Chapter 19 Key Takeaways: Market Surveillance: Detecting Manipulation and Abuse

1. MAR Prohibited Behaviors: Reference Table

Prohibited Behavior MAR Article Core Definition Key Elements Criminal Parallel (UK)
Insider Dealing Art. 8, 14 Using inside information to acquire, dispose of, or attempt to acquire/dispose of financial instruments (1) Inside information held; (2) Transaction in covered instrument; (3) Causal link Criminal Justice Act 1993, s.52 — up to 10 years
Unlawful Disclosure Art. 10, 14 Recommending another person trade on inside information, or inducing them to do so Tip must be based on inside information; tipper must know or ought to know CJA 1993, s.52(2)(b)
Market Manipulation — Transaction-based Art. 12(1)(a) Transactions or orders giving false/misleading signals or securing an artificial price False signals test OR artificial price test; legitimate purpose defense available Financial Services Act 2012, s.89-91
Market Manipulation — Information-based Art. 12(1)(c) Disseminating false/misleading information about an instrument Person knew or ought to have known it was false/misleading Fraud Act 2006 (potentially)
Benchmark Manipulation Art. 12(1)(d) Transmitting false inputs or otherwise manipulating a benchmark calculation Applies to EURIBOR, LIBOR successors, and other regulated benchmarks Benchmarks Regulation (criminal)

Inside Information: The Four Cumulative Elements (MAR Article 7)

Element Description Practical Test
Precise Indicates specific circumstances or events that exist or may reasonably be expected Can a conclusion be drawn about price impact?
Not public Not generally available; not disclosed via regulated information service Would a reasonable investor already know?
Material Would likely have a significant effect on price Would a reasonable investor use this in a decision?
Instrument-related Relates to one or more specific issuers or instruments Distinguishable from general market information

Primary vs. Secondary Insiders (MAR Article 8)

Category Basis of Possession Standard Applied
Primary insider Board membership, shareholding, employment/professional access, or criminal activity Strict — possession + use is sufficient
Secondary insider Any other person who receives inside information Knew or ought to have known it was inside information

2. STOR Obligation Summary

Element Requirement Source
Who must report Market operators, investment firms, persons professionally arranging or executing transactions MAR Art. 16(1)-(2)
Reporting threshold Reasonable grounds to suspect insider dealing, market manipulation, or an attempt Suspicion standard — not certainty
Timing As soon as possible; FCA interprets as promptly — typically hours, not days MAR Art. 16(1); FCA Market Watch
Recipient (UK) Financial Conduct Authority via online reporting system FCA STOR portal
Recipient (EU) National Competent Authority (e.g., BaFin, AMF, CNMV) Relevant NCA
Confidentiality Firm must not tip off the subject of the STOR MAR Art. 16(4)
Required content Instruments, suspected behavior, persons involved, dates/times, grounds for suspicion, supporting evidence FCA STOR guidance
Orders covered Suspicious orders reported even if not executed MAR Art. 16(1) — "transactions and orders"

3. Surveillance Architecture: Text-Based Diagram

┌─────────────────────────────────────────────────────────────────────────┐
│                    SURVEILLANCE PLATFORM ARCHITECTURE                    │
└─────────────────────────────────────────────────────────────────────────┘

