Five Minute Focus: Preparing for the implementation of GDPR

Wendy Phillis, Managing Director, Governance and Regulatory Solutions, Europe and Asia Pacific at RBC Investor & Treasury Services (RBC I&TS), discusses the European Union’s General Data Protection Regulation (GDPR) and three key themes relevant to asset managers, and looks ahead to further regulatory change and the impact on innovation.

1. GDPR comes into effect in 2018. What impact will this have on asset managers?

GDPR is about data privacy and protection of the rights of citizens in the European Union (EU) to maintain control over their own personal data. It comes into effect in May 2018 and impacts anyone who maintains personal data of citizens in the EU. GDPR has a wide reach and any company selling or providing services into the EU, from any other country, needs to comply. GDPR requires RBC I&TS and our clients to understand the personal data we retain, how it is used, and how it is protected. It also gives individuals the right to ask for their data to be deleted. To accommodate this, processes will need to be put in place to ensure institutions are capable of doing that, which is probably one of the more challenging aspects of GDPR.

2. What are the three critical elements of GDPR that the asset management sector should be aware of?

The following three key themes will have an impact on financial market participants.

  1. Data subject rights: GDPR gives individuals (referred to as ‘data subjects’) significant rights over the personal data firms retain and how they use it. Firms will need to be able to demonstrate to data subjects why their personal data is needed and the purposes for which it is being used. Data subjects also have the right to request erasure of their personal data where it is no longer necessary for the original purpose for which it was collected, or to withdraw their consent to retain and use personal data. GDPR also requires firms to disclose to data subjects information on how long their data will be retained.
  2. Demonstrated compliance: Firms will be required to demonstrate to their responsible regulator that they have implemented adequate measures to ensure they comply with the technological and organizational requirements of GDPR. Firms will need to undertake privacy impact assessments for activities involving large-scale processing of personal data, and activities which use automated processing of personal data to analyze or predict behavior. These impact assessments will need to be reviewed any time processes or systems are changed, so it will be important for firms to keep thorough and up-to-date inventories. Another fundamental change for firms to consider is how they design future processes and systems to ensure they comply with the requirements of GDPR.
  3. Breach management: The GDPR framework stipulates how and when firms must disclose to their responsible regulator, and to the public, security breaches impacting personal data. Fines and penalties for data breaches can be significant and the most serious breaches may result in fines of up to EUR 20 million, or 4% of global turnover, whichever is higher.

3. Are there any other significant regulatory challenges facing the asset management sector in 2018?

In Europe, asset managers are also focused on the Money Market Funds regulation, specifically the implications around the production of Net Asset Values (NAVs), which comes into force from July 2018. Moving from constant NAV funds to variable NAV funds or revised types of constant NAV funds is intended to increase investor protection and transparency. RBC I&TS is actively reviewing this regulation and its impact, including assessing potential product development requirements to support our clients.

4. Are asset managers being overly burdened by regulation, and, if so, how is it impacting innovation?

Without question, there has been a significant volume of regulatory change since the financial crisis. Dodd-Frank, the European Market Infrastructure Regulation (EMIR) and the recent implementation of the Markets in Financial Instruments Directive II (MiFID II) and others have had an impact on the asset management business. While there may be some regulatory fatigue, the goals and objectives are sound – to improve transparency and protect investors. As the regulatory landscape changes, so does the technology to support compliance, in the form of Regtech initiatives. In fact, I think regulation is enabling innovation.

The additional data that asset managers need to collect and maintain may also help to identify the type of funds investors prefer to invest in and help better monitor the performance of portfolio managers. The challenge for institutions is to develop approaches to leverage that data and use it to their advantage.