This first instalment of our Wholesale Conduct thematic blogs focuses on the challenges of information control and on how Deloitte can help.
The control of non-public information (“NPI”) has been, and will continue to be, an area of focus for the Financial Conduct Authority (“FCA”). How a firm manages NPI is the basis on which regulators assess its overall conduct framework and its management of market abuse risk. Whilst many firms have worked hard to improve their controls around NPI, the FCA continues to signal areas for improvement [1]. Enforcement actions against individuals who had access to sensitive information and went on to abuse that access further signal the personal consequences for individuals, and the reputational damage to firms, of mismanaging NPI.
For a compliance function, the policies and procedures that establish information barriers and the associated controls for conflicts of interest and market abuse invariably require a definition of inside information (or material non-public information, “MNPI”) and a broader definition of NPI. Compliance policies on this topic will typically distinguish between MNPI, to which specific control requirements apply, and other NPI that does not amount to MNPI. It is critical that information is properly classified on first receipt: until it has been classified, it cannot be handled under the right controls. The policy is then likely to articulate the concept of “need to know”, which should be regarded as the fundamental principle for the handling, use and dissemination of all NPI by anyone in the organisation, regardless of position or department. Access to NPI across the organisation should be managed accordingly.
“Need-to-know” is in common use, but it requires a more detailed articulation to ensure a consistent understanding and to avoid self-serving interpretations. The principle applies to the management of all NPI and extends to the sharing of NPI both within the organisation and externally.
In summary, the need-to-know principle requires, absent permission/consent to the contrary, that all NPI must:
In an investment bank, the need-to-know principle is applied in the context of handling sensitive financial information, proprietary trading strategies, client data, and other confidential matters. Key questions for firms are:
It is essential to restrict access to NPI within the bank to those individuals who require it to perform their job responsibilities. Applied consistently, this principle helps maintain the integrity of the bank's operations, protects client confidentiality, and guards sensitive data against unauthorised access or misuse.
In practice, investment banks should implement the need-to-know principle through a combination of access controls, user permissions, data segregation, and strict information-sharing protocols, with access decisions defaulting to deny unless a job-related need or a recorded consent exists. Regular training and awareness programmes should also be run to educate employees about the importance of confidentiality and data security. By adhering to this principle, investment banks can maintain trust with their clients, comply with regulatory requirements, and mitigate the risks associated with sensitive information.
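To make the principle concrete, the following is an added illustration, written for this page and not part of Deloitte's or any firm's own control system, of a default-deny need-to-know gate for NPI records. It applies the classification made on first receipt (public, NPI or MNPI, with unclassified information treated as MNPI until classified), grants access on deal-team membership or a recorded consent, requires that consent for MNPI comes from compliance (an assumed wall-crossing rule), and logs every decision. The record and user fields, team names and the "compliance" approver label are assumptions made for the example.

```python
# Added example: default-deny "need-to-know" gate for non-public information.
# Illustrative code for this page, not any firm's control system; the field
# names, team names, consent model and "compliance" approver are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Classification(Enum):
    PUBLIC = "public"
    NPI = "npi"    # non-public, but not inside information
    MNPI = "mnpi"  # inside information: stricter controls apply


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_team: str                                  # function that owns/controls the information
    deal: Optional[str] = None                       # matter the information relates to, if any
    classification: Optional[Classification] = None  # None = not yet classified on receipt


@dataclass(frozen=True)
class User:
    user_id: str
    team: str
    deals: frozenset = frozenset()                   # deal teams the user is a member of


@dataclass
class NeedToKnowGate:
    """Default-deny decisions; consents (e.g. wall crossings) are recorded explicitly."""
    consents: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (user, scope) -> approver
    audit: List[dict] = field(default_factory=list)                     # every decision is logged

    def record_consent(self, user_id: str, scope: str, approver: str) -> None:
        # scope is a deal name, or a record_id for NPI not tied to a deal.
        self.consents[(user_id, scope)] = approver

    def decide(self, user: User, record: Record, purpose: str) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(user, record)
        self.audit.append({"user": user.user_id, "record": record.record_id,
                           "purpose": purpose, "allowed": allowed, "reason": reason})
        return allowed, reason

    def _evaluate(self, user: User, record: Record) -> Tuple[bool, str]:
        # Fail closed: information not yet classified is handled as MNPI.
        cls = record.classification or Classification.MNPI
        if cls is Classification.PUBLIC:
            return True, "public information"
        if record.deal is None and user.team == record.owner_team:
            return True, "within owning function"          # general NPI stays with its owner
        if record.deal is not None and record.deal in user.deals:
            return True, "member of deal team"              # job-related need
        scope = record.deal or record.record_id
        approver = self.consents.get((user.user_id, scope))
        if approver is None:
            return False, "no need-to-know and no recorded consent"
        if cls is Classification.MNPI and approver != "compliance":
            return False, "MNPI consent must be recorded by compliance"
        return True, "consent recorded by " + approver


def demo() -> List[dict]:
    """Constructed scenario: a deal memo, a public-side salesperson, a wall crossing."""
    gate = NeedToKnowGate()
    banker = User("u1", "corporate_finance", frozenset({"project_falcon"}))
    sales = User("u2", "equity_sales")
    memo = Record("memo-17", "corporate_finance", "project_falcon", Classification.MNPI)
    gate.decide(banker, memo, "deal work")               # allowed: on the deal team
    gate.decide(sales, memo, "client pitch")             # denied: public side, no consent
    gate.record_consent("u2", "project_falcon", "corporate_finance")
    gate.decide(sales, memo, "client pitch")             # denied: MNPI needs compliance
    gate.record_consent("u2", "project_falcon", "compliance")
    gate.decide(sales, memo, "market sounding")          # allowed: wall-crossed by compliance
    gate.decide(sales, Record("note-3", "research"), "curiosity")  # denied: unclassified, fail closed
    return gate.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the structure is that every path to "allowed" names a reason that a reviewer can later test against the policy, and that the absence of a classification or a consent never opens access.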
It is important to recognise that, while the control of information within a financial institution is multi-disciplinary, as the diagram below illustrates by showing the many functions with related responsibilities, adherence to the need-to-know principle should be universal.
Key questions for firms are:
The control of information is a complex task. The intricate web of data, including sensitive client information, proprietary trading strategies, market-moving transactions, and risk assessments, demands clarity about who owns and who controls each piece of information.
From our experience of working with firms of varying size and complexity, and from recent communications by the regulator, the most common challenges faced by firms concern the following:
Successfully addressing these challenges requires a comprehensive approach that combines informative policies and procedures, technological solutions, employee education, and effective governance practices.
We can help firms design effective information controls, from the classification of information and the definition of ownership to the implementation of robust security measures and data governance policies, all of which protect NPI and foster a culture of responsibility and accountability within the organisation. To underpin those controls, we can also devise and deliver tailored training for employees at your firm.
The need-to-know principle need not hinder internal collaboration or cross-selling opportunities. Applied correctly, it can support a firm's business and improve its reputation for the safe management of client confidential data.
If you would like to discuss the regulator's expectations or your own requirements further, please contact any author of this blog.
_____________________________________________________________________________
[1] Recent examples of FCA publications include FCA Market Watch 60 and 71 on inside information and insider lists, Market Watch 75 on market soundings, and the FCA's letter to Corporate Finance Firms summarising poor information controls observed at CFF firms.