Brokers must comply with both the GDPR and several financial regulations. But what do you do when the requirements clash?
This article is part 2 of a 6-section whitepaper on ensuring proactive compliance in an increasingly rigid regulatory environment.
In May 2018, merely five months after the introduction of MiFID II, a new comprehensive EU directive came into force in the European market: GDPR, the General Data Protection Regulation.
In broad strokes, the purpose of the GDPR is to give control over one's data back to the person, as well as to create more openness, transparency, and overview when it comes to the storage and processing of personal data.
Simply put, the GDPR boils down to answering one important question: Why does your organization store specific personal information?
How does GDPR work with financial regulations?
In 2018, the introduction of two comprehensive EU directives in less than six months presented several challenges for the banking and finance sectors. The biggest challenge – mapping how the GDPR interacts with MiFID II and other regulations – is still an ongoing process three years later.
In practice, directives such as MiFID II may in many ways simplify the requirements of the GDPR. The requirement that all institutions engaged in the brokerage or trading of securities must record all communications that may lead to a transaction simplifies the question of consent to the storage of personal data under the GDPR, because a call related to a possible transaction cannot be conducted without recording.
According to the GDPR, consent must be obtained each time a new type of information is stored. However, because the requirement to record all customer communication means that new information is added continuously throughout the customer journey, you may be exempt from this requirement in some scenarios.
Additionally, financial regulations state that stored data must be searchable by customer identification, broker identification, and time period. They also define what kind of personally identifiable information is to be stored. In other words, the requirement in, e.g., MiFID II trumps the GDPR legislation. However, you are still obliged to inform the customer that they are being recorded.
Data security is a key topic
Data security, and more specifically how data is stored and processed, is a topic that is central to both GDPR and financial regulations such as MiFID II.
All data must be processed in such a way that it satisfies the requirements imposed on you by financial supervisory authorities through directives, while also safeguarding the security of personal data per the GDPR.
Two of the most important questions you need to be able to answer according to GDPR and MiFID II are:
- What kind of information is recorded and stored?
- Who has access to this information?
Regulations state that no one should be able to change or delete data in an audit trail. All data must be stored securely and encrypted so that no unauthorized persons have the opportunity to manipulate the information. The data must be monitored, but should only be available to the control function within the company.
In other words, a compliance officer responsible for monitoring the data must have full control over who has access and insight, so that no one can enter the system and delete e.g. three lines of an email or one minute of a phone call.
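As an added illustration (not part of the whitepaper), the following Python sketch shows one way to make an audit trail tamper-evident: each stored communication segment commits to the hash of the previous one, so removing "one minute of a phone call" or editing an email breaks the chain, and the control function can detect it. The same store answers the customer/broker/time-period lookup mentioned earlier. Record fields and sample values are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first link in the chain

def _digest(body: dict) -> str:
    """Canonical SHA-256 over the entry fields (sorted keys so the hash is reproducible)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only store of communication segments. Every segment records the hash of
    its predecessor, so altering or deleting any segment invalidates all later links."""

    def __init__(self):
        self.entries = []

    def append(self, customer_id, broker_id, ts, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "customer": customer_id, "broker": broker_id,
                "ts": ts, "payload": payload, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return the index of the first broken link, or None if the trail is intact.
        expected_head is the latest hash the compliance officer recorded out of band;
        without it, silently dropping the most recent segments would go unnoticed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["seq"] != i or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)  # tail was truncated
        return None

    def search(self, customer_id=None, broker_id=None, start=None, end=None):
        """Lookup by customer, broker and time period (ISO 8601 UTC strings compare lexically)."""
        return [e for e in self.entries
                if (customer_id is None or e["customer"] == customer_id)
                and (broker_id is None or e["broker"] == broker_id)
                and (start is None or e["ts"] >= start)
                and (end is None or e["ts"] <= end)]

def demo():
    """Constructed five-minute call; returns (intact_check, segments_in_window, broken_index)."""
    trail = AuditTrail()
    for m in range(5):
        trail.append("C-1001", "B-07", f"2021-03-02T10:0{m}:00Z", f"call segment {m}")
    head = trail.entries[-1]["hash"]  # control function stores this outside the system
    intact = trail.verify(head)
    hits = len(trail.search("C-1001", start="2021-03-02T10:01:00Z", end="2021-03-02T10:03:00Z"))
    del trail.entries[2]  # someone deletes one minute of the call
    return intact, hits, trail.verify(head)
```

Hash chaining only detects tampering; preventing it still requires that write access to the store is limited to the control function and that the head hash is kept where the same people cannot overwrite it.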
Information related to communication – a dilemma
According to the GDPR, a customer may, in principle, demand access to all their personal data in a company’s database. However, when looking at conversations between a broker or advisor and a customer it is a bit unclear how to cater to this demand.
If a customer requests to have all information about them retrieved, this would also include recordings of all communication. But because a conversation always includes two or more parties, you would then automatically give the customer access to private information about the broker, who is also entitled to the protection of their personal data.
In this situation, how best to comply with both the GDPR and the recording requirements of directives such as MiFID II may pose a challenging dilemma.
The customer cannot demand the deletion of data
Per the GDPR, a person has the right to retrieve, move, and share any personal information kept by a company, and may also demand that all stored data be deleted. This raises two new dilemmas for companies that are subject to the MiFID II regulations.
Personal information linked to communication with a broker may be considered confidential company information that should not be disclosed to competitors. As such, retrieving or moving this data may be complicated.
Similarly, a customer cannot demand that information related to communication with a broker or adviser be deleted, because certain regulations, e.g. MiFID II, stipulate that all recordings of all communication must be stored for exactly five years. To comply with the requirement for a complete audit trail, you are not allowed to delete parts of this communication.
These are just a few examples of the dilemmas that the banking and finance industry is still in the process of investigating, and which must be interpreted individually until a firm precedent is set.
The 3 largest GDPR pitfalls
- Insecure data storage
Perhaps the greatest pitfall of all is storing data in a way that makes it accessible to unauthorized persons, either internally within the company or externally, without a good system for tracking who may acquire the information.
- Fragmented information
Storing fragmented information across multiple systems, on several servers, or in different locations may make it challenging to provide authorities or customers access to relevant data.
- No automated processes for inspection
One of the biggest mistakes companies make is failing to integrate automated processes for providing customers and supervisory authorities access to the information they request.
Questions to reflect on:
- What routines and guidelines does your company have for the collection and transfer of personal data per the GDPR?
- Do you have a good system for restricting and tracking access to stored information?
- Do you have automated processes for providing customers and financial supervisory authorities access to relevant data?