A recent study by Aeriandi of IT decision makers and Risk & Compliance managers within UK financial services businesses has revealed a concerning lack of preparation for, and understanding of, the requirements of the MiFID II legislation coming into force in January 2018.
The study, carried out in January 2017, shows that managers and decision makers within these institutions have little understanding of the severity of the potential penalties and are struggling to apply the legislation to their businesses. Comparing the responses of IT professionals with those of the people responsible for managing Risk & Compliance shows that IT teams have a better overall understanding of the consequences of non-compliance: 62 per cent of Risk & Compliance managers admitted to not knowing that a company can be fined up to five million euros or 10 per cent of annual turnover, compared with 42 per cent of IT managers and decision makers.
It would appear, however, that a countdown to compliance has begun, and organisations are now starting to invest time and money in preparations: 30 per cent of respondents say that budget has been allocated this year to help with preparations, and more than a third (36 per cent) report that policies and procedures have now been developed.
The revised Markets in Financial Instruments Directive, commonly known as MiFID II, is due to come into force in January next year. Proposed by the EU in response to the 2008 financial crisis, MiFID II is a set of sweeping reforms for the financial industry designed to prevent history from repeating itself. The legislation governs everything from where and how derivatives can be traded to measures for reducing volatility and policing potential conflicts of interest among financial advisers. Achieving compliance is no mean feat and will not happen overnight: MiFID II is widely considered to be one of the most sprawling pieces of financial legislation ever devised, and it presents numerous challenges for those looking to achieve compliance ahead of the deadline in early 2018.
One of the more contentious aspects of the new legislation is the change in requirements relating to the recording and archiving of telephone calls. The Financial Conduct Authority (FCA) currently mandates that only the telephone conversations of individuals directly involved in trading need to be recorded. MiFID II broadens the scope considerably to include anyone in the advice chain whose conversation may result in a trade, which significantly widens the set of people whose calls must be recorded once the legislation takes effect: conversations between the likes of wealth managers or independent financial advisers and their clients will now fall within scope. Furthermore, the requirement applies to both fixed-line and mobile conversations, and all recordings must be stored and remain accessible for a minimum of five years after the call took place, or seven years where the competent authority requests it.
This portion of MiFID II is causing a degree of consternation. Before MiFID II was announced, few financial institutions had the infrastructure in place to meet the new requirements. Many are still working out how best to achieve compliance and are looking to third-party solutions to extend their call recording and archiving capabilities. Third-party expertise can shorten the path to compliance considerably, though it is worth remembering that the regulatory obligation stays with the firm: outsourcing the recording does not outsource the responsibility for it.
Choosing the right third-party technology is difficult without knowing what to look for in a solution. There are, however, a number of key requirements that should be checked when assessing call recording and archiving solutions, to ensure the technology meets the requirements set out by MiFID II:
- Coverage of all required telephone platforms
MiFID II mandates that calls be recorded on both mobile and landline platforms, so the solution must be able to capture both, not just the office phone system.
- Easy implementation and scalability
Will implementing the new solution result in business downtime and therefore loss of revenue? Many cloud-based recording and archiving solutions no longer require any on-site installation, which can eliminate disruption during integration. Scalability is also a major factor: can the solution scale up to cover busy periods and scale down to save money during quieter periods? If not, the organisation will likely end up paying for excess recording capacity, or having to buy additional capacity at premium pricing at short notice.
- Access to call recording archives from anywhere
Cloud-based recording and archiving solutions offer access to call recordings and archives from anywhere, at any time, via a secure online portal. This is particularly beneficial to organisations spread over multiple sites or countries. Vendors specialising in on-site recording and storage often cannot deliver this level of flexibility, so check that any solution being considered can match the needs of the organisation. Remote access cuts both ways, however: a portal reachable from anywhere is also reachable by an attacker, so it should require strong authentication and keep a log of who retrieved which recording.
- Secure storage and encryption to protect recordings
MiFID II mandates that call recordings relating to a transaction be retained for five years, a significant increase on the six-month period required under current FCA rules. This not only places a heavy demand on storage resources but also presents security challenges, since the recordings will contain sensitive financial information and five years is a long time to keep data safe. Only solutions that encrypt recordings both in transit and at rest, manage the encryption keys properly, and can demonstrate exactly who is able to access recordings (and who has accessed them, through audit logs) should be considered. The recordings must also remain retrievable and playable for the whole retention period, so the storage format and the key material have to outlive any single vendor contract. If a technology relies on outdated encryption, or the vendor will not commit to keeping its security up to date as weaknesses are found, it should be avoided.
- Compliance with additional data standards
The primary driver for implementing a call recording and archiving system is MiFID II compliance. Many solutions, however, also support additional standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which matters wherever card details are read out over the phone (a recording must never retain the card security code, even in encrypted form), and BS 10008, the British standard on the evidential weight and legal admissibility of electronically stored information, which governs whether recorded content can be relied on in court if required. These standards can add to the return on the investment and should be considered when choosing a solution.
With less than a year to go until penalties for non-compliance kick in, you would hope that those responsible for delivering compliance would be fully prepared. Our research demonstrates, however, that for many, planning is still at a very early stage. Organisations must understand the key areas of impact on their business and start to plan for change. A detailed risk analysis needs to take place, along with mapping out the processes and procedures required for MiFID II compliance. Only then can a business determine whether its existing solutions are adequate, or whether it needs to roll out a new set of tools and supporting processes.