Key issues
Financial intermediary performing a custody function? Seeking to comply with SRD2? You must be worried about SRD2 and phishing and cyber risk?
SRD2 goes live today. The regulation obliges intermediaries to disclose shareholder identity within 24 hours when requested to do so and to check that this request has come from a legitimate source – i.e. that you are not the subject of a phishing attack. You may think this unlikely, but who owns a company is potentially price moving information - phishing and inadvertent disclosure could be catastrophic for your business and are cyber risks that must be addressed.
Financial intermediary performing a custody function? Seeking to comply with SRD2? You must be confused and worried about the conflict between SRD2 and GDPR!
Whilst well-meaning, EU regulators have failed to think through SRD2 and the implication for security and the risk of phishing. In pursuit of laudable aims for shareholder and investor engagement, the regulation ignores the compliance conflicts between SRD2 and GDPR. Safe data disclosure is paramount to avoid cyber risk but also to protect client data.
Financial intermediary performing a custody function? Seeking to comply with SRD2? Risk of financial penalties… How much for non-compliance?!
SRD2 fines are under review. In Italy the maximum fines are up to €5m but GDPR in the EU potentially much higher at €400m. Avoiding fines is the least of your worries – disclosing sensitive data incorrectly could destroy your reputation – potentially for ever. So, it boils down to - Information security or a fine? We can improve the former and avoid the latter.
Financial intermediary performing a custody function? Complying with SRD2 within a 24-hour window seems impossible, right?!
Today there is no simple way to respond securely. Whilst SWIFT have done a great job defining the new ISO 20022 MX 45-49 message standards, these cannot in themselves ensure that data forwarded through the chain has been transposed correctly or check whether the reply address has been spoofed (as with a phishing attack). Neither is there any specific detail in the regulation that provides clear instruction on what kind of checking would suffice. Compliance therefore requires painstaking and time-consuming research and if not on the SWIFT network, no secure reply channel that ensures data cannot be intercepted.
Financial intermediary performing a custody function? Seeking to comply with SRD2? Will we drown in a sea of Shareholder Identity Disclosure requests?
We predict an increasing number of requests for disclosure which could turn into a deluge. It is logical to assume that for maximum transparency prior to AGMs and EGMs, all issuers will make requests twice a year – as their default position. You can also assume that intermediaries will try to cover themselves by forwarding requests to anyone who might have an investor on their books either past or present because it takes time to update the investment book of record. If it were my responsibility, - just to cover my back, I would send blanket requests to any/everyone potentially resulting in hundreds of thousands of requests from multiple intermediaries. That’s a huge number which you will have to deal with manually. And then what if the regulation is extended from equities to bonds which is also on the cards – wow! Even at this early stage, some asset managers are predicting to have to manually respond to tens of thousands, perhaps hundreds of thousands of requests annually. Translated into cost, one FTE is likely to only be able to check 15 disclosure requests per day with any reliability, so if you received 50,000 requests a year that’s an extra 15 full time employees!
Financial intermediary performing a custody function? You are not going to try and comply with SRD2 by sending confidential shareholder information via email in un-encrypted form, are you? Are you?!
The regulation envisages responding via SWIFT, email or posting to URL. SWIFT is no doubt secure but how many issuers can receive a message through SWIFT? Email is demonstrably insecure and responding to an unknown recipient via URL would be like posting a sensitive message into a digital bottle and casting it into the ether – a certain nightmare for your IT security team. An unconscionable approach for such sensitive information.
Financial intermediary performing a custody function? Validating the source of an SRD2 disclosure request sounds easy enough but exactly how will you do that? Will you have a high degree of confidence in your solution?
Making the right decision over and over will not be rewarded. Making the wrong decision once will be remembered…..The regulation does make one small concession for the need for security – it requires you to check that the request originated from the issuer not just from the entity immediately before you in the disclosure request chain (presumably recognising the potential security risk of impersonation). However, it does not tell you how to do this, what the minimum standards should be and today there is no obvious way to do this. So, you have to decide for yourself what an appropriate solution is and then potentially show the regulator how you arrived at this decision upon request. If you request validation from the reply address – and receive no coherent response, what then? Perhaps you are unsure and need to do more thorough checks, you’ll need to be able to disclose your audit procedures to the regulator and may still be open to fines.
Financial intermediary performing a custody function? SRD2 and ongoing GDPR obligations to control data once disclosed – once you’ve pressed ‘SEND’, how will you securely delete it after a reasonable period of time? How would you recall it if a mistake was made?
Today the elephants in the room are the Global Data Protection Regulations. Even though under SRD2 you are obliged to disclose shareholder identities – SRD2 trumps GDPR – you still have an obligation to comply with the data control requirements for GDPR. SRD2 requires the recipient of disclosed data to delete it after 12 months – but how can they prove this? How can you help them to actually do this so that you can show your client you have responsibly controlled their data? Also, SWIFT messages provide for passing the data back up the chain, (so it may be necessary for you to do so too). How can you manage and/or control the data that you receive in this scenario in a GDPR compliant manner? More importantly, what happens if you make a mistake and find out that you have omitted to include investors or correct identities? How can you correct these so that you can demonstrate best endeavours? And then there is your client – the most important person to you. How can you assure your client that their data is being properly managed and not being disclosed inadvertently in a public arena where there might be data disclosure cock-ups going on all around you?
