Earlier this month, the Financial Conduct Authority (FCA) published Market Watch 60, the latest issue of its newsletter on market conduct and transaction reporting issues. In this edition, the FCA focuses on its concerns and findings regarding control of access to inside information in the wake of the recent conviction of a former compliance officer in the London branch of a major investment bank.
The FCA also goes on to share the results of its recent review of systems and controls used to manage access to inside information across a sample of investment banks, legal advisers and other consultancies. This follows the results of the FCA’s Thematic Review published in 2015 and the disclosure of the results of the high-level review of the financial services industry’s implementation of the Market Abuse Regulation (“MAR”) (which was carried out in mid-2018) and made available in Market Watch 58.
The findings from the most recent review can be summarised as follows:
The FCA found varying ways in which firms maintained their insider lists. Where reasons for including individuals on a list were required, they frequently found the reason be generic (i.e. ‘support function’) and therefore insufficient for firms to determine if there is a genuine business reason for information disclosure. This lack of detail meant that the FCA found that tracking and controlling information dissemination was challenging. That only applies where such support staff were in fact included on the insider list. Some firms entirely omitted to include a large number of support staff who also had access to documentation (i.e. risk and compliance) therefore it was not retaining comprehensive and complete records.
Conversely, the FCA saw insider lists including individuals who did not even have access to the confidential information, which of course results in the documentation being useless and grossly inaccurate. It also identified other instances of ‘permanent’ insiders, comprising of those individuals who had routine access to information without obvious reason.
Storage of information relating to confidential deals or transactions, or housing the inside information — including who had access, when and for how long — was a focus for the FCA. The FCA found that some firms did not adequately restrict access to information to ensure they maintained a ‘need to know’ basis. In addition, some electronic data was saved in general team folders accessible to a wide variety of staff, in multiple jurisdictions, who were unconnected with any associated transactions. Using Code Names for folders is seen as reasonable by the regulator, as was granting IT personnel access to these folders (where no discernable information can be gleaned) for administration and maintenance purposes.
Worryingly there was a lack of periodic review of access rights to such information, especially after internal movements of staff either away from particular projects or even out of the business altogether. Similarly, the audit trails surrounding data access were inconsistent; some firms could only provide limited information – such as creation, edits and deletion of materials. Others could not provide any logs at all. However, the FCA was pleased that some firm’s audit trails were comprehensive and included instances of information access on a ‘read only’ basis.
The FCA found widely differing levels and methods of monitoring. These ranged from none at all to firms that surveyed for attempted access to documents by non-permission staff or devices. Some firms also reviewed document access outside of normal working hours as well as the number and frequency of items accessed by permissions individuals.
Staff that conducted the monitoring also varied between those who performed generalised support functions to experienced staff familiar with the need to control access to inside information. Staff in the latter category would invariably be better at identifying suspicious behaviour.
The FCA continues to emphasise the importance of firms having effective market abuse controls in place. In particular, the regulator reminds firms in this Market Watch that when examining suspected insider dealing, it is important to establish who had access to inside information at any particular moment in time. An inability to do so will inevitably be detrimental to any investigation. Therefore, maintenance of complete and accurate records is vital for firms, together with robust controls to prevent widespread (and unlawful) dissemination and access to such confidential information. Firms must have processes in place to identify conduct risks to which they are exposed. In addition, they must ensure that their controls and monitoring programme is effective to address and monitor for such risks.
The FCA concludes that an inability to respond to regulatory requests for accurate records may further indicate underlying weaknesses in a firm’s market abuse systems, procedures and policies. The regulator cautions firms that this could lead to further regulatory scrutiny, not to mention significant reputational risk.
The latest edition of the FCA’s Market Watch provides a timely reminder that the FCA expects firms to take reasonable steps to ensure that the risks of handling inside information are identified and appropriately mitigated.
We recommend that you conduct a review your insider lists, access and monitoring controls to make sure you are not in breach of any regulatory rulings.
How We Help
- Market Abuse Thematic Review: a deep-dive review, benchmarking, and testing of your firm’s market abuse arrangements to help mitigate the risk of insider dealing, improper disclosure, and market manipulation.
- Market Abuse Controls Review: focused and cost-effective assessment of your firm’s policies, procedures, monitoring programme, surveillance techniques, and controls environment.
- Trade Surveillance Technology: provides automated in-depth trade surveillance to help identify items of interest and non-compliant trading and investment activity. The system offers a case management tool that can track, and store emails, reports, and research related to each investigation.
- Employee Personal Trading Technology: provides an integrated solution for managing your firm’s code of ethics compliance activities related to employee personal securities trading monitoring, attestations, reporting on gifts, political contributions, outside activities, and more.
- Training: our training solutions in London offers open courses devoted to Market Abuse delivered by one of our specialist trainers at our office, or at your premises at a time convenient for you.
Visit our dedicated market abuse page to access further information and resources.