Finance Monthly

The arrival of the GDPR (General Data Protection Regulation) is less than a week away. However, many businesses are still not prepared for the legislation shake-up that could see huge sanctions imposed for non-compliance. Experts at UK based IT support solutions company, TSG, explain for Finance Monthly what the key considerations are when it comes to the finance sector.

If your business is unprepared for GDPR, you are not alone. A Populus survey conducted only this year revealed that 60% of UK businesses do not consider themselves “GDPR ready”. It’s definitely not too late to put measures in place to ensure compliance with the regulation. Following the introduction of GDPR on 25th May, complying with GDPR will be a continuous journey.

What are the key areas you should be considering in light of the looming GDPR deadline?

Cyber-security tops the list

In this digital world, we produce, store and disseminate huge amounts of data. And a significant portion of that will be Personally Identifiable Information (PII); this is the data that matters under GDPR.

Even if, as a business, you don’t store customers’ sensitive data, you’ll still store the data of your employees. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.

Encrypt everything

Arguably the most valuable cyber-security tool at your disposal is encryption. Not only is it a robust way to keep your data inaccessible to cyber criminals, it is one of the few technical measures the GDPR names explicitly, and it does so more than once (alongside pseudonymisation). Should any PII you hold fall into the wrong hands, whether deliberately or accidentally, encryption renders it unintelligible; the regulation's breach notification duties recognise this, since properly encrypted data whose keys were not also compromised is unlikely to pose a risk to the individuals concerned. Encryption can operate at a file, folder, device or even server level, offering the level of protection most suited to your business needs. The caveat a practitioner will want to add is that the protection is only as good as the key handling: disk encryption that is unlocked on a running server, or a key stored next to the data it protects, does nothing against an attacker who is already on that system.
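As an added, worked illustration of record-level encryption (this is example code written for this page, not TSG's or anyone else's product code), the Go program below seals one PII record with AES-256-GCM, an authenticated mode, so that a record that has been tampered with or quietly moved under another identifier is rejected on decryption rather than decrypted into garbage. The record contents, the identifier "employee/1042" and the key source are all constructed for the example; in practice the key would come from a KMS, HSM or separate secrets store, never from the same place as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts one PII record with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, so every record carries its own fresh nonce.
// recordID is passed as associated data: it is authenticated but not
// encrypted, which stops a ciphertext being silently re-filed under another
// record identifier.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag
// or recordID makes Open return an error, so tampered or misfiled records
// never reach the application as plaintext.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// newKey returns a fresh random 256-bit key. Assumption for this example
// only: a real deployment fetches the key from a KMS/HSM or secrets store
// kept separate from the encrypted data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	record := []byte(`{"name":"A. Example","ni":"QQ123456C","salary":41000}`)
	sealed, err := sealRecord(key, "employee/1042", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes (%d bytes of nonce and tag overhead)\n",
		len(sealed), len(sealed)-len(record))

	if _, err := openRecord(key, "employee/1042", sealed); err != nil {
		panic(err)
	}
	// Flip one bit of the ciphertext: decryption must fail.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, "employee/1042", tampered)
	fmt.Println("tampered record rejected:", err != nil)
	// Present the ciphertext under another record identifier: must also fail.
	_, err = openRecord(key, "employee/1043", sealed)
	fmt.Println("misfiled record rejected:", err != nil)
}
```

The design point worth noting is the use of an authenticated mode: plain CBC or CTR encryption would still render a stolen record unintelligible, but would happily decrypt a modified ciphertext into silently corrupted data, which matters for records you may later have to produce in response to a subject access request.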

Review your policies and processes

The GDPR requires you to implement policies that detail how you intend to process personal data and how you will safeguard that data. It also states that data controllers – that’s your business – must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy should also be reviewed in light of GDPR.

Don’t forget subject access requests

Much of the coverage of GDPR has focused on two areas: data breaches and the potentially eye-watering fines. An area that's arguably been overlooked is complying with subject access requests. Individuals can request access to the data you hold on them, verify that you're processing it lawfully and, in some cases, request erasure of their data – also known as the ‘right to be forgotten’. Under GDPR you'll have one month to respond to these requests (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month), otherwise you'll be at risk of non-compliance. More guidance on this can be found in the Information Commissioner's Office (ICO) GDPR guide.

Don’t forget your reporting obligations either

Another element that's received significantly less coverage is your reporting requirements. In the event of a personal data breach, businesses must report it to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. It's especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself. Both Uber and Equifax have come under fire in the past year for covering up breaches, reporting them late and keeping the extent of the breaches under wraps.

A good example to follow is Twitter. Following the discovery of a bug that wrote users' passwords to an internal log in plain text before they were hashed – which is a bigger deal than it sounds – Twitter not only reported the incident, but immediately informed its users of the bug, what caused it and the potential repercussions, and advised them on how to keep their accounts safe. The second element of this is critical to GDPR too: if the breach is likely to pose a high risk to individuals' “rights and freedoms”, the affected individuals must be informed as well.

The key takeaway

The GDPR wasn't created to punish businesses or to catch them out, but rather to empower individuals and consumers. Whilst there has been a lot of confusion around exactly what is required of businesses, it's clear that cyber-security is imperative, as is clueing up on your reporting and response obligations. It's important to note that simply experiencing a cyber-attack or data breach won't automatically result in financial punishment; the GDPR lists the technical and organisational measures you had in place among the factors a regulator must weigh when deciding whether to fine you and how much, so demonstrable protection of your PII data counts in your favour.

GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)

As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ - about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.


The impact on business reputation from effective third-party management

Most business sectors rely upon a complex network of interrelationships and interconnected processing - the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.

That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising?  Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.

The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.

As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.


Organising and prioritising GDPR work on third parties

Driven by GDPR, your corporate inbox may reflect letters from various third-party suppliers, often including proposed changes to contractual terms. A piecemeal approach to responding is unlikely to be sensible or efficient. As a minimum, the CFO, or fellow responsible executive, should lay down three very straightforward challenges:


1.   Do we have an up-to-date inventory of all contracts and agreements with our third parties?

2.   Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?

3.   Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?


The challenge is usually far larger than initially expected: there may be third-party relationships managed disparately across the firm, some with no formal contract; little understanding of how to classify those relationships for data protection purposes; or an over-optimistic estimate of the effort required to become compliant.

Identifying ‘processors’ and compliant contractual terms

The classification of each third-party relationship is vitally important. Fundamentally, not all a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.

Only the balance will be ‘controller to processor’, which then invoke the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of the relationship to help determine this classification.

Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. You must verify this carefully. Some considerations here include: which party collects what type of personal data, according to what lawful basis; and which party(ies) is (/are) determining the purpose and how the personal data gets processed. Further detailed analysis is required in each specific case.

If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out two minimum contractual provisions: that the processor acts only on the controller's instructions, and that appropriate security measures over the personal data are in place.

For GDPR, the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This complex area has not been understood or applied well in practice, so this guidance is helpful.

Ongoing responsibilities regarding privacy, oversight & assessment

A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.

Crowe's view is that three components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a pre-requisite.

  1. Third-party privacy management approach

The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.

For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.

  2. Third-party oversight and control framework

Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.

Definition of expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI-DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. The involvement of the Finance function in monitoring key control standards can be essential.

  3. An ongoing third-party assessment programme

An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based, ‘triage’ concept for the nature and frequency of that assessment. The programme should reflect how those reviews and visits get executed e.g. questionnaire, third-party site visit etc.


When it’s done right, it’s never done

Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation - including where events or incidents arise.

GDPR brings new energy, which, although just focused on the personal data management imperative, can be helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, but also for firms to continue to implement effective governance, control and accountability over their network of third-party relationships.


Website: www.crowehorwath.com/UK 

Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.

In July 2014 FBME Bank Ltd's Cyprus branch (FBME) was resolved by the Central Bank of Cyprus (CBC). This is a very interesting case for several reasons, as it touches on the nature of legal powers conferred on financial regulators in the area of Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT), on the use and misuse of these and other powers, on the openness of proceedings and on the rights of response and redress of their targets. Robert Lyddon, international banking expert, explains for Finance Monthly.

There is also a perspective around the application of legislation unevenly across large and small banks, with small banks suffering resolution and even closure, and large banks escaping with impressive-sounding fines that do little to inhibit their ability to carry on business as usual.

CBC's intervention came immediately after FBME had been served with a Notice of Finding on 17th July 2014 citing FBME as an institution of "primary money laundering concern" by FinCen, the Financial Crimes Enforcement Network of the US Department of the Treasury.

Under its own governing laws, FinCen only needed to have "reasonable grounds" for its concerns, and the evidence of there being such grounds was confirmed by a judge sitting "in camera". This is not the same as having those allegations proven in an open court of law, with recourse to courts of higher instance. A lower level of proof was required in order for a sanction to be imposed which had a devastating effect on the target bank and its depositors.

FinCen proposed the imposition of its "fifth special measure": this precludes US banks from running a US$ account for the target bank or handling its US$ payments via intermediate correspondents, thus de-banking the target bank in the USA and cutting it off from the international banking system. This is tantamount to putting the target bank out-of-business.

Similarly the designation of certain categories of financial institution - Money/Value Transfer Networks - as "high risk" by the Financial Action Taskforce (FATF) has resulted in these institutions being de-banked and unable to operate. The evidence upon which FATF came to this conclusion is opaque, and there is no public forum for their designation to be challenged, FATF itself being the ultimate source of AML-related legislation.

In the case of FinCen’s notice on FBME, FBME had 60 days in which to file a response but the subject’s prudential supervisor – CBC – denied them this by resolving the branch and immediately offering it for sale to another local bank.

Allegations of AML infringements would have needed to be put through a legal process in Cyprus involving the Cypriot financial crime intelligence unit (MOKAS) as well as the AML supervisor (CBC itself), and would at most have resulted in sanctions such as fines, after due process had been gone through. It is unusual for a central bank such as CBC to be both the "competent authority" for matters relating to AML Directives and the "prudential authority" for bank capital and liquidity adequacy: in the UK these powers are separated.

Instead CBC cut off any due process by using, against FBME, the Law on the Resolution of Credit and Other Institutions of 2013, which was passed to resolve Cyprus' two largest banks - Bank of Cyprus and Laiki Bank - within the context of the €10 billion bailout of Cyprus by the so-called "Troika" of the European Commission, European Central Bank and International Monetary Fund.

CBC misused these powers as FBME was not a case of a bank failure. The preconditions for resolution are cumulative and are that an institution must have a shortfall of capital and of liquidity, and be systemically important i.e. its failure must do harm to the country it is in. FBME did not meet these tests: it had adequate capital and liquidity, and it was small and did not have a significant number of Cypriot depositors.

FBME was, however, an irritant to the Cyprus authorities: it was involved in challenging - commercially and in the courts - the high interchange fees applied by indigenous banks to card transactions, thereby disrupting the income stream of the major local banks.

The interconnection of FBME's case to the 2013 bailout is important because - as a quid pro quo - the Cyprus authorities agreed to remedy concerns about Cyprus' AML regime. These concerns were documented in a report dated 24th April 2013 by MoneyVal, the Council of Europe's AML/CFT evaluation body, which operates as an FATF-style regional body. MoneyVal interviewed a large part of the Cypriot banking sector: 13 out of 41 banks, holding 71% of deposits and 76% of loans in the system, and including the 7 largest banks.

The 2013 MoneyVal report pointed to substantially the same issues as it had noted in the 2011 report on its Fourth Assessment Visit to Cyprus: that report's findings included that "the main risks emanate from the international business activities at the layering stage, money laundering activities usually taking place through banking or real estate transactions". These were sector-wide issues, not confined to any one bank - let alone just one small foreign bank. FinCen raised its own concerns about the AML regime in Cyprus direct to CBC in 2011.

Cyprus received the Troika's €10 billion but there is no evidence of the cessation of the state of affairs described by MoneyVal in 2011 and again in 2013, commonly termed the "Cyprus business model": Cyprus features in several schemes disclosed in the "Panama Papers", the "Paradise Papers", and the "Russian Laundromat" that post-date the bailout.

Instead FBME has been removed from the marketplace, ostensibly as a scapegoat for the allegations levelled against the Cyprus banking sector as a whole. FBME conveniently fitted the bill, and could be attacked in an area where the evidence against it need not stand up in court, and indeed where there was no open court in which FBME could defend itself.

Was the punishment inflicted as an example to the remainder of the Cyprus banks to warn them to remedy their AML deficiencies? Or was it a signal to the Troika and the US authorities, to lead them to believe that Cyprus was delivering on its side of the bailout bargain and cleaning up its act on AML?

Whether CBC had the legal power to resolve FBME, or conveniently mixed its usage of powers - applying its powers as prudential authority to an AML case where it happened also to be the competent authority - is a matter of ongoing dispute.

Of equal concern is whether financial institutions can be resolved or otherwise put out of business through the application of powers conferred on financial regulators for AML/CFT matters where the burden of proof is lower and where a subject institution's rights of appeal are inadequate. Once FinCen has issued a notice against an institution or once FATF has classified an institution into a "high risk" category, the institution is de facto out-of-business, and these authority bodies are not subject to detailed and open scrutiny as to whether their determinations are proportionate, objective and non-discriminatory.

By Kevin Murcko, CEO, CoinMetro and FXPIG

The digital asset economy has seen extraordinary growth over the course of the last year, as seen by the success of Bitcoin. Such rampant activity means that people will often forget that this economy is still developing. Regulations are yet to be imposed on the cryptocurrency market and it remains unknown how it will be affected when countries and governments decide to implement legislation. However, the recent history of the foreign exchange (forex) offers us a look at what the future might hold for the developing digital asset economy.

Forex trading occurs electronically, and is based on a decentralised market that is accessible globally. Despite differences in mechanisms and technology, this is not dissimilar from the decentralised and international structure of the cryptocurrency market. With this in mind, it is not unreasonable to believe that cryptocurrencies will follow the path already trodden by forex when it comes to regulation in future.


In the beginning…

Before Bitcoin and alternative cryptocurrencies were established in the late 2000s, the forex industry was facing radical change as the internet opened up the market to the public. New retail brokers started to appear alongside the traditional banks, providing new services and competition. As forex trading made the move online, there was an element of the “Wild West” culture that has also characterised the early stages of cryptocurrency. As both markets have experienced a similar introduction to the trading space, the future development of regulations for cryptocurrencies will mirror that of forex trading 10 years ago.


Forex regulation evolves

Traders now operate in a vastly different way compared to the past. Thanks to regulatory developments in the established forex space over the last 12 years, the current markets are built around protecting individual investors and market stability. The current conditions require businesses to jump through a variety of hoops - such as meeting minimum capital requirements, establishing audit requirements, and adhering to reporting and bookkeeping rules - before becoming a licensed forex broker. Thanks to this detailed process, regulators are able to weed out fraudulent brokers before they get to market.

On a national scale, individual regulators have their own measures for forex regulation as well, to further protect customers and prevent market abuse. For example, in Australia, the Australian Securities and Investments Commission (ASIC) brought in new regulations in 2009, which imposed new restrictions on over-the-counter (OTC) derivatives trading. This then provided the basis for other countries to reform their own forex regulations regarding OTC trading.

Australia is particularly careful when it comes to regulations, having felt the repercussions of deregulation in the 80s and 90s. The Australian regulatory environment is considered to be one of the most robust and effective in the world. There, modern forex brokers are required to maintain an ASIC license, which demands they hold, “at least the sum of $50,000; plus five per cent of adjusted liabilities between $1 million and $100 million; plus 0.5 per cent of adjusted liabilities for any amount of adjusted liabilities exceeding $100 million.”

Like Australia, Japan has implemented minimum capital requirements as part of its licensing framework for forex brokers. In fact, since first amending the Financial Futures Trading Act to include forex in 2005, the Japanese Financial Services Agency (FSA) has updated its policies on a number of occasions. In 2007, it found issues with highly leveraged transactions, which required increased regulation of the margin requirement ratio for some transactions. More recently, in 2016, Japanese regulators updated the margin requirement policy again, this time extending it to all types of forex transaction.


How the past will affect the future of cryptocurrency

The past year has seen cryptocurrencies shoot into the mainstream, consolidating their status as a new asset class. However, with this growth in adoption, the prospect of regulation for the digital asset economy has become a more pressing issue. As the regulatory landscape for cryptocurrencies is far from established, investors are currently waiting to see the impact regulation will have on the market, as one nation’s implementation of regulation may have a bigger impact on the market, and on a global scale.

Despite many people in the crypto community being staunchly against regulations being introduced, governments and institutions are already looking at how they might implement new regulation on digital assets, and previous experiences with developing forex regulation are playing a strong role in this. However, imposed regulation may not necessarily be a bad thing for the digital asset economy. New regulations would mean people would feel safer investing in cryptocurrencies, as fraudulent brokers will be excluded from the market, which should then serve to drive increased adoption of cryptocurrencies in future. This would legitimise digital assets such as Bitcoin, and prove that these blockchain-based currencies could be the future of currency.

Of course, it is impossible to precisely predict what the exact impact of regulation will be on the digital asset economy, but by taking a look back at how the forex industry has been shaped by regulation over the last 20 years, then we can get a rough idea of how everything might play out for a decentralised international cryptocurrency marketplace.

Overwhelmed by demanding new regulations, leading financial institutions are relying on video to manage the flow of critical information to employees. Below Paul Herdman, Vice President of Qumu EMEA, explains how finance teams and compliance officers can make the most of enterprise videos.

With worldwide financial institutions finally beginning to recover from Brexit, and derivatives markets still adjusting to the rollout of MiFID I, the next communication crisis for this turbulent industry is already looming. As political and regulatory regimes continue to extend their influence, firms doing business across the EU must now prepare for implementation of the revised Markets in Financial Instruments Directive (MiFID II)—which reaches beyond banking to impact trading as well—while US-based financial institutions are busy figuring out how to comply with GDPR (the EU's General Data Protection Regulation).

With both regulations including organisations and their global subsidiaries, greater market transparency in the financial industry is becoming a worldwide mandate. These new directives will have a huge impact on regulated firms in 2018 and beyond and will require financial institutions to upgrade their processes, their compliance operations and most importantly their communication technologies.

A 2017 Thomson Reuters survey revealed the average annual cost of compliance for global financial organisations is $119M per organisation. Additionally, 73% of communication professionals reported that communicating company news to employees is a serious challenge and 37% reported internal silos as the number one challenge for internal communications.

As these companies respond to increasing demands of regulators to meet new directives, many are proactively focusing on developing robust communication programmes. And the centrepiece of these new programmes is, in many cases, an enterprise video platform. Live or on demand, IT executives know that video communication can be fully automated, easily searchable and consumed on any device—making it the perfect communication solution in highly regulated environments. In fact, if managed well, video communication can translate into shorter time-to-compliance, and save financial services firms hundreds, or even thousands, of dollars per year per employee.

But how?

Enterprise video to the rescue

There are many ways using an enterprise video platform can help financial institutions meet compliance directives:

Timely communication: when workforces are dispersed, video messages can be easily created and instantly distributed to employees as regulations change.

Opportunities for feedback: key stakeholders can submit feedback and questions to the executive team, which can be captured and tracked for future resolution, or to identify gaps in the current process.

Timely collaboration: financial institutions can create private communication channels where key team members can share knowledge, insights and outcomes related to their discipline or functional responsibility.

Strategy alignment: video is a great way to present a consistent story across the organisation—before the message is taken externally and any room for misalignment is eliminated.

Increased readiness: video polls can be used to gauge readiness on a specific topic or portion of a new regulation, reinforcing mission-critical compliance procedures.

Documented audit trail: with marketing teams playing a key role in the new directives, automated workflows for approvals and audit trails are key for financial promotions and marketing collateral compliance.

Configurable security: executives can share knowledge quickly across the organisation, or privately with specific groups of key stakeholders, with access to each piece of content scoped to its intended audience.

Reporting and analytics: a video content management system can provide advanced analytics on content review, meeting attendance and overall engagement with the company message.

In conclusion – broaden your reach

Technology investments in enterprise video are key to mitigating regulatory risk. Not only do they provide a platform to communicate how regulatory changes will impact activity, but they allow financial institutions to quickly adapt to evolving rollouts and help ensure that staff carrying out financial activities, including trades, understand what compliance requires of them. With the right enterprise video platform in place, many global financial institutions have been prepared well in advance for MiFID II and GDPR. Is your company ready?


MiFID II came into force at the start of the month/year, but many businesses are still not compliant. Luckily for them, there’s a six-month grace period before they’re actually in trouble. With that in mind, here are five top tips for compliance from Joanne Smith, Group CEO of TCC and Recordsure.

MiFID II, hailed as the key to overhauling the financial markets and implementing the lessons learned following the financial crisis, is finally here. The legislation is designed to drive significant changes around transparency, investor protection and effective governance. It also aims to harmonise the various regulatory regimes that exist across the European Union.

With such broad and wide-reaching goals, the legislation, and the changes firms are required to implement in response, are significant and shouldn’t be underestimated. Yes, MiFID II is already in play, but with so much uncertainty in the build-up to implementation, firms may be less prepared than they might have hoped, or uncertain of how to ensure ongoing compliance.

Here are five top tips to help firms set themselves up for ongoing MiFID II compliance and strengthen their business for ongoing commercial success.

  1. Make Culture King

There’s no doubt that culture is one of the most important components of effective governance frameworks. Firms that are focused on treating customers fairly and delivering the right outcomes are more likely to have greater commercial success and a more positive relationship with the regulator than those with a poor culture, or one that isn’t sufficiently embedded throughout all levels of the organisation. Recent FCA thematic output has identified how firms with objective self-challenge built into their processes are able to more effectively demonstrate that good customer outcomes are central to their business.

Firms should have gained a thorough understanding of their culture prior to making any changes to their business in response to MiFID II. However, culture isn’t static, it evolves over time and so firms will need to continually measure and evidence their culture and the impact it has on consumer outcomes. When assessing this, firms should keep MiFID II’s core aims of transparency and investor protection in mind and assess the extent to which internal practices are aligned.

  2. Consider the Impact of MiFID II on Future Strategy

Now that MiFID II is here, firms should keep the requirements front of mind when considering any strategic business changes, as the requirements do impact, whether directly or indirectly, on a significant number of business areas.

In the near future, the industry is likely to see changes in the distribution landscape, with firms exploring direct to client offerings and increased use of digital services to serve clients and offset the increased costs the legislation will bring.

  3. Get Reporting Systems in Order

The reporting requirements of MiFID II give firms and regulators greater insight into the market, enabling them to monitor and identify emerging threats and potential instances of market abuse. Given the FCA’s more proactive regulatory approach in recent years, firms should expect to see the regulator pay close attention to how firms are utilising the information collected as part of their MiFID II compliance programmes, alongside its own work to increase the effectiveness of its supervisory approach.

Firms should review their reporting systems and data infrastructure regularly to ensure that they are meeting regulatory expectations. Making full use of the available insights can also inform strategy and ensure appropriate outcomes are being achieved.

  4. Keep on top of staff training and communications

Many employees are facing large scale changes to the way they perform their duties in the wake of MiFID II. It’s important that firms think beyond any initial training requirements and have plans in place to monitor compliance, reinforce expectations and deliver refresher training when issues or knowledge gaps are identified.

It’s also important that employees have a clear understanding of the standards and rules that apply to them and are held accountable for their conduct, particularly as the FCA turns its attention to rolling out the Senior Managers & Certification Regime (SM&CR) to the wider industry in the coming months.

  5. Explore the wider benefits of the legislation

In the face of such wide-ranging changes, it can be very easy to focus on the changes needed to comply with the regulations and forget to explore the wider benefits those changes could bring to the business and its bottom line.

Take MiFID II’s conversation recording requirements as an example. Having records in a secure and accessible format is key to demonstrating compliance, providing evidence in the event of a complaint and ensuring appropriate oversight of business activity, but the benefits don’t end there.

The data provided by recorded conversations can highlight areas where process efficiencies can be made, provide greater customer insight and can drive staff training and performance management programmes. The management information (MI) from conversation recording can also help firms identify where future risks lie across the business, not just those areas MiFID II impacts.

MiFID II is now in force, but firms shouldn’t relax just yet. In order to maintain compliance and meet regulatory expectations, firms need to be regularly reviewing their arrangements to ensure they continue to meet the appropriate standards and deliver consistent outcomes.

There are three core principles for Open Banking. This video explores those three principles and talks about the risks and opportunities involved.

The 3 key principles of Open Banking are:

1. Real time sharing of data, including statements and transactional data

2. Real time initiation of payments, which allows other organisations to initiate payments for you

3. Information on products and services that allows comparison

Open Banking brings opportunities to work with new organisations and provide consumers new and innovative solutions but also creates new compliance and governance questions to ensure that organisations can protect consumers' privacy and support consumers to get the value out of their data.

Last week marked one month until the deadline for compliance with the Second Payment Services Directive (PSD2). Coming into effect on 13th January 2018, the legislation will enable consumers across Europe to instruct their banks to share their financial data securely with third parties, making it easier to transfer funds, compare products and manage their accounts.

Currently, the level of individuals looking to switch accounts is relatively low. Figures by the banking authority CMA highlight that 57% of people have held their personal current account for more than 10 years, while 37% have not switched in more than 20 years[1].

However, opening up the front-end of payments initiation and information services has the potential to dramatically shift the competitive landscape. According to research by Accenture, banks are at risk of losing up to 43 percent of retail payment revenues by 2020[2], as the market place opens up to smaller, more sophisticated digital banks that break the industry’s traditional boundaries.

Pini Yakuel, CEO of customer relationship experts Optimove, comments: “The disruption coming with the Open Banking initiative will have a marked impact on customer engagement. Customers will be able to compare the value that each financial services company offers them quickly and easily. Banks will have a real fight on their hands to retain a generation of smartphone-empowered, brand-agnostic consumers.”

“As the financial services industry grapples with the implications of PSD2, one aspect that remains unaddressed is the need for better communications between banks and their customers. Traditional banks will have to respond to this new, more consumer-focused market, and develop successful marketing strategies to make sure they do not lose customers.

“Understanding behaviours, preferences and needs more clearly is key to developing the kind of emotionally intelligent communication with customers that makes them feel comfortable with their bank, helping them to make good financial decisions. Those banks who can offer something back at each stage of their relationship with each customer will set themselves apart under the intense scrutiny of Open Banking.”

“To keep ahead of their competitors, they will need to tailor services to support customers more effectively, offering real value that appeals to each customer personally. Artificial Intelligence, which reveals what value looks like to each customer, will provide banks with a clearer understanding of their customers’ preferences and affinities, enabling them to cater to their needs accordingly and provide true value to each of their customers.”

(Source: Optimove)

Below, Dan North, Chief Economist at Euler Hermes North America, lists several updates and thoughts on the latest matters surrounding the US Federal Reserve.

    1. A rate increase is a lock this week.
    2. We have been saying there will be 2-3 hikes in 2018, but now there seems to be pressure towards 3-4.
    3. We expect that the dreaded “dot-plot”, the worst communications device ever, will also show a bit more of a lean to 4 hikes next year as recent economic data has been solid, and prospects for tax reform appear good (but we’re not there yet).
    4. The solid data will likely lead to a slight increase in the Fed’s GDP forecasts.
    5. Many wonder why the Fed is raising rates when we are still in relatively slow growth with no inflation. But it’s not about inflation today, it’s about inflation tomorrow since monetary policy acts with a lag of 3-5 quarters. And there is inflation – it’s just that it’s in assets like stocks, not consumer prices. Fed officials have expressed concern about the risk of asset prices being overvalued.
    6. There is a problem though, Houston. The yield curve is flattening, and it may be because of the Fed. Clearly markets expect the Fed to keep driving the overnight rate up, and that could be pushing up the short end of the curve. And if you believe Fed actions will hold down inflation that could be pushing down the long end. That’s not a good sign for growth.
    7. Let’s not forget, when the Fed raises rates, it’s trying to slow the economy, and it works.
    8. Expectations are that there will be little change in posture next year under Powell’s command since he has never dissented as a Board member since 2012. He gave a relatively dovish testimony at his Senate hearing, suggesting he would basically be following in Yellen’s footsteps of raising rates gradually. But he also cautioned, as has Yellen, that hiking too slowly could cause inflation to overheat and force the Fed to hike rates faster.
    9. Interestingly, Powell indicated that banking regulations implemented after the financial crisis were strong enough, but that it was also time to make the rules more efficient and less burdensome. “We want regulations to be the most intense, the most stringent for the very largest, most complex institutions and want it to decrease in intensity and stringency as we move down through the regional banks and the community banks.” Regional banks have been caught up in regulations designed for the larger banks, hampering loan growth. Relief for them could help the economy, and their stocks have rallied sharply since his testimony.
    10. Of course it’s Yellen’s last press conference. Will we hear a farewell, or some fond reminiscences?

With MiFID II looming, finance businesses across the UK will be reviewing their practices to ensure the way they work complies with the new regulations. Here, Alex Tebbs, Founder at VIA, explains what the regulations mean for the way we communicate as businesses, and how your business can comply come January 2018.

MiFID II is a targeted regulation update that aims to improve transparency and better protect both providers and customers of the finance sector.

In that sense, it exists to make things better for everyone; but with the January deadline looming and uncertainty still rife around the impact of Brexit on the update, many in the finance industry are still considering the best way to achieve compliance in their business.

It’s a regulation update made up of many facets, one being the requirement for businesses to record their communications in any instance where that conversation results in, or is intended to result in, a transaction. Those communications must be retained - and be accessible when called upon - for five years after the event.

Creating a post-MiFID communications plan

In many ways, the communication requirements of MiFID II make a lot of sense. By recording our conversations, we can be sure that we are serving our customers in the best way, and that they are protected from any potential misunderstandings or misdemeanors.

But in today’s multi-device, multi-location business landscape, compliance isn’t so simple. While once we would have communicated on one device (likely a landline) and from one office, the reality of business today is that we often use multiple devices (and even encourage colleagues to bring their own devices) and operate across multiple locations, including remote working from home, offices in different countries and communications on the move.

This presents a challenge for finance professionals. How do we achieve compliance in this complex communications landscape?

The best place to start is with a review of your existing communications plan as a business. You’ll need to work out what platforms and devices are used to communicate, and make a record of all of those, as they will need to be included in your recording strategy. Be aware that this mightn’t be as straightforward as it sounds, and it’s likely to take time to uncover all the comms platforms in use.

The next step is then to work out how best to record those communications. On a landline, this would require hardware such as a microphone plugged into the handset. There are various apps that make it possible to record calls on a smartphone or via clients like Skype.

An alternative to this somewhat clunky process is to invest in a unified communications platform. This brings all your communication tools - smartphones, landlines, Skype, instant messaging, text - onto one platform which can be easily controlled from one portal, making recording and keeping those conversations a much easier, quicker process.

However you choose to manage your communications, one thing is clear; you will need to be able to both record, and keep, those conversations from January when MiFID II comes into play.

Security considerations in communications

It certainly won’t have passed by your attention that another sizeable regulation update is taking place in 2018; namely, GDPR, an update to data protection rules.

With GDPR putting renewed emphasis on security - and with MiFID’s requirements for comms recording - security should be placed firmly atop the agenda of financial firms.

There are various options for achieving security in communications. The most universally relevant and powerful is end-to-end encryption: the main risk of unsecured comms is that communications could be intercepted en route, and end-to-end encryption removes this risk by making the information, even when intercepted, entirely useless to the interceptor.

For those businesses using a unified communications platform, encryption and many other security considerations are included as standard, with large investments being made by those companies into stress testing their platforms and removing any vulnerabilities as soon as they are considered as a potential risk factor. For those using separate communications channels, a strict security testing strategy will need to be in place to ensure all communications are safe and private.

In terms of retaining those recorded conversations, security is a concern once again. Secure servers and storage areas are a must; consider also who has access to these recordings, and ensure they have a signed agreement in place that complies with data protection rules, and that your business’ data protection processes are up to date - especially as GDPR hits in May 2018.

MiFID II and the communications landscape

There is much left unknown about how MiFID II will affect finance businesses in the long run, and it’s likely that the implementation of its regulations will uncover complexities that need to be clarified as we move into the new year.

With that said, the communications element is prescriptive; finance professionals must record and maintain a record of all communications, regardless of device, platform or location. Is your business ready?

David Clarke, a top 10 GRC influencer, discusses the future of risk and compliance facing corporates and banks.

As you may already know, MiFID II is just around the corner and some firms are already well on their way to compliance; others, however, remain either oblivious, unprepared or facing the many challenges of establishing steps towards compliance. Here Fabrice Bouland, CEO of Alphametry, explains for Finance Monthly what some of these challenges may be and what lies ahead for firms, in particular in dealing with the different approaches regulators are taking with respect to the implementation of investment research unbundling.

On 3rd January 2018, new EU legislation comes into force, part of which stipulates that investment research will have to be paid for separately. This marks an end to the historic model whereby much of it has appeared to be provided free of charge, or at least bundled in with other costs such as trading commission. Firms are now in a scramble to the finish line as they put new processes in place and make decisions about how research will be sourced and paid for. Few, if any, are fully MiFID II-compliant and ready for January’s deadline. Yet as the clock ticks down, and daily stories emerge from buy and sell-side firms announcing their research pricing and budgeting plans, one fundamental question is often overlooked – how are asset managers and analysts determining the value of their research, to ensure maximum value is generated from whatever approach they have decided upon?

Many asset managers have said they will be footing the bill for external research out of their own pockets. Most recently, BlackRock has joined the growing queue of firms which have decided to take this approach. Its announcement was quickly followed by a number of firms, including Schroders, Janus Henderson Investors, Union Investment and Invesco, backtracking on earlier decisions to pass research costs on to investors – all have now said they will be absorbing the costs themselves. Of course, bearing the cost internally will be much harder for smaller and mid-tier firms, many of which will have to reduce the volume and breadth of external research they have access to.

When it comes to pricing, we’ve seen some eye-wateringly high figures. Barclays outlined a system of tiered packages, starting at £30,000 for a ‘read only’ subscription to European research, rising to £350,000 for its ‘Gold’ package. The larger investment banks will, of course, charge more than their smaller rivals. Canaccord Genuity Group’s sell-side unit in the UK released a figure of £75,000 a year for full access to the firm’s investment research and analysts, including dedicated sales and analyst calls and customised research requests. Similarly, Alliance Bernstein LP is quoting firms around $150,000 a year for access to equity analyst reports and other services.

So what’s missing in this brief overview of the market and regulatory landscape? Better evaluation of research must undoubtedly play a role in how firms consume research in an unbundled world, especially for smaller managers with reduced budgets. Technology has a key role to play in accurately assessing and pricing investment research, as well as demonstrating full transparency in order to meet regulatory requirements. In many ways, this is a market crying out for innovation given that only 1% of research notes sent out are read by the buy-side, according to Quinlan & Associates.

In a digital, data-reliant world, traditional voting systems for research are slow and inaccurate. Evaluation must be bottom-up and data driven if firms are going to establish where reduced budgets need to be focused, and which providers deliver the best ROI. A new generation of research platforms provides an opportunity for managers to better understand what they consume, as well as helping providers home in on providing the most valuable and relevant content. There now exists a huge opportunity for asset managers to integrate innovative knowledge management solutions so that research can be targeted directly into the heart of firms’ investment process, giving them the best data from global sources, as well as supporting budgeting and payment decisions in a more detailed way.

Clearly, there remains a lot to do over the next four months, and into 2018, to ensure firms are ready and compliant with MiFID II. The price discovery process continues to be very painful, not to mention the challenges asset managers face deciphering the varying nuances and interpretations of the legislation by different regulators, and how MiFID II will work globally.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.