Legislating against threats
eolas looks at some of the key European legislation introduced to aid the management of increased cyber security threats.
One of the EU’s most ambitious and contentious sets of financial reforms takes effect from January 2018. The second instalment of the Markets in Financial Instruments Directive (MiFID 2) has been framed as the widest-reaching change to financial market regulation the industry has seen, and will affect almost all firms dealing in or processing financial instruments across Europe, with the aim of promoting transparency, competitiveness and financial stability.
The basis of the reforms lies in preventing a repeat of the market turmoil that followed the financial collapse. They tighten the organisational requirements for investment firms and trading venues, while introducing extensive changes to transaction reporting and transparency requirements. While many of the new rules focus on banks, asset managers will now encounter regulation too, many of them for the first time.
The revised MiFID framework, adopted by the EU in 2014, consists of a directive, MiFID 2, and an accompanying regulation, MiFIR.
The aims of MiFID 2 are summarised as:
- ensuring that organised trading takes place on regulated platforms;
- introducing rules on algorithmic and high frequency trading;
- improving the transparency and oversight of financial markets – including derivatives markets – and addressing some shortcomings in commodity derivatives markets; and
- enhancing investor protection and improving conduct of business rules as well as conditions for competition in the trading and clearing of financial instruments.
MiFIR, meanwhile, introduces requirements on the organisation and conduct of actors in these markets and sets out requirements on:
- disclosure of data on trading activity to the public;
- disclosure of transaction data to regulators and supervisors;
- mandatory trading of derivatives on organised venues;
- removal of barriers between trading venues and providers of clearing services to ensure more competition; and
- specific supervisory actions regarding financial instruments and positions in derivatives.
Among the main contentions of those gearing up for the January introduction is cost, with the increased cost of compliance across the industry estimated at up to €730 million in the UK and €2.5 billion across Europe.
The legislation also requires more stringent record-keeping, ensuring that all telephone conversations and electronic communications between buyers, sellers and investment intermediaries are captured and stored for a minimum of five years. For many companies, of all sizes, this will require significant investment in technology and increased security measures to protect the retained recordings.
Another issue, especially for asset managers, is the major change to how research, which is often the basis for investment decisions, is paid for. Under the new rules, industry players are expected to budget separately for research and trading costs. This unbundling will leave a major hole in research funding for some operators, who will have to either absorb the costs or pass them on to their investors. It has also been suggested that the move could drive up research costs, hurting the smaller players.
The banning of commission payments (the practice of asset managers paying commissions to financial advisors in return for product recommendations) will be a major change for others within Europe, but this element of the regulation is seen as having been copied from rules introduced by the UK financial regulator back in 2013.
A further issue arises from a requirement intended to create greater liquidity: bond markets, fund houses, investment banks and brokers will be required to disclose bond trading prices in advance, which could spark a retreat by investment banks if they see less potential to generate money.
GDPR
The EU Data Protection Directive of 1995, which the General Data Protection Regulation (GDPR) replaces, has long been outdated by the growth and evolution of the digital era. In an increasingly data-driven world, the need for refreshed regulation to protect EU citizens from privacy and data breaches was met in April 2016 with approval by the EU Parliament. The regulation applies from 25 May 2018, by which date organisations must comply. Some of the key changes in the evolution of GDPR include:
- Increased Territorial Scope: Probably the biggest change is that the regulation now applies to all companies processing the personal data of EU citizens, regardless of the company’s location. Organisations not established in the EU that process such data will also be caught, and will be required to appoint a representative within the EU.
- Penalties: Organisations can now be fined up to 4 per cent of annual global turnover or €20 million (whichever is greater). GDPR sets up a tiered approach to fines, and liability extends to both controllers and processors, meaning cloud providers are within the scope of enforcement.
- Consent: The conditions for consent have been strengthened. Consent must now be requested in “an intelligible and easily accessible form”, preventing the use of long, illegible terms and conditions full of legalese. Consent must be distinguishable from all other matters and must be as easy to withdraw as it is to give.
Data
Notification of major breaches becomes mandatory and must be made to the supervisory authority within 72 hours of the organisation becoming aware of the breach. Processors will be required to inform the controllers they act for without undue delay after first becoming aware of a breach. In a shift towards transparency, data subjects are empowered through an expansion of their rights, including the right to obtain confirmation from controllers of whether or not their personal data is being processed. The controller will now have to provide a free, electronic copy of that personal data on request.
GDPR also strengthens the much-awaited right to be forgotten. A data subject can request that a controller erase their personal data and cease passing it on to other parties; the controller is then required to weigh the subject’s rights against “the public interest in the availability of the data”.