Under surveillance: Getting to grips with the new Market Abuse Regulation
Fri, 30 Sep 2016 11:06:51 GMT
In this article, Mike O’Hara and Adam Cox of The Realization Group look at how prepared financial firms are for reporting requirements under new Market Abuse Regulation (MAR). Many firms that previously did not need to worry about market abuse – at least from a regulatory compliance perspective – now must put in place systems that will enable them to report to their local watchdogs any suspicious activity in near-real time. The regulation throws up a host of issues, from broad questions about what’s required to nitty-gritty considerations such as how to handle cross-asset class surveillance. Mike and Adam hear from Nick Gordon of Certeco, Sam Tyfield of Vedder Price, Lars-Ivar Sellberg of Scila AB and Gavin Jackson, MD at Colehouse Ltd. If there’s one thing that’s clear from these experts, it’s that firms need to be thinking ahead. Regulators expect companies to be ready and they’re likely to take a dim view of any firms that aren’t up to the task or are found to be dragging their feet.
European authorities introduced new regulation in 2014 designed to prevent markets from being abused by participants through transactions or orders (see links below). It came into effect in July this year, although some technical standards are still being worked out ahead of the start of MiFID II and MiFIR. At the heart of the measure is a requirement for a range of market participants to report any suspicious trades, orders or patterns of activity. To be sure, participants of all stripes have a clear incentive to prevent or discourage market manipulation. But many of these firms have never before grappled with the legal obligation of having to report any sign of market abuse, much less the technical and business requirements for making that happen. Executives from the IT, broking, legal and consultancy sectors say the task of getting up to speed need not be overly daunting; but it does require a good degree of forward planning and the readiness by firms to think long and hard about what they trade, how they trade and what would constitute a sensible automated system for generating alerts. Also, given that this is new territory for a number of players, they say some companies are likely to want to bring in third parties to help them design and implement new systems. MAR represents more than just another regulatory requirement – it marks a fundamental change in how firms work with their regulators.
A sea change
Compared with other transitions to new regulatory regimes, Nick Gordon detects a definite change in the air. Gordon, Business Development Director at change management consultancy Certeco, says there are numerous businesses that are finding themselves in uncharted territory as they suddenly discover they are caught up in an unfamiliar regulatory framework. “They’re being pulled in,” he says. “There are organisations that are not so familiar with how to operate under these terms. So you’ll find that the business people in some of these organisations – really the traders – are just not aware of the requirements and therefore tend to under-estimate the amount of work needed.”
Of course, companies have Legal and Compliance departments that are going to be quite capable of dissecting the regulatory language and understanding its implications. But that only represents part of the story. MAR is essentially about trading activity and it’s the traders and their bosses who will need to work towards practical and effective solutions to satisfy a new breed of regulators.
“It’s a big deal, and they’ve got to make a decision as to whether they can rely on their type of business being undertaken by a package or outsourced through one of their service providers,” Gordon says. “If they can outsource, that’s an awful lot easier than doing it the other way round, which is having to do it basically all yourself.”
The reason why doing it themselves would be so much harder for many firms: modern trading is fast, wide-ranging and, in a word, complex.
“For the industry, it’s a bit of a sea change,” says Sam Tyfield, Partner at law firm Vedder Price. “Firms are now required to implement automated monitoring for market abuse activity, which is required to provide alerts very soon after suspicious activity occurs.”
“For the industry, it’s a bit of a sea change. Firms are now required to implement automated monitoring for market abuse activity, which is required to provide alerts very soon after suspicious activity occurs.”
Sam Tyfield, Partner, Vedder Price.
Once firms have alerts in hand, they’re expected to make investigations and file reports on the suspicious orders or transactions. In an industry which is well known for worrying about milliseconds and microseconds, MAR presents yet another example of time pressure. Only this time the threat is not about losing a fill but about gaining undesired attention from regulatory authorities.
But experts say that by separating the business and the technical aspects of the challenge, firms can start getting to grips with the changes they need to make. Two issues stand out as trading companies undertake their journeys. Internally, they need to consider all the ramifications of cross-market, cross-asset class activity. Externally, they need to deal with a large degree of fuzziness on the part of the regulators as to what authorities actually want to be reported.
The classic type of firm that is now caught in the regulatory web, which hitherto was not, is the interdealer broker. These IDBs need not be large market players, but they often are undertaking complex transactions, which presents challenges. Suddenly, they need a new perspective on what they do from a compliance point of view, and they need to put in place the operational processes and the IT infrastructure that goes with that.
The first hurdle is dealing with the unknown.
