Launching on the 3rd January 2018, MiFID II aims to strengthen protection for investors, prevent market abuse, increase transparency and re-establish consumer trust by introducing new requirements and reinforcing existing ones.
Under the final MiFID II rules, investment firms have an obligation to record any telephone conversations or electronic communications that are intended to result in:
Communications must be recorded even if they do not ultimately result in the conclusion of such transactions or the provision of such services.
Investment firms must take all reasonable steps to record relevant telephone conversations and electronic communications that are made with, sent from or received by equipment provided to employees (of any type and at any level).
Beyond protecting client data, communication recording is predominantly deployed in order to:
It is mandatory that the investment firm makes every reasonable effort to inform clients when a call or electronic communication will be recorded, silently monitored or intruded into.
The European Securities and Markets Authority (“ESMA”) has addressed the application of the MiFID II telephone taping obligations in its investor protection Q&As (ESMA/2016/1444). The ESMA Q&A states the following:
Insight Local Sample: UK
The Financial Conduct Authority (“FCA”) (the UK regulator) confirmed that “anything communicated from either the client or the adviser that could influence the client’s decision should be captured” to comply with MiFID II. In addition, the FCA is transposing the new MiFID II guidelines on the recording and tracking of face-to-face meetings. Some of the items that should be captured according to the FCA are as follows:
On top of the above 5 minimum criteria, the FCA expects the main points of the conversation to be recorded in order to provide a degree of consumer protection. The FCA has also advised that companies should share the notes made of relevant phone calls with clients on a regular basis to ensure their accuracy.
Synergies with the DPA in UK
Recording electronic communication has a direct synergy with, and dependency on, the Data Protection Act (“DPA”), and must therefore comply with the following 8 principles:
The DPA does not explicitly use the term “call recording”; however, the Act does explicitly define the ‘processing’ of information or data as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
Data controllers, like Apex, must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.
It is therefore advisable that companies protect call recordings in the same way they would protect any digital or written data where the customer can be identified.
It is also important to reiterate that the counterparty must be advised that the call is being recorded, for both incoming and outgoing communication.
Due to recent developments and the increasing aggressiveness of cyberattacks, new regulations and strategies have been put in place to ensure that cyber security methods are improved, both to detect and prevent attacks and to reduce the risk of damage to, or unauthorised access to, data and/or systems.
It is now widely understood that the consequences of a cyber attack can be devastating for both firms and consumers from a reputational, financial and data protection perspective, particularly in light of the increasingly sophisticated nature of the offences. Securing networks, information systems, computers, programs and personal data is therefore key to keeping the online economy running and to ensuring that the data of both clients and investors is securely stored and processed.
In May 2017, the European Union Agency for Network and Information Security (“ENISA”) issued a common position paper on cybersecurity that addresses and prioritises standardisation, certification, and security processes and services as key elements in accelerating the building of trust among citizens, consumers and business.
On the 13th September 2017, ENISA announced that the President of the European Commission, Jean-Claude Juncker, had confirmed a proposal for a regulation, referred to as the Cybersecurity Act (‘the Draft Cybersecurity Act’), in his State of the Union 2017 speech.
The Draft Cybersecurity Act aims to increase resilience and ensure the readiness of EU Member States to implement robust controls and defences against cyberattacks. It also strengthens ENISA’s role, including with regard to the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) (‘the NIS Directive’), the upcoming EU Cybersecurity Blueprint for cyber crisis cooperation, and information and communication technology security certification. Moreover, the Draft Cybersecurity Act would repeal Regulation (EU) 526/2013.
Key achievements of the new Regulation:
Upcoming EU policies shall always contain cybersecurity initiatives, with particular attention to new technologies and emerging sectors.
Data protection & Cybersecurity
Developing cyber security technology may involve the use and analysis of large amounts of personal data from different sources. Developers, project managers and compliance officers therefore face a variety of data protection compliance challenges, including providing appropriate notice to users and ensuring data is only used for the purpose for which it was initially collected.
Because of the synergies between the development and deployment of cybersecurity techniques and tools on the one hand and data protection obligations on the other, a cornerstone of data protection law is the requirement to implement “appropriate” security to protect personal information.
The ultimate aim is to improve security for the entire financial sector and to educate financial institutions on how to avoid some of the common mistakes listed below: