Asian market participants are concerned that transparency requirements in new EU legislation may put them in breach of data privacy laws outside Europe. And a clarification from the Monetary Authority of Singapore, obtained today by IFLR Practice Insight, will exacerbate those concerns.
The Markets in Financial Instruments Directive (Mifid) II and its accompanying regulation Mifir hope to bring light to previously opaque markets with the end goal of better-protecting the end user. But firms in Asia are concerned about a potential conflict between the directive and local data privacy laws. They are essentially being asked to either break data privacy laws in their or their clients’ home jurisdiction, or risk noncompliance with Mifid II.
Meanwhile EU regulators’ position has been that if the counterparty is unable to provide the data needed, the trade cannot be executed.
“We’re hearing that these data points might be inconvenient or uncomfortable for clients to give up, but also that they could be protected under local laws,” a Hong Kong-based source told IFLR. “At the very least, Asian clients are annoyed they will now have to disclose things they didn’t before. I don’t think anything has looked at it in much detail yet either.” In-house sources who spoke to IFLR Insight on the subject refused to go on the record.
Mark Parsons, TMT partner at Hogan Lovells in Hong Kong, said the challenge Asian firms face is that where data protection laws are in place, they operate on a consent-driven process. And while there are exemptions available, these typically only apply in relation to local laws, not foreign.
A spokesperson for the Monetary Authority of Singapore told IFLR Practice Insight that the authority has "no planned legislative amendments to facilitate reporting under Mifid II", adding: "In general, where confidentiality requirements apply, customer consent can be obtained to facilitate reporting", dashing any lingering hopes for a break in the law to aid compliance.
A practice known as data masking is already in use by dealers to get around reporting rules under the European Market Infrastructure Regulation (Emir). But Mifid II and its supporting regulation, Mifir, go significantly further than those mandated by Emir, including protected personal information such as passport numbers.
- Market participants in Asia are concerned that compliance with the EU’s new Markets in Financial Instruments Directive will put them in breach of local data privacy laws;
- This issue already exists under Emir and is being reviewed by the FSB with no immediately obvious solution;
- Understanding of the issues posed by Mifid II has been slow to take off in Asia with many believing they would be unaffected and others unhappy with the prospect of giving away reams of personal data to foreign regulators;
- Equivalence with Asian exchanges is also less likely in light of the discrepancies, as Asian participants may not be able to meet Mifid II’s transparency and reporting requirements.
Considering the issue arose when Emir was first enacted in 2012 and is yet to be resolved – and the data required by Mifid II is significantly more invasive – concerns are running high.
Plus, a Financial Stability Board paper from June 2017 says that the masking of newly-reported transactions must be discontinued once the existing barriers are removed, so it’s highly unlikely to be a solution to the Mifid problem.
It also suggests that where such barriers exist, they should be removed ‘with respect to reporting pursuant to domestic and foreign requirements’, but it’s unclear if work on this has begun.
"There’s definitely a natural reticence in Asia towards handing over all this information"
Some firms have explored the option of scrambling the data, or tagging trades with a separate identifier that allows the receiver to look up the data if required. But Parsons is doubtful this would avoid a conflict with the increasing number of data protection laws that have been passed in the region in recent years.
He explained that the receiver must be able to identify the individual requesting the order, and so have possession of a key enabling the data to be decrypted. And once the data is decrypted it will be personal data in the hands of the receiver – so either way, it’s going to be personal data.
Consent procedures vary between jurisdictions. While Singapore’s regime provides scope for implied consent, others like South Korea are stricter with separate requirements for disclosure to third parties and exports to other jurisdictions. Hong Kong sits somewhere in the middle; explicit consent is generally not required, but ‘something affirmative’ would be.
“It helps that so much is done electronically these days as digital interactions create opportunities for some form of consent,” said Parsons. “The practical challenge is more in relation to those that interact with brokers over the phone, and might not respond to requests to sign documents.”
