Compliance
As an institution subject to the German Banking Act (KWG), you are not only obliged to record telephone and video consulting calls, but also any electronic communication that relates to the processing of client orders in the securities sector.
The legislator ties the recording obligation to a whole series of complex requirements, which can be fully guaranteed with the MiFID Recorder. The archiving of the records must be audit-proof, subsequent changes must be traceable at any time, compliance with deletion periods must be ensured, and the records must be easily and quickly accessible from the customer’s business premises.
Only when these and other criteria are met will the records be legally secure and stand up to scrutiny by the relevant control bodies (BaFin, auditors).
As a financial investment intermediary with a 34f/34h license, you have been obligated since 01.08.2020 to record not only consulting meetings, but also any type of electronic communication with your customers in connection with your activity as a financial investment intermediary.
The legislator combines a whole series of technical requirements with the recording obligation, which an individual can hardly implement alone.
The archiving of records must be audit-proof, subsequent changes must be traceable at any time, compliance with deletion deadlines must be ensured, and the records must be easily and quickly accessible from your business premises upon request. Only if all these criteria are fulfilled will the recording be legally compliant and stand up to an external audit. With the MiFID Recorder, all these requirements can be met without any problems.
Only with a solution that has been comprehensively verified by independent bodies can the outsourcing company have sufficient security to classify the outsourcing partner as trustworthy, and comply with the very strict requirements of the EBA guidelines on outsourcing.
The appropriate means for this are IDW audits (German Institute of Public Auditors’ audits) by an auditor, and relevant ISO certificates, which validate all processes in the company and around the service.
In this context, MiFID-Recorder GmbH has the following certificates:
– IDW PS 880 for software products
– DIN ISO/IEC 9001:2015 (quality management)
– DIN ISO/IEC 27001:2017 (information security)
The MiFID Recorder does not archive the recordings in a cloud, but exclusively on its own hardware, which is dedicated solely to this purpose and operated in a highly secure data center (in Frankfurt am Main) in Germany. The infrastructure uses so-called WORM sealing, which makes subsequent modification just as impossible as deletion before the set storage period has expired. The data records are encrypted and stored redundantly, and auditability is ensured by an expert report prepared by KPMG.
Optionally, geo-redundant storage on the same hardware is possible in a second data center (Aschheim near Munich), which is also certified to the highest standards.
When contracted out to an external service provider, the recording and archiving of consulting meetings must be assessed as substantial outsourcing and must therefore also comply with the EBA guidelines on outsourcing.
The MiFID Recorder solution is technically, administratively, and contractually aligned with the requirements of customers’ compliance departments. MiFID-Recorder GmbH proactively provides proof that the regulatory requirements are met: all necessary evidence and certificates can be provided.
In this context, MiFID-Recorder GmbH fulfills all requirements to be accredited as a trustworthy outsourcing partner, and has always passed the corresponding review process by customers’ compliance and legal departments without any objections. The service is used on the basis of an outsourcing agreement, in which MiFID-Recorder GmbH also explicitly confirms compliance with the provisions of the EBA guidelines on outsourcing.
The customer’s effort to review the outsourcing service provider is therefore minimal.
The MiFID Recorder meets the highest requirements in terms of data protection and data security.
These include, among other things, compliance with the requirements of the GDPR (DSGVO), as well as the operation of the entire infrastructure exclusively in certified carrier data centers in Germany. As a result, all data and processes are additionally subject to telecommunications secrecy in accordance with the TKG and are therefore protected to the maximum.
Finally, data security is confirmed by certification in accordance with ISO 27001 (information security). The documents on which the certification is based, such as the declaration of applicability, data protection concept or emergency plan, can also be made available on request as part of the accreditation process.