Case Study 2: Designing a Cross-Asset Surveillance Program — Equity and Equity Derivatives at Altenburg Investment Bank

A fictional case study illustrating Priya Nair's advisory engagement. All persons, institutions, and financial data are illustrative.

Background

Altenburg Investment Bank S.A. is a Luxembourg-headquartered EU investment bank with trading operations in Frankfurt, Amsterdam, and Paris. Authorised by the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg and subject to EU MAR, MiFID II, and the full suite of European prudential regulations, Altenburg trades a broad range of instruments across asset classes.

Of particular relevance to this case study, Altenburg's Equity and Equity Derivatives division operates two closely connected but separately managed desks:

The Equity Cash Desk (ECD): Trades European equity in cash markets, including single-stock equities on Euronext, Deutsche Boerse, and Borsa Italiana. The desk trades both for clients (agency) and in its own proprietary account. Annual turnover exceeds EUR 18 billion across approximately 200 single-stock positions.
The Equity Derivatives Desk (EDD): Trades single-stock and index options and structured equity products. The desk is both a market-maker in listed options and a structurer of OTC equity derivatives for institutional clients. Many of its positions have payoffs that depend on the closing prices of the underlying equities traded by the ECD.

The two desks are separated by an information barrier, implemented through physical separation (different floors of the Frankfurt office), systems access controls (separate order management systems), and a compliance-approved exception process for any inter-desk communication regarding client-sensitive matters.

The Engagement

Priya Nair was engaged by Altenburg in September 2024 as a senior adviser on trade surveillance architecture, working through her Big 4 firm. The engagement brief was specific: design and implement a cross-asset surveillance program that could detect manipulation occurring across the ECD and EDD simultaneously — in particular, manipulation where a trader (or coordinated traders) generates artificial price moves in cash equities that benefit positions in equity derivatives.

The engagement was not triggered by any specific regulatory concern or enforcement action. Instead, it arose from Altenburg's own risk assessment following publication of ESMA's 2024 Supervisory Briefing on Market Surveillance Practices, which specifically highlighted cross-asset manipulation as an area where NCAs expected investment banks to have enhanced detection capability.

"Most firms have reasonable surveillance within each desk," Priya observed at the project kickoff meeting. "What they don't have is surveillance across desks. The information barrier is important for preventing manipulation — it stops the EDD trader knowing what the ECD trader is about to do. But it can't stop a trader who operates on both sides of the barrier simultaneously, or who coordinates with someone on the other desk. Detecting that requires surveillance that can look across the barrier, even if the traders themselves cannot."

The Target Manipulation Strategy

Before designing the surveillance architecture, Priya worked with Altenburg's existing surveillance team and a market microstructure specialist to define the specific manipulation strategies the program should detect.

The target strategy — which Priya called the "option-and-press" scheme — operates as follows:

Step 1: Option Position Accumulation A trader (or coordinating group) accumulates a significant position in call options on a single-stock equity with a strike price that is currently moderately out of the money. For example: accumulating 10,000 call options on Company X equity with a strike of EUR 52.00 when Company X is trading at EUR 49.50. The option position is accumulated gradually to avoid detection.

Step 2: Cash Equity Pressure The trader (or a coordinating party on the ECD) then buys Company X shares aggressively in the cash market over a concentrated period — typically near a benchmark fixing time, a derivatives expiry, or a period of moderate liquidity — to push the cash price above EUR 52.00. This buying is artificial in the sense that the volume purchased exceeds what genuine investment demand would support and the position is not intended to be held long-term.

Step 3: Option Monetisation With Company X now trading above EUR 52.00, the out-of-the-money call options have become in the money. The options can be exercised, sold, or held against continuing pressure. The profit on the options position — calculated against the premium paid — significantly exceeds the cost of the cash equity purchase and any losses incurred when the cash equity position is subsequently unwound.

Step 4: Cash Equity Unwind The artificially acquired cash equity position is sold, typically after the derivative benefit has been locked in. The share price falls back toward its natural level. The manipulation profit is the difference between the option gain and the cost of the cash market intervention plus transaction costs.

This strategy is a textbook example of cross-asset manipulation captured by EU MAR Article 12(1)(a) — the cash equity trading gives a "false or misleading signal" as to the equity's value, and the manipulation secures its price "at an abnormal or artificial level." The fact that the primary benefit accrues in the derivatives market does not insulate the manipulator from MAR liability.

