01 Jun 2007, Ellen Davis, Operational Risk & Regulation
The volumes of data that firms are going to have to handle in complying with Mifid are substantial. How should firms deal with this data volume, and what are some of the biggest risks that firms should be conscious of and looking out for?
Richard Gissing (founder and chief technology officer, Gissing Software):
It's certainly going to be the case that the volumes and sources of data will increase significantly. One of the major impacts of this is going to be whether people's market data platforms can actually cope with this increased volume of data because, obviously, Mifid isn't the only thing that's creating higher data volumes. There are a lot more instruments being quoted.
One of the key things that I think people have to plan for is making sure that either their market data platforms can cope with this data and deliver it to whatever people and whatever systems need it in a timely fashion, or they need to think about implementing some sort of system that can pre-filter the data and only make the data available to the downstream systems they actually require. That's certainly one aspect that needs looking at. The other alternative, of course, is to take the data from a pre-consolidated source that provides that filtering functionality for you – one of the data vendors, for example.
Trevor Barritt (head of compliance, Actimize Europe):
I certainly agree with all of that. One or two examples – I spoke in the best-execution area of the need to capture the market and the need to consider other locations outside your policy if there is a danger that they will, for a significant proportion of the trades, actually be providing best execution even if they're not within the policy. If we take both of those factors – in terms of market capture, you will need to capture all of the order books, or all of the quotation screens, or whatever it may be for each particular location at the time the transaction is entered into, and to keep every single one of them for five years in case a client comes back to you and asks you to prove best execution. That's an enormous increase in the amount of data the firm would be expected to keep.
The second area, of course, is that you would probably need to have other feeds coming in even if you don't trade in those markets, in order to ascertain whether or not another execution location would give you best execution. Again, that has to be kept as well. Certainly, organisation is going to be a key factor here – making sure the information is accessible, having a proper search function available so that when a client turns up and asks you about a bargain you [struck] three years ago, you actually don't spend the next six weeks trawling through millions of data items to try and find the information you need to support it.
Thank you. Trevor, in your presentation you mentioned the discoverability of policies and related documents. Are there specific areas that are more vulnerable to litigation than others?
I'm not sure that anything I spoke about is going to be a particular red flag, not in comparison with some of the things I've seen over the years where people have sent rather silly emails or said silly things over a recorded line. I think it's at [least medium risk] by which I mean – for example, the best execution policy – you need to be quite careful in your drafting of the best execution policy. If you go into more general terms like "we will execute in any location where there is sufficient liquidity" or something of that nature, you need to be careful you actually say what you mean because, of course, the literal interpretation of that is every single market, every single systematic internaliser and whatever else there may be out there as well must be in your policy, and you must consider them. You need to be quite clear in terms of drafting your policy, such that you don't get challenged at a later date and accused that what you actually do is not consistent with what your policy says you're going to do.
Looking at the issue of standards and transaction reporting, regulators in the industry seem to be debating about what this should be. What do you think the outcome of these discussions will be, and how do you think those discussions are progressing?
Unfortunately, the answer is we still don't know. This is an area that has exercised the various parties in the Mifid joint working group over several months – trying to get some sort of clarity from the Committee of European Securities Regulators (CESR), from the EU, about what these standards are. There are a number of issues. There's the fact that certain regulators are asking for different data, so on top of the basic set of data that's required by Mifid, the regulators are still allowed to specify additional things. Some are asking for two or three extra fields, some are asking for 20 or 30 extra fields. If you're trying to create a system for your investment firm that has to support different regulators, for example, then there's an issue there. There's also the issue of how you deal with the fact that if you're reporting through one regulator to another and the regulator you're sending the data to is expecting only 30 fields, but the one that it ends up with needs 50.
