Julia Hoggett: firms identify the “shades of grey” surrounding MAR

Following a series of Market Watch publications at the close of 2018, Julia Hoggett delivered a cautionary speech on February 13th at the AFME MAR event. Radar spoke to industry experts about the FCA’s approach to MAR implementation and how firms can evolve to ensure they cover all bases within the ever-changing risk landscape.

In 2017, Julia Hoggett, director of market oversight at the UK’s Financial Conduct Authority (FCA), gave a stirring speech on the implementation of the Market Abuse Regime (MAR). For many, this speech marked a change in dynamic for FCA; moving away from a tolerance of firms attempting to find their feet and towards a steady increase in pressure on the financial industry. “Compliance with the regime…cannot and should not stay still”, she announced.

Over the course of 2018, FCA continued in the same vein, publishing a series of Market Watch newsletters that gradually escalated in intensity, culminating in Market Watch 57 & 58, after which we concluded that the honeymoon was over for those that are failing to comply with the requirements under MiFID II and MAR.

In February 2019, Hoggett delivered a speech on the implementation of MAR at an event organised by the Association for Financial Markets in Europe (AFME). The speech reiterated FCA expectation around MAR and highlighted “specific issues” in certain areas that remain lacking. In particular, Hoggett established an expected approach in which businesses should be taking steps to implement systems that not only detect misconduct, but that actively prevent it from occurring in the first place.

At a recent Radar roundtable, a number of compliance experts offered their own reactions. Are firms running scared? Desperately scrambling to tie up loose ends and close gaps? Or is this “chest thumping” from FCA that is hard to enforce?

Start with your staff (all of them)

Hoggett referred to FCA’s 5 Conduct Questions, the first being “how do firms identify the conduct risk inherent within their business?” There are any number of detectable risks to a company, the most important (and often overlooked) being the individual.

In order to prevent misconduct, firms should be exercising their “conduct risk identification muscles”, Hoggett suggests. Companies should look to create a comprehensive risk profile of staff in order to build a picture of which individuals have access to sensitive data and the likelihood that they could abuse that trust.

Traders aren’t your only risk

Contrary to common perception, risk does not begin and end on the trade floor. This was something Hoggett was eager to emphasize in her speech: “trader behaviour…is not the only place where behavioural risk exists.” FCA is clearly expecting firms to cast their nets wide when considering the compliance risks that all individuals pose, suggesting that they monitor a wide pool of people “from cleaning staff to your head of compliance…IT support and other functions”. And this monitoring shouldn’t end at the office doors – FCA expects firms to keep track of information travelling from the inside out.

At a Radar roundtable, it was suggested that the regulator’s instructions are easier said than done as firms are sometimes unsure about how to identify those people who could be carrying the risk. If firms are urged to use a broad brush approach, what sort of risk profile does a staff member have in order to become a monitored employee? Alternatively, is it feasible to envisage all employees being monitored and, if so, how is a framework developed that is capable of capturing and storing all this data, which also provides meaningful results for the company?

“Move away from the assumption that if someone legitimately has access to information, they will always act legitimately with that information.”

Perhaps the starting point in identifying the individuals that could pose a risk would be to look at who has access to what information. FCA is keen to see firms proactively reviewing their permissions. Where an employee no longer needs access to information, companies should consider revoking permissions. This essentially boils down to firms having better control over their data in order to make sure it doesn’t fall into the wrong hands.

Educate everyone

Successful implementation of MAR doesn’t stop at identifying risk factors. If only it were that simple. It’s one thing to identify the individuals that pose a risk to the company, it’s another to ensure those individuals – and potentially all employees within the company – are aware of their responsibilities under the compliance regime. As Tom Goodman, UK Capital Markets, Surveillance & Market Abuse Advisory Lead at EY, commented, “risks can’t be prevented deliberately unless they’re understood.”

“Firms need to take responsibility and ensure staff understand the consequences of unlawful behaviour… greater awareness of the risk of market abuse is needed.”

Understanding starts with awareness of the issue. Awareness can be generated through effective training plans. However, as above, FCA is keen to point out that training should not be limited to those on the trading floor; it should be company-wide and required at all levels. In particular, FCA has placed more focus on the more senior members of staff.

It is often assumed that those in a position of seniority will be well aware of the tenets of their role and the regulatory limitations surrounding the information they’re given. However, FCA picks up on this as a “black hole” for risk: senior people have wider access to sensitive information at the highest level, as well as frequent interactions with senior investors and journalists.

Radar roundtable participants seemed trepidant about this suggestion: “they’re saying you ‘you need to be enhancing monitoring of the senior folks at firms’, which I’m sure will go down really well when it’s mentioned to senior management.

So is training something that senior managers are actively engaging with? Apparently so, according to roundtable attendees, who unanimously agreed that they are involved with and frequently attend training sessions. More than that, the training appears to be working. “You can track it quite easily. If you’re recording your business referrals and know training went in and the date of business referrals, it does gradually decrease. When it starts to drop off, we do training again.”

