On 10 December 2015, the FCA published a thematic review looking at the way in which financial services Firms receive, generate and handle confidential and inside information. The review sample consisted of 16 small to medium sized investment banks and focused mainly on Debt Capital Markets and M&A departments. The sample Firms were asked for policies and related documentation, and the FCA also made full-day visits to 10 of the participating Firms and undertook transaction walk-throughs and interviews of staff. The review also looked at the ways in which senior management disseminated messages through their organisations, management oversight, employee understanding of key concepts and the role of the Compliance function.
The FCA's findings
The FCA found that standards of control varied and that some of the practices observed resulted in heightened risks for market participants and Firms, including conduct and conflict of interest failings, as well as FCA regulatory and legal breaches. The FCA summarised its key findings under three main headings as follows:
- Circumstances Posing Heightened Risk
Several Firms had not thought sufficiently about the types of circumstances (for example, certain trading scenarios, or changes to business models) which posed heightened levels of risk for misuse of confidential and inside information and whether those circumstances had been mitigated appropriately.
- Conduct, Culture and Responsibility
Senior management responsibility and accountability in managing flows of information was not always clear and understood. At a basic level, some senior management were unable to explain the difference between confidential and inside information. The Compliance function in some Firms was remote, while in others it took on too much first line responsibility. Employees at some Firms shared information without adequate deliberation.
- Firm Systems, Procedures and Infrastructure
Some Firms had not adequately considered the risks of locating employees with conflicting roles or responsibilities in close physical proximity to each other. Firms used both manual and automated surveillance mechanisms around flows of information but these were not always fit for purpose. Policies and procedures at some Firms were not user-friendly and training was at times inadequately tailored to the needs of employees. The FCA identified a small number of non-UK headquartered Firms that completely failed to reference the UK regulatory regime in their policies and procedures.
The FCA's key messages arising from the review are as follows:
- Firms needed to place the assessment of circumstances that could present heightened regulatory and conduct risks at the centre of their ongoing risk assessment.
- While Firms and senior management had identified and considered the main risks that flows of confidential and inside information posed to themselves, clients and financial markets, they were not doing enough to manage these risks.
- Employees at all levels needed to understand their role in controlling flows of confidential and inside information and make it an integral part of how they carry out their work.
- Business heads needed to take responsibility for controlling flows of information, with appropriate challenge and monitoring from the second and third lines of defence.
As regards next steps, the FCA advised that all UK-based and FCA-regulated Firms should consider whether their own arrangements are fit for purpose and continually review those practices. It also pointed to the implementation of MiFID II as something that would strengthen a number of the areas identified in its review, including enhanced requirements around conflicts of interest, compliance function and record keeping. The FCA also looked to the Market Abuse Regulation (due to come into effect on 3 July 2016), which will replace the current civil UK regime. The Regulation will extend the current regime, covering additional markets, platforms and financial instruments. As these new regimes come in, it is likely that the FCA will closely monitor Firms' efforts to comply with new requirements.
The FSA had previously taken a number of enforcement actions relating to risks associated with potentially confidential and inside information. The FCA's work on this is in some respects not new. Whilst its review suggests that Firms are recognising the risks associated with the flows of confidential and inside information, the FCA said that further work was needed in order to ensure that those risks were managed appropriately. As ever, in the world of accountability, the FCA pointed to the responsibilities of senior management.
You can read the review here.