The New Age of Surveillance
A fireside chat with the PricewaterhouseCoopers Market Abuse and Surveillance team.
Ruk Permal and Graham Ure’s team at PwC specialise in helping clients tackle the challenges of market abuse regulation and surveillance. Their experience ranges from conducting market abuse investigations through to transforming and future-proofing their clients’ businesses to manage and detect market abuse through the means of monitoring and surveillance – here they tackle the burning questions that need attention from the Radar editors.
Ruk: In our dealings with a number of organisations, when considering Market Abuse Regime (MAR) compliance, they are typically thinking about the automated methods to detect potential incidents of market abuse. Ultimately, clients immediately look to automated trade surveillance; that is usually their first port of call to determine if it is or is not market abuse. However, in our ongoing dialogue with various industry bodies and regulators, and this reflects our own view, it is clear that automated trade surveillance is one way of mitigating the risk of market abuse and one way of identifying it, but it is not the only way. There are a number of other initiatives such as surveillance or supervisory control procedures that reside in the first line, eCommunications surveillance, as well as relevant governance arrangements and training across the business. All of these can contribute significantly to compliance with MAR. My feeling is that a number of organisations have taken a relatively narrow view, whereas our own view, and we also feel this is congruent with our discussions with regulators, is that a macro approach is required to really determine inherent risk, using this as a basis to define and implement the relevant control framework, which may not always mean implementing automated trade surveillance for every scenario.
Charlotte: With any control framework, there are certain things that can reduce the market abuse risk and inherent conflicts, such as thinking about where people are physically located, or able to communicate with each other, so that the tendency and ability to share confidential information is restricted.
What is the elephant in the room that senior management ignores/denies in relation to surveillance and monitoring?
Ruk: For me this is not simply relying on known cases of bad behavior. Senior Management need to think about how the market is changing and how their particular organization is adapting and interacting with the market (e-business, use of electronic trading platforms to execute, voice-dominated or order-based) and then determining, in the spirit of regulation, where the key risks are and where automated surveillance or other controls will prove to be an effective deterrent. What I think we see is a legacy focus on the equities market, much deeper thought and focus on benchmarks and FX, and then a series of other markets like FI and commodities, which has had much less investment from organisations, and also from vendors. This is the area where further enhancement is required, and that is a comment that applies very much across the board, rather than at a handful of firms.
Graham: Reflecting upon my experiences with a number of the organisations I have worked with over the last two years, one of the greatest issues has been an under-estimation of the challenge of designing, implementing and deploying automated surveillance as BAU. There are multiple elements that need to be in place in order to perform adequate monitoring and surveillance. Practical examples include but are not limited to, ensuring the alignment of the front office to compliance and to IT functions; addressing the challenges of the underlying data; recognising that even where a data lake has already been built then on the balance of probability it will not contain all of the data entities that one needs to conduct adequate surveillance; added to which is the complexity that many organisations will have multiple trade and order systems all of which are likely to contain data required for surveillance purposes. All these challenges exist before you even start to address implementation of vendor solutions and tuning the scenarios to run effectively. For organisations augmenting their surveillance capability, the impact of all of this is an incredibly complex, multi-faceted programme of work that will probably take some organisations, dependent on their size and scale, something between 18 months and three years to complete. Doing surveillance well is difficult.
What is regulatory expectation and do you sense frustration at a lack of progress in the market generally?
Graham: In our dealings with regulators, we sense that they increasingly have the same appreciation of the size and complexity of the challenge as we do and as I’ve just outlined. I would not say there is a sense of frustration, it is more concern that there is a continued tendency to under-estimate the complexity of embedding adequate surveillance, coupled with an under-estimation of how long it takes to put in place.
Ruk: From our viewpoint the challenge is both macro and micro; with macro there are problems around understanding risk and coverage, and that does extend to some of our clients globally. But at the heart of this is the detail and when you get down to a very low level of data, especially in organisations that have grown over a considerable time with legacy systems, where they may or may not have a data lake, it just makes the problem seem insurmountable at times. It just takes a lot of effort and commitment from senior management, as well as investment to get to a place where they can be comfortable that they have got a decent suite of controls and surveillance that provides them with adequate coverage over MAR. What this creates is an environment where firms are trying to build a MAR-compliant framework principally driven by surveillance, and where they are only trying to get coverage of the issues they know today. In terms of where they need to apply an analytical lens to the issues of tomorrow, most are not really in the place to do that yet because they are still trying to get their baseline coverage right.
