Paul Foley of Cyprus-based management consultancy TCG explains the important considerations of GDPR and MiFID II and how these impinge on regulators and regulated firms in Cyprus and Britain, including a look at ‘passporting’ with a focus on exposure to potential lawsuits
At the time of writing we have just seen the implementation of MiFID II (Markets in Financial Instruments Directive Part 2), and for a number of the SMEs out there this was not as smooth as they would have liked. These changes are typically known well in advance of implementation, but for one reason or another a number of companies didn’t appreciate the complexity of the change or took a ‘wait and see’ attitude.
For some of these changes a wait-and-see approach is plausible (although ill-advised), but for others the result could be being shut down or heavily fined. So why am I talking about lawsuits?
The next big change comes into law in May and it’s called GDPR (General Data Protection Regulation). The headline is that this is the replacement for the Data Protection Act, but that still doesn’t explain the comment about lawsuits.
When we consider locations from which to run a forex brokerage, or a number of other financial services businesses, we know that there are several reasons why Cyprus is the destination of choice. In the main it comes down to the barrier to entry, which is lower here because CySec takes a comparatively reasonable approach to licensing. Being CySec regulated does, however, still provide the opportunity to passport into other European countries.
For those of you who are not familiar with this concept ‘Passporting’ is the ability to obtain a license in one country and then operate in the other territories of the EU.
There is of course one universal truth about the financial services industry: irrespective of location, we know that some areas of the industry have a cloudy reputation (which in the main is not deserved) and that this reputation is an active obstacle to the marketing and sales efforts of all companies operating in a given area.
I think it’s fair to say that everyone in the industry understands that there is more kudos attributed to being with the FCA than being with CySec (which is not to say that CySec aren’t doing a good job), but likewise we all know that bad behaviour (or perceived bad behaviour) in one city is interpreted by the general public as being an industry problem rather than a geographic issue.
This may seem a little negative but bear with me. We’ve seen with the banks over the last decade that a reputation is very easy to lose whilst being very hard to rebuild and that a number of the practices that they were involved in were less than desirable. This then is our opportunity to ensure that we don’t suffer the same fate.
The GDPR changes will allow our industry to address a number of issues, including our culture, in order to ensure that we have a more acceptable image and a reputation for transparency and decency. It is, however, also an opportunity to invite exactly the same reputational damage that the banks suffered.
GDPR is primarily concerned with the rights of the individual, and specifically their right to know how, where and why the data we hold in relation to them is being used. This change relates to any European citizen (so anyone living anywhere in Europe). There are several noteworthy themes for GDPR:
1. Protection of minors
2. Data retention/storage
3. Data usage/consent
4. Access to data
5. The right to be forgotten
The protection of minors point speaks for itself (or should). In financial services we should not be talking to minors, we shouldn’t be marketing to them and we should be doing what we can to ensure that minors do not gain access to our systems, services or products.
Data retention and storage is perhaps a more interesting point. The new rules state that data must be held in an approved or safe location (approved is pronounced ‘Europe’ unless a specific permission is requested and allowed).
The interesting point here is that data processors (the people you outsource certain functions to) also need to adhere to this – so if you use a processor to provide KYC information via China (as a terrible example) then this would not comply with GDPR requirements and you (as the controller) would be held accountable – unless the data was stored only in Europe or you had permission to store data in China.
In terms of retention the general guideline is that you shouldn’t be keeping data for longer than you need it – it should be noted that the phrase “Because we wanted it!” is not currently envisaged to be a safe comment to use with an auditor or judge.
This brings us neatly to data usage. When an individual deposits data with your company you will need to state what the data is being used for AND obtain their consent to use it for those purposes.
This rule might sound a little one-sided, but it seems to hinge on the way that lots of companies have abused user data and either sold or rented it to third-party companies. It is currently envisaged that inadequate consent, or unclear statements used to gain consent, will be one of the first items that courts will look at (and this is obviously opinion, as the rules are not in place yet).
Having now established that data is being stored in a legitimate location and is being used for what it’s supposed to be used for, there are a couple of other things that we’re going to need to deal with – namely data access and the right to be forgotten.
In short, users will have the right to approach you and ask for any and all data that you hold in respect of them – so the things that come to mind immediately are all those little notes that the sales team has been adding to the CRM (personal, subjective opinions that you might be embarrassed by if the client were to see them). On top of this, the client also has the right to ask you to remove them (all traces) from your systems and to correct data if they spot errors.
The interesting thing to remember here is that your legal obligation as a business takes priority over the client’s rights as a consumer. If a client has registered with you and not made a deposit or trade, then potentially you could remove them as they requested; but if a client has registered with you, gone through the KYC process and subsequently made a deposit (or trade), then you have a legal obligation to hold the data for a number of years.
This then is a very brief overview of the change that’s coming and the impact of this change will vary by company.
Now back to the original point – lawsuits.
The reason that I started by talking about lawsuits, and pointing out that this is a consumer-led regulatory change, before mentioning reputation is that the Forex industry, especially here in Cyprus, has always battled with the image that the industry is somehow a little slice of the wild west and that a lot more ‘goes’ here than in other industries (even if that’s not true).
One of the things that has been discussed for over a year now is that, potentially, in the first year of GDPR’s existence there might be a temptation to target companies in the same way as banks have been targeted for PPI (Payment Protection Insurance) in the UK.
This has been relentless and for the banks involved has cost them dearly. Estimates are currently around the 35 billion mark. Whilst the financial cost may be distressing to individual businesses, the reputational damage to a specific territory could be catastrophic, and the damage to the industry as a whole would also be terrible, ensuring that even for the ‘cleanest’ broker things would become harder and harder.
But it’s not all doom and gloom.
This is just another project for your IT department to undertake, and it also provides you with a number of opportunities for the business as a whole. If you don’t have the skills in house to do it, or don’t know enough about the subject to understand what your exposure could be, then get a consultant in – this is one of those ‘internal’ projects that delivers a reduction in operational risk and could in fact be a silver lining for your business, be part of your ISO 27001 certification effort or simply lead to a more secure, professional and capable IT function. Staying out of the press for the wrong reasons will not harm your reputation either.
I hope that this piece has given you an insight into the upcoming change and that it’s also served to illustrate that this is an opportunity, not just a threat.
Paul Foley is a seasoned CIO working in Financial Services with a track record of delivering operational excellence, innovation and remarkable teams. For more information about GDPR visit tcgeurope.com