Apex Regulatory Update: October 2017


Share on facebook
Share on twitter
Share on linkedin


MiFID II – Recording of electronic communications – Updates

Launching on the 3rd January 2018, MiFID II aims to strengthen protection for investors, prevent market abuse, increase transparency and re-establish consumer trust by introducing new requirements and reinforcing the existing ones.

Under the final MiFID II rules, investment firms have an obligation to record any telephone conversations or electronic communications that are intended to result in:

  • transactions concluded when dealing on own account; or
  • the provision of client order services that relate to the reception, transmission and execution of client orders

Communications are to be recorded even if ultimately they do not result in the conclusion of such transactions or the provision of such services.

Investment firms must take all reasonable steps to record relevant telephone conversations and electronic communications that are made with, sent from or received by equipment provided to the employees (any type and any level).

Other than protecting client data, the communication recording is predominantly being deployed in order to:

  • Provide evidence of a business transaction
  • Corroborate and support a compliant case
  • Ensure that a business complies with industry standards and regulatory procedures,
  • See that quality standards are being met,
  • Prevent or detect crime, including frauds, marked abuse, etc.
  • Investigate the unauthorised use of a telecommunications system
  • Training purposes
  • Quality Monitoring

It is mandatory that the investment firm makes every reasonable effort to inform the clients if a call or electronic communication will be recorded, silently monitored or intruded into.

Legal Framework

The European Securities and Markets Authority (“ESMA”) has addressed the application of the MiFID II telephone taping obligations in its investor protection Q&As (ESMA/2016/1444). These ESMA Q&A states the following:

  • firms may permit employees to use mobile devices in connection with services that are within the scope of the telephone taping rules, however the firm must take all reasonable steps to prevent a relevant person from making, sending or receiving in-scope telephone conversations and electronic communications on devices which the firm is unable to record or copy;
  • Under MiFID II, data subjects are able to request access to recorded telephone conversations and electronic communications. The request might be subject to charge, which is at the firm’s discretion however the charge must be reasonable in order to not discourage clients from making such requests.[1]
  • a client’s right to request recordings of telephone conversations and electronic communications extends to internal conversations and communications between employees and contractors of the firm in relation to the provision of services in connection with the client’s order;
  • when implementing the MIFID II requirements to engage in periodic monitoring of relevant telephone conversations and electronic recordings, any monitoring arrangements should be appropriate to the nature, size and complexity of the business and the likelihood of misconduct and non-compliance;
  • it is not necessary for a firm to establish a control function that is separate from the compliance function to engage in periodic monitoring;
  • ESMA will not produce an exhaustive list of communications that are captured by the term “electronic communication”, but it includes, amongst other forms of communication, video conference, fax, email, SMS, instant messaging, business-to-business devices and mobile device applications; and
  • recording of telephone or electronic communications will be considered a critical or important operational function for the purposes of MiFID rules on outsourcing.

Insight Local Sample: UK

The Financial Conduct Authority (“FCA”) (the UK regulator) confirmed that “anything communicated from either the client or the adviser that could influence the client’s decision should be captured” to comply with MiFID II.. In addition, the FCA transposing the new MiFID II guidelines on recording and tracking of face-to-face meetings. Some of the items that should be captured according to the FCA are as follows:

  • the date and time of the meeting,
  • the location of the meeting,
  • the identity of the attendees,
  • the initiator of the meetings, and
  • relevant information about the client order including the price, volume, type of order and when it shall be transmitted or executed.

On top of the above 5 minimum criteria, the FCA expects the main points of the conversation are recorded in order to provide a degree of consumer protection. The FCA has also advised that companies should share the notes made of relevant phone calls with clients on a regular basis to ensure accuracy of the same.