Surveillance Architecture Design

Priya structured the cross-asset surveillance architecture around three design principles:

Principle 1: Data unification without wall penetration. The surveillance system must have visibility into both the ECD and EDD order and trade flows simultaneously — but the surveillance team analyzing combined data must not be a channel through which information flows from EDD back to ECD traders or vice versa. Surveillance operates behind both walls simultaneously; it does not break them.

Principle 2: Position-aware alert generation. Detection of cross-asset manipulation requires knowing not just what orders were placed but what positions those orders were building or unwinding. An anomalous buy surge in a cash equity is ambiguous; an anomalous buy surge correlated with a concurrent option accumulation in the same underlying stock, at a strike price that becomes in the money at the target price implied by the cash buying, is not.

Principle 3: Cross-desk temporal correlation as the primary signal. The defining signature of the option-and-press scheme is the temporal relationship between events across the two desks: option position accumulation precedes cash equity pressure, which precedes option monetisation. The surveillance system must track this multi-phase sequence across instruments and desks.

Component 1: Unified Surveillance Data Layer

Priya recommended that Altenburg create a dedicated surveillance data lake that ingested order and trade events from both the ECD and EDD order management systems, alongside position data from the firm's risk management system. Critically:

The data lake was accessible only to the compliance surveillance team and was strictly read-only for all other users
Logical access controls ensured that no ECD data could be accessed through any interface accessible to EDD traders, and vice versa — the unified visibility existed only at the surveillance layer
All access to the surveillance data lake was logged and subject to quarterly access review

The data model unified the following fields across both desks:

@dataclass
class UnifiedTradeEvent:
    event_id: str
    desk_id: str              # 'ECD' or 'EDD'
    trader_id: str
    instrument_id: str
    underlying_equity_id: str # For derivatives, the underlying equity ISIN
    instrument_type: str      # 'equity', 'call_option', 'put_option', 'structured'
    event_type: str           # 'order_place', 'order_cancel', 'trade_execute'
    side: str                 # 'buy' / 'sell' / 'long' / 'short'
    price: float
    quantity: float
    notional: float           # EUR notional value
    strike_price: Optional[float]    # Options: strike
    expiry_date: Optional[date]      # Options: expiry
    delta: Optional[float]           # Options: delta at time of trade
    timestamp: datetime
    account_type: str         # 'proprietary', 'client', 'market_making'

Component 2: Option Position Accumulation Monitor

The first detection component monitored the EDD for accumulation of directional option positions relative to a single underlying equity within a defined time window.

class OptionAccumulationMonitor:
    """
    Monitors whether a trader (or the desk collectively) is accumulating
    a significant directional option position in a single underlying equity
    over a rolling window. A large net long delta in call options signals
    that someone holds a position that benefits from a rising cash price.
    """

    def __init__(
        self,
        accumulation_window_days: int = 10,
        min_net_delta_threshold: float = 500_000,  # EUR notional delta
        min_position_relative_to_adv: float = 0.05  # 5% of average daily volume
    ):
        self.accumulation_window_days = accumulation_window_days
        self.min_net_delta_threshold = min_net_delta_threshold
        self.min_position_relative_to_adv = min_position_relative_to_adv

    def compute_rolling_net_delta(
        self,
        edd_events: list[UnifiedTradeEvent],
        underlying_equity_id: str,
        as_of_date: date,
        trader_id: Optional[str] = None,  # None = desk-wide
    ) -> dict[str, float]:
        """
        Compute net option delta exposure to a single equity over
        the accumulation window. Returns {trader_id: net_delta_EUR}.
        """
        window_start = as_of_date - timedelta(days=self.accumulation_window_days)

        relevant_events = [
            e for e in edd_events
            if e.underlying_equity_id == underlying_equity_id
            and e.instrument_type in ('call_option', 'put_option')
            and window_start <= e.timestamp.date() <= as_of_date
            and (trader_id is None or e.trader_id == trader_id)
            and e.account_type == 'proprietary'
        ]

        net_delta_by_trader: dict[str, float] = defaultdict(float)
        for event in relevant_events:
            if event.event_type != 'trade_execute':
                continue
            sign = 1 if event.side in ('buy', 'long') else -1
            option_sign = