Regulatory Scrutiny: Maintain a Controlled Environment
April 20th, 2016
The regulatory fines associated with insider dealing, market manipulation or the misuse of inside information are good sources of information for firms. For example, they often show the extent of regulatory scrutiny once a breach has been detected.
Over and above any forthcoming legal, financial and reputational damage associated with a breach of either the Market Abuse Directive (MAD) or the imminent Market Abuse Regulation (MAR), there is the concern that any compliance investigation would scrutinize the following: governance arrangements; competency of staff (particularly senior management); systems and controls; policies and procedures; board awareness and culture; and training (horizontally across business lines and vertically up to non-executives at board level).
A brief breakdown of the recent GBP 1.2m fine and restrictions imposed by the UK’s Financial Conduct Authority (FCA) on W H Ireland Limited (WHI), a firm which at the time of its fine held approximately £2.5bn of assets under management, serves as a good reminder of the expectations the UK regulator has of firms maintaining a comprehensive control environment to protect against market abuse risks. For example, breaching the FCA’s Principles for Business (PRIN) and Senior Management Systems and Controls (SYSC) rules will certainly accrue negative points on top of any other uncovered wrongdoing.
There are many points of failure to consider when maintaining an adequate control environment. For example, is your oversight effective or deficient? Are senior management kept informed of the adequacy of MAD (and MAR) controls? Is there timely provision of management information fed by surveillance metrics? When was the last risk assessment conducted on compliance monitoring?
In the case of WHI, the FCA found that the firm’s monitoring was “not based on a proper assessment of the nature and seriousness of market abuse”. WHI’s compliance plan merely set out ways in which market abuse could occur, and it did not detail “the compliance department’s role in relation to market abuse or a timetable of activities to be undertaken…”.
The list of areas to consider continues, with requirements for a formal risk management framework around market abuse risks and effective controls to ensure firms can manage their inflows and outflows of inside information (an important focus of MAR). Firms will need to review policies and procedures including those relating to wall crossing, effective information barriers, conflicts of interest, market soundings, disclosure, personal account dealing (PAD) and separation of research staff from corporate and private client staff.
Firms will also need to assess the capabilities of their surveillance system. For example, determine whether detection parameters and thresholds match specific business activities and the full breadth of MAD or MAR risks. Assess whether alerts are calibrated appropriately (or, for example, set too narrowly to be effective). Additionally, ensure the compliance team is able to review exceptions produced by the surveillance system in a timely and consistent manner.
As per the list of areas scrutinised, firms will need to question whether or not governance arrangements extend to clearly allocated responsibilities, reporting lines and accountability.
Firms should assess whether they have a formal way of identifying and recording what training has been given and to whom, with sanctions in place for non-completion. A good practice is to ensure training is considered as part of the appraisal process. Additionally, an understanding of training should be shared with those conducting surveillance, as it may help develop their risk-based approach.
Firms can do more to ensure they have coverage of regulatory and legal risks. For example:
- Linking Personal Account Dealing (PAD) with knowledge of IT web alerts (e.g. day trading sites);
- Using insight on Outside Business Interests (OBI) to develop surveillance. For example, non-declared OBI could give Compliance a soft indicator of individual attitudes towards circumventing policy. Are they in a high-risk area? Does their OBI create a perceived conflict of interest?
- Innovating by incorporating HR data, operational loss metrics, and awareness of data migration as well as login access of joiners, movers and leavers into surveillance team feeds; and
- Assessing if surveillance can monitor trades in real time against insider lists or categories of staff whose professional activities have a material impact on an institution’s risk profile.
As we all know, getting compliance wrong can lead to serious problems (fines, sanctions, prison). Regulatory fines associated with market abuse, market manipulation or misuse of inside information are a rich source for firms looking to gain an insight into regulatory scrutiny – and where they need to focus strategic change.
Originally written by Mark Follows