It’s becoming quite obvious that regulators have increased expectations on trading controls, and with a number of high profile regulatory statements such as PRA SS5/21, this upward trend is set to continue.
In response, Financial Institutions are compelled to become more focused on the use of technology, block types, and evidence of correct action and remediation.
However they still face immediate and long term challenges as they evolve the best solutions for trading controls to meet the expected standards.
Factored into this is an industry that is being guided by, for example,
the Options Clearing Corporation (OCC) and PRA, into a culture of better evaluation and a deep-dive approach on how these controls are being managed.
Droit had an opportunity to discuss this with some of our Financial Institution clients and guests at our recent roundtable event in London. Here we share some of the topics, thoughts, and insights that were surfaced:
Managing trading controls sufficiently well, to the satisfaction of regulatory bodies, is recognized as a global challenge, rather than being confined to an individual organization or region. And of course, a key component of this is achieving the right balance of preventative and detective controls.
Overall regulatory expectations are generally perceived to be highest in the US and European regions but with Asia not far behind (typified by Singapore and the MAS).
These controls typically span booking models, trader mandates, and regulatory rules with obligatory regulator reviews that tend to be highly detailed and demanding on the Financial Institution; sometimes requiring very specific information down to an individual level within relevant teams and functions.
Much of this applies to 1LoD and 2LoD teams which adds significantly to the complexity and volume of consolidated evidence required to prove that trading controls checks have been done.
Underpinning this are expectations from organizations such as the PRA for employee-wide systems to be in place, with particular emphasis on preventative controls (over detective controls). This so that bookings of impermissible trades are effectively stopped at source.
Applying hard and soft blocks as part of a control framework is a fine balance with some Institutions often finding that internal audit processes are unable or unwilling to distinguish between the two especially if justified under the guise of preventative controls.
So in practice, often what constitutes a soft block is open to interpretation and leads to a culture of employees overriding elements of controls that reduce effectiveness and lead to additional processes to monitor these overrides.
Where feasible, applying trader mandate controls by employee objective, role, and responsibility is seen as a logical approach. This allows for distinct control-related requirements between say a junior and senior trader, as well as currencies, limits, and tenure.
However this is subject to the preferences of departmental leaders such as a Head of Trading who may seek to add an element of flexibility around these controls (over permissioning). Potential outcomes of this are the extra, resource-consuming, scrutiny that it attracts and the potential dilution of the effectiveness of the control framework.
There is also unanimous recognition of the importance of easily accessible and accurate traceability of applied rules for specific mandates. In practice, in most firms this is seldomly available, if at all, and existing detective controls cannot be generally relied on to spot and help remediate unpermitted trades (in some cases, inadvertently allowed to continue for years) so having in place a credible and accurate way of “querying history” is very desirable.
Challenges faced by control teams:
Departments and functions
Integrating and managing 1LoD and 2LoD for an efficient control process is a key pillar in managing and meeting regulatory expectations. Agreeing capacity and ultimately responsibility in maintaining and monitoring this between both 1LoD and 2LoD is easier said than done, requiring good internal communications. This is emphasized further by the wide range of other long term regulatory commitments faced by teams which can take priority over the often tactical nature of preventative control related requests (given the time-consuming Legal and Compliance team inputs also required when meeting these requests).
Automating trading controls, with solid, built-in logic, is a sought after state to deliver a relatively cost-effective and frictionless method to meet the demands of regulators. Ideally this should be created and built from an effective operating model which has been agreed and in place, globally and regionally.
Once in place there needs to be ongoing evaluation of the effectiveness of this controls framework to reduce, for example “false positives” or unmanageable and impractical internal escalation (as a result of process flaws), both of which can negate the benefits of implementation.
Risk and data
Refining and optimizing a controls framework based on needs through constant evaluation requires a risk based approach. This in turn is governed by the quality of data available and is also applicable wherever there is a need to rationalize or close controls down for further efficiency.
Quite common for Financial Institutions is a control framework that relies on multiple legacy platforms and tech. Apart from the obvious challenge around integration, single view, and inefficiency of siloed processes, at a user level there are limitations on managing access, permissions, and adaptation to new trader mandates and products for example.
The business case – start with detective controls
Assessing the importance of investing in automated controls is not as simple as assigning a corresponding, immediate monetary return before embarking. Preventative controls efficiency gains can be difficult to identify given the variation and complexity of rules as well as the whole concept of prevention. Therefore it may well be better to consider firstly implementing automated detective controls which by nature identify “incidents” which may be easier to quantify in terms of cost to an organization. This can be a first step towards creating an investment case for automated preventative and detective controls. Ultimately this helps to ensure a strategic, long term approach to managing controls rather than, in some cases, continuing with a somewhat desk-to-desk approach as part of a control framework.
If you’d like to share your thoughts on the points raised here or to find out how Droit can help you on trading controls, please contact us at firstname.lastname@example.org.