This summary of TR 15/13 picks out practical ways firms can respond to the FCA’s Thematic Review of how firms manage flows of confidential and inside information.
The FCA has published a thematic review, “Flows of Confidential and Inside Information”. Although the review undertaken by the FCA relates only to 16 small to medium-sized investment banks, the FCA has expressly stated that it expects all firms to consider its findings. The FCA views the treatment of confidential and inside information within policies and procedures and the culture of the firm in its dealings with this information as strongly linked to its objectives on market integrity, the interests of consumers, and protecting competition.
Investment firms may be particularly interested in the paper, given its overlap with existing conduct requirements and the enhanced obligations relating to conflicts of interest, compliance functions and record keeping in MiFID II. It will therefore be useful to take the thematic review into account when preparing for implementation of MiFID II.
The Market Abuse Regulation (MAR) comes into force on 3 July 2016, and firms will need to take the themes in TR15/13 into account as they review their compliance manuals, policies and practices in time for MAR.
This note sets out some practical tips firms may wish to consider when undertaking a review of the treatment of confidential and insider information:
1. Policies and procedures should be reviewed regularly and in the event of any changes to the business
- Undertake periodic reviews and monitoring to ensure that policies continue to be fit for purpose as your business grows, and as regulatory requirements and market practices evolve. ESMA’s Technical Advice on MiFID II issued in December 2014 also recommended that MiFID firms review conflict of interest policies regularly, and at least annually.
- Make sure that risks are not only identified, but are adequately managed and/or mitigated. To illustrate the current direction of regulation, MiFID II will require that arrangements are put in place with the aim of all reasonable steps being taken to prevent conflicts of interest from adversely affecting interests of clients.
- Where such steps are not enough to ensure prevention, MiFID firms will also be required to disclose conflicts of interest to clients, as well as the steps they have taken to mitigate the risks. This provides a clear incentive for firms to minimise such risks, especially where this can be relatively straightforward, such as in controlling the flow of information.
- Update policies and training to reflect changes in technology, and consider the risks posed by it, e.g., WhatsApp, Instagram, chat rooms and instant messaging. Lessons learnt from the LIBOR cases should be applied here, and consideration should be given to whether such communications should be monitored and controlled.
- Provide for policies and procedures to be reviewed when there is a change in the business model, and also as a specific post-completion action following a deal.
- Set out who is responsible for embedding and complying with the policies. This should lie not just with compliance, but also with the business, front office management and senior management. As set out in the FCA’s thematic review (TR14/19), senior management, compliance and risk functions should all make sure they are well informed regarding risks and the management and mitigation of conflicts of interest.
2. Review what confidential and insider information is, and what it should be used for
- Review policies and procedures to check that both confidential and inside information is clearly defined, giving clear examples or case studies. The FCA sets out useful definitions of these concepts in its review.
- Consider tightening policies to provide for situations where your business is acting for more than one bidder in a competitive M&A deal. Consideration should be given on every occasion to the protection of information, e.g., restriction of electronic access, physical separation, and surveillance and supervision of staff.
- ESMA, in the Technical Advice on MiFID II issued in December 2014, has also suggested that to manage certain conflicts of interest, physical separation should be required, and where this is inappropriate due to the size and nature of the firm, information barriers should be put in place. Firms will have to consider whether physical separation should be used more often as a way to prevent conflicts and/or the disclosure of confidential or inside information.
- Set out in policies the purposes for sharing confidential information, i.e., that it should only be shared when strictly necessary, and ensure that staff are aware of what ‘strictly necessary’ means. For example, information should not be shared in team meetings (until the information is in the public domain).
- Reconsider the use of code names, ensuring they provide enough protection for certain deals so it is not still possible to work out who the parties are.
3. Review training programmes
- Training programmes must be reviewed and refreshed regularly. These may have limited use if staff are only trained once on joining the firm or when they begin a new role. Consider offering refresher training on an annual basis, and breaking down training into ‘bite-sized’ sessions. Even if run on an annual basis, vary the programme.
- Consider also offering different ‘tiers’ of training for staff as they become more experienced and/or senior, with different levels of responsibility and risk exposures.
4. Compliance should be involved (but not too involved)
- The support and coverage model for Compliance must be reconsidered, including consideration of whether Compliance is being allocated adequate resources. Consider whether their involvement could be boosted by a physical presence in the front office, even if not on a full-time basis, to increase involvement and visibility, as well as encouraging the business to engage with and ask questions of Compliance teams.
- Having said this, Compliance personnel should not be over-involved in ‘business as usual’. They should not become the first line of defence and should feel confident to challenge decisions of the business. The focus should be on teamwork across departments.
5. Senior managers should promote consideration/protection of confidential and insider information
- Any changes should be top down, and, where applicable, senior managers should undergo refresher training to remind them of the meaning of confidential and insider information, the importance of protecting it, and the circumstances for sharing it.
- Senior managers should encourage the reporting of breaches, calling out non-complying staff themselves and also emphasising the importance to staff members of protecting such information.
- Senior managers could be encouraged to attend or present at training sessions, offering real-life examples to staff drawing on their own experiences.