Regulatory Call to Action
Financial Institutions are being held strictly accountable for the presence and quality of systems and control. Regulators scrutinize them during exams and sweeps, and increasingly hold firms accountable for what wasn’t in place in enforcement actions. The SEC, among numerous other regulators, have advertised compliance systems and controls as a 2019 exam priority. Regulators have repeatedly commented on the awareness of an advanced vendor market in place for trading surveillance. Market participants would be remiss if they weren’t implementing and improving surveillance programs to match business risk and regulator expectation.
Regulators in the U.S. and abroad have advertised their advanced analytic capability, but we have yet to see anything near what one would expect to be the full impact of it. Regulators have advanced e-discovery and trade data extraction tools. The SEC has two powerful mechanisms in MIDAS and NEAT. The CFTC has a dedicated Layering and Spoofing task force, with the undoubted ability to uncover other manipulative patterns. Other Regulatory bodies have followed suit, requiring increased trading transparency and staffing up with data scientists, surveillance experts, and, at least in FINRA’s case, physicists.
Regulators do not view buy- and sell-side differentials when it comes to market manipulation and insider trading practices. Firms are market participants, plain and simple. With a variety of trading models and multiple touchpoints, the opportunity for collusion is ever-present and shifting shape. Regulators recognize this, and have the tools to put together the big picture for catching the more sublime behaviors. With all of this well-advertised, a couple of big concerns weigh on firms in the decision to implement.
A Hesitancy to Act
Firms face a marked switch in surveillance needs and expectations. Regulators are calling for monitoring for patterns of behavior and identifying anomalous activity. The days of managing to codified rulesets and explicit rule-based alerts are giving way to a deeper analysis. The outliers in the context of normal business are a focal point of regulators. Market manipulation and insider dealing can only be controlled so far when managing to a rule set. The analysis needs to go deeper, and requires more detailed data points and accounting for trends in behavior. As with any rule set; over time and unchanged, activity may fall of off the radar when reviewed in the context of specific codification and flow like water to circumvent the identified malpractice.
While the need for surveillance is obvious and ever-growing, firms in the U.S. have been slow to grow current process and reluctant to leverage the vendor market, particularly on the buy-side. Two major factors may be making firms gun-shy and creating a stall in the surveillance evolution. The industry will need to move past these blockers if it is to keep pace with Regulators.
Challenge #1 – Proper Resourcing
Vetting and implementing a surveillance program is one-third of the battle. The pool of vendor options is wide and deep, with many advertising sophisticated UIs and comprehensive analytic suites. The remaining two-thirds are where firms will feel the brunt of the burden and realize the true challenges of a successful surveillance program: reviewing the alerts and maintaining the program. It is in these two legs that vendor partnership is critical to proper scaling. The capability of the system cannot outpace the ability to action its results and maintain its accuracy. Both of those requirements need the proper human capital; individuals who understand the business, regulations, and are tech-savvy. This combo of characteristics has come at a premium, with turnover taking the intellectual capital and leaving firms with mounting queues of surveillance alerts.
Regulators are laser-focused on the continual effort to eliminate false positives and find real issues. In addition to the monitoring of activity and issues discovered within alerts, the following questions are asked of a surveillance program:
- If a vendor solution, were “out of the box” parameter values relied on? “Setting it and forgetting it” is not acceptable. Ultimately the firm is responsible for the input and output associated with the surveillance system.
- Was analysis completed on the population of orders and trades that did not trigger alerts? The activity that didn’t rise to level of concern where the real trouble lies. The ability to evaluate that within a system is key.
- Who changed what parameters? Why? When? Oversight and the evidence of evolving surveillance reviews to match changes in the market, business volume, new rules, etc. is as important as reviewing current activity.
- Were a “firm’s eyes bigger than it’s stomach” with what it committed to review, creating an impracticable process? Alerts cannot go to a “virtual desk drawer” and sit unaddressed. Depending on resources, turnover, and procedures in place, it’s too easy to create an audit trail of alerts not addressed that may be worse than having nothing at all.
It’s hard to find good help to manage all of this, and Firms have been understandably reluctant to implement proper surveillance as a result. This is where strong vendor partnership is the difference between creating undue burden and leveraging for a workforce multiplier. Vendor usage, particularly for a critical task like surveillance, is another pervasive concern.
Challenge #2 – Managing the Vendor Portfolio
Market participants are expected to carry-out and evidence stringent due diligence on any and all vendor relationships. With any vendor-leveraged process, the ultimate burden of regulatory requirements still falls squarely on the shoulders of the end users. Just as the aforementioned systems and controls are a top regulatory priority, so too is cyber security. The industry is in the middle of an intensive SEC vendor due diligence sweep, stemming from examination deficiencies on the both the IA and B/D areas of the market. In particular, cloud-based solutions offer nimble deployments and servicing, but have historically faced scrutiny and headwinds. So while firms are well aware of the need to improve oversight and the depth of the vendor market to help do so, they are buoyed by the need for clarity around acceptable vendor risk and due diligence expectations. The parallel focus and lack of clarity from Regulators here may have created this second challenge as an unintended consequence.
The RIMES Way Forward
Spend on Compliance technology (over headcount) is bullish across the industry, symptomatic of the need to structure and codify compliance instead of levering to headcount, prone to turnover and variability. While this shift occurs, there is understandable hesitancy, underscored by the two big concerns expressed here.
Regulators are well-aware of these concerns but the need and expectation to evolve surveillance remains. Thinking exam-to-exam and reactively is a set-up for failure. Waiting on precedent from a headline enforcement will leave firms behind a steep curve. Overcoming these concerns to establish the proper system is crucial to long-term operational and regulatory success. Strategic vendor partnerships are force multipliers, and in the regulatory space, dealing with a specialist-managed solution is key. There is a dearth of regulatory-savvy IT personnel and vice-versa, in the market. That gap can be bridged with a competent partnership.
The content provided in these articles is intended solely for general information purposes, and is provided with the understanding that the authors and publishers are not herein engaged in rendering regulatory or other professional advice or services. Consequently, any use of this information should be done only in consultation with qualified legal counsel. The information in these articles was posted with reasonable care and attention. However, it is possible that some information in these articles is incomplete, incorrect, or inapplicable to particular circumstances or conditions. We do not accept liability for direct or indirect losses resulting from using, relying or acting upon information in these articles.
- RIMES scoops sixth award win of 2020 at Data Management Insight Awards
- Asian Regulators Crack Down on Market Abuse
- BVI Webinar: In-house Data management vs. Data Management as a Service
- RIMES and MSCI Discuss the Latest Developments in ESG Investing
- Are Data Notifications a Risk to Your Business? They Should be the Least of Your Worries!