Skip to main content

Market Abuse Risk Assessments

In the second instalment of our Wholesale Conduct thematic blogs, this blog focusses on the challenges regarding market abuse risk assessments and how Deloitte can help you.

Market abuse risk assessments are a fundamental tool in identifying and managing market abuse risk at a firm. A firm’s ability to appropriately identify and mitigate the market abuse risks related to its business activities remains a supervisory focus of regulators. Failings in the assessment may be seen as undermining the firm’s control framework and could result in key control gaps and ultimately significant enforcement fines.

In this blog, we set out the key components of a market abuse risk assessment, why it is important to get it right, the common pitfalls and how we can help you.
 

Why is market abuse risk difficult to assess?
 

Market abuse risk is a measure of the risk that an individual, client or the firm engages in behaviours amounting to insider dealing, unlawful disclosure of inside information and market manipulation. The behaviour can be difficult to detect since it is likely to involve the deliberate circumvention of a firm’s policy and procedures, taking advantage of complicated booking models and trading strategies to conceal activities. While the realisation of market abuse risk occurs rarely, it has the highest impact on reputation, on firms and on individuals, often resulting in fines or costly remediation. As such, it is in every firm’s interest to assess the risk robustly. 
 

What does a market abuse risk assessment entail? 
 

The format, style and depth of the market abuse risk assessments will vary from firm-to-firm. In some firms, market abuse risk assessments are included as part of a wider market conduct or compliance risk assessment. However, a market abuse risk assessment will typically include the following components:

  • A detailed inventory of market abuse risks and related behaviours that is relevant to the firm’s business
  • Mapping of risks to relevant mitigating controls and identification of control gap
  • Inherent Risk ratings based on the firm’s business activities, including a likelihood assessment and impact assessment
  • Residual Risk ratings considering the inherent risk and control effectiveness
  • Risk appetite levels for market abuse risks which are not preventable
  • Actions to remediate identified gaps and action trackers in the form of an on-going book of work

While the components of a market abuse risk assessment are likely to be similar across firms, the effectiveness of the assessment is driven by the strength of its governance processes, collaboration between stakeholders and training.

Why is it important?
 

Market abuse risk assessments are critical in helping firms understand the risk, monitor, detect and prevent the risk from occurring and in meeting their regulatory obligations. The requirements and details of the market abuse risk assessment are not typically met through a firms Risk and Control Self-Assessment (RCSA). A specific market abuse risk assessment allows firms to identify gaps in their market abuse controls and provide a framework in which to prioritise remediation of gaps in controls.

Risk assessments allows firms to demonstrate the breadth and depth of their control environment. For many firms, the risk assessment output is one of the standard documents requested by regulators during their supervisory reviews. Market abuse controls are also repeatedly prioritised by the FCA (Financial Conduct Authority) in their Dear CEO letters and other publications.

The value that regulators place on effective and complete market abuse risk assessments is exemplified by the fines that have been issued in the past for incomplete coverage of surveillance and controls of the risks posed by the firms. Firms that can demonstrate a proactive and robust approach, with well documented decisions and collaboration between key stakeholders, are more likely to be able to evidence the effectiveness of their market abuse control framework when challenged by regulators and governing bodies. 
 

What are the common challenges?
 

From our experience of working with various firms across the financial industry and from recent communications by regulators, the common challenges faced by firms regarding their market abuse risk assessments are:

  • Unclear roles and responsibilities: The roles responsibilities of key stakeholders, including the risk owners within the business, technology and control functions, are ambiguous, leading to possible gaps in the assessment and risk coverage.
  • Lack of detail in assessment procedures: Procedures do not include key definitions such as the meaning of different inherent risk ratings or effectiveness ratings, resulting in inconsistent application by different teams and rendering the risk assessment of little use.
  • Too high level: The risk assessment does not consider all the types of market abusive behaviours and how they may manifest based on the firm’s specific business activities. Often assessments do not reflect that the risks materially differ depending on the products traded, execution channel (e.g. exchange, MTF or OTC) and method of execution (e.g. automated trading vs. high-touch voice trading). Others do not consider the risks of cross-product or cross-venue manipulation. This can result in incomplete coverage of risks and of market abuse controls.
  • Too complex: Whilst a detailed risk assessment demonstrates that the firm is thorough in its approach in covering all relevant risks, it also increases the burden of updating the assessment and reduces the ease of repeating the process consistently.
  • Inappropriate frequency: Risk assessments are conducted annually or across less frequent periods. A trigger-based approach may be more effective, where changes to the firm’s risk profile, such as changes in products traded, entering new markets, or increasing volumes and market share, will initiate a re-assessment of inherent risks and thus potentially change residual risk rating and control requirements.
  • Inaccurate control effectiveness ratings: Assessments of control effectiveness, including logic, calibration, completeness and accuracy of data is incomplete or outdated, which results in inaccurate residual risks and risk assessment conclusions.
  • Prioritisation of resources: There is a tendency to focus on covering all risk gaps irrespective of whether scarce resource may be better applied to target improvements on existing controls which will have a more material impact on the overall control effectiveness.
  • First Line involvement: There is a lack of ownership by the business or first line of the inherent and residual risk assessment process and output, no acknowledgement of the residual risk carried by the business and no clear responsibilities for known areas of control weaknesses combined with too little prioritisation of enhancement efforts by the first line.
  • Static and outdated controls: Firms have often not fully considered changing, new and emerging risks related to for example new platforms, products or more sophisticated trading activities. As such, existing controls may not effectively mitigate the firm’s current market abuse risk profile.
  • Disconnect with wider risk framework: The assessment is not integrated into the wider risk management processes for non-financial risks and is a stand-alone process.
  • Unmonitored actions: Actions generated from a risk assessment are too often not assigned owners or are not tracked for progress and completion. As such, over time, risks may remain unmanaged and can cause more significant issues in the future.
  • Inadequate training and awareness of risk assessors: There is little guidance or no tailored training to staff undertaking the risk assessment, which may result in inconsistencies in the assessment process and limited transfer of knowledge to new joiners.

How can Deloitte help?
 

We have a well-established approach to designing, reviewing and enhancing your market abuse risk assessment process end-to-end. This includes facilitating conversations between the lines of defence in order to identify the firm-specific market abuse behaviours, complex products or higher risk venues to establishing an effective governance structure to manage and oversee the assessment process. Furthermore, we can help develop and deliver bespoke training to the stakeholders, to ensure connectivity and consistency amongst the key contributors. We have successfully implemented our approach across a number of our clients.

Regulators appreciate that market abuse risk assessments will be different from firm-to-firm and will be largely dependent on the firm’s size and complexity. We tailor our approach so that it is appropriate and proportionate to your business. Our team have a wealth of expertise in market abuse risk management, having undertaken reviews and assessments at firms of varying sizes across both capital markets and investment management sectors.

If you would like to discuss the regulators’ expectations and your requirements further, please contact the authors of this blog.