What MiFID will mean for your business

1. What are the key risks within firms' businesses, processes and systems that op risk and compliance executives should be aware of, during MiFID implementation?

For many firms, given the limited time to prepare for MiFID, the main aim is going to be simply to achieve compliance with the new regulation by November 2007. Such a targeted tactical approach will leave little scope to address existing risks. What is more likely is for firms to amend the requirements and timeframe of current and planned projects that have a significant overlap with areas of MiFID. There are three key areas being addressed by a number of banks at this time where I would expect this to happen:

• Records management - MiFID will change the data-retention period to five years in most cases. It requires transaction data to be stored in a manner that cannot be tampered with (Write Once, Read Many), and changes the data set required for storage. Following some key US legal cases, many investment banks have launched wide-ranging global data-management programmes to address data-retention in all its forms (versions of Excel spreadsheet pricing models to regulatory reports). These are multi-year programmes with $100 million-plus budgets. Such programmes should seek to accelerate key elements of the European part of the data-management programmes to address the requirements of MiFID. If this cannot be done then a shorter-term tactical fix may be required, possibly using an external party to source and store the data.

• Transaction reporting - MiFID amends, and increases, the data required to be reported to the regulators for market abuse surveillance purposes. The consultation paper from the Financial Services Authority (FSA) has identified 26 fields required, and the expectation is that the German regulator Bafin could request significantly more. Earlier this year, the FSA issued public fines for transaction reporting, thereby launching projects to address this issue. Some other banks identified the issue to the regulator themselves and have also committed to address their deficiencies. These programmes should address the requirements of MiFID, in addition to addressing their current reporting deficiencies.

• Client classification - the client on-boarding and KYC (know your client) will have to be amended to classify clients as Retail Clients, Professional Clients and Eligible Counterparties. The on-boarding process may also be affected by some of the fact-find data required to support Suitability and Appropriateness tests. In addressing operational inefficiencies, or issues related to Patriot Act (and related) compliance exposures, many banks have live programmes that re-engineer some of these processes. Again, such projects should be leveraged to achieve compliance with MiFID where possible.

2. How can op risk and compliance executives provide value-add to the business within their MiFID projects?

There are two significant opportunities for compliance executives to create significant value for the business. Firstly by helping to identify strategic opportunities, and secondly by identifying areas where spend can be limited or delayed.

Strategic opportunities can best be identified through educating the business on MiFID and explaining to executives where this may create potential strategic opportunities. If the business wishes to pursue any of these opportunities, they should own them going forward. These opportunities may include:

• New growth in existing business areas, such as outsourcing back-office services;

• Using elements of the requirements of MiFID as a competitive advantage, such as a best execution service provided by a retail broker;

• Product enhancement - reviewing the impacts of MiFID on particular product areas to identify how the market may favour certain product sets post-MiFID; and

• Entirely new revenue streams, such as utilities developed to address certain MiFID requirements.

Some firms will spend whatever is required to comply with MiFID, driven either by a focus on minimising any potential brand risk, or because they have fallen foul of the regulators in recent years. For others, compliance itself may be a series of strategic decisions. Project areas may have to be prioritised taking into account the risk of delay, or non-compliance with certain elements of MiFID. This should take account of the potential brand risk, regulatory risk and legal risk of non-compliance. When such risks are mapped against the cost of change required, it can help executives with limited budgets to identify high priorities, quick wins and candidates for delay.

3. What should the regulators be doing to help firms implement MiFID in a way that provides the most benefit for the costs that will be incurred?

Given where we are with regulation in the UK (post-publication of the new conduct of business rules by the FSA), there isn't much scope for fundamental changes to the regulation to improve the benefits to firms, their clients and the market as a whole.

The greatest benefit that the regulators could provide at this point, would be to offer flexibility in terms of implementation schedules. Flexibility may provide significant benefits in terms of allowing existing programmes to take on the burden of achieving MiFID compliance.

Paul Barry

MiFID Programme Leader

Financial Services Sector NE IOT

IBM Global Business Services

As a managing consultant in our risk and compliance consulting practice, Paul is programme leader for MiFID in the UK. Paul and his team work with investment banks and regulators as a result of the introduction of regulatory change.

Prior to joining IBM to work in this role Paul had spent over 10 years in investment banking in a variety of front-office roles with both Citigroup and HSBC. This included establishing a Business Process Outsourcing and IT Services advisory team, running a mergers and acquisitions team, establishing a capital markets execution function and working within corporate broking.

Paul is a qualified chartered accountant and has a B.Eng Hons in electrical and electronic engineering.