The Financial Conduct Authority (FCA) has today ruled that investment bankers and asset managers will be required to record all phone calls, voicemails and instant messages as part of the EU's Markets in Financial Instruments Directive (MiFID II) to make the trading of securities more transparent.
The FCA said it would soften its approach for smaller financial advisers, who will be allowed to tape conversations, or make written notes of them.
The ruling has come a day after the FCA fined former Jefferies banker Christopher Nieuhaus £37,000 for sharing confidential information on WhatsApp.
Companies in the financial sector have long recorded landline calls and have clamped down on employees using their private mobile phones for work. But ensuring compliance can be hard, as the case of Nieuhaus has illustrated.
MiFID II represents the biggest shake-up of regulatory legislation in the European financial sector for over a decade. Its purpose, amongst many things, is to strengthen investor protection, prevent market abuse, increase transparency and re-establish consumer trust.
Its implementation had to be delayed by a year because firms — and regulators themselves — did not have their systems in place to comply with it. It now takes effect in January 2018.
There is an undoubted crossover between MiFID II and the upcoming GDPR, legislation designed to bring current data protection laws into the 21st century. Both are huge pieces of regulation that affect what data is stored and how: for example, there are requirements for transaction reporting in MiFID II and for data storage under GDPR.
This crossover might demonstrate how both sets of regulations are working against each other. On the one hand, MiFID II demands that firms record and store all communications that lead to a transaction for up to five years.
On the other, GDPR requires that data be kept no longer than is necessary and that the conversations recorded be specific to the transaction. Similarly, the right to be forgotten under GDPR allows people to have their records deleted. These examples are among many where regulations have significant crossover but divergent aims and requirements.
As MiFID II applies from 3 January 2018 and GDPR not until 25 May 2018, commentators have said GDPR is being left as an afterthought by financial services.
Ralph Lovesy, head of financial regulation at law firm Kemp Little, told SC Media UK: “It is undoubtable that both MiFID II and the GDPR will present challenges to regulated firms. While the GDPR will strengthen the existing restrictions on holding personal data, MiFID will essentially require more record keeping than ever. To date, the FCA and ICO have provided little guidance on how this potential conflict might be resolved. It seems likely that this will require a technological solution, which will enable employees to indicate which phone calls are pertinent to business, and perhaps even categorise phone calls automatically. It would be prudent for firms to determine the most appropriate way to comply with these new regimes well before the implementation dates.”
Much like with the GDPR, there is a misconception that because of Brexit, MiFID II will not apply to firms based in the UK. This is said to be inaccurate for several reasons. One is the timing of the law. Another is that, even if the UK has left the EU before MiFID II becomes effective, the scope of MiFID II extends to businesses based outside the EU that wish to trade with entities within the EU. This means that if UK firms wish to continue to trade with or provide services to European entities, they must be able to demonstrate regulatory equivalence with MiFID II. As a member of the G20, the UK dismissed tackling these reforms in isolation, choosing instead to adopt a European-wide policy – a decision which it is highly likely to uphold post-Brexit.