The FCA has published a report that sets out its findings following a process review into how a sample of investment banking firms manage the confidential and inside information they receive and generate. The FCA’s review focused mainly on the Debt Capital Markets (DCM) and Mergers and Acquisitions (M&A) departments of small to medium sized investment banks. The review also considered how senior management disseminated messages through the organisation, management oversight, employee understanding of key concepts and the role of the compliance function, all in the context of controlling confidential and inside information.

All FCA firms need to read this report

The FCA states that all UK-based and FCA regulated financial services firms should read the report and consider whether their systems and controls, as well as processes and procedures, in respect of both confidential and inside information, are fit for purpose. The FCA also mentions that during the review it did not test for market abuse but that it is intrinsically linked to the subject of controlling information and continues to attract significant regulatory attention due to the regulatory and conduct risks associated with it.

Three lines of defence

The report talks about a firm having three lines of defence that should take responsibility for controlling flows of information. The first line of defence includes management, front office and support functions that are responsible and accountable for the firm’s day-to-day activities, the management of risks and controls to mitigate the risks of the business with senior management taking overall accountability across the firm. The second line includes the global functions such as risk and compliance and is responsible for providing assurance, challenge and oversight of the activities of the first line of defence. The third line of defence is internal audit which provide independent assurance over the first and second lines of defence.

Understanding key terms

In the report the FCA notes that some respondents in its review found it difficult to define the difference between ‘confidential’ and ‘inside’ information. The report therefore provides an overview of these two terms and the terms ‘market abuse’ and ‘need to know’.

Key findings

The report summarises the FCA’s findings under three key headings:

  • circumstances posing heightened risk. Firms should regularly assess the conduct risks that affect their activities and services. An important part of this is that they should consider the circumstances that pose heightened levels of risk for misuse of confidential and inside information and whether these have been considered and mitigated appropriately. In particular, changes to a firm’s business model or rapid growth is likely to pose new conduct risks, including around managing flows of information;
  • conduct, culture and responsibility. Staff members have a role to play in ensuring that flows of confidential and inside information are adequately controlled, although ultimate responsibility rests with senior management. However, the FCA found that senior management responsibility and accountability in managing flows of information were not always clear and understood. Also, the compliance function in some firms was remote; and
  • firm systems, procedures and infrastructure. Robust systems, procedures and infrastructure underpin the effective management of flows of confidential and inside information in firms. The FCA found that in some instances firms had not adequately considered the risks of locating employees with conflicting roles or responsibilities in close physical proximity to each other. Also, some firms used both manual and automated surveillance mechanisms around the flows of information but these were not always fit for purpose.

Key messages

The FCA’s key messages to firms are:

  • employees at all levels should understand their role in controlling flows of confidential and inside information and make it an integral part of how they carry out their work;
  • while firms and senior management had identified and considered the main risks that flows of confidential and inside information posed to clients, firms themselves and the financial markets, they were not doing enough to manage these risks;
  • the FCA expects to see business heads acting in a supervisory capacity taking responsibility for controlling flows of information, with appropriate challenge and monitoring from the second and third lines of defence; and
  • firms should place the assessment of circumstances that could present heightened regulatory and conduct risks at the centre of their on-going risk assessment. These circumstances could also give rise to misuse of confidential and inside information.

Policies and procedures

Chapter 3 of the report sets out the FCA’s detailed findings and examples of good and poor practice that were found during the review.

In particular, when discussing firm infrastructure the FCA notes that appropriate and robust processes need to be implemented that should include how inside information should be identified as well as how and when confidential and inside information may be shared. Key questions for the firm include:

  • are the policies and procedures easy to find and use?
  • are they up-to-date and regularly reviewed?
  • are they meaningful and relevant for employees?
  • would employees benefit from practical examples and case studies relevant to their day-to-day work?

Examples of good practice on this point include:

  • firms’ policies and procedures including a definition and examples of what constitutes confidential and inside information, as well as the requirements around identification, control, insider or deal team lists and PA dealing restrictions
  • firms including a description of the different civil and criminal offences, including improper disclosure, insider trading and associated penalties; and
  • firms referencing relevant enforcement cases in the area of market abuse to demonstrate how UK and EU legislation applies to flows of information. Some firms had specific and bespoke conflicts of interest policies for each business area which included examples of potential conflicts of interests tailored to that specific business line and its activities.

Not a one off exercise

The FCA stresses that firms in the financial services industry should have arrangements that continually review their practices and procedures for handling confidential and inside information both from a market abuse and conduct of business perspective. Firms are also advised that they need to keep themselves informed about their external environment and be aware of any changes in the conduct risks they face that may arise due to external factors.

View TR15/13: Flows of confidential and inside information, 11 December 2015