Market abuse teams have been busy recently, as they get to grips with an uptick in regulatory activity and enforcement by the FCA. Regulators are putting pressure on the industry to get market abuse controls right, and we can see that our clients are feeling the effects.

A string of recent enforcement cases, a number of which concluded at the end of last year, reinforce that this is an area where firms are very likely to be punished for errors. The volume of enforcement actions and size of fines suggests that the regulator has a renewed focus on market abuse controls.

Lessons learned

However, there is a lot that firms can do to avoid the attention of the regulator, as the FCA has highlighted in a number of Market Watch publications. Recent enforcement decisions also offer a lot of insight on where firms are going wrong. What is important is that firms take the correct lessons from them and use them to inform their approach to market abuse regulations.

The FCA’s publications show that certain themes regularly assert themselves as issues. Weak systems and controls are consistently an issue, with problems more often than not stemming from an inadequate risk assessment which often lead to gaps in the design of the controls framework. The lack of Board oversight on market abuse aspect and lack of adequate expertise in compliance teams also appeared as the key issue firms faced in the most recent enforcement cases.

The clearest lesson from recent fines is that a firm’s market abuse risk assessment (MARA) is the key to getting this right. A comprehensive MARA will help set out where market abuse risks lie, what the greatest risks are, and what sort of controls are therefore needed. It is easy to see that failure to identify risks and design adequate controls can lead to enforcement actions later on.

FCA fines

The Citigroup fine in August last year is a good example of what happens when the MARA isn’t done properly. In its enforcement notice, the FCA pointed to the risk assessment, saying that it was not comprehensive enough. It did not account for all the behaviours Citigroup needed to be aware of and did not assess how risk would manifest across different types of assets. This lack of granularity meant that they couldn’t assess which risks required a surveillance system, so that certain behaviours could be detected.

In all, the firm identified 220 gaps that required remediation, because the MARA did not set out all the risks properly. This assessment is the cornerstone for designing a surveillance system, and must take into account all the financial instruments that a firm offers.

Once the MARA has been conducted, it must be updated so that it continues to match the firm’s specific needs and risks. This includes ensuring that risks are identified when new products are offered and the business expands. Sigma Broking was fined in October 2022 after it expanded the range of services it offered, without assessing the risk of doing so. When offering new products, firms need to be able to show that they have considered the risks arising from them, in order to design adequate surveillance controls.

Effective implementation

For the MARA to be implemented effectively, compliance functions must be properly resourced, and with the appropriate expertise. Adequate resourcing allows for the design of an effective controls framework and to ensure all orders and transactions are monitored – an important requirement that is a red flag to the regulator when not fulfilled.

Larger businesses, dealing with a high volume of transactions, will require comprehensive, automated systems to achieve this. However, firms need to be considered in how they implement this technology. Last December, BCG Broker Group was fined for failures relating to its implementation of automated surveillance. The FCA found that not all the asset types it dealt with fell within the scope of its monitoring, and that its systems were therefore not fit for purpose.

Firms should make sure systems are properly calibrated and tested, as automation on its own does not represent a solution. It needs intelligent human input and oversight. In turn, those providing oversight will need appropriate resourcing and training to fulfil that role.

Boards and senior directors must also ensure that they are engaged with their business’ compliance functions, and that they too are providing sufficient oversight. The FCA also found that BCG’s senior leadership did not give enough thought to market abuse requirements, nor did they challenge failings with enough rigour. In Sigma’s case, the FCA could not find evidence that market abuse was sufficiently discussed at senior leadership meetings.

The board are responsible for putting in place processes that ensure problems can be escalated to them, especially when there are concerns there could be a gap in surveillance. They are also responsible for establishing a firm culture where everyone is aware of their obligations and takes them seriously.

Final thoughts

Preventing market abuse is one of the FCA’s core aims, and firms that are failing in this area are sure to come under the spotlight. Nonetheless, regulatory expectations have been made very clear, and firms should have these front of mind when designing their controls framework.