by Robert Powell, Director of Compliance, IPC
This is the fourth in a five-part series to help capital markets firms manage records retention adherence for MiFID II regulations. To date, our checklist has looked at:
- Part 1 – Management oversight, knowing your estate, communications ‘intended to lead to a transaction’
- Part 2 – Extending your retention period, systems failure and achieving a complete, quality & accurate record
- Part 3 – Employee training, non-recordable use and a firm’s abilities to demonstrate that policies, procedures and management oversight are working
In Part 4, we will discuss: face-to-face conversations, types of storage and how the General Data Protection Regulation (GDPR) might affect your retention policies.
I believe the requirement to document face-to-face conversations has caused a lot of discussion among capital markets participants. From these discussions, several things have become clear:
First, the need here is for a record of location, attendees, time and date, the initiator of the meeting and any substantial decisions regarding the client’s account or business that are made in the meeting.
Second, while this requirement is undoubtedly aimed at the more retail end of the financial markets spectrum, firms should add this record-keeping requirement to their policies and make sure people actually make a note of meetings when they take place.
Third, remember that for these purposes, a face-to-face meeting is one in which you physically meet anyone with whom you transact business.
My advice would be to keep it simple. Create a process that records the content of these meetings as an email with a special header or a form that can be completed and scanned for retention. What you don’t want is to be asked by the regulator for meeting records and not be able to produce them.
Types of Storage
MiFID II extends the MiFID rules that require records to be tamper resistant by ensuring they are immutable and that any changes to them are tracked. There are no situations where records can be corrected except – possibly – for the record of a face-to-face meeting where people disagree with the recorded version of events when it is circulated (as mentioned above). As far as our checklist goes, you need to look at the following for storing all electronically recorded communications:
- Have more than one copy, to protect from technical or facility failures.
- Show how you have protected your records from being tampered with.
- All records should be encrypted “in transit” and “at rest”.
This checklist item provides the opportunity to review your current practices. Look at how your data is archived and see if it meets the requirements listed above. In particular,
- Does your archive solution system have enough geographically dispersed copies of the data?
- If you lose a datacentre, does your archive still exist?
- Is data encrypted?
You should be able to prove immutability, either by showing your process that protects your data or by using more sophisticated methods that will create a hash value that is associated with each file as it enters the archive.
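One way to implement the per-file hash the checklist item describes, as an added example that is not part of the original article: a small Python ingest-and-verify routine that records a SHA-256 for each record as it enters the archive and chains every manifest entry to the previous one, so that both an edited record and a silently removed record are detected at verification time. The archive is modelled as an in-memory dictionary, the `GENESIS` chain start value is an assumption, and the record contents are constructed sample values.

```python
import hashlib

GENESIS = "0" * 64  # chain start value (an assumption, not a standard)

def entry_hash(prev, name, digest):
    # Each entry commits to the previous one, so deleting or reordering
    # records breaks the chain, not only editing a record's contents.
    return hashlib.sha256(f"{prev}|{name}|{digest}".encode()).hexdigest()

def ingest(manifest, archive, name, data):
    # Store the record and append a chained manifest entry for it.
    archive[name] = data
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    digest = hashlib.sha256(data).hexdigest()
    manifest.append({"file": name, "sha256": digest, "prev": prev,
                     "entry_hash": entry_hash(prev, name, digest)})
    return manifest[-1]

def verify(manifest, archive):
    # Return a list of findings; an empty list means the archive is intact.
    findings, prev = [], GENESIS
    for e in manifest:
        if e["prev"] != prev or e["entry_hash"] != entry_hash(prev, e["file"], e["sha256"]):
            findings.append(f"chain broken at {e['file']}")
        if e["file"] not in archive:
            findings.append(f"missing: {e['file']}")
        elif hashlib.sha256(archive[e["file"]]).hexdigest() != e["sha256"]:
            findings.append(f"altered: {e['file']}")
        prev = e["entry_hash"]
    return findings

def demo():
    # Constructed sample: two records verified clean, then one is edited
    # in place and one manifest entry is deleted.
    manifest, archive = [], {}
    ingest(manifest, archive, "meeting-note.txt", b"Attendees: A, B. Decision: none.")
    ingest(manifest, archive, "trade-chat.txt", b"Buy 100 @ 10.")
    clean = verify(manifest, archive)
    archive["trade-chat.txt"] = b"Buy 100 @ 11."  # after-the-fact edit
    edited = verify(manifest, archive)
    del manifest[0]                                # attempt to hide a record
    dropped = verify(manifest, archive)
    return clean, edited, dropped
```

The manifest itself is only as trustworthy as its storage, so the latest `entry_hash` should be kept in a separate location (for instance alongside the second copy the checklist calls for) and compared against the manifest head before each verification run.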
Hosted or cloud-based archive solutions are now so sophisticated that they nearly always provide better solutions than maintaining a disk in your own environment.
The Impact of GDPR
The General Data Protection Regulation (“GDPR”) is scheduled to become effective in May 2018. While the full impact of its requirements is beyond the scope of this short piece, there is something I would like to mention: one GDPR concept is that firms should delete data once they no longer need it. This adds another dimension to the data retention conundrum that financial markets firms face with regard to the long-term retention of communications records.
There is much discussion about how to handle personal information when it is contained in electronic communications. For example, an email may contain a customer’s address, or a voice recording may capture someone speaking about another individual’s personal data during the call. Most certainly, this does happen. As such, firms need to be aware that this data should be protected accordingly.
Legal holds are another area where firms routinely retain large parts of their archives for periods longer than customary. The MiFID II requirement to delete data no longer needed after five years could be in conflict with a firm’s records retention policy, as the firm’s policy might be longer. These factors need to be considered when utilizing a program that destroys records when they are no longer required.
The final thing to bear in mind, where GDPR is concerned, is the right to be forgotten. This right will require firms to remove or delete data held about an individual so they are no longer identified in the firm’s systems. How this will reconcile with a firm’s record keeping obligations has not been fully understood, but it’s clear that a firm’s use of artificial intelligence and advanced analytics might be compromised if it is required to ‘forget’ the details of someone it has done business with.
Next time, in the final part of the checklist, I will combine all the items discussed to date in this series into a simple checklist you can use to compare your firm’s current state against its target state – and then you can more easily develop a roadmap to get your firm from the one to the other.