Depending on your point of view, this is either a great or a terrible year to be a banking IT manager. Three major regulatory burdens are in train: the second payment services directive (PSD2), the general data protection regulation (GDPR), and the second markets in financial instruments directive (MIFID2). Together they leave the European operations of universal banks completely overstretched and fighting for the same small pool of contractors and management consultancy support.
GDPR seeks to give EU citizens greater control over data held about them by companies and social networks. This includes the right to request deletion, amendment, and disclosure of all information held on them. On the point of disclosure, the regulations require firms to tell customers how their data will be processed. Data requests will be free, unless excessively complex. Data breaches will need to be reported far more promptly.
This is a far cry from Subject Access Requests under the Consumer Credit Act. For a start, financial services firms will have to figure out how to search for, and present securely, the data that they hold on a customer. They’ll each need to come up with new processes and technologies to enable deletion and amendment. They may have to hire more loan underwriters, because the GDPR enables customers to opt out of automated decision making.
PSD2 promotes data portability (and creates a new vulnerability under GDPR’s data security obligations): payment service providers must give payment initiation service providers (think Apple Pay and Android Pay, but integrated with your bank statements and direct payees) access to their customers’ accounts so as to facilitate transactions ordered at the customers’ request. In return, payment initiation service providers must observe a number of data security obligations and take on some liabilities in relation to unauthorised transactions they are responsible for. Facilitating access upon request is the sticky problem, with nascent European financial technology firms worried that bank APIs (back-end data access) will lag behind their customer-facing apps and websites. Currently, many of the services which aggregate multiple accounts across multiple providers rely on holding your access credentials and scraping the data so accessed.
Finally, MIFID2 has mopped up what programming and operational change talent is left by requiring firms to submit data on over-the-counter derivative transactions (having moved these on to regulated trading venues), and by extending the number and type of trading venues in the UK (see for instance organised trading facilities). This will hugely increase the complexity of settlement and regulatory transaction reporting.
One exceptionally geeky concern is that trading venues and their members will need to synchronise their clocks (it helps regulators quickly reconcile trades across venues and between organisations). To understand the magnitude of this requirement, readers should note that some systems within a single bank may observe British Summer Time, whilst others may not. Legacy systems might not be capable of recording a microsecond level of precision. Another concern is when to time-stamp: at the time a trade is sent, or confirmed?
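To make the clock problem concrete, here is an added example (not from the original post) that reconciles two constructed records of the same trade from two internal systems: one stamping in local London time (BST in July, microsecond precision), the other stamping in UTC at whole-second precision. The zone each system is assumed to run in, and the records themselves, are constructed for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

LONDON = ZoneInfo("Europe/London")

# Constructed sample: (system name, raw timestamp as recorded, zone its clock is assumed to use)
CONSTRUCTED_RECORDS = [
    ("order-gateway", "2017-07-03T10:15:30.123456", LONDON),    # local clock, BST in July
    ("settlement",    "2017-07-03T09:15:30",        timezone.utc),  # UTC clock, seconds only
]


def normalise_timestamp(raw, source_zone):
    """Parse one system's timestamp and return (UTC datetime, has_subsecond_part).

    A timestamp with no offset is assumed to be in source_zone; one that carries
    its own offset is trusted as-is. The boolean flags systems that cannot record
    sub-second time, which matters for microsecond-level reconciliation.
    """
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=source_zone)
    return dt.astimezone(timezone.utc), "." in raw


def naive_skew(records):
    """Spread in seconds if the zone is ignored and raw clock readings are compared directly."""
    times = [datetime.fromisoformat(raw).replace(tzinfo=None) for _, raw, _ in records]
    return (max(times) - min(times)).total_seconds()


def reconcile(records):
    """Normalise every record to UTC, then report the true spread between systems
    and which systems only stamp to the second."""
    times, low_precision = [], []
    for system, raw, zone in records:
        utc, has_subsecond = normalise_timestamp(raw, zone)
        times.append(utc)
        if not has_subsecond:
            low_precision.append(system)
    skew = (max(times) - min(times)).total_seconds()
    return {"skew_seconds": skew, "low_precision": low_precision}


if __name__ == "__main__":
    print("naive skew:", naive_skew(CONSTRUCTED_RECORDS))   # a spurious hour from BST
    print("reconciled:", reconcile(CONSTRUCTED_RECORDS))    # 0.123456 s, settlement flagged
```

Comparing the raw readings makes the same trade appear an hour apart; normalising to UTC reduces that to a sub-second difference, which is then only as trustworthy as the least precise clock involved.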
MIFID2 and PSD2 come into force in January 2018 (the FCA is already helping firms submit waivers to European regulators). GDPR follows in May 2018. The Information Commissioner’s Office has been at pains to explain that it will not be applying fines at their new maximum come June.