As technology evolves and becomes more complicated, so too do the moral and ethical dilemmas, along with the associated regulations. However, well-intentioned regulations designed to protect people and businesses alike can sometimes seemingly conflict with one another – something which the financial industry is potentially facing with the debate over Compliance versus Privacy.
This apparently thorny issue has been debated in a new report by The Realization Group and Shield entitled: ‘Navigating strict privacy regulations in a MiFID II world’. This report examines the apparent conflict presented by regulations designed to provide greater visibility into financial companies’ operations (including the EU’s MiFID II and UK sibling, the Markets Abuse Regulation), versus regulations to protect personal data (the EU’s GDPR, which is enforced in the UK under PECR and the Data Protection Act).
The 2008 financial crisis was a big wake-up call for not only the financial industry, but also the broader political and social landscape, resulting in an inevitable tightening of regulations. Introduced in 2018 and threatening potential fines of 10% of annual revenue, has had a seismic impact across the financial industry and firms have spent around $2.5 billion globally to make themselves compliant.
However, this strict regime of communications surveillance was brought into question shortly afterwards with the introduction of GDPR, which aims to protect the privacy of ordinary people. This will be further complicated by the forthcoming ePrivacy Regulation which will specifically focus on communications and especially eComms and the associated metadata.
Unsurprisingly, this has caused a lot of concern, as Paul Clulow-Phillips, Managing Director, Co-Global Head of Markets Compliance and Global Head of Capital Markets Surveillance at Société Générale, says in the report, “There was a long period of time where there was just the hands-up-in-the-air panic around the fact that really you have two conflicting regulatory directions of travel. A more nuanced view is evidenced now in most organisations.”
Private or public comms?
As MiFID II prompted firms to tighten up on eComms surveillance, naturally risk-averse firms adopted a ‘more is better’ approach to storing data to prove compliance. GDPR’s potential fines has however led to a complete revision of this approach.
Much of the issue has come from separating personal data (which is protected by GDPR) and business data (which is under MiFID II). As Sam Tyfield, Partner at Shoosmiths points out in the report, “My point has always been, you don’t know what is private and what isn’t. Any conversation that anybody has could lead to, or involve, a transaction of a financial instrument. So, your obligation is to pretty much record everything.”
For many businesses there is a very thin line between privacy and business, particularly on trading, risk-management and research desks which are heavily dependent on personal relationships with counterparties and customers. Often business and social are mixed in the same conversation.
This has been made even more complicated by the increased use of smartphones and mobile devices over the last decade. When all eComms are conducted in-house it’s much easier to control, but with BYOD it is far more complicated. These devices contain huge amounts of personal data and having to delve into them to prove compliance is a potential regulatory minefield.
Some firms have dealt with this by issuing their own mobile devices, the rationale being that any personal data stored within is the responsibility of the user not the business. Other approaches are using isolated apps or separate sim cards to separate private and business data on the same device.
However segregating data can bring its own issues, such as looking for signs of criminal behaviour. There is a big argument for banning any conversations in the workplace that can’t be recorded, purely for simplicity and clarity. Paul Clulow-Phillips remarks in the report, “In an ideal world BYOD wouldn’t exist. The minute you introduce personal devices and social media into the equation, that instantly becomes more difficult.”
The use of any of the almost 1,000 social media networks makes the identification of compliant or non-compliant material within eComms even more complex. Even if firms ban their use on in-house systems, mobile devices ensure this enforcement is tricky. Many customers also choose to stay in touch via LinkedIn or WhatsApp and its simply not practical for traders to ignore these platforms, so many firms have been forced to accept this.
Collecting data is also a challenge, with screen scraping proving to be a crude measure when it comes to doing this. GDPR also stipulates that compliance teams must give specific reasons for collecting data from personal channels such as social media – which means compliance officers can’t simply go fishing for potentially incriminating evidence.
Luckily this has evolved in the last few years. Experience and a greater understanding of the regulations has proven to be a valuable asset for financial firms when it comes to finding balance between compliance and privacy.
In the report Balavernie Sritharan, a Technical Director at Deloitte states, "The reason people tend to perceive there’s a conflict is a lack of understanding between how these regulations work together and why they are here in the first place. I’d say that privacy laws are really not there to create a burden on business it is just there to make sure that the consumers’ or business customers’ privacy rights are not compromised.”
Since MiFID II and GDPR went live, firms have become far more savvy and have incorporated failsafes, such as informing employees they’re being monitored to Data Subject Access Requests and other conditional rights, such as their personal data to be removed from company servers. These measures ensure firms don’t deliberately or accidentally over-stretch their surveillance remit.
However, one of the biggest lessons for financial firms has been the need to form considered policies and governance regimes, to equally balance their own interests with those of employees and customers. This means avoiding blank data gathering and instead identifying the data they need – all backed up with robust and enforceable policies.
It has become clear that regulators don’t expect firms to spot every single piece of non-compliance, but they do expect to see a sensible process in place to identify and prevent it from happening.
Improving data management
Unfortunately, many firms have been on the back foot when it comes to meeting the new regulations because their technology infrastructure is not suited to the sophisticated and selective monitoring required.
It is essential that firms get their eComms data storage managed properly in the first place, so their compliance systems can work across multiple channels, finding the data that is required, with minimum disruption, and is able to avoid the potential privacy pitfalls at the same time.
It's all about getting the basics right, maintaining a robust holistic eComms compliance practice that combines multiple channels and understands the correlation between them. Once firms have got their own house in order, they can be confident about meeting all compliance requirements, whilst protecting privacy and being prepared for future regulations as they arrive.