21 Aug Controll of access to inside information – time for firms to review?
The recent UK convictions of Fabiana Abdel-Malek and Walid Choucair for insider dealing, and the publication of the UK FCA’s latest comments on the monitoring and control issues raised by the case, has served to refocus the minds of market participants on the management of inside information as required under MAR. With EU financial regulators threatening extra visits to non-compliers, firms need to review their processes for controlling access to inside information.
The UK financial regulator (FCA) has just published the August edition of its Market Watch (1). Most of this edition is given over to FCA’s findings in a follow-up to its December 2015 Thematic Review (2) of the processes investment banks have implemented to control flows of confidential and inside information. Market Watch 58 (3) described the initial results of the FCA’s high-level review of the industry’s implementation of MAR with reference to monitoring and control of inside information.
For readers unfamiliar with the Abdel-Malek Choucair case, the bare-bones are as follows :
- Fabiana Abdel-Malek was employed as a senior compliance office at UBS AG in their London office;
- She used her position to identify inside information which she passed to her family friend Walid Choucair;
- Choucair was an experienced day trader in financial securities, including leveraged instruments such as CFDs, who traded using the information provided by Abdel-Malek;
- Information was communicated using pay-as-you-go mobile telephones (‘’burners’’);
- Choucair made a profit of approximately £1.4 million from insider trading;
- The offence was not a one-off event, but occurred as a series of offences over the course of one year, being ‘’calculated and organised’’ (4);
- Abdel-Malek and Choucair faced five charges of insider dealing, and were convicted, receiving prison sentences of three years each;
- Confiscation proceedings will also be pursued against both defendants.
One of the main surprises of this case was the element of ‘gamekeeper turned poacher’ in which the compliance officer betrayed the trust of her employer and participates in the very crimes they are supposed to prevent. Indeed, the way the crime was perpetrated using an external individual to execute the trades, and using ‘burner’ phones to conceal communications is more the stuff of TV drama (and see our previous insider dealing blog (5) as an example). So, if a firm can’t trust its own Compliance Officer, who can it trust?
The FCA stresses that this subject matters to firms. If a wide range of individuals has free access to inside information even though the individuals concerned do not actually need it to do their job, the firm increases the risk of unlawful disclosure.
The FCA also reminds firms that under MAR, firms are obliged to draw up and maintain an ‘Insider List’ comprising the names of all employed staff, consultants, advisors, etc. who have access to inside information. If insider dealing is suspected, the regulators will use this list as the starting point of their investigation into who knew what and when, so that the leak of inside information can be traced. Obviously, firms need to ensure the list is kept current, otherwise regulatory investigation is hindered.
In the case of Abdel-Malek this process clearly failed, and no doubt this element of fundamental betrayal contributed to the FCA’s decision to publish an update on their Thematic Review on insider dealing. The core findings of the update published in Market Watch 60 include :
- Instances where Insider Lists omit the names of people who were provided with, or who had access, to inside information;
- Cases where individuals not named on relevant Insider Lists nonetheless accessed inside information themselves without demonstrable authority;
- Instances of large numbers of support staff having access to deal documents containing inside information, even though not actually working on those particular deals;
- Some staff classified as ‘permanent insiders’, and having routine access to all inside information without obvious reason;
- Failures to restrict access to inside information to only those who need it for the proper fulfilment of their role, including cases of support staff having the same access rights to inside information as the deal team, regardless of the differing needs of those roles;
- No regular reviews of access rights, often resulting in access not being terminated after staff changed roles or transferred away from deals;
- A certain vagueness in the job descriptions of non-deal staff from which it was unclear why those staff had access to inside information, and where they did, if their use of inside information was being properly tracked. The FCA reminds firms that MAR contains the requirement that Insider Lists must include the reason for why a member of staff is on that list;
- Insider Lists naming staff who didn’t actually have access to inside information;
- Inside information on particular deals stored in folders accessible by staff not working on that deal, including staff not even in jurisdictions connected to the deal;
- A very
mixed standard of monitoring and control :
- Some firms showed a complete absence of monitoring.
- Monitoring was present, but failed to provide enough detail on who had accessed inside information.
- Some firms used dedicated compliance staff who had a firm grasp of MAR and the need to control inside information. Other firms used staff of more generalised skills.
- Some firms were able to provide a full audit trail of access to documents, including full read-write on a 24/7 basis (i.e. including out-of-hours) by permissioned and non-permissioned staff. Other forms could only report on the document’s creation or editing. A few firms could do neither.
- Some firms had supplied inaccurate Insider Lists in response to regulatory requests about which staff were actually given permission to access inside information, which hindered FCA investigations.
The tone of the FCA’s recommendations implies the FCA takes a very dim view of some firms’ inability to provide them with accurate records of which staff had access to what inside information and when – the FCA regards failure as an indication of an underlying weakness in the firm’s policies, procedures and systems. The Abdel-Malek case is a prime example of the consequences of allowing access to inside information to staff who don’t require it.
Using the FCA’s specific findings as the basis of a MAR general checklist, European firms should ask themselves if any of the weaknesses identified by the FCA apply to them, especially in light of the threat that if they can’t respond to requests for information from NCAs on the who-what-when of inside information, they will be subject to further NCA scrutiny.
Management and control of inside information is a foundation stone of MAR and cannot be ignored. It’s also the basis of trust in the markets by institutional and retail investors who rely on a level playing field.
The action of the FCA confirms what we said some time ago about EU regulators clamping down on market abuse in general, and insider dealing in particular. MAR needs to be seen to have teeth, especially when the transgressor is supposed to be a compliance officer responsible for MAR enforcement. We recommend that all firms subject to MAR review their controls over inside information, and may want to include the question, “Who guards the guards?”
(2) UK FCA Thematic Review December 2015 ‘’ Flows of Confidential and Inside Information’’ https://www.fca.org.uk/publication/thematic-reviews/tr-15-13.pdf
(3) UK FCA Market Watch 58 can also be accessed at https://www.fca.org.uk/publications/search-results?p_search_term=market%20watch&np_category=policy%20and%20guidance-newsletters&start=1
(4) FCA Press Statement https://www.fca.org.uk/news/press-releases/two-found-guilty-insider-dealing
(5) deltaconX Blog ‘’Insider Dealing – My Surveillance System Will Still Catch You Even If You Are Only A Cleaner’’ https://deltaconx.com/2019/02/25/insider-trading-my-surveillance-system-will-catch-you-even-if-you-are-only-a-cleaner/
For more information on how deltaconX can advise you on MAR and on the control and management of access to inside information, please contact our Compliance Help Desk.