DATA INGESTION LAYER
────────────────────────────────────────────────────────────────────────────
  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐
  │  Order Data  │  │  Trade Data  │  │ Market Data  │  │  Comms Data  │
  │  (OMS feed)  │  │  (EMS/CCP)   │  │  (venue tick)│  │  (voice/chat)│
  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘
         │                 │                  │                  │
         └─────────────────┴──────────────────┴──────────────────┘
                                     │
                           DATA NORMALIZATION
                       (deduplicate, timestamp align,
                        reference data enrichment)
                                     │
DETECTION LAYER
────────────────────────────────────────────────────────────────────────────
  ┌──────────────┐  ┌──────────────────────┐  ┌──────────────────────────┐
  │  Rule-Based  │  │  Statistical / Quant  │  │   ML / NLP / Graph       │
  │              │  │                      │  │                          │
  │ • Threshold  │  │ • Z-score vs baseline│  │ • Unsupervised anomaly   │
  │ • Ratio      │  │ • Peer comparison    │  │   detection (iso-forest) │
  │ • Sequence   │  │ • Regression residual│  │ • NLP comms scoring      │
  └──────┬───────┘  └─────────┬────────────┘  └──────────────┬───────────┘
         │                    │                               │
         └────────────────────┴───────────────────────────────┘
                                     │
                          ALERT SCORING ENGINE
                    (composite score, severity assignment,
                     de-duplication, enrichment with context)
                                     │
CASE MANAGEMENT LAYER
────────────────────────────────────────────────────────────────────────────
  ┌─────────────────────────────────────────────────────────────────────┐
  │  ALERT QUEUE                                                        │
  │  ┌──────────┐  ┌──────────────┐  ┌─────────────────────────────┐   │
  │  │  LOW     │  │    MEDIUM    │  │          HIGH               │   │
  │  │ (weekly  │  │ (2-day SLA)  │  │ (4-hour notification)       │   │
  │  │  review) │  │              │  │                             │   │
  │  └──────────┘  └──────────────┘  └─────────────────────────────┘   │
  └─────────────────────────────────────────────────────────────────────┘
                                     │
  ┌──────────────┐  ┌────────────────┴─────────────────┐
  │  NO FURTHER  │  │        INVESTIGATION              │
  │  ACTION      │◄─┤  • Data pull                     │
  │  (documented)│  │  • Comms review                  │
  └──────────────┘  │  • Business explanation           │
                    │  • Legal advice (if required)     │
                    └────────────┬─────────────────────┘
                                 │
              ┌──────────────────┴──────────────────┐
              │                                     │
     ┌────────▼────────┐                  ┌─────────▼──────────┐
     │  CASE CLOSED    │                  │   STOR FILED       │
     │  (no reasonable │                  │   (FCA / NCA       │
     │   grounds)      │                  │    notification)   │
     └─────────────────┘                  └────────────────────┘

4. Alert Severity Framework

Severity Level Score Range Escalation Requirement Typical Response SLA Examples
LOW 0.00 – 0.49 Logged automatically; weekly batch review 5 business days Marginally elevated cancel ratio; peer comparison deviation within 1.5 SD
MEDIUM 0.50 – 0.74 Compliance analyst review; documented disposition 2 business days Cancel ratio above threshold + size asymmetry; marking-the-close pattern without directional asymmetry
HIGH 0.75 – 1.00 Head of Compliance notification; presumptive STOR assessment within 48 hours 4 hours (notification) Multi-session spoofing pattern + price impact evidence + directional asymmetry; cross-asset coordination pattern

Score Component Weighting (Spoofing Detector — Illustrative)

Component Weight What It Captures
Cancel ratio (above threshold) 50% Core behavioral signature of spoofing
Large order size asymmetry 25% Economic motivation — large cancelled, small executed
Directional asymmetry 25% Cancellations on one side correlated with executions on opposite side

5. Investigation Workflow Checklist

Use this checklist to ensure all regulatory investigation steps are completed and documented for each escalated alert.

Phase 1: Initial Triage

  • [ ] Alert reviewed and severity level confirmed or upgraded based on investigator judgment
  • [ ] Instrument(s), trader(s), and date range identified
  • [ ] Preliminary assessment of applicable MAR provision(s) recorded
  • [ ] STOR preliminary assessment: reasonable grounds present? (yes / no / inconclusive — further investigation needed)

Phase 2: Data Gathering

  • [ ] Full order and execution data pulled for flagged period (all statuses: placed, cancelled, modified, executed)
  • [ ] Market data (BBO, depth) pulled for flagged sessions and correlated with order timestamps
  • [ ] Position data pulled: does the pattern benefit an existing position?
  • [ ] Communications records requested and reviewed: Bloomberg Chat, email, voice recordings for flagged dates
  • [ ] Reference data confirmed: instrument characteristics, desk mandate, trader permissions

Phase 3: Contextual Analysis

  • [ ] Safe harbor assessment: could this be market making, stabilization, pre-commitment plan, or buy-back?
  • [ ] Peer comparison: how does the trader's cancel ratio/behavior compare to comparable traders in the same period?
  • [ ] Historical baseline: does this pattern deviate from the trader's own historical behavior?
  • [ ] Market context: was there a legitimate market event (data release, ratings action, liquidity dislocation) that could explain the behavior?

