The MIFID II Countdown Checklist
By Robert Powell, Global Head of Compliance at IPC for Global Banking and Finance Review – first published July 25, 2017
With MiFID II implementation high on financial firms’ agendas, there is going to be a major change in the way that trading communications are recorded and stored. Both mobile and electronic trading communications have increased significantly over the last few years, which is reflected in the new rules that extend the scope of communication recording and surveillance to include all types of interactions, including text, IM, email, mobile, and social media.
Once these regulations have been enforced, financial firms will need to capture data from all their regulated users, whether they are involved in pre-, during and post-trade activities; and this includes communications from far beyond the trader’s turret. Now – with just months until MiFID II comes into force – any organisation which is implementing MiFID II or still needs to begin the process, should consider creating a checklist to achieve compliance with the new rules.
Here are seven steps firms should be considering in preparation for MiFID II:
1. Understand record retention regulations
First, it’s worth combining a few technical standards published by the European Securities and Markets Authority (ESMA)into the first checklist:
- Have a designated compliance officer/director/manager
The Financial Conduct Authority (FCA) has listed the following controlled function (CF) registration types that might be a suitable person: CF1 Director, CF2 Non-Executive Director, CF3 Chief Executive, CF4 Partner & CF29 Significant Management. This person should be heavily involved with creating written policy and the policy procedures along with testing the policies and procedures for effectiveness. They should also be the person who conducts the annual record keeping review.
This should be relatively easy to achieve, but businesses need to focus on two fundamentals – who and what.
First, who needs to be recorded? As a start, this should include all traders and sales people, and anyone who has the potential to commit the firm or discusses any kind of transaction with clients or counterparties. This list needs to be validated by the business and compliance team, and should include how long they need to be recorded for.
Second, what communications methods should be permitted to be used and how should they be recorded? Starting with the easy and obvious: email, Bloomberg, Thomson Reuters and instant message will be the norm for most firms. By recording fixed line phone calls, mobile calls and text messages, approximately 95 percent of firms will be covered. Specialist tools like ICE Chat and Slack should also be addressed. For each system, organisations need to understand how they are recorded and retained. Businesses can consolidate recordings to a single archive reducing surveillance, recovery challenges and costs. For MiFID II purposes, record retention is critical. If a company is outsourcing, they should subject third-party suppliers to additional scrutiny that they may not have encountered before.
- Communications “intended to lead to a transaction”
Organisations may need to increase the “recorded population” if, for example, policy is used to prevent employees from taking client orders or making transactions on their personal devices. In this case, organisations will need to extend mobile recording to cover their calls and texts. Also, looking at internal calls will also be vital. This will likely be covered, but it’s worth raising it as a discussion item among business, compliance and IT departments to ensure full compliance with the new rules.
2. Extend the retention period
The unification of the records retention period is the cornerstone of one of the new rules under MiFID II. Firms will be required to retain communications data for five years unless the local regulator requests retention for seven years. Most organisations already retain emails for at least five years, however it’s worth checking that all types of communications used are captured for the right period. Voice calls, fixed line and mobile, will be a different matter.
There are five key things to check:
- Find out how to extend a fixed-line recording retention period. It’s important to look at how the data is stored and if it is tamperproof or on WORM (write once, read many) storage.
- For mobile, are all users recorded? Additionally, where are these calls stored? If the calls and other data comes to an organisation’s on-premise infrastructure, they will need to check the retention period and make sure calls by new users are set to be retained for five years.
- Is the firm under litigation or regulator hold for deleting records? What is covered and can these holds be reviewed prior to MiFID II coming into effect?
- Are there different archives for different media types, and is now the time to look at a holistic archive that contains all communications records? And, will it allow management and retention periods, users, litigation holds, and search and recovery with centralised, accessible storage?
- US organisationsin business with European-based firms, may need to look to extend the voice recording retention periods per CFTC to include others that do these trades, even if they are not based in Europe.
3. Have a plan in place to manage system failure
Next, systems fail. It is a fact that is widely recognised. When systems fail, organisations can find out more about their systems, procedures, technologists and partners than they would when business runs smoothly. MiFID II requires investigation of system failure. It’s not explicit, but an investigation of any failure should offer solutions and track the implementation of that solution.
In addition, organisations should try to formulate a list stating what was missed while the system was down. This way, when regulators call, organisations have proof that they prevented a recurrence of the problem; along with a good idea of the calls or messages that were not captured while the problem existed. Firms should keep their written investigation for five years, the same as capturing the original records.
4. Clarify what complete, quality and accurate means
It is very important to understand key terms at the beginning of an organisation’s journey to MiFID II compliance. When it comes to record retention,some argue that the requirement of “complete, quality and accurate” records is vague. Defining them can give a clear understanding of what the regulator expects.
Complete – this means organisations should know all types of communications used and by who, as well as having fit-for-purpose capture and retention mechanisms and processes in place.
Quality – this means the ability to reproduce records in as near original quality as possible. It applies to the ‘original form’ for electronic communications and for the actual voice quality for voice or video calls.
Accurate – this means organisations should be confident in not only the records’ content, but also the all-important meta data that shows when messages were sent or calls made.
5. Implement training programmes
There is a new emphasis on continuing compliance training for employees at financial firms. This is common with all new financial markets regulations where the regulator is keen to prevent employees claiming they were not aware of the changes and thought they were acting reasonably. At the very least, the training should protect the firm and show that it has complied with its obligations to inform its employees – and provide examples of – good and bad communications behaviour.
Recently, UK regulators have taken action for inappropriate use of WhatsApp. Training should be very clear about which communications devices are company approved to conduct business and that anything outside of these communications devices is strictly prohibited from using to transact. The allowed list is much shorter, while the unpermitted list grows every day, which means emphasis should be placed on informing users which communication channels are allowed or not.Indeed, employees should be aware of the risks of having a zero-evidence messaging system on their devices. Law enforcement may assume fire when they see this smoke.
6. Regulate non-recordable devices
It is very hard for firms to prevent the use of non-recordable devices. The training mentioned above, combined with a culture of compliance, will go a long way towards achieving peace of mind. The IT team should ensure the main, non-recorded communications capabilities are blocked from use on the network and mobile devices.
One item – often left until last – is the ability to link together all the hard work in creating and implementing policies for communications use, retention and surveillance. MiFID II requires management oversight, written policies and the ability to regularly review and show that implemented policies are effective and adhered to not just when organisations perform a recovery, conduct surveillance or add another communications technology.
7. Conduct surveillance
Surveillance is another difficult area in which to provide satisfactory documentation to regulators. It’s not possible to look at every message or listen to every phone call so technology selected to achieve this purpose should be adaptable and well understood by anyone using it. In addition to monitoring key words and phrases to reveal concerning behaviours, organisations should be thinking of surveillance that will uncover evidence of non-recorded use and confidentiality breaches. If found, these can be quickly remediated and used to demonstrate the programme’s effectiveness.
MiFID II compliance is going to turn a lot of organisational practices upside down, but by starting with management oversight, knowing and understanding your estate and communication methods, and addressing the extension of records retention, firms can be on the right track to meeting these regulations before they are implemented in January 2018.
