MiFID II: What IT and Compliance Teams Need to Know

April 16, 2019 Security and Compliance, MOVEit

MiFID II signifies the continuing onslaught of financial market regulations that demand transaction transparency. Such regulations burden compliance and IT teams who have to ensure their companies meet increasingly stringent security standards.

The impact thus far has been huge. Before MiFID II went into effect in 2018, preparation cost firms an estimated $2.1 billion, according to a report by Expand and IHS Markit. That figure underscores the priority IT teams at financial industry firms are giving to MiFID II.

The Scope and Purpose of MiFID II

Issued by the European Union, MiFID II is an updated version of the Markets in Financial Instruments Directive, which went into effect in 2007. MiFID II broadens the scope of MiFID to include increased transparency at every stage of a transaction—from when orders are first placed until they are reconciled. Every trade must be closely monitored at every phase.

Because of the global nature of the financial industry, MiFID II impacts firms around the world that deal either directly or indirectly with Europe. The regulation pertains to investment, insurance and banking firms that deal with an EU investment firm or trading venue. Firms with investments or ownership of companies outside their domestic market are thus likely subject to the regulation.

MiFID II was issued to improve the functioning of financial markets and to restore confidence after weaknesses were exposed in various sectors of the European financial system. MiFID II imposes more reporting requirements and tests—particularly to verify financial institutions are reducing the use of dark pools and over-the-counter trading. The regulation also targets high-frequency trading.

How MiFID Impacts Data Management

One key area of MiFID II on which IT and compliance teams need to focus is automated trading. Algorithms must be registered, tested and have circuit breakers. Brokers also have to provide more detailed reporting on their trades, including price and volume information, and they need to store all communications—including phone conversations.

Another key area is data management. Here’s a quick rundown of what IT should zero in on:

  • Ensure data feeds support microsecond time-stamping.
  • Source pre- and post-trade data only from systematic internalizers, approved publication arrangements, and trading venues.
  • Set alerts to determine if systematic internalizer thresholds are breached.
  • Publish all asset classes.
  • Report transactions by the close of the following business day.
  • Document who distributes financial products.
  • List transaction fees and research charges separately.
  • Apply benchmarking to best-execution and transaction-cost analysis.

Financial firms must also be able to compile data from multiple systems and transform the data into a coherent format that clearly depicts the entire journey of each transaction at any step in its process.

Key IT Functions to Scrutinize

Given the data management requirements of MiFID II, IT teams will have to build and integrate new functions with their IT systems. This is particularly challenging in environments where technology solutions have been developed independently and have changed frequently on top of legacy infrastructures.

The foundation of any solution lies in the proper application of connectivity, integration and data management:

  • Connectivity—industry standards enable systems to exchange data with each other—both inside the firm and with trading partners. Order information should be linked to transaction data and followed as it moves through the buy/sell lifecycle. Connectivity with regulatory technology is also critical so regulators can monitor transactions and recall data from any part of the process.
  • Integration—data should be accessible through market tools and regulatory technology, and presented in the proper context for each user according to their role—whether they are someone within the firm, external clients or regulators.
  • Data Management—the data should also be formatted to mandated specifications, and systems must be able to receive data from multiple sources and then normalize the data into a common structure.

Meeting these MiFID II requirements will require multiple technologies. One of the key solutions is event log storage and analysis. All the key regulatory compliance mandates imposed by MiFID II as well as HIPAA, SOX, FISMA, PCI and II and others require the tracking of access to scoped systems—those containing regulated data. The leading event log management solutions will help you identify which log data to collect as well as how to manage log storage, retrieval and analysis.

Satisfying Clients Just as Critical

MiFID II certainly presents major challenges, but it also gives IT teams at financial firms the opportunity to take a fresh look and plan for new architectures, which can lead to a better technology foundation for the future. In that sense, the changes driven by MiFID II compliance can contribute to IT systems that operate more efficiently with less complexity and can move data faster—while also improving security postures.

And while it’s critical to protect data and execute financial transactions securely from a compliance perspective, it’s just as important from the perspective of your clients. Demonstrating compliance with MiFID II goes a long way in building trust with your clients that you are doing everything you can to protect their sensitive data.

Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.