Finally, there's the issue of what the actual content of some of these fields needs to be – standardising in terms of simple things like decimal separators, how you label something as a buy or a sell, formats of dates and times and that sort of thing. We should really have these things pinned down by now. We need to be creating these systems and testing them fairly soon. It's very frustrating for the banks and technology providers such as us to still not know what the detail of this type of thing actually is at this late stage in the game. Hopefully, they will be agreeing on open standards. The main thing is not so much what standards are used, but the fact that they agree something as soon as possible so that we have a hope of actually implementing something in time for November.
Industry associations have been very involved with Mifid implementation. What have they done well and what areas are there for improvement?
I think it's fair to say that some firms are a lot more advanced than others. By now, one would expect to see, particularly in a larger firm, several different working parties working on different aspects of Mifid, where there would be representation on those working parties from various different people representing different areas of banks. I was talking to a friend last night who was a compliance consultant, and he was talking about a particularly large firm where he found that the people on the Mifid working group are still involved in their day jobs. That is not really something that is going to lead to proper Mifid implementation.
This project is far too big. You need to properly second a large number of people to represent the various different departments of the bank, but take them away from their day jobs – give that responsibility to someone else in the interim – so that these people can concentrate full-time on the wider issues of Mifid implementation, bringing their particular knowledge and skills to the table. I think one of the things that firms are doing badly is implementing Mifid in too pragmatic a way and also not allowing people the freedom of time to actually devote themselves to Mifid rather than [to] their day jobs.
Why do you think Mifid has got this second-class status?
I think for a number of reasons. First of all, and I have to say that I was guilty of this when I first looked at Mifid two or three years ago. If you don't look at Mifid in detail – if you just scan the main directive – it is very easy to think, particularly if you are an FSA regulator, "well of course I've done 90% of this anyway, because 90% of this is already in the FSA rules." Actually, it isn't. There's a lot of detail there and the more you look at Mifid and the implementing directives, the more you realise that this is going to be a major event, even for FSA-regulated firms.
I think the second thing is that we have had so much notice of Mifid. It was published in 2004 and is not going to come into force until the end of this year, or nearly the end of this year. Before publication, everybody was talking about ISD2 and so on and because people have [known] for so long that Mifid is coming, it's been very tempting to say "we've got plenty of time." You can delay a lot of the implementation hiding behind, as Richard pointed out, "we don't know the full details yet and we're less than six months away now." I think a combination of those factors has led to that happening.
I would agree with that. I think one of the main things has been that the EU, or CESR, consistently missed its own deadlines for publishing guidelines and so forth, so I think there was a general assumption among the market that the date would be pushed back because everything was running behind. People were waiting for information to come out and for things to be clarified, and assuming there would be plenty of time to deal with it once that had happened.
I think that's right. Certainly, there continues to be a presumption among firms that there will be a delay, even if it just happens at the very last minute with Mifid, although European regulators don't seem to be in agreement with that, nor do the FSA. They just seem to be saying "there will be no delay – period."
I think that is a very dangerous thing to think. I was talking to a compliance officer from a major firm yesterday [who was] saying "well, the FSA will not, of course, implement on time because nobody else will implement on time and the FSA wouldn't dare to implement alone." I'm not sure if I agree with that stance. The FSA has made it very clear they will implement on time and to take the view that they may not mean what they say, I think, is a very dangerous thing to do.
Yes, I would agree with that. There was a very good point earlier about what the situation will be if some countries are ready and some are not – how that would be dealt with. I had a conversation with somebody at a French bank, and they seemed to be very far behind on their Mifid programme. Their attitude was "until this goes into law, until it's transposed, we don't know exactly what it is so we can't finalise our Mifid programme." Clearly, they have been working on certain aspects of it, but to hear that kind of thing being said is quite worrying.
Yes, we heard this, didn't we, with the implementation of the market abuse directive – "the FSA hasn't published its final, final rules, so we can't possibly do anything." The FSA published its final rules for the market abuse directive about a week before it came into force. To be fair to the FSA, it didn't have much choice in that for various reasons, but the fact is that the FSA implemented the market abuse directive on time.
