Bernadine Reese and Stuart Campbell in our London office discuss the approach of the Financial Conduct Authority (the FCA) to transaction reporting and their recent fines in this area as well as raise some questions and points for risk leaders to consider
Transaction Reporting is a key operational compliance process common to institutions involved in securities and derivatives trading. Most typically its core requirements involve identifying and reporting to the relevant regulator what securities and derivatives transactions have been carried out, on what markets, at what price, in what quantity and with whom. Importantly, it affects those institutions in the UK, across Europe and also outside Europe where local financial regulators have broadly similar requirements/objectives. Financial regulators use the information from transaction reports for monitoring for market abuse, firm and market supervision and for sharing with certain external parties, such as in the UK with the Bank of England.
The rules governing Transaction Reporting in the UK and the rest of Europe significantly changed in January 2018 on implementation of what is colloquially referred to as “MiFID II”, with the broadening of what types of instruments institutions are in scope of reporting and the number of data points to be captured and reported. Scope and data requirements are complex and in my view often not helped by interpretation issues.
This combination places significant strain on front and back office systems, processes and data that are typically highly fragmented.
In the UK, the FCA has a consistent track record in penalising non-compliance, with a particular emphasis on systems & controls and oversight as well as the quality of reporting. Listed below is a record of published Transaction Reporting fines by the FCA and a summary of the rationale – including two issued in March 2019.
In order to ensure compliance with Transaction Reporting requirements, risk and operations leaders in institutions need to consider not only the accuracy, completeness and timeliness of their reporting, but also the quality of the Transaction Reporting internal control framework. Compliance should not be viewed as a tick-box exercise.
Because the data driving Transaction Reporting flows across multiple governance structures and departments, the importance of a solid control environment is paramount. It is all too clear to see that internal weakness in the control environment can and will lead to poor quality of transaction reports and to subsequent regulatory pressure.
The FCA deliberately did not enforce the MiFID II requirements immediately in order to give the industry time to adjust. Recent fines are a warning by the FCA that they are taking Transaction Reporting very seriously.
Those functions most exposed to the risks of Transaction Reporting include unsurprisingly Operations, Compliance, and Internal Audit but also those responsible for product control and change and transformation (regulatory, process, data governance).
Those leaders in institutions in scope of Transaction Reporting requirements are now on notice and need to review their own arrangements. Core questions you should be asking yourself are:
- What scope of review/assessment is anticipated and timelines is being considered?
- In considering the fine, have you also considered reporting under EMIR and SFTR (due to be implemented in 2020)
- What issues and findings arose?
- Is there a programme of work to address findings?
- What control framework is in place that governs your organisation’s transaction reporting arrangements and provides the basis for demonstrating appropriate control?
- How far advanced are any plans to implement changes?
- Who is responsible for changes?
- What level of assurance is there that the organisation is well placed – what gives you that assurance?
As an aside, there are also complex BREXIT implications that vary depending on the outcome of the current negotiations and the basis upon which the UK leaves the European Union. Additionally, whilst reviewing processes, it might be expedient to consider other regulatory reporting requirements such as EMIR and also SFTR (when it takes effect in 2020).
With Operational Resilience being a topical issue, it would be sensible to ensure Operational Resilience programmes consider the criticality of regulatory reporting which relies on systems and often third party relationships.
Historic FCA fines relating to transaction reporting (source: FCA.org)