Don’t fear MiFID II – but start preparing now
MiFID II comes into effect in January 2017, which might seem a long way off, but you need to start preparations now if your institution is really going to benefit, writes Mark McAlpine.
MiFID II is one of several directives being implemented across Europe at the moment, and all are designed to improve the fairness and transparency of the financial services industry. Setting aside whether or not you agree with the specific measures, they create opportunities and challenges for the IT departments of every financial services organisation.
One of the key benefits for organisations will be the freedom to embrace technologies that in the past have simply been off limits because governance could not be enforced across the assets. It has always seemed peculiar that on one hand financial institutions have some of the most powerful and scalable IT systems used in enterprise environments, and yet traders and other staff are tied to specific machines or office locations to do their jobs. It will be quite something to see how the industry embraces these newfound freedoms, made possible by mobile technology.
New technology will ultimately improve the efficiency of financial services operations, but the new MiFID II directive will also require a great deal of automation to produce the data and reporting that then has to be stored in specific locations. While many organisations already have some of these processes in place to ensure they meet the governance and reporting standards of the day, these will change, and as a result time needs to be invested in identifying all those impact points. But it is not just automation of reporting that is needed: systems need to be able to identify conflicts of interest that might exist for those advising clients and provide a clear framework within which they can be dealt with when found.
In addition, Chinese Walls must be rigorously policed. Systems must be able to identify when people are accessing inappropriate information or services, and when they are communicating with individuals or groups that they should not. Doing this in a passive way through policy rules may have been acceptable in the past, but MiFID II requires that this be much more actively monitored.
The new freedoms afforded by mobile technology do come at a cost for financial institutions, but it should be one greatly outweighed by the benefits if implemented correctly. Suddenly traders will be using a range of devices, from any location, to conduct their business. That means that the business has to be prepared in terms of technology, people and processes so that nothing slips through the gaps.
This means every aspect of IT, from provisioning for new employees or devices, right through to when staff leave or hardware is decommissioned, needs to be very closely controlled and documented. But it is not just about the devices: the back-end systems have to be robust, and when changes are applied to hardware or specific applications, or new software is introduced, it will be even more critical that all compliance requirements are adhered to and no reporting or governance processes are ‘broken’ by the changes.
Under MiFID II, institutions will also be required to store telephonic and electronic communications for a minimum of five years and some authorities can enforce as long as seven. In older trading environments where staff were at fixed desks it was easier to do this, but MiFID II is covering technological changes and broader changes in the trading environment that have taken place since 2007. For this reason, the capture and storage of these messages is harder. Staff acting on behalf of investors could be using instant messenger, e-mail, telephone, mobile, video conference, or social media sites such as Twitter to communicate, from virtually any location over Ethernet, broadband or 4G. Broadly, communications covering reception and transmission of orders, execution of orders for clients, and any own account related work must be recorded. It doesn’t matter whether the communications resulted in the closure of an agreement; if they were intended to move towards that goal, then they must be recorded. Not only must they be recorded, but this must be done in a structured way where the information can be quickly queried and retrieved if concerns are raised about compliance or specific trading activities.
At the time of writing MiFID II is 17 months away, which may seem a long time, but as discussed there are a number of major areas of the directive that impact the IT department, its technology and processes. The key to success with MiFID II will be a full assessment of the risks, but it is important to understand that this has to be in the context of other directives such as Basel III and EMIR – the relationship between all pending directives has to be considered, and this is what makes the process particularly complex.
If you outsource any of your IT, then you need to set up a working group capable of assessing the technology and process requirements for full compliance in January 2017. For some, a partner outside that group of suppliers might be the right way to fully audit and manage the introduction of new processes and technology. Either way, that risk assessment is simply the first of many steps. It may seem a long way off, but any business that thinks it can rush MiFID II is setting itself up for serious fines and a reputational fall under the gaze of regulators. In an industry that is only just moving out from under the cloud of recent years, that is a risk none can afford.