The legal and compliance industry is often an alphabet soup of rules and regulations, and it can be hard to keep up. However, there’s one acronym that all compliance and legal teams—especially those who are monitored by the Financial Conduct Authority (FCA)—need to bear in mind: STOR, or Suspicious Transactions and Order Report.
Despite its name, a STOR is far more than a simple report. It’s an expectation that any firm dealing with transactions has the appropriate arrangements and processes in place to detect and report on suspicious behavior—and to do so in a timely manner.
To determine the efficacy of your systems and arrangements, the FCA will often perform what’s called a STOR visit. The FCA emphasises that STOR visits are primarily educational; however, in cases of firms that are at risk of breaching requirements, a remediation might be requested.
So, what does that mean for surveillance teams? The short answer: You need to ensure all of your processes are up to snuff. You should be able to answer “yes” to the following four questions.
#1: Do you have a detailed and robust risk assessment?
Despite the world’s increasingly volatile state, regulators have identified that many firms do not have a risk assessment in place or have not updated it for a very long time. However, a risk assessment is one of the primary tools that many regulators will look for during a STOR visit.
Firms must undertake a risk assessment documenting their market abuse risks and how they respond to new regulations and enforcements—including analysing risk by asset class and/or business, with input from front office staff and management. You must also document any technology platforms that you use to meet regulatory requirements, including an analysis of any identified risks or gaps. The assessment must be refreshed periodically and whenever there are any material business changes.
Perhaps most importantly, however, you must remember to consider all risk types in your assessment—not just those identified under Market Abuse Regulations (MAR). In other words, you cannot rely solely on out-of-the-box policies and industry standards, with little to no customisation to your firm’s risks.
For example, amid the COVID-19 pandemic, the FCA has put renewed focus on how the financial sector should fine-tune its surveillance strategies. Specifically, Julia Hoggett, director of market oversight at the FCA, emphasises the importance of agility and identifying unique risks.
Software can help on this front—Relativity Trace now offers a policy enhancement program (PEP) that allows you to hone policies to catch risk while reducing false-positive alerts. The process includes implementation of Trace’s 40+ surveillance policies for detecting different types of misconduct, improving policies clients already have in place and implementing AI models as a way to increase performance and reduce false positives.
#2: Are you up to date on new FCA expectations for your surveillance systems?
Surveillance systems are a crucial component of the compliance office. To meet STOR requirements, you must test, understand, and create operating processes around the maintenance of your surveillance systems to ensure you’re detecting instances of misconduct. This includes calibrating alert parameters to the scale, size, and nature of your firm’s business and risk appetite and reviewing those calibrations periodically to ensure they’re in line with the adoption of new communication channels—and expectations of the FCA.
The FCA periodically publishes a newsletter, called Market Watch, to provide guidance about market conduct and transaction reporting issues. Keep tabs on Market Watch to ensure your firm is adopting and amending processes to meet the FCA’s recommendations—and be sure to document any updates to your surveillance systems in your risk assessment.
For example, in the first Market Watch of 2021, the FCA highlights the rapid increase of communication channels due to remote work. Despite the growing volume of new channels, firms are still obligated to monitor and record misconduct and must be able to demonstrate how they’re meeting requirements.
It’s not an easy task, but having the right technology can help you keep up. Relativity Trace takes some of the burden off of firms’ shoulders with the ability to capture and dynamically review short message data in its native format, as well as partnering with various technology vendors, like Intelligent Voice, to leverage an audio surveillance module specifically for the capture, transcription, and review of audio data. Of course, be sure to update your risk assessment appropriately to detail all the technology you’re using to meet regulatory requirements.
#3: Do you provide annual training to your front office staff?
Risk assessments and calibration aren’t performed in a vacuum. In fact, your compliance team needs to work closely with front office heads when outlining the firm’s risks, and when addressing regulatory requirements. Interestingly, regulators have identified collaboration as a problem area, with many firms failing to provide bespoke compliance training to their staff. As a result, individuals are failing to come forward with potential breaches because they lack knowledge of the implications for the firm and the individual.
Remember: Front office individuals should not solely rely on compliance and the firm’s surveillance controls to detect potential market abuse—each employee is responsible for identifying and reporting any regulatory breach that they come across. This expectation needs to be clearly established—and practiced—within your firm.
To ensure everyone is aware of their responsibilities, aim to provide compliance training at least once per year to your front office staff. Be sure the training goes beyond simply stating everyone’s role in reporting any misconduct and market abuse. It should also contain firm-specific risk analyses, ensuring that all individuals are aware of each potential risk.
Additionally, regulators have stated that there’s generally a lack of discussion around enforcement cases, regulatory and business changes, and how this affects market abuse risk. Include these learnings in your training to help drive the point home to your staff: Market abuse puts everyone at risk and should be treated seriously.
#4: Do you have a documented STOR procedure?
As part of a STOR visit, regulators will of course inquire about your STOR procedure. Specifically, you need to ensure you have a defined reporting process and submission timeline, as well as a documented internal escalation process that employees are easily able to follow.
If there’s one thing regulators have found about STORs, it’s that firms are not reporting in a timely manner and are instead investigating incidents on their own prior to reporting.
This is not the way reporting should be done. All STORs must be submitted without delay, providing as much information as possible.
Of course, there are cases of “near misses,” where your firm decides not to submit a STOR. In these instances, you must provide documentation and a rationale for why a STOR was not submitted. Regulators will review these during a STOR visit, so be sure to provide as much information around the decision not to submit as possible. Not only will this help regulators, but a detailed report of near misses will also keep senior management in the know around your firm’s risk and potential breaches.
Ideally your STOR procedure will be housed in one spot that’s easy to reference, update, and use. If you use Relativity Trace for surveillance, you can customize the tool to quickly and easily create a STOR, right in the same system as all of your communications monitoring. On top of this, Relativity Trace comes with a complete audit trail that records every event within the platform and generates configurable reports to aid in proof of surveillance audits and keep internal stakeholders informed. This can save you from jumping in and out of multiple systems—and those time savings can be huge, given the delicate and urgent nature of STORs.