Anne-Marie: There is often a disconnect at firms in terms of what they actually want to implement from a surveillance perspective, based on analyzing the areas that bring most risk for their business and operations, and what they are actually able to deliver. This can be compounded by not having the actual data needed available or having the ability to manipulate it in such a way to support those risk-based evaluations. For many firms there is the conflict around not getting to full MAR compliance versus getting to the level that their peers are. In some cases the latter is all they aspire to, or are able to achieve at this point, because of all the challenges surrounding the real end state.
What are regulator expectations now that technology is becoming more affordable, market practice continues to evolve and the data corpus is increasing exponentially? What approaches and legacy systems are clearly not going to be defensible if a breach occurs or an extensive supervisory visit takes place?
Graham: This feels like a leading question, asking us to comment on a distinction between those solutions which have come to market more recently and those that have been in existence much longer. What I would state is that our clients and the regulators have all seen all of the technology offerings. Our sense is that the regulators have no preference per se for one vendor over another. However their requirement for adequate surveillance is unyielding; they care less about what you use, more that what you use is effective and gives adequate coverage across the whole of MAR, or that you have mitigating controls in place for where your surveillance is not automated. What we have definitely seen as a journey over the last two or three years is more and more of our clients showing interest in some of the technologies that have more recently come to the market, especially now that a number of these software vendors can demonstrate successful deployments.
Ruk: We have not seen any regulators prescribe preference on systems; they do acknowledge having seen certain systems before; they do understand that some of the newer tech in the future will provide some level of triangulation that will be helpful to organisations. They do want to see effective and complete surveillance and don’t pass judgment on whether it is efficient. The majority of the market are still grappling with some of the issues within MAR and some of those issues affect certain firms much more than others, just because of the type of business that they do.
What has been the impact of the larger and some would say systemic cases of misconduct around benchmark rigging, and FX manipulation that occurred and caused such public shock when they were exposed in terms of senior management’s approach to the issue?
Ruk: More events on the size we have seen would not be tolerated by regulators and the public, and have proved very difficult for certain organisations. But that message, and the fines, and the conversations had with senior management, were clearly heard. But they were not purely focused on what could be detected in the second line, it was more a complete overhaul of what the organization does from a governance perspective, how the business is run and properly supervised, through to compliance and operational risk working together to be a deterrent or identifier of issues. That is how the conversation went and organisations we work with have designed their programmes with that in mind – this is not a single problem held by a single function, it is across the organisation with lots of senior stakeholder input and, since the introduction of SMCR, someone is now accountable at the helm.
The nature of the regulations when they came out was principles-based which gives wide scope to determine what constitutes market abuse – so the industry is tackling that by developing codes and industry bodies are setting the standards. The FICC Markets Standards Board (FMSB) is a good example of an industry body that is trying to set an appropriate standard for surveillance for FICC markets. This we expect to continuously evolve and the challenge for firms trying to hit that standard today to give them coverage over a market or product is that this may not be the standard you want to achieve in six months’ time. The picture changes constantly and none more so than in the last 12 months.
Charlotte: It has become very much about documenting the approach and looking at the whole picture rather than focusing on one solution and one area as the root of any problem.
Anne-Marie: With the adoption of new global codes of conduct, the main issue is the fact that it feels like the goalposts have moved since MAR came out almost two years ago now. There has been a steady of flow of market standards and codes in order to set the standard, as well as a number of papers published that have clear overlaps with MAR. This has an impact as the standards have been changing continually over the last 18 months. For example, the FX Global Code of Conduct touches on a number of areas within market abuse and calls out a number of behaviors specifically (eg sections on order handling, info sharing and execution type behaviours such as e-trading). This means that the challenge is establishing where the firms should be setting their own benchmark now, and which areas are the ones to prioritise.
