MiFID II is one of the most complex regulatory initiatives in many years, and it’s not just Europe’s problem. Its spectre looms large over all sides of the pond, as U.S. financial institutions operating in the U.K. or EU must either strengthen processes and procedures, or create entirely new ones to deal with a slew of new requirements.
Due to its complexity, many companies aren’t fully aware of how to prepare their businesses for the drastic communications compliance changes that MiFID II will bring, and are vulnerable to a slew of new fines.
In assessing your company’s readiness for MiFID II, consider the following areas:
It’s the content, not the channel, that matters: Firms must capture records, in context, across multiple channels. It won’t matter whether your employees are communicating through Skype for Business, Facebook, or a rotary telephone—if their conversations fall within the scope of these compliance mandates, they must be archived.
Of course, the immense variety of communication tools can make it seem like an overwhelming task to capture everything. You can begin to get a handle on this by clearly defining who can access what services on which devices, and by educating employees about policies and procedures. But ultimately this mandate covers too much ground to be addressed through company handbooks; look to technology to automate both the recording of channels and the enforcement of policies.
Be “vocal”: One of the trickiest things about MiFID II is that it mandates not only the capture of regulated conversations occurring over virtually every written channel, but also the oversight and archiving of voice conversations. This introduces a whole slew of new challenges, not only when it comes to data storage, but especially to the ability to find and deliver such records to regulators on demand. So, in assessing your capabilities, be sure that you can not only monitor and record, but also search voice conversations.
Prove you’ve got control (over a vast and unwieldy system): Firms now must be able to demonstrate effective oversight and control over policies and procedures relating to regulated communications. While you may believe that you already have this, consider that the new regulations expand the mandate to include communications that are intended to lead to a transaction.
For most firms, this may vastly increase the volume of communications data required for review, straining current IT resources and raising the risk of missing signs of market abuse. Companies can address this by looking to the cloud to leverage scale-out technology for archiving.
Be able to reconstruct the past: MiFID II will require that firms be able to supply regulators with communications associated with a specific trade. This may be incredibly tricky, as these conversations are likely taking place over multiple channels, and at diverse times. It was a lot easier when everyone was just using e-mail (and most legacy archiving systems were designed for e-mail). So as you develop your processes and solutions, make sure that you’re treating interactions as conversation threads, rather than separate messages, and that the meaning of the conversation can be quickly and easily discerned.
Retain a long and accurate history: MiFID II requires that records be made available to regulators for up to seven years and, if you want to be safe, you should probably consider even longer periods of retention. But you also must ensure that it’s an accurate history. In the old Soviet Union they loved to rewrite history, and some of your employees may share that penchant. Conversations can be manipulated post hoc, so it’s not enough to archive them a few times a day—you must capture them in real-time.
Make it easy to find, yet thoroughly tamper-proof: MiFID II, and other regulations in both Europe and North America, require that records be stored in a manner that prevents them from being altered or deleted. Yet firms must also be able to make those records available on demand, which requires that they be searchable. This presents a problem with traditional storage mediums, as requests typically increase the risk of introducing a point of failure within a storage system. So consider maintaining a full copy of data in a permanent place or using legal hold features within archiving technologies to ensure the integrity of the data.
By now it should be clear that MiFID II compliance will not be accomplished by legacy storage and an updated employee handbook. It’s too big for that. Look to the latest cloud-based technologies in archiving to implement the aforementioned best practices, so that your employees can continue productive communication and collaboration with partners and customers.
In addition to addressing scalability issues of the exponentially growing volume of communications, the cloud takes the cost associated with conducting the numerous hardware upgrades required to retain such data long-term, and rolls it into your licensing agreement. It also opens the door to integrating your archiving capabilities with various analytics tools, so that you can derive additional insight and value from your data.
MiFID II presents challenges, to be sure, but it doesn’t have to be a roadblock to success if you approach it the right way.
Robert Cruz is director of information governance at IT security company Actiance.