Tackling Apparent Contradictions of Compliance versus Privacy


Shiran Weitzman

CEO and Co-Founder at Shield


30.03.2020 10:00 am

As technology evolves and becomes more complicated, so too do the moral and ethical dilemmas, along with the associated regulations. However, well-intentioned regulations designed to protect people and businesses alike can sometimes seemingly conflict with one another – something which the financial industry is potentially facing with the debate over Compliance versus Privacy.

This apparently thorny issue has been debated in a new report by The Realization Group and Shield entitled ‘Navigating strict privacy regulations in a MiFID II world’. This report examines the apparent conflict between regulations designed to provide greater visibility into financial companies’ operations (including the EU’s MiFID II and its UK sibling, the Markets Abuse Regulation) and regulations designed to protect personal data (the EU’s GDPR, which is enforced in the UK under PECR and the Data Protection Act).

Necessary regulations

The 2008 financial crisis was a big wake-up call not only for the financial industry, but also for the broader political and social landscape, resulting in an inevitable tightening of regulations. MiFID II, introduced in 2018 and threatening potential fines of 10% of annual revenue, has had a seismic impact across the financial industry, and firms have spent around $2.5 billion globally to make themselves compliant.

However, this strict regime of communications surveillance was brought into question shortly afterwards with the introduction of GDPR, which aims to protect the privacy of ordinary people. This will be further complicated by the forthcoming ePrivacy Regulation which will specifically focus on communications and especially eComms and the associated metadata.

Unsurprisingly, this has caused a lot of concern, as Paul Clulow-Phillips, Managing Director, Co-Global Head of Markets Compliance and Global Head of Capital Markets Surveillance at Société Générale, says in the report, “There was a long period of time where there was just the hands-up-in-the-air panic around the fact that really you have two conflicting regulatory directions of travel. A more nuanced view is evidenced now in most organisations.”

Private or public comms?

As MiFID II prompted firms to tighten up on eComms surveillance, naturally risk-averse firms adopted a ‘more is better’ approach to storing data to prove compliance. GDPR’s potential fines have, however, led to a complete revision of this approach.

Much of the issue has come from separating personal data (which is protected by GDPR) and business data (which is under MiFID II). As Sam Tyfield, Partner at Shoosmiths points out in the report, “My point has always been, you don’t know what is private and what isn’t. Any conversation that anybody has could lead to, or involve, a transaction of a financial instrument. So, your obligation is to pretty much record everything.”

For many businesses there is a very thin line between privacy and business, particularly on trading, risk-management and research desks which are heavily dependent on personal relationships with counterparties and customers. Often business and social are mixed in the same conversation.

This has been made even more complicated by the increased use of smartphones and mobile devices over the last decade. When all eComms are conducted in-house it’s much easier to control, but with BYOD it is far more complicated. These devices contain huge amounts of personal data and having to delve into them to prove compliance is a potential regulatory minefield.

Some firms have dealt with this by issuing their own mobile devices, the rationale being that any personal data stored on a company device is the responsibility of the user, not the business. Other approaches use isolated apps or separate SIM cards to separate private and business data on the same device.

However, segregating data can bring its own issues, such as making it harder to look for signs of criminal behaviour. There is a big argument for banning any conversations in the workplace that can’t be recorded, purely for simplicity and clarity. Paul Clulow-Phillips remarks in the report, “In an ideal world BYOD wouldn’t exist. The minute you introduce personal devices and social media into the equation, that instantly becomes more difficult.”

Social media

The use of any of the almost 1,000 social media networks makes the identification of compliant or non-compliant material within eComms even more complex. Even if firms ban their use on in-house systems, mobile devices make that ban hard to enforce. Many customers also choose to stay in touch via LinkedIn or WhatsApp, and it’s simply not practical for traders to ignore these platforms, so many firms have been forced to accept this.

Collecting the data is also a challenge, with screen scraping proving to be a crude measure when it comes to doing this. GDPR also stipulates that compliance teams must give specific reasons for collecting data from personal channels such as social media, which means compliance officers can’t simply go fishing for potentially incriminating evidence.

Better understanding

Luckily, this has evolved in the last few years. Experience and a greater understanding of the regulations have proven to be a valuable asset for financial firms when it comes to finding a balance between compliance and privacy.

In the report Balavernie Sritharan, a Technical Director at Deloitte, states, “The reason people tend to perceive there’s a conflict is a lack of understanding between how these regulations work together and why they are here in the first place. I’d say that privacy laws are really not there to create a burden on business, it is just there to make sure that the consumers’ or business customers’ privacy rights are not compromised.”

Since MiFID II and GDPR went live, firms have become far more savvy and have incorporated failsafes, ranging from informing employees that they are being monitored to honouring Data Subject Access Requests and other conditional rights, such as the right to have personal data removed from company servers. These measures ensure firms don’t deliberately or accidentally over-stretch their surveillance remit.

However, one of the biggest lessons for financial firms has been the need to form considered policies and governance regimes that balance their own interests equally with those of employees and customers. This means avoiding blanket data gathering and instead identifying the data they actually need, all backed up with robust and enforceable policies.

It has become clear that regulators don’t expect firms to spot every single piece of non-compliance, but they do expect to see a sensible process in place to identify and prevent it from happening.

Improving data management

Unfortunately, many firms have been on the back foot when it comes to meeting the new regulations because their technology infrastructure is not suited to the sophisticated and selective monitoring required.

It is essential that firms get their eComms data storage managed properly in the first place, so that their compliance systems can work across multiple channels, find the data that is required with minimum disruption, and avoid the potential privacy pitfalls at the same time.

It’s all about getting the basics right: maintaining a robust, holistic eComms compliance practice that combines multiple channels and understands the correlation between them. Once firms have got their own house in order, they can be confident about meeting all compliance requirements while protecting privacy and being prepared for future regulations as they arrive.
