ISCI – personal data under MiFID II

The challenge

Under MiFID II RTS 22, investment firms must include the natural persons data of the decision maker and/or client responsible for the execution of the transaction in their reports so they can be identified by the regulator.

Where transactions are carried out on behalf of non-EEA clients by trading venues, the venue must submit transaction reports which include clients’ natural persons data.

Under MiFID II RTS 24, trading venues and investment firms operating a Regulated Market, Multilateral Trading Facility (MTF), Organised Trading Facility (OTF) or Systematic Internliser , are required to keep the data, including natural persons details, of all orders for five years.

Transaction reports will therefore contain sensitive personal data and GDPR, which enters into force 25 May 2018, dictates that personal data should be kept in an identifiable format for no longer than necessary, after which it should be anonymised if firms wish to retain it.

The solution

CME Regulatory Reporting have developed a simple, innovative short code identifier service – Industry Standard Common Identifier (ISCI) – designed to protect anonymity, ensure operational efficiency and future compliance with GDPR.

ISCI allows investment firms and trading venues to substitute personal information (PI) and entity information (EI) in transaction reports and order records with unique short codes, so that it will not be possible to identify an individual or entity from the transaction reports submitted to the CME Regulatory Reporting hub for processing or from the order record keeping storage.


  • Short code generation ensures data protection.
  • Automated encryption: Data is both encrypted at rest, and encrypted in real time (using AWS Key Management Service).
  • ISCI service user interface: Entries can be made manually or by csv upload.
  • Multifactor authentication: domain authentification and single sign on (as provided by Okta).
  • Controlled access rights: Access is according to pre-defined user roles and entitlements.


  • Member firms can leverage extensive network of the world’s leading investment firms already connected to the ISCI service, meaning data only needs to be provided and updated once.
  • Easy compliance with MiFID II RTS 22 and 24 whilst fulfilling GDPR requirements.
  • Guaranteed data security with a provider backed up with robust technology.
  • Self-service model promises convenience and speed.
  • Data is never seen by anyone that does not need access to it lowering the risk of a data protection breach.
  • Maximum control over personal and entity data. Access to client data is granted on a ‘need to know’ and ‘least privilege’ basis and is monitored and fully auditable.

How does it work?

Transaction reporting

Our ISCI service is a robust ingestion and enrichment service where users upload, by a separate workflow, sensitive information into a secure and dedicated datastore allowing clients to send short code information only, into the hub to protect their anonymity in upstream processing.

ISCI service

Order record keeping

Clients and counterparties of trading venues, MTFs and OTFs submit the required data on orders referencing the ISCI short code to satisfy the order record keeping obligation.

ISCI service