On the 3rd January 2018, MiFID II (the second Markets in Financial Instruments Directive) will come into effect. It stipulates that anyone involved in the advice chain for an intended trade must record and retain all records of interaction for a minimum of five years. With the official deadline for compliance less than a year away how can you best prepare for this?
While some interactions with customers might be in person, the majority will be over electronic channels and mainly email. With the adoption of cloud-based services such as Office 365 and G Suite, messages have to be protected whether they are sent from a phone, laptop or standard PC. However, there is a gap in record retention strategies that many firms are not aware of. Many teams will rely on their cloud app provider of choice to keep copies of all their messages, but in most cases these services don’t provide full disaster recovery or archiving facilities. Without that proper backup strategy in place, messages could be lost and you risk failing your compliance requirements.
How traders work with clients: The importance of email alongside other recorded interactions
Under the previous version of MiFID, the rule was that you could not take personal mobiles onto the trading floor or conduct trades over mobile phones. To comply with MiFID I when it came into effect in 2011, many organisations stipulated that everything had to be conducted over fixed line communications. Fast forward to today and there are so many more ways for people to interact, as well as more stringent regulations to consider.
Under the changes in MiFID II, “anyone involved in the advice chain” will have to keep records of all interactions with their customers that might influence a trade. This means that all records that influence or lead to a “potential trade” will have to be stored for posterity, rather than the specific messages authorising trades themselves. In terms of working practices, keeping all your records from phone calls to emails will be required.
For bank trading desks and hedge funds, the sheer volume of records that will therefore be counted under MiFID II is huge. However, this increase should not be seen as daunting or a reason to avoid compliance. There are ways to reduce the number of records that have to be kept, and approaches that can keep data both secure and protected over time.
Here are three approaches that should be considered from compliance with MiFID II:
- Control over storage of messages
- Each organisation should have a full record of the messages that traders send to clients, so that any request for those messages can be met over time. Managing this kind of compliance request will mean that data protection and archiving of messages will be necessary, as well as the ability to confirm that each message was sent at specific times and dates.
- To attain compliance here, check your current data retention strategy and that all records are being protected adequately. For most companies, a disaster recovery and archiving strategy will have to be updated to cover MiFID II as Cloud-based data protection services can help protect your data.
- Control over data on devices
- With email available on phones, laptops and PCs, it’s possible for traders to send messages from multiple devices. Similarly, data can be saved down to devices for later use.
- Getting a full overview of all devices and where messages are saved can be difficult without being able to see those devices from a central point. Check with your IT team that they have this level of oversight, and look to fill any gaps that might be discovered. Again, using data protection services that can track data on mobile devices can help.
- Control over applications
- Any interaction with a customer might influence a trade, so popular instant messaging platforms would be covered just as much as formal communications channels like email. These systems often can’t have their transactions saved centrally due to encryption of the messages. It’s therefore important to stop their use for work, as this will then take these services out of the scope of any compliance project.
- To help your organisation meet its compliance requirements, you will have to agree that these services can’t be used for work purposes. This will mean educating traders on why these tools can’t be used with clients, and collaborating with IT to lock down devices so that these applications can’t be installed.
Looking at these three areas should make it easier for banks and hedge funds to attain compliance.
Cloud, compliance and cost
MiFID II will apply to many more people and more businesses across the trading sector, as well as covering more data for more time. For some firms that are now covered by this compliance directive, the focus will be heavily on the increased data storage requirements that are involved. Rather than having to store six months’ worth of data, companies will have to store sixty months’ worth of emails and other records. At the same time, more messages and interactions will be counted as contributing to each trade.
For firms to comply, it is worth looking at the language that is used to describe the storage of all relevant records around a trade:
“… an investment firm shall take all reasonable steps to record relevant telephone conversations and electronic communications, made with, sent from or received by equipment provided by the investment firm to an employee or contractor or the use of which by an employee or contractor has been accepted or permitted by the investment firm.”
On top of this official rule, it’s also worth looking at the technical guidance that has been provided by the European Securities Markets Association:
“Records shall be stored in a durable medium, which allows them to be replayed or copied and must be retained in a format that does not allow the original record to be altered or deleted.”
This storage requirement has to provide a full and durable copy of all transaction records, including email, and can therefore be seen as an expensive outlay. However, cloud storage now offers an alternative option that can meet the “reasonable” data storage and durability elements that are required in MiFID II.
As companies look at moving their applications over to the cloud, so data protection and management will have to follow. This can help firms take advantage of some of the cost savings that cloud can offer. Additionally, companies can now look at public cloud storage platforms as an option for storing this data. The evolution of cloud platforms such as Amazon Web Services and Microsoft Azure to provide greater control over data residency and security has made it popular for more companies, while the cost of cloud storage continues to be lower than deploying traditional storage arrays.
For many companies, the use of cloud services might seem like a challenging shift. However, cloud services have developed extensively since they first launched. The ability to set rules in place around data residency and control over the location of data storage has meant that many more organisations can now use cloud to store sensitive data. For its own MiFID II compliance project around storing trading data, the UK’s own Financial Conduct Authority is using Amazon Web Services as a platform to scale its storage over time. This use of cloud services therefore demonstrates that this is a valid choice for the future.
As the deadline for MiFID II gets closer, more companies are evaluating how their current data and compliance programmes are fit for purpose. Filling the gaps in data protection and information management around all customer interactions will be a necessary part of the planning process that is taking place. Taking cloud applications and mobile working into account as part of your MiFID II compliance programme is therefore essential. At the same time, having a tertiary copy of trading records data that can act as an archive can be a welcome approach to managing compliance from both the cost and availability perspectives.