NEWS ANALYSIS: How To Ensure There Isn't A Clash Between MiFID II And Looming Data Protection Regime

Tom Burroughes

7 June 2017

Not for the first time, wealth industry practitioners are fretting that impending regulations will force firms to do diametrically opposite things, leading to a costly legal mess that might take years to sort out. A senior wealth technology figure says such worries aren't justified, however.

The latest example of what is feared could be such a stand-off comes from two major sets of European Union rules: MiFID II, which seeks to improve investor protection and the quality of advice (taking effect from the start of 2018), and the General Data Protection Regulation (GDPR), which kicks in from May next year. GDPR sets out strict terms under which organisations may collect and store personal data and forces such groups to explain clearly what they do with it.

The fear of a clash stems from the fact that while MiFID II requires banks, brokerages, asset managers and other parties to collect reams of information from clients, so as to help with areas such as investment suitability and anti-money laundering rules, GDPR limits what data can be held and for how long. So at first glance these sets of requirements could create a compliance reconciliation nightmare. The punishments regulators can mete out under GDPR are harsh: fines of up to 4 per cent of annual worldwide turnover can be imposed for an infringement. That is enough to put some players out of business. Squaring these rules with MiFID II is therefore essential.

However, the perception that the rules clash is misconceived, if understandable, and suggests that the authorities must be clearer in setting out the boundaries, said Andrew Watson, head of regulatory change at , the firm that issues the FIGARO front-to-back-office system for wealth managers and other financial organisations.

“There is a lot of confusion. GDPR says you should only keep the data you need for only as long as you need it. If you are doing lawful business then there are data needs associated with that. I don’t see a conflict here,” Watson continued.

"One issue with such regulations is that there is a lack of clarity about how the rules will affect firms until quite late," he said.

MiFID II, which imposes reporting and data collection obligations on firms, is one of the largest regulatory changes to hit European wealth management for years, and is part of the regulatory aftermath of the 2008 financial crisis. With GDPR, meanwhile, the rules play to public concerns about security of client data - a point driven home almost daily by stories of cybercriminals stealing data, or even plain simple losses of information caused by carelessness.

At this news service's recent conference in London on MiFID II, panelists were asked how, and whether, firms could reconcile the seemingly very different requirements of the two pieces of legislation. The general consensus appeared to be that a clash could be avoided so long as the bodies collecting data under MiFID II were very clear about why they were doing so. (A fuller report on that conference, held in May, is forthcoming.)

Rights and obligations
The GDPR regime creates new "rights for data subjects", including around consent and the so-called "right to be forgotten", Watson said. "GDPR does not change anything in financial regulation but you do need to take data protection really seriously," he said.

A key issue is that when a client signs up for a discretionary wealth management service, the wealth manager must understand the investor's situation, goals and objectives as part of the suitability review stipulated by MiFID II. Despite the rights granted to the data subject by GDPR, the investor cannot withdraw consent for the use of the data for this purpose, because the processing is required by law rather than resting on consent. Even if the investor asks for the account to be closed, both MiFID II and anti-money laundering legislation require the wealth manager to retain these records for many years afterwards. GDPR does not override this. Wealth managers do, however, have a responsibility to safeguard this data, both against outsiders and within the firm.

Arguably, a greater problem is that the sheer amount of energy and time firms are consuming in getting their ducks in a row before the MiFID II deadline comes at the expense of other compliance areas, including GDPR, he said.

“The industry is doing a lot about MiFID II and that’s taking up a lot of bandwidth. I am seeing a lot of firms queuing up their GDPR projects behind MiFID II and that’s a mistake,” he said.

Watson argued that companies must take a holistic view of IT spending on compliance, so as to give themselves flexibility and ensure that data protection and security are at the heart of everything they do.

A recent survey by Duff & Phelps said that only 36 per cent of firms surveyed were fully confident of being ready for MiFID II next January. Recent media reports have pegged the cost of preparing for MiFID II at around $2.1 billion.

The International Association of Privacy Professionals estimates that as many as 75,000 data protection officers will be needed to manage EU citizens’ personal data around the world.

An additional complication, industry figures say, is that it is not clear to what exact extent the UK's compliance with the regulation will be affected by Brexit; on the current timetable, GDPR will be UK law for at least a year, if not more, before the country quits the EU. Even if that were not the case, the UK is likely to be under pressure to upgrade data protection so as to achieve equivalence with other major jurisdictions as a condition of trade and market access.