MiFID II Considerations – Recording Communications and Algorithm Trading Testing Requirements– Are you Ready?

In July 2017, MIFID II will become part of UK law and anyone undertaking MiFID business in the EEA must be compliant by January 2018. MiFID II provides a legislative framework set out by the European commission to leverage disclosure and reporting as regulatory tools, and introduces robust compliance obligations for firms operating within the EU.

Recording Communications

Amidst a considerable increase in compliance obligations, MiFID II delegates that all firms undertaking MiFID business must capture, record and store all electronic communications that intend to lead to a transaction for a period of 5 years (RTS 22).  In addition, stringent guidelines have been introduced that require companies to record and document face-to-face business meetings.

By the time MiFID II goes live, another legislation, The General Data Protection Regulation (GDPR) will come into force in March 2018. The GDPR aims to ensure the protection of all EU citizens from privacy and data breaches in a world that is increasingly data-driven. In the UK’s context, GDPR will reinforce the 1998 Data Protection Act by introducing heavy penalties for organisations that fail to protect individual data. In lieu of implementing MiFID II recording policies, financial services companies will need to leverage technology that will record business calls in a viable way without breaching GDPR requirements.

Now this poses a problem for financial services companies that undertake MiFID II business. First, the requirements in MiFID II will require holding more data relating to transactions with customers and consequently increasing the likelihood for a leak or privacy breach. While MiFID rules require data to be held for at least 5 years, GDPR does not define a holding period and states that personal data should not be held longer than needed.

Although many financial services would prefer to curtail the data collected in line with GDPR requirements, this is not going to be an option with MiFID II.  Given the large variety of communication mediums, financial services firms will need to re-organise and take effective action to be MiFID II and GDPR compliant.

MiFID II Algorithm Trading Testing Requirements

MiFID II regulations on algorithm trading requires that all firms engaging in any form of algorithm trading develop effective and thoroughly tested risk controls for both buy side and sell side of their business in order to mitigate any disturbances that algorithm trading may cause in the markets. In addition, responsibility for testing algorithms are to be carried by senior management upon MiFID II going live. Firms that do not have these risk controls after January 2018 will face heavy fines or cease trading (RTS 6).

Furthermore, trading venues must implement risk controls that ensure that algorithm trading do not cause market disturbances and provide processes that will manage such disturbances if they arise. These risk controls will include systems that regulate order flows and minimum tick sizes.

In order to avoid heavy fines, Investment firms and trading venues are being required to design and implement sufficient testing methodologies to fully meet the new algorithm testing requirements. The regulations interpretation of an algorithm is very broad and covers most of electronic trading. Therefore, each investment firm and trading venue must identify and address this requirement according to the nature of their business.

In addition, MiFID II requires investment firms to test their algorithm against stressed market conditions so as to prevent market crashes. This implies that the algorithms need to be tested in a non-live environment under real market conditions.

Mindful of the escalation of compliance obligations in MiFID II, the additional obligation introduced for algorithm trading activities adds another layer of regulations for firms undertaking MiFID business

The escalation of the compliance obligations in MiFID II requires firms to take necessary measures that include:

• Reviewing the firms’ strategy scope in relation to the algorithmic trading requirements outlines in MiFID II
• Performing a gap analysis in order to assess the differences between MiFID II requirements and the firm’s current technology and business process in order to identify what needs to be done to comply with MiFID.
• Business Analysts and development teams will need to work together to ensure that algorithm systems are fit for purpose. In addition, the systems test coverage must cover the testing specifications and requirements in the regulation.
• Ensuring that the firm is aware of the trading venue requirements and also ensuring the venue has in place necessary mechanisms to handle any potential disturbance the firms’ algorithms may cause.
• Ensuring appropriate record keeping and monitoring functions are in place. These functions should also adhere to GDPR requirements.

References

• http://vinciworks.com/blog/8-principles-data-protection-act-gdpr-guide/
• http://smallbusiness.co.uk/when-gdpr-and-mifid-ii-collide-2535574/
• http://www.nortonrosefulbright.com/knowledge/publications/115236/mifid-ii-mifir-series
• http://www.acacomplianceeurope.com/news/compliance-alert/mifid-ii-considerations-algorithmic-and-high-frequency-trading-firms
• http://www.ftseglobalmarkets.com/news/seven-things-you-need-to-know-about-mifid-ii-and-gdpr.html
• http://westondigital.com/index.php/about-us/news/79-an-introduction-to-the-gdpr