Wrestling Over Competing Mifid II, GDPR Data Demands

The data gathering, retention and reporting requirements of Mifid II seem at odds with the enhanced personal data protection rules of the GDPR. But with careful consideration, financial institutions can balance their regulatory obligations under the two pieces of legislation, although the road to compliance is far from smooth, as Kirsten Hyde reports.

The purpose of Mifid II, which came into force on January 3 this year, is to provide a strengthened financial services regulatory framework with improved transparency requirements for the benefit of investors. As a result, large sets of data, often including personal data, are processed by investment firms to comply with the rules. For example, firms are required to keep records for at least five years of client orders and decisions to deal, transactions, and order processing details to aid regulators in their crackdown on market abuse. As part of these transaction reporting and order record-keeping obligations, firms must collect and process personal data of individual traders and clients, including their full name, date of birth, and a unique identifier, such as an ID number, passport number or a concatenated code. 

In addition to the collection and storage of this data, Mifid II places requirements on investment firms and trading venues to submit reports to national regulators that detail the trades and personal information of the trader and client by the end of the next working day, either directly or through Approved Reporting Mechanisms (ARMs) or trading venues.

Mifid II also requires firms to record all electronic communications and telephone conversations relating to activities intended to result in the conclusion of a transaction or the provision of client order services, even if they do not. These records must be stored in a manner that allows them to be accessible for future reference, readily available if regulators request them, and must be retained for a minimum of five years, and in some cases, up to seven years. 

Meanwhile, GDPR, which will come into force on May 25 this year, brings in new rights for data subjects governing how their data is stored and used, and enshrines in law the “right to be forgotten”—whereby a person can request that firms delete all personal data held on them. 

A key principle of GDPR is that the ownership of personal data is deemed to remain with the individual and not with the data controllers (financial institutions that determine the purpose of the processing) or processors (external vendors who process data on controllers’ behalf, such as cloud technology vendors or outsourcing providers).

GDPR provides, among other things, that any personal data that can be used directly or indirectly to identify a person, should: be relevant and limited to what is necessary in relation to the purposes for which they are processed; be kept for no longer than is necessary—and after that, data should be securely destroyed, or anonymized if firms wish to retain it; be processed lawfully, fairly and in a transparent manner in relation to the data subject; and be obtained for specified and lawful purposes. 

A fundamental change introduced by GDPR is the overarching principle of accountability. Organizations must not only comply, but must also be able to demonstrate that they comply. And the stakes are high: GDPR gives regulators the means to impose hefty fines for serious breaches of the regulation totalling 4 percent of a firm’s annual global turnover, or €20 million ($25 million), whichever is higher. Where firms suffer a data breach, as a result of a cyber-attack, for example, they will be required to notify their regulator within 72 hours—something regulators hope will remedy current under-reporting of cyber breaches.

The regulation assigns to data processors many of the same legal responsibilities that apply to data controllers, although controllers have full responsibility for their processing relationships, and they are liable for the actions of the processors they select. GDPR is also explicitly extra-territorial and regulates the protection of personal data of all European Union subjects during processing, no matter where in the world the business takes place, which means US and Asian financial institutions that service European clients, as well as the subsidiaries of firms in other countries, will also have to comply with the regulation. 

Reconciliation

It is understandable that the two regimes appear to conflict: Mifid II includes an enhanced data gathering, retention and reporting regime with personal data caught in its net, while GDPR hands individuals more control over their data. On closer inspection, however, the two rule sets can be reconciled with careful thinking and consideration, legal experts and regulators say. 


“Investment firms have to reconcile the processing of personal data under the requirements of GDPR with what they actually need to hold and how they need to maintain and disclose information and keep records as required under Mifid II. One thing I always go back to is that within Mifid II there is language that says that the processing of personal data pursuant to the directive must be carried out in accordance with personal data protection rules in the EU—and it makes reference to the Data Protection Directive [which GDPR will replace],” says Nathaniel Lalone, a partner at law firm Katten Muchin Rosenman UK.

In a similar vein, the UK’s Financial Conduct Authority (FCA) issued a joint statement with the Information Commissioner’s Office in February, stating, “We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook”—a statement viewed by some to include the requirements of Mifid II. “Indeed, there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook,” the FCA-ICO statement says.

“There is clearly intent for the two rule sets to be read in a way so that one is compatible with the other. The question is, how do you do that? From an investment firm’s perspective, when you hold and maintain personal data, you’re meant to, for example, destroy it in an unrecoverable format when it is no longer needed. If you’re an investment firm the question becomes, ‘When does it become no longer needed?’ With Mifid II obligations, firms can say, ‘For this particular type of record it’s five years, or seven years, and potentially longer if there is reason to think that there might be an enforcement action,’” Lalone says. “It requires some careful thinking. It’s challenging, but not impossible [to reconcile Mifid II and GDPR]. In most cases, there is a way of reading one in a way that doesn’t violate the other. With careful consideration and by acting in a reasonable manner, you can get both sets of rules to work together 99 percent of the time.”

There are six lawful bases for processing personal data under GDPR, and four in particular apply to financial institutions. These are: consent, where the data subject has given consent to the processing of his or her personal data for one or more specific purposes; contract, where processing is necessary for the performance of a contract to which the data subject is party; legal obligation, where processing is necessary for compliance with a legal obligation to which the controller is subject; and legitimate interest, where there is a compelling justification to do so.

If firms can assign at least one of these bases to each process, the requirements of the two regulations can start to be reconciled. For instance, a data subject’s right to be forgotten, where they request that a firm stop processing their personal data, must be considered in conjunction with the organization’s legal obligation under Mifid II and/or anti-money laundering and fraud regulations to file regulatory reports and to retain records.


“If a firm receives a request from someone asking it to delete personal data, but needs to keep that personal data for a period of time to comply with a specific obligation under other legislation, then it is entitled to retain that data to comply with the legal obligation to which it is subject—that is, the GDPR right to erasure will not apply,” says Joanna de Fonseka, an associate at law firm Baker & McKenzie. “I would make the point, though, that the data will still need to be processed in compliance with GDPR, so a firm would still have to put in place appropriate security measures, for example, to protect that data.”

In other areas such as record keeping, a key consideration when designing procedures that are compliant with both pieces of legislation is whether records can be stored confidentially, ensuring that only the specific people who need to access these records can do so. Lawyers say that banks should also be able to demonstrate that they have considered the principles of necessity, proportionality and data retention at the time of designing or amending their recording procedures.

Where firms are obliged to record phone conversations intended to lead to transactions, personal data disclosed during the course of those conversations will also be retained for the prescribed time by firms under their Mifid II obligations. Lawyers say this should constitute a lawful basis for processing personal data, but that firms will nonetheless have to meet their obligations under GDPR by clearly informing clients and employees about the scope, procedure and potential consequences of recordings.

Outstanding Issues

While the two rule sets can be navigated, there are some aspects that still concern market participants, particularly relating to the storage and transmission of personal information of individual traders and clients under Mifid II’s transaction reporting requirements. 

“One of the aspects of GDPR we keep hearing over and over again concerns consent to the use, transmission and processing of personal data. The consent needs to be clear and specific, and one of the things that is problematic is that transaction reports that capture personal data of individuals get passed from one firm to a platform, perhaps on to an exchange, and then to a regulator. It goes through potentially lots of different steps, and it may be hard to then show that the data subject has consented to each of those steps,” Lalone says.

Jurriaan Jansen, a lawyer at Norton Rose Fulbright, agrees, saying in a presentation that “Mifid II leads to increased regulatory burden… and an increase in data flows, having the potential of making it difficult for individuals to understand what is happening to their data and to control their data.”

There is also concern that the transmission of personal information between firms, ARMs, platforms and regulators increases the risk of cyber breaches and identity theft because hackers have more points of attack. The concerns are particularly pertinent in the context of GDPR, which places a greater onus on data processors and controllers to identify data breaches and notify the owners of the data if there is a risk to their rights and freedoms, including financial loss. 

To curb this risk, some industry participants have developed a way of substituting personal data with unique numbers known as short codes. Nex Group, for instance, last month launched its Industry Standard Common Identifier (ISCI) short code service, which can be used by trading venues and investment firms that use Nex Regulatory Reporting as their ARM. But so far, largely because of pressing regulatory timeframes, there is no common industry approach to developing standardized short codes, and they have not explicitly been approved under Mifid II, despite working well from a GDPR perspective.
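The following is an added example, not code from the article or from Nex Group or any of the firms quoted. It shows, in one small store, the two mechanisms the text describes: the erasure-versus-retention decision (the legal-obligation basis Lalone and de Fonseka discuss above) and passing a transaction report down the reporting chain under a short code instead of the trader’s direct identifiers. Names, identifiers, ISIN and dates are constructed sample data; the five-year period is the article’s figure, while the short-code format and the store layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date
import secrets

RETENTION_YEARS = 5  # Mifid II minimum record-keeping period quoted in the article
@dataclass(frozen=True)
class Trader:
    full_name: str
    date_of_birth: date
    national_id: str  # the unique identifier Mifid II reporting requires

@dataclass
class Trade:
    trader_id: str  # the trader's national_id (constructed sample data)
    isin: str
    quantity: int
    executed_on: date

def retention_end(executed_on: date) -> date:
    """Five years after execution; a 29 Feb trade date rolls back to 28 Feb."""
    try:
        return executed_on.replace(year=executed_on.year + RETENTION_YEARS)
    except ValueError:
        return executed_on.replace(year=executed_on.year + RETENTION_YEARS, day=28)

class ReportingStore:
    """Firm-side store: trader details, the short-code map and the trade records."""
    def __init__(self) -> None:
        self.traders: dict[str, Trader] = {}
        self.short_codes: dict[str, str] = {}  # national_id -> opaque short code
        self.trades: list[Trade] = []

    def short_code_for(self, trader: Trader) -> str:
        """Issue (or reuse) a random short code; the mapping never leaves the firm."""
        self.traders.setdefault(trader.national_id, trader)
        return self.short_codes.setdefault(trader.national_id, "SC-" + secrets.token_hex(4))

    def record_trade(self, trader: Trader, trade: Trade) -> dict:
        """Keep the trade for Mifid II; the returned report carries only the short code."""
        self.trades.append(trade)
        return {"trader_code": self.short_code_for(trader), "isin": trade.isin,
                "quantity": trade.quantity, "executed_on": trade.executed_on.isoformat()}

    def handle_erasure_request(self, national_id: str, today: date) -> dict:
        """GDPR erasure request weighed against the legal obligation to keep records."""
        ends = [retention_end(t.executed_on) for t in self.trades if t.trader_id == national_id]
        if ends and max(ends) > today:
            # Retained on the legal-obligation basis; GDPR security duties still apply.
            return {"erased": False, "basis": "legal obligation (Mifid II record keeping)",
                    "retain_until": max(ends)}
        # Retention expired: delete the records and the short-code mapping itself.
        self.trades = [t for t in self.trades if t.trader_id != national_id]
        self.short_codes.pop(national_id, None)
        self.traders.pop(national_id, None)
        return {"erased": True, "basis": "retention period expired"}
```

The report dictionary is what would be handed to an ARM, venue or regulator; the traders and short_codes maps stay with the firm, which is why erasure has to remove the mapping as well as the trade records once the retention period has run.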

To-Do List

Notwithstanding these issues, financial services firms are facing a huge task of reviewing how they handle, process and govern the use of personal data across their entire organization. Keeping records of processing activities and compliance practices is among their key requirements, and has forced them to undertake vast data mapping exercises.

“Generally speaking, the first step to GDPR compliance is to understand the personal data held by the organization—who the data custodian is, the sources of data, where the data is being sent, how it is used, purposes of collection, location of the data, and much more. For large companies, such data mapping is challenging… and some still struggle with this data-mapping exercise,” says Ron van Wezel, a senior analyst at Aite Group and author of the report, Data Protection in the Board Room: The Impact of the GDPR.


“From a GDPR compliance perspective, firms should also be mapping out the processes they’re using for Mifid II compliance and documenting these,” adds Georgina Kon, a partner at Linklaters in London. “From an accountability perspective, it’s important that there is a clear trail of what they are doing, why they think those steps are necessary and proportionate for the aim they’re pursuing. So, for example, are there controls that they can put in place to make sure that only the minimum amount of data is processed and that only people who need to see it, see it? How will data subject rights requests be treated? These are all normal data protection compliance steps, and should not be a bar to firms achieving Mifid II compliance in a sensible way.”

Lawyers at UK law firm Burges Salmon also highlight the importance of drafting and maintaining new policies that are sufficiently compliant with different legal regimes, such as Mifid II and GDPR, and say these will require “continuous consideration.” In a legal update, they add that “in order to be able to demonstrate GDPR compliance, regulated firms will need to ensure that they have tested their systems and processes, and newly implemented policies and procedures, to ensure that they can comply with enhanced data subject rights and the new obligations under GDPR (for example, relating to breach reporting).”

In other areas more generally, being able to demonstrate whether client consent to retain data has been sought is a challenging task, lawyers say. Obtaining an individual’s consent may seem an easy way to establish a legal basis for processing, but it is not as straightforward as it seems. 

“Some banks have hundreds or thousands of clients—not all of whom necessarily are going to be responsive or like what is written, so any repapering exercise like that can take a long time,” Lalone says.

Kon says she has seen banks and other clients moving away from consent as a lawful basis for processing because of the difficulties associated with collecting valid consent, particularly with the new higher GDPR threshold where firms need an express affirmative action. “Instead, firms are finding alternative legal bases for processing—for example, where there is a legitimate interest to do so, or because they need to comply with a law such as Mifid II, or because it is necessary for the performance of a contract. There are different ways firms can frame what they are doing,” she says.

Central to every bank’s compliance efforts will be the updating of contracts with existing third-party data processors—another vast “repapering” exercise. GDPR requires the insertion of specific clauses into contracts setting out the subject matter and duration of processing, its nature and purpose, and the type of personal data involved. Contracts must ensure that those processing data are doing so under a confidentiality obligation, that processors encrypt data as appropriate, they obtain prior written consent from controllers if they wish to sub-contract work out, and they delete or return personal data at the end of the agreement. 

“One of the biggest challenges is time. To update existing processor agreements for GDPR compliance, financial services firms need to review and redraft the relevant provisions in their current agreements and will likely also need to allow for some negotiation time with processors,” de Fonseka says. 

According to some of the lawyers spoken to by Inside Data Management, regulators are cognizant of the amount of work involved in meeting GDPR requirements.   

“It’s an open secret that most large, global organizations will not have their GDPR compliance programs fully completed by May 25 because there is simply too much to do, and regulatory guidance and local laws are evolving, even now at this very late stage. Regulators understand this, and they have indicated that in the first few months after May we can expect them to be helpful rather than on the lookout to impose large fines,” says Kon. “However, that’s certainly not a ‘get out of jail free’ card. If a firm has done nothing to comply with GDPR in high risk areas, then that type of flagrant breach will not go down well.” 
