Market participants are grappling with possible security and privacy issues over the requirement to include personal identifiers of dealers in transaction reporting under new financial regulations in Europe from 2018.

MiFID II regulations increase the number of fields that have to be reported for trades from 23 to at least 65 and for the first time, require dealers’ personal identifiers such as date of birth and the equivalent of a passport number.

Shashin Mishra, a London-based director with the solutions team at consultancy Sapient Global Markets, told Markets Media that the personal identifiers are causing issues as they are stored in human resources systems, not trading systems, and because of the possibility of leaks.

“You could get the date from the HR system for each trade but how will that be controlled,” he said. “Or you can add the data manually to each trade which could lead to inaccuracies and fines.”

In an article in the Sapient magazine, Mishra and colleague  Mahima Gupta, wrote that each piece of personal information can jeopardize a person’s identity if it reaches the wrong hands.

“This information can also be misused to execute wrongful trades on the person’s behalf, thus compromising his or her integrity and career,” said the article. “Every entity in the MiFID II reporting chain – including banks, venues, third-party reporting service providers, APAs [approved publication arrangements], ARMs [approved reporting mechanisms] and regulators – must have the requisite security measures in place to protect the identities of the industry personnel involved.”

ARMs could offer several options to firms such as encryption of the channel over which data is transmitted or encryption of individual files. Or trades could be reported to ARMs with codes which identify individual dealers and ARMs could then add the personal identity details, which they store.

This month the FIX Trading Community, the non-profit industry standards body, announced that FIXProtocol will be developed so the messaging standard can be used to transmit MiFID II transaction reports to ARMs. In a poll at the recent FIX EMEA Trading Conference, nearly 70% of respondents said they would prefer to use the FIX Protocol to send reports.

Len Delicaet, head of regulatory report strategy at reporting service Trax, said in a statement: “MiFID II transaction reporting extends the reporting obligation in three meaningful ways to include 1) a new group of financial participants including the buy-side, 2) a much broader set of in-scope instruments and 3) a deeper set of required data fields. The ability for firms to connect to the Trax ARM via the common FIX language will be of great value as the industry prepares for regulatory change.”

In addition to queries on personal identifiers, reporting firms have also been asking if data will be stored in the cloud or in a physical data centre. This is because the European Union has agreed a new data protection regulation that is likely to come into force in the first half of 2018, when MiFID II is also scheduled to have gone live. The regulation harmonizes requirements across member states as data increasingly flows across borders.

Law firm Allen & Overy said in a note this year that the General Data Protection Regulation will replace the current directive and will be directly applicable in all member states without the need for implementing national legislation. The note said that, as a result of the new regulation, firms need to ensure that privacy is embedded into any new processing or product that is deployed.

“The GDPR imposes some direct obligations on processors which you will need to understand and build into your policies, procedures and contracts,” added the law firm. “You are also likely to find that your customers will wish to ensure that your services are compatible with the enhanced requirements of the Regulation.”

For international data transfers, including intra-group transfers, it will be important to ensure there is a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.

“This is not a new concern, but as failure to comply could attract a fine of up to 4% of annual worldwide turnover, the consequences of non-compliance could be severe,” added Allen & Overy. “You may want to consider adopting binding corporate rules to facilitate intra-group transfers of data.”

More on MiFID II trade reporting:

• FIX Preps for ARMs Reporting
• No Delay for MiFID II Prep
• Trade Reporting in Focus