MIFID II vs GDPR — Heavyweights Face Off

© Mad Magazine

MIFID II struck the financial world like a hangover last month.

For observers of all things regulatory, a fresh contender, MIFID II, has been stealing column inches from GDPR since 3rd January this year.

Like GDPR, this regulatory ‘monster’ has been accused of threatening jobs and prosperity, but also lauded as a fresh wind of transparency and competition in the opaque world of asset management and financial markets.

As GDPR bears down on businesses and organisations with enforcement starting 25th May, what are the similarities between the two regulatory beasts, and what pointers can we take from the post MIFID fallout?

1. MIFID II is big, complex but nothing ‘new’: a revamped version of the Markets In Financial Instruments Directive, it’s designed to offer greater protection for investors, and inject more transparency into all asset classes. Like GDPR, it’s had a long gestation period (7 years), and is a weighty tome, with more than 1.4 million paragraphs of rules.

2. It wants to create a European Powerhouse: it is a cornerstone of continued EU efforts to build a single financial market for the bloc that could rival the depth and dynamism of US capital markets. With GDPR, the plan is to re-emancipate citizens in terms of their data’s value in the Tech Economy and break the monopoly of the US platforms.

3. It’s Big Bang, and Cross-Border: since 3rd January, if a fund manager wants to buy anything that has an underlying product listed in the EU — like an HSBC option listed in Hong Kong — it falls into MIFID’s scope, no matter where that fund manager is based.

4. Transparency & Audit are key: within MIFID is a regulatory desire to push more trading away from the traditional phone and onto electronic venues, which offer better audit trails. As with GDPR for personal data, institutions need to capture, manage and store data in a structured and robust way, to manage risk and withstand external scrutiny.

5. Busting ‘hidden costs’ of services: one of the most high-profile aspects of MIFID involves how asset managers pay for the research they use (reports, analyst calls) to make investment decisions. These have been ‘free’, but built into trading fees, usually paid by the fund manager’s clients.

This last parallel is most striking; much of the ‘free’ stuff on the internet is currently paid for through the monetisation of consumers’ personal data; if you’re getting something for nothing, then you literally have become the product. Both MIFID and GDPR seek to unbundle and shed light on such practices.

Of course, the big difference is that MIFID II landed the first punch, whereas there are still 100 days until GDPR strikes. So, what has been the impact on the financial world?

Well, the sky hasn’t fallen on anyone’s heads so far, though some institutions were better prepared than others. Several banks struggled to cope with teething problems brought about by the European Markets and Securities Authority’s (ESMA) delay in publishing necessary data.

Short term, investment banks have seen their ‘dark pools’ business — where they trade amongst themselves off exchange — rocket, but if they also offer investment advice, then they will have benefited in that area.

One implicit aim of MIFID was to create a new market of small, high quality providers of research. This has yet to be seen; in fact, short term it appears there has been a flight to a few tried and tested players in fear of contravening the ban on market research.

I believe it will take time for a genuine ecosystem of ‘PrivTech’ providers and intermediaries to develop post GDPR, as the means organisations use to comply and benefit from transparent and ethically-sourced data become more apparent and normalised, as already seen with information security.

With MIFID, we’re entering an interesting phase where market structure starts to adjust to meet the new rules. Already, there is talk of a MIFID III to iron out creases as they become evident in the real world.

GDPR is also getting ‘messier’ as businesses move beyond initial understanding of the legalities and seek to address and operationalise the implications for CRM, HR and marketing activities, their ‘engine rooms’ as organisations.

In both camps, however the trends (and Brexit) play out, 2018 is already looking to be a busy year…

Privacy Technologist & Entrepreneur, Blockchain CEO, Senior Tutor @theidm, lapsed Archaeologist, SE London, bass guitar in @Ton50Band