“You maximise the chance of those you regulate meeting your expectations, if you make it clear what your expectations actually are.”

Invest in controls, but make sure they work

While an awareness of risk from both firms and individuals is essential, this is only the first step on the long path to watertight MAR compliance. The systems and controls that a company employs are a “critical element”, especially those surrounding inside information and surveillance of market manipulation in the non-equity space. FCA does not believe those systems and controls have evolved as much as they should given the risk profile.

“We only care about systems and controls for one very simple reason – so that they work effectively.”

The existence of a particular system or control may not, in fact, be interesting to the regulator and is not necessarily an indicator that a firm is effectively monitoring the activities within their organisation. The firm must ensure that the systems and controls that they have in place are in good working order. “If it doesn’t work, it would much more likely make me concerned about the firm,” Hoggett said.

While FCA acknowledges that the management of false positives is “challenging and time consuming”, it expects companies to ensure that they are aware of, and design controls to monitor, alerts that are meaningful to the risks in the market.

“Evolution of controls will necessarily require nuanced discussion.”

The industry is aware of this requirement, but in discussions expressed frustration with the technology offerings: “we’re waiting for the technology to get there”. They agreed, however, that the available systems have developed exponentially over the last few years, causing them to take the regulator’s directions more seriously and actively engage with possible options. Common issues include voice (capturing broker calls that last only one to three seconds) as well as a lack of servers and space to store the data that fuels the technology

Don’t take comfort in other firms’s failings

Despite her generally evolutionary spirit, Hoggett touched upon an area of compliance which she perceived as “depressing”: the practice of firms taking comfort from the perception that others are also failing in their compliance duties. And this isn’t necessarily hearsay. Head of surveillance at a tier-2 bank told Radar that this is a recurring issue when pitching ideas to management. When approached, management teams will often ask, “are any of our peers doing this?” It seems there is a general attitude that if those around you aren’t investing in compliance systems, there’s no pressure for their own firm to do so.

FCA believes there is too much mediocrity across current compliance teams. They want thought leaders and firms who recognise that they have a regulatory requirement and will invest energy, innovation and funds into meeting those obligations. The current state of the market, in which firms reinforce their own negative performance by reassuring themselves that others are doing the same, should be turned on its head. Instead, firms should be looking to be the compliance leaders – who’s getting the fewest false positives? Who’s receiving the least fines? These should be the standards that the industry strives to achieve.

Manual surveillance is not enough, but has its merits

Subsequent to Julia Hoggett’s speech, FCA hosted a Q&A session in which it allowed the audience to delve deeper. In response to a query on whether manual surveillance was still permitted, or whether it should all be automated, Hoggett responded that manual surveillance, while useful, is only effective to a certain extent. Once a firm’s trading volume reaches a certain level, manual surveillance capacities fall short.

Manual compliance has not had its day though and Radar roundtable attendees shared a number of instances where manual methods have prevented misconduct. Head of trade surveillance at a tier-1 bank noted that FCA expects firms to be far more enquiring of corporate customers and to probe instances where trades look suspicious. Further to this, Hoggett expressed a wish to introduce a system whereby firms can refuse to process transactions if it looks as though they will take the form of market manipulation.

While front-office staff are often reluctant to ask probing questions (the retail side are more open to the idea), firms have seen ”wins” from the practice; clients have stopped doing something potentially illicit because they were asked persistent probing questions. This depends on client relationships, however. In some instances, probing questions have simply received an automated or flat response.

Moreover, Goodman of EY noted that manual anti-money laundering (AML) techniques are sometimes more insightful than those produced by technological systems: “It’s very well known in AML transaction monitoring that consistently higher quality SARs are those proactively identified by front line staff over those flagged by monitoring systems”, he said. As such, it is imperative to ensure that front line employees have “the latest and greatest understanding of the risks of market abuse and its manifestations across the industry, but also how and where those market abuse risks are most relevant to their business.”

Market abuse and financial crime are not mutually exclusive

Market Watch 58 blurred the lines between regulatory and financial crime teams, suggesting that there should be more overlap between the two. This message was echoed in Hoggett’s speech, where she once again highlighted the “necessary interplay” between financial crime and market abuse systems and controls. Some firms, she said, have started to implement financial crime policies and procedures which cover insider dealing and market manipulation, however many firms have further to go. Where such interplay exists, Hoggett suggested that some firms have taken to offboarding clients who repeatedly acted suspiciously. This, in turn, has lead to a reduced number of STORs being filed.

Is this wishful thinking from the regulator? Not according to our roundtable attendees. “It’s really been happening” said a senior compliance practitioner when asked if his firm had offboarded suspicious clients. “It tends to be based more on SARs than STORs”, they added. Practically speaking, the compliance teams have conducted investigations within their teams, which they then pass to the financial crime teams. Both segments conduct their own investigations and join together at the end of the process to decide whether to issue a STOR or a SAR or some other action.

