The European Markets in Financial Instruments Directive (MiFID) and the General Data Protection Regulation (GDPR) are two initiatives designed to bring European markets into alignment. But, could the two initiatives be pulling in different directions?
MiFID, or in its latest form MiFID II, is a European directive intended to harmonize the rules for the varied investment firms that operate across the 31 states of the European Economic Area, including the three non-EU states Norway, Iceland, and Liechtenstein. The original aim was to level the playing field, making the financial markets fairer for the end users who power those markets.
The GDPR is a further European regulation that is wholly concerned with the fair use of consumer data. Its purpose is to put control of financial and personal data back into the hands of the people that data belongs to. The questions it raises are what data is being collected, who owns it, who will have access to it, and how privacy and protection can be ensured.
Recently, there has been a concern that MiFID2 and the GDPR may actually be pulling in different directions. While MiFID promotes greater transparency and visibility, GDPR seeks to make data management more tightly controlled and monitored. There seems to be a conflict between openness and privacy at play. But is that really the case?
A common misunderstanding about GDPR is that it restricts access to customer data. In fact, it is concerned with setting rules and standards for how customer information may be shared. The main thrust of the regulation is to ensure strong data security while enforcing that data is seen only by those persons and organizations entitled to see it.
And MiFID2 and GDPR aren’t paper tigers. No, they can bite. Potential fines up to 4% of a company’s global annual revenue wait for those who choose to ignore these directives.
So, while MiFID2 and GDPR may attend to two individual aspects of Europe’s plans for financial market regulation, it seems reasonable to believe that these are two sides of the same coin. And if financial organizations are going to avoid punitive charges, they will have to step into line and follow the new rules. However, there are steps that financial institutions can take to make the journey a little easier.
First, you must define your company’s data plan, which involves the accurate mapping of your clients’ information. Data is like quicksilver—without control, it just gets everywhere. Customer and financial data ends up on network drives, servers, external hard drives, and USB sticks. Without tight data control, information can be difficult to find or, at worst, lost. The electronic nature of the data used in banks and brokerage houses makes it easy to send and receive, but equally easy to lose or to send to the wrong place. The current solution to such data management challenges is to give clients access to their data via secure web servers: clients are supplied with password-controlled access and retrieve their data as they require it.
Next, financial organizations must put procedures in place to manage those occasions when things go wrong. These range from events involving human error and mismanagement, such as employees taking data home on laptops, to cyber-attacks on a company’s servers or networks. Customers should be assured that the companies to which they have entrusted their assets can be trusted to know what to do during a crisis.
Finally, financial institutions must train their staff, making them aware of data security issues arising both inside and outside the company. Key to the success of this training is the appointment of an experienced and responsible Data Protection Officer (DPO), whose job it is to make sure the company abides by the European compliance rules and to report any deviations to senior management. The DPO must be highly trained and up to date with financial data technology, as well as being the go-to person who maintains the company’s crisis mitigation plan.
MiFID2 came into force in July 2014, and GDPR will go live on May 25, 2018. The two directives will ensure that European investors are treated fairly when trading in the international financial markets. And to back up that activity, investors can also rest assured that their financial and personal information is both available and secure.