Western Europe, October 30 2017

Data protection rules set to clash with MiFID

Disparate regulatory frameworks clashing is nothing new, but the EU’s General Data Protection Regulation, which was not drafted specifically with banks in mind, is going to clash with other frameworks such as MiFID II, writes Justin Pugsley.

What is happening? 

From January 2018, the EU’s second Markets in Financial Instruments Directive (MiFID II) goes live with its emphasis on transparency to drive investor protection. Five months later comes the General Data Protection Regulation (GDPR) with a focus on privacy and even the right to be forgotten.

Reg rage anxiety

For the most part, these two imposing regulatory tomes are unrelated. However, MiFID II imposes massive new data requirements on financial firms, some of which include personal details of market participants. 

For instance, MiFID II stipulates that conversations be recorded, and as long as those conversations are business related that is fine under GDPR.

The problems arise when private conversations are recorded, say between employees and their family and friends. The same applies when personal contact details of private individuals are stored on devices issued to the employee by their employer (some banks ban the use of personal phones at work). 

The problem is that these details and conversations are being stored without the consent of those private individuals. Other niggles include how long data can be stored for. GDPR states that it should be for a reasonable length of time (i.e. as short as possible). MiFID II requires five to seven years.

Why is it happening? 

Effectively, the EU wants everybody to be as safe as possible, whether they are eating in a restaurant, transacting investment business or handing over their personal details to an online retailer.  

However, this emphasis on safety, combined with frameworks often devised in isolation of each other, means that they can be overly prescriptive and clash with each other in unforeseen ways. 

So while MiFID II requires transparency, it potentially clashes in certain specific areas with other frameworks such as GDPR, whose aim is to protect personal data. And of course infringements of either framework come with some potentially bruising penalties.

It gets worse. Both MiFID II and GDPR give individual member states a degree of leeway on applying some aspects of the rules. So on privacy, Germany will likely gold-plate GDPR, making it harder for banks to comply with MiFID II.

What do the bankers say? 

Frameworks clashing with each other is nothing new. In time, regulators and the industry find ways to smooth out the wrinkles. However, the European Securities and Markets Authority has so far only provided high-level guidance on GDPR/MiFID II overlaps, which the industry finds inadequate. 

A certain number of potential clashes can be resolved by, for instance, a bank requiring its customers to give consent to the use of their data. To an extent that can mitigate the right to be forgotten, likely resulting in the data being stored separately so that it is no longer used for marketing purposes. Indeed, GDPR does allow financial firms some latitude on data held for anti-money laundering rules, because it relates to fighting crime.

So storing recordings of trader conversations, done to detect insider trading, is acceptable. But there are still questions over how long personal data can be reasonably stored for and what happens to the recordings of conversations involving private non-regulated individuals who have not given consent. 

But even once those issues are addressed, GDPR will still make compliance with MiFID II harder and more onerous due to its penalties for data breaches and misuse. In the UK, there is also the Senior Managers Regime to consider when a data-related incident occurs, as a senior manager could be held responsible. 

Will it provide the incentives?

No doubt banks will find ways to keep personal data safer (they should anyway) while being transparent for MiFID II purposes. But it comes at a huge cost, which can only be partly mitigated with the help of technology. 

And of course GDPR does not just conflict with MiFID II, but also with another key EU financial regulatory framework: the second Payment Services Directive (PSD2). To stimulate competition and improve financial services, PSD2 emphasises the sharing of data between, say, a bank and an ecosystem of innovative fintechs.

So on their own these frameworks should incentivise the behaviours the regulators want. Combined, however, they could instead raise costs for the real economy, lead financial firms to drop certain lines of business, and hand more control to lawyers and compliance personnel, who will play very safe, with innovation and competition potentially suffering as a result.

At some point, European regulators will probably need to rethink the regulatory frameworks they have created in the past 10 years and ponder whether their aims can be achieved in simpler and less cumbersome ways. But as one senior bank compliance officer says: “I wouldn’t hold your breath on that one.”
