A Regulation Conundrum: GDPR and MiFID II

This article was written by Adinah Brown, Marketing Content Manager at Leverate for Finance Magnates.

So you’ve braved MiFID II and you’re still standing; that certainly deserves congratulations. However, for many brokers who have finally completed the months of legwork needed to become MiFID II compliant, the next blow is swift in coming, at least as wide in scope and, in its penalties, more severe. Welcome to the era of GDPR.

What is GDPR?

That’s right: a few short months after MiFID II comes into effect on 3 January 2018, the General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. MiFID II is expected to transform the financial trading industry in the EU; GDPR is expected to do the same for the protection of personal data. Both bodies of regulation are projects of the European Commission, yet the irony is their numerous inconsistencies and the difficulty that financial firms regulated in Europe will have in complying with both of them at the same time.

The Incongruities

The differences between the two corpora of regulation go beyond their prescribed practices and reach down to their underlying objectives. MiFID II is directed towards enhancing investor protection through transparency of information. To that end, it requires firms to report each transaction to an approved reporting mechanism using a template of 65 data fields, while also publishing data on the quality of execution they deliver to their clients. In contrast, GDPR is focused on the confidential safekeeping of personal data held on individuals. For a firm, an individual can be a client, an employee or a person at a third-party provider. GDPR also establishes the right of people to know how their data is being used and the right to have their personal data erased on request, subject to the regulation’s exceptions.

Given these different objectives there are numerous circumstances in which MiFID II and GDPR coincide and potentially contradict. For instance, under MiFID II telephone calls and electronic communications that lead, or may lead, to a transaction must be recorded and kept for five years, or up to seven years where the competent authority requests it, and other client records must likewise be kept for at least five years. GDPR, in contrast, stipulates not only that individuals must be told when and why data about them is being recorded, but also that it may be stored only for as long as necessary; no definitive time frame is prescribed. The tension is real but narrower than it first appears: the right to erasure does not apply while the data is still needed to meet a legal obligation such as MiFID II record-keeping, so a firm that receives an erasure request during the retention period must keep the record and explain why. What it must not do is keep the data beyond that period, or use it for purposes other than the one MiFID II requires, on the strength of MiFID II.

Why GDPR trumps MiFID

If you operate or manage a financial firm in the EU, neither body of regulation is optional; both are compulsory. However, the ramifications of being caught out under GDPR are far more severe than under MiFID II. If a brokerage discovers that client personal data has been lost or mishandled, it has 72 hours from becoming aware of the breach to notify its supervisory authority. For the most serious infringements the regulation provides for fines of up to four percent of the firm’s worldwide annual turnover or 20 million euro, whichever is higher. The consequence of failing to comply with GDPR could cripple a company, while failing to comply with MiFID II is, relatively speaking, a slap on the wrist.

The Way Out

The most feasible solution available for a financial firm to be both MiFID II and GDPR compliant is to contract a regulation service that will manage and facilitate all aspects of reporting. By contracting a specialised third party, a broker gains access to the necessary knowledge and contacts with which to set up a reporting data funnel, and it becomes the third party’s responsibility to ensure that all data is reported in a smooth and streamlined process. The more professional regulatory services follow a process whereby the personal client data collected for KYC purposes is sent directly to the ARM (Approved Reporting Mechanism). The service itself collects and holds only trading data and the client’s trading account identification number, which specialised software then reports onwards to the ARM. This approach minimises the amount of personal information collected and held, while still meeting the data objectives of the two incongruous regulatory standards.
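The separation described above, personal data in one place and retained trading records keyed only by an account reference in another, is the same data-minimisation pattern a broker can apply internally. The following is an added illustration, not the page’s or any vendor’s code: a hypothetical two-store model in which an erasure request removes the KYC record while the trade records MiFID II requires stay retained under a keyed pseudonym until the retention period expires. The five-year window, the HMAC-based pseudonym and the in-memory stores are assumptions chosen for the example.

```python
"""Added illustration of keeping PII apart from retained trading records.
Hypothetical data model (assumption), not code from the article or a vendor."""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed general MiFID II record-keeping period for the example: five years.
RETENTION = timedelta(days=5 * 365)


class Brokerage:
    """Two stores: an erasable KYC store and a retained, pseudonymised trade store."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key   # secret kept by the broker, never exported
        self.pii = {}               # account_id -> KYC record (erasable on request)
        self.trades = []            # retained trade records, no direct identifiers

    def pseudonym(self, account_id: str) -> str:
        # Keyed hash: the same account maps to the same token, but the token
        # cannot be turned back into the account without the key.
        return hmac.new(self._key, account_id.encode(), hashlib.sha256).hexdigest()[:16]

    def onboard(self, account_id: str, name: str, email: str) -> None:
        self.pii[account_id] = {"name": name, "email": email}

    def record_trade(self, account_id: str, isin: str, qty: int, price: float, when: date) -> None:
        # Trade records carry only the pseudonym, so they hold no PII on their own.
        self.trades.append({"client": self.pseudonym(account_id), "isin": isin,
                            "qty": qty, "price": price, "date": when})

    def erase_pii(self, account_id: str) -> bool:
        # GDPR erasure request: drop the identifying record, keep the retained trades.
        return self.pii.pop(account_id, None) is not None

    def purge_expired(self, today: date) -> int:
        # Storage limitation: delete trade records once the retention period has passed.
        before = len(self.trades)
        self.trades = [t for t in self.trades if today - t["date"] <= RETENTION]
        return before - len(self.trades)

    def trades_for(self, account_id: str) -> list:
        # Lookup by pseudonym; works whether or not the PII record still exists.
        token = self.pseudonym(account_id)
        return [t for t in self.trades if t["client"] == token]


def demo() -> dict:
    """Constructed sample data: one client, one trade, one erasure request."""
    broker = Brokerage(pseudonym_key=b"example-key-do-not-use-in-production")
    broker.onboard("ACC-1001", "Example Client", "client@example.invalid")
    broker.record_trade("ACC-1001", "GB0002634946", 100, 12.34, date(2018, 1, 3))
    erased = broker.erase_pii("ACC-1001")
    retained = len(broker.trades_for("ACC-1001"))       # trade still retained
    pii_left = "ACC-1001" in broker.pii                 # identity is gone
    purged_early = broker.purge_expired(date(2019, 1, 1))
    purged_late = broker.purge_expired(date(2023, 1, 4))
    return {"erased": erased, "retained": retained, "pii_left": pii_left,
            "purged_early": purged_early, "purged_late": purged_late}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that an erasure request and a retention obligation no longer act on the same row: the firm can honour the first without breaching the second, and the scheduled purge, not a client request, is what finally removes the trading record.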

Finding a way to manage the contradictions between these two bodies of regulation is essential. A specialised and experienced regulation agency will save your financial business both time and money, because the solution is applied efficiently and sensibly from the start. This frees your brokerage to focus on facilitating the trading interests of your clients, with that regulatory risk substantially reduced.
