MiFID II will come into force on the 3rd of January 2018. For those of you who have never considered compliance around retention of records, there are several steps that have to be taken. In the fifth blog in our MiFID II series, we will discuss the stages before, during and after the deadline and what skills are required at each point.
Depending on how old your business is, you may already have a compliance programme in place that has to be updated to comply with the new elements in MiFID II. Alternatively, you may be a new organisation that has to implement a formal compliance initiative for the first time. Either way, you will have to carry out some groundwork to prepare for MiFID II.
The first step to compliance involves an audit of the regulation to know exactly what is required. From a skills perspective, compliance experience is the number one priority, but for those without it, experience with legal language can help here too.
For the teams involved, compliance planning means looking at the processes that are currently in place and where data has to be captured. For those with established compliance programmes, it involves looking at what new data has to be saved. Those without formal compliance efforts in place will have to go through what is needed and how long it has to be retained for.
For MiFID II, this involves looking at how you manage customer consultations. Any records that might influence a trade have to be kept for a minimum of five years. In practice, this covers any email, phone call or message between a trader and the customer. These records also have to be retained over time. You must build up an understanding of how these records will be saved and how you can access them when you need them.
Making the day-to-day process compliant
Getting compliance efforts in place ahead of the MiFID II deadline is only part of the story. What happens after the deadline passes is actually more important, as this is where compliance requirements come face to face with real life.
For many traders, compliance processes around their interactions with clients may have an impact on how they work. For example, calls on mobile and fixed-line phones between traders and clients have to be recorded. Does the call recording system need the trader to do anything to ensure every call is recorded? If it does, then training around the new process will have to be put in place, and any risks identified.
When it comes to implementing call recording, as with any big project, you will have to explain why changes are being made to those affected by them. Change management can be a difficult and potentially “political” task, so setting out why these alterations are both necessary and unavoidable can be just as important.
For example, you may also have to enforce rules on not communicating with clients through “unofficial” channels such as messaging services. Explaining why these services can’t be used is one element; explaining the potential punitive measures for the company and for individuals can also help.
Getting compliance embedded in the business
It’s one thing to make a change, it’s another to make sure it sticks within the business. In practice, this means that any implementation should alter behaviour as little as possible.
For the example of call recording, this means automatically recording all calls as standard. The best solution here is to implement call recording at the mobile network level as opposed to the application layer, meaning all calls are recorded automatically and the trader won’t have to alter their behaviour to use the solution and remain compliant.
Other records of transactions such as email should also automatically be captured, so that the copies can be stored. The main challenge here is making sure that compliance requirements don’t get in the way of how people within the business actually work.
The last element here is monitoring. This involves tracking how the compliance programme is operating, and checking that it is actually doing what it is supposed to do. After all, spending a lot of time and attention on how you implement compliance is not useful if people then either ignore the rules or find ways around them.
A good example here is reporting. This is a key requirement for compliance efforts – reports should be put together to demonstrate that the compliance programme is being adhered to. For example, MiFID II has a requirement around sampling call recordings to make sure that they are working and being stored properly. Listening into calls – and more importantly, flagging that this is a standard operating procedure – is therefore something that you should allot time and budget towards.
Putting together a report on compliance efforts is about more than just ticking a box. In the event of a problem, it can demonstrate that you take compliance seriously and are putting your best efforts into meeting your obligations. However, the skillset here goes beyond just one area – a mix of communication, persuasion, building support from the management team and attention to detail are all required.