“Not suspicious enough”: the requirements, processes and values surrounding “near misses”

Near misses offer valuable insights and protections to firms and their regulators. But in the absence of direct regulatory requirements, are firms sufficiently tracking activity that “wasn’t suspicious enough” to report? And how curious is the regulator?

The roll out of the Market Abuse Regulation (MAR) in 2016 imposed a new wave of requirements and obligations on financial services companies.

In its consultation phase, the European Securities and Markets Authority floated the idea of “near misses”. While the term never found its way into the final wording of MAR, most firms have proceeded to monitor, assess and take insights from such instances. Radar sat down with industry professionals on condition of anonymity to better understand the requirements and benefits of near misses and what the regulator’s looking for, if anything.

When does an alert become a “near miss”?

Near misses, unlike provisions under MAR, don’t necessarily have a clear-cut definition. As noted by Tom Goodman, UK Capital Markets, Surveillance & Market Abuse Advisory Lead at EY, “the definition of near misses tends to vary across firms”. Broadly speaking, near misses are instances of suspicious activity that are recorded, but deemed not suspicious enough to be reported in a Suspicious Transaction and Order Report (STOR) or a Suspicious Activity Report (SAR).

Suspicious activity alerts can be categorised on a number of levels: those that are clear false positives; those that show enough potential wrongdoing to warrant a STOR; and those in between that show activity that is suspicious, but are deemed not suspicious enough to escalate – these are the near misses. As the head of surveillance at a Tier 2 bank told Radar: “where I see the near miss is anything that comes to a case meeting that is suspicious enough to discuss and is suspicious enough to make a judgement on, but actually it doesn’t fall into the suspicious category for actual submission.”

For one head of trade surveillance at a Tier 1 bank, the explanation is more clear-cut: near misses were floated in the original consultation, confused the banks and were subsequently dropped by FCA. “It’s a STOR or it isn’t. If you’ve got additional records to highlight those that aren’t, so much the better,” they said.

But in the absence of a clear regulatory obligation to do so, are firms holding this information?

An extension of record keeping requirements?

With no direct reference to near misses in MAR, and considering that FCA may have attempted to “bury” the phrase, firms might conclude that the recording and analysis of near misses is unnecessary. However, the STOR level 2 of MAR imposes record keeping requirements across all firms. Moreover, 2nd LOD escalations oblige firms to record instances of cases which are “just” mitigated. Near misses fall seamlessly into that bracket: they are part-and-parcel of firms’ record keeping obligations under MAR.

FCA does not specify a prescribed format or nature for record keeping, only what should be recorded and for how long. As such, near misses are often naturally captured within some firms’ case management systems, but as one surveillance expert pointed out “we don’t have a special category for near misses and I don’t really see it as its own category, it’s really just an extension of the fact that you keep records of all the alerts that you look into.”

Another surveillance head agreed that, from the point of view of record keeping, it’s no different to a STOR: “We carry out exactly the same process and in fact it would have been a proposed STOR in order to end up being a near miss. So it would have already gone through all the work that’s usually associated with a STOR. We keep them exactly the same way. The only difference being that instead of filling out a STOR form we’d fill out a near miss form.”

What does the regulator hope to find?

As near misses aren’t defined by regulation and firms aren’t formally required to keep records of them, there are still instances of FCA supervisors asking businesses to provide evidence of near misses. What do FCA hope to deduce from them?

“They’re designed by the regulator as a way to ensure you’re doing something,” said a global head of market conduct. This stands to reason; after all if a firm is failing to conduct effective compliance monitoring, it is unlikely they’ll be creating near misses, let alone STORs and SARs.

In the same vein, FCA may also ask to see near misses in situations where firms are failing to submit reports on either side of their business. For example, if peer firms are submitting 10 STORs per month, and one particular firm is only submitting one, FCA may look to near misses to provide insights into that firm’s approach to market abuse detection and whether they’re setting the bar too high.

Concurring, Goodman added that near misses “could be used to help demonstrate to a regulator or to management why it believes the surveillance is effective, even if it is not generating STORs”.

But, as one contributor pointed out, FCA is unlikely to use near misses as a “stick” to punish firms, “it’s more of a guidance tool where they’d say ‘look, show us your near misses and we’ll tell you if we want to see them formally submitted’.”

Is the regulator actually looking at near misses?