How is practice changing and what are the the most typical demands being made of you by your existing and prospective clients?
Graham: The balance of our work has increasingly swung towards operation and the hands-on implementation of software and support for the delivery of programmes. This would suggest that now we are approaching two years post the advent of MAR, organisations are very focused on compliance with the regulation and are investing further in their surveillance capability.
Anne-Marie: To add to Graham’s comments what has been most interesting is the area of the regulation that requires an annual independent review of MAR in relation to the systems or controls that firms have in place to ensure compliance. This seems to have triggered a re-focus by firms, who may have put MAR on the backburner since it went live and have subsequently prioritized other regulatory initiatives like MiFID II. The annual review has driven people to think about how far they have come and the fact that maybe some more help is needed to put in place those changes to really get them to compliance.
Ruk: A couple of years ago we were much more pure advisory whereas now it is advisory through to operation. So we are now strategically advising clients on what they need to do to be compliant with MAR or to communicate with the regulator, but for some clients we are now effectively helping them to run their surveillance function. The latter can vary in terms of scope (eg the tech side of it; implementing it; running the risk assessment for them and developing scenarios based on that conclusion; actually managing their ecomms and trade surveillance teams). For us that has been a large shift over the last two years.
The other thing that is interesting from a macro view with regards to the annual review is that we certainly got a lot more calls from global firms rather than purely UK entities or entities with a presence in the UK. This included firms in the US, Germany, France and Africa, and their interest was not just the extra-territoriality of MAR but they were interested in using MAR as the standard they should want to hit in their own domain.
Who are the progressive firms in this space and what are they looking to do in terms of an improved approach in process, infrastructure and recruitment? What makes them different and what are the drivers for this change?
Ruk: We do have clients that fit this description and the things they are thinking about and doing take various forms; some have been much more leading in the way they have normalized all their data, perhaps through a data lake, or some other way which gives them incredible analytical power for a forward looking ‘lets predict what future event in a particular market’ might happen next. Where some others have gone, which is a different approach, is they are more interested in the workforce of the future and are much more focused on data literate recruits or pure data scientist hires, and are looking at integrating them into compliance or front office functions and that is much more exploratory in nature. These are leading-edge initiatives, giving those types of organisations the potential to spot the next big issue before it really becomes an issue for them. Anticipation is crucial. They don’t want to suffer the misfortunes of others previously or even themselves, and that comes through analytical power, especially with the amount of data now available. There is a commercial advantage to having high quality surveillance, as not only can they address compliance but also identify better performance, and some firms are even creating systems and an approach they can commercialise; this is fuelling the appetite of some of our clients as they can now see there is a commercial edge and it is not just complying with regulation.
Charlotte: Another approach where it is not yet totally apparent if this has been successful is firms looking at individual traders as opposed to looking at trades or ecomms in isolation; this trader-centric view across all areas, including conduct to spot people under pressure, people behaving unusually or erratically, is another stream that has its appeal with some.
If you were to categorise the laggards, those in the middle of the pack, and those who are really the market leaders from a compliance perspective, what differentiates their approach and thinking?
Anne-Marie: I think it is the firms who are thinking about the big picture rather than those who are viewing the regulation in a flat, one dimensional way; it requires a holistic approach to see how best to protect against market abuse as a whole rather than a tick-box approach.
Ruk: It is easiest to talk about laggards and there are reasons why they are in that situation. Firstly, there has been under-investment or deprioritisation of MAR as a piece of regulation. We saw this when MAR came in and the time it seemed to get more focus was when MiFID II was delayed, which was when people woke up and saw a big piece of regulation that was not being addressed. This under-investment was in understanding the regulation, but also determining the risks and systems and controls to mitigate the risks. Secondly, there are a number of organisations where the attitude is ‘we are not a big bank so this is not that applicable to us’. There are a large number of entities right across the industry in this category. This is a big proportion of the industry, who because they have not been targeted or not been embroiled in some of the big issues, they have not applied the same focus and attention to MAR. I would be interested to see, if these firms did some benchmarking against some of the standards published such as the FMSB, how they would fare, and I suspect they would still need to do quite a bit of work to get to a comfortable baseline level.
