NEX RR announces service to meet data privacy regulation
NEX Regulatory Reporting announced that, during the rollout of MiFID II, it successfully launched its short code identifier service, the ‘Industry Standard Common Identifier’ (ISCI), to help market participants meet their MiFID II requirements while simultaneously protecting the data of individuals. The short code identifier service will protect anonymity and ensure operational efficiency and future compliance with the European data privacy regulation GDPR (General Data Protection Regulation).
Under MiFID II, market participants are obligated to include the personal data of the decision maker and/or client responsible for the execution of the transaction in their reports so they can be identified by the regulator. They must also ensure the provision and storage of sensitive natural persons’ data is done in a secure and effective manner. ISCI enables firms to manage these requirements while also meeting future GDPR requirements (from 25 May 2018), which dictate that personal data should be kept in an identifiable format for no longer than necessary and be anonymised if retained.
ISCI is a venue-agnostic, highly encrypted service where personal identifier information (PII) can be uploaded either via the HTML 5 interface or over an SFTP connection, allowing for integration with internal HR or middle office systems. The inputted data is validated against ESMA standards as part of the upload process to ensure compliance. ISCI protects PII data (required by RTS 22) until the last point of the process before a transaction is enriched with decision maker detail. Alternatively, if firms are subject to the MiFID II obligation to maintain order records (required by RTS 24), information is held securely until order records are required to be presented to the regulator.
Personal data is stored in an encrypted ‘vault’ and data protection is guaranteed through the highest levels of security available, including AWS Key Management Services for encryption and Okta-provided multifactor authentication. Access to data is granted on a ‘need to know’ and ‘least privilege’ basis, is monitored, and is fully auditable.
In preparation for MiFID II, approximately 140,000 individual short codes (traders and algorithms) representing 2,140 individual LEIs (firms) were uploaded to ISCI from member firms for the purposes of transaction reporting and order record keeping. Firms benefit from a significant reduction both in the workload required to provide and update data to multiple sources and in the need to continually reconcile against their internal systems as people join or leave their organizations.