Joe Vittoria, co-founder of Global Regulatory Surveillance Services (GRSS), has spent many years keeping abreast of the UK FCA’s thinking on surveillance of orders, trades, and communications and observes: “Market abuse has been climbing the list of priorities”.
The regulator is clear that firms need to detect and deter market abuse and financial crime and has suggested that monitoring alerts need to be tailored and regularly recalibrated to take account of firms’ activities; investment strategies; market conditions; and changing regulations and has recently flagged up remote and hybrid working as warranting attention.
In its reports following thematic reviews the FCA sometimes highlights deficiencies in certain areas such as call recording or post-trade surveillance. The UK regulator occasionally mentions that it has witnessed a lack of adequate surveillance following visits to un-named firms, but it does not publicly discuss the deficiencies in much detail – and does not always reveal much additional information behind its judgements. The FCA is not prescriptive about the way in which it expects regulated firms to carry out surveillance. Some firms still do everything manually, while others may have access to various monitoring systems that can be configured in different ways and may use artificial intelligence. This lack of clarity has created a degree of inertia within the universe of regulated firms, with many waiting for more guidance before committing to a more specific surveillance process.
The challenge of surveillance is to detect material breaches within the universe of the numerous false alarms which these systems need to kick up.
Joe Vittoria, Co-Founder, Global Regulatory Surveillance Services (GRSS)
In his previous role, as the founder of regulatory hosting platform Mirabella in 1998, and the CEO of Mirabella and ACA Mirabella for more than 20 years, Vittoria developed a trade surveillance system and became the anchor client for the IP Sentinel Fingerprint e-comms surveillance product. He latterly oversaw USD19 billion of discretionary assets across 70 mandates covering various strategies and asset classes.
Different markets pose various challenges: “Inside information as such is obviously quite rare in markets like foreign exchange, but there could be some in illiquid currencies and spreads. While listed equities are the mainstay of the hedge fund industry, there is also scope for abuse in debt markets and at Mirabella we created our own internal systems for fixed income markets. An AI-based high frequency quantitative trading strategy can develop trading patterns that may accidentally adopt the characteristics of spoofing. Activist managers might have material non-public information, which is not in itself an offence, but it becomes one if they trade on it or pass it on to others who trade on it. Abuse can also be relevant for illiquid asset classes, such as private equity and real estate, where a surveillance process needs to watch out for areas such as price manipulation around valuation, and anti-money laundering breaches,” says Vittoria.
In 2021, Vittoria and ten former colleagues from ACA Mirabella launched GRSS, which is owned by its staff and some former clients. GRSS complements generalist compliance consultancies by solely focusing on assisting in the surveillance of financial crime, just as cybersecurity or ESG specialists also work alongside generalist regulatory firms. GRSS supports the compliance oversight person (registered as SMF16 with FCA), or those assisting the SMF16. GRSS itself does not conduct a regulated activity, but it can be cited in the Statement of Responsibilities (SOR) under the Senior Managers and Certification Regime (SMCR) as providing important assistance to the SMF16. GRSS provides clients with a range of escalation reports, some of which may be reported as Suspicious Transaction and Order Reports (STORs), that are sent to the regulator. (A secondary escalation channel, which might be a CEO or board member, is also needed in case the compliance officer is remiss).
Vittoria believes that specialists can work more quickly and efficiently than a generalist compliance officer who is juggling multiple responsibilities. “Two hours a day of focus time can cover more ground than a generalist compliance officer might do in four hours. The challenge of surveillance is to detect material breaches within the universe of the numerous false alarms which these systems need to kick up, since it is time consuming to establish that the false positives are indeed false. In more complex situations, this can entail: speaking to various related staff members; accessing market data; or researching market events (takeovers, earnings events etc),” says Vittoria.
“The aim is to improve the hit rate, and provide the compliance team with fewer, and more important cases. The FCA wants to see a process which is applied robustly and consistently and that would capture habitual abuses but does not necessarily expect a surveillance system can catch 100% or identify every isolated or idiosyncratic instance of abuse. The process must also act as a viable deterrent as staff should know that it is being rigorously applied,” he adds.
In 2021, Vittoria and ten former colleagues from ACA Mirabella launched GRSS, which is owned by its staff and some former clients
Systems are powerful tools that need to be used appropriately. “They are becoming more sophisticated and are able to manage enormous databases including transcripts of phone calls. If compliance officers can show the FCA they have considered their process properly, they are in better shape than most. However, buying a system and then not using it is worse than having no system at all. Sensible flags in monitoring systems need to go beyond box ticking. You need to regularly change the filters to avoid getting too many false alarms, and missing more obvious issues,” says Vittoria.
A wide variety of communication mediums may need to be monitored, including fixed line and mobile phone calls; internet phone calls; video calls; emails, Bloomberg chat; WhatsApp chat, telegraph chat and social media chat, on work devices. “In the credit default swaps space, a lot of activity is via instant messaging. Pricing chats need to be captured, even if they are in WhatsApp,” says Vittoria. Firms might well prohibit some mediums to reduce the monitoring burden and will often prohibit the use of personal systems and devices for work. Meetings can also be video or audio recorded with the permission of participants.
“For trade monitoring, orders as well as trades need to be monitored to check for abuses such as spoofing. Personal trades monitored may need to include spouses and other family members,” says Vittoria.
GRSS is system agnostic, but systems need some degree of sophistication. Mere archiving of communications is not enough. In addition to IP Sentinel’s Fingerprint, systems that GRSS can work with include SteelEye, LiquidMetrix, eflow Global and MyComplianceOffice. If clients are running multiple systems, some integration may be needed. “We are not a systems house as such, but we are keeping abreast of developments with all of them. For example, Fingerprint has a powerful new database structure, which opens emails, and attached PDF files, Excel sheets, transcripted calls, and WhatsApp messages and scans them too,” says Vittoria. “We are seeing a wide range of AI use in various systems, but it is not the full solution. AI may highlight some items that then require interpretation.”
In the credit default swaps space, a lot of activity is via instant messaging. Pricing chats need to be captured, even if they are in WhatsApp.
Joe Vittoria, Co-Founder, Global Regulatory Surveillance Services (GRSS)
GRSS believe that sensitivity around rising compliance costs has discouraged some firms from devoting enough resources to surveillance and aim to offer a competitively priced and affordable solution. “The most obvious clients could be short-staffed compliance officers wearing two, three or four hats. They cannot outsource the obligation and responsibility for compliance. But we are also seeing interest from larger firms who might need temporary cover for staff on say parental leave, or just want some external verification and certification of their processes,” says Sarah Donnelly, Head of Sales at GRSS.
The pricing matrix is based on the complexity of the company, asset class and investment strategy. The base case is that clients subscribe to regular monitoring, paying a monthly retainer on a rolling annual contract with a setup fee refunded after 18 months.
Single reviews can also be considered: “Some firms may also seek a one-off test, to provide a second opinion on their own surveillance. This is analogous to the phishing and penetration exercises carried out for cybersecurity purposes,” says Vittoria.
The service is now oriented towards UK regulated firms, but might expand to those elsewhere using English, though not in the US, which is already a well-served market. Trade-based surveillance could already be done outside the UK, and new hires with language skills could expand coverage of e-comms to Europe. GRSS has identified candidates who may come on board, and be offered equity participation, as the business grows.