MIFID II and GDPR are no longer discussed in the framework of “what’s next?” Both pieces of regulation have now come into force. Wealth industry players are drawing first conclusions on how this is affecting their businesses.
- With MIFID II implemented and GDPR having most recently come into force, and given the challenges associated with these pieces of regulation, participants expressed the view that the wealth management industry now has more regulatory responsibilities than ever.
- It is clear that the latest regulations present many challenges to firms, at both the local and international levels, and these challenges adversely affect competition.
Key issues and challenges:
- The discussion started with setting the scene. In general, there has been significant regulatory turbulence. With MIFID II, there are still ongoing bugbears, particularly around reporting, and there are other elements on the radar.
- Brexit is fast approaching, and the worry is around pass-porting post-Brexit. Brexit has implications for outsourcing and back-office management, particularly for operators of UCITS. Firms are thinking of setting up in the EU in order to have boots on the ground, in the so-called “letterbox authorities”.
- There is the SM&CR extension to asset management, rolled out on a proportionate basis. Approximately 130 firms will be subject to an enhanced regime; other firms will be part of the core regime. It requires involvement from HR and a review of internal policies, tying in discrepancies etc. FCA activity in the robo-advice area is another thing to monitor.
- Firms should also keep in mind the revised prudential framework and its implications for capital requirements.
- Additionally, GDPR has come into force recently. As one of the participants put it, “The point of GDPR is that it doesn’t stop.” The challenges are linked to overseeing data management properly; it is an ongoing process.
- Meanwhile, MIFID II is also ongoing, and the industry is now perceived to have more regulatory responsibilities. There is still ongoing education with employees, which has been a culture change, and monitoring is being put in place. Access controls to information are being introduced, which can be frustrating for staff.
- GDPR has a global reach. Specifically, firms have started getting requests from American firms on the implications of GDPR. Also, there are requests from firms in Asia and other overseas territories keen to know how to process data for their EU clients.
- Another outcome, though maybe unintended by the regulator, is that some American firms no longer wish to service EU clients. This creates an issue for competition in the wealth management space. Moreover, GDPR is incompatible with some other jurisdictions. An example of this is Hong Kong, where rules say you have to process data for particular reasons. The other difficulty is around national security and reporting to law enforcement authorities in another jurisdiction.
- Another of the unintended consequences brought by GDPR is disputes from unions on data requested on members. A data subject’s right to know what is held on them is now weaponised and used in litigation tactics, for example.
- While GDPR is supposed to protect the rights of the individual to access their own information, the right of the firm to do business as usual, in contrast, seems to be under threat. Specifically, potentially damaging information is disclosed as a result of requests under GDPR. Participants felt there was a lack of guidance on the enforcement regime.
- Data breaches were also on delegates’ minds. These are regarded as security breaches, and once one happens, the firm has to comply with layers of reporting to the FCA. However, in the event of an international breach, it is not clear which data breach regime is applied, who to report to first, and who is strictest.
- Another scenario discussed was about consent for marketing purposes. While it currently applies to consumers and individuals, the participants were worried this might apply to business contacts. The requirement for clear consent has an impact on firms’ privacy statements that might need to be reworked. However, the consensus is that for now, firms can rely on the notion of legitimate interest.
- Next, the issue of how to treat a prospect’s data before on-boarding was raised. The regulations specify a notification protocol to be followed when the firm gets data about a person from a third party. For the participants, it wasn’t clear how this was going to work in real life. Firms say that it’s complicated and presents a credibility issue. The solution is to try your best to comply.
- Some participants framed a potential issue as being less about the regulator targeting the firm and more about an individual complaining about data usage and GDPR compliance.
- Another related issue raised during the discussion concerned situations that drift beyond strict data processing. When someone has already processed information for one regulator, other people in the organisation think they can do what they like with it.
- Connected to the treatment of prospects is the matter of background checks. When an AML check is performed, a person is not told about it during the process, only after. The common view was that the regulator understands AML checks are legitimate business interests. Yet another question was raised as to what constitutes an adequate form of notice. The understanding in the room was that it must be provided in very clear terms. Firms must use clear language to specify what they will do with an individual’s information, and not expect them to find out about it on their website.
- Participants noted that there has ultimately been a fundamental change in the business model: distinguishing between EXCO and advice. The regulatory pressure on the suitability assessment front means that lines have to be clearly defined. “Front line staff report that clients say that the firm previously provided the car, but now only the components.” From the cost perspective the change is welcome.
- Technology now allows a firm to book trades, so the advisors can focus on the more profitable parts of the proposition. Yet suitability assessment, especially in the robo-advice space, is a difficult challenge and has already proven to restrict firms’ ability to offer advice. For many, it poses a question as to whether they should cease offering advice. Clients are looking for advice, so the demand is there, but the regulations are affecting the supply.
- Participants expressed concerns that the FCA will go after the big firms first when enforcing the new regulatory regime, and there will be no time left for small and medium-sized operators. This creates an incentive for them to cut corners; the regulator thereby creates a lack of competition. This is where online platforms come in. “There is an entrepreneurial squeeze happening on some really good investment opportunities that wouldn’t make its way to the person who could be interested in it”.
Conclusions and solutions:
- The participants expressed concerns that the guidelines offered by the most recent regulations do not provide enough clarity, and that the industry is not sure how the regulations will be enforced.
- The current regulations create confusion and firms believe they are conflicted. This was particularly evident when discussing the GDPR as it applies internationally.
- Additionally, the regulations are seen as restricting the ability of wealth management companies to offer the products and services that their clients are looking for, particularly when it comes to advice.
Expert: Andy Peterkin, Ian De Freitas, Farrer & CO