What does the fining of a major Wall Street firm for trade surveillance failures, the holding to personal account of the CEO of a UK bank, the impact of cyber security incidents at a pair of broker dealers and another two firms being held accountable for off-channel communications all have in common? They all represent failures of one or more aspects of upstream recordkeeping with the consequent downstream inability to meet compliance obligations.
Recordkeeping is a core competency for financial services firms. It encompasses a firm knowing what data or records it has, why it has them and where they are. It also covers keeping those records secure and unaltered. Without a comprehensive and robust approach to recordkeeping and the associated data governance, firms will simply not be able to either fulfill or evidence compliance obligations. Firms are utterly reliant on their records to be able to act on everything from responding to regulators requests for information, meeting reporting requirements (internally as well as externally), investigating a complaint, being able to keep sensitive customer information secure to undertaking supervision and surveillance.
Trade surveillance failures
In March 2024, the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board fined a firm a combined total of $348.2m for ‘deficiencies in its trade surveillance program’ and ‘an inadequate program to monitor firm and client trading activities for market misconduct’.
The OCC civil monetary penalty and the cease and desist order highlight that the firm’s trade surveillance program was found to have operated with ‘gaps in venue coverage and without adequate data controls required to maintain an effective program.’ As a result the firm failed to surveil billions of instances of trading activity on at least 30 global trading venues.
As part of the findings, the OCC made a key point of the need for robust data governance to be implemented as part of swathe of required corrective actions. Critically the firm will not be able to on-board new trading venues unless or until the examiner-in-charge provides the firm with a prior written determination of no supervisory objection.
Other corrective actions include the need to form a Compliance Committee to project manage the corrective actions, a ‘look back’ review of the data deficiencies and the board of the firm has a series of specific responsibilities imposed for the oversight of the remediation.
As a root cause, the trade surveillance failures were due to a lack of upstream recordkeeping and data capture. Without the source records, the firm was incapable of undertaking the required trade surveillance.
