MiFID II Q&A with Jacques Fourie

The Q&A

MiFID II compliance is something a lot of our financial services clients have to contend with, could you explain what it means?

MiFID II is a regulation imposed by the FCA, it comes under European standards. It’s around transactional capturing and reporting. So, what that means essentially is any organisation operating within scope of MiFID II needs to be compliant and recording transactional information. So, I’ll give you some examples. This could be dealers talking about a trade on the phone, using instant messaging, using small message services. Anything like that needs to be recorded and held in a compliant fashion and accessible for compliance requirements should they arise

So that is essentially what MiFID II is – in a nutshell, it’s call recording, which is how most people refer to it. How long we keep it, and the access that the compliance officer has to ensure that we are maintaining compliance as well is a big part of MiFID II.

Looking at our clients, would you suggest that the ones that don’t have to have MiFID II compliance look at some of those requirements to increase their security?

I think in any governance situation, the more historical logs and activity logs that you can capture that can help with H.R. forensics or anything like that is always useful. And also in terms of protection of data, the who and why and what happened is really good. So to give you an example for call recording, Kocho are not in scope for MiFID II, but we do call recording for our own compliance and quality measures

So there might not only be compliance reasons, but it also could be for a quality concern as well – that you might want to record calls. Then you have to control the access to ensure that the data you hold is being kept in the right way as well.

Could you give me a view on what that call recording piece looks like, and is it available through Microsoft Teams?

Not currently, no. Teams in its native form allows you to record calls, but that is optional. MiFID II implies that you have to record everything as compulsory. So what we use at Kocho for our customers who want to use Teams as a telephony solution – because it’s all encompassing from the from the instant messaging and calls – is we use various partners that provide an overlay to capture calls that are made on Teams – that’s external and internal calls – and then keep them encrypted and accessible in a MiFID II compliant database.

If we wanted to use a compliant MiFID II telephony solution – I know that Kocho use 8×8 for example – can I integrate that with Teams so that the users see one interface rather than multiple interfaces?

Yes you can, some partners allow that. And ultimately, what you want to do is match your security and compliance requirements with your desktop and user experience. You don’t want to that to start to impact your operations and how you run your business. So there’s a single pane of glass from an instant messaging and call and conferencing point of view, Teams is obviously perfect for that. So it’s about how do we bolt something on and allow those other partner systems to to capture all the data, all the transactional data that’s going on in Teams that might be around trades or sensitive information and then make sure it’s stored in a compliant way

So that’s basically what we do. Not all partners support it, but that’s become more and more of a trend these days, especially because there is that gap in the native Teams compliance area that other big telephony partners have filled.

Most organisations now are looking at Office 365, if they haven’t migrated to Office 365 already. Can we achieve MiFID II compliance within Office 365, excluding the telephony piece, which you’ve already covered…

Some of the other transactional requirements that have existed pre-MiFID II, for example a big one is email. Emails can also contain transactional information around trades and sensitive things that are in scope for MiFID II. A lot of clients have used smart hosts in the past – what I mean by that is global relay or Mimecast – to provide the email compliance, for four to seven years plus depending on your organisation, if you’re under the PRA or FCA. What we’re seeing is some clients have moved into trying to consolidate their tools in the Microsoft stack and Microsoft do provide out of the box compliance in M365

We were actually having a discussion about it this morning with another client. The out of the box compliance solutions are in form of things called litigation hold and legal hold, where that means we’re allowed to take an email that might have been exchanged between me and you George and then put a hold on it so that it cannot be deleted. Yes, you can delete it out of your Outlook, or you can delete it out of your your Teams session, but essentially, we’ve got a record of that, a compliant record that’s administratively controlled in the background.

So if we had to go back to that for a compliance reason, we’ve got that data stored there for as long as we’ve agreed on and set the policy. So there are a lot of compliance mechanisms within Office 365 that you can use to maintain all that transactional reporting.

What would your advice be to achieve compliance in terms of data backup? Should backups be made within the Microsoft environment or externally?

What we tend to suggest is not an eggs in one basket approach. So the same classic data centre architecture approach still exists with M365. So you’ve got all your email in the 365 platform, all your Teams data, all your Onedrive data. You can obviously use mechanisms within those platforms to keep data for a certain amount of time. But ultimately what we want to do is have a copy of that outside of the Microsoft stack that’s readily available

You need to look at things like encrypting it in flight to wherever it’s going and encrypting it at rest. So Kocho use our own backup for those products in our own data centres. So that means you have a copy of that data for an unlimited retention period that’s encrypted and stored off-site outside of Microsoft. So if, for whatever reason, you couldn’t get that data in Microsoft, it’s available externally. I still wouldn’t shy away from the immediate backup solutions in Microsoft, because obviously, if you want just to do standard restores the fast backup 30 days, 60 days is good to have in the same location as your production data.

But in terms of long term stuff, you want to be taking that off-site and keeping securely off-site so that if anything should go wrong you can get to that data and you’ve got a little bit more control over it that way as well.

Is it possible to go too far and put too many security controls in place, costing more than necessary?

Yeah, I think what I’ve seen is that complex systems go in place to achieve the compliance and then that starts to impact your operations. You’ve got lots of vendors involved. You might have one vendor doing the the calling parts and another vendor doing the recording part. And then they’re hosted in two different places. When that breaks down, when there’s problems there, it opens up the opportunity for you to have gaps in your compliance, which you don’t want. So you want to keep things lean and simple, and I think you need to look at be careful what technology partners or set up you’re looking at to achieve it, because there’s loads of different ways to achieve it.

I also think that technology is not the only answer. You need to have an HR policy and a corporate governance policy that is MiFID II to compliant as well. So the way you are dictating to your employees how they interact with your systems, the fact that they must use corporate systems to exchange information that’s in scope, and transactional data is very important as well. There’s no use having all this fancy phone system, call recording, transcripts and everything, if traders are picking up their personal mobiles and calling each other and discussing sensitive information.

So I think there’s a mix of policy and technology and you’ve got to get the balance right between the two and also staff awareness as well is a big thing. So not only the is compliance officer aware of MiFID II and what it is, and how the technology you’ve put in place meets that requirement, but the staff who are in scope of that need to understand that too, so that they are maintaining compliance. The last thing you want to do is go back to that day and time that you need that compliance information and for some reason that wasn’t used or was stopped, or there was some complicated problem because you had all these vendors involved and then you don’t have those records. And then obviously you’re going to be in hot water from a governance and regulation point of view.