“The biggest challenge with firms doing this is the fact that this is potentially a technology that they have not put in before,” says Gavin Jackson, MD at Colehouse Ltd, who has recently been working with one of the largest IDBs.
In many cases, there will be no track record or experience to draw on for the staff trying to scope out, design and implement a new trade monitoring system. “It’s not like another trading system or an upgrade of a trading system where they (IT staff) perhaps have done it at other companies. It is likely to be the first time that they have been involved in trying to electronically survey the markets,” Jackson says. Crucially, that means they don’t necessarily know what questions to ask or what to expect.
The issue goes right to the heart of the system selection process. How does a trading firm draft an RFP (request for proposal) asking technical and business questions around a product that its staff have never seen or used? It may be relatively straightforward to come up with a list of vendors that might supply the requisite systems, but it’s another matter to determine which ones might be able to deliver the right products given the unique nature of any given firm.
Jackson breaks it down into two discrete areas. One issue is technical. How do you introduce a new system into your architecture? How do you make sure you are comfortable that all of your systems will work seamlessly together?
“It’s not like an upgrade of a trading system where they perhaps have done it at other companies. It is likely to be the first time that they have been involved in trying to electronically survey the markets.”
Gavin Jackson, independent consultant
The other issue is more difficult, and it comes before any servers are purchased or code is written. This concerns creating a set of business requirements. To do this, the first step will be to consider what sort of information regulators might want in any given market.
In Jackson’s view, regulators prefer firms to look at their trading activity from a risk-based perspective. The way to do that is for a company to build a risk heat map, one that identifies the riskiest areas of its business, either in terms of the ability or the potential desire to abuse the market. With that information in hand, companies can then focus on what their alert-generating systems need to target most.
“You would also want to be talking with each individual regulator, each of whom potentially will have different expectations,” Jackson says. Some authorities may want real-time monitoring and alerting, while others may be fine with T+1, at least for a few years before transitioning to real time. Understanding the varying regulatory desires can help when firms start talking to vendors.
Nick Gordon of Certeco takes a similar view. “Understanding exactly what you have to do to meet the criteria of the regulation can be split into two quite clear areas; what the regulator thinks is required and what your own business thinks is required. It’s bringing those two things together that is the biggest challenge.”
Jackson adds that firms need to think about what type of abuse can take place in their different markets. That will then allow them to identify the types of alerts they will need to set up. That’s why understanding their own business, clients and markets becomes so important.
The technical side
Lars-Ivar Sellberg, Executive Chairman of Scila, a surveillance solutions provider based in Sweden, says firms should not underestimate the difficulty of making sense of all their activity and the issues raised by connecting their systems.
“It can be a major challenge to start with because a lot of times these firms have a wide range of source systems, which might be completely separated and different for each asset class and business area. They are almost like isolated islands and they don’t have one consolidated view of all,” he says.
Jackson adds, “Firms often in some ways don’t understand or don’t appreciate how complicated putting these things in can be. They start off with a view of, ‘Actually it will be no problem at all, it’s going to work out of the box and we are going to survey everything’. And then all of a sudden this client, when they get to the detail of it, finds it’s a lot more complex. Trying to bed some of these alerts down is a complex and time consuming process.”
For instance, a company may find its alerting system is up and running but setting off far too many false positives. Or it may not even understand its own business enough to define it in the detail needed to create automated systems. Vendors such as Scila can offer a brokerage more than a hundred different types of alerts from a library. Even if these generic alerts don’t match a given situation that has been encountered, the vendor and the brokerage can work together to see which one might be closest and then tweak that to suit the IDB.
Sellberg says Scila’s library of alerts can search for specific suspicious patterns such as layering or spoofing. After working with a customer to determine which alerts may be applicable, the supplier and the client consider whether there is a need for bespoke alerts. “Some of these firms use very specific market models or business models that actually require totally bespoke alert rules that need to be developed,” he says.
Once an alerting system has been developed, the next step is testing. Jackson says it can be relatively straightforward if a firm is using automation, although he adds that much can depend on how time-critical the alert is if it involves surveying trades over a particular time and being able to see a sequence take place. “That may need an automation tool to be able to do that, because if it takes place in a very quick time, it’s difficult sometimes to be able to do that manually,” Jackson says.
“Some of these firms use very specific market models or business models that actually require totally bespoke alert rules that need to be developed.”
Lars-Ivar Sellberg, Executive Chairman, Scila
Finally, the alerting system needs to be calibrated based on back testing. That can lead to changes in the parameters for the alerts. Jackson adds that some parameters can be user based; that means it need not require a vendor or a developer to adjust the system and can be tuned on the fly using real-time data.
