
MiFID II and the GDPR: will they clash?

Tom Burroughes, Editor, London, 27 June 2017


Regulations can sometimes lead to completely different kinds of behaviour, which in turn can lead to legal wrangles. Fears that upcoming EU rules will create such a clash are misplaced, however, according to one eminent figure in the industry.

Not for the first time, wealth industry practitioners are fretting that impending regulations will force firms to do diametrically opposite things, leading to a costly legal mess that might take years to sort out. A senior wealth technology figure, however, believes that such worries are not justified.

The latest worry is that there will be a stand-off between two major sets of European Union regulations: the second Markets in Financial Instruments Directive, or MiFID II – which seeks to improve investor protection and the quality of advice and takes effect from the start of 2018 – and the General Data Protection Regulation (GDPR), which comes into force in May next year. The GDPR sets out strict terms under which organisations may collect and store data and forces such groups to explain their actions clearly.

The fear of a clash stems from the fact that while MiFID II requires firms such as banks, brokerages, asset managers and other parties to collect reams of information from clients, so as to help in areas such as investment suitability and anti-money laundering rules, the GDPR limits the kind of data that firms can hold and the length of time for which they can hold it. At first glance, then, these two sets of rules could create a compliance reconciliation nightmare. The punishments that the authorities can mete out for offenders under the GDPR will be harsh: fines of up to 4% of annual worldwide turnover can be imposed in the event of a breach. This could be enough to put a financial firm out of business.

However, perceptions of a clash between the rules are misconceived, if understandable, according to Andrew Watson, the head of regulatory change at JHC, the firm that issues the FIGARO front-to-back-office system to wealth managers and other financial organisations.

“There is a lot of confusion. GDPR says you should only keep the data you need for only as long as you need it. If you are doing lawful business then there are data needs associated with that. I don’t see a conflict here.

“One issue with such regulations is that there is a lack of clarity about how the rules will affect firms until quite late.”

MiFID II represents the regulatory aftermath of the financial crisis that began in 2008. The rules of the GDPR, meanwhile, are an answer to public concerns about the security of clients’ data – a point driven home almost daily by stories of cybercriminals stealing data, or even simple losses of information caused by carelessness.

At this news service’s recent conference in London on MiFID II, panellists were asked how and whether firms could reconcile the two. The consensus appeared to be that a clash could be avoided so long as bodies collecting data under MiFID II were very clear about why they were doing so.

Rights and obligations

The GDPR regime creates new “rights for data subjects” in terms of consent and the so-called “right to be forgotten,” amongst other things. Watson added: “The GDPR does not change anything in financial regulation but you do need to take data protection really seriously.”

Every discretionary wealth manager must understand his investor’s situation, goals and objectives as part of a suitability review as stipulated by MiFID II. Despite the rights of the data subject granted by the GDPR, the investor cannot withdraw consent for the wealth manager using the data for this purpose. Even if the investor asks for the account to be closed, both MiFID II and the EU’s anti-money-laundering law require the wealth manager to retain these records for many years afterwards. The GDPR does not override this. Wealth managers are, however, responsible for safeguarding this data both externally and inside their firms.

Watson thought that the sheer amount of energy and time consumed by firms in getting things in place before the MiFID II deadline might obscure the importance for firms of other areas of compliance, such as data protection.

“The industry is doing a lot about MiFID II and that’s taking up a lot of bandwidth. I am seeing a lot of firms queuing up their GDPR projects behind MiFID II and that’s a mistake,” he said.

Watson argued that companies must take a holistic view of IT spending on compliance, so as to give themselves some leeway and ensure that data protection and security are at the heart of everything they do.

A recent survey by Duff & Phelps found that only 36% of wealth management firms were fully confident of being ready for MiFID II next January. Recent media reports have pegged the cost of preparing for MiFID II at around $2.1 billion.

The International Association of Privacy Professionals estimates that as many as 75,000 data protection officers will be needed to manage EU citizens’ personal data around the world.

A case of equivalence

An additional complication, industry figures say, is that nobody knows the exact extent to which Brexit will affect the UK’s compliance with the directive; on the current timetable, the GDPR will be law in the UK at least a year, if not more, before the country quits the EU. Even if that were not the case, the UK is likely to be under pressure to upgrade its data protection regime so as to achieve ‘equivalence’ – a word much used by EU officials – with other major jurisdictions as a condition of trade and access.

In many EU laws there is a recognised route for people from outside the EU to do business within the EU under an ‘equivalence’ standard. The US has availed itself of this in the context of reinsurance and central counterparties. The EU’s second Markets in Financial Instruments Directive, or MiFID II, which takes effect on 3 January 2018, contains a good example of an ‘equivalence’ regime for the entirety of investment banking. Other EU laws on various subjects are peppered with ‘let-out clauses’ for ‘equivalent’ regimes; in all cases, it is the EU itself that decides, unilaterally and subject to change, whether a jurisdiction’s rules are ‘equivalent’ to its own.
