Market abuse – getting regulator ready

Firms must ensure their market abuse compliance is up to scratch

Market abuse remains a hot topic for the regulator. The FCA is asking increasingly difficult and detailed questions, right down to the individual calibration of alerts and specific field indicators. There have been significant fines in the last couple of years for non-compliance with market abuse regulations, and many of these were for weaknesses in the control environment itself, rather than there being any actual evidence of market abuse occurring.

At Bovill events this year, 37% of respondents said they were either unsure or not confident that their market abuse risk assessment would stand up to FCA scrutiny. There are some key questions you should ask yourself to make sure you’re prepared for an FCA visit.

The market abuse risk assessment

The regulator’s focus continues to be the market abuse risk assessment. This is a de facto requirement through the FCA’s supervisory work. If you don’t have a market abuse risk assessment in place when the regulator comes to visit, it’s likely you’ll encounter significant challenges. There are several elements to think about when completing the risk assessment:

Is the design comprehensive?

Have you thought about all of the abusive behaviours that are identified by the Market Abuse Regulation (MAR)? Have you considered the annexes, the delegated acts, the guidelines, and have been thorough in your approach to identifying all of the risks that could apply in the context of your business? The FCA will also expect a negative risk assessment – that is, if you’ve concluded that something is not applicable, they will want to see the justification for why.

How have you involved front office?

A key element of the risk assessment which is often overlooked is the front office. As the ‘first line of defence’ the regulator expects the front office to be able to demonstrate knowledge and understanding of its role, and when it should escalate to Compliance. Firms need to demonstrate that the front office team have been trained recently and that the training is tailored to the particular needs of the firm. The front office are an excellent resource in identifying both individual cases of market abuse, but also where the risks lie and where the potential weaknesses are. The FCA expects the front office to talk knowledgeably about market abuse risk the firm faces and their obligations to the FCA.

Making sure you’re not generic

The prime watchword when it comes to market abuse risk assessments is ‘generic’. It is not enough to copy and paste everything from the Market Abuse Regulation. Rather, everything you include needs to be contextualised and carefully considered. The regulator will want to be able to draw direct lines between the risks you’ve identified and the controls that you’ve applied. For example, if you’ve identified pump and dump as a risk, do you have a pump and dump surveillance alert? Has it been calibrated in a way that’s appropriate to that risk? If you’re using non surveillance controls, are you being thorough about how they’re documented in training? Firms should make sure to make a clear connection between their uncontrolled risk and the controls applied, and have a view of the level of controlled risk that remains.

Policies and procedures

It wouldn’t be an FCA visit without an examination of policies and procedures. Again, ‘generic’ is the watchword: the FCA expects the risk assessment and the policies and procedures document to reference one another. The policies should be driven as a control to address the risks that result from the risk assessment itself. And, of course, they should be tailored to the business and the specific risks and controls that are applicable in your case.

Suspicious Transacting and Order Reporting (STOR) policies is also an area to look out for. Our research found that 41% of firms said they hadn’t submitted any STORs in the last 12 months. This is a worrying trend, as the regulator will expect good record keeping of your decision making in all cases. At Bovill we have also seen many firms roll the STOR process into a more general market abuse policy, as often the level of coverage around the STOR process can be quite minimal. There is an expectation, however, that firms have a very clear description of the assessment process: what will become a STOR, what won’t and what will become a near miss, and who they will be escalated to and how.

A long-standing area of focus for the FCA on policies and procedures is making the connection between the financial crime guidance AML and market abuse. From the FCA’s point of view, where market abuse occurs, there will almost always be proceeds of crime. Therefore, there’s an increasing expectation that every STOR is accompanied by a SAR and that you’re using information from both processes to form your understanding of individual client risk. In other words, if a client has undertaken high risk behaviour from a market abuse perspective, is that getting fed back to the financial crime team and built into their assessment of the risk associated with that client and vice versa?

Surveillance arrangements

Surveillance is another topic of increased attention for the regulator, evidenced by recent enforcement actions. Firms mustn’t see surveillance as a tick box exercise. ‘Off the shelf’ systems require proper calibration. Questions firms should ask themselves about their surveillance system’s adequacy include:

  • Have you identified which of your risks are relevant for surveillance type controls?
  • Can you draw a link between the specific risks you have and the specific surveillance tests that the system is able to deliver?
  • Have you got other controls in place to ensure risk is properly mitigated in the absence of surveillance?

In March and April last year, we saw many firms caught out by fixed parameter systems which generated a very large of number of alerts as a result of the sudden increase in market volatility. The FCA does expect you to be revisiting your calibration periodically, determining if it’s still relevant in the current market context and updating appropriately.

Right now, this should include consideration of the pandemic and the particular market abuse issues it entails: are people are working from home? Are new technologies being used such as WhatsApp and WeChat and can they be monitored? Ultimately firms need to identify where gaps in their surveillance are opening up due to changes in business practices and technology. This is particularly pertinent to reconsider given the FCA recently published its guidance on remote or hybrid working expectations for firms, acknowledging that the working environment has changed irreversibly.

Governance and culture

Finally, it wouldn’t be an FCA review if there wasn’t at least some examination of governance and culture. The key points we’re seeing the regulator raise are the level of senior management involvement in market abuse oversight. Questions they may ask include:

  • Do senior managers understand the firm’s market abuse risks?
  • Can they articulate what the controls are?
  • Have they been involved in the review of the control framework and satisfied themselves that it is adequate and appropriate?

The regulator will want to know what kind of information senior managers are receiving about the number of surveillance cases and the trend in the number of STORs in market abuse risk within the organisation. Firms need to ensure there’s appropriate information reaching senior management to keep them informed of market abuse risk.

Market abuse is going to remain a focus for the regulator over the coming years. The FCA has a team dedicated to market supervisory work, in particular market abuse risk assessment and surveillance and how the two are linked together. The regulator’s investigations can be disruptive and both time and resource consuming, so we recommend firms spend time now to ensure they are prepared.

Want more insights like this?

Join our mailing list