FCA 'gold-plates' EU rule, hits BYOD across entire UK finance sector
You delete one word and then this happens
Exclusive The UK's Financial Conduct Authority has quietly transposed an EU rule without including a crucial bit of detail, thus effectively banning BYOD policies in all financial services organisations across Blighty.
The UK version of the rule, which came into force on January 3, prohibits any business regulated by the FCA from letting its employees communicate with each other or the outside world "on privately owned equipment which the firm is unable to record or copy".
However, the original version of the rule, contained in the European Union's Markets in Financial Instruments Directive (MIFID II), restricted this only to investment firms – not applying it to the entire financial sector.
The FCA regulates financial services firms ranging in size from behemoths such as Goldman Sachs right down to independent financial advisers who tell ordinary folk where best to put their savings and investments.
The body uses powers contained in the Financial Services and Markets Act 2000 (FSMA) to implement conduct and prudential rules, including directives received from the EU. It then sets out these rules in its handbook.
This is how what should have been a BYOD rule affecting only part of the market has been turned into a blanket ruling on BYOD affecting everyone – right down to self-employed advisers.
James Hogbin, a director of IT services biz IP Sentinel, told us: "I run IT for a number of financial services companies and I don't have a clue how I'm going to do it. You can't block FaceTime. What about LinkedIn or Skype chats? Audio you can do, that's easy, but the text?"
The Register understands that neither certain high street banks nor other major financial institutions were expecting a BYOD ban, to the point that at least one institution still has live plans to adopt BYOD across the entire thousands-strong business. In addition, small businesses are still offering BYOD-based options for implementing MIFID II, as this sample blog post shows.
Vodafone's advice on MIFID II-compliant recording of mobile conversations has also stated: "MiFID II applies to the content of a conversation or communication, not the device it’s conducted on," which is not what either the EU or FCA rules say.
The FCA handbook rule in question reads:
A firm must take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately owned equipment which the firm is unable to record or copy.
That rule implements the EU MIFID directive. Precise wording of the EU ban on investment firms using privately owned equipment can be found in article 16(7) of MIFID at the eighth (unnumbered) paragraph. The EU wording, however, limits the scope of the ban to "investment" firms only. It stated:
An investment firm shall take all reasonable steps to prevent an employee or contractor from making, sending or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the investment firm is unable to record or copy.
We understand that an "investment" firm, in financial regulation, has a specific meaning which narrows the scope of the ban as originally set out by the EU directive.
The point of the new MIFID rules is to set out what calls and messages to and from financial bodies must be recorded, in case regulators want to investigate consumer complaints or allegations of criminal wrongdoing.
"For those firms caught in the call recording net," said Hogbin, "unless you can control your users' personal devices and explicitly turn off or block WhatsApp, FaceTime, iMessage, Snapchat, Instagram, Facebook, LinkedIn, Twitter, Slack, HipChat, o365 Teams, personal email, text messaging, and also perform web blocking so users can't access the browser-based versions, the only thing you can do is have a policy stating smart and mobile phones are banned."
The FCA declined to comment.
EU Member States have large discretion when implementing EC directives – "gold-plating" means going above and beyond what a directive intends rather than contradicting it.
Since the publication of this story, the FCA has been in touch to say: "Individuals can bring their own device, but firms should take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately owned equipment which the firm is unable to record a copy."