Plenty of prescriptions from the regulators

As physical FCA visits restart, it’s a good time to remember that while regulators are often criticised for not being prescriptive enough, their enforcement notices actually contain very detailed prescriptions for the kinds of policies, procedures and technology they expect in particular types of firm.

December’s BGC/GFI enforcement by the FCA contains a wealth of interesting insights into what is expected of sophisticated players in the market.

For example, “At BGC, the automated surveillance system only covered trading in equities (0.14% of its total trades by value over the Relevant Period) and fixed income (99.522% of its total trades by value over the Relevant Period) [and] at GFI, the automated surveillance system only covered fixed income trading (92.46% of its total trades by value over the Relevant Period).”

So, the regulator’s concern was the lack of an “automated surveillance system” for equity derivatives, futures and options and commodities. Despite the fact that these businesses were small relative to the others, the regulator states that “comprehensive automatic surveillance was a necessity.”

The FCA also gives specific advice on voice surveillance. “Given that 80% of the business of BGC/GFI was conducted through voice brokerage, communications surveillance was a key control that BGC/GFI should have used to appropriately monitor for market abuse risks. However, the communications surveillance undertaken by BGC/GFI had a limited, sample-focused design that was not sufficient to provide adequate monitoring … The number of communications monitored in proportion to the size and scale of the business was so low that it was not appropriate, proportionate or effective in detecting market abuse.”

And there is also specific guidance on the overall operation of the three lines of defence model. The first line of defence was the firms’ brokers, alongside the automated and the manual trade surveillance systems. The Market Conduct and Surveillance team had primary responsibility for these systems. “BGC/GFI considered that, as they primarily carried out voice brokerage, brokers were … the most effective way for BGC/GFI to identify suspicious orders and transactions … However, such a reliance on brokers to conduct proper market abuse surveillance, particularly considering the firms’ trading volumes, is inadequate as a control measure, and unrealistic as a reliable approach when being carried out in parallel with broking business.”

There was also specific criticism of accountability and staffing. The surveillance managers “held the title in name only”; a more junior team member “assumed de facto responsibility”; and recruitment efforts were insufficient.

The enforcement also offers intriguing insights into the technology struggles that lay behind some of the surveillance failures. The third-party system employed struggled to ingest data; new scenarios could not be developed in-house; as more financial instruments were added to the system its functionality declined and the system “fell over” two or three times a week.

Eventually, in a statement that will be familiar to anyone who has been involved in an IT project, it was agreed that the system needed to be replaced, but it then became clear that “implementation of the new automated system would take substantially longer than BGC/GFI had anticipated, around another 12 months, and the two automated systems would need to run in parallel for a period.”.

Within this enforcement action the FCA by implication gives an enormous amount of concrete advice on the technology, staffing, policies and procedures it expects from market participants. Yes, the regulations themselves are principles-based, but in detailing failures, these enforcements paint a detailed picture of the minimum requirements for a modern surveillance operation.

They also illustrate how much progress the best practice organisations have made in surveillance and how much work those behind them still have to do.