“Systems and controls need to evolve as the risks within their business evolve.”

Turn to codes for clarification

Implementation of MiFID II and MAR has, in many ways, been convoluted by a lack of clarity. The regulations only go so far in terms of setting out what is expected of firms and there have been grumblings from the industry about the lack of certainty. This has not gone unnoticed by Hoggett, who used her speech to acknowledge that “regulation is not always the best place to define the right and wrong side of the lines.”

It is for this reason, she says, that the FCA is establishing a method through which it recognises particular industry codes as supporting “greater clarity regarding expectations”. In order for firms to show compliance with the Senior Managers and Certification Regime (SMCR) Conduct Rule 5 (observing proper standards of market conduct), they will need to demonstrate that they are compliant with principles set out in these so-called “voluntary codes”.

“Life is not always that simple…it is the ability to identify the shades of grey that is most critical.”

Compliance with the voluntary codes goes beyond simply signing up to them; FCA wants to see that firms have given the principles careful consideration and embedded them into their business models. It looks as if the market is taking this message on board, with practitioners telling Radar that they’ve begun to incorporate elements into their risk assessments.

If the voluntary codes were approved with the intention of providing clarity, there may still be some way to go. One roundtable attendee expressed particular frustration with the fact that some of the codes deviate from the legal definitions. For example, the definition of pinging and spoofing in a recent code were different from the definitions outlined in MAR. Moreover, there is a lingering question around how useful the codes are: “I don’t think there was anything earth shattering in there.”

Follow your followers

Despite a raft of regulatory guidance, accompanying codes and FCA Market Watches, there continue to be areas of practice which require institutions to exercise their own judgment. One such area, highlighted by Julia Hoggett in her speech, is “following”. “Following”, for those who don’t know, is where individuals within regulated firms “follow” or “mirror” the behaviour or trading activity of their clients either by trading on their own account or by giving tips to others.

Hogget asks that firms consider the “risks and conflicts which can arise from this sort of behaviour”. In particular, they should question the motivation for an employee to do this; whether the employee expects that the client trade will result in a profit (perhaps indicating the misuse of inside information); and whether it’s within the firm’s risk appetite for their staff to engage in such behaviour.

Having spoken to market practitioners, “following” is certainly not going unnoticed within the compliance teams, not least for the risk it poses both on and off the trading floors and the challenges it presents.

“Trading for yourself in anything that you’re trading in with clients would attract serious questions.”

It would seem the industry is particularly concerned by gaps in the system, specifically in relation to personal devices. One compliance officer commented that if staff decide to follow a client using personal devices or accounts then it’s much harder to spot illicit activity. Practitioners resoundingly agreed that the issues surrounding following are a “nightmare”, but attempts to ban the activity altogether have fallen short.

What goes around comes around

Following a series of cautionary Market Watches, one might ask whether FCA’s increasingly heated warnings have an impact? Or as one partner at an international business-focused law firm suggested to Radar, is this merely “chest thumping”? The same partner, on condition of anonymity, suggested that FCA is cracking the whip, “partly as backlash because they’ve been accused of being asleep at the wheel in the run up to the financial crisis.” He added that the change in attitude could be attributed to the idea that the UK could “lose a lot to the EU because of Brexit”, so if FCA holds itself out as a “consumer-led, decent regulator” then the ultimate financial services consumer is more likely to select a UK-based provider, because they’ll be better protected.

However, a counter-argument suggests that the FCA’s new approach is merely having a knock-on effect on businesses deciding to move abroad to avoid facing tougher compliance rules: “business won’t change it’s just that the revenue will be booked overseas and the people will leave with it, people are fairly mobile now.”

Evolve…or get left behind

The centrepoint of Julia Hoggett’s speech is essentially evolution: the financial landscape is changing, the regulatory landscape must keep up. Markets are no longer formed of individuals making decisions, they’re a hybrid of tech, algorithms and humans. The risk profile is constantly changing and risk assessments must “keep pace” with these developments.

“Whilst activity may move, it is extremely important that the quality of controls remains robust.”

Some might argue that institutions could be excused for finding themselves swept up in the melee of constant change. The regulator doesn’t appear to be as forgiving. Hoggett urges firms to be “fully focussed” in the midst of change, noting that firms “must not have gaps in their oversight.”

Firms should be assessing their data sources in order to provide new insights into the performance of companies and markets. It is almost inevitable that this will require the implementation of new tech. In fact, Hoggett goes as far as saying that we are on the “brink of a new era – that of the Quantum Computer which brings game-changing technology for processing extremely large amounts of data”. However, she reminds the industry that new technologies will only be as good as the data that feeds them. In the same month that the Australian Securities and Investments Commission (ASIC) stated “if you’re not using AI…why not,” could it be that FCA are headed firmly down the same path?