And Just When You Thought the Worst was Over – MiFID Connection to GDPR

Integral reports

The following article was written by Adinah Brown, content manager at Leverate.


Oh, great… more regulations—just what the financial markets need. However, MiFID II and GDPR, due to come into force early 2018, are likely to change the financial landscape for the better.

The GDPR, or General Data Protection Regulation to give its full title, is intended to provide a measure of data protection to financial market participants of the European Community. The plan is to return security and privacy control to investors and financial market players by uniting the varied regulations governing financial activity throughout the EC. MiFID, or Markets in Financial Instruments Directive is an EU law that is designed to harmonize rules for investment institutions that exist throughout the European Economic Area.

However, with regulations, comes questions. What data is actually being collected? Who will have access to this coordinated data? How can protection and privacy be assured?

MiFID, well, actually MiFID II, as this is the second version of this set of financial rules, is designed to protect individuals and assets alike from the vagaries of fraud and the machinations of wild and erratic markets primarily by targeting best trade execution. Its authors just want to see buyers and sellers of financial assets get the best deal. Nothing wrong with that, you might say. And the onus is now put squarely on the shoulders of the organizations that fulfill these deals. Again, not such a bad objective.

However, it is data collection where the GDPR and MiFID come into possible contention. MiFID calls for all client transaction calls to be recorded, for deal checking purposes. However, GDPR supports individuals’ rights to privacy. Could this end in tears…? Timeframes for maintaining call records are critical. For example, if a new account starts trading, but closes that account after two years, MiFID insists that recorded calls be kept on record until seven years have passed, while GDPR requires those records to be disposed of on the client’s request. This scenario will require technicians from both regulatory camps to get together and thrash out a workable agreement.

Of course, not all calls that are recorded on these recording machines are business calls. What about private calls? Naturally, employees will be advised that all calls are recorded, but no systems are watertight and personal recorded information could possibly be placed into a location where it could be accessed. Policies could be put in place, for example, rules stating that all personal calls are to be made on private mobiles. However, many deals are performed when traders are away from their desks – via mobile. This is clearly an area of concern for both MiFID and GDPR regulators.

Consultation will be required between both these agencies if workable, meaningful regulation is to be put in place. Without a watertight plan, not only could traders and investors potentially suffer, but large company reputations are at stake. With violations of MiFID II regulations incurring fines and GDPR breaches being even more heavily penalized, it is in everyone’s interest—customers, traders, and company executives, to coordinate the smooth transitioning into this new regulation era.

Read Also: