Some choice words from the FCA's Director of Market Oversight, Julia Hoggett, in a speech discussing market abuse. New technology will not stand in the way of the FCA's mission to protect the market from manipulation and other suspicious behaviour, nor will it provide a smoke screen for senior managers in regulated firms to hide behind.
She reiterated the mantra that effective compliance is a state of mind: after-the-event controls cannot work alone and need to be accompanied by tailored systems and controls, together with informed awareness on the part of market participants and senior managers so that they might (i) properly assess the risk that an institution could be used to facilitate a financial crime; and (ii) mitigate against the risk that staff (from print room to front-line) are not sufficiently conscious of the risk that their own behaviours may pose: "[W]hen it comes to mitigating the risk of market abuse, you could say that we are not seeking to be in the business of closing the stable door after the horse has bolted."
Hoggett's speech challenged firms to consider the effectiveness of their "conduct risk identification muscles" and "to think critically about the front-to-back information management that they need to have in place" to guard against the misuse of inside information.
Based on Hoggett's observations, some practical questions for firms to consider are as follows:
- Is your control framework adequately mitigating market abuse risks holistically?
- Do your staff members understand their responsibilities in relation to inside information?
- Do they understand the consequences of acting unlawfully with that inside information?
- Do you have measures in place to monitor for inside information leaving your firm's building (and not just via electronic means)?
- Are your senior managers sufficiently well-equipped to understand what they can and cannot say when speaking with senior investors and journalists?
- Do you rely too heavily on insider lists? How often do you review / refresh / close such lists (and deal-specific teams)?
- Does your firm-wide risk assessment consider the access risks to inside information by all members of your staff: from cleaning staff to your head of compliance, IT support and other functions?
Finally, a word to the complacent: "We observe firms taking comfort from the perception that 'others are also failing' in the same way that they are. As a regulator, I must say that there is something depressing about that logic."
Sharing the limelight with the lowest common denominator never was, and never will be, a comfortable hiding place.
"The FCA cannot prosecute a computer, but we can seek to prosecute the people who provided the governance over that computer."