Risk assessment: the best foundation for building an effective market abuse and surveillance function

Radar chats to PwC’s Ruk Permal about the extent to which the risk assessment is at the heart of effectively mitigating market abuse.

PwC’s 2019 Market Abuse Surveillance Survey said that “a comprehensive market abuse risk assessment is the cornerstone of effective surveillance.” Over the last few months, there has been a significant increase in firms deploying new systems, undertaking new approaches and acquiring new employees to identify potential market abuse.

Why do you think firms carry out risk assessments, and do you feel that they’re the “cornerstone of effective surveillance”?

There isn’t a specific, prescriptive regulation that says “you must have a risk assessment”. A firm could have deep capability, whether personnel, process, control or technology but without a risk assessment first, their approach will be baseless. From the regulators’ perspective, and this is a global view, technology and systems are of value, but it comes back to the risk assessment as the underlying foundation from where to begin.

What elements represent the standard process when putting together a risk assessment?

Calculate inherent risk. The person responsible for conducting the market abuse risk assessment is typically an individual in compliance as their core responsibility includes managing regulatory risk. In order to conduct a risk assessment properly, expertise in market structures and specific products is required in order to determine where the risks could actually occur.

In order to determine this, it is worth constructing a matrix that sets out all of the different product characteristics and the extent to which those characteristics could cause or exacerbate a market abuse event if not appropriately managed. Once this information has been collated, an assessment of the impact and likelihood of the risk occurring in a particular product has to be made to determine inherent risk.

Understanding the controls. Subsequent to calculating inherent risk, it is time to examine controls:

1. Framework level controls required to be in place for an escalation mechanism where there is a policy or specific procedure that must be followed. This enables understanding within the organisation and creates escalation paths.

2. Controls operating across the first line of defence that are not surveillance. For example, sometimes there are preventative controls operating within the first line, so people can’t trade if their trading falls outside of certain thresholds.

3. Controls operating in the second line, such as personal account dealing or the maintenance of insider lists or watch lists. These contribute to the mitigation of some of the market abuse risks.

Surveillance methods. Finally look at the coverage and effectiveness of surveillance across the three primary channels: trade, ecomms and voice.

Once all of those inputs are evaluated, a rating or score emerges that says “inherent risk is ‘x’, based on the control framework across the lines of defence, residual risk is now ‘y’.”

Then the dialogue begins with senior management. In certain areas, they may be comfortable with that residual risk, but for others they may be more concerned as they see that as an area where the impact on the business of an event would be higher.
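The steps just described (an inherent risk matrix of impact and likelihood per product and risk type, controls across the framework, first and second lines, surveillance coverage over trade, ecomms and voice, then a residual score to discuss against senior management's appetite) can be modelled as a small risk register. The following is an added example and is not PwC's or the interviewee's method: the 1 to 5 scales, the multiplicative mitigation model, the rating bands, the product names and every score are constructed assumptions chosen to show how the inputs combine.

```python
"""Added example: a toy market abuse risk register following the
inherent risk -> controls -> surveillance -> residual risk sequence.
All scales, weights, thresholds and sample entries are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# Control layers named in the interview: framework-level escalation,
# first-line preventative controls, second-line controls (PA dealing,
# insider/watch lists) and surveillance over the three primary channels.
CONTROL_LAYERS = ("framework", "first_line", "second_line",
                  "surveillance_trade", "surveillance_ecomms", "surveillance_voice")

RATING_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RiskEntry:
    """One cell of the risk matrix: a product crossed with a risk type."""
    product: str
    risk_type: str              # constructed labels, e.g. "insider_dealing"
    impact: int                 # assumed scale 1 (negligible) .. 5 (severe)
    likelihood: int             # assumed scale 1 (rare) .. 5 (almost certain)
    # Effectiveness of each control layer for this cell, 0.0 (absent) to
    # 1.0 (fully mitigating). Layers not listed count as absent.
    controls: Dict[str, float] = field(default_factory=dict)

    def inherent(self) -> int:
        """Inherent risk before any controls are considered (1..25)."""
        return self.impact * self.likelihood

    def residual(self) -> float:
        """Assumed model: each layer removes its share of whatever risk
        the earlier layers left, so residual = inherent * prod(1 - eff)."""
        score = float(self.inherent())
        for layer in CONTROL_LAYERS:
            eff = self.controls.get(layer, 0.0)
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"{layer} effectiveness out of range: {eff}")
            score *= 1.0 - eff
        return round(score, 2)


def band(score: float) -> str:
    """Assumed rating bands on the 1..25 scale."""
    if score < 5:
        return "low"
    if score < 12:
        return "medium"
    return "high"


def assess(register: List[RiskEntry], appetite: Dict[str, str]) -> List[dict]:
    """Produce one row per matrix cell, flagging cells whose residual rating
    sits above the appetite senior management stated for that risk type."""
    rows = []
    for entry in register:
        residual = entry.residual()
        rating = band(residual)
        limit = appetite.get(entry.risk_type, "low")   # default to the strictest appetite
        rows.append({
            "product": entry.product,
            "risk_type": entry.risk_type,
            "inherent": entry.inherent(),
            "residual": residual,
            "rating": rating,
            "exceeds_appetite": RATING_ORDER[rating] > RATING_ORDER[limit],
        })
    return rows


def exceptions(rows: List[dict]) -> List[dict]:
    """The cells that need a decision from senior management."""
    return [r for r in rows if r["exceeds_appetite"]]


# Constructed sample register (three cells of a much larger matrix).
SAMPLE_REGISTER = [
    # Well covered: second-line lists plus trade and ecomms surveillance.
    RiskEntry("cash_equities", "insider_dealing", impact=5, likelihood=3,
              controls={"framework": 0.2, "second_line": 0.5,
                        "surveillance_trade": 0.6, "surveillance_ecomms": 0.3}),
    # High inherent risk with no trade surveillance applied to this product.
    RiskEntry("fx_spot", "manipulation", impact=4, likelihood=4,
              controls={"framework": 0.2, "first_line": 0.3,
                        "surveillance_ecomms": 0.2}),
    # Low inherent risk; no controls beyond the baseline may be acceptable.
    RiskEntry("rates_swaps", "manipulation", impact=2, likelihood=2),
]

# Constructed appetite statement per risk type.
SAMPLE_APPETITE = {"insider_dealing": "low", "manipulation": "low"}

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, SAMPLE_APPETITE):
        flag = "  <-- above appetite" if row["exceeds_appetite"] else ""
        print(f'{row["product"]:14} {row["risk_type"]:16} inherent={row["inherent"]:2} '
              f'residual={row["residual"]:5} {row["rating"]}{flag}')
```

Running it shows the point made above: the FX cell keeps a medium residual rating because no control layer addresses it strongly, while the rates cell stays low without much effort, and only the former needs a senior management decision.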

What’s the best approach to risk assessment? Is it DIY or using an independent company to analyse the firm as a regulator might during a supervisory visit?

The majority of firms feel that their risk assessment isn’t granular enough to drive the decisions required on what personnel, surveillance approaches and organisational structures they need. Most want an independent firm to do a thorough job the first time and then maintain it and update it themselves. The omissions are notable when the expertise in the process was not available when it was first conducted. This makes it very hard to map scenarios to risk types accurately. The next move is to build a risk assessment review into the requirement to do an annual review under MAR. An annual freshening of the review will usually suffice, unless there are significant changes to the business in the interim.

Are there classic errors where firms take the wrong approach, leaving obvious gaps?

There are quite a few. A number of firms have, often unintentionally, picked a surveillance vendor and then implemented a number of scenarios out of the box, before having considered their risk. They then stop looking at risk, focus on what they are covering and assume that encompasses all of their risk.

Also, firms are trying to apply equities-style scenarios in relation to market abuse to other businesses without thinking through the true application to those areas. Some assessments are produced with no interaction with the first line, and a lopsided outcome is the result. Others try to perform their risk assessment with a questionnaire, and are entirely reliant on what the business has told them. Another lopsided view!

Some firms don’t consider the overall framework and how they can mitigate market abuse. While surveillance is undoubtedly the most effective control, there are others to explore. Where the exposure is not as high, some other controls in the business actually reduce risk to a level that the organisation can live with. Sometimes a huge amount of effort goes into the control environment to cover risks which are, by their nature, very low, or with low impact. Conversely, areas perceived as higher risk are not really being covered at all.

Are there obvious differences of approach based on the sector or type of firm?

Participants in the market approach this in a different way. The way in which risk could crystallise can differ. For example, the risk of having access to inside information and unwittingly passing it on, or inadvertently facilitating market manipulation, is much higher in some parts of the industry than others. As a consequence, while the approach to risk assessment is formulaic, the outcomes can look different. That in turn has an effect on how each organisation chooses to control risk. Do they control it more in the first or the second line? Do they buy or build their surveillance technology?

Will risk assessments stand firms in good stead with the regulator?

The risk assessment is the defensible articulation of how an organisation has chosen to focus its attention on specific risk types. Firms with less mature or inadequate risk assessments could struggle with regulator interaction. It’s very difficult for the regulator to understand why some risks may or may not be more relevant to an organisation from a single individual. The risk assessment captures the views of the organisation as a whole (particularly those in risk-taking and control functions) and demonstrates why they have responded in the way that they have. Without that, conversations with the regulator fall flat and are without foundation.

Are there nuances in approach to risk assessment based on regulator or region?

Risk assessment exercises can span a number of geographic locations. Regulators overseas are not really asking for anything different.

The areas of risk may be different, however. For example, in Asia, the regulators are focussed on the rise of algorithmic trading and the risks on the trade side. Also because so much business is conducted through messaging platforms, which aren’t always housed internally, they’re interested in that as an angle.

Western regulators are thinking about specific products, especially whether a bank has coverage over every product, with the potential for cross-product manipulation.

Is this something that works for other risk areas, such as financial crime?

The principles in themselves apply to several different areas and could apply at a macro level. If organisations are assessing operational risk across the business then they could take this approach to assess what their key operational risk types are. It could be applied at an individual discipline level for issues like fraud or anti-money laundering.