The implementation of the second Markets in Financial Instruments Directive (MiFID II) was largely successful for the financial services industry. Most were more than prepared for the implementation when it was introduced on 3 January, running with a batton of new functionality and systems being used to help meet the new regulatory obligations.
But, now comes a brand new race, the General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive, originally established in 1995.
The new rules, which kick in on 25 May, cover how organisations process personal data and extend to the activities of non-EU organisations that offer goods or services to people located in the EU.
With such a big change, there is no time to take a slow jog around the track. The financial services industry should all be picking up pace and making their way to the finish line. This year is already a busy year in terms of regulation, how will the rollout of GDPR affect the financial services industry?
Runners, take your places
In a recent survey, carried out by Claranet, 69 percent of businesses were found to be lacking in terms of proper data management, casting doubt on their ability to comply GDPR in time for the May deadline.
The survey, which asked 750 IT decision-makers, identified that security is an area that many are struggling with.
Almost half (45 percent) said they were encountering challenges around securing customer details when trying to improve the digital user experience for customers.
Commenting on the findings, Michel Robert, Claranet’s UK managing director, says: “GDPR is on our doorstep, but it is clear that many organisations have their work cut out if they are to comply with the regulation.”
“Thinking more broadly, the fact that almost seven in 10 organisations can’t guarantee the security of their customer data is particularly concerning.”
Get ready
A reason for this could be the overshadowing implementation of MiFID II, which despite being implemented in January, still requires attention from the financial services industry.
According to Robert Angel, head of regulatory solutions at Northern Trust: “Whilst it’s surprising the effort spent by the industry on regulatory compliance is expected to increase, MiFID II will require ongoing efforts for the duration of 2018. GDPR is fast approaching and with many fund managers focused on other regulatory change, the significance and work required for [the regulation] is likely to only being focused on now.”
From the same stance, the Financial Conduct Authority (FCA) stated the imperative need for firms to prepare for GDPR as soon as possible.
The FCA explains: “Compliance with GDPR is now a board level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework.”
It added: “When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms’ customers and employees. However, we recognise that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.”
Jon Trinder, fund services product manager at Linedata, says: “Firms should have carried out a full data inventory by now and should be in the final stages of implementing their response plans.”
But, Trinder warns: “With all the spinning plates that firms have at the moment, there is a real danger that one of them is going to be picking up the porcelain. The consequences of non-compliance under GDPR can be fairly punitive, up to €20 million, or 4 percent of global turnover, whichever is the greater. So [GDPR] is very significant indeed and the burden of proof lies with the firm to prove compliance.”
Get set, and...go!
To prepare its members for the GDPR implementation, The Alternative Investment Management Association (AIMA), based in Canada, has published its own GDPR implementation guide.
AIMA’s guide examines and explains the requirements for all controllers and processors, enhanced rights of data subjects, minimum cybersecurity measures, and breach detection, as well as notification and sanctioning regimes.
Jack Inglis, CEO of AIMA, said: “[Our] guide will help to inform members of their obligations and hopefully reassure them where certain misunderstandings may exist. It is important that our members are able to demonstrate that they have a clear understanding of what personal data is in their possession, why it has been obtained and how it is used.”
Similarly, Andrew Denham-Davis, business development director at investment management firm Brooks Macdonald, has released an analysis on GDPR and what advisers should be doing to be complaint.
The analysis examines 12 different areas that advisers should take into account when ensuring compliance.
These 12 points include considering staff training or communications programmes to educate those involved in the processing of personal data about the new requirements and processes in place, as well as getting advisers to clarify whether personal data will be passed on to third parties.
It states: “Where both parties are data controllers, they should ensure that any contract clearly sets out each respective responsibilities.”
The Brooks Macdonald analysis also states: “Advisers need to ensure that any personal data they hold, whether physically or digitally, stored in archive facilities, in their customer relationship marketing system, back-office systems, or platforms, is relevant and accurate.”
“Processes should be in place to keep such data secure, up to date and compliant with the rights of their clients.”
Brooks Macdonald says that professional advisers “are likely to be considered as ‘data controllers’ under GDPR”.
It says because of this, “[advisers] will therefore need to be able to fulfil individuals’ requests to see the personal data which is held on them and to comply with additional rights of individuals”.
A further concern for advisers is avoiding data breaches, Denham-Davis, says “confirming the authenticity and legal entitlement of individuals making such requests will be vital”.
Denham-Davis concluded: “If advisers wanted to set up a data sharing arrangement with a third party, or wanted to install new IT systems, they could consider the technical solutions available and the cost of implementation [...] to ensure personal data is safeguarded and the rights of individuals whose data will be processed are protected.”