What major regulatory initiatives are having an impact on the approaches you are seeing within your clients in the UK and globally such as MAR, MiFID II, Dodd Frank, SMCR, GDPR, others?
Anne-Marie: SMCR has had a significant impact in terms of surveillance but not necessarily in terms of the types of behavior of interest or who is being monitored, but among the individuals who are now taking more interest in surveillance and where it sits in the organisation. SMCR has created a focus for individuals in the front line who are signing off on adherence with market codes, and in some ways compliance with regulation. We have seen a real shift in ownership and accountability for surveillance in the front line to senior managers who want and need more control of what is in place, and are making sure they are comfortable with that, and what is deployed against the perceived risks.. Separately MiFID II had requirements around e-trading, HFTs and algos and we have seen that individuals are not wanting to look at these regulations separately. Firms are identifying efficiency in scale, in being holistic and creating an approach that fits all, as opposed to needing perpetual revision of the surveillance coverage you have for different parts of different regulations. This approach is not easy because of the depth of regulation out there.
What excites you most about the work you are doing right now for some of your clients?
Ruk: We are a hugely passionate bunch; what is really enthralling is that this work continues to be intellectually stimulating on many levels. If we are working with clients and providing an advisory lens, we are helping them not just to solve their current issues but look forward and address the ways in which the market could be manipulated in future. We relish the challenge and the debate. Also what is exciting is the level of senior engagement in the C-suite or their equivalent as the head of compliance or the front office. These people are deeply engaged and they see the issue as one of their top operational risks and something that ultimately could take down their organization. Therefore we are getting the level of attention and access and buy-in to make what we are doing for them something that is genuinely value-accretive and sustainable that can be used far into the future. Plus the area is constantly evolving. Even some of the issues we were seeing three or four years ago are still present but the way the market moves, as well as the vendor market, is creating a new age of surveillance, a new age of MAR year on year. This just helps us and our clients develop, increase standards and make the market more orderly.
Charlotte: Some of the work we have done recently has not been with the big banks, in places where compliance has not been so well invested in and so we have had to go back to the basics: what behaviours are we looking for, how do we implement that, and that is just as satisfying as some of the more complex assignments at larger firms.
Anne-Marie: I have really enjoyed the shift from advisory to a more practical role and actually implementing surveillance and having firsthand experience of the risk assessment. It can be more interesting intellectually; to be more hands-on, taking a step back and not being so theoretical, but looking at what the regulation requires and understanding how to do that practically.
Ruk Permal: Ruk is a globally recognised expert on market abuse and PwC UK’s lead spokesperson on this area. Ruk is a senior advisor to a range of clients spanning global investment banks through to commodities trading firms on the issue of market abuse. Ruk was the primary advisor to the FICC Markets Standards Board on market abuse and surveillance, and is also PwC’s nominated skilled person to conduct FCA s.166 reviews.
Graham Ure: Graham is PwC’s global co-lead for financial crime technology. He specialises in surveillance and market abuse technology and the selection, implementation and optimisation of trade, e-comms and voice surveillance solutions. He has led a number of engagements supporting banks respond to regulatory scrutiny around benchmarks, FX and market abuse and more recently has supported clients build out their surveillance operating models and technology capability.
Anne-Marie Edmonds: Anne-Marie specialises in market abuse and market conduct with a focus on both regulation and surveillance. She has significant experience in advising a range of financial services clients in this area, including investment banks, brokers and asset managers. Anne-Marie has recently assisted clients conduct market abuse risk assessments which has included identifying relevant risks across the business, understanding how the current framework addresses those risks and recommending areas for enhancement.
Charlotte Nordgren: Charlotte specialises in surveillance and market conduct, and has previously performed engagements for investment banks, private banks and interdealer brokers. Charlotte’s recent experience includes leading surveillance reviews as part of organisations’ response to Cease and Desist Orders and FX remediation programmes, and helping organisations implement and run surveillance functions. She has a detailed understanding of surveillance processes, systems and controls
