In October 2020, during a virtual City Financial Global event, Julia Hoggett expressed her views on the challenges presented by surveillance amidst remote work on a personal and professional level. Julia, the director of market oversight at the Financial Conduct Authority (FCA), addressed key areas that the financial sector should focus on with regards to fine-tuning their surveillance strategies, such as: risk assessments; primary markets; surveillance alerts; STOR submission; personal account trading; and data.
It has to be said that, globally, we are all affected by the proliferation of remote work (who hasn’t been accommodating meetings via video conferencing with children running around in the background?). This is the new norm, and one that we have already begun adapting to.
But the global pandemic has pushed weight on market abuse surveillance more than anything before. With everyone working from home, bad actors may be more likely to break firm and regulatory rules under the assumption that no one is watching.
Monitoring for Evolving Risk Exposure
The FCA has approached this new world with “a clear-eyed focus on ensuring markets work well for consumers, ensuring that they are orderly and that they are clean whatever the times and whatever the challenges.” Now—what does this mean for compliance officers?
Julia stressed this repeatedly at various virtual conferences held in 2020: Firms need to work with agility and not solely rely on traditional methods of detecting bad behaviours. She explained:
I understand why it is often tempting for firms to look purely to the behaviours described in recitals in the Market Abuse Regulation (MAR) or to utilise “out of the box” alerts from certain technology providers. However, whilst that may provide assurance that you have followed a process, it may not provide assurance that you have effective controls in place to mitigate the risks that you actually face.
Though the primary markets have been widely affected by high volatility since March 2020, the FCA found it “remarkable how well the core infrastructure and participation in the UK wholesale markets functioned as we all transitioned to a world in lockdown.”
Still, with working environments turned upside down, it became critical for firms to ensure effective controls over insider information and confirm that information barriers were in place. Many compliance officers began by reviewing insider lists and confirming who qualified for surveillance more frequently than they previously did.
As one example of a unique risk introduced by widespread remote work, many firms were challenged this year with controlling insider information and managing conflicts of interest for employees who lived with someone working for another financial institution. Some firms chose to ask these employees to work in approved spaces. In other cases, employees were forced out of specific project areas to maintain effective information barriers.
No matter what approach is implemented in such circumstances, major updates to risk assessments—the heart of any firm’s compliance framework—and communication surveillance strategies moving forward have been necessary.
Surveillance responsibilities of firms also increased when markets became sensitive to the economic effects of COVID-19. Compliance officers were hit with a surge of trade and communication alerts that required further investigation. To address this influx, many firms decided to work closely with surveillance vendors to help reduce false positives and apply new methods of surveillance that could refine the alerts their analysts were receiving.
The FCA advised that firms not only utilise new communication mechanisms but, “before they are used, have controls in place where required and their use be approved by firm management.” Regulators stress that obligations haven’t changed, and therefore firms adjusting to remote work models need to change the methods they use to detect market abuse—and be prepared to do so with agility—rather than change the behaviours they look for.
In other words, firms must further calibrate their surveillance systems and update thresholds more frequently to ensure that the output remains meaningful.
Discerning “Reasonable Suspicion” Before It’s Too Late
Once an alert is triggered, the process of reviewing and escalating it must remain the same regardless of the market conditions. Therefore, what compliance officers should be wary of is whether a given alert meets the bar of “reasonable suspicion.”
There would be no justice in thinking that all alerts are only unusual due to current market conditions—but making this call on each alert certainly has some contemporary complicating factors in 2020 and beyond. This also affects the quality of Suspicious Transaction Order Reports (STORs) submitted to the regulator. The FCA will not accept that, due to a surge in alerts, the time taken by a firm to submit a STOR went beyond a reasonable window from the event occurring.
Even—perhaps especially—now, the FCA expects STORs be submitted without delay. In cases where a delay can’t be avoided, the submitting firm should provide an explanation for this delay. Where firms have to focus on a backlog, they should not hesitate to inform the STOR team of an evolving situation to avoid any implications for the firm that may be triggered by a missed timeline.
How Firms are Adapting
Given all this, many compliance teams want to move toward incorporating new channels—such as mobile devices and internal group meetings—into surveillance protocols. As you can imagine, this creates issues for firms who are unable to do so with the surveillance systems they have in place.
Many teams have decided to work closely with vendors to ensure effective surveillance coverage in the new remote working environment. Most firms have now adopted new controls, and some are in the process of onboarding them. In every case, regulators expect that firms run adequate tests and create governance policies around the new controls, in addition to incorporating these into their risk assessments.
Regulators also note that, given that workspaces are no longer collocated, firms must take conscious steps to make relevant policies and reporting channels easily available to employees—and ensure compliance officers are ready to provide business support without delay. Firms have addressed this by providing extra training to those who may work in high risk areas as documented in the firm’s risk assessment. The bottom line is that firms need to enforce a professional culture with good conduct throughout their organisation, setting standards for employees to follow and reducing the risk of bad conduct.
As addressed in previous FCA Market Watch publications last year, Julia also addressed the progress on personal account dealing (PAD). As the current environment has seen an increase in personal trading and more individuals registering brokerage accounts, firms must verify that they have adequate controls in place to ensure any individuals trading in a personal capacity do not abuse insider information in doing so. The FCA stressed two points on this subject: first, committing market abuse is not limited to those working in the financial services—everyone must comply to the FCA rules and criminal law; and second, firms must conduct reviews with sensitivity, to avoid tipping off individuals.