Surveillance: Is Real-Time the Right Time?

MiFID II. MAR. Dodd-Frank. Most regulations have a common focal point – maintaining market integrity. Now more than ever, however, markets are vulnerable to bad actors. And surveillance is the quintessential tool for catching them.

But what if you could actually use surveillance as a way to keep bad things from happening in the first place? Or at least keep them from getting out of control?

Near-real time surveillance is possible today

"We are definitely seeing a push for near real-time in client requests; our clients want to ensure that they’re able to identify and investigate issues as quickly as possible, to reduce their risks," said Amar Bhandari, Sr. Product Manager, NICE Actimize. "Today, we work with several financial services firms using near real-time surveillance, including a top ten bank, and we’re in active discussions to sign additional banks as well."

The fact that brokers are now looking to enhance their surveillance from a routine end-of-day (or next-day) activity to more of a real-time proactive approach shouldn’t be surprising. Firms already monitor other potentially problematic activities as they’re happening. For example, it’s common practice for banks to monitor and hold (or even stop) extremely large orders or order-entry rates above a preset threshold, a practice known as throttling, to minimize risk for clients and themselves.

Having a near real-time surveillance solution would also help assist and mitigate the risk exposure for firms, similar to how circuit breakers are used on exchanges during periods of highly volatile trading activity. These circuit breakers help pause trading in a stock if its price moves beyond certain thresholds.

The real-time trend is being embraced by market operators for market abuse detection as well. "For market operators in particular, because they have the data within their four walls, they’re able to do real-time surveillance more easily," said Paul Cottee, Director, Compliance Line of Business, NICE. "So they’re often able to pick up on something within minutes of it happening. If they see a potential market abuse situation developing, they want to be able to jump on it quickly. With this mindset, we believe that market operators and regulators will inevitably put more pressure on banks and brokerage firms to do the same."

Surveillance: The Move from End-of-Day to Intraday

Today, most firms perform trade surveillance as an end-of-day or next day process (what’s commonly referred to as T-plus-one).

But, Bhandari says, there is an inherent limitation in this approach. "If your firm is only running surveillance as a batch-based program, there are many hours throughout the day where if a problem had occurred, you wouldn’t have been able to catch it quickly and take corrective action." He also points out, end-of-day or next-day batched surveillance just means the alert is there waiting. Beyond that, there’s also additional investigation time required. "The sooner the firm can get the alert into the hands of the analyst, the quicker the issue can be investigated and resolved to mitigate any potential risks," Bhandari added.

With NICE Actimize’s cloud-based surveillance solution, SURVEIL-X, firms have the option to run surveillance on trades and communications at the end of the day or start of the next day (batched), or on a more real-time basis (intraday).

SURVEIL-X’s near real-time surveillance offers all of the same detection capabilities as end-of-day surveillance. The only difference is – it can catch potential problems exponentially faster. In financial markets, where every minute matters, this can make a big difference.

Instead of ingesting and analyzing data at the end of the day, SURVEIL-X marries up trade, communications and market data and runs this data through analytical models as soon as it’s received (typically within 15-20 minutes of an actual trade or communication taking place). How quick the data is analyzed depends on how fast firms can push it out.

Most market abuse behaviors play out over a period of time. Cottee explains: "Depending on the type of abuse you’re looking to detect, for example, if a trader is trying to influence a closing window or benchmark observation period, or ramping or spoofing, it could take minutes or even longer for a scenario to play out. Once the observation window is closed, an alert can be generated."

Cottee says the infrastructure needed to support near real-time surveillance largely exists today. "We’re already getting real-time market data on the exchange side. With respect to banks and brokers - that’s where the bottleneck is more likely to be. Some are really cutting-edge and already doing near real-time surveillance and others are a bit behind."

Making the Case for Near Real-Time

To make the case for near real-time detection, it’s important to consider why firms surveil trades and communications in the first place.

"They do it for two reasons," said Cromwell Fraser, Sales Director, Financial Markets Compliance, NICE Actimize. "First, they do it for regulatory requirements, although at least currently there’s no specific requirement for real-time. There’s just a requirement for detection." But according to Fraser, another strong driver for surveillance is to be able to demonstrate best practices and strong controls, both to the market and to regulators.

"Regulators are watching activity in the market far more often nowadays," Fraser points out. "Data is available to them very quickly, so they are more likely to raise questions when they spot something concerning. If you’re doing end-of-day or next day surveillance, your firm is already on the back foot. That’s why firms want near real-time detection."

