How banks are managing Mifid data with GDPR compliance

Sign up for Practice Insight's free weekly newsletter, follow us on Twitter or join the Linkedin group

Banks and asset managers are attempting to establish a market-wide approach to managing the great swathes of data created under Mifid II ahead of the EU’s incoming General Data Protection Regulation’s (GDPR) implementation in three months’ time. A consensus is emerging around a system of pseudonyms or tokens for traders, but more work needs to be done.

According to those tasked with implementing the GDPR at banks across Europe, there’s no common market-wide approach to managing data pertaining to both traders and clients once the GDPR becomes effective, in May 2018.

“There’s only a few months left to make sure this data is GDPR-friendly – at the moment it is not, but there are future-proof solutions available,” said one source at a French bank. “There’s still room for a global approach though.”

Senior management teams are taking an interest in compliance with the new data protection regime. The potentially astronomical fines in case of a breach – up to €24 million, or four percent of global turnover, plus the reputational damage – may have something to do with this. Many feel the two regimes have conflicting aims, with Mifid II forcing increased transparency while the GDPR is focused on better protecting personal information.

The French bank source said that one solution is creating an anonymised pseudonym or token to identify each trader or decision-maker, which does not contain personal data such as social security or passport numbers – all of which are protected by the data protection framework.

This looks to be the most sensible way for the entire market to proceed as it limits the amount of personal data that needs to be sent back and forth between market participants, but regulatory guidance would be welcome to ensure it does not put firms in breach of either rule.

Under the GDPR firms must prove they have a legal basis or legitimate business interest in processing the personal data they are collecting. There’s little doubt that compliance with Mifid II or its accompanying regulation Mifir qualifies as a legal basis, but consents must still be obtained and procedures adjusted.

Nick Moss, head of product management for post-trade at MarketAxess which operates both a multilateral trading facility and an approved reporting mechanism (ARM), agrees that the token approach looks to be the best way forward.


KEY TAKEAWAYS

  • Banks are calling for an industry-wide approach to ensuring Mifid II data is compliant with the EU’s new data protection regulation ahead of its implementation in May;
  • The best way forward at present looks to be creating a pseudonym or token that masks the truly sensitive information but allows for it to be provided if requested;
  • Data masking in other contexts is generally frowned upon by regulators but market participants say there is no other way to comply with both somewhat conflicting regimes;
  • While most firms are incredibly concerned about data protection – sources say senior management teams are taking an interest in GDPR compliance – in some parts of the market, highly sensitive data is being transmitted over email, which is far from secure;
  • Asian firms facing a similar problem in their home jurisdictions have found a workaround by booking through subsidiaries rather than branches, allowing them to circumvent the stringent reporting rules.

At the moment many trading venues are operating European data stores that allow investment firms to deposit all the relevant information securely, rather than provide reams of personal data with each individual transaction report.

MarketAxess is currently exploring the option of making its own data store available to other trading venues too, which would again ease firms’ obligation to supply the data every time a trade takes place or report is filed. “We’re waiting for industry feedback on this approach, but there was a lot of interest in it when first discussed last year. Firms that trade on multiple venues have to supply this information to every venue they trade on, which can be quite painful for them,” said Moss.

“The ideal would be for the regulators themselves to accept these tokens so it doesn’t have to be passed to any other entity, but we’ve not seen any take-up on that at NCA level,” he added. So the industry will have to find its own solution.

Another issue arises with the GDPR's right to be forgotten. According to Joe Garber, head of product marketing at software firm Micro Focus, if the Mifid II requirement to hold data takes precedence over the right to be forgotten, then it would appear the bank must keep the data until the Mifid requirement expires, then essentially remember to later forget the data. "This places an operational burden on the bank and the risk of unintentional noncompliance," he said. "The solution is to automate retention management and the disposition of data once it's no longer subject to retention, in near real-time."
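As an added illustration (not code from the article or from any firm quoted in it) of the token approach described earlier together with the retention-aware disposition Garber describes: the firm keeps trader identities in its own store, puts only a keyed token on outbound reports, releases the identity solely on an authorised request, and defers a right-to-be-forgotten request until the retention window lapses, after which a scheduled job disposes of the record. The five-year retention period, the secret key and the trader record are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION = timedelta(days=5 * 365)  # assumption: five-year Mifid II record retention


@dataclass
class TraderRecord:
    name: str
    passport_no: str
    last_trade: date
    erasure_requested: bool = False  # deferred right-to-be-forgotten request


class PseudonymVault:
    """Identities stay in the firm's own store; only a keyed token leaves it."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._records = {}  # token -> TraderRecord

    def token_for(self, internal_id: str, record: TraderRecord) -> str:
        # Keyed HMAC of the internal trader id: stable per trader, but a venue or ARM
        # holding only the token cannot recover the name or passport number from it.
        token = hmac.new(self._secret, internal_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._records[token] = record
        return token

    def transaction_report(self, token: str, isin: str, qty: int) -> dict:
        return {"decision_maker": token, "isin": isin, "quantity": qty}  # no personal fields

    def resolve(self, token: str, authorised: bool) -> "TraderRecord | None":
        if not authorised:  # identity released only on an authorised (e.g. NCA) request
            raise PermissionError("identity release requires an authorised request")
        return self._records.get(token)

    def request_erasure(self, token: str, today: date) -> str:
        # Right to be forgotten: erase now if retention has lapsed, otherwise flag the
        # record so the scheduled disposition job removes it as soon as retention ends.
        rec = self._records[token]
        if today - rec.last_trade > RETENTION:
            del self._records[token]
            return "erased"
        rec.erasure_requested = True
        return "deferred"

    def dispose_expired(self, today: date) -> list:
        # Scheduled disposition job: drop every record whose retention window has passed.
        gone = [t for t, r in self._records.items() if today - r.last_trade > RETENTION]
        for t in gone:
            del self._records[t]
        return gone
```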

Outsourced compliance

Adedayo Banwo, in-house counsel at Deutsche Bank said that the extensive records required by Mifid II on things like trade and suitability reports already necessitate a degree of accuracy and retention. “So most firms will likely have relatively robust data retention standards from Mifid II, or even Mifid I remediation, meaning the GDPR overlap shouldn’t pose key challenges,” he said.

But according to Banwo, it’s the outsourcing of key Mifid functions like safeguarding, reporting, investment management and depository functions – all of which have a recordkeeping component – where GDPR implications are most severe, adding an additional layer to that outsourcing relationship that firms may not have considered when entering into them.

“The bank is really not keen to share trader data with third-party vendors like ARMs,” said a regulatory change manager at a Dutch investment bank. “The two regimes are pulling companies in different directions.” He also thinks the pseudonym or token approach, with the information partially withheld unless requested, will catch on.

But just over a month into Mifid II’s brave new world, how regulators will look on this approach is not yet clear. Dealers have been using a form of data masking for some time now in relation to the European Market Infrastructure Regulation (Emir) – although the general purpose is to get around the regulation, rather than comply with it – but regulators are keen to put a stop to it in this context. A Financial Stability Board paper from June 2017 says that masking of newly-reported transactions must be discontinued.

Banks that outsource critical Mifid functions such as reporting are most at risk of GDPR liability

Banks and investment firms must ensure they have GDPR-proof agreements in place with all their data servicers before May, said Andrew Watson, head of regulatory change at JHC, whose services include reporting and execution to a number of Mifid-regulated firms.

“It’s not exactly a foreign concept to them, but it will all need to be documented and made available to the end investor if they ask for it,” he said. In theory these agreements should not be hard to reach as under the GDPR, both data controller (the investment firm) and data processor (the outsourced firm) are potentially on the hook for a fine if a breach were to occur.

“Obviously the fines are huge, but in financial services especially the loss of reputation is equally frightening, so I’m not surprised that firms are taking this very seriously,” added Watson. “Banks are not the target of the GDPR, but in some ways they are an easy win for a big fine – so if regulators are after a headline win they may go for financial services early on.”

Approaches vary across the market, though. “We know that some firms are not leveraging a centralised data store and don’t have adequate controls in place around the data," said MarketAxess's Moss. "Some are sending highly sensitive information over email, which is not the most secure way of operating. There’s a lot of scope to improve these processes."

Cross-border workarounds

The EU ramping up its own data protection framework only complicates things further for global investment firms attempting to manage their Mifid II obligations. In November IFLR reported that Asian market participants were concerned that Mifid’s transparency requirements could put them in breach of data privacy laws in their home jurisdiction; namely Singapore, where the Personal Data Protection Act shares some similarities with the GDPR when it comes to extraterritoriality and definitions.

And China’s relatively new cybersecurity law, in place since June last year, prevents the cross-border transfer of certain types of personal data, posing a significant challenge to Chinese firms that want to continue doing business with the EU.

But some creative firms have found a way around this, according to Vijay Chander, executive director of fixed income at the Asia Securities Industry and Financial Markets Association.

“One workaround is for the Asian entity to face another Asian entity, even for in-scope Mifid instruments,” he explained. “We have heard anecdotally of a few firms booking trades via their Asian subsidiary rather than branch as they would usually, so that none of the pre-trade or reporting requirements apply.”

That would appear to relieve the privacy issue, but promoting regulatory arbitrage – posing serious questions over the long-term competitiveness of the EU as a financial centre – was unlikely to be the intended effect of the new market directive.

It’s not like the industry didn’t see it coming, though. IFLR reported last March that Asian firms in particular would exit the EU market for venues like Hong Kong and Singapore to avoid the onerous and unprecedented pre and post-trade transparency and reporting rules.

“Esma has made very clear that a branch of an EU investment firm is subject to the same rules as the parent, but we do know that if you’re an Asian subsidiary facing an Asian investment firm then you’re kosher in Mifid terms,” added Chander.