Financial intermediary performing a custody function? Of course, you want to comply with SRD2. NOT at all costs though!
A chink of light! The one sentence in the regulation that offers some hope is the obligation it imposes on you to check that the request has come from the issuer. This gives you a chance to carry out identity validation checks which, if unsuccessful within the prescribed 24-hour turn around, you can use to explain your tardiness to the regulator. Far from being back at school, you will be able to demonstrate leadership and good governance to your clients by effectively stopping the clock until you are given the necessary tools to respond.
Your decision to disclose or not disclose (!) is the last line of defence. It is your duty and responsibility only to provide the required info to the requestor if it can be done in a manner that is safe. The request might conceivably ask for a response to be deposited in a manner that makes this impossible; for example, posting it to a website URL which is about as insecure as you can get! BTW this exact response vector is envisaged as a legitimate reply address by the regulation – nonsensical! A perfectly reasonable response to this unreasonable request would be to refuse and to postpone a response until the requestor provides you with a reasonable communication method that allows you to do so securely and provide it in a manner that is secure and that ultimately complies with both SRD2 and GDPR.
Financial intermediary performing a custody function? SRD2 Disclosure Requests could lead to chaos. Instead, we could form direct relationships with issuers.
There is a potential silver lining. Instant Actions provides a method for you to ask the originating source (issuer or agent) to communicate directly with you next time. So that you can ignore the plethora of messages you might receive from indirect sources and in future reply easily and quickly. This does not require you to sign up to a proxy voting platform or other such proprietary technology that is not industry standard. But it does allow you to nurture direct relationships with issuers that could bear fruit in many ways in the future. Help IA to help you get accurate and timely information in the future.
Financial intermediary performing a custody function? Seeking to comply with SRD2? Don’t Expose Your Firm to Unnecessary Risk from errors.
You don’t need to expose your firm’s reputation to unnecessary risk. When your reply to the requestor, it should be scrubbed of all identifying references, notifying the issuer that an immutable record of SID communication has been retained (without the content itself being stored outside the intermediary’s control) and putting the issuer on notice that the data provided to them must be controlled under the terms of GDPR. Should sensitive data fall in to the wrong hands after it has been safely deposited with the issuer, there should be a clear audit trail that a breach occurs, it cannot have come from you.
Financial intermediary performing a custody function? Seeking to comply with SRD2. Secure Digital Vault and Data Encryption – if you don’t know what that means, you should!
Why don’t you set yourself up a Secure Digital Vault configured to send Shareholder identity securely, or we can set one up for you? It can encrypt the data at rest until you choose to delete it or until the setting you choose auto-deletes it for you. Encryption ensures that you control sensitive data and the invitation to the issuer or requestor to download it. You own the Secure Digital Vault. No one else can access it. On receipt of confirmation of requestor identity, you control the release of data to the requestor. An audit control dashboard provides proof of compliance when necessary.
Financial intermediary performing a custody function? Seeking to comply with SRD2? You need to understand how Instant Actions Creates a Secure Communication Channel. No Risk of Data Loss or Interception
All confidential responses should be encrypted but this introduces a real communication disconnect between the respondent and the issuer who probably has no company encrypted email channel. SWIFT provides a fabulously secure communication network but issuers are not on it. So what then? Go to Instant Actions to find out how using a Secure Digital Vault tackles identity and the encryption issues while providing a near-frictionless experience.
Financial intermediary performing a custody function? Seeking to comply with SRD2? You need Easy Demonstration of Good Governance to Regulators – The perfect audit trail
The right for issuers to request identity disclosure has existed In the UK since the Companies Act 2006 however SRD2 imposes fines for non-compliance, time lines for responding and extends the regulation globally – so that any entity holding shares issued within an EU constituency must comply. This is a dramatic shift. Firms will need to keep detailed audit trails that are easy to expose to the regulator. These records must also be immutable so that there can be no question that they could be falsified. Blockchain cannot do this on such an extensive scale. Every firm and intermediary would need to host the same blockchain underpinning a specific as yet to be designed audit trail function dedicated for this exact purpose. Then there is identity. There is as yet no common standard for enrolling an entity or personal identity – to a standard that would be verifiable to the world at large. IA incorporates Codel, a simple—to-use identity enrolment application that incorporates an SRD2-driven identity rule set for checking source identities, coupled to a widely available hash registry of digital fingerprints that prove the immutability of every enrolment process and each piece of relevant data. – all exposed within an audit trail dashboard for firms and regulators to check.
Fact sheets
Fact sheet 1 →
Shareholder identity disclosure and the need for a secure communication channel
Fact sheet 2 →
Secure digital vaults for communicating shareholder identities securely
Fact sheet 3 →
Receiving shareholder identification disclosure requests and what to do when you get them. A guide for intermediaries
Fact sheet 4 →
Shareholder identification disclosure - protecting yourself against phishing and employing good cyber security measures
Fact sheet 5 →
Issuer identity checking and referees - trust metrics for intermediaries to rely on identity for SRD2 shareholder identity disclosure
Fact sheet 6 →
About the Shareholder's Rights Directive and its impacts on intermediaries who now need to disclose shareholder identity
Fact sheet 7 →
Codel notarised identity enrolment for support of KYC and AML
Press release →
Instant Actions launches shareholder identity disclosure service