Mifid II will have a profound impact on banks, hedge funds, wealth managers and fund selectors, to name just a few financial organisations. The updated regulation will apply to more than 300 trading venues and 15 million financial instruments, as well as all the businesses that make use of these instruments and venues.
There’s no denying that complete compliance will be a significant undertaking for any company, but can businesses in the financial services sector feel comfortable that their internal efforts to meet compliance are sufficient?
Preparing for the deadline
Mifid II legislation spans much more than the previous directive, meaning that many companies will be implementing a formal compliance initiative for the first time. What’s expected in terms of compliance is greater than ever, so even if a business has a pre-existing programme in place, it’s vital to perform an audit to determine how this needs to change to meet the demands of the updated regulation. False information can put your business at serious risk, and so companies without a designated compliance officer would be wise to take advice at this stage to make sure the directive is interpreted accurately.
Once the requirements of a company’s new compliance strategy are determined and an approach is chosen, it’s critical to understand in detail how the solution works, particularly for call recording. Mifid II requires all emails, phone calls and messages between a trader and a customer to be recorded, and applies to anyone involved in the advice chain that might potentially lead to a trade. This means that businesses can’t rely solely on in-house solutions that don’t monitor mobile devices. The provider should be transparent about the elements that make up their solution, including where and how the call recording data is stored, and how they will roll that solution out. This will enable you to identify internally any potential points of failure in the proposed solution.
Additionally, a reputable vendor should allow you to trial the solution for yourself – which is invaluable for your compliance personnel who would need to periodically log in and audit call recordings when the solution is in place. Developing these audit skills before the implementation deadline will prepare your business well for a future compliance episode.
Introducing a compliance strategy
Companies can reduce the skills burden of Mifid II compliance in a number of ways. Choosing a provider that can manage, implement and support a solution is recommended – and if the same provider can manage data storage, this will streamline the system and make the audit process much easier.
Call recording on mobile phones is essential. In order to remove the significant IT burden of modifying handsets or introducing call recording apps – which could potentially be circumvented by the user – companies should consider call recording at a network level. This will reduce the internal compliance burden, and the solution will be much easier to manage and implement.
Once a sufficient compliance strategy is formulated, it’s crucial to embed this into the business straight away. Communication across the company is key at this stage.
The nature of the Mifid II requirements naturally means that some unrelated conversations will be captured and inadvertently stored. This can be a difficult issue to broach with staff, and when it comes to change management, the required approach will differ drastically from business to business. Insider knowledge of your company culture will give you many of the skills you need here.
If all members of the workforce are aware of the purpose of these compliance measures and understand the consequences of non-compliance, onboarding a new strategy will be much less complex.
When compliance meets real life
In an ideal world – in terms of compliance – traders and staff would keep to recorded telephone calls and emails when communicating with customers. However, the reality is that many instant messaging solutions are now used in business. What’s more, an enhanced consumer need for privacy has led to many instant messaging platforms encrypting their data so that it cannot be monitored by internal systems. While organisations cannot oversee these communications, they can prevent the installation of these applications via mobile device management (MDM) solutions for their company-controlled devices. This is likely something that your company already has in place, and so it may be a simple case of increasing the restrictions applied to the handsets, which is a skill that your IT department should certainly have.
Reinforcing the message of the importance of these measures and providing timescales for these changes to employees should make the process run much more smoothly.
Once Mifid II begins, data must be stored for five years and businesses will be required to access stored data and monitor a sample of these records on a periodic basis. Reports will have to be compiled should the FCA request evidence of this compliance activity, and so time and budget need to be dedicated to this as a function of the business. This is certainly something that many companies will be able to take on as an internal process, particularly if data is stored in the cloud.
Though the previous directive only required data to be stored for six months rather than five years, there are benefits to be realised from retaining data for longer periods. The longer you retain records, the more business intelligence you have to draw from and ultimately the more protected you are as an organisation. The budget allocated and potential skills training required for on-going compliance activity can be seen as an investment in improving business processes.
Alex Phillips is head of mobile at Adam Phones