Interactive Brokers market abuse fine re-emphasizes wider regulatory messages
6 February 2018
The £1m fine levied upon Interactive Brokers for market abuse failings may not have made the same headlines as some of the eye watering financial crime related fines over recent years, however the messages coming out of the FCA should make all firms sit up and take action. Although market abuse focused, failings identified have direct applicability to a number of financial crime related controls.
At the core of the issue was the trade surveillance controls. In the first instance this was performed by a Group entity in the US. The FCA criticised the firm for not having input into the design and calibration of a control to monitor UK related activity. The control was a Group control that did not distinguish between jurisdictions and therefore was not tailored to the UK. In addition there was a lack of testing to assess the effectiveness of the control as well as a lack of oversight of the Group function in the US who performed the first level monitoring.
The fine relates to market abuse but this could easily be substituted for transaction monitoring, sanctions screening, or PEP screening to name 3 controls. The FCA has sent out a clear message that where controls are performed outside of the UK, for example in the Head Office country, UK firms need to:
- understand how systems are calibrated and why they are suitable for the UK firm
- perform operational testing of the system to assess effectiveness to the UK firm
- undertake QA in relation to controls executed outside of the UK
- ensure policies and procedures being used by teams outside of the UK are fit for purpose and contain sufficient granularity on areas such as escalations
- ensure those performing controls for UK firms have appropriate guidance and training that is tailored to the UK firm
Questions senior management of UK firms should be asking themselves are:
- Which controls are performed overseas?
- What input have we had into the design and calibration of controls that we are relying upon?
- Have we tested the effectiveness of systems?
- What oversight do we have of the outsourced activity (particularly as we retain responsibility)?
- Do we have clear SLAs in place to manage outsourced activity?
- Are the policies and procedures used by the outsourced function relevant and practical to the UK?
- Have we provided appropriate training and guidance suitable to the UK to those performing controls on behalf of the UK?
If you would like to discuss practical approaches to managing your control framework please get in touch.