Surveillance, role of conduct in managing risk and digital transformation were some of the themes discussed during day one of XLoD Global 2020. Lockdown has made it much more difficult to manage and monitor conduct – but most firms agree that the industry has responded in an effective way. Now the focus is on how firms can future proof their operations, operate more efficiently, and enhance their risk management by increasing collaboration between the three lines of defence.
2020 has been an incredibly unusual year with a range of new risks, which has made it increasingly hard to identify, understand and manage the impact. No one saw a global pandemic coming, but when it did firms had to quickly adapt. Trading volumes and volatility went up, surveillance alerts skyrocketed, and suddenly all employees were working from home.
In an office there is an element of control. When employees are working remotely, there is hardly any. Policies therefore will need to be reviewed and governance enforced.
Whilst many agree that the industry has responded in a sufficient way, one thing lockdown has made clear is that whatever controls are in place today need to be adaptable to future scenarios. Digital transformation is in many cases needed. Yet technology is still not being used effectively in these areas. There are still many companies that have not adopted digital solutions, either avoiding it completely or opting to keep manual practices. This needs to change.
Data has grown over last 10 years and technology advancements have helped. Data will continue to grow, and the way data is treated will also change. A digital transformation programme deep-rooted in data management is therefore key to firms’ ability to futureproof their operations and stay on top of risk management.
Following on from a number of FCA decision notices for non-financial misconduct breaches issued last week, there seems to be a new focus on reducing misconduct risk. To achieve this, many argue that the focus needs to shift away from individual firms/funds to how we manage this risk as an industry. However, others said that there needs to be more onus on firms to “own” their conduct.
One thing that is clear is that compliance needs to be taken seriously by all lines of defence, especially by the first line. The days where people think that compliance is something that is simply “done to them” are gone. In the UK, the senior managers regime or SMCR has certainly helped. In Singapore, the Monetary Authority of Singapore’s (MAS) Guidelines on Individual Accountability and Conduct – which will be introduced in September 2021 – will serve a similar purpose and set out general expectations relating to individual accountability and conduct.
The good news is that culture seems to have changes and there is a lot more focus and attention on conduct and compliance. Of course, there is still some way to go, and firms still need to focus on building a culture that encourages people to speak out, where they feel comfortable reporting on issues without fear of negative consequences.
This was a theme that was raised several times. To manage conduct risk across the three lines of defence, the process needs to be embedded across the entire business.
Within some firms, regulators have seen different control approaches within the different lines of defence. There needs to be more cohesion to not only benefit from economies of scale and reduce duplicate work, but also enable better risk detection.
To increase alignment across the business, firms need to focus on establishing a common language and a shared data set that can be used across the board. This will enable a collective understanding of the risks and whether the right controls being owned by the right people. While technology is helping in this regard, getting large organisations to make the best use of new technology takes time.
An interesting concern was around managing conduct for new joiners that have never stepped a foot within the four walls of the organisation. Culture is absorbed through was is taught, but also through the surrounding environment.
What are the risks when the culture cannot be observed and learned in an office environment and how do you identify and mitigate them?
The main discussions on day two of XLoD Global were focussed around the role of the Chief Operating Officer, how to manage data, and the evolution of trade surveillance and behavioural analytics.
An important highlight was around accountability with many firms stating that non-financial risk is now as important as revenue generation.
Today, businesses are far more global than ever before – operating in multiple jurisdictions. The role of the COO is both vast and constantly evolving, which has presented a wealth of challenges around the prioritisation of work.
To free up time whilst staying informed of important developments and risks, having dedicated and specialised first line control teams seems to be recommended. However, this presents its own set of challenges in terms of creating a cohesive and homogeneous structure across diverse business lines.
When expertise is fragmented across regional and global locations, effective and informed oversight becomes more challenging. By centralising the data and making it usable, virtual proximity and information sharing can be created – presenting a unified structure (at least where data is concerned).
Many highlighted that accountability for managing the business and risk should apply to all levels of the control chain, right up to senior management.
For this to work, teams need to break down the “over-siloed” risk of keeping information for themselves and have ready access to clean, centralised data. Everyone runs the business and, as such, information sharing should become common practice (where allowed).
As the above points show, the common challenge is having data in one place and tools to enable meaningful decision making. This can be likened to a needle in a haystack. The COO expects the control teams to find the needles, but when the control teams find them they have to ask the COO which ones are important.
