The regulator is increasingly asking to see your market abuse risk assessment and often at short notice. In this article we provide some tips on what you should be considering as you refresh your own market abuse risk assessment.
It must be broader than trader and dealer risks
A risk assessment needs to be comprehensive and consider all the possible risks that your business faces.
These include not just the obvious market manipulation type risks but also factors such as governance and employee competence. For example, when were employees last taught about market abuse risks and why they need to declare all of their personal dealing accounts?
It is good practice to overlay your risk assessment with some scenarios which allow you to test the effectiveness of your controls. This can be particularly effective when there are new enforcement actions or court judgements.
Regularly review Information Walls
It is easy to think of information walls only as physical walls that prevent access to part of a building. However, probably the most common information wall is a secured electronic folder or shared filing system. These may well be under regular review from an information security perspective, but access must also be reviewed regularly from an information walls perspective.
You should, of course, equally be reviewing physical access to records and areas of your building, checking who has access as well as considering whether any access needs revoking.
Your control framework should include designated wall crossers and approvers for whom these reviews should be part of their remit.
These days chat room access forms a key part of anti-collusion controls alongside ecomms surveillance.
You should be regularly reviewing chat room access, checking who has access to which chat rooms and scanning for any new chat rooms.
Since the rigging scandals, many firms have prevented multi-party chat rooms. You may wish to revisit your controls if you are one of the remaining few that does permit multi-party chat rooms.
A regular scrub of chat rooms is good practice: close down those that serve no obvious business purpose, as these are where bad habits can form.
Your risk assessment must be action oriented and a living document.
Risks, and the effectiveness of your controls to manage risks, are dynamic. You wouldn’t only update your insider list once a year, so neither should you only update your risk assessment once a year.
Make sure that your committees and meetings are receiving details of your risk assessment. Meeting papers and minutes are common regulatory requests. These should clearly show which individuals challenged aspects of the risk assessment.
Prove the negative
The regulator remains suspicious that regulated firms aren’t spotting actual or potential market abuse.
Remember that market abuse is another area of the rules (like CASS) where there is no de minimis amount. So your surveillance should not be calibrated in a way that ignores alerts based on value.
As well as keeping a near miss log showing issues that you identified, have you contacted individuals when you have near misses to explain why their conduct triggered an alert?
Consider risk avoidance not just mitigation
Whether it’s a real situation or not, your market conduct policy should stipulate what you will do in the event that you have multiple STORs on a client.
You need a clear policy or principles that specify at what point you will exit clients about whom you have to keep making STORs. Your governance needs to set its risk tolerance for avoiding people who appear to be using your business to create misconduct.
Making the links
Remember that if you are raising a STOR, you may also need to raise a SAR. These reports go to different regulatory authorities as they trigger quite different investigations.
That is because the underlying behaviours and conduct leading to market abuse differ fundamentally from those for financial crime. Consequently, the underlying risks and associated controls, and surveillance, for detecting and preventing market abuse and financial crime are fundamentally different.
So while you may find a little overlap, don’t be fooled into thinking trade surveillance is looking for financial crime or that transaction monitoring is looking for market abuse. Make sure you join the dots: if the teams looking at financial crime alerts and market abuse alerts barely speak to each other, you might have a problem.