He thinks that a broader (unrelated to Mifid) transparency crackdown following the financial crisis may help larger firms here, as many broadened the scope of their client consent forms – but that’s less likely to be the case for smaller players.
It’s a different story altogether in China though. A new cybersecurity law introduced in June contains a data localisation measure meaning the data cannot leave Chinese borders, applicable to so-called operators of critical information including stock exchanges and large national banks. It’s not yet clear the extent to which the localisation provision will apply to the next rung down, the catch-all network operators, but it’s thought it will be on a self-assessment basis.
China already has an investor-level ID regime in force; trading orders on local exchanges are all tagged.
“I would expect there to be a strong argument that it is necessary to transfer personal data to facilitate trading activities, and so with an appropriate consent and security measures being applied, a transfer should be permitted,” said Parsons. “I don’t think the intention is to stifle international trade.” The final export measures are yet to be released.
“There’s definitely a natural reticence in Asia towards handing over all this information. People feel like their privacy is being compromised,” said Vijay Chander, director of fixed income at the Asia Securities Industry and Financial Markets Association (Asifma).
The association is working to allay the concerns of market participants by pointing out that Mifid II’s transparency obligations are less onerous than the traditional know-your-customer procedure required of them. “There are still plenty of questions of course, but it’s not quite as burdensome as a 200-page questionnaire,” added Chander.
Equivalence: the elephant in the room
The Hong Kong source is also concerned about differences in reporting rules getting in the way of equivalence between Asian and EU exchanges. For business to continue as usual on January 3 equivalence is essential, though with just under two months to go, the clock is ticking.
“EU regulators could use differing reporting requirements, either as an incentive or an excuse, to not deem Asian exchanges equivalent,” he said. “And that would harm EU traders that want to use Asian exchanges.”
Differences in trading obligations may be another thorn in the side of agreement on equivalence.
“The equivalence issue could cause huge problems if Europe can’t execute trades with the US for instance, because the US participant can’t fulfil its regulatory obligations on a European venue, and vice versa,” said Jamie Brigstock, director of G10 rates trading at Citigroup. “But while the US gets a lot of airtime, Asia is also in need of equivalence.”
Chris Bates, partner at Clifford Chance in London, echoed this view. “The US has a trading obligation already, so the concern there is bifurcation. Asia doesn’t have one at all, so EU firms are at risk of a double competitive disadvantage, where not only can they not trade certain products, but they can’t even use a local venue to fulfil their obligation,” he said.
Generally Asian firms are said to have been blindsided by the extraterritorial reach of the new legislation, particularly at the smaller end of the market. Adoption of legal entity identifiers (LEI), a fairly straightforward and absolutely essential part of getting Mifid II-ready, has been low. An August IFLR poll found Asian firms to be highly sceptical of the LEI requirement amid concerns over privacy and cost.
“Some clients are asking the banks to do it for them and perhaps the banks don’t want to do it, so they’re at loggerheads,” said the unnamed source. “It’s probably costing them more to argue back and forth than it would to actually get it done.”
He thinks it’s highly unlikely that all clients and their counterparties will have LEIs before the January 3 deadline. The sheer number of legal entities, including offshore subsidiaries, within one financial institution means some firms will have to obtain multiple LEIs – and it’s not clear the market understands this.
The extent to which firms are affected depends heavily on their internal structure. The non-EU subsidiary of an EU firm is unlikely to face significant changes as it’s technically a separate legal entity. But many firms operate on a branch model, with the majority of trading and booking done in London.
The broad expectation is that for the bigger global players, even if they operate via subsidiaries rather than branches, Mifid standards will be rolled out globally. “The view will be that if we’re doing it for Europe anyway, it makes more sense to do it everywhere,” said the source. “It’s definitely a race to the top.”
This article is published by IFLR Insight, a new service launching soon. IFLR Insight will analyse how financial institutions are reacting to new rules.
For more information on the service please contact Vincent Muths, firstname.lastname@example.org