How Can You Be Compliant with Article 16?
Once MiFID II comes into effect, firms will be legally required to capture and store electronic communications in the pre-, during and post-trading phases of their business' transactions.
Because each firm is different, each is likely to use a different combination of electronic communications. Therefore, in order to understand what you will be required to record, the first stage is to review all electronic communications that your firm uses and understand what recording processes you already have in place for each. This stage is particularly important in identifying any gaps within your current infrastructure that you need to address immediately.
The next stage would be to understand that all captured records of communication must be "complete, quality and accurate" if they are to be compliant with the Directive.
We've defined these terms below in more detail to help you understand what a regulator will be expecting when reviewing your recorded communications:
- Complete - The organisation will understand and know all types of electronic communications that are used and by whom. Additionally, they will have a system and processes in place to capture and retain the records of those communications.
- Quality - The organisation will be able to reproduce records of electronic communications in their "original form".
- Accurate - Organisations will be fully confident in the recorded electronic communications' content and metadata that shows the exact times and dates that anything took place.
The best way to capture and store electronic communications that are "complete, quality and accurate" is to implement a fully automated and certified archiving solution for your firm.
Why a Backup isn't Legally Admissible
"But aren't we already archiving with backups?"
If your firm is backing up your electronic communications such as your website, you may assume that this is both legally admissible and compliant with MiFID II, Article 16. The definitions of a "backup" and an "archive" are often confused, and where the law is concerned, this is a disconcerting issue.
"What makes evidence inadmissible in court?"
Whilst anything can be considered as evidence, when it comes to MiFID II, other legislation and regulatory bodies, the rules are stricter for regulated firms and organisations.
- Backups - Backups are used for operational recovery. So, if you've deleted, overwritten or corrupted a database, you can easily recover it and protect the integrity of your data.
- Archives - An archive is a stored version of data that is unchanging and that cannot be changed.
And this is where the difference lies. A backup can be manipulated in a number of ways to change what has been recorded, which is why a backup is not legally admissible in court: it could be argued that it is refutable. Furthermore, this also means that, according to MiFID II, Article 16, a backup would be non-compliant because the information would not be seen as being "accurate" or "quality" data.
On the other hand, using an archive that is ISO accredited and uses "write once, read many" (WORM) and timestamping functionality will ensure that the recorded information is fully compliant with the Directive.
Therefore, if you're only backing up your electronic communications, then you need to identify the right archiving solution for your firm and work to implement it quickly.
Why You Can't Rely on Third Parties
As electronic communications include things like websites and social media, it is likely that you will be using a third party provider or platform for these services. For example, your website may be hosted on WordPress and your social media accounts would be hosted on the relevant social media platforms (Twitter, Facebook, LinkedIn etc.).
However, the FCA's guidance on social media and customer communications (FG15/4) explicitly states that:
"Firms should not rely on digital media channels to maintain records, as they will not have control over this: social media in particular may refresh content from time to time, with the consequent deletion of older material."
Therefore, firms need to be responsible for keeping an adequate record of any significant communications for the purpose of dealing with claims or complaints effectively. So, if you've been under the impression that you would be able to request records of your electronic communications from third parties, you'll need to rethink your approach. You'll want to ensure that the archiving provider you choose will be able to handle archiving the communications that are held on third party sites and platforms, whilst making certain that the archived records are fully compliant and admissible.
What to Do Next: A Checklist for Article 16
With MiFID II only days away, the majority of firms will have already made assessments of their organisation and policies and have identified which areas are required to comply with the new recording rules. However, the FCA has recognised that, due to the scale of what is required for MiFID II compliance, they will act "proportionately" for those firms who are not ready in time. Therefore, the regulator will look more favourably on firms which have been making an effort to comply by the deadline than on those which have not made any real attempt or where obligations have been ignored.
With this in mind, even if you've already started your review process, we've formulated a checklist to break down what needs to be assessed and what needs to be put into place in order to achieve compliance by January 2018:
- Ensure you have an assigned compliance officer/manager who conducts the annual recordkeeping review
- Look at your organisation's current processes of recording information and report on:
▪ What electronic communications your organisation uses that result in, or could result in, a trade
▪ Whether you are only backing up your electronic communications
▪ What electronic communications you currently record
▪ What electronic communications you need to start recording
▪ Whether your records are legally admissible and compliant
- Lengthen the retention period according to new MiFID II rules and local regulatory requirements (up to seven years)
- Look into an outsourced archiving solution and think about:
▪ How and where data will be stored
▪ If the archives are unchangeable or on WORM (write once, read many)
▪ Whether it requires on-premise infrastructure/training
▪ Whether you are able to manage your archives in any way
▪ Whether you can request archives on demand easily as and when you need them
▪ Whether there are safeguards in place in case of system failure
▪ What investment is required for the solution
- Create written implementation policies for your organisation's electronic communications use, retention and surveillance
- Regularly review and ensure policies have been implemented, are effective and adhered to
- Start archiving your electronic communications according to your newly implemented policies in compliance with MiFID II, Article 16
- Aim to be fully compliant with Article 16 in an ongoing process with your archiving solution
So to conclude, in order to demonstrate best practice for MiFID II, Article 16, your firm requires a full archiving solution to start recording your electronic communications effectively and compliantly.
Even if your firm is not fully compliant by January 2018, by using the checklist above you can at least ensure that you are taking the right steps in an attempt to comply as fully as possible by the deadline.
For more information on archiving for MiFID II, Article 16, request a personalised demo archive of your business' website today and see how MirrorWeb can help with your organisation's compliance.