As asset managers work to upgrade their surveillance capabilities in line with more muscular yet often ambiguous regulation, they must aim to not only meet the written requirements but the unwritten expectations, too.
Barring the UK’s Market Abuse Regulation, which came into effect in 2016, the laws governing asset managers’ surveillance responsibilities have not changed materially in nearly 80 years. Over the past decade, however, regulators themselves have invested heavily in fast-advancing technology to better tap the huge pools of data suddenly available to them. This has created an expectation that the institutions they oversee, including buy side firms of all types and sizes, will also invest in tech to surveil with a similar rigour.
A string of heavy fines for banks and other financial institutions that fail to do so – even when their activities are arguably in line with written regulations – has meanwhile sent jitters through the asset management community, with many firms now questioning what is required of them.
Bar raised – but to where?
“The world has evolved,” notes Michael Lehman, partner at ACA Technology Solutions, which has developed ACA’s trade surveillance solution. “The regulatory bar has clearly been raised, even while regulators’ expectations have become harder to read.”
“If regulators start citing asset managers for deficiencies or enforcement actions when they fail to collect and process the data they want, we would argue that the law has effectively changed, even if on paper it hasn’t,” he says. “If you can be fined for something, that’s the new minimum standard.”
At the same time, stricter operational due diligence from investors means they too require higher compliance standards – including better surveillance – from asset managers, he adds. “Regardless of whether it’s written in law, if they’re going to write you a cheque for $100 million, there are some minimum standards they expect.”
Attributes of a top surveillance programme
Implementing a surveillance programme that is capable of meeting and evolving with regulatory requirements starts with examining what regulators are doing themselves, argues Patrick Conroy, regtech leader at ACA, whose staff base includes almost 100 former regulators.
“The way global regulators approach their examinations, especially at the SEC, provides a good guide as to how clients should be approaching their surveillance,” he notes.
Asset managers should therefore be looking to monitor the same data that regulators monitor and taking a risk-based approach to surveillance. They should be moving away from random sampling towards using technology to view every single transaction and incorporating many more tests and different risks into their systems. And they should be linking together different strands of their surveillance rather than undertaking them in silos.
A successful surveillance programme that is fit for purpose and covers all bases with regulators has five key characteristics that can be broken down as follows:
1. Understand your risks
The term ‘holistic surveillance’ is over-used and often poorly interpreted. For ACA, what it really means is working with clients to help them gain a deep understanding of their various risks and tailoring a surveillance system to incorporate them all. For example, the risks associated with a fundamental analysis equity long-short hedge fund will be very different to those of a quantitative or model-based investment advisor or an investment bank that deals in non-public information around mergers and acquisitions or other material transactions.
As part of this, asset managers need to ensure their surveillance supports their investment thesis, Lehman says. For example, in the case of an equities long-short hedge fund that defines itself as doing fundamental bottom-up research and that is required to meet every issuer it invests in to assess whether its management is adequate, “you can’t just let your employees go and meet with management, not understand what took place at that meeting, and believe you’re doing good surveillance”.
2. Data collection
Data collection needs to be broad, deep and once again relevant to the asset manager’s activities. For example, if an analyst meets with an issuer, that should be available to the compliance team, Conroy states.
3. Forensic testing
Forensic testing of data and controls ensures that a surveillance system is working and that this can be demonstrated to regulators. It also flags areas that need enhancement.
Although some firms incorrectly merge the investigation stage with testing or resolution, it is actually more closely linked to stage one of building a surveillance system – understanding the firm’s risks and how it acts. For example: “If you know a meeting occurred, but you didn’t investigate that, you haven’t done a sufficient job,” says Lehman.
This fifth stage involves ensuring that the firm’s compliance team is comfortable that it has all the answers it needs and could provide them to regulators if asked.
Ultimately, implementing a surveillance system is only part of the journey; it has to be used intelligently, with an entire programme wrapped around it, Conroy concludes. “We still believe you need to have an educated user sitting on top of these things to determine in the last respect what is appropriate behaviour, what is not, and to call it out that way,” he says. “This is not a project you can do manually, nor completely automate – it has to be a combination of both.”