As the pressure builds at financial services companies, and the MiFID II (Markets in Financial Instruments Directive) deadline of 3rd January 2018 rapidly approaches, those in the office trenches are hoping to bring some clarity to its 200 directives. Their mission is to find suitable solutions for managing the mammoth task that is transparency, transaction and reference data reporting, and many are now battening down the hatches in the hope that their game plan doesn’t come unstuck in the final hours.
Teetering on the edge of the commercial cliff meanwhile is the quest to implement a set of suitable data collection and storage solutions that not only meet the legislative requirements posed by MiFID II but can also be aligned with other key components of a financial firm’s obligations. Throw in PRIIPs (Packaged Retail Investment and Insurance-Based Products) and MAR (Market Abuse Regulation) and it’s enough to get even the savviest of city suits breaking out in a sweat as they seek to conquer the cataclysm and avoid being severely stung by hefty fines that stretch into the millions.
Meanwhile, as those in the financial services industry grapple with what all this means to their IT operations, data storage, and cybersecurity requirements, the additional complication of the upcoming GDPR legislation is another item looming large on the to-do list, and a further grenade being thrust over the parapet.
But what exactly does this all mean to how a business collects and stores data? And what should they be doing to ensure they are fully compliant by the deadline dates?
Daren Oliver is an IT solutions specialist at Fitzrovia IT currently helping a variety of clients operating in the financial sector to implement effective data collection and storage to meet the required legislation. He said:
“Naturally the data being collected and stored by financial firms is going to be incredibly sensitive by its very nature, so fully understanding exactly what MiFID II entails and how it fits into the jigsaw of legislation requirements is essential to understanding what remedies need to be put in place for a company’s IT infrastructure.
“Taking a holistic approach to appropriate IT solutions is essential to ensure that every possible angle is carefully considered – not just as a result of the changes being brought about by MiFID II, but also so that they are aligned with other directives such as GDPR.”
“Whilst there are a number of software vendors claiming to have systems that will help control things such as suitability and appropriateness checks, this is often subjective and requires a firm to effectively create a workflow to determine what route they should follow for each client. Unfortunately, there is no off-the-shelf software package that will guarantee compliance with the host of new regulations.”
With our growing reliance on technology and IoT, companies are more exposed than ever before. From employees using their own personal mobile devices to the dependence on messenger systems, there is a plethora of potential pitfalls waiting to become major problems, particularly since part of MiFID II is to ensure financial firms are recording all conversations, messages and exchanges relating to transactions.
Daren’s recommendation for mitigating the risks of interception, foul practice and cybercrime, whilst remaining compliant, is to implement an MDM (Mobile Device Management) solution. He said:
“An MDM solution will provide as much control as possible over mobile devices and the data that is stored or processed by a company. Often companies do not know what devices are being used, so this is key to providing visibility of precisely what is being operated. Businesses should also look at forming a policy that would allow individuals to use personal devices without compromising data security.
“Ultimately the easiest answer when it comes to data storage and compliance is for companies to limit where conversations are taking place so that they fit within the technical solutions. It may be that chat, IM or other mediums outside of the IT solutions carry a disclaimer. As with all cybersecurity solutions, it should be constantly reviewed and tested to ensure it still protects a company’s business practices as well as changes in workflow or governance.”