Under the second Markets in Financial Instruments Directive (MiFID II), which took effect at the beginning of the year, banks and other heavily regulated firms must record and archive all communication with clients, whether by phone, email, social media, unified communications, encrypted messaging or any other medium, for at least five years (and up to seven where a national regulator requests it). Then on May 25 the General Data Protection Regulation (GDPR) becomes enforceable, which among many other things gives individuals the right to demand erasure of their personal data, including email address, phone number, national identification number and other primary identifiers. By this summer, the long-awaited makeover of the EU’s regulatory landscape will be in full effect.
Well, it is going to be tough to erase every shred of evidence of a customer’s existence if every single correspondence must be kept for several years. So how do companies reconcile what appears to be an inherent contradiction between the two regimes? Fortunately, there are processes and technology, not to mention other parts of GDPR, that make this straightforward: the right to erasure does not apply where the data must be kept to comply with a legal obligation, which is exactly what MiFID II record-keeping is. It all starts at the beginning of the client relationship. GDPR also mandates that companies make crystal clear how they are going to use personal data, on what legal basis and for how long, and where processing rests on consent, that consent must be explicit and unambiguous.
GDPR: “P” Is for “Protection”
It is here that financial institutions must educate their clients about MiFID II. Any would-be day trader or individual seeking a steward for their financial assets must acknowledge up front, by ticking a box or similar means, that they understand the firms they are dealing with are legally bound to record and store conversations. Note that this acknowledgement is a transparency measure rather than consent in the GDPR sense: the recording rests on a legal obligation, so a client cannot later withdraw “consent” to it, but they must still be told about it clearly. It helps both parties’ causes that banks, traders and wealth managers will treat these communications as sacrosanct. Nothing will be used for commercial purposes, at least not without obtaining a separate explicit go-ahead to do so. After all, the “P” in GDPR stands for “protection”, and one of the legislation’s underlying motivations is to put a halt to the practice of selling your information to advertisers and bombarding users with marketing messages against their will, things financial services outfits aren’t out to do.
“P” Is Also for “People” and “Processes”
Of course, obtaining the client’s green light at the outset is only the first step in resolving the dissonance between GDPR and MiFID II. As any financial services client-services rep knows, business and small talk mix freely in customer service. A voicemail may begin with well wishes for a client’s family member undergoing treatment for an illness, then switch to the business of confirming a trade. An email could be about a child’s travails in school before veering into details about asset reallocation. In even more complicated instances, a transaction may have a direct connection to a personal event, such as a recently deceased loved one.
Banks must have a process for deleting personal information that has nothing to do with a trade or other account business. Analytics tools should be in place to detect keywords, phrases and sentiment that mark an exchange as purely personal, but that will only automate the weeding-out so far. If your firm exchanges a million messages a day, even a classifier that is 90 percent accurate leaves roughly 100,000 messages a day that need a judgment call. For those, a review panel of other traders, HR and independent staff will have to decide whether a communication is business-related or not. Customer service reps can shrink that pile by tagging casual conversation themselves, for example by putting “personal” in the subject line of an email or at the start of a Facebook post, and by keeping personal chit-chat in a separate message from trade confirmations wherever they can.
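The triage process above (automated keyword scoring, a rep-applied “personal” tag, and a human review queue for anything the machine cannot call) can be sketched in code. The following is an added example written for this page, not software from any bank or vendor: the term lists are a constructed toy lexicon standing in for a real sentiment model, the `Personal:` subject-line convention is a hypothetical one, and the sample messages are made up. It works segment by segment so that a mixed message, such as the voicemail that opens with family news and ends with a trade confirmation, keeps its business part in the MiFID II archive while the personal part is dropped.

```python
"""Triage client messages: retain, delete, redact, or send to human review."""
import re
from dataclasses import dataclass

# Constructed illustrative term lists. A production deployment would use the
# firm's own lexicon, a sentiment model or a supervised classifier instead.
BUSINESS_TERMS = ("trade", "order", "shares", "portfolio", "reallocation",
                  "position", "settlement", "account", "confirm", "execution")
PERSONAL_TERMS = ("family", "hospital", "treatment", "school", "holiday",
                  "wedding", "funeral", "passed away", "surgery", "get well")

# Hypothetical convention: reps mark casual traffic with "Personal:" (or
# "[personal] -") at the start of the subject line or first line of a post.
PERSONAL_TAG = re.compile(r"^\s*\[?personal\]?\s*[:\-]", re.IGNORECASE)


@dataclass
class Segment:
    text: str
    label: str    # "business", "personal" or "unknown"
    score: float  # +1.0 = purely business, -1.0 = purely personal


@dataclass
class Decision:
    action: str         # "retain", "delete", "redact" or "review"
    kept: list          # segments that survive in the MiFID II archive
    review_reason: str = ""


def _count(terms, text):
    """Number of lexicon terms present as whole words/phrases in text."""
    return sum(1 for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text))


def score_segment(text, threshold=0.5):
    """Label one paragraph by the balance of business vs personal terms."""
    low = text.lower()
    b, p = _count(BUSINESS_TERMS, low), _count(PERSONAL_TERMS, low)
    if b + p == 0:
        return Segment(text, "unknown", 0.0)   # no signal at all
    score = (b - p) / (b + p)                  # normalised to [-1, 1]
    if score >= threshold:
        label = "business"
    elif score <= -threshold:
        label = "personal"
    else:
        label = "unknown"   # business and personal in one breath: a judgment call
    return Segment(text, label, score)


def triage(subject, body, threshold=0.5):
    """Decide what the archive keeps. Anything uncertain goes to the review panel."""
    tagged_personal = bool(PERSONAL_TAG.match(subject or ""))
    segments = [score_segment(s, threshold)
                for s in re.split(r"\n\s*\n", body.strip()) if s.strip()]
    if tagged_personal:
        # The rep's tag is their judgment call: trust it for anything that
        # does not clearly look like account business.
        for s in segments:
            if s.label != "business":
                s.label = "personal"
    labels = {s.label for s in segments}
    if "unknown" in labels:
        return Decision("review", [], "segment with no or mixed signal")
    if labels == {"business"}:
        return Decision("retain", segments)
    if labels == {"personal"}:
        return Decision("delete", [])
    # Mixed message: archive the business segments and replace the personal
    # ones with a marker, so the record shows that something was removed.
    kept = [s if s.label == "business"
            else Segment("[redacted: personal]", "personal", s.score)
            for s in segments]
    return Decision("redact", kept)


if __name__ == "__main__":
    # Constructed sample: the voicemail-style message from the text above.
    voicemail = ("Hi Mr Smith, hope your mother's treatment at the hospital "
                 "is going well.\n\nAlso confirming your order to buy 500 "
                 "shares of ACME for settlement on Friday.")
    print(triage("Re: Friday", voicemail))
```

Two edge cases are deliberately routed to `review` rather than guessed at: a paragraph with no lexicon hits at all, and a single sentence that ties a transaction to a personal event (“confirm the reallocation ahead of the school holiday”), which no keyword threshold can split cleanly and which the text says must go to the review panel.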
Of course, it helps to have the best search, archiving and analytics tools, so that you are not spending time sifting through false positives and can reconstruct a cross-channel conversation in its context. MiFID II and GDPR seem at odds in some respects, but with the right interpretation, technology and processes, meeting the intent of both sets of rules shouldn’t cause too much stress.