Navigating conflicts between Mifid II and GDPR

GDPR somewhat contradicts Mifid II when it comes to personal data, according to Teleware chief executive Steve Haworth

In March 2017 former investment banker, Christopher Niehaus was fined £37,198 by the Financial Conduct Authority (FCA) for using WhatsApp to share confidential client information. That was before the weighty Mifid II directive came into force at the beginning of the year. Articles 9 & 16 of the directive expressly cover the recording of all client trading communications.

When firms were preparing for Mifid II, a strong onus was placed on them (although already standard for the vast majority of financial institutions) to ensure all relevant voice communications are recorded and available for retrieval for up to seven years. Also, individual conversation threads were required to be reconstructed upon request from the regulator, which makes time-stamping of communications essential.

What complicated matters for many firms was the introduction of the EU General Data Protection Regulation (GDPR) in May. Mifid II and GDPR impose conflicting requirements on firms, yet both carry similarly hefty fines for non-compliance.

Mifid II vs GDPR for communication

Under Mifid II, communication surveillance requirements increased massively. Monitoring and recording employee communications now provides the evidence needed for compliance purposes, whilst also protecting businesses and their employees in the event of any regulatory investigation.

GDPR, in some ways, contradicts Mifid II by putting power in the individual’s hands over what firms can do with their personal data.

It supports an individual’s right to privacy and embodies principles around consent for the storage of personal data and the right to erase it. Such consent must be freely given. Personal data should only be kept for as long as necessary, and only when it relates to business communications.

Compliance with contradictory regulation

Both Mifid II and GDPR have required firms to overhaul significant areas of their operations, processes and controls, specifically the processes and policies that govern communication recording.

However, a recent survey we conducted of 2,000 UK employees revealed 40% of financial services firms do not have effective processes in place to capture, record and consequently retrieve information relating to business communications, leaving firms open to significant regulatory fines for non-compliance.

Regulators are looking for capture and recording across all forms of communication – email, fixed line, mobile, instant messaging, video and face to face. Whilst in the office this is relatively easy to control; outside the office it can be more of a challenge, especially where employees may be working from multiple locations and devices.

The solution for compliance with Article 16 of Mifid II could lie in employees’ hands – literally. The growth in ‘bring your own device’ (BYOD) in recent years has been driven by convenience and cost. But the management of hardware has created complications for compliance teams and IT alike. Installing a mandatory recording solution can ensure compliance, but the solution needs to consider employees’ private and business use to satisfy both Mifid II and GDPR.

Capturing cross-channel communication effectively

When it comes to mobile communications recording, firms have two options if they want to show they’re being compliant: SIM-based recording or app-based recording.

SIM-based recording provides arguably the most compliant and frictionless means of recording calls and SMS. With SIM recording, no user intervention is required to maintain compliance or to upgrade to the latest version of the recording software. This method of recording is most appropriate with a business-supplied device because it can demonstrate compliance for all communications on work-related subject matter.

App-based recording provides greater flexibility for users who need to record only selected communications. Calls and SMS made and received using the app will be recorded, whereas those made using the native dialler and messaging app on the device will not. App-based solutions will work across multiple mobile networks as well as BYOD deployments.
