Instant Actions has released a ready-to-implement solution to address the data risks created by the Shareholder Rights Directive II (SRD II).
SRD II, which came into force on 3 September, requires firms providing share custody to disclose client identities and positions when requested to do so by issuers.
James Zorab, CEO of Instant Actions, explained that the new legislation does not sufficiently address the issues of confidentiality, secure communication or the control of data.
Instant Actions’ new service is set to provide globally verifiable company announcement information to the markets.
The service will also protect intermediaries and shareholders from the risk of unauthorised phishing of their data by authenticating both the validity and identity of the requestor.
Additionally, Zorab highlighted that the General Data Protection Regulation (GDPR) complicates the risk. He said: “How will firms simultaneously satisfy their obligations to disclose data under SRD II and seek customer consent to keep data private under GDPR? If they get it wrong, they face fines of up to €5 million for SRD II and up to €400 million or 4 percent of turnover for GDPR.”
According to Zorab, Instant Actions will take in and authenticate identity disclosure requests in any form, including the new ISO standardiSed messages Seev 45-49 developed by
SWIFT.
SWIFT messages are “perfectly secure for point to point communications and adequately prove the source of origin, but they do nothing to prove whether the reply address has been changed, as would be the case in a phishing attack, if these messages are forwarded on to the next intermediary in the chain,” Zorab said.
This obligation to forward requests onwards through the chain is a specific requirement set out clearly in the directive with which intermediaries are obliged to comply.
Zorab commented: “There is a very real risk of bad actors masquerading as issuers and obtaining highly sensitive shareholder data. The financial consequences of this could be
very significant but the reputational impact could be crippling for businesses. We were shocked to learn that some intermediaries were planning on communicating this highly sensitive data un-encrypted and by email. Our solution provides a secure, auditable way of locking out those bad actors.”
