Conversations And Computers: The Modern Regulator’s Toolkit
With Greg Yanco, Senior Executive Leader, Market Supervision, and Nathan Bourne, Senior Manager, Market Conduct Team, Australian Securities and Investment Commission
Political uncertainty, algorithmic errors and cyber-attacks can all destabilise a market, but the Australian Securities and Investment Commission (ASIC) believes it has the framework and technology to handle the challenges as they come.
Threats to stability
Recent volatility brought on by political events illustrates how we always want to make sure the industry is prepared to manage volatility. The unexpected Brexit referendum result is a good example, as successful planning by all within the industry meant the subsequent volatility was well managed. Disruptive threats are common, whether a political event, an economic shock, a terrorist attack or even war. ASIC’s role is to help market participants coordinate and communicate effectively with their counterparties in the trading systems.
Working with the Australian Stock Exchange and the Reserve Bank of Australia, we oversee the clearing house for equities, set capital requirements for non-bank financial institutions and monitor the businesses they are in to ensure they manage their risks appropriately.
We are also keen to make sure that firms have the right security layers in place to adjust their intraday risk exposures and reduce positions as needed. We speak to participants about their ability to adjust their risk exposure quickly or in an automated fashion, and Brexit was a good test case, because everyone knew it was coming and the systems worked well. However, the real test is the one people do not expect.
Beyond economic and financial threats, we are reviewing the potential impact of cyber incidents on the financial markets ecosystem, and in particular, critical markets infrastructure providers and participants.
ASIC expects the regulated markets to remain the gatekeepers and strongly encourages them to consider their cyber resilience as a key part of their enterprise risk management obligations. We have published two reports on cyber: firstly, the cyber resilience health-check report (Rep429) which is aimed at raising awareness among our regulated stakeholder population, and highlights the obligations on businesses to effectively manage cyber risks as part of the business risk management processes. Secondly, ASIC published a report (Rep468) on the cyber resilience of the two major Australian market operators, and shared in this report a number of cyber health management governance and “Good Practices” recommendations for businesses to consider in order to improve their resilience. These Good Practices are drawn from wider engagement with investment banks operating in Australia following a self-assessment process conducted by ASIC.
System account hacking occurs intermittently, but we have detected these attacks early on through our market surveillance systems and ensured they were unprofitable.
ASIC has also established an emerging risk committee to examine events in other parts of the world. We, along with other regulators, recognise the risk of a cyber security incident has increased, both in terms of frequency and impact.
Cyber resilience is a high priority for ASIC, and we have developed a strategy that aims to advance awareness and understanding of the cyber threat landscape, and introduced mechanisms for improving resilience across our regulated entities. In particular, our focus in 2017 will be to work with our population of mid- and lower-tier firms to assess their cyber resilience profile through a process of self-assessment. These firms can be more susceptible to cyber threats if they are not able to access appropriate cyber security skills and put in place adequate risk mitigation plans.
Culture and conduct
As a markets and conduct regulator, ASIC sees organisational culture as a significant driver of conduct within firms. Good governance is one of the core elements of a positive organisational culture.
We are incorporating more cultural indicators into our risk-based supervision and will use our surveillance findings to better understand how culture is driving conduct among those we regulate. ASIC is also looking out for cultural indicators that suggest we should take a “deeper dive” into issues concerning poor conduct, for instance, when policies are not aligned with what employees say or do, or there is a lack of action when things go wrong. An example of what ASIC might look for during our surveillance work is how responsive senior management or the Board is when a control team raises an issue for consideration: is the issue taken seriously and dealt with, or is it ignored?
We think that there are a number of key indicators of a healthy culture. These include the tone set from the top, such as core values, which are cascaded to the rest of the organisation, and translated into business practices. These need to be backed up by a true sense of accountability, effective communication and challenge processes, appropriate rewards for staff and strong governance and controls.
We are currently completing a survey of market participants and investment banks on conduct risk and will be providing feedback to individual firms involved in the survey. It examines how regulated entities are actually reflecting the firm’s values in their internal policies, business practices and governance structures. The next step will be to validate those processes through reviews of documentation and interviews.
There is a wide spectrum of firms in our regulated population – from the very small to global institutions. Some of the larger firms have multiple regulators working with them on the same issues, and they have well-structured teams, processes and escalation channels to deal with conduct issues. However, in some cases we have seen evidence where glossy presentations to regulators have not translated into traction at an operational level, that is, to the business practices of staff on a day-to-day basis.
Technology and market cleanliness
ASIC received additional funding for a new surveillance system that enabled us to build on our real-time surveillance to do deeper data analysis. ASIC can now perform analytical work equivalent to that done by other top international regulators and academia. Our recent market cleanliness work is a good example of this, which allowes us to measure the efficiency and integrity of different segments of our market as well as isolate suspicious trading. With improved time series data we will have a better idea of how results evolve, conduct further analysis and accumulate intelligence.
We are also exploring machine learning of natural language and pattern recognition. We are talking to colleagues in other markets about the tools they are building and what they are finding. ASIC first identified latency arbitrage in dark pools 18 months ago, and two other markets have seen the same issue and they might learn something and share it with us. We are a flexible regulator with diverse ways to cut through market activities and more efficiently spot abuse.
In response, we hope the industry takes these capabilities seriously. Most brokers have surveillance over their own activities, so we ask brokers and trading venues to report suspicious activity. When we identify a negative trend or direction, we can bring it to their attention to get them to alter their behaviour. When another problem arises we want the flexibility to respond accordingly.
We’d love to hear your feedback on this article. Please click here