A Closer Look at “Effective” Surveillance
By Martin Appiah, Director of Regulatory Affairs, EMEA, Eventus
On 17 May 2022, the U.K.’s Financial Conduct Authority (FCA) published Market Watch 69, its latest newsletter on market conduct and transaction reporting issues. For decades the FCA has been undertaking suspicious transaction and order (STR/STOR) supervisory visits and questionnaires in order to better understand and assess the way in which potential incidents of market abuse are being identified by authorised firms. This latest edition of Market Watch discusses some of the recurrent themes and observations from the responses to the questionnaires, as well as the FCA’s subsequent follow-up work.
The findings from previous visits and questionnaires, shared with the industry through the FCA’s Market Watch newsletters, also provide helpful insight into what effective surveillance looks like from the regulator’s perspective. In this article, we look back at previous supervisory visits and explore key components for a leading surveillance model.
Market abuse risk assessment
It is very clear that firms’ undertaking of effective market abuse risk assessments is of high importance to the FCA. In Market Watch 48, the FCA advised firms to “consider undertaking a detailed assessment of the market abuse risks to which they are exposed before designing a surveillance programme.” In Market Watch 51, the FCA also highlighted findings from their review that “firms who were not conducting regular market risk assessments had difficulty in demonstrating that effective controls were in place.”
Let’s unpack the importance of this message for a second. The key words here are: “before”, “regular”, “difficulty”, “demonstrating”, and perhaps most critically, “effective”. It seems as though the regulators are suggesting that even if you have controls in place, it will be difficult to demonstrate the effectiveness of those controls, if you have not identified and assessed the risks in the first place. Moreover, they also drew attention to the connection between the implementation of systems and controls, and the manner in which these need to evolve as the risks within the businesses evolve, requiring regular review of your market abuse risks.
My favorite word in here is definitely “before”. Far too often have I seen firms rush to implement a surveillance solution with little to no consideration of the firm’s business model and the market abuse risks applicable. The FCA touched on this point in Market Watch 51, where they spoke about the sophistication of post-trade surveillance tools varying according to the firm’s size and activities. For example, a surveillance tool built to detect market abuse in exchange-traded products is unlikely to be effective and fit for purpose for detecting market abuse in a fixed income or FX business.
I’m sure you’ve all heard the saying ‘poor data in, poor data out’ (clean version). In Market Watch 48, the FCA “identified concerns around the integrity and completeness of the data being used by firms for their surveillance routines”. And in Market Watch 68, the FCA discussed the monitoring gaps in the fixed income and rates markets and observed that, where firms had completed a detailed risk assessment, “these assessments often do not include business entered on a web-based platform, particularly orders which are deleted or otherwise do not result in a trade”. In these cases, the data is not even being identified, let alone assessed for its quality.
At the risk assessment stage, firms should consider the data sources and critical data elements required for each identified market abuse behaviour, across each asset class and business area. These were also the three main areas highlighted in Market Watch 69 as requiring consideration to achieve the “most effective assessments”.
Surveillance system implementation
A key theme from the FCA’s supervisory visits is a firm’s ability to demonstrate how the risk assessment influences its surveillance programme. The FCA considers “One of the most important aspects of a successful surveillance system appears to be the manner in which it has been implemented.” In Market Watch 48, the FCA saw “firms who appear to conduct the most appropriate and effective surveillance tend to use a market abuse risk assessment to identify where gaps may lie.” As a result, these firms implemented development and improvement programmes in those areas at highest risk, using the findings from their risk assessment to inform the decision-making process.
For this reason, firms must ensure that the risk assessment does not become a tick-box exercise that is carried out only when an audit or a regulatory visit is nearing. It is also not uncommon to find situations where a risk assessment has been appropriately mapped to the products traded, but the processes implemented to identify and control the risks were mainly insufficient. This tends to happen when there has been little or no calibration of the implemented system.
System calibration review
Once your surveillance system has been implemented, in line with your risk assessment, it is time to calibrate your system to ensure the appropriate alerts are being generated. It was noted in Market Watch 48 that “some effective surveillance programmes have involved significant and careful calibration of both the alert parameters and alert logic”, and that “constant refinement and testing of the alerts or surveillance routines has proven important to achieve effective and proportionate surveillance.”
In Market Watch 56, the FCA observed firms using average peer alert volumes as a measure of the appropriateness of their calibration, and expressed that firms “relying on peer standards, such as popular ‘out of the box’ alert settings, average peer parameters and average peer output volumes, will not necessarily satisfy MAR [Market Abuse Regulation] requirements.”
Each firm is responsible for making its own judgements about alert calibration, and firms risk failing to comply with MAR if they assume that because a certain calibration is appropriate for their peers, it must be appropriate for them. It is important for firms to assess their own specific, unique risk, and define the methodology to be used in setting the parameters in order to evidence how and why a parameter is set to a particular level.
Fast forward to Market Watch 69 and the FCA observed that some firms, even when they have identified insider dealing as a key risk and monitor for it, inhibit the surveillance system’s effectiveness by applying inappropriate thresholds to calibration. For a number of reasons, such as resource capacity, some firms use the parameters as a way of reducing the volume of alerts that are generated. In using the parameters in such a way, firms are significantly increasing their chances of missing potentially suspicious activity. In addition, with inappropriate parameter settings, firms may find it difficult to demonstrate that effective systems and controls are in place.
“Effectiveness” seems to be the regulators’ favourite word of late. Throughout all of their messaging to the industry, the main theme is effectiveness. To that end, firms should consider how they assess and demonstrate that their implemented systems and controls are ultimately effective on a regular and continuous basis in order to satisfy MAR requirements.
In Market Watch 47, the FCA suggested that management information (MI) could be used to identify “deviations in alert frequencies that may indicate that alerts are no longer appropriately calibrated.” Coupled with appropriate alert closure criteria, MI can be a powerful tool to test the effectiveness of procedures and to flag whether a particular procedure requires a parameter review or a more detailed, under-the-bonnet effectiveness review.
The Risk assessment, Implementation, Calibration and Effectiveness testing and review model, or RICE model, can ensure that your surveillance programme remains effective on a continuous and ongoing basis.
In the RICE model, the risk assessment and the effectiveness testing are the key drivers in achieving effectiveness. The findings from the risk assessment influence the implementation process to ensure that the tool is built to address your market abuse requirements. Once implemented, the procedures will require calibration using a previously defined calibration methodology to ensure a consistent and systematic approach is adopted in the calibration process. Once calibrated, and on a periodic basis, the procedures will require testing to ensure they remain effective.
Looking back at all the FCA Market Watch publications in and around effective surveillance has provided valuable insight into the vision of a leading surveillance process from the regulator’s perspective. Of course, there are other factors that require consideration to achieve effectiveness, such as the independence of your market abuse surveillance function, the alert review process and documentation, and the STOR escalation and submission process. However, the RICE model should be core to selection, implementation and the maintenance of continuous effectiveness.