Synergies with the DPA in UK

Recording electronic communication has direct synergy and dependency on the Data Protection Act (“DPA”), and therefore must comply with the following 8 principles[2]:

  1. Data can only be used for the explicit purpose for which it was gathered.
  2. Data cannot be released to a third party without the consent of the individual it refers to, unless there is a lawful reason to do so – for instance, the prevention or detection of criminal activity
  3. Citizens have a legal right to access any data held about them in most circumstances. Exclusions might apply if information is held for the prevention or detection of criminal activity.
  4. Personal data cannot be kept for longer than is necessary and must be kept up to date.
  5. All organisations that process personal data must be enrolled onto the Register of Data Controllers database. Only a few organisations that conduct the simplest forms of processing are exempt from this rule.
  6. If personal data is factually incorrect, the individual that information pertains to has a legal right to see that it is corrected.
  7. Any organisation or individual holding personal data for anything other than domestic purposes is required to have appropriate technical and organisational measures in place. These might include technical security features such as network firewalls and organisational security features such as the provision of relevant staff training.
  8. Personal data cannot be transferred outside the European Economic Area unless the individual it pertains to has given their consent, or unless the country or territory it is being sent to can ensure adequate protections are in place.

Given the above, DPA doesn’t clearly include the term “call recording”, however the Act does explicitly refer to the ‘processing’ of information or data as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organisation, adaptation or alteration of the information or data
  • retrieval, consultation or use of the information or data
  • disclosure of the information or data by transmission, dissemination or otherwise making available;
  • alignment, combination, blocking, erasure or destruction of the information or data.”

Data controllers, like Apex, must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.

It is therefore advisable that companies protect call recordings in the same way they would protect any digital or written data where the customer can be identified.

It is also important to reiterate that the recording of the call must be advised to the counterparty, in both incoming or outgoing communication.

Cyber Security

Due to recent developments and the increasing aggressiveness of cyberattacks, new regulations and strategies have been put in place to ensure cyber security methods are improved in order to both detect and prevent attacks and the risk of damage or unauthorised access to data and/or systems.

It is now widely understood that the consequences of a cyber attack can be devastating for both firms and consumers from a reputational, financial and data protection perspective, particularly in light of the increasingly sophisticated nature of the offences. Securing networks, information systems, computers, programs and personal data is therefore key to keeping the online economy running and to ensure the data of both clients and investors is securely stored and processed.

In May 2017, European Union Agency for Network and Information Security (“ENISA”) issued a common position paper on cybersecurity to address and prioritise standardisation, certification plus security processes and services as key elements to accelerate the process of trust from the citizens, consumers and business.

On the 13th September 2017, the ENISA announced that the President of the European Commission, Jean-Claude Juncker, confirmed a proposal for a regulation, referred to as the Cybersecurity Act (‘the Draft Cybersecurity Act’) in his State of the Union 2017 speech.

The Draft Cybersecurity Act aims to increase resilience and ensure readiness of EU State Members to implement robust controls and defences against cyberattacks, as well as strengthening ENISA’s role, including with regard to the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) (‘the NIS Directive’) the upcoming EU Cybersecurity Blueprint for cyber crisis cooperation and information and communication technology security certification. Moreover, the Draft Cybersecurity Act would repeal Regulation (EU) 526/2013.

New Regulation Key achievements:

  1. Increasing cybersecurity capabilities and cooperation:
    • All EU Member States should now be aligned in the development and deployment of their cybersecurity capabilities.
  2. Making the EU a strong player in cybersecurity:
    • Ensuring that EU citizens and companies (public and private) have access to the latest digital security technology – which is interoperable, competitive, trustworthy and respects fundamental rights including the right to privacy.
    • Fostering a unique and harmonised model for the European cybersecurity industry.
  3. Mainstreaming cybersecurity in EU policies:

Upcoming EU policies shall always contain cybersecurity initiatives, with particular attention to new technologies and emerging sectors.

Data protection & Cybersecurity

Developing cyber security technology might involve the use and analysis of large amounts of personal data from different sources. Developers, project managers and compliance officers therefore face a variety of data protection compliance challenges, including providing appropriate notice to users and ensuring data is only used for the purpose it was initially collected.

Due to the synergies between the development and deployment of cybersecurity techniques and tools and data protection obligations, a key cornerstone of the data protection law has been envisaged to implement “appropriate” security to protect personal information.

The ultimate aim is to improve the security for the entire financial sector and educate financial institutions on how to avoid making some of the common mistakes listed below:


Share on facebook
Share on twitter
Share on linkedin

Get in touch with our team

Submit your query

Cookie control
This website uses cookies so that we can make your experience better. If you wish to change your cookie settings please refer to our Privacy Policy. Otherwise we will assume you’re OK to continue. Privacy Policy