What to do about data completeness

Does anyone still care about market abuse? It’s a slightly tongue in cheek question, but it’s being asked by surveillance heads in the wake of the regulatory enforcements around WhatsApp and then missing venues. What these surveillance leaders mean is, in the quest for channel and data completeness, have we lost sight of the idea of a risk-based approach to surveillance? And where does the drive for completeness end?

The biggest fines have been about large-scale data failures: an entire class of e-communications channels that can lie outside surveillance and the revelation that banks do not, across all their record keeping and monitoring functions, actually know how many venues they are trading on.

But regulators tend not to stop at the big picture. They have now got their teeth into data completeness, and so coverage is back at the top of the surveillance agenda – if it ever left that spot.

As one surveillance chief said recently to 1LoD, “The regulators are far more interested in proof that you are covering the right people, channels and languages than they are in the details of how well you are using technology to improve risk detection.”

They are also starting to dig much more deeply into data completeness and validation on a trade-by-trade basis.

For surveillance teams this means that the best value use of new tech may not be anything fancy, it may simply be to expand coverage of regulated activities.

Get languages covered

The best example is probably languages. Banks have usually implemented surveillance for their core language and a handful of others but have been very open that because of limitations in technology or because of risk-based decisions, they have left significant voice and e-comms datasets unsurveilled or subject to extremely limited sample-based surveillance. According to the 1LoD Surveillance Benchmarking Report & Survey, almost half the banks polled (46%) surveilled between zero and five languages.

It’s hard to see this being acceptable going forward. It is going to be increasingly difficult for banks to explain to regulators why they are not surveilling all the languages used in regulated activities, since technology is now able to accurately transcribe, translate and analyse both voice and e-comms across most of the languages banks need to look at.

Everything about the trade

Regulators are also likely to continue to look hard at trade and order data. They have looked at venue completeness to start with, but they are starting to zoom in on the data itself. For every trade there is an increasing expectation that banks have easy access to the request for quote (RFQ) / indication of interest (lol) data, the order itself, data around execution whether that is electronic or voice, plus any comms around the trade and any other metadata that is relevant.

This regulatory focus has changed how surveillance teams – and other lines of defence – are thinking about data.

For example, model risk management teams, already involved in evaluating surveillance calibration and scenarios, are now conducting their own versions of a data audit at some banks.

At others, the validity controls around data ingestion are being beefed up, and starting to generate their own alerts streams. These suffer from the familiar problem of false positives and are also likely to be checked by surveillance staff lacking the data science skills to fully understand them.

And the 3rd line have responded to regulatory enforcements with their own checks. As one surveillance chief says, “Regulators are zero tolerance so [internal] auditors are zero tolerance.”

No more risk-based approach?

All of this is a departure from the traditional risk-based approach. That is exemplified by the comments of one surveillance head, who said: “I think there has to be a degree of pragmatism and realism that you physically can't capture every single element of every single thing across every single channel.”

It’s not clear that this is acceptable anymore. Regulators are much less willing to accept that banks cannot obtain this data, or that venues are to blame, or that this level of detail is unnecessary. In their view, the cost (and unfairness) of having to buy data from venues which the banks have partly provided is simply a cost of doing business. And banks can always refuse to do business with venues unwilling or unable to provide the required datasets.

Banks seem resigned to this new reality. As another surveillance leader explained, “Given the regulatory obsession with data completeness what you see is a de facto move away from a risk-based approach. But there is an infinite cost to total completeness and if total completeness is needed then what happens to the idea that we are managing risk?”

Put another way, what is the definition of success for a head of surveillance? The prevention and detection of actual market abuse? Or total compliance and data completeness?