While there’s no specific regulatory requirement, Cottee says near real-time surveillance just makes sense. "If someone’s doing something at nine o’clock in the morning, and you can prevent it by nine-thirty, that’s a sight better than going the whole day and not picking up on it. If you wait twenty-four hours, there’s already a day’s worth of damage done."

And, Cottee says, the expectations of market operators are already changing. "If an exchange can detect a wash trade effectively in real-time, then they’re not going to be happy if there’s a rogue trader pumping out wash trades in quick succession and that goes undetected by the firm until the next day."

Cottee believes that as more firms jump on the near real-time surveillance bandwagon, regulatory expectations are likely to change as well. "Today, regulators are being pragmatic and they’re not really pushing it, but like a lot of things, it’s becoming less hard to do," he said. "So, will there be more pressure? I’d say ‘yes.’ Once regulators see it’s possible, they’re going to say firms should be doing it."

The New Normal: Ripe for Near Real-Time Surveillance

Today’s volatile markets, higher trading volumes, and teleworking are creating an environment which is more susceptible market abuse. Can near real-time surveillance provide a better safety net? Fraser believes so.

"The world has changed," he said. "From what we’re hearing, regulators are very nervous about things like insider dealing now because regulated employees aren’t on a monitored trade floor anymore. They’re all over the place. Also, the market’s far more volatile. And of course, the markets need to be protected, that’s the regulators’ role. So, I think everyone is looking for new tactics to see what’s going on in the market so market abuse can be brought to light much sooner."

Bhandari agrees: "With volatility and big price swings, that puts firms at greater risk with every trade." He cites a hypothetical scenario where traders might not intentionally set out to deliberately do something wrong but get caught up in the dynamics of a volatile market.

He explains: "Let’s say a stock price suddenly goes up. Traders might see this massive upward price movement in the stock, and start putting trades in. Before you know it, their actions are actually ramping up the price of the stock, and adding more risk to the market."

With a T+1 surveillance program, this type of activity wouldn’t be detected by the firm early enough to do anything about it, because trading managers wouldn’t know about it until the next day. On the other hand, if trading managers could be alerted through real-time surveillance, they could act before things spin out of control.

"With near real-time surveillance, you can essentially pump the brakes," Bhandari explains. "The ability to identify risks intraday allows compliance analysts to alert compliance managers, and even trading managers of activity that looks suspicious, so they can introduce risk controls immediately, rather than waiting a day or two later."

Catching Collusion and Detecting Intent

Near real-time surveillance on communications can also be helpful in terms of catching collusion and detecting intent.

If you think about it, the intent to engage in bad behavior is often revealed in communications before an action actually happens. For example, a trader might share nonpublic information with a client, or traders might collude with each other via email or chat to ‘talk about’ how they can influence the market to their advantage. If firms can detect these nefarious intentions before trades happen, they can avoid potential fines, embarrassment and legal ramifications.

Cottee reiterates that the purpose of near real-time surveillance is ultimately intervention. "If a bystander saw a car speeding up the street and continually going through red lights and crossing lanes, they’d call the police, who would then either chase the person down or set up a road block to catch that individual before they could do any real harm. That’s the point of near real-time surveillance."

Near Real-Time Surveillance and High Frequency Trading

High Frequency Trading (HFT) is another area of trading where near real-time surveillance is essential.

HFT, a type of trading that uses computers to execute large volumes of orders at very fast speeds, is prone to market manipulation because programs and algorithms can be easily altered by a single ’bad actor’ with malicious intentions. The volume and velocity of programmatic trading can amplify the speed and impact of market manipulation.

For example, if an algorithmic program is set up to do spoofing on a sub-second level, it could be doing spoofs hundreds or even thousands of times a day. By deploying near real-time surveillance in conjunction with HFT, this type of activity can be detected right away before a rogue employee or client has had the opportunity to defraud many more unsuspecting victims.

But near real-time HFT surveillance isn’t just about catching bad actors. Software glitches can be equally damaging.

Paul Cottee, who has conducted surveillance at major buy- and sell-side firms, cited a case where a brokerage firm had detected a high number of alerts for a client (generated for HFT trades). "It turns out the client had adjusted an algorithm, but got a line of code wrong," he said. "The firm didn’t catch it, but the broker did, through their automated surveillance program. The downside is, it was only caught the next day, and by that time the firm had already racked up a lot of illegal trades. Near real-time surveillance would have solved this problem."

In another highly publicized incident, an HFT computer glitch caused a firm to lose a half-billion dollars in under an hour.

"When large volumes of trades are made at the speed of light, firms need a surveillance system that moves at the speed of light too," said Fraser. "This is just one of many powerful use cases for implementing near real-time surveillance with SURVEIL-X."