The Surveillance Conundrum
September 30, 2019 Thought-leadership
Is my surveillance process good enough?
Every compliance officer lives with the knowledge that something can always get through the net. Despite advancing techniques used to capture, process and analyse trading, no surveillance process will ever be perfect, so the task becomes building a sound and demonstrable process that can withstand scrutiny from investors, colleagues and regulators alike. As scrutiny from investors and regulators increases, compliance teams are left pondering “how do we know our process is good enough?” As regulation and the firm’s trading changes over time, the question becomes “how do we keep our processes good enough?”
Accepting the axiom that no process is perfect means accepting that your existing approach has weaknesses and gaps. That implies an assessment of these gaps and a realistic plan of tactical and strategic steps to address them. As a result of recent changes in regulatory guidance (FCA Market Watch 56 to 60 and the SEC’s recent focus on MNPI and electronic communications), it has become evident that firms do not currently have these plans in place, and often they have accepted a temporary and manual solution to the problem that is neither sound nor demonstrable. This presents a challenge. The solution is a change in approach.
1. Rather than concentrating on tuning and noise (both remain relevant, but later in the order), the focus should first shift to a shared understanding. This means communicating risks, policies and processes in plain English, so that peers can discuss them constructively, investors can be shown them, and regulatory queries can be answered concisely. As businesses evolve, clear and repeated communication of policy and process will ensure collective buy-in and understanding, which increases the likelihood that potential gaps will be identified and reduced.
Establish, in plain language, the risks, policies and processes:
- Run a comprehensive, bottom-up risk assessment covering regulatory and internal requirements
- Identify units of risk (for example: email communications, trade activity, external phone calls)
- Develop policies mitigating the identified units of risk
- Link the policies to processes where applicable
- Generate rules based on the processes
2. With a basis of communication and understanding, firms should look at systems of reporting, versioning, and validation (verifying, testing, tuning). A single system, implemented well, can explain existing and previous policies and their processes, the changes made to them, and an audit trail, which serves as justification and a path to soundness and defensibility.
Once you establish the policies, processes, and rules, put all of them into a single system:
- Rule-generated alerts
- Policy documents
- Written processes
- Full audit trail for documents, rules, and any systematic changes
- Explain the key phases and process changes and develop the responses to:
  - What policies do you have and why?
  - Which policies have processes and why?
  - How are the processes maintained, evolved and refined?
3. With that done, the final step is to define an internal flow of publishing, challenge, and review, to provide firm-wide visibility and understanding. Done correctly, this process can be almost fully automated, taking the form of emailed review reminders, scheduled reporting and internal surveys, which, combined with the detailed audit trail, complete the change.
Automate as much as possible:
- Alert generation and resulting activities
- Periodic policy reviews
- Management information reporting
- Internal firm surveys
The result is a well-understood surveillance approach, supported by detail and an audit trail covering all decisions, reviews, and changes in one automated system; reduced overhead in spite of an increase in regulatory oversight; and an answer of yes to the questions “is this good enough?” and “will it remain so?”