Only a few months after the introduction of the MiFID II regulation, a new and comprehensive EU directive is coming into force. How will GDPR affect the Norwegian banking and finance industry?

2018 is a busy year for compliance professionals across the country’s many banking and financial institutions.

On January 1, the MiFID II regulation came into force - with new requirements for recording and storage of communications. On May 25, yet another change is taking place, with the new EU directive: GDPR (The General Data Protection Regulation).

– It might seem overwhelming that both MiFID II and GDPR come into force in such a short time, but in reality, MiFID II will in many ways simplify the requirements of GDPR, tells Bjørn Loe, Business Developed in GuardREC.

He believes that GDPR will not pose a significant difference to Norwegian companies, compared to companies in other European countries.

– Here in Norway, we have had strong privacy laws governed by the Data Inspectorate (Datatilsynet) for a long time, which is why we are relatively far ahead of other countries in this respect. So I don’t think GDPR will lead to too much headache for the Norwegian financial sector.

How will GDPR work in relation to MiFID II?

The purpose of GDPR is essentially to give control of the individual’s data back to each individual person, and to create more openness, transparency and a better overview when it comes to the storage and processing of personal data.

– The first bid when it comes to GDPR is to answer why you are saving certain information, which goes along well with the requirements of MiFID II, comments Loe.

– The true challenge for the bank and finance industry will be to map how GDPR will work in relation to MiFID II, he says.

An example he puts forward is the MiFID II requirement for all institutions engaged with estate, consulting or trading of securities to record all communications which might lead to a transaction.

– This will simplify things remarkably in terms of content of personal data storage according to GDPR, because a conversation related to a possible transaction simply cannot be carried out without it being recorded.

You might be interested to read: From reactive to proactive compliance - how to comply with MiFID II in a simple and efficient way

– The requirement for consent can expire in its entirety

Because MiFID II requires recordings of all communication, new information will be added about a customer throughout the entire customer journey. According to GDPR, this means that new consent needs to be obtained every time new types of information are stored.

However, according to Loe the MiFID II regulations could end up replacing these requirements for consent.

– You could say that the requirement for consent according to GDPR is rendered obsolete by MiFID II. You don’t need consent for admission because you are imposed by MiFID II to record all communications across all channels. But you are, of course, obliged to inform the customer that the communication will be recorded.

MiFID II and the guidelines from the Financial Supervisory Authority of Norway (Finanstilsynet) clarify not only what to record, but also how the data needs to be searchable.

– The regulations state that the data needs to be searchable in terms of customer identification, broker identification and period of time. It also defines what kind of personal identifiable information is stored, explains Loe.

Data security is a focal theme

Data security - and more specifically how data is stored and processed - is a central topic in both GDPR and MiFID II.

– All data must be processed in such a way that they meet the requirements that are imposed by the Financial Supervisory Authority through MiFID II, while at the same time safeguarding the security of personal data according to GDPR, states Loe.

Two of the most important questions you need to be able to answer according to GDPR and MiFID II are:

• What kind of information is recorded and stored?
• Who has access to this information?

Avoid expensive errors

Loe believes the first thing banking and financial institutions can do to comply with both GDPR and MiFID II - and to avoid making expensive errors - is to organize all their data in one central system, where the one responsible for compliance monitoring has full control.

– This system needs to document who has access to what, how the data is stored, and for how long the data is stored, he continues.

– In addition, the system should have a «Data Life Management» feature to make sure that no recording or other data will be stored too long. It would also track who has entered the system and watched, listened to, checked or retrieved any data throughout the entire life cycle.

A system like that will make sure that you comply with the MiFID II requirement for a comprehensive audit trail, ensure that all data and recordings are deleted when they are dated, and at the same time make sure that you have control of all stored information according to GDPR.

Is your company really as compliant as you think it is? Take our quick test to find out!

Who should have access to the information?

One of the most important elements that a centralized system for data storage can help you with is to give you control of who is able to view, and access, the stored data.

All data needs to be stored in a secure manner, and encrypted in a way so that no unauthorized people are able to manipulate the information.

– A compliance officer who is responsible for monitoring the data needs to have full control of who has access. According to MiFID II, no one should be able to enter the system and delete three lines of an email or one minute of a phone call. That’s why all actions need to be logged in an audit trail, highlights Loe.

These are the greatest pitfalls

Although Loe believes the country’s financial industry will find good solutions for complying with both MiFID II and GDPR, he remarks that there are numerous pitfalls that need to be avoided.

He lists three of the biggest and most common pitfalls:

1. Unsafe data storage

– Perhaps the biggest pitfall of them all is to store data in a way that makes it available to unauthorized people, either within your company or externally, without a good system to track who has access to the information.

2. Fragmented information

– If you have the information stored in different systems, fragmented across multiple servers or in different locations, you will have problems when you need to give control authorities or customers access to the relevant data.

3. No automated processed for access

– One of the biggest mistakes companies make is that they don’t set up automated processes for how to give customers and control authorities such as the Financial Supervisory Authority visibility into the information they request. If you get 1000 requests for access a month, it would obviously be a great burden to the company if it has to be done manually. That’s why automated processes are required, ideally in a password-protected web portal or the like.

Information related to communication becomes a dilemma

One of the greatest dilemmas that banks and financial institutions will need to deal with are inquiries from customers who, according to GDPR, demand visibility and access to all the data the company has stored about him or her.

– It’s a little unclear how to solve this when it comes to calls made between a broker or advisor and a customer. If a customer asks you to extract all information about him, this also includes recordings of all communication. But because a conversation always includes two or more parties you would then automatically give the customer access to private information about your broker or advisor, explains Loe.

The challenge is that the broker or advisor is also entitled to full control of their own personal data.

– Any information about an employee that is stored in the system must of course be regarded as personal information. Even though the customer has the right to gain access to the communication, you also need to protect your broker. In a situation like that, the GDPR regulation ends up under the heel of MiFID II, because of the broker’s rights to privacy.

– Customers can't demand recordings to be deleted

GDPR also dictates that a person has the right to retrieve, move or share personal information that a company has stored about him or her. Additionally, they can demand to have all of their stored data deleted.

This, however, brings up two new dilemmas for companies that are subject to MiFID II regulations.

– When it comes to retrieving and moving data, a customer has a right to this according to GDPR. But at the same time, the information related to the communication is also tied to a broker, so you end up in a locked position. After all, you can’t disclose confidential information about the company to competitors, explains Loe.

– Similarly, a customer can’t demand that information related to communication with a broker or advisor be deleted, even though they have this right according to GDPR.This is because MiFID II, on the other hand, dictates that all recordings, of all information, needs to be stored for exactly five years. According to the requirement for a complete audit trail, you’re not allowed to delete parts of this communication.

Loe uses these dilemmas as just two examples of the dangers the players in the financial industry need to overcome until new, tangible standards are established.

– These are interesting dilemmas that will set aside parts of either GDPR or MiFID II, and that future judicial proceedings need to find answers to, he concludes.

Is your company really as compliant as you think it is? Take our quick test to find out!