The publication of the FCA’s Market Watch 79 has drawn the attention of compliance teams at affected firms to venue and data completeness, with firms engaging boundary testing, system calibration exercises and, where possible and dictated by risk exposure, even detailed code reviews.
Impetus to these efforts was added by the size of the fine levied against JP Morgan by the OCC and US Fed as a result of its incomplete surveillance key venues. And the approach by firms being taken in connection with this Market Watch is different to Market Watch 74. That edition primarily triggered calibration efforts around parameters with only limited scrutiny of code that was considered high-risk, as did Market Watch 68, which had more limited buy-in as a result of its targeted nature.
Attendees agreed that one of the issues being faced by compliance teams in connection with the FCA’s expectations as set out in Market Watch 79 is the fact that the vendors are constrained in what they can disclose to clients because of their need to protect their intellectual property.
The consequences of incomplete venue or data coverage can be painful even in instances where no regulatory action is taken or fines levied.
In-house systems have the advantage here because they can be very thoroughly tested by internal technology teams with a good understanding of the underlying code and system logic. There seemed to be consensus that one outcome that the FCA may well need to consider satisfactory in this context will be a third-party technology audit of the vendor’s systems, including their effectiveness and reliability.
Model risk is also a concern in this area with models that are highly complex causing real problems not only for compliance, but also for technology teams, particularly where boundary testing suddenly uncovers unexpected problems or ommissions.
Another challenge for firms is the fact that they are not responsible for the data sources themselves and this can lead to significant practical challenges including data in different formats, interruptions in the supply of data or unannounced changes to upstream systems.
The consequences of incomplete venue or data coverage can be painful even in instances where no regulatory action is taken or fines levied, with firms having been asked to re-ingest data into their surveillance systems and then having to undertake a manual review of this historical information. This can be both time-consuming and expensive.
Communication monitoring challenges
Attendees admitted that communications monitoring is easier when compared to the complexity of effective and complete trade surveillance. A key to successful communication monitoring by firms was held to be ensuring that all relevant channels are covered.
But what sounds very simple in theory can become more difficult in practice with questions arising around novel communications channels, applications that may inadvertently enable unmonitored communications (for example Miro), as well as concerns around inconsistent or incomplete data feeds from some providers. Some of those attending suggested that having in place robust policies can be immensely helpful, but is not a panacea either simply because of the pace at which technology is changing.
Pressure on the subject of monitoring stems primarily from the US and can be a difficult one to tackle for firms with a presence in countries where there is no precedent for such monitoring. The issues here stem from different rules and laws as well as cultural norms and expectations.
Some specific pain points around communications monitoring include MMS messages and emojis, both causing real problems because of the fact that no system exists at present to interpret them effectively without input from an operator. Once again the point was made about the fact that regulatory pressure connected with these is stemming from the US, with European regulators seemingly remaining unconcerned.
Supervisory visits
The high-level discussion of recent supervisory visits revealed that data and venue completeness is indeed in the regulatory cross-hairs at the moment.
However, voice communication monitoring, particularly when it involves languages other than English, has been an area of scrutiny by regulators as different as the NFA, SEC and CBI (Central Bank of Ireland). This represents a challenge given the fact that the technology for the effective monitoring and capture of voice is only now beginning to mature.
Some of the attendees suggested that a risk-based, proportionate approach to surveillance could be the way forward. But others disagreed, pointing out that the regulators are increasingly looking for more granular data as well as evidence that firms are making a concerted effort to ensure that voice communication is being covered.
Regulators not doing enough
Finally, an interesting discussion ensued following the highlighting of the Australian Senate’s scathing criticism of the effectiveness of ASIC, with attendees sharing stories about submitting well-formed reports of clear market misconduct to regulators only to be met with aggressive challenges such as “how did this get past your systems and controls” or with near indifference – the response being “we are definitely going to be looking into this” with no action ensuing.
There was an unspoken consensus around the room that robust enforcement action from an active regulator makes the life of compliance professionals easier rather than harder and that, at the moment, it seems sadly lacking outside the United States.