Adopting a zero-tolerance compliance culture

By Robert Powell, Global Director of Compliance at IPC for Fund Technology – first published April 2017

With the Markets in Financial Instruments Directive (MiFID II) deadline extended to January 3, 2018, European firms are now at various stages of readiness, with most on schedule to be compliant with the new rules when, or soon after, they go into effect.

Although MiFID II is an ostensibly EU-based directive, financial firms in other regions that trade with European counterparties are held accountable by European regulators to remain compliant with some of the new rules. An example of this is in the communications retention space where, despite MiFID II bringing greater parity in retention periods, U.S. firms may lack compliance in several areas.

The Commodity Futures Trading Commission, like MiFID II, requires telephone calls – landline and mobile – to be captured and retained for five years in Europe and one year in the U.S. Retention periods, media types and the use of policy to prevent certain behaviour are all treated differently by European regulators than by their U.S. counterparts.

The table below outlines some of the differences in requirements between the new MiFID II rules and the current U.S. equivalent rules.

For a long time in the U.S., policy has been employed in conjunction with attestation, which is not widely used in Europe, where policies are typically required to be tested as being effective. In the telecommunications space, it is particularly hard to test rules where “bring your own device” policies are in place without running into privacy issues: asking an employee to divulge details of personal calls placed on personal devices means asking about devices an employer has no right to inspect. But MiFID II dictates that firms must take reasonable steps to prevent the use of personal devices that cannot be recorded. The regulatory pull and the privacy rights of an employee will make this almost impossible to enforce through policy.

Firms that deal with European counterparties or clients will be expected by regulators to be compliant with the new rules to participate in the market.  That will include how you handle research and record retention.

What is the risk for U.S. firms that aren’t preparing for MiFID II? A U.S. firm could be asked by a European regulator to produce records and be required to explain its actions in the European marketplace but, without consistently recorded communications, it will be unable to produce defence records. With the new rules, the European regulators may have more data than the firms they are questioning, as the call will almost certainly have been recorded by the European firm as part of its MiFID II record-keeping obligations. This may place a U.S. firm at a disadvantage. Trying to defend yourself without this data may prove difficult.

One of the easier ways to mitigate risk in this new era of greater global regulation is to adopt a zero-tolerance compliance culture. That means any employee who violates company policy is subject to termination. It begins with training that is constant, audited and evolves as the organization matures in its compliance culture. Before adopting this kind of environment, it is important to clearly communicate your firm’s rules and requirements. Working closely with compliance, legal and human resources, a firm should conduct a thorough audit of internal policies to ensure they are aligned with zero tolerance. Innovation and adoption of new technology should be continually verified to be in line with the organization’s rules. Technology can provide greater efficiency and understanding for improving processes while also being used for zero-evidence application.

Non-compliance can mean millions of dollars in fines for companies not wise enough to take it seriously.