The leading knowledge platform for the financial technology industry
The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

MiFID II vs GDPR: The Delicate Balance Between KYC and Data Privacy

Share article

By: Fenergo regulatory consultants Ciara Kennedy and Aoife Harney

Already this year, financial institutions have tackled one significant regulatory hurdle in the form of Markets in Financial Instruments Directive II (MiFID II). In May 2018 they face General Data Protection Regulation (GDPR) that threatens to present banks around the world with conflicting and challenging data collection and protection requirements.

The difficulty lies in balancing the apparent anomalies between protecting investors under MiFID II through the collection of more information about them and their respective activities, while respecting their strengthened data privacy rights under GDPR. This effectively puts banks between a rock and a hard place in terms of managing this delicate balance of requirements.

So how can financial institutions manage MiFID II and GDPR’s data management requirements ahead of the May deadline?

Data collection and protection

MiFID II requires the collection and retention of a large volume of client and counterparty information, including all electronic communications data. This data must be made available to regulators within 72 hours of a request. Conversely, GDPR introduces specific data subject rights around the erasure of data.

Data protection regimes between non-European Economic Area (EEA) jurisdictions can also conflict, further complicating compliance. While firms are responsible primarily to their national regulators under MiFID II, who may well apply the rules fairly and proportionately, GDPR has a responsibility to data subjects, who may use their rights from Day 1 to make onerous demands on firms to show the data held on them and/or erase such data from their systems.

Moreover, the penalties of GDPR non-compliance are significantly tougher than MiFID II, with fines expected to reach up to €20 million or 4% of global turnover for the most significant areas of non-compliance.

Record keeping

The huge scale of MiFID II required the work of regulatory specialist teams for several years, with robust new reporting, operational and technical infrastructures needing to be put in place. GDPR may not consist of the thousands of pages that MiFID II does, but its scope is vast and open to interpretation in certain instances. Put simply, for firms that are not well aligned to existing data requirements, it is a much larger task that MiFID II.

Firms must be accountable for the personal data they hold and consider the purposes and period for which the data is retained. Under MiFID II, client email correspondence must be recorded and archived for up to five years, telephone calls for as long as seven years. Data surrounding suitability of investment recommendations, typically the suitability report, must also be retained by firms for a minimum of five years.

GDPR states that organisations may only process data where there is a legitimate basis for doing so and document this accordingly. The regulation also states that personal data is to be stored only for as long as necessary or within the statutory minimum retention periods specified by other legislation. If a client wishes to have data recorded about them deleted within the timeframe set down by MiFID II, for example, the firm will not be compelled to comply.

Conflicting record-keeping requirements and obligations such as these could easily become a logistical headache for firms. To comply here, organisations need to tread carefully and be able to demonstrate that they have considered the principles of necessity, proportionality and data retention at the time of designing their record retention policies.

Reconciling requirements across two regimes

Finding a solution to manage the internal contradictions between these two bodies of regulation is essential. In order to be able to demonstrate a sufficient degree of GDPR compliance, firms will need to ensure they have tested their systems, processes and newly-implemented policies and procedures to confirm that they can comply with enhanced data subject rights and additional obligations under GDPR. As part of this review process, firms should map current and anticipated client data flows and conduct a data audit to evaluate data lifecycle management within the organisation.

Ensuring compliance with both regimes is not only about policy and procedural change. In larger organisations, specific teams will now be required to collaborate on a regular basis to ensure that the collection and processing of data and the retention of records is conducted in a manner that is compliant with both GDPR and MiFID II.

Related content

WEBINAR

Recorded Webinar: Address Emerging Operational Risk and Alleviating Data Blind Spots with AI Powered Risk Management

The digitalisation of financial services is in full flight, as financial institutions strive to offer the same levels of service and improved customer experience that consumer markets have enjoyed for some time. This digitalisation – providing seamless access to appropriate services on demand – requires great emphasis on client data. This changing digital landscape, and...

BLOG

Cloud Data Protection Specialist Clumio Teams up with Microsoft 365

Clumio, a California-based cloud-security start-up focusing on software-as-a-service (SaaS) for enterprise backup, has added Microsoft 365 to its secure backup-as-a-service, providing organisations running Microsoft 365 with a globally consolidated data protection service as the global coronavirus pandemic sees a rapid increase in ransomware attacks and email scams. The two-year old company, which in December 2019...

EVENT

RegTech Summit Virtual

Regtech Summit Virtual will explore how business and operating models have adapted post COVID and how RegTech can provide agile and enhanced compliance for managing an evolving risk and compliance landscape. As the dust settles, we will look at the outlook for the global RegTech industry, where Regulators are focusing as they get back to business, and deep dive into global regulatory priorities for the rest of the year and into 2021.

GUIDE

Entity Data Management Handbook – Sixth Edition

High-profile and punitive penalties handed out to large financial institutions for non-compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations have catapulted entity data management up the business agenda. So, too, have industry and government reports on the staggering sums of money laundered on a global basis. Less apparent, but equally important, are...