Top-Ten Checklist: Data Optimisation for Surveillance
- Balvinder Ruprai
- Jul 21
Updated: Jul 22

Capture Every Trade and Order Across All Asset Classes
What Firms Should Consider: Ensure your surveillance system logs every trade and order—executed, unexecuted, or cancelled—across all asset classes your firm trades, such as equities, derivatives, OTC instruments, bonds, and crypto. This means capturing every detail: trade ID, instrument type, volume, price, timestamp, counterparty, trading venue, and order type (e.g., market, limit, cancel). Compliance officers must work with trading desks to confirm all activities are recorded, especially for less liquid assets like OTC derivatives or crypto, which the FCA scrutinises heavily (Market Watch 79). Create a data flow map to track how trades move from order entry to surveillance, identify gaps (e.g., missing OTC trades), and ensure no activity slips through. Assign a Compliance Lead to oversee this, with IT fixing gaps within 30 days, and document findings for FCA inspections.
FCA Reference: Market Watch 79 (2024): “Firms must monitor all orders and transactions to identify market abuse”; MAR Article 16(2): Requires surveillance of “all orders received and transmitted, and all transactions executed.”
Fine Example: Citigroup Global Markets Limited (£12,553,800, June 2022) failed to capture derivative trades, missing potential manipulation, leading to an FCA fine for MAR non-compliance.
How to Do It:
Map Data Flows: Compliance Lead collaborates with trading desks and IT to create a data flow diagram showing how trades/orders move from order management systems (OMS, e.g., Fidessa) to surveillance platforms (e.g., Actimize). List all asset classes traded (e.g., equities, crypto).
Audit Coverage: Compliance Officer reviews OMS and surveillance reports quarterly to confirm all asset classes are logged. Request trade logs from each desk (e.g., equities, fixed income) and compare against surveillance system outputs. If gaps exist (e.g., no OTC data), escalate to IT for integration (e.g., API setup).
Checklist Creation: Develop a checklist to verify fields: trade ID, volume, price, etc. Example: “Are all derivative orders logged?” Review with trading managers biweekly.
Document for FCA: Maintain a compliance log with audit findings (e.g., “Q3 2025: Added OTC trades”). Senior management reviews monthly to ensure FCA readiness.
Validate Data Accuracy with Monthly Checks
What Firms Should Consider: Check trade and order data monthly for accuracy in key fields (trade ID, instrument, volume, price, date, counterparty, venue) to ensure surveillance systems catch market abuse like insider dealing. Compliance officers must verify no missing values, duplicates, or errors (e.g., negative prices, mismatched IDs), focusing on high-volume trading days (e.g., earnings releases). Set up a formal validation process, assign a Compliance Analyst to lead, and cross-reference data with OMS and exchange records. Establish error thresholds (e.g., <1% error rate), escalate issues to IT within 7 days, and log results for FCA audits to prove diligence.
FCA Reference: Market Watch 79 (2024): “Data quality is essential for effective surveillance”; SYSC 6.1.1R: Requires “effective arrangements” for data governance.
Fine Example: Infinox Capital Limited (£99,200, February 2025) missed 46,053 CFD transaction reports due to inaccurate and incomplete data, breaching MAR Article 26(1).
How to Do It:
Set Validation Process: Compliance Analyst designs a monthly validation process targeting 10% of trade records, prioritising high-volume times (e.g., 8–10 AM BST). Use OMS reports (e.g., Fidessa) and exchange data (e.g., LSE).
Check Data: Review trade logs for missing fields, duplicates, or errors. Example: Check for negative prices or blank counterparties. Use a checklist: “Are trade IDs unique? Are prices positive?”
Cross-Reference: Compare trade data against OMS and exchange records weekly, flagging discrepancies >0.5% (e.g., missing volumes). Escalate to IT for fixes (e.g., update data pipelines).
Document and Report: Log errors in a compliance report (e.g., “01/08/2025: 0.8% error rate, fixed duplicate IDs”). Senior management reviews monthly for FCA audits.
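The monthly checks above (unique trade IDs, positive prices, no blank fields, error rate under 1%) can be scripted over an OMS export. This is an added example, not code from the original post; the field names, the `validate_trades` helper and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from decimal import Decimal, InvalidOperation

REQUIRED = ("trade_id", "instrument", "volume", "price", "date", "counterparty", "venue")
MAX_ERROR_RATE = 0.01  # checklist example threshold: <1% error rate


def _blank(value):
    return value is None or str(value).strip() == ""


def validate_trades(records):
    """Return ({record index: [problems]}, error rate) for a list of dict rows."""
    id_counts = Counter(r["trade_id"] for r in records if not _blank(r.get("trade_id")))
    errors = {}
    for i, rec in enumerate(records):
        problems = [f"missing {f}" for f in REQUIRED if _blank(rec.get(f))]
        if id_counts.get(rec.get("trade_id"), 0) > 1:
            problems.append("duplicate trade_id")
        for field in ("price", "volume"):
            if _blank(rec.get(field)):
                continue  # already reported as missing
            try:
                number = Decimal(str(rec[field]))
                valid = number.is_finite() and number > 0
            except InvalidOperation:
                valid = False  # text that is not a number at all
            if not valid:
                problems.append(f"invalid {field}: {rec[field]!r}")
        if problems:
            errors[i] = problems
    rate = len(errors) / len(records) if records else 0.0
    return errors, rate


def _row(trade_id, price, counterparty):
    # Constructed sample row; instrument, venue and date are made-up values.
    return {"trade_id": trade_id, "instrument": "VOD.L", "volume": "1000", "price": price,
            "date": "2025-08-01", "counterparty": counterparty, "venue": "XLON"}


SAMPLE = [_row("T1", "72.14", "CP-A"), _row("T2", "-3.10", "CP-B"), _row("T3", "72.20", ""),
          _row("T1", "72.14", "CP-A"), _row("T4", "72.25", "CP-C")]

if __name__ == "__main__":
    errors, rate = validate_trades(SAMPLE)
    for index, problems in errors.items():
        print(index, SAMPLE[index]["trade_id"], problems)
    print(f"error rate {rate:.1%}; within threshold: {rate < MAX_ERROR_RATE}")
```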
Source Data from High-Quality Market Feeds
What Firms Should Consider: Use reliable, industry-standard market feeds (e.g., Bloomberg, Refinitiv Eikon, IRESS) for price and trade data to ensure accurate surveillance of manipulations like pump-and-dump or spoofing. Compliance officers must confirm data providers deliver real-time (as needed), high-quality data, verify contracts for uptime and accuracy, and cross-check prices against secondary sources (e.g., LSE, Euronext) biweekly. Set anomaly thresholds (e.g., price swings >10% in fewer than 1% of records), assign a Compliance Officer to oversee checks, and escalate issues to IT within 14 days.
FCA Reference: Market Watch 79 (2024): “Accurate price data is critical for identifying manipulative behaviors.”
Fine Example: Arian Financial LLP (£288,962, January 2025) missed cum-ex trading signals due to unreliable data, breaching anti-money laundering controls linked to market abuse.
How to Do It:
Verify Contracts: Compliance Officer reviews data provider agreements (e.g., Bloomberg Terminal, £20,000/year) to confirm real-time, high-quality feeds.
Cross-Check Prices: Compare prices against secondary sources (e.g., LSE via API) biweekly. Flag swings >10% or negative prices.
Set Anomaly Thresholds: Establish a rule: “Price anomalies <1% of records.” Escalate issues to IT (e.g., switch to another data vendor) within 14 days if threshold exceeded.
Document Checks: Log findings in a compliance report (e.g., “01/08/2025: 0.7% price anomalies, fixed source issue”). Risk Officer reviews monthly for FCA audits.
Assign Clear Data Ownership Roles
What Firms Should Consider: Define specific roles for data governance (e.g., Compliance Lead validates data, IT Manager oversees integration, Risk Officer reviews audit trails) to ensure accountability and prevent gaps. Compliance officers must draft a governance policy, train staff on responsibilities, and review roles quarterly to account for staff changes or new asset classes (e.g., crypto). Use real-world fine examples in training to drive home the stakes, and ensure senior management signs off on roles to align with FCA expectations.
FCA Reference: Market Watch 79 (2024), SYSC 6.1.1R: Firms need “clearly defined responsibilities” for effective controls.
Fine Example: BGC/GFI Brokers (£4,775,200, October 2022) lacked clear data oversight, missing market abuse signals due to poor governance.
How to Do It:
Draft Policy: Compliance Lead creates a governance document. Compliance Lead: Monthly data validation; IT Manager: System integration; Risk Officer: Audit trail review.
Train Staff: Conduct annual training using BGC/GFI fine as a case study. Include in onboarding.
Review Roles: Compliance Officer audits assignments quarterly, updating for staff changes. Example: “Q3 2025: Added crypto desk lead.”
Document: Log governance structure in a compliance manual, reviewed monthly by senior management for FCA audits.
Ensure Timely Data Capture
What Firms Should Consider: Configure surveillance systems to capture trade and order data (e.g., trade ID, instrument, volume, price, timestamp, counterparty, venue) as close to execution as possible, ideally within 1–5 minutes, to enable timely detection of market abuse like insider dealing or spoofing. For small to medium-sized firms, this means ensuring data from order management systems (OMS, e.g., Fidessa) and trading platforms (e.g., Bloomberg) flows to surveillance systems (e.g., Actimize) without significant delays, especially for high-frequency or volatile markets (e.g., equities, CFDs). Compliance officers must verify integration (e.g., via APIs), monitor delays, set alerts for breaches (>5 minutes), and document timeliness for FCA audits. This involves coordinating with IT to optimise data pipelines, setting realistic expectations for resource-constrained firms, and logging results to demonstrate FCA compliance.
FCA Reference: Market Watch 69 (2022): “Timely surveillance is critical to prevent market abuse”; MAR Article 16: Systems must be “effective and timely.”
Fine Example: Citigroup Global Markets Limited (£12,553,800, June 2022) had delayed data capture, missing insider dealing risks, contributing to an FCA fine for MAR breaches.
How to Do It:
Verify Data Flow Timing: Compliance Officer collaborates with IT to review data pipelines from OMS to surveillance systems. Request trade log samples from trading desks (e.g., equities, CFDs) and compare timestamps (trade time vs. capture time) to confirm delays are <5 minutes for 99% of trades.
Set Delay Thresholds: Establish a policy: “Data capture delays must be <5 minutes for high-frequency assets (e.g., equities, CFDs).” Compliance Analyst checks weekly using OMS reports (e.g., Fidessa export) and surveillance logs (e.g., Actimize dashboard). Example: “Trade at 09:00:00, captured at 09:00:45.”
Configure Alerts: Work with IT to set system alerts for delays >5 minutes. Example: Configure Actimize to flag trades with capture delays >300 seconds. Escalate breaches to IT within 24 hours for fixes (e.g., optimise API bandwidth).
Document for FCA: Log timeliness metrics in a compliance dashboard (Google Sheets, free), e.g., “Q3 2025: 99.7% trades captured <5 min.” Risk Officer reviews monthly to ensure FCA audit readiness. Include in compliance reports: “Timeliness meets MAR 16 requirements.”
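One way to run the timestamp comparison described above, as an added example that is not part of the original post. The tuple layout, ISO 8601 timestamps and sample trades are constructed; trades captured before their execution time are reported separately because they indicate clock skew rather than a fast pipeline.

```python
from datetime import datetime

MAX_DELAY_S = 300     # alert rule from the checklist: capture delays >300 seconds
TARGET_SHARE = 0.99   # checklist target: <5 minutes for 99% of trades

# Constructed sample: (trade_id, asset_class, trade_time, capture_time)
SAMPLE = [
    ("T1", "equities", "2025-08-01T09:00:00+00:00", "2025-08-01T09:00:45+00:00"),
    ("T2", "equities", "2025-08-01T09:01:10+00:00", "2025-08-01T09:07:30+00:00"),
    ("T3", "cfd", "2025-08-01T09:02:00+00:00", "2025-08-01T09:01:58+00:00"),
    ("T4", "cfd", "2025-08-01T09:03:00+00:00", "2025-08-01T09:08:00+00:00"),
]


def capture_delays(rows):
    """Classify each trade as on time, late, or clock-skewed (captured before traded)."""
    late, skewed, on_time = [], [], 0
    for trade_id, _asset, traded, captured in rows:
        delay = (datetime.fromisoformat(captured)
                 - datetime.fromisoformat(traded)).total_seconds()
        if delay < 0:
            skewed.append((trade_id, delay))   # negative delay: timestamps cannot be trusted
        elif delay > MAX_DELAY_S:
            late.append((trade_id, delay))     # exactly 300 s does not trip the alert rule
        else:
            on_time += 1
    share = on_time / len(rows) if rows else 1.0
    return {
        "late": late,
        "clock_skew": skewed,
        "on_time_share": share,
        "meets_target": share >= TARGET_SHARE,
    }


if __name__ == "__main__":
    result = capture_delays(SAMPLE)
    print(f"on time: {result['on_time_share']:.1%}, meets target: {result['meets_target']}")
    for trade_id, delay in result["late"]:
        print(f"LATE  {trade_id} captured {delay:.0f}s after execution")
    for trade_id, delay in result["clock_skew"]:
        print(f"SKEW  {trade_id} captured {-delay:.0f}s before execution")
```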
Anonymise Sensitive Data for GDPR Compliance
What Firms Should Consider: Safeguard personal data (e.g., trader IDs, client names, emails) in trade and order datasets to comply with GDPR while supporting FCA-required surveillance for market abuse (e.g., insider dealing, spoofing). Compliance officers must ensure data is processed only when necessary (e.g., for alert reviews, STOR submissions), using encryption, access controls, and retention policies (e.g., delete after 90 days) to minimise exposure. For internal surveillance (e.g., Actimize), trader IDs can remain identifiable during active monitoring but must be secured against unauthorised access. When data is stored long-term, shared externally (e.g., with third parties like consultants), or analysed in cloud systems (e.g., AWS S3), firms should anonymise or pseudonymise identifiers to reduce GDPR risks. Assign a Compliance Officer to oversee monthly security checks, document processes in client agreements and compliance logs, and coordinate with IT to implement safeguards.
FCA Reference: Market Watch 60 (2019): “Firms must ensure data security in surveillance systems”; GDPR Article 5(1)(c, f): Data must be processed with “minimisation” and “appropriate security”; SYSC 6.1.1R: Requires “adequate systems and controls” for data handling.
Fine Example: GDPR fines (up to £17.5M, ICO, 2023) for data breaches, e.g., a UK financial firm fined £7M in 2023 for unauthorised access to trader and client data due to weak encryption and access controls.
How to Do It:
Secure Internal Surveillance: Compliance Officer ensures surveillance systems (e.g., Actimize) restrict access to authorised users (e.g., compliance team) via role-based access controls. Example: “Only Compliance Analysts view trader IDs in alerts.”
Implement Encryption and Access Controls: Work with IT to encrypt data at rest and in transit (e.g., AES-256 for storage and TLS for transfers; 2-day setup, £1,000). Use secure cloud storage (e.g., AWS S3 with SSE-S3) for external analysis. Set up user authentication (e.g., IAM roles) to limit access to the Compliance Officer and Risk Officer.
Anonymise for External Use: When sharing data externally (e.g., with consultants) or storing long-term, pseudonymise trader IDs (e.g., replace “Trader123” with “Code789”). IT implements pseudonymisation. Example: “Trader IDs hashed before cloud upload.” Include in client data agreements.
Set Retention Policies: Compliance Officer sets a 90-day deletion policy for surveillance data (1-hour setup, no cost). Example: “Delete trade logs after STOR review unless escalated.” Log policy in compliance manual.
Audit Monthly: Compliance Officer reviews data access logs (1 hour, monthly) to ensure no unauthorised access (e.g., by users outside the compliance team). Use system logs (e.g., Actimize audit trail) or cloud logging (e.g., AWS CloudTrail). Escalate breaches to IT within 24 hours (e.g., add two-factor authentication).
Document for FCA/GDPR: Log security measures (e.g., “Q3 2025: AES-256 encryption, 0 breaches”) in a compliance report, reviewed monthly by senior management for FCA/GDPR audits.
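An added example (not from the original post) of pseudonymising trader IDs before external sharing. It uses a keyed HMAC-SHA256 instead of a bare hash, because a bare hash of an ID drawn from a known staff list can be matched back by hashing the list; the function names, sample rows and key handling are assumptions.

```python
import hashlib
import hmac
import secrets


def plain_hash(trader_id):
    """Unkeyed SHA-256, shown only for comparison with the keyed version."""
    return hashlib.sha256(trader_id.encode("utf-8")).hexdigest()


def pseudonymise(trader_id, key):
    """Keyed pseudonym: stable across files for joins, not recomputable without the key."""
    return hmac.new(key, trader_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_rows(rows, key, fields=("trader_id",)):
    """Return copies of the rows with the named identifier fields replaced."""
    out = []
    for row in rows:
        copy = dict(row)
        for field in fields:
            if copy.get(field):
                copy[field] = pseudonymise(copy[field], key)
        out.append(copy)
    return out


def matches_known_id(value, known_ids):
    """Pre-release check: does an exported value equal the bare hash of a known ID?"""
    for candidate in known_ids:
        if hmac.compare_digest(plain_hash(candidate), value):
            return candidate
    return None


# Constructed sample data; the staff list and trade rows are made up.
STAFF_IDS = ["Trader001", "Trader123", "Trader456"]
TRADES = [{"trade_id": "T1", "trader_id": "Trader123", "volume": 1000}]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: held in a secrets store, never exported
    weak = plain_hash("Trader123")
    strong = pseudonymise_rows(TRADES, key)[0]["trader_id"]
    print("bare hash matched to:", matches_known_id(weak, STAFF_IDS))
    print("keyed pseudonym matched to:", matches_known_id(strong, STAFF_IDS))
```

Keep the key in the firm's secrets store and out of the shared dataset; whoever holds it can recompute the mapping, so the output is pseudonymised rather than anonymised data.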
Maintain Robust Audit Trails for FCA Reviews
What Firms Should Consider: Log all data access, modifications, and surveillance actions (e.g., alert reviews, data downloads) in a secure system to provide FCA-compliant audit trails. This includes user IDs, timestamps, and action details (e.g., “Dismissed spoofing alert due to low volume”). Compliance officers must ensure logs are stored for 5 years, assign a Risk Officer to review monthly for unauthorised access, and integrate with surveillance platforms (e.g., Actimize) for transparency during FCA inspections.
FCA Reference: Market Watch 60 (2019), SYSC 6.1.1R: Firms must maintain “adequate records” for regulatory scrutiny.
Fine Example: BGC/GFI Brokers’ weak audit trails contributed to a £4,775,200 fine (October 2022) for missing market abuse signals.
How to Do It:
Set Up Logging: Compliance Officer works with IT to log actions in surveillance systems. Example: “User: Compliance, Action: Reviewed alert, 01/08/2025.”
Review Logs: Risk Officer checks logs monthly for unauthorised access (e.g., by users outside the compliance team). Escalate issues to IT within 24 hours (e.g., add authentication).
Store Logs: Store logs for 5 years in a secure system (e.g., cloud storage). Use a compliance log template.
Document: Log audit trail reviews (e.g., “Q3 2025: No unauthorised access”) in a compliance manual, reviewed monthly by senior management.
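The monthly log review described above, sketched as an added example rather than code from the original post. The line format follows the post's sample entry; the user names, the authorised list and the log lines are constructed, and lines that cannot be parsed are reported rather than skipped so a damaged entry is never read as a clean month.

```python
import re
from datetime import datetime

AUTHORISED = {"c.analyst1", "c.officer", "r.officer"}  # hypothetical compliance/risk users
ENTRY = re.compile(
    r"^User: (?P<user>[^,]+), Action: (?P<action>.+), (?P<date>\d{2}/\d{2}/\d{4})$"
)

# Constructed sample log in the shape "User: ..., Action: ..., DD/MM/YYYY".
SAMPLE_LOG = """\
User: c.analyst1, Action: Reviewed alert, 01/08/2025
User: t.desk7, Action: Downloaded trade data, 02/08/2025
User: c.officer, Action: Dismissed spoofing alert due to low volume, 03/08/2025
corrupted entry 04/08/2025
User: c.analyst1, Action: Reviewed alert, 31/02/2025
"""


def review_log(log_text, authorised=AUTHORISED):
    """Return entries by users outside the authorised set, plus unreadable line numbers."""
    findings = {"unauthorised": [], "unparseable": []}
    for number, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        try:
            when = datetime.strptime(match["date"], "%d/%m/%Y").date() if match else None
        except ValueError:  # well-formed line carrying an impossible date
            when = None
        if when is None:
            findings["unparseable"].append(number)
            continue
        user = match["user"].strip()
        if user not in authorised:
            findings["unauthorised"].append(
                (number, user, match["action"], when.isoformat())
            )
    return findings


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for number, user, action, day in result["unauthorised"]:
        print(f"line {number}: {user} is not authorised ({action}, {day})")
    print("lines needing manual review:", result["unparseable"])
```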
Test Data Completeness Against Expected Volumes
What Firms Should Consider: Compare actual trade/order counts against expected volumes from OMS or trading platforms (e.g., Fidessa, Bloomberg) to ensure no data is missing, which is critical for FCA transaction reporting. Compliance officers must reconcile daily, especially during high-volume periods (e.g., 8–10 AM, 3–5 PM BST), set thresholds (<0.5% missing trades), and assign a Compliance Analyst to investigate discrepancies. Log results for FCA audits, with IT fixing gaps within 7 days.
FCA Reference: Market Watch 79 (2024), MAR Article 26(1): Complete transaction reporting is mandatory.
Fine Example: Infinox Capital’s 46,053 missing CFD reports led to a £99,200 fine (February 2025) for MAR breaches.
How to Do It:
Reconcile Daily: Compliance Analyst compares trade counts with OMS reports daily, focusing on peak hours. Example: “OMS: 10,000 trades, Surveillance: 9,950.”
Set Thresholds: Establish a rule: “Missing trades <0.5%.” Flag discrepancies >0.5% to IT within 24 hours (e.g., API sync issues).
Investigate Gaps: Compliance Analyst reviews logs to identify missing trades (e.g., CFDs not captured).
Document: Log reconciliation (e.g., “01/08/2025: 0.3% missing, fixed”) in a compliance dashboard, reviewed monthly by senior management.
Integrate Data Across Systems for Holistic Surveillance
What Firms Should Consider: Combine trade, order, and reference data (e.g., prices, counterparties) from OMS, EMS, surveillance systems, and market feeds to detect cross-asset or cross-market abuse (e.g., layering, wash trading). Compliance officers must map data pipelines, verify integration (e.g., APIs), and test monthly to ensure no siloed data undermines surveillance. Assign a Compliance Lead and IT Manager to oversee, with quarterly API updates and FCA-compliant documentation.
FCA Reference: Market Watch 69 (2022): “Siloed data undermines surveillance effectiveness.”
Fine Example: Citigroup’s siloed data missed cross-asset manipulation, contributing to a £12,553,800 fine (June 2022).
How to Do It:
Map Pipelines: Compliance Lead and IT Manager create a data flow diagram, e.g.: OMS (Fidessa) → EMS (Bloomberg) → Surveillance (Actimize) → FCA Reporting.
Verify Integration: Compliance Analyst tests integration monthly by comparing trade/order counts across systems. Example: “OMS: 5,000 orders, Surveillance: 4,950.”
Update APIs: IT Manager updates APIs (e.g., REST, FIX) quarterly to ensure seamless data flow. Escalate gaps >1% to IT within 24 hours.
Document: Log integration tests (e.g., “Q3 2025: 0.8% gap, fixed API”) in a compliance log, reviewed monthly by Risk Officer.
Conduct Quarterly Data Governance Reviews
What Firms Should Consider: Review data capture, validation, ownership, integration, and audit processes quarterly to ensure FCA compliance and proactive risk management. Compliance officers must schedule structured reviews with compliance, IT, and risk teams, set KPIs (e.g., <1% error rate, 100% asset class coverage, <60s delays), assess gaps, and implement fixes within 30 days. Senior management must sign off, with results logged in a compliance manual for FCA audits.
FCA Reference: Market Watch 79 (2024), SYSC 6.1.1R: Firms must have “ongoing monitoring” of controls.
Fine Example: Arian Financial’s poor data governance led to a £288,962 fine (January 2025) for missing cum-ex trading signals.
How to Do It:
Schedule Reviews: Compliance Lead sets quarterly meetings with an agenda: capture, accuracy, ownership, integration, audit trails.
Assess KPIs: Review metrics: error rate (<1%), missing asset classes (0), delays (<60s). Use OMS/surveillance reports to quantify.
Implement Fixes: Assign action items (e.g., “IT: Fix OTC API”). Track in a governance dashboard.
Document: Log findings (e.g., “Q3 2025: 0.3% error rate, fixed crypto gap”) in a compliance manual, reviewed monthly by senior management.
Disclaimer: This checklist is for informational purposes only and does not constitute legal or regulatory advice. Scientia RegTech’s services support alignment with FCA Market Watch and Handbook guidance, but compliance depends on individual firm circumstances. Consult a qualified legal professional for tailored advice. Data is handled securely in accordance with GDPR requirements.