In fact, data management remains one of the biggest challenges for firms and takes a lot of time, particularly within surveillance. There is also a high level of manual work required to mine data, which often leads to signals being missed.
With many firms projecting that that data governance will become a top focus for the regulator going forward, it will be increasingly important that firms build out capabilities that enable them to understand their data, turn it into useful information and share it across the business.
There was a consensus that the events of 2020 have increased the focus on surveillance within senior management.
On the communications front, there is a clear need for a deeper understanding of internal communication policies and how they are enforced. Governing and enforcing these in a remote working environment has been a key priority for most firms.
Another key point that was made is that surveillance cannot just be forward looking. Firms need to have the ability to look historically to understand if certain behaviours are out of the norm.
Many agree on the benefits of behavioural analysis - in terms of improving the quality of alerts and reducing false positives - but are concerned about the ethics. There is a fine balance between respecting the privacy of employees and identifying risk.
Firms need to clearly define their red lines as they build out their surveillance programme, and this takes careful consideration. But once the balance has been found, many agreed that there is an enormous amount that can be gained.
During day three of XLoD Global, the focus shifted towards Communications Surveillance, how to capture employee data whilst respecting their privacy, and the use of AI and Automation in improving efficiencies and reducing false positives.
Communications surveillance was a big focus on day 3 of XLoD. Whilst many people agreed that advancements in technologies such as Natural Language Processing (NLP) and Behavioural Analytics will enhance the practice of communications monitoring, there will always be a need for lexicons as well. However, it was noted that lexicons will evolve with the use of AI and ML – becoming more efficient and better at reducing false positives.
Employee surveillance is necessary for capturing things like rogue trading and to provide valuable context around conduct and performance. However, capturing relevant data and ensuring employee privacy is a fine balance. To get this right, firms need to be clear about what they are trying to achieve with their surveillance programmes, and once defined, make this transparent. To empower employees and ensure they do not feel "watched", firms should explain exactly what data needs to be captured and why, and ask employees to acknowledge this before any data is collected. Some of the more “personal” data points include:
Door tagging
Many firms are today looking at the movement of people when they are in the office, tracking when people are arriving and leaving, and which rooms/floors they are entering. However, it was noted that this can throw up some false flags as there could be genuine reasons why certain patterns are happening. For example, a trader might be in the office late at night because they are behind on their P/L and trying improve their performance - rather than carrying out illicit activity.
‘Fitbit’ style tagging
Some firms are looking at data such as the heart rate of their employees, and overlaying this with trading activity and general health (e.g. underlying issues such as drug or alcohol abuse) to uncover trends.
Sentiment
Surveillance is starting to lean more towards behavioural analytics and looking at the tone of voice to determine whether there is anxiety, aggression, or stress. This helps firms to understand if there are underlying factors that are contributing to a trading decision.
Looking at AI, many people agreed that this will be a significant element in the future, but it is not the answer to all problems. Data remains a prominent issue across the board and until firms have fixed their data problems, AI cannot work.
The same was said about automation, something many people agree is required to increase efficiency and risk management across the three lines of defence. Many firms are having difficulties in harmonising and normalising information, and as a result, they are failing at the first hurdle of applying more advanced technology.
To succeed, firms need to be able to bring together, cleanse, index and analyse the vast amounts of data produced today. They also need to have the right people and the right resources in place to use the data. Simply ticking a box to say “yes, we do AI” is not sufficient and this is why we saw 60% of respondent state that investments in AI-powered surveillance tools have not reduced false positives.
One thing that was agreed was that firms need to spend money to save money in the long term – investing in systems and technologies that enable enhanced data management, process automation and interoperability.
SteelEye is a trusted compliance platform for MiFID II, EMIR, Dodd-Frank, MAR, SMCR & more. Established to reduce the complexity and cost of financial compliance, SteelEye enables firms globally to manage their regulatory obligations through a single platform.
SteelEye’s ability to bring together, cleanse, index and analyse structured and unstructured data across all asset classes and communication types enables clients to effortlessly meet their regulatory needs, because when all this data is in one place, compliance becomes both easy and cost-effective. And with everything under one lens, firms also gain fresh insight into their business, helping them improve their efficiency and profitability.
To date, SteelEye has launched solutions for record keeping, trade reconstruction, transaction reporting, trade and communications surveillance, best execution reporting, transaction cost analysis and advanced analytics for regulations including MiFID II, EMIR, Dodd-Frank, SMCR and MAR.