A surge of new solutions is emerging to help firms meet the data challenges of Shareholder Rights Directive II (SRD2), which came into force on September 3, 2020 despite pleas from the industry for a delay due to Covid-19 pressures.
“We ask you to consider, as a matter of urgency, a delay in the implementation date of the Shareholder Rights Directive II and the Implementing Regulations by twelve months, to 3 September 2021,” begged a joint letter sent in April to the European Commission by a consortium of post-trade groups including The European Banking Federation (EBF), the Association for Financial Markets in Europe (AFME), the International Securities Lending Association (ISLA), the Association of Global Custodians (AGC), the European Central Securities Depositories Association(ECSDA), and the Securities Market Practice Group (SMPG).
The associations warned the regulator that it would be “difficult, or nearly impossible, to meet the implementation deadline of 3rd September 2020,” but they now have little choice in the matter. Firms providing share custody are now obliged to disclose client identities and positions when requested to do so by issuers. But fortunately, a wave of new solutions are now emerging onto the market to help them do just that.
This week, data provider Instant Actions joined the fray, with a targeted and ready-to-implement authentication solution to address the data risks created by SRD2. The new service provides globally verifiable company announcement information to the markets and protects intermediaries and shareholders from the risk of unauthorised phishing by authenticating both the validity and identity of the requestor. Once authenticated, the intermediary places the requested shareholder data in a secure, GDPR compliant Data Safe Haven ready for the issuer to retrieve.
Explains James Zorab, CEO of Instant Actions: “Intermediaries can now mitigate against potentially catastrophic reputational and financial risk. Knowing who owns a company is valuable information. Plenty of stock traders watch the activity of company insiders and major institutional shareholders, while investment banks have thrived on intermediating information about shareholders. Securities borrowing desks depend on brokers knowing who owns what so they can source the stock. Which is why the well-informed pore over stock ownership disclosure forms, looking for information on which to trade. It will therefore come as no surprise if unauthorized phishing becomes prevalent on the back of ostensibly legitimate requests for shareholder identity disclosure. We have found ways to protect intermediaries from that threat.”
He adds: “While well-intentioned, the legislation does not sufficiently address the issues of confidentiality, secure communication or the control of this data and so could give rise to the possibility of phishing and fraud. At its worst, firms could be exposed to data breaches on an epic scale.
“There is a very real risk of bad actors masquerading as issuers and obtaining highly sensitive shareholder data. Both the financial consequences and the reputational impact could be crippling for businesses. We were shocked to learn that some intermediaries are planning to communicate this data un-encrypted and by email. Our solution provides a secure, auditable way of locking out bad actors.”
SRD2 requires firms to respond with shareholder data within 24 hours, a very short time to allow them to check that the request has come from a legitimate source, particularly when the request may have been forwarded to them and has not therefore come direct from the original issuer. As a result, the best a financial intermediary can do is to check with the firm above them in the chain of communication that they have carried out their own validation checks. But what happens if the data is inadvertently disclosed? Whose fault will it be? Who will be liable? And how will disputes be resolved?
SRD2 refers to ‘appropriate’ security defences and insists that firms should check whether the request has originated from the issuer. But it does not explain how this should be done, nor does it recognize that such a seismic change in industry workflows might require secure counterparty communications that simply don’t exist today.
And as Zorab points out, GDPR complicates the risk: “How will firms simultaneously satisfy their obligations to disclose data under SRD2 and seek customer consent to keep data private under GDPR? If they get it wrong, they face fines of up to €5m for SRD2 and up to €400m or 4% of turnover for GDPR.”
Instant Actions is not the only firm seeking to help meet these concerns. At the start of September digital investor communications platform Proxymity also launched its new shareholder disclosure solution, Proxymity ID, across all EU markets – with State Street and Citi among the first clients. The first new product to launch from the London-based FinTech since its initial investment raise of $20.5 million earlier this year, it automatically verifies that disclosure requests come from an authorised source, which prevents unsolicited and unapproved requests from being processed. The new disclosure solution complements Proxymity’s core proxy voting solution, Proxymity PV, which was launched last year in Europe and Australia.
“We’re confident that Proxymity ID will make it easier and more cost effective for custodians and intermediaries to manage the new burdens imposed by SRD II,” says Dean Little, CEO and CoFounder of Proxymity. “With Proxymity’s enhanced technology and digital onboarding experience, intermediaries can sign up and start using Proxymity ID within 24 hours and immediately comply with the SRD II legislation, without having to develop their own solution.”