Reconciling MiFID II with GDPR

Complying with divergent data protection requirements will be challenging for financial institutions

For asset managers, maintaining the security of information while respecting client privacy is a key objective. At the same time, financial services regulators are introducing measures to mitigate systemic risk, protect market participants and ensure secure data collection.

The Markets in Financial Instruments Directive II (MiFID II), which applies to nearly all financial institutions in the European Union, is designed to prevent market abuse, strengthen investor protection, and increase transparency. Among many other provisions, MiFID II imposes strict record-keeping obligations on in-scope firms and requires them to document and store detailed transactional and client information. 

Key insights

  • Managing the compliance requirements around incoming data protection rules and MiFID II will be a challenge for financial institutions who must ensure they have a timely and viable solution in place
  • It is critical that firms engage with regulators and relevant staff to create a consolidated framework for record-keeping compliance under MiFID II, and GDPR
  • While UK-based financial institutions are addressing a number of regulatory issues created by Brexit, GDPR should remain among those priorities

Just as these regulations impose recordkeeping requirements, the General Data Protection Regulation (GDPR) is introducing strict obligations on data storage and modernizing the existing data protection legislation. Harmonizing the core MiFID II recordkeeping provisions with GDPR requirements is a significant challenge for asset managers and financial service providers.

Harmonizing the core MiFID II recordkeeping provisions with GDPR requirements is a significant challenge for asset managers and financial service providers

Identifying the crossovers

MiFID I provided EU Member States with some discretion as to whether to record phone conversations and retain email exchanges regarding client interactions, but MiFID II does not permit this flexibility. MiFID II requires firms to keep records of all telephone and electronic communications, as well as written documentation detailing face-to-face meetings relating to transactions for a period of five years, irrespective of whether they were executed.1

GDPR, on the other hand, aims to reduce unnecessary collection and storage of personal information. Reconciling the demands of MiFID II with GDPR is not straightforward. As FTSE Global Markets notes: “MiFID II stipulates that all recordings should be stored for five years. GDPR is less clear and simply states that personal data should not be kept for longer than needed. It is not certain whether five years would be deemed too long for a simple telephone conversation that did not lead to a transaction (but might have done)."2

GDPR includes a 'right to be forgotten' provision

In addition, GDPR includes a 'right to be forgotten' provision, meaning that firms holding data must justify to third parties who request the erasure of their personal data why they cannot delete any personal information under their ownership.3 However, there are exemptions to this requirement: for example, if the holder of the data needs the information for compliance with a legal obligation.4 

For privacy reasons, GDPR prevents employers from recording the personal conversations of their employees.5 This may come into conflict with the MiFID II requirement to keep records of client interactions, as the distinction between personal and work devices has become increasingly blurred, particularly as many businesses adopt bring-your-own device (BYOD) policies. As a result, organizations will have to consider how they might address this. They may, for example, secure employees' clear consent to record personal calls on BYOD devices, quarantine business-related calls, or deploy capabilities enabling employees to use multiple telephone numbers from a single phone.6

Are financial institutions prepared?

MiFID II takes effect on January 3, 2018, followed by GDPR on May 25, 2018

MiFID II takes effect on January 3, 2018, followed by GDPR on May 25, 2018. Some commentators suggest that financial institutions are too heavily focused on MiFID II and not devoting the same attention to the imminent data protection laws.7 

Under MiFID II, regulators have various options to invoke sanctions or fines related to non-compliance which are not specified in the legislation. It is possible that they will consider the efforts made by financial institutions in working toward full compliance with MiFID II when considering whether to impose fines or penalties in the event that firms miss the deadline. However, a briefing by law firm Allen & Overy warns that infringements of GDPR could result in fines of either EUR 20 million or up to four percent of annual worldwide turnover, whichever is the higher.8 A penalty of such magnitude means that firms need to be focused and vigilant when aligning their activities to GDPR requirements. 

UK-based financial institutions that may also have been expecting relief from GDPR based on the UK's impending exit from the EU should reconsider that as a potential option, as GDPR will likely take effect before the terms of the withdrawal are finalized. In addition, Britain is aiming to mirror the EU's data protection laws to ensure the free flow of data across borders which is vital to its digital economy. If the UK's exit from the EU involves joining the European Economic Area (EEA), GDPR will still apply to the Should the UK choose not to join the EEA, GDPR will still be applicable to UK-based financial institutions doing business within the EU.


 Sources

  1. Hogan Lovells (2016) MiFID II Recordkeeping and telephone and email recording
  2. FTSE Global Markets (February 3, 2017) Seven things you need to Know about MiFID II and GDPR
  3. Reg Tech (January 27, 2017) Navigating Your Firm through the Maelstrom of the EU's General Data Protection Regulation
  4. Information Commissioner's Office (May 2017) The Right to Erasure (the right to be forgotten)
  5. FTSE Global Markets (February 3, 2017) Seven things you need to Know about MiFID II and GDPR
  6. Ibid.
  7. Financial Times (August 30, 2017) Tech sector struggles to prepare for new EU data protection laws. Diginomica (August 21, 2017) UK government research – 94% of FTSE 350 under prepared for GDPR
  8. Allen & Overy (2017) The EU General Data Protection Regulation