In many consultative discussions we’ve had with EU financials regarding MIFID2 record-keeping, a common question we hear is “Why WORM storage? The regulation says nothing specific about this, it just says we need to keep our data on a durable medium.” When pressed further, we often get the response that “our audit controls, database and/or backup systems are close enough.” – but are they really?
First, what is “WORM storage?” – The acronym “WORM” stands for “Write Once, Read Many” storage. This type of storage prevents permanent deletion and editing of data copied onto it. In the modern technology era, it is considered the gold standard for maintaining financial records for regulatory and legal purposes.
While it is technically true that MIFID2 does not mention “WORM” as a requirement anywhere in the legislative documentation, ESMA (the pan-EU regulator for MIFID2) has referred to the record-keeping requirement in a “technology neutral” way that leaves it up to the finance and technology industries to implement the regulation in a way that keeps up with fast evolving technology. What evidence is there of this?
The root of record-keeping in MIFID2 are in articles 16(6) and 16(7) https://www.esma.europa.eu/databases-library/interactive-single-rulebook/clone-mifid-ii/article-16-0 in which firms are instructed on which business records to keep and for how long. The short of it being phone calls, electronic correspondence, records and documents relating to a financial transaction for a minimum of five years without deletion or edit. So what we see here is regulatory guidance that records be kept for five years without any guidance on the technology that can fulfill the requirement. This is the sort of thing that drives Chief Compliance, Information and Technology officers crazy. And they were, and the questions for clarity to ESMA began. Fortunately, ESMA was prepared for this process and produced a Consultation Paper to clarify their intent and open a discussion channel for industry feedback. The MIFID2 Consultation Paper put forth (https://www.esma.europa.eu/sites/default/files/library/2015/11/2014-549_-_consultation_paper_mifid_ii_-_mifir.pdf):
Well that was clear! Well, not exactly. It led to many more questions and from the process of the Q&A around the Consultation Paper, ESMA over time further clarified its positions in the Technical Advice of December 2014. (ESMA 2014/1569) and specifically in response to the question of what technology to use to record data:
From Q&A response, we see ESMA deemed that using technology-oriented terms to describe recording systems to not be useful since technology continually evolves. This can be considered a method for ensuring the future resilience of the MIFID2 regulation as storage technology rapidly evolves.
In our next entry, we’ll look further at the “technology neutral” requirements of MIFID2 record-keeping and establish the beginning of the path to WORM storage as the answer to the storage requirement.