Surveillance Blog

Is compliance a priority for Europe’s regulators?

Written by Simon Brady | 10/20/22 1:00 PM

While in the US regulators are clamping down on the basics, in Europe it’s still unclear who is compliant with what. In a recent conversation around the US enforcement actions on message channel capture, 1LoD was told in no uncertain terms by a senior Global Markets Compliance Surveillance professional at a major German bank that ‘in Germany we are not allowed to do e-Comms surveillance’.

We have previously been told that significant US and other European institutions follow the same policy in Germany and that there are similar coverage gaps in France, some Nordic countries and elsewhere.

So does Europe have its own, worse, coverage problem? Should we be worrying about new channels like WhatsApp, the surveillance of video embedded in collaboration tools, or advanced AI-driven analytics, if in reality banks are not yet capturing and analysing basic e-Comms or voice?

And since the regulators know about these coverage gaps, why do they not have more to say about them at a time when their counterparts in the US and UK are becoming stricter? It seems unfair that banks in the US face $200 million fines when in Europe far more significant coverage gaps result in no action.

It’s also simply not true that privacy laws automatically provide an excuse for what would appear to be non-compliance with core European anti-market abuse and anti-financial crime legislation.

Now it is certainly the case that German law makes e-Comms surveillance more complicated, particularly if employees are allowed to use their own devices (BYOD) or work-supplied devices for both work and private communications.

But the answer to that is to mandate the use of corporate devices for all business communications and to ban any private communications from those devices. This is in fact what some banks outside Germany believe they may also have to do to deal with the recent enforcement actions around messaging in the US.

Some banks in Germany have also successfully negotiated with their works councils (Betriebsräte) to ensure they are able to carry out their duties under MiFID II and MAR. German law permits surveillance if it has been negotiated into a works agreement or a collective bargaining agreement.

It is also possible for an employee to give their consent to specific data processing contractually, though there are legal wrinkles to this: under the GDPR, consent given within an employment relationship is often not regarded as freely given because of the imbalance of power between employer and employee, so it is a weaker basis than a works agreement.

Similar workarounds are available in other countries. So the real question is this: why have the regulators – and potentially legislators – not been more like their US counterparts in enforcing compliance around market abuse?

Some banks say that the difference is cultural: US regulators take a hands-off approach until they find something wrong, and then come down hard, whereas European bodies engage in more continuous dialogue that obviates the need for sudden clampdowns. That may be true, but it doesn’t explain tolerance of widespread failures to surveil the communications of regulated employees. Perhaps it simply isn’t a priority for Europe’s regulators. If so, what is?