It’s easy to speculate about what the UK’s Financial Conduct Authority (FCA) hopes to see when considering near misses, but the real question is whether the regulator is asking to see near misses at all.

“Not for a few years,” said the Tier 1 surveillance head. “When they moved from suspicious transaction reports (STRs) to STORs, we were having pretty regular conversations with them. They wouldn’t give us an opinion, but they would tell us if they’d like to see any of our near misses submitted. Once we came to understand the level that they expected, those meetings fell away.”

This doesn’t appear to be the exception to the rule. Radar asked a handful of industry experts whether the regulator had shown interests in their near misses when on visits, or at all. The resounding answer was “no”, at least not specifically.

That’s not to say they don’t add value, however, or that FCA isn’t asking to see them in certain instances. In particular, near misses come into play where FCA detects trading activity that is potentially suspicious. They will then turn to firms and ask whether it was picked up within their own surveillance and, if so, what happened to it. For one contributor, this is the time where near miss records are “crucial, because then rather than going back to them and saying ‘we’ve got no idea why we didn’t pick it up’, you can go back to them and say ‘we did pick up this trading as part of our surveillance and concluded that it wasn’t suspicious’.”

The internal value of near misses: protection and patterns

There is much that near misses offer firms, from the benefit of hindsight to the ability to perform pattern analysis.

Near misses provide a level of protection for compliance officers who, when challenged, can present contemporaneous notes as to their original decision: extent of the enquiry; detail on decision to close rather than report. Tom Goodman agrees, adding that near misses allow firms to demonstrate effective surveillance, “so you can be reactive to a supervisor challenging the business or proactive when you’re in conversation with the regulator saying ‘this is how we get comfort that, should something occur we would spot it, because we’ve spotted things already that are near misses’.”

Perhaps the most valuable insight that can be realised through near misses is pattern analysis as “judging reasonable suspicion is not an exact science”. Pattern analysis allows firms to hone their ability to spot activity that provokes reasonable suspicion. “We rate all of our closures with a number based on how interesting the alert was – from 0-5. And we do pattern analysis on the basis that it’s perfectly possible that in the first instance of something occuring it wouldn’t be suspicious, but maybe the third time it happens or the fourth, while each individual event wouldn’t be suspicious on its own, taken as a whole it can become suspicious.”

Historical and contextual information can enable firms to make a better assessment of risk and suspicious activity, as it’s often difficult to judge suspicions on a case-by-case basis without some knowledge of the client’s historical behaviour.

This is particularly relevant to areas such as layering, as a compliance expert pointed out. “Layering is a tricky one,” he said. “If you spot one instance of layering you might say ‘ok look that’s perhaps a trading error – it happened by accident – it’s not suspicious’. But when you start seeing more instances of it you suddenly realise that it’s developing into a pattern and therefore maybe there is some intent to manipulate the order book. So that’s where the near miss records become really valuable and where actually it becomes really important that they’re held in a way that allows you to do pattern analysis.”

Gone but not forgotten: are near misses ever closed?

What happens if pattern analysis reveals a case that was previously closed as a near miss that morphs into suspicious activity worthy of escalation? Once closed, do near misses stay closed? Apparently not, according to a compliance industry professional: “If you had some client or trader who had a number of near misses on their file, you might look at it and think ‘you know what – this is a pattern of apparently suspicious behaviour that we didn’t think was serious enough to submit viewed individually, but cumulatively, it’s made more serious’. We have seen instances where near misses have been reopened and submitted on that basis.”

This seems to be the general consensus across compliance teams. A head of one such team told Radar that there have been occasions at their firm where they have seen instances of recurring bad behaviour and would therefore submit not only the latest incident but also past near misses.

Does the recording of near misses signify a cultural shift?

The recording of near misses shows a change in attitude at firms, a level of monitoring maturity and efficiency. As Tom Goodman highlighted, “the FCA is focussing on firms not just ticking the boxes for systems and controls, but being effective in challenging market abuse inherent in the systems”.

Firms aren’t obliged to record near misses per se. There’s no prescriptive method required, or a right or wrong way. However, most compliance officers are developing systems for near misses as a matter of course, from specialised forms to well-maintained spreadsheets. They serve as another indicator that compliance teams are listening to the FCA’s guidance and taking their monitoring responsibilities seriously.