by Robert Powell, Director of Compliance, IPC
Third in a five-part series to help capital markets firms manage records retention adherence for MiFID II regulations. Following our look at retention periods, systems failures and Complete, Quality & Accurate records (Parts 1 and 2 of the checklist), this checklist focuses on employee training, non-recordable use and a firm’s ability to demonstrate that its policies, procedures and management oversight are working.
Training is Imperative
There is a new emphasis on compliance training for employees at financial firms. This is common to all new financial markets regulations: the regulator wants to remove the defence that staff were unaware of the changes and believed they were acting reasonably. At the very least, the training should protect the firm by showing that it has met its obligation to inform its employees, and it should give concrete examples of good and bad communications behaviour.
We have recently seen UK regulators take action over an individual's inappropriate use of WhatsApp. Your training should state clearly which communications devices and channels your business permits and which it does not. The permitted list is much shorter and should be the focus of the training; the unpermitted list grows every day, so the message to users should be simple: if it is not recorded, it must not be used.
Training must be mandatory, and employees should acknowledge in writing that they have received it and understood why it matters. Annual refresher training with online tests is a practical way to document both delivery and understanding. Finally, employees should understand the risk of having an ephemeral, zero-evidence messaging app on a work device: regulators and law enforcement may well assume there is fire when they see that smoke.
Use of Non-recordable Devices
It is very hard for firms to prevent the use of non-recordable devices outright. The training described above, combined with a culture of compliance, goes a long way towards peace of mind. Your IT team can add technical controls: the main non-recorded communications capabilities should be blocked on the firm's network and on firm-managed mobile devices such as phones and tablets.
Demonstrating Policies, Procedures and Oversight
One item that is often left until last is the ability to tie together all the work that went into creating and implementing policies for communications use, retention and surveillance. MiFID II requires management oversight, written policies and regular review that those policies are implemented and effective, not only when you perform a recovery, conduct surveillance or add another communications technology.
This checklist item is highly tailored to your business. It needs to be owned by a specific department and contributed to by all stakeholders. At a minimum, you should be able to produce each year a documented review of the policies, procedures and changes made, ready to present to the regulator on request.
Surveillance is one of the hardest areas in which to provide satisfactory documentation to regulators. It is not possible to read every message or listen to every phone call, so the technology you select should be adaptable and well understood by the team operating it. Beyond the key words and phrases that help you find concerning behaviours, your surveillance should also look for evidence of non-recorded use (for example, a recorded message suggesting the conversation move to a personal phone or a consumer messaging app) and of confidentiality breaches. When such cases are found and quickly remediated, they become evidence of your programme's effectiveness.
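As an added illustration (this is example code, not part of the IPC article or any IPC product), the following Python script runs a small, hypothetical rule set over constructed sample messages exported from a recorded chat channel. It tags each hit with the category of evidence it provides (off-channel use, confidentiality breach, or conduct keyword) and produces the per-category counts a compliance team could carry into its annual review. The rule names, patterns, message fields and sample texts are all assumptions chosen for the example; a real lexicon is firm-specific and needs ongoing tuning for false positives.

```python
"""Rule-based communications surveillance over recorded messages (illustrative example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    category: str   # what a hit evidences: off_channel, confidentiality or conduct
    name: str       # human-readable rule name for the surveillance report
    pattern: re.Pattern


# Hypothetical starter rule set (an assumption for this example, not a recommended lexicon).
RULES: List[Rule] = [
    Rule("off_channel", "consumer messaging app named",
         re.compile(r"\b(whatsapp|signal|telegram|wechat|imessage)\b", re.I)),
    Rule("off_channel", "move to personal device",
         re.compile(r"\b(call|text|ping|message)\s+me\s+on\s+my\s+(mobile|cell|personal)\b", re.I)),
    Rule("off_channel", "take conversation offline",
         re.compile(r"\b(take\s+this|let['’]?s\s+go)\s+offline\b", re.I)),
    Rule("confidentiality", "personal webmail address",
         re.compile(r"[\w.+-]+@(gmail|yahoo|hotmail|outlook|icloud)\.com\b", re.I)),
    Rule("confidentiality", "secrecy language",
         re.compile(r"\b(keep\s+this\s+between\s+us|don['’]?t\s+(tell|forward)|off\s+the\s+record)\b", re.I)),
    Rule("conduct", "improper assurance",
         re.compile(r"\b(guaranteed?|can['’]?t\s+lose)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    message_id: str
    sender: str
    category: str
    rule: str
    excerpt: str    # short context window around the match, for the reviewer


def scan_message(message: Dict[str, str], rules: Iterable[Rule] = RULES) -> List[Finding]:
    """Return one Finding per rule that matches the message text (first hit per rule)."""
    text = message["text"]
    findings: List[Finding] = []
    for rule in rules:
        hit = rule.pattern.search(text)
        if hit is None:
            continue
        start, end = max(0, hit.start() - 25), min(len(text), hit.end() + 25)
        findings.append(Finding(message["id"], message["sender"], rule.category,
                                rule.name, text[start:end].strip()))
    return findings


def scan_messages(messages: Iterable[Dict[str, str]], rules: Iterable[Rule] = RULES) -> List[Finding]:
    """Scan a batch of messages in order; findings keep message order, then rule order."""
    rules = list(rules)
    return [f for msg in messages for f in scan_message(msg, rules)]


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per evidence category, the figure a periodic review would report."""
    return dict(Counter(f.category for f in findings))


# Constructed sample export from a recorded chat channel (invented data, not real traffic).
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "m1", "sender": "trader.a", "channel": "chat",
     "text": "Pricing confirmed at 101.25, will send the term sheet via the usual channel."},
    {"id": "m2", "sender": "trader.a", "channel": "chat",
     "text": "this is getting sensitive, whatsapp me instead"},
    {"id": "m3", "sender": "sales.b", "channel": "chat",
     "text": "Can you forward the client list to jane.doe@gmail.com before the call?"},
    {"id": "m4", "sender": "trader.c", "channel": "chat",
     "text": "Call me on my mobile, don't want this on the recorded line"},
    {"id": "m5", "sender": "sales.b", "channel": "chat",
     "text": "keep this between us: the deal is guaranteed to close Friday"},
]


if __name__ == "__main__":
    results = scan_messages(SAMPLE_MESSAGES)
    for f in results:
        print(f"{f.message_id} {f.sender:<10} {f.category:<16} {f.rule:<30} | {f.excerpt}")
    print("summary:", summarise(results))
```

Each finding carries the message id and an excerpt so a reviewer can pull the full recorded message, decide whether it is a genuine off-channel solicitation or a false positive, and record the remediation; that record, together with the category counts over time, is the kind of evidence of programme effectiveness the section above describes.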
Next time, in Part 4 of our MiFID Countdown Checklist, we’ll look at face-to-face conversations, types of storage and how GDPR might affect your retention policies.