Last year was a landmark year for regulatory change across the European financial services industry.
The Markets in Financial Instruments Directive II (Mifid II) came into force on January 3 2018. And with the General Data Protection Regulation introduced just four months later, it has been a busy year for European businesses trying to stay on top of compliance.
Under Mifid II, financial services companies must now have much stricter controls on how they monitor and supervise their communications.
This has forced European companies to completely reassess the way they monitor and capture their communications and collaboration information.
For many, coming to terms with Mifid II has been a challenging process.
Below are the five key lessons that companies have learnt over the past year and why the challenges are set to persist in 2019 and beyond.
1. New communication and collaboration platforms mean increased complexity
Mifid II requires all communications concerning business transactions in the financial services industry to be monitored and stored for at least five years.
This has become harder for many companies due to an increase in cross-channel communications and productivity platforms such as Microsoft Teams and Slack – platforms that have become firm favourites of millennial and Gen-Y employees.
Slack and other collaboration tools use a range of file formats, including video and audio messages, emojis, Gifs and hashtags.
Many financial services companies still use legacy archiving systems that were created when email was the primary form of communication among colleagues and clients.
This creates a massive problem for companies looking to archive and monitor these new multi-dimensional communications. Archiving this new wave of communications to Mifid standards has proven a near-impossible challenge for those still using these legacy systems.
Unless firms invest heavily in modern archiving systems that can store these myriad forms of communication in a scalable way, they will be faced with a choice: ban productivity-enhancing tools like Slack or risk non-compliance.
2. GDPR requirements appear to be at odds with Mifid II
Financial institutions have, in the past, kept hold of data for longer periods of time than was strictly necessary.
Not only does this create greater exposure for these companies in the event of litigation, but under GDPR (and other data privacy regulations) much greater care needs to be taken over how long they can hold on to personal data.
Consider a company being asked by the Financial Conduct Authority for all information it holds regarding two of its traders involved in a dispute. Under Mifid II, companies are required to retain this data for at least five years.
However, under GDPR greater care is required with regard to what personal information is being retained, whether the company has consent to retain it, and whether the data has a legitimate business use.