There have always been, and likely always will be, firms that specialise in one market or another. But over the years, as market linkages have strengthened, connectivity has increased and trading technology has grown more sophisticated, the amount of cross-market trading activity has undeniably surged.
From a self-reporting surveillance perspective, cross-market trading throws up a number of issues.
“It just adds to the complexity,” says Gordon of Certeco. “We’re working with one customer at the moment who has multiple complex types of trades because that’s what he does in the market place. But he’s got to now consider each of those and think, ‘Okay, if I’m looking at a particular type of circular deal that I need to monitor, what does that mean in this respect?’ He’s got to analyse each one of those examples. So it does get very complex.”
Tyfield says the cross-market issue is complicated by the fact that a broker will potentially only see a sliver of a client’s activity. “Put yourself in the position of a compliance officer or somebody who’s operating market surveillance. If you have a trading desk which is operating a strategy that places orders on two, three, four, five exchanges, then there could be any number of reasons that orders are being entered, cancelled or amended on various exchanges, which are perfectly legitimate. But reading the market abuse regs should raise a red flag.”
That ties in with an additional concern: the fuzziness factor. By not spelling out precisely what constitutes market manipulation, regulators are taking a ‘we’ll-know-it-when-we-see-it’ approach. But for a compliance team, taking that into account means that their systems might be generating a large number of false positives.
Regulators took this approach because they recognised that the industry, when it comes to market manipulation, is dynamic. People are always finding new ways of trying to influence the markets. What may be vexing for the industry is how much the onus is now on participants. As Tyfield says, if regulators investigate a situation and find market abuse where none was reported, a firm can find itself in deep trouble. There is little incentive to over-report because regulators could adopt a no-smoke-without-fire approach, plus there would be the added burden of all the extra work for the compliance team. And there is certainly no incentive to under-report given the possibility of financial penalties or criminal charges. Even in so-called no-intent situations, a firm may be found guilty of market abuse. For instance, a malfunctioning algorithm could create such a scenario.
Despite all of the concerns – from cross-market activity to the fuzziness factor – experts say it’s possible for firms to develop robust systems that are fit for purpose.
For a start, some have noted that there is at least one good precedent. The move towards certain types of trade reporting, both under Dodd-Frank in the United States and EMIR in Europe, requires similar types of systems.
“IDBs look upon that area as being a starting point,” Jackson says. “Brokerages are able to leverage some of the work they’ve done to create a trade reporting system, which can fast-track the learning curve early on”.
“What processes do you have in place to assure yourself that when you come into your office in the morning, the systems are doing compliance correctly, they’re performing the monitoring and surveillance that’s required for you to be compliant, in order to keep you out of jail?”
Nick Gordon, Business Development Director, Certeco
Another way to ensure the learning curve is not too onerous is to take a gradual approach. For instance, Jackson advises that firms start with a small number of situations that require alerts, possibly just three or four of the key ones, to capture a decent chunk of a company’s potential risk area. As a company learns from this initial experience and its team becomes more knowledgeable about potential software solutions, it can add new alerts. As he explains, it’s not just about generating the alert. “What do you do about it? How do you close it? How do you create a case out of it? How do you investigate it? And what does it actually mean?”
Scila’s Sellberg says the one prerequisite in any system in the surveillance business is that the supplier needs to support the flexibility required by very different types of firms. Applications need to be able to be deployed with completely different sets of alert rules and be able to be calibrated differently. In addition, firms will have varying appetites for how much they want a third party to get involved in their business. Many high-frequency trading firms for example will want to do the bulk of the deployment themselves. Other firms may want a third party to handle much more of the job, particularly those that are less technologically savvy.
That range of approaches applies to user acceptance testing as well. “We have a defined test procedure and strategies,” Sellberg says, “but there is no way around the fact that once deployed in the customer’s environment, there is a need for final testing in that particular environment to see that it works there.”
Gordon of Certeco stresses the importance of reliability in terms of testing. Once a system is in place, a company needs to be able to ensure it will work 24/7. “What processes do you have in place to assure yourself that when you come into your office in the morning, the systems are doing compliance correctly, they’re performing the monitoring and surveillance that’s required for you to be compliant, in order to keep you out of the eye of the regulator?” Gordon says.
Certeco takes an automated approach wherever possible, while at the same time focusing on defining unique scenarios so that any automated testing is bespoke to a company’s particular requirements.
Gordon’s final advice for companies that are only just waking up to the tasks ahead: try to stay ahead of the game. “Don’t underestimate the challenges of implementing this. Underestimation can be very, very difficult to get around later in the cycle. Because what happens with the regulators is that if you get behind, they get even more interested in you and that creates even more work and pressure.”
For more information, visit: