MiFID II legislation applies as of this week. While many financial institutions can breathe a sigh of relief following the mammoth amount of prep work undertaken to comply with the incoming requirements of MiFID II, their programmes around this regulation are far from complete.
MiFID II serves as just the opening act of 2018’s roll-call of regulations. The Second Payment Directive (PSD2) will be implemented later this month, and the General Data Protection Regulation (GDPR) will come into force in May. At the heart of all three is the management of data.
MiFID II has a particular focus on broadening the collection and retention of data. Conceived to improve market transparency and investor protection across all asset classes, MiFID II requires financial institutions to acquire, archive and analyse any communications pertinent to trading activities – regardless of whether the communication is done through digital (e.g. email) or analogue (e.g. face-to-face meeting) channels.
Meanwhile, consumer choice and market competition are the essence of PSD2, which requires banks to open up their Application Programming Interfaces (APIs) and customer data (with consent) to third parties. This is expected to end, or at least to break down, banks’ monopoly over customer data.
Finally, GDPR aims to improve and harmonise data privacy and protection across the EU. Individuals will have new rights to access the data that companies hold about them. Non-compliance with GDPR could result in eye-watering fines of as much as 4% of companies’ global revenue.
This regulatory trinity in 2018 poses several conundrums for financial institutions, with the key issue arguably centring on data management. Compared to MiFID II, GDPR is on the other side of the fence when it comes to the treatment of data. While MiFID II requires firms to store information relevant to trading for five years, GDPR mandates that identifiable personal data be deleted when no longer necessary. All the while, PSD2 encourages data sharing with third parties, adding to the challenge of data security.
Contradictions around implementing the regulations aside, there is also an ongoing debate over the nature of data on a broader, societal level. The tension between the individual right and the public good of data use, and the conundrum between the right to be forgotten and the need for data abundance in superior decision-making, are both weighing heavily in the current climate. These add to the uncertainty around future regulatory expectations on how businesses collect and use data.
The implementation complexities and future regulatory uncertainties around data use highlight the need for organisations to adopt a “Darwinian”-style technology architecture. That is, one that has the ability to survive the complex regulatory and business environment; to adapt to new versions of regulatory updates in an agile manner; and to efficiently use scarce resources, be that data or computing power, across the organisation. This will likely require the data storage system to feature Lego-like “stackability”, the logic of the data architecture to address the evolving business model needs of banks, and the IT infrastructure to bring flexibility and scalability in a cost-efficient manner.
The adoption of new technologies (in particular the Cloud and advanced analytics) will be necessary to promote smart storage and processing of data. But at the same time, the use of new technologies will bring forward new sources of non-financial risks. These risks could sprout from the incompatibility between legacy and new systems, the speed of technology advancement, and the market concentration among key technology providers, for example.
While the much-anticipated MiFID II has reached an implementation milestone this week, a new era of data-centred regulations is just beginning. If the regulatory drive over the past decade since the Global Financial Crisis has been about the prudent management of capital, the next era will be about the prudent management of data.
It is critical that banks and other financial institutions harness their response to the trilogy of MiFID II, GDPR and PSD2 to set best practices and build global competitiveness in the digital banking era. Key to their response is to ask not only what they can do to comply with data regulations, but what data in this new regulatory regime could do for their business.
For further reading on safeguarding your organisation from non-financial risks, please read our latest report: Safeguarding Digital Transformation.