Two significant pieces of legislation are set to impact the investment management industry in the coming year: Mifid II and the General Data Protection Regulation (GDPR).
On the surface they appear to have conflicting aims, with the enhanced monitoring requirements under Mifid II seemingly incompatible with the enhanced data protection requirements of GDPR. Firms must consider how they will balance regulatory obligations under these two significant pieces of legislation to ensure compliance.
The Taping Regime
Mifid II brings a much higher set of expectations around conversation monitoring than previous legislation. As well as more firms being in scope, including discretionary fund managers, a much wider range of communication channels is covered. These include video conferencing, messaging and web chat applications, email and both landline and mobile telephones.
As part of their preparations, firms are in the process of designing monitoring programmes which are proportionate to the size, nature and complexity of their operation. This must also take into account the personal data being processed as part of this requirement, and ensure the procedures in place also cover the rights individuals have under GDPR.
As part of this, firms will need to ensure they have either a legal basis, legitimate business interest or clear and unambiguous consent for processing the personal data they are collecting. Privacy statements and terms and conditions will need to outline in clear and plain language why the data is being collected, what it will be used for and for how long it will be retained.
We’re all used to phoning companies and being informed that our call is being recorded for training and monitoring purposes. However, if a firm’s monitoring practices go beyond this, for example by analysing conversations to uncover trends in the type of transactions being made via each channel, it must be clearly disclosed upfront and within any terms and conditions, and explicit consent obtained.
For firms considering outsourcing the recording function, the FCA has deemed this to come under the scope of critical outsourcing, which comes with its own, more prescriptive systems and controls (SYSC) requirements. For outsourced record keeping arrangements, firms must also ensure that all third parties acting as data processors comply with GDPR provisions, and must retain robust records and oversight of the processing activities undertaken on their behalf.
Under Mifid II, firms are required to store recordings of pertinent conversations for five years – significantly longer than the six-month retention period stipulated by the original Mifid legislation. On the other hand, GDPR mandates that personal data should be kept in an identifiable format for no longer than necessary.
After that period it should be securely wiped, or anonymised if firms wish to retain it. Data destruction processes need to be robustly evidenced and regularly reviewed to ensure that they remain fit for purpose.
A key consideration when designing record keeping procedures that are compliant with both pieces of legislation is whether records can be stored confidentially, ensuring only the business and those authorised within it can access these records.
Firms should also consider how to ensure the integrity of the records for the life of the retention period, ensuring they cannot be tampered with or deleted. For firms using call recording technologies to capture conversations relating to transactions, appropriate organisational and technical arrangements will need to be in place to distinguish these calls from others where consent to record would be required under GDPR.
Ultimately, record keeping provisions will need to be regularly reviewed, not only for compliance with FCA expectations, but also considered within the context of GDPR and privacy rules. Firms will need to demonstrate how the proportionality, necessity and data retention limitation principles have been taken into account when designing or extending recording processes.
GDPR is good business sense: it will provide greater customer assurance and result in increased customer confidence. However, ensuring that the data protection principles are met alongside a firm’s other regulatory obligations could present an ongoing challenge for investment management firms.
Phil Deeks is technical director at TCC