How to Navigate Competing Regulations: Unintended Consequences of GDPR
“GDPR and MiFID II can create a tension between retention and protection requirements around communications with clients and customers,” said Jagdev Kenth, a UK-based compliance executive. “To adequately address this, firms need to understand the data they have. Unfortunately, firms often don’t know what client data they have captured and hold across different systems, different servers, and in different locations.”
by Devin Redmond, CEO, Theta Lake
A Nightmare for XYZ Bank
To put this tension into perspective, let’s imagine that John Doe is an active account manager at XYZ Bank who uses email, social media, video conferencing, and his phone to advise his clients and, in some scenarios, take orders. Across different regulatory requirements, including FFIEC, FCA, MiFID II, and FINRA that are designed to protect consumers from malfeasance, John’s communications are required to be reviewed and archived.
As it happens, John is under investigation by the FCA for alleged malfeasance activities. XYZ has been instructed to produce and continue to save all communications involving John while their investigation proceeds. Meanwhile, Sally, who read up on the new GDPR regulations designed to protect her privacy and personal data, emails XYZ Bank asking to be erased from all communications and account information. Unfortunately for XYZ Bank, John was Sally’s account manager.
Now the bank is in a tough situation: two separate regulations, pulling them in two different directions: the FCA and MiFID II require them to keep John’s records, and GDPR requires them to erase Sally’s communications. What can they do?
Questions like these are driving a new conversation in regulatory compliance: how do organizations navigate competing and potentially contradictory regulatory requirements? This conversation also highlights two key considerations: how are organizations managing data and how are organizations tracking who is involved in each communication?
How organizations navigate these requirements is increasingly relevant, according to the Corlytics Barometer Conduct: 2018 report, 40% of misconduct penalties are a result of disclosures and communication errors. The report found that, on average, at least one person has been caught for misconduct each week since 2012.
Responsible Data Management
A clear component of Responsible Data Management is data security. Organizations need to safeguard client information, and actively work to prevent breaches, leaks, and other security issues. Further, they need to establish measures in the event of a breach — rapid response teams, client alerts, and credit monitoring apps are simple reactive levers to maintain data security.
But Responsible Data Management is more than just security. Kenth also points out, “This is also a reason why firms need to break down internal silos and encourage better and effective communication between legal, compliance, risk, DP officers, privacy teams, and HR.” This is especially true with new regulations such as GDPR’s right to be forgotten, it’s important for organizations to coordinate around the data they have to demonstrate their ability to destroy specific data when it is no longer relevant. While electronic communication and record keeping regulations outline a period of time where communication data must be kept, in the current environment organizations often keep that data in perpetuity. Instead, they should start by knowing what data they have. For example, data that doesn’t pose a regulatory risk, has been retained for the appropriate time, and focuses on advertising, advice, promotions, and fair disclosures and disclaimers should likely be removed and erased. Doing so helps to avoid unnecessary retention of any sensitive personal data and prevents that data being exploited in a breach event.
To do this, firms need to develop mechanisms to systematically erase expired data in an effort to preserve client anonymity.
This requires effective tracking and identification of who is involved in each communication. While perhaps simpler for legacy communications like email, this can be a complicated process for video or phone conversations. Luckily, technology is emerging that solves the problem.
Identifying Compliance Risk in Communications through Technology
Video and phone communications pose a significant challenge to organizations: how to accurately identify the participants, subject, and risk potential? Manually identifying this information is untenable from both a cost and time perspective, but luckily new technology is bridging the gap between spoken communication and written communication.
“Although tech has created new compliance challenges for compliance teams with things like video calls or social video, tech can also help resolve new compliance risks and challenges,” said Kenth. “The wrong approach is trying to deal with this manually. Firms need to be willing to invest in new compliance tech to support their risk and compliance teams in the same way they have been willing to invest in tech to support clients and their business. Ultimately the goal of both areas of technology investment is to help the firm and its customers — ensuring regulatory compliance and maintaining positive customer relations.”
There are new tools and technology using AI and machine learning that are capable of parsing these recorded conversations and tracking the relevant information without the need for manual input. This allows for incredible accuracy and speed, enabling organizations to increase compliance and reduce regulatory risk. It also can lead to a clever solution to XYZ Bank’s problem.
XYZ Bank has identified a solution to its issue. Regulators require them to keep John’s potentially fraudulent communications, but they don’t need to have Sally’s specific PII from those communications. Sally invokes her right to be forgotten, but that right doesn’t extend to erasing both sides of the communication, only her identity and PII.
Thus, XYZ Bank is armed with technology that allows it to use deep learning technology to track, attribute, and identify which parts of John and Sally’s communications originated from which person, with AI-powered workflow to simply redact Sally’s information. Technology allows for increasingly clever solutions like these — and will enable organizations to navigate the complex regulatory landscape.