Regulatory compliance consulting series: Record keeping

Christian Blackwell: Welcome to our regulatory compliance consulting series. Today, I am here with John Davison, to get his perspective on five reasons why we believe that record keeping is an important thing that firms need to consider.  John, regulatory change is demanding and more complex data requirements.

John Davison: Absolutely right, Christian, and I think MiFID II, at the moment, is a really good example of that. I mean, record keeping has always been a fairly fundamental system control for any organisation, but the problem with that has been that it's been taken for granted by most organisations, so people haven't tended to focus on that. But with more increased complexity of data, with greater responsibilities for reporting to regulators, with more prescriptive requirements on communicating with customers, there becomes a greater reliance on good quality underlying data, and maintenance of that data, so that you can actually deliver the outcomes to your stakeholders that you actually need to deliver. So, I think it is only going to get worse and worse, and harder and harder.

Christian Blackwell: And the need to maintain voice recordings is increasing as well, isn't it?

John Davison: And that's a really good practical example. With how record keeping is extending, so voice trading is becoming more pervasive across the industry. And actually voice recording, again, is a particularly difficult thing, to actually make sure it's sustainable. And it's not so much just the pure capture of actually voice records, but being able to retrieve them when you need to retrieve them. So, there's going to be data retrieval requirements going forward, under different regulations. And I think being able to reproduce a voice recording, when there are multiple types of voice recording being recorded, is a far more complex science than I think many people think it's going to be. And I would always encourage firms to think through the complexity of the IT changes that may be needed in their organisations in this regard.

Christian Blackwell: An increasing reliance on technology means increased IT security risk and compromised data, as well?

John Davison: And that's a really topical conversation for today, Christian, actually, because we've just had the FCA's business plan for 2017/2018, and one of the threats to their objectives is IT security and cyber, which you probably expect. And I think here, you know, as we go through the FinTech requirements, and the FinTech age, and we go back to the MiFID II I talked about earlier, actually it's really important for compliance functions to be able to engage with IT, and to be able to understand those IT security implications, so that they can make sure that actually records are being retained properly, because as IT becomes more of a pervasive requirement for organisations for their core business, so it's more likely the data is going to get fragmented, and to control that data becomes more and more difficult, not just from an organisational perspective, but to make sure it's secure from cyber hacking and for any external unauthorised access. The more systems you have, the more likelihood is you're going to be hacked.

Christian Blackwell: And GDPR is coming as well, what's the impact of that going to be?

John Davison: Well, once people have moved on from MiFID, they've got another Grade 1 to look at, haven't they? I mean, GDPR is -- I mean, you would assume that GDPR is very heavily records related, anyway, but the privacy requirements coming under GDPR are going to be more onerous for firms. There are far more rights for customers, there's actually a much greater requirement to retain, and to and be able to demonstrate and govern the records you keep, and actually to be able to demonstrate how you process personal data. Now, for most organisations, this has been things they have done in the past, under existing legislation, to some degree, but GDPR takes this to another level. And while people are going through record keeping obligations under MiFID, then actually it is sensible to look at whether or not these systems are sustainable for GDPR requirements as well, if that's possible.

Christian Blackwell: And without effective record keeping, it's impossible to perform effective assurance work?

John Davison: It is. So, your second and third lines of defence kind of can't be as effective as you would like them to be, absolutely. I think I would pick on one mistake, that I often see actually, that you know, it's very easy, when you do an audit or an assurance review, to ask for a set of records to actually do your attestation, and your review, and some of those records not be available. And the one thing I've seen happen in the past sometimes, is that functions who are doing those assurance reviews just move on, and actually get a different sample, and actually forget to deal with the fundamental issue that, if the record doesn't exist, it is likely there is a broader system control related issue in the organisation. So, I think records should be part of everybody's review, not as a subject in itself, but actually the importance and speed and accuracy of retrieval of documents, and retrieval of data, I think is pretty fundamental for all assured functions, because let's be honest, management rely on this underlying data to run their business day-to-day as well.