Phase 4: Business Explanation

  • [ ] Decision to seek business explanation documented (or rationale for not seeking one, e.g., tipping-off risk)
  • [ ] Explanation requested from desk head or trader (in writing)
  • [ ] Explanation received and assessed: is it plausible and consistent with the evidence?
  • [ ] Any new facts arising from the explanation incorporated into the assessment

Phase 5: Decision and Disposition

  • [ ] Final assessment recorded: (a) no reasonable grounds — case closed; (b) reasonable grounds — STOR to be filed
  • [ ] If STOR: STOR drafted, reviewed by Head of Compliance, filed with FCA (and relevant NCA if EU instruments involved)
  • [ ] STOR reference number recorded in case management system
  • [ ] Filing timestamp recorded (to demonstrate promptness)
  • [ ] Case closed and full investigative record archived (minimum 5 years per MAR Art. 16)
  • [ ] If no STOR: full reasoning documented with specific reference to why reasonable grounds are not met

6. False Positive Management Strategies

A well-designed surveillance program minimizes false positives without sacrificing sensitivity. The following strategies are used in practice:

Strategy Description When to Apply
Threshold calibration Set detection thresholds based on empirical analysis of the firm's own order flow rather than generic industry defaults At program inception and after any material change in trading strategy
Instrument-level tuning Apply different parameters to different asset classes (illiquid bond markets tolerate higher cancel ratios than liquid equity markets) Continuously, as instrument liquidity evolves
Safe harbor tagging Pre-tag orders associated with known safe harbor activities (stabilization programs, buyback mandates) to suppress alerts When new programs are established
Trader-level baselining Use rolling historical baselines per trader rather than static thresholds, so alerts reflect genuine behavioral shifts For high-volume traders with stable, well-understood strategies
Feedback loops Record investigation dispositions in the case management system and use them to recalibrate rules and scoring weights After each investigation cycle (monthly or quarterly review)
Alert clustering Group alerts from the same trader and instrument across consecutive sessions into a single case to avoid duplicative reviews When the system generates multiple low-to-medium alerts on the same pattern
Peer group comparison Normalize behavior against peer groups to identify genuine outliers rather than firing on absolute thresholds For desks with distinctive trading styles that would otherwise generate excessive alerts

7. Market Manipulation Typologies: Quick Reference

Typology MAR Art. Key Pattern Signature Data Stream Required
Spoofing 12(1)(a) Large order + rapid cancel + opposite-side execution + price impact Order data, market depth
Layering 12(1)(a) Multiple orders at different price levels, all cancelled after triggering price movement Order data, level 2 market data
Marking the close 12(1)(a) Disproportionate volume in closing auction window at aggressive prices Order data, market data, position data
Wash trading 12(1)(a) Buy and sell by same or connected entity, no economic ownership change Order data, counterparty data, position data
Pump and dump 12(1)(a)+(c) Accumulation + positive information dissemination + distribution at inflated price Order/trade data + communications/media monitoring
Quote stuffing 12(1)(a) Very high order-to-trade ratio, orders in microsecond bursts Tick-by-tick order data (nanosecond precision)
Benchmark manipulation 12(1)(d) Submissions diverging from implied market rate; communications directing submissions Submission data, derivatives position data, communications
Painting the tape 12(1)(a) Sequence of trades between connected parties creating artificial price or volume trend Trade data, counterparty network analysis

Key Regulatory References

  • UK MAR: The Market Abuse (Amendment) (EU Exit) Regulations 2019, as it forms part of UK law under EUWA 2018
  • EU MAR: Regulation (EU) No 596/2014 of the European Parliament and of the Council, 16 April 2014
  • FCA STOR guidance: FCA SUP 15.10 (Suspicious Transaction and Order Reports)
  • ESMA MAR guidelines: ESMA Guidelines on the Market Abuse Regulation (ESMA70-145-111), covering accepted market practices, inside information, and the delay of disclosure
  • FCA Market Watch: Published by FCA Markets Policy and International Department — key editions: 69 (comms surveillance), 71 (STOR quality), 73 (algorithmic trading), 75 (front-office controls)
  • Record keeping: MAR Art. 16 requires firms to retain records supporting STOR decisions for at least five years