XLoD, which took place in London last week, gathered leaders and senior managers from the world’s largest banks to discuss non-financial risk and control. The two-day conference was full of interesting speeches, panels, and roundtables with regulators, market practitioners, and technology providers.
Here are our main takeaways as they pertain to the state of non-financial risk, regulatory scrutiny of market abuse surveillance, and the future of the surveillance function.
Non-financial risk continues to be a key focus for regulators. But will an increase in regulation become unsustainable? Most people agree that the industry is well-placed to deal with growing legislation around non-financial risk and that the regulatory landscape needs to evolve as new risks emerge.
Of course, embedding new risks into compliance processes is challenging. However, early intervention and agility are critical for firms to evolve and adjust quickly and robustly. The key to this – many said – lies in robust data management. Additionally, firms can build confidence and a stronger relationship with regulators by being transparent and sharing non-financial risks before they become a problem. In turn, this can enable firms to get guidance and advice from the regulator.
Look forward and not back – regulators are forward-looking, and financial firms need to be too
Establish robust processes for carrying out regular risk assessments
Increase collaboration across the three lines of defense
Reduce dependencies on legacy systems and data siloes, and think about how to bring data and processes together
Surveillance processes must keep pace with changing operational, regulatory, and market circumstances – especially given the high volatility and intense fluctuations we have seen in the last two years. To contextualize this, it was highlighted that over the past ten years, 95% of all intraday price improvements greater than two standard deviations have happened in the last 2.5 years. In addition, seven events where the intraday price increased by over 15 standard deviations occurred in the past year. These extremely rare events have happened in a short period – highlighting why surveillance systems and processes require regular reviews.
Beyond macro/market changes, another significant risk is the front-office moving faster than the back office can handle, exposing gaps in firms’ risk frameworks. The front and back-office need to communicate, and new business lines need to be incorporated.
Consequently, UK enforcement actions over the past year have either highlighted firms that have failed to adjust their risk process to market changes or new business lines or have simply fallen short of their obligations.
The regulator is finding that firms generally are over-relying on their risk systems – assuming they are plug-and-play. There is no such thing, and financial firms need to implement surveillance policies and procedures tailored to the risks they are exposed to.
Risk assessments are at the heart of keeping markets clean. These need to be comprehensive and reviewed regularly. But crucially, assessments that lack depth will not be tolerated.
Good compliance comes from a combination of processes, analytics, and culture and draws on regular risk reviews.
The good news is that many firms have gotten this right – exhibiting robust and resilient systems that can withstand extreme macro pressures. However, regulators warned that the gap between the average and lowest performance is still too large. As such, MAR compliance will remain a key focus in the UK as the regulator’s appetite for enforcing market abuse failings grows even higher.
For many, the golden end state of surveillance is holistic control. However, what this looks like in practice is widely debated. For many, the ideal state is a holistic platform that covers multiple jurisdictions, data points, obligations, and more. However, a global bank’s risk coverage is huge; therefore, it is impossible to do everything. With that in mind, many agree that there is an achievable baseline for holistic surveillance that centers around bringing multidimensional data together and having a live view of both cross-market and product risk.
It is all about data and capturing a broad view of risk. Regular risk assessments go a long way to do this, but the ability to join up data points, reduce dependence on legacy platforms, and remove data siloes is also essential.
Surveillance needs to be robust and dynamic, and many risk systems require optimizing so that surveillance analysts can get to the risks quicker. Firms also need efficiencies on the investigation side. Technology needs to help firms better determine which alerts to focus on and give them quicker access to the information they require for investigations.
To achieve this, firms must focus on data first. However, many firms still struggle with sourcing data. To address this, financial firms need to focus on getting better data controls and recognize that this is not a one-off exercise. In the same way that firms must carry out regular risk assessments, they also need regular reviews of their data infrastructure.
With better data management, and the ability to join multidimensional datasets, firms can get a more comprehensive view of risk – looking not just at a piece of data in isolation but using other contextual data to make more informed analyses and subsequent decisions. Better data, broader global risk coverage, and the right investigatory tools will get firms closer to the holistic end state.
Additionally, once firms have established a strong data foundation, they can shift their focus to AI, ML, and automation to reduce false positives, optimize workflows, and more. They can also start to realize the value surveillance data can bring to other departments and how the back and front-office can partner to share data and ultimately benefit the balance sheet.
“For surveillance teams, reducing false positives is the big price item, but the data foundation needs to come first.”
As mentioned above, we have seen unprecedented surges in intraday pricing in the last 2.5 years, which raises the question of how firms can manage intraday spikes without overloading surveillance analysts with false positives.
Certainly, with risk-based alerts, this is hard to do. Today, many firms add human resource to manage these situations. However, a holistic data approach with surveillance algorithms that consider market data and trends can use this data to look at what is happening in the wider market and thereby reduce false positives. For example, what looks like a breach given normal trading behavior, might not be abnormal if you consider what the broader market is doing. This kind of approach can reduce the reliance on human capital – but again – data needs to be right for this to work.
These are our main surveillance takeaways from XLoD in 2022. It is clear that many firms haven’t equipped themselves with the tools and technology they need to support the way we operate today. The use of WhatsApp for communicating with clients and colleagues is a classic example, where the channel has traditionally been prohibited but secretly (or not so secretly) used anyway. This has culminated in the surge of fines we have seen over the last 12 months and highlighted that firms need to modernize their technology to ensure it aligns with the modern worker, the regulator's expectations, and the shifting trading landscape. Here are our final words of wisdom about the effective management of surveillance obligations:
Agility is vital - firms need to keep pace with the risks they are subject to as a business
Regulators will not let firms get away with a free ride – market abuse enforcement is a top priority
Good compliance comes down to processes + analytics + culture
Risk assessments are at the heart of keeping markets clean and need to be comprehensive and reviewed regularly