The communication between financial advisor and client is taking place in an increasing number of communication channels. The new EU directive requires that you have a complete overview of all of them.

In short, the very comprehensive EU directive is designed to increase the customers’ rights as well as the openness across the financial markets in the EU, and enhance the competitiveness by standardizing the regulatory requirements for information.

- An important change that comes with MiFiD II is that all of the companies that provide investment advice now are required to have a proactive monitoring of their processes and compliance to regulations, tells Business Developer Bjørn Loe in GuardREC.

- Before, it used to be enough to collect the necessary information and then locate what you needed when the need arose internally or when requested by the customer or the Financial Supervisory Authority. Now, you are obliged to show that all processes are good, that all information is recorded, inform the customer that communication will be recorded and make sure that the customer can easily get access to all the relevant information you have in your possession.

– The new requirements for recording are far more stringent

Banking and financial institutions have since the introduction of the Regulations to the Securities Trading Act in 2007 been required to record all calls made by landline. With the introduction of the MiFID II regulation in January 2018, these requirements are further sharpened and enhanced.

– The new requirements for recording are far stricter. Now, you are required to make recordings of all types of customer communications in all channels, emphasizes Loe.

This includes, among other things:

• Landline

• Mobile phone

• SMS and MMS

• Email

• Web meetings (e.g. via Skype Meeting Broadcast)

• Chat (on own websites or through services such as Symphony)

• Social media (e.g. LinkedIn)

Loe clarifies that the new requirements for recording not only apply to the transaction itself - the regulation also embraces all customer communication which COULD end up with a transaction.

– Could mean that companies end up with a very long audit trail

– For investment companies that offer consulting, this could mean that they suddenly get a  very long audit trail from the start of the customer journey and until the transaction is conducted, says GuardREC’s MiFID II expert.

He points to a typical scenario as as example:

En finansinstitusjon arrangerer et nettmøte med 100 deltakere, og presenterer en investeringsmulighet. Interesserte parter tar kontakt over telefon noen dager senere, og ber om mer informasjon.

A financial institution arranges an online meeting with 100 participants, and presents an investment opportunity. Interested parties contact the firm over phone a few days later, and requests more information.

The broker sends the information via email to the interested party, who then responds in a short SMS that he wants to get to know more about the risks around the investment. A consultant in the company calls the prospect and arranges a meeting.

Only after a number of contact points – across several different channels – an agreement is made, and the transaction is carried out.

– According to the MiFID II regulation all of this communication, across all the channels, needs to be recorded and stored, Loe points out.

The most important factor for proactive compliance

The new EU directive has created, and will continue to create, great upheaval in how banking and financial institutions handle customer data. There is particularly one group that has really needed to adapt to a new working day:

Compliance officers.

The MiFID II regulation requires you to have full control at all times and that everything that gets done is done according to the regulations - a responsibility which falls on the company’s compliance officer. People in this role are therefore dependent on working efficiently with verifying and documenting all steps in the customer journey.

– The most important criterion in order to work effectively with proactive compliance is to have control over your data, and to ensure successful recording of all communication channels you are required to document, highlights Loe.

Gather all communication in one central system

The biggest challenge for a compliance officer is getting an overview of all of the contact points between multiple people on both sides, distributed on a wide range of channels  – especially when this information is scattered around in different systems.

– The only sustainable solution in order to achieve a complete overview like that is to have a central system which can collect, store, search and play all communication to create a complete audit trail. Then the compliance officer can enter and search across channels to verify that everything is done correctly, says Loe.

– The system should also make it possible to generate templates for compliance reports that provide complete information about what has been controlled, who carried out the control and so on. This way the system also contributes to making the reporting far more efficient, he adds.

Data-driven assessment of risk

Without a central system, the process of collecting all the necessary information would be highly time consuming and inefficient.

– In an ideal world, the company’s compliance officer would have had time to go through and listen to all communication between broker and customer. In reality, this is an impossibility, as it would require that you had one compliance officer per broker, explains Loe.

The logical option for a compliance officer is therefore a risk-based approach, where you identify and prioritize focal points with the greatest risk.

– When all of the information and communication is collected in one and the same system, the system can offer suggestions to which calls should be prioritized based on a data-driven assessment of risk. The system will easily be able to identify aberrant trading patterns or high-risk transactions, such as first-time purchases or high-volume deals.

The valuable big data effect

A centralized solution for recording and data management will make a compliance officer’s work easier by allowing you to add comments, tag important segments and classify the different conversations so that they can be found quickly at a later time.

– In addition, you get access to extra information about who the customer is, which broker he has talked to, when the call took place and what they talked about across the various channels, comments Loe.

– We should also not forget the valuable big data effect you can take advantage of when all data is centralized. When you have access to that much information in one place, you can do a lot more when it comes to statistics and data mining than when it is fragmented in different systems, he adds.

What do you do when the Financial Supervisory Authority comes knocking on your door?

Even if the financial industry has to be proactive in their compliance work you will still have to deal with the control authorities.

The Financial Supervisory Authority provides a license to Norwegian investment firms, and will occasionally perform controls. This often happens in the form of on-site supervisions, where they knock on the door to investigate everything from the course of events around a specific transaction to a list of all communications that have been made over a certain period of time.

– If a compliance officer needs to retrieve information from multiple systems, and in multiple formats, the process gets unnecessarily complicated. With a central system, you can extract specific segments, and provide the Financial Supervisory Authority visibility into the exact data they requested, explains Loe.

– Important to restrict who has access

One last point GuardREC’s expert emphasizes is the importance of good data security.

– When you record and store all this data, it is important to place restrictions on who actually has access to and visibility into the data. Who in the company should be able to watch and listen to the recordings?

According to the MiFID II regulations no one should be able to modify or delete data in an audit trail.The information needs to be monitored, but it should only be available to those who make up the control function in the company.

– One thing I often hear in the industry is that the people in IT management often have global admin rights. This essentially gives them access to all information, which they should not have. The solution you use should be built in a way so that those who are responsible for making everything work as it should have access to all features, but without actually being able to access the information itself, says Loe.

Summary:

In order to work efficiently with proactive compliance in accordance with the new MiFID II directive, the company’s compliance officer is dependent on a centralized system for data management and recording of all communication across channels.

By gathering all the information in one place, you get easier access to a continuous audit trail that monitors everything that has been done in a specific customer relationship - as well as ensuring that the organization is compliant with the new regulations.

Such a system will also give the company's compliance officer additional security in their task of verifying and documenting every step in the customer journey, and provides a data-driven assessment of which calls and interactions that should be prioritized.