In 2016 the Market Abuse Regulation (MAR) came into force in the European Union, significantly strengthening the market abuse regime and increasing the scope and expectations placed on institutions to prevent, monitor and report market manipulation and insider dealing. At around the same time, other regulations with a related focus on market integrity, such as MiFID II, also came into force, resulting in a long period where institutions had regulatory topics at the top of their radar.
Similar regimes exist around the globe with differences in the degree of development, level of focus on extra-territorial activities, and the types of activities that require monitoring. Although the wave of regulations has stabilised, market participants remain under scrutiny and pressure. Institutions must ensure they are able to keep up with regulators who are increasingly employing or improving technologies and techniques to conduct market-wide surveillance, co-operating more on cross-border investigations, and keen to show they mean business when it comes to enforcement and prosecution of offences.
It is, therefore, crucial that institutions identify and continuously monitor the market abuse regulations under which their activities fall, so that they can appropriately set up and tune surveillance tools and processes and define the lenses through which their data needs to be monitored and reported. Understanding the market abuse regimes alone is not sufficient, as other regulations may also significantly impact operating models and the technical set-up of such tools and data sources.
A few of the key challenges that global organisations face when setting up or improving their Surveillance function are:
- Complying with local banking secrecy or data protection laws in each location where the business is active, while transitioning towards global cloud-based vendor solutions, centralised surveillance functions or partial outsourcing of alert handling activities
- Minimising infringements on personal rights where personal data is key to identifying market abuse or intent, especially where communications are needed to detect such activities. The requirements increased significantly under the Global Data Protection Regulation (GDPR), which came into effect in May 2018. Several other countries outside of the EU have overhauled, or are still in the process of overhauling, their data protection laws
- Defining alert rules to meet differing regulatory regimes while also catering to the business models and activities in a specific location without overburdening Surveillance teams with “too many” detection models
- Harmonising data archiving and deletion requirements for global tools where regulations often contradict each other (e.g. deletion after five years vs. retention for ten years)
- Meeting the regulators’ expectations with regard to taking a risk-based approach rather than just “ticking the boxes”. This requires Surveillance functions to have an extensive understanding of the operational risks the organisation faces, knowledge of local nuances in activities or controls and an ability to stay on top of changes in the business.
Making sense of the wide range of legal requirements and how these relate to the business demands an upfront investment from organisations in order to conceptualise a compliant target operating model and define surveillance requirements. Legal functions are crucial right from the outset, and other functions outside of Compliance, such as Data Protection Officers and HR, play a key role in supporting operational readiness activities. Being aware of the challenges and mobilising the right people across the organisation can minimise impacts on budgets and timelines for surveillance initiatives, and ensure appropriate ownership and further development of the Surveillance function in light of global regulatory and business developments.
If you want to discuss monitoring and surveillance with one of our team, then drop us an email at firstname.lastname@example.org.