In the first half of 2018, two major data-related EU regulations—the Markets in Financial Instruments Directive II (MiFID II), which went into effect in January, and the General Data Protection Regulation (GDPR), which will be implemented on May 25th—are changing how financial services firms manage data. Although legislated in the EU, these two regulations apply to organizations that conduct business in Europe, requiring global firms to come up to speed on compliance.
Meanwhile, other countries face their own regulatory changes and proposals, such as:
• Prudential Standard CPS 234 Information Security in Australia
• The Information Security Technology – Personal Information Security Specification standard in China
• Individual Accountability and Conduct in Singapore
• Customer Due Diligence Rule in the US
• Expansion of the Senior Managers and Certification Regime in the UK
• Updates to the Personal Information Protection Act (PIPA) in South Korea
• Updates to The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
As these regulatory shifts occur, organizations would be well served to focus on data optimization, which encompasses data management, analysis and reporting. Such an effort helps ensure that organizations can easily adapt to comply with new legislation, saving both time and resources. Even in cases where firms aren’t bound by regulatory requirements, following a path of data optimization can yield competitive and reputational benefits.
INCREASING DATA PRIVACY AND TRANSPARENCY REQUIREMENTS ACROSS REGIONS
New regulations such as GDPR impose tighter record-keeping and data management requirements on any company that processes the personal data of individuals in the EU, regardless of where the company itself is based. GDPR focuses on ensuring that individuals better understand and consent to how companies store and use their data. Although this legislation applies across industries, it is particularly relevant in the financial services sector with its high volume of client data.
Other regions are proposing, adding and updating their own data privacy laws. In Australia, for example, the national prudential regulator, the Australian Prudential Regulation Authority (APRA), proposed Prudential Standard CPS 234 Information Security in March, which aims to enhance cybersecurity practices among financial services organizations in order to protect customer data.
In Canada, an existing data privacy law, PIPEDA, which is similar to GDPR, has been expanded to include new disclosure rules regarding data breaches. This legislation will take effect on November 1, 2018. South Korea updated a similar law, PIPA, last year to strengthen consumer protections over personal information collection.
China is also tightening up data privacy policies, such as with the Information Security Technology – Personal Information Security Specification standard that went into effect on May 1st. This standard calls on companies to gain consumer consent to collect personal information. Although the standard is not legally binding, the change is part of a global trend toward increased consumer data protections. Financial services firms in China and other jurisdictions may want to comply with data privacy standards even when they are not mandatory, in order to keep up with competitors in other regions and to capitalize on changing client demands.
In addition to data privacy laws, many jurisdictions are adding regulations that aim to improve the strength of the financial sector overall. In Singapore, the Individual Accountability and Conduct guidelines, proposed in April, aim to ensure that senior managers and directors practice ethical behavior and responsible risk-taking. Similarly, the UK is expanding the scope of its Senior Managers and Certification Regime to improve accountability. The changes include extending the regime to insurers, and will go into effect at the end of 2018. The US Customer Due Diligence Rule also recently went into effect to strengthen anti-money-laundering rules. And globally, financial organizations face new international requirements, such as the Common Reporting Standard (CRS) that emerged in 2014 as a way to fight tax evasion through cross-border data sharing. This year, a number of new countries committed to start exchanging this data, ranging from Brazil to New Zealand, and over the next few years more plan to join.
DEALING WITH DATA CHALLENGES
As new regulations take effect, companies that are not prepared will probably need to invest in additional resources to better manage the changes.
“Asset managers need to invest senior management time and financial resources into implementing GDPR,” explains Latha Balakrishnan, director of compliance and regulatory consulting at advisory firm Duff & Phelps. “This includes investment in technology resources to cope with additional data breach identification, management, reporting and escalation.”
She adds that firms will need to upskill their existing employees to manage new data requirements and bring in relevant data experts.
Adding technology resources and expertise can help companies adapt to other regulations beyond data privacy laws, which often require new reporting.
Following MiFID II implementation, for example, “trade reporting has proved more onerous, with significant infrastructure and operational expense required from buy-side firms,” says William Yonge, funds partner at law firm Morgan Lewis.
Covering the cost of new data requirements is just one challenge. A fixed income research report from global trading network Liquidnet found that although 86% of respondent firms had the technology to meet January’s MiFID II deadline, “over half of the respondents are still struggling to collect accurate data and provide it to the correct party.”
“The data is not very clean as firms sort out who is meant to be doing what,” says Niki Beattie, founder and director of advisory firm Market Structure Partners. “It hasn’t helped that regulators have struggled with their own systems that collect and assess data. We are not yet at a point where [financial services companies] have been able to digest all this and work out what” new regulation means for their operations.
Beyond MiFID II, companies globally face new investing and reporting regulations, such as the Investment Company Reporting Modernization rule, which will take effect for mutual funds in the US over the next two years. In addition, China will allow foreign investment management firms to take controlling stakes in companies offering funds to mainland investors. These types of changes favor firms with flexible technology capabilities, for example, through the use of regtech platforms that enable firms to understand what changes apply to them and to more easily fulfill reporting requirements.
DIVERGENCE BETWEEN MARKETS CAUSES CONFUSION, CREATES OPPORTUNITIES FOR EARLY ADOPTERS
While companies look to comply with new regulatory requirements around the world, the variations between jurisdictions can sometimes cause confusion.
For example, Ms. Balakrishnan says several US-based organizations “frequently ask whether they fall within the scope of GDPR.” She identifies a perception among firms that since the GDPR is not a US regulation they are not bound by the GDPR rules, failing to grasp the extra-territorial nature of the regulation.
Similarly, many firms initially lacked the ability to adapt to MiFID II, though compliance is now improving. “After a tumultuous 2017, [global firms] have transitioned relatively smoothly to the MiFID II regime,” says Steven Stone, head of financial institutions at Morgan Lewis.
To avoid these rocky starts and alleviate the burden of preparing for regulatory change, companies are investing more in compliance expertise. This often dovetails with using automated, customizable data management and reporting platforms rather than having to rely on legacy systems that may not be equipped to comply with new laws.
And although companies are not always obliged to follow regulations like GDPR or PIPEDA, they may find that it makes commercial and operational sense to do so. These regulations set a tone for where the industry is headed. As more jurisdictions enact similar laws, early adopters may enjoy a competitive advantage over those that do not demonstrate strong data management and reporting capabilities. Being proactive enables companies to be more prepared when new data practices become mandatory.
Transparency and data protection are the future, as evidenced by the slew of new regulations that are continuing to emerge globally.
“Regulation in the past century has seen a series of peaks and troughs, as the pendulum swings between tighter, stricter regulation on the one side, and deregulation on the other. There’s no doubt that the pendulum has swung a long way towards the former,” says Nick Bayley, managing director at Duff & Phelps’ compliance and regulatory consulting practice.
As these swings occur, companies that focus on data optimization will be more prepared to manage the changes.