In March 2019, the Central Bank issued an industry communication, setting out their expectations for the identification, mitigation and management of market conduct risk by regulated financial service providers (‘FSPs’) engaging or applying to engage in wholesale market activity.

In the ensuing months, the Central Bank employed a range of supervisory tools to assess wholesale market conduct risk, including a thematic review of regulated entities’ effectiveness in identifying and assessing such risk. As part of this exercise, the Central Bank engaged directly with 24 regulated entities, conducted on-site inspections of 10 regulated entities and visited branches of Irish entities in other jurisdictions. Central Bank supervisors conducted over 150 interviews of directors and CEOs, risk and compliance officers and frontline staff and the Central Bank continues to engage with relevant entities in relation to identified deficiencies.

As a result of this supervisory engagement the Central Bank issued a ‘Dear CEO’ letter on 21 January 2020. The Central Bank is asking firms to:

•  Bring the letter to the attention of the Board at its next meeting;
• The Central Bank has emphasised that FSPs should review the expectations set out in the Appendix and address misalignments with their internal frameworks and practices;
•  In Addition, the Central Bank placed particular emphasis on a reminder to Issuers, to whom this letter is addressed, that they should focus on the relevant concerns expressed in the third finding - failure to identify market abuse risk. 

In light of the Central Bank’s findings, they have expressed an expectation to market participants to place a renewed focus on ensuring they have in place frameworks that effectively protect the best interests of investors and they operate in a fair, orderly and transparent manner.

In addition, the Central Bank also highlighted that it expects to devote considerable supervisory resource in the year ahead to examining the compliance by regulated entities and issuers with their obligations to recognise and manage inside information and, in the case of relevant regulated entities, to identify suspicious transactions and orders.

The Central Bank have articulated that the central theme that underpinned their findings detailed in the Appendix to the Dear CEO letter was that FSPs may not have been adequately identifying the market conduct risk to which they are exposed, and so cannot appropriately mitigate and manage the risk. 

Such a failure leads to or, where relevant, arises from the following: 

• Inadequate market conduct risk frameworks: The Central Bank expects regulated entities to fully embed into their organisational arrangements, market conduct risk frameworks and consequential controls that employees fully understand said risks. 
• Inadequate governance of market conduct risk: The Central Bank expects the Board and senior management of regulated entities to take full ownership of the governance of market conduct risk. In the global context this includes challenging group decisions where appropriate. It also means ensuring that the FSPs is sufficiently well controlled to monitor, marshal, receive and, where appropriate, report to the Central Bank all information pertinent to the conduct of staff and, where relevant, staff located in affiliate entities. Regulated entities must fully embed compliance with the Central Bank’s Fitness and Probity Regime into their organisational arrangements at local and branch level. 
  
• Failure to identify the risk of market abuse: The Central Bank expects regulated entities, issuers and those who act on behalf of issuers (whether or not they are regulated entities) to have systems and controls in place to ensure compliance with their obligations under the Market Abuse Regulation and related legislation. Where relevant, this includes the establishment and maintenance of effective trade surveillance systems and other arrangements to prevent, detect and report potentially abusive behaviour. For issuers and market participants who contact them it includes the implementation of organisational arrangements that minimise the risk of abusive behaviour. 
  
• The Central Bank’s supervisory work in 2020 will include focussing on regulated entities’ ability to identify market conduct risk; the extent to which they are sufficiently well controlled to govern wholesale market conduct risk; and the flow and escalation of conduct-specific information within and across regulated entities and groups.

1. Inadequate MCR frameworks

Regulated entities should:

• Identify all MCRs applicable to their business model at local and branch level … [including] engagement with, and challenge to, centralised group risk management functions;
• Use their conduct risk identification process to inform the development of their MCR frameworks and controls;
• Generate and use market conduct-related Management Information (MI) that is relevant, accurate and timely and ensure staff understand what information should be generated, maintained and escalated and to whom. For group risk management functions, relevant local senior management should also review it; and
• Include the identification of potential conflicts of interest in their conduct risk identification process.

2. Inadequate governance of MCR:

Regulated entities: 

• Should ensure the Board and senior management own the governance of MCR irrespective of group arrangements;
• Should assess their governance structures on a periodic basis to ensure they have sufficient capacity to manage MCR … (including reviewing roles, responsibilities & committees);
• Should be sufficiently well controlled to monitor, marshal, receive and, where appropriate, report to the Central Bank all information pertinent to the conduct of its own staff and (where relevant) affiliate staff, irrespective of their location;
• [are reminded of their] obligations under Section 21 of the Central Bank Reform Act 2010 … not only performance of due diligence to ensure [CFs and PCFs] comply with the Fitness and Probity Standards 2014 … but to satisfy themselves on reasonable grounds and on an ongoing basis of the fitness and probity of such staff, including, where relevant, providing appropriate training. This includes the PCF-29 function.

3. Failure to identify the risk of market abuse.  

Regulated entities:

• Should assess the effectiveness of their trade surveillance systems … [taking] into account the nature and frequency of the data gathered, the extent of review (including the assessment of alerts), and analysis of that data … strike an appropriate, entity-specific balance between prudent and effective reliance on technology and the application of human judgment and scepticism;
• Remain responsible for performance of outsourced trade surveillance functions to third parties, including affiliates, and should actively monitor and supervise the performance of outsources service provider;
• Should establish and communicate to staff, clear lines of responsibility for oversight of trade surveillance and internal escalation of alert;
• Should consider whether the quality and volume of their STOR submissions is appropriate given their level of trading activity;
•  In the context of their dealings, issuer investor relations functions (whether outsourced or inhouse) and market participants who contact them should ensure they do not, respectively, breach the prohibitions against unlawful disclosure of inside information and insider dealing. Regulated entities and issuers should have in place controls governing communications between, for example, research analysts and issuer investor relations functions to minimise the risk of breaching MAR.