IFRS 9, MIFID II, GDPR…: The Treasurer Facing Regulatory Constraints
These last few months have been marked by the implementation of various regulations that affect the financial professions, including IFRS 9 and MIFID II in January 2018 and GDPR in May 2018, in addition to the older French TRACFIN measures (2009) aimed at Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT). These systems, often heterogeneous and incompatible, tend to complicate the tasks related to the processing of financial data, but are a necessary step towards greater transparency and a strengthening of the rights of individuals. A closer look at these regulations follows.
IFRS 9, after IAS 39
IFRS 9 introduced changes to IAS 39, which revised the accounting classification of debt in the event of a “significant” change. Under IAS 39, it was sufficient to recognise the gain or loss relating to this change directly in profit or loss for the period.
The new standard requires the recognition of debt to be reviewed whenever there is a change, regardless of its significance. In addition, it becomes imperative to eliminate the original debt and replace it with the new debt discounted to the date of amendment.
This standard leaves the choice between two valuation methods for financial assets:
- At amortised cost: this scenario preserves the stability of the income statement and can only be applied to debt instruments (trade receivables, loans granted, bonds, etc.); it is the most favourable method if the company wishes to hold this asset until maturity.
- At fair value: unlike amortised cost, fair value reflects the volatility of these assets and their impact on the income statement. This method reflects risk exposure and is used when the company wishes to sell these financial assets before maturity.
NB: By default, financial assets are carried at fair value.
Two conditions must be met to apply amortised cost:
- The SPPI test (Solely Payments of Principal and Interest): this condition is met only if the cash flows categorised as assets consist solely of the repayment of the initial loan and the interest granted on the remainder of it.
- The business model: two scenarios govern this condition.
The first is the “hold to collect” business model, which consists of holding financial assets to receive their contractual cash flows, rather than selling the assets to generate cash flows. However, financial assets do not have to be held to maturity.
The second case is “hold to collect and sell”: unlike the first model, the objective is both to collect the contractual cash flows and to sell the financial assets.
Now more extensive, the scope of MIFID II covers hundreds of thousands of financial instruments, such as bonds, derivatives, carbon emission allowances, ETFs, listed funds, etc.
This Regulation defines the responsibilities between producers and distributors of financial instruments more explicitly, the aim being to provide the final client with more reliable information. With this in mind, several new features stand out: the obligation for companies to contract all investment service offers, to assess clients’ ability to bear the risk, and to inform clients about all the costs and charges associated with these acquisitions and about possible variations in the instruments offered depending on market conditions.
In addition, the regulation is firm on the necessary data retention (5 years for customers, 7 years for authorities) so that, among other things, all communications can be traced, including the order of actions and communications carried out during the life of the operation.
The GDPR is a regulation that reinforces the protection of personal data by giving natural persons whose data is processed the right to greater protection and transparency.
Companies now have an obligation to designate a controller and to keep a processing register if their number of employees exceeds 250 or if the data they process are at risk. In addition, they must carry out an impact study (PIA, for Privacy Impact Assessment) on the risks associated with this processing and the possible compromise of the data.
The GDPR (General Data Protection Regulation) is binding on treasurers: the processing of all personal data by the various tools must be expressly consented to by the persons concerned and legitimised by means of a concrete explanation entered in the processing register.
Cash management tools, such as a payment factory or a TMS, are likely to contain huge volumes of personal information, and regularly include risky data (e.g. bank identities), and therefore require the treasurer to take this new regulatory system into account.
The software publisher has a responsibility as a subcontractor and is therefore likely to process the same data, both in the context of application maintenance and quality assurance.
The contract that binds the subcontractor to the client must contain:
- the journey made by the data (the different countries where the subcontractors are located, as well as their contact details, even more so if they are outside the EU);
- the security measures taken to protect these data;
- the subcontractor's responsibility to fulfil its obligation to respond to requests made by individuals exercising their rights with regard to personal data;
- its responsibility to alert in the event of compromise of these data;
- all the information necessary to demonstrate compliance with these obligations.
Your software publisher can facilitate this compliance by offering efficient ways to manage this data, anonymization tools and automatic data deletion routines that run after the data has been processed.
AML/CFT (Anti-Money Laundering / Combatting the Financing of Terrorism) is a KYC (Know Your Customer) regulation that governs all structures dealing with financial transactions, forcing them to increase their vigilance and knowledge of their customers within the framework of the French TRACFIN system and its European equivalents. This vigilance must be accompanied by the reporting of their clients in the event of suspicion of money laundering or terrorism financing.
The Regulation also provides for several actions to be taken: freezing of assets, increased vigilance towards politically exposed persons, internal training and awareness-raising of staff.
A treasurer who processes this type of information daily is thus directly concerned. The treasurer can decide to use a dedicated AML/CFT module that connects to a Web service or an internal database to reveal whether a sender/receiver is on a blacklist, and therefore whether an operation (payment or collection) can be carried through to completion.
A Hard Compliance…
These regulations, covering finance and markets as well as any interaction with a natural person (GDPR), make the Treasurer’s work more complex, requiring very precise segmentation of data and particularly active legal monitoring. Although case law has not yet established whether the GDPR is likely to take precedence over the financial regulations, one can guess that this will not be the case. Indeed, it seems unlikely that the deletion of personal data could fully apply to a company’s financial information system, which could provide information on financial transactions (and on the various parties involved) to authorities hunting fraud (AML/CFT, MIFID II…).
In this matter, the actors concerned have already done laborious work to comply with the IFRS 9 and MIFID II regulations, which entered into force at the beginning of 2018. As for AML/CFT, in existence since 25 June 2009, the parties concerned have already had to comply with it, but technologies (blockchains in particular) and innovations are beginning to emerge, aimed in particular at helping to comply with these standards, and even at automating this processing, and treasurers firmly expect them by 2020.