Mifid may not be clear down to the very last [detail], but nonetheless, there is a lot to go on in the various documents to which I have referred. Some of these have been published for some considerable time and, if I were the regulator, I would have little sympathy with a firm that came to me and said "I couldn't implement on time because you didn't publish the last detail of your policies until three weeks beforehand." Well, I'm sorry, the information is there. It may not be in its final form, but it's 80 or 90% there already.
How, in an environment where the compliance officer doesn't control the IT budget, can firms be certain that requirements that straddle project boundaries, eg, the common platform systems and controls, are thoroughly covered?
That's an interesting question. I think the whole thing about Mifid is that to create a successful Mifid project, you have to have involvement from all of the stakeholders. That includes compliance, the business and IT. Any budgeting that's required needs to have input from all those different places. If people are trying to separate those out and not take a cohesive approach to it, I think they're going to get into a lot of trouble. Obviously, if the IT budget is just in the IT area and everything to do with Mifid IT has to come out of that budget, then other things are not going to be done that the IT people want done, so they may be reluctant to release funds for Mifid and so forth. I think it would be disastrous to try and do it that way.
I would like to start my response to that by reading, if I may, a short extract from article 6, sub-article 3 of the directive of August 10 – "In order to enable the compliance function to discharge its responsibilities properly [and independently], member states should require investment firms to ensure that the following conditions are satisfied:"
a) "the compliance function has the necessary authority, resources, expertise and access to all relevant information,"
b) "a compliance officer must be appointed and responsible for the compliance function, and for any reporting as to compliance required by article [9 (2)],"
c) "the relevant persons involved in the compliance function must not be involved in the services or activities they monitor."
Mifid is very strong on this. It is saying that there needs to be an independent, properly resourced compliance department that has access to the resources it needs.
If I was a compliance officer in that situation, where I was finding that the IT resources I thought the firm needed were not forthcoming, I think I would be having some very difficult conversations with the board. I would have to be saying "look, I'm sorry, these are the requirements of Mifid. I will be carrying the can to a large extent with the regulator if we are not ready, and it may come to it that if there are IT resources that I, in my professional judgement, believe need to be there and are not going to be there, I'll have to consider my position."
What do you think are the key lessons about implementing EU directives in the financial services area that have been learned from the troubles that are being experienced by Mifid?
Hopefully, setting more realistic timetables so that the gap between providing the regulation and the regulation actually going live allows for more slippage on the part of the EU actually publishing the information. Also, hopefully, trying to be a little bit more specific and clear on what some of the requirements actually are at an earlier stage.
I agree with some of that. I think I would put a slightly different emphasis on it however. In terms of a member firm, I think you can no longer rely on the regulator to spoonfeed you. Frustrated though people may become with the FSA in the UK, we are actually extremely well-served by the FSA as an industry, in my opinion – information in terms of the draft rules coming out of consultative papers, discussion papers and so on, particularly when these changes are not constrained by EU timetables, is very good. It's a much harder job to get information about a forthcoming rule in a lot of the European countries or, indeed, in the US or some other jurisdictions outside the EU than to get information on new draft regulations from the FSA. I think we've become a little lazy in the UK in just sort of expecting to be spoonfed information. I do agree that regulators – CESR and so on – should stick to timetables, and it is frustrating to be told that guidance and new draft laws are coming out at a particular time when they don't.
Nonetheless, regulators have a huge job to do in implementing these rules, and if I was advising a firm, particularly a firm with the resources to do it, I would say "get someone, or get a team to look at the European Union directives, watch the CESR website, the Commission website and the Treasury website, and also watch the websites of other regulators." The AMF in Paris has got a particularly good website. They are actually quite good as well at giving draft regulations, discussion papers, comments and so on. You've got to go beyond expecting a consultation paper to arrive on your desk, or arrive on the FSA website, and to have time to read it and expect everything to be there. You've got to look wider, and you've got to have a specialist department or specialist person to actually keep track of all these things.
HEAR THIS ONLINE
To listen to the complete roundtable and the entire Mifid e-symposium, visit www.mifid.e-symposium.com and register for free.