementations. I’d counsel firms to move towards a more coordinated approach to delivery, with knowledge and best practice being shared. This could be as simple as regular touchpoints between programme stakeholders, or as drastic as embedding a single over-arching programme team with oversight of both deliveries.
The final destination
No matter which route they take, all firms should arrive at a place where they meet the transparency and data retention requirements of MiFID II within the constraints of GDPR. The journey has been complicated by a lack of clarity on the rules and the adoption of incompatible and siloed compliance strategies, but we are at a critical junction. Decisions made now will determine the cost of the journey ahead and whether firms arrive on time and unscathed, or even make it at all.
Firms should seek to make the remainder of their journey as smooth as possible by improving communication between MiFID II and GDPR programmes and staying alert to opportunities for combining efforts. Longer term, there are lessons to be learned for future projects; GDPR and MiFID II are not the only vehicles on the road and firms that are able to navigate full regulatory compliance will have a significant advantage over competitors who may get lost along the way.