Next year is abundant with new EU regulation for firms to get to grips with.
From the EU’s General Data Protection Regulation (GDPR), to the second Markets in Financial Instruments Directive (MiFID II) and the second Payment Services Directive (PSD2) all set to have a substantial impact across sectors, 2018 will be a banner year for regulation.
These new rules impose significant changes and contain potential inter-regulatory conflicts, leaving firms with the unenviable task of implementing the new requirements while still lacking clarity as to what regulators expect of them.
Data sits at the heart of these regulations. MiFID II aims to improve quality of advice and investor protections, and in doing so requires extensive data recording.
GDPR sets strict rules regarding the collection and storage of data. PSD2 breaks down banks’ monopoly on their users’ data, allowing other businesses to retrieve data from customers’ bank accounts.
Here’s five tips to help you navigate through this regulatory minefield.
Don’t lose sight of the deadlines: MiFID II and PSD2 come into force in January, with GDPR following in May. Failure to comply with GDPR could lead to a fine of up to 4 per cent of a firm’s global revenue, a price which could prove catastrophic, particularly for smaller businesses.
Exact penalties for non-compliance with MiFID II have yet to be announced, but failure to comply will risk firms being unable to trade, facing significant costs and potential reputational damage.
Firms looking to implement policy ahead of PSD2 face a similar lack of clarity. But those which delay implementation risk being left in the dust by more nimble competitors who embrace the legislation early on.
If it is looking likely that you won’t be compliant in time, notify the relevant regulator and ensure that you have contingency plans in place.
MiFID II and PSD2 do not sit well with GDPR, as they contain seemingly contradictory obligations. As GDPR carries the biggest penalties, data protection and security should be at the heart of any implementation policies.
If you are uncertain about the interrelationships between the regulations, seek specialist advice and talk to your regulator. The worst thing you can do is nothing.
Don’t just think about what you need to do with your data in terms of regulatory compliance, but instead what your data can do for you. When putting systems in place, think about how you can leverage data for the benefit of your business.
For MiFID II, this could mean drilling into the data to gain valuable insight into trading behaviours. A large portion of GDPR compliance will involve fine-tuning your databases and prioritising quality of data over quantity.
The broad scope of the upcoming regulations requires buy-in from all levels within affected firms. Ensure any new policies and systems are properly communicated to staff well ahead of implementation.
Senior stakeholder engagement will be fundamental to ensuring that all policies and procedures are designed with business considerations in mind, and will encourage the required cultural changes.
If you’re not certain of the impact these regulations will have on your business or how to implement them, consider seeking advice from independent specialists.
Third-party consultants can assist firms in assessing their readiness and help identify areas of risk and potential non-compliance.
They are also available to help firms ensure compliance once the regulations have been implemented.