My recent blog on how some banks were dealing with investigations into data completeness around venues was unusually prescient. Soon after it was published, JP Morgan was fined $348.2 million for failures in capturing data from around 30 venues. Under the new OCC order, the bank must overhaul and improve its trade surveillance program and conduct a 3rd party review of its policies. It must clear any new trading venues with regulators under the new order – which seems particularly bureaucratic and unnecessary.
This puts the spotlight back onto trade surveillance, which had been somewhat overlooked in the recent focus on communications. Regulators made record capture their priority with the WhatsApp fines, and banks themselves seemed preoccupied with applying artificial intelligence (AI) and other smart analytics to both voice and e-communications. Vendors too.
Trade surveillance though is the bedrock of market abuse programmes and core regulatory compliance. And a failure to be able to track which venues are being used, and/or to capture data from venues, seems a pretty fundamental issue.
In the case of JP Morgan, "While the identified gaps represent a fraction of the overall activity across the CIB, the data gap on one venue, which largely consisted of sponsored client access activity, was significant," the bank stated in a regulatory filing.
This is a clue to some of the problems banks face. First, it’s highly likely that most of the venues missed are extremely low volume.
Second, they may also just be alternative mechanisms – a web-based version for example – for accessing markets whose main access channels are known and captured. This may explain the implication that the data gaps on most of the venues where data was missing were not significant – not just that they were not significant as a proportion of total CIB activity, but not significant as a proportion of the total data recorded from the venue.
Third, it’s clear that a big problem is direct market access (DMA) or other mechanisms where clients trade through banks’ systems and where, for whatever reasons, that data has not been fully captured.
Banks also have increasing problems simply getting their own data back from venues. Having to pay for incomplete data, or data whose format is changed without notice, is an unsatisfactory state of affairs and the regulatory position – ‘nothing to do with us, that’s a commercial issue’ – is unsustainable.
JP Morgan looks unlucky. There are other large banks in various stages of remediation of various kinds, including OCC Matters Requiring Attention (MRAs), who have not been fined. And this use of MRAs is itself unhelpful. US regulators seem to have switched from using Consent Orders to MRAs as their primary tool to communicate examination findings.
In contrast to formal enforcement actions (EAs) that are public and grounded on firm legal standards, MRAs are confidential and not formally enshrined in regulatory law. The Fed and the OCC have issued very large numbers of MARs to address a wide range of findings with many large US banks said to have juggled hundreds of outstanding MRAs simultaneously.
Transparency would surely be a more sensible way of ensuring the spread of best practice. The problem of tracking new venues, new venue access channels and ensuring data completeness is much more complicated than regulators necessarily believe. Missing data is not a matter of some fundamental incompetence. It’s a reflection of the extraordinary evolution of markets and technology, and also regulatory complexity.
As for the level of the fine, it was unexpected and as one source acknowledges, “It’s safe to assume that this was not the first number they came up with” – that is, this was the number reached after lengthy negotiations. The idea that the original number was significantly higher is somewhat scary.
But perhaps the most important outcome of this saga – and other banks will be remediating this for some years and there may be more fines – is to put the spotlight back onto trade surveillance.
For all of its uses, e-communications surveillance is not yet a primary risk surfacing tool for market abuse. And while it may be increasingly required by implication, to check for off-channel jumps for example, there are still many key jurisdictions where the legislative basis for it is missing. Voice capture requirements are even more limited.
However, as one surveillance practitioner points out, “Think about the number of STORs we file, they're virtually all out trade surveillance, right?”
But, as 1LoD’s recent 2024 Surveillance Benchmarking Survey & Report shows, surveillance teams seem more excited by shiny new tech in e-comms and voice because it’s just much harder to replace legacy trade surveillance tools and the application of AI and machine learning (ML) raise more complicated questions in trade than elsewhere. Add AI pre-alert, but then have to explain to regulators the reduced alert flow? Add post-alert to reduce false positives, but then have to explain the prioritisation of even auto-closing of alerts to those same regulators.
And the real problem in trade is not technology per se, it is, as the recent enforcement indicates, the data. Says one surveillance chief, “Look at one of the latest buzzwords, related products/cross-market. I've had conversations with technology providers that say, ‘sure, we can do that, just send us your data.’ But that’s the difficult bit, right? If I could sort out the data, I wouldn’t need the 3rd party solution, I could use an in-house model.”
The JP Morgan fine is a reminder that trade surveillance is the most critical element of a surveillance programme. It’s a reminder that the regulators are still operating untransparently and that fine levels are arbitrary. And it’s a wake-up call for banks to track down the dozens or even hundreds of places on which their traders or algos are operating unsurveilled.