After a flurry of market enforcement action by the FCA in 2022, we discussed the impact on regulated firms and on regulatory tolerance and process with Aaron Stowell, who is a Partner of Forensic Technology and Surveillance at KPMG. He has years of experience investigating cases of market abuse and related financial crime.
GRIP: Has regulatory expectation shifted and are we entering a new phase for enforcement?
AS: Banks are just being fined now for things that happened so long ago historically. These are lapses that happened in 2018 and before in some cases. Several organizations are still dealing with, or feeling the impact of, Fed orders. Regulators are taking less of a positive view on organizations presenting what they are aiming to do.
Regulators want to see a clear action plan to close gaps; they don’t want to hear ‘we’ll improve our overall recording, voice capture and detection program’. I am sure regulators would argue there are vendors offering proven solutions, so why are you not doing it? They are aware of peer benchmarks, see people conquering voice to text, even video capture and detection. Regulators can point to others in the market who are doing this now, at scale, many for several years.
GRIP: Is this change in regulatory supervision attitude universal among regulators?
AS: That’s difficult to analyse. Looking just at the FCA, it has issued larger collective fines in previous years (2019 and 2021) than last year. It also had quite a focus on financial crime last year, so I wouldn’t say the FCA was necessarily being more aggressive or focused on any specific areas. Some of these failures related to basic things, and I don’t think it is unreasonable to assume that internally some of these cases have been pending for so long that the underlying issues should have been resolved. Five years is long enough.
None of the market abuse fines from last year seemed disproportionate. I was surprised by the size of the Sigma fine, £530,000 ($640,000), which was at the low end of the scale – it was reported as a number of potentially suspicious transactions and orders that went unreported. The £5m ($6m) on BGC and other fines were indicated to have been influenced by repeated failures.
Despite remediation, elements of the core problem and design failures seem to have remained after that period. What options does a regulator have in those circumstances? The fines did not seem out of proportion, especially when compared with the new benchmark from the SEC and CFTC under recordkeeping enforcement. I don’t currently see a change in attitude demonstrated by all regulators.
There is a sense that the volume of regulatory change, along with newer challenges such as crypto regulation, is substantial. But in many cases the required regulation has been in place for an extended period. These fines seem to be intended to inform the market that these things are achievable, and with relative ease. Excuses don’t land well any more, if they ever did.
GRIP: What are clients asking for as this all washes through the market? Is there a commonality in demand and approach or is it varied and unstructured?
AS: A real variety, and it depends on the strategy of particular companies and where they feel they are strong or weak currently, what they have in place from a technology point of view, and if they are under any type of order with existing areas that have been identified as ‘in need of improvement’.
The scope ranges from policy and procedures to how organizations are capturing, recording, and validating data from the surveillance first line, moving into supervision. There is introspection – ‘are we confident that this approach is actually meeting requirements?’
For some it is just a technology play where the main focus is on actual capture, and we may help assess vendors or enhance existing audio processes.
I see different aspects from last year’s fines: some brokers might be scrambling to adapt to new expectations, but I have not yet seen the same with asset managers, which is a surprise. Many brokers handle an extensive area of business via the phone, and quality of capture and, more importantly, monitoring is easy to get wrong. There is a lot we can do to help get that up to the levels of the best peer performance.
I don’t think asset managers are immune in this area, with extensive call use and being open to the same weakness in systems and controls. I expect to hear more in this area, after the Amundi fine.
GRIP: Are you finding this is across tiers or types of firm, whether defined by size or sector, in terms of needs and movement and, to some extent, paranoia?
AS: Everyone is picking up on this. It depends on where the organization is right now. I have seen some tier twos in a better place than some tier ones owing to previous investigations and remediation obligations. Everyone on the sell side is taking it seriously and looking to do something with quite aggressive time frames where they still have gaps. I think we might see a lot of change in the communications monitoring industry in the short term, as we have seen the loss of the Relativity Trace application, and I feel there may be pressure on other private equity-funded players – so there might be some more departures or consolidation.
The standout businesses have a very clear view of what they want to achieve, how to move this space forward, bring improved results and increased value, and what they can offer to their clients. Banks are now looking for so much more from vendors beyond pure monitoring – they want real value and insight for all of that spend. They need to do more with all of their information.
GRIP: Are people just throwing money at the problem in terms of tech and new personnel and consulting assistance, or is it not at that stage yet?
AS: It depends and is related to confidence in existing teams and their ability to do this internally up to a point. But it is a very cost-conscious market right now. If there is not an obvious answer and a firm feels it’s behind its peers, that is not a comfortable place to be. Regulators are messaging that this is not that complex – anyone suggesting a timeline of 18 months-plus to remediate, that won’t wash. They need to engage, whether that is internal teams, consultants or vendors.
GRIP: Have you detected regulators requiring more evidence of market abuse monitoring compliance and a semi-informal reporting requirement that feels like a new informal obligation?
AS: I am not close to this area of the market, so it is hard to say. But this would be a natural development. If you are focused on getting value for money and protecting your firm, you start to remediate what you are monitoring and collecting and what your process is.
Then supervision is the next focus as that is when you can correct based on all the information you have gathered. People can end up wasting time analyzing reports that bring no value. Certain banks I know are very focused on this as it fits their strategy. Others might be further behind but will get there as this is how you get to really change things positively.
GRIP: What advice can you give right now to ensure risk mitigation, adapting to this new environment?
AS: It starts by asking yourself whether you are really confident in your existing process. Is it doing what it is trying to achieve and how successful is it? Organizations have all of these stages and the steps that they have to go through, but the actual aim and clarity needed for each step and the overall outcome is often absent.
Behavioral analytics in supervision is an often-discussed topic, but there are so many challenges — such as the ethics of this approach, the quality of that data, the siloed information — that it feels like a veil. The key is what you need to monitor and supervise and what will make the process better and why, stripping away these other layers. You need a strategy to be able to present to a regulator on why you are confident that your approach provides the protection you are seeking.
I am not convinced everyone has that in their program. It is a simple process to continue to build on what has gone before. Some firms are still relying on what was put in place before 2015. But is that still relevant? Things change and it is key for everyone to reassess regularly.