Citigroup fine of nearly £13 million highlights ongoing MAR failures

The fine handed to Citigroup this summer is the largest yet for market abuse failures. The FCA found that Citigroup failed both to identify firm-specific risks and to implement effective surveillance. This high-profile case shows that even major international firms can fall foul of market abuse regulation. It’s another timely reminder to regularly revisit your market abuse risk assessment and make sure your monitoring arrangements are up to scratch.

The FCA announced that they were fining Citigroup Global Markets £12.6 million last month for “failing to properly implement the Market Abuse Regulation (MAR) trade surveillance requirements relating to the detection of market abuse.” With a fine of this size, the FCA are clearly demonstrating that they are prepared to go after deficiency wherever they see it.

The regulator found that Citigroup had failed to implement the requirements of MAR when it was introduced in July 2016. The firm took 18 months to identify and assess the “specific market abuse risks its business may have been exposed to” and which it needed to detect. What the FCA refers to as Citigroup’s ‘flawed implementation’ resulted in significant gaps in its arrangements, systems and procedures for additional trade surveillance, according to the press release.

Meeting the requirements of MAR continues to be a widespread issue. Our poll in June 2021 found that more than two-fifths of firms had not submitted a STOR to the FCA in the previous 12 months. This is likely to reflect ineffective surveillance arrangements or the calibration of these systems, underpinned by inappropriate identification of risks. The survey also found that over a third of firms were not confident that their market abuse risk assessment would stand up to scrutiny by the FCA. Given that we know clients continue to receive visits from the FCA, this is a significant cause for concern.

Making sure you’re on the right side of the Market Abuse Regulation

Your MAR framework must be comprehensive and tailored to a detailed risk assessment – it should highlight the specific risks the firm faces, not simply generic market abuse risks. All regulated firms are now expected to have properly assessed, understood and articulated the specific market abuse risks inherent in their business. The market abuse risk assessment is often the first document requested by regulators in a market abuse visit, and failings in the risk assessment may be seen to undermine the entire framework of controls applied.

The risk assessment should then shape the controls selected. Policies, procedures and surveillance approaches should all be closely informed by the risk faced. And expectations around surveillance in particular are rising, with only the smallest firms likely to be able to justify the absence of an automated surveillance system.

When it comes to implementing market abuse surveillance systems, it’s important to understand how systems are calibrated and why they are suitable. The system will also need operational testing to assess effectiveness. Policies and procedures should be fit for purpose and contain sufficient granularity on areas such as escalations. Staff and those performing controls should receive appropriate guidance and training, tailored to the firm.

How we can help

We can carry out health checks on MAR frameworks, to make sure they are effective and aligned to the regulators’ expectations. We also help clients to undertake an assessment of the market abuse risks they face, and then design effective policies, procedures and controls on the back of the assessment. We can test the robustness of surveillance systems and provide training on the key market abuse risks and obligations.

In partnership with KRM22, we offer a market abuse surveillance ‘managed service’, which combines a regtech solution for automatically identifying suspected abuse with compliance expertise and advice. The service is designed to address the fact that MAR compliance is a difficult process that many smaller firms do not have the expertise to carry out effectively. Clients fully outsource surveillance, which the Bovill team manages day-to-day. The only requirement for involvement from the client firm is where a need for escalation has been flagged. In addition, the team can provide monthly and quarterly information packs to risk management committees and provide input on governance structures.