In an age of accelerating regulatory change, financial services organizations are reexamining how to allocate their resources effectively to comply with imminent requirements such as the General Data Protection Regulation (GDPR), Financial Industry Regulatory Authority (FINRA) rules, and the Markets in Financial Instruments Directive (MiFID) II.
To fully understand the depth and significance of these financial regulations to financial services organizations, let us take a closer look at the fines that organizations are facing for not complying with GDPR, FINRA, and MiFID II regulations.
1. General Data Protection Regulation (GDPR)
Compared to its predecessor, the Data Protection Directive, the GDPR gives data protection authorities more investigative and administrative powers and the authority to levy more substantial fines. Article 83 (General conditions for imposing administrative fines) specifies the categories of fines and the types of breaches that can lead to monetary penalties.
A. Category A Fines – Concerns issues with preparedness and administrative failures in implementing a Data Protection Compliance Program. These failures include but are not limited to:
- Failure to implement a proper Privacy Impact Assessment.
- Failure to designate a Data Protection Officer (DPO), or issues with the roles and responsibilities of the DPO.
- Issues with Breach Notifications to Data Protection Authorities or to Data Subjects.
- Failure to implement Data Protection “by design and by default”.
The maximum fine for this category is €10,000,000 or in the case of an undertaking up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater.
B. Category B Fines – Addresses actual breaches and major failures in compliance. This includes but is not limited to:
- Conditions for consent (in obtaining or processing data such as enterprise SMS, Email, chat logs, etc.)
- Lawful processing of data
- Right of access by the Data Subject (Subject Access Requests)
- Right of erasure (right to be forgotten)
- Right of rectification (accuracy of legally obtained personal data)
- Processing of National Identification Number
- Obligations of Secrecy
The penalties and fines outlined in Article 83 and other parts of GDPR are intended as punitive and dissuasive measures levied against Data Controllers and Processors. However, they do not include compensation for damages that a private individual may have suffered as the result of non-compliance. As such, these matters must be pursued in a separate civil action.
2. Financial Industry Regulatory Authority (FINRA)
FINRA has the authority to “fine, suspend or bar” financial organizations and professionals engaged in any financial planning, counseling, and investment services. Below are the factors FINRA weighs and the corresponding fines with regard to its recordkeeping requirements:
- Nature and materiality of inaccurate or missing information.
- The nature, proportion, and size of the firm records at issue.
- Whether inaccurate or missing information was entered or omitted intentionally, recklessly, or as the result of negligence.
- Whether the violations occurred during two or more examination or review periods over an extended period of time or involved a pattern or patterns of misconduct.
- Whether the violations allowed other misconduct to occur or to escape detection.
- Fine of $1,000 to $15,000.
- Where aggravating factors predominate, consider a fine of $10,000 to $146,000.
- Where significant aggravating factors predominate, consider a higher fine.
A. Responsible Individual – Consider suspending the responsible individual in any or all capacities for a period of 10 business days to three months. Where aggravating factors predominate, consider a longer suspension (of up to two years) or a bar.
B. The firm – Where aggravating factors predominate, consider suspending the firm for a period of 10 business days to two years, or consider the expulsion of the firm.
In September, FINRA fined and suspended firms and a broker for failing to comply with its recordkeeping requirements.
- A broker was fined $5,000 and suspended from association with any FINRA member in any capacity for one month. The broker sent 58 text messages relating to his securities business, including messages about investment strategies and specific securities to 16 customers during the course of a year. The findings stated that by doing so, the broker prevented his member firm from supervising those communications, violated the firm’s policy about business correspondence, and contradicted his attestation that he would use his firm’s email system for all business.
- Also in September, two firms were penalized a total of almost $2 million for allegedly failing to maintain their electronic records in a write once, read many (WORM) format that could not be altered or destroyed.
3. Markets in Financial Instruments Directive (MiFID) II
The imminent implementation of MiFID II on January 3, 2018, will introduce new standards that will force financial institutions operating within the member states of the European Union to re-examine their compliance policies and procedures, including the archiving of corporate mobile messages.
At present, the UK Financial Conduct Authority (FCA) is the only national competent authority (NCA) in the EU that has officially imposed fines, on 10 companies/individuals as of 2017. Its 2017 FCA fines list includes information about fines published during the calendar year ending 2017. The total amount of fines so far is £225,361,413.
The FCA follows five steps when setting penalties imposed on firms:
1. Disgorgement – The FCA will seek to deprive a firm of the financial benefit derived directly from the breach (which may include the profit made or loss avoided) where it is practicable to quantify this. The FCA will ordinarily also charge interest on the benefit.
2. The seriousness of the breach – The FCA will determine an amount that reflects the seriousness of the breach.
3. Mitigating and aggravating factors – The FCA may increase or decrease the amount of the financial penalty arrived at after Step 2, but not including any amount to be disgorged as set out in Step 1, to account for factors which aggravate or mitigate the breach.
4. Adjustment for deterrence – If the FCA considers the figure arrived at after Step 3 is insufficient to deter the firm which committed the breach, or others, from committing further or similar breaches then the FCA may increase the penalty.
5. Settlement discount – The FCA and the firm on which a penalty is to be imposed may seek to agree on the amount of any financial penalty and other terms.
At TeleMessage, we offer our Mobile Archiver, which can help financial services leaders effectively manage data and content, including enterprise SMS, emails, and web and social media content, with respect to compliance. Our archiving solution is equipped with versioning and robust governance capabilities that ensure content across all digital channels is compliant and meets global regulatory requirements.
Want to learn more? Check out our infographic “Comparing US vs European Mobile Archiving Requirements FINRA vs MiFID II and EMIR” or visit our website at www.telemessage.com.