It’s now only a couple of weeks until MiFID II is officially introduced, so what can firms still do to prepare themselves?
By now, most firms will be implementing call recording– hopefully using a solution that ensures compliance, retains call quality, provides ease of use and has adequate storage requirements. However, have you considered what’s needed in terms of your mobile phone policy in light of MiFID II?
Here we answer some of the most common questions we are being asked:
What changes are needed to my IT department’s current mobile policy?
An aspect that’s often overlooked is the deployment of the call recording solution to all mobile devices – which should be an imperative part of the new mobile policy.
The installation and configuration of an application-based solution can add a significant layer of cost to the business. However, a network-level call recording solution means there are no apps to install and configure on mobile devices. Hence, you will never have to schedule installations, worry about compatibility with updates or even consider which devices are compatible with your call recording solution. This situation means you can effectively almost remove any onus on IT from your call recording considerations.
Should storage be part of my mobile policy?
MiFID II requires all records to be kept in a durable medium that allows them to be searchable, retrievable, replayed and copied, but which prevents the original from being altered or deleted. Therefore, the mobile policy, as well as the call recording solution, should strictly control access to these records as well ensuring the quality and accuracy – and so provide an audit trail for every single communication from creation to disposal.
What happens if my firm has a BYOD policy?
Since MiFID II was announced, there’s been some confusion about which devices and phone numbers are covered. However, the directive applies to the content of a conversation or communication, not the device or number it’s conducted on. Firms are still liable if the call is carried out on a personal device.
A recommended approach would be to ban the use of personal devices for business purposes – and stipulate in the mobile policy that only company-owned numbers and devices can be used to conduct business. This approach prevents issues around having to record employees’ personal calls as well – and helps ensure all corporate conversations are tracked.
What happens if my firm uses instant messaging for business, such as WhatsApp?
Many instant messaging solutions are now used in business, as mobile devices have become more and more prevalent. However, an enhanced consumer need for privacy has led to all the popular instant messaging platforms, such as WhatsApp, encrypting their data so that it cannot be monitored by internal systems.
Therefore, if organisations cannot monitor these communications, they can’t be compliant with MiFID II. These can be banned as part of the mobile policy – and, as a step further, the installation of these apps can be prevented completely via Mobile Device Management solutions for company-controlled devices.
It’s important to accompany a revised mobile policy with a delicate education lesson. Letting personnel know why they cannot use some of the devices and apps they would normally wish to use, and are accustomed to using – in assisting with compliance and protecting company reputation – is a worthwhile exercise.
Ultimately, mobile policies need to help organisations close as many loopholes and conversation streams as possible to prove – in the instance of an indiscretion – that the user went so far out of the way that the blame lies solely with them, and not the company.