The new EU directive has not resulted in any major changes for Norwegian investment firms, but MiFID II still contains a number of additional elements you should be aware of.Although MiFID II marked a significant change in regulations, the comprehensive directive has not led to too much upheaval for the investment firms in Norway.
We have had solid legislations in this area for a long time - through means such as the Securities Trading Act and the Personal Data Act - which have ensured that most of the players on the Norwegian market have followed relatively strict compliance regimes.
Yet the new regulations involve certain pitfalls you need to be aware of. The requirements have become more stringent in several areas, and there are more considerations to keep in mind.
Several things to consider
The new MiFID II regulation came into force on 1 January 2018 and contains a number of additions related to the Securities Trading Act.
There are more employees who need to be recorded, several types of calls that need to be logged, more information that needs to be stored and multiple channels to keep track of.
In this article I give you five smart steps you can follow to ensure that your company follows the best practice for logging customer calls in accordance with MiFID II.
Step 1: Review existing procedures for compliance
Your company most likely already has routines in place for good compliance according to applicable laws and regulations.
The first thing you should do to follow the best practice is to study the MiFID II regulation and then review the existing procedures together with the new requirements. That way you can determine where you are already covered - and identify potential gaps and deficiencies.
It is especially important to thoroughly go through §1 and §2, which defines investment services and financial instruments, as well as the definition of investment firms and the types of companies that are exempt the legislation.
The definition of investment services and financial services are greatly expanded in the MiFID II regulation. Now it includes a new definition of trading, something which now makes a few companies fall under the legislation even though they were previously exempt the regulations.
It is important to be aware of this, and consider whether there are products, people or departments in your company that are now included in the new regulation. Make sure to expand the existing compliance procedures so that they also include these areas.
Step 2: Get an overview of which channels you are already recording
The MiFID II regulation section 2.8 puts strict requirements for documentation of communication with customers. In the first paragraph of this section, there are two points that are particularly important to take note of.
First of all, there is an addition regarding “electronic communication” in the legal text.
«Documentation pursuant to section 2.7, the first paragraph No. 3, shall include the recording of all telephone calls and storage of all electronic communications in relation to the performance of investment services, and the conduct of investment business...»
This means that it is no longer sufficient to record only telephone calls - you must also log the electronic communications such as email, Skype for Business, SMS, MMS, various instant messaging services and the like.
It is therefore important to make sure to get a complete overview of all the channels the company uses to communicate with customers, and then make sure that your internal regulations and system for recording and storage also includes these.
There are two possibilities here:
- You can make sure that recordings of this/these type(s) are taken care of
- You can make these channels unavailable as a communication medium (ref. §1.8, second paragraph)
A second point worth paying attention to is an extension of the definition of the type of communication which should be recorded or stored. It says further in section 2.8, first paragraph:
«Documentation as specified in the first sentence should also include conversations and communication that is intended to lead to the provision of investment services or exercised investment banking, although these do not lead to such a performance of the services or the exercise of business.»
In practice, this means that not only must one record and store orders, but in fact all communication that could lead to an order.
Step 3: Review procedures for storage and access
The new legislation, in practice, means that there will be significantly larger amounts of information to be stored and managed in a proper and effective way.
With large amounts of information, distributed on a wide range of communication channels, it is incredibly inefficient to store these data in several different places.
A decentralized storage of data will also make it difficult to document that you have taken sufficient measures to meet the requirements of compliance, ref. section 2.7 -"General requirements for the Organization of the business".
In addition, it makes the job of verifying information very difficult for a compliance officer with an already busy working everyday.
Access to the stored information should be controlled and monitored, and that is why you need good systems for access control. If the communication is stored without further measures, such as encryption, those who manage the storage media or system would likely have access to the data - which makes it hard to keep control of who has access.
Moreover, the information should be stored in such a way that it cannot be changed, neither in case of error or deliberate actions.
Recording and electronic communications should now, according to the regulation’s section 2.8, fourth paragraph, be saved for five years - or longer if the Financial Supervisory Authority determines it. This is a positive adjustment of the former requirement of storage for a minimum of three years.
The best solution to ensure compliance with the regulations is to store all recordings - and all the relevant information - in one central system.
This will make it significantly easier to enter the system and verify that you are doing what it takes to protect the client's interest - which is the main point of the MiFID II regulation.
Step 4: Make recordings of internal calls and document all meetings
Another new requirement that came with MiFID II is that now also the internal calls related to a possible transaction need to be recorded and logged.
This can include internal calls where advice is given to an employee, but more importantly: external calls being forwarded internally.
It is important that these type of calls are recorded, and that you can follow the “I will forward you” aspect so that you know who the call is being forwarded to. If your company has internal call loops or a switchboard is it important to ensure that these are recorded correctly.
Meetings and direct communication that is not done over the phone or electronic solutions also need to be documented.
The regulation’s section 2.8, fourth paragraph, stipulates:
«Conversations or communication, as mentioned in the first paragraph, which is not taking place by phone or electronically, shall be documented in a lasting medium. Such calls from individual meetings shall be recorded in written protocols or notes.»
Step 5: Inform the customer about the storage of information
The MiFID II regulation aims to protect the customer's interests in the best possible way, which is why it also contains the duty of disclosing the recording and storage of information.
This is determined in section 2.8, third paragraph:
«Investment firms shall inform their customers that the telephone conversations or electronic communications between the investment firm and its customers will be recorded and stored.»
Again we see that the regulations around electronic communications have been sharpened. In the past, it was common to inform people on the phone that the conversation was recorded, but now you also need to make the customer aware that electronic communications are stored as well.
That is not to say that you necessarily need to do this over the phone, as you could have customers who only use electronic communication channels. In addition, it could affect the customer experience if they are informed of recordings every single time a customer calls in.
The third paragraph adds the following:
«Such information can be given one time before investment services are provided or investment operations are exercised.»
Simply put, this means that you can now incorporate this in the company’s terms, but you need to make sure that the customer has read these. Here it will also be easy to add terms about electronic communications.
When it comes to visibility to stored communications, the regulation says the following:
«The documentation under this section shall upon request be made available to the affected customer...»
Section 10 additionally deals with government transparency. For the best possible compliance with this paragraph you should put in place systems that can easily make relevant information available to customers and regulatory authorities.
This is yet another argument to save all the information in one central system.
By collecting all the data in one place it will be far easier for you to refer and analyze all calls that are recorded, and give the parent authorities visibility into exactly the information they have requested.
5 steps in the right direction
Of course, it is difficult to sufficiently summarize the compliance of a comprehensive directive such as MiFID II in 5 easy steps. However, if you follow the above mentioned steps you are well on your way to ensure compliance with those parts of the directive that deal with the requirements of documentation, and storage of phone recordings and electronic communications.
After all, it's about keeping control of what communication you record, where the data is stored, who has access to the data, and for how long this information will be stored.
The key to efficient storage and handling of information is to relate to one central system, where all the information is easily available to you - and completely unavailable to others.
Is your company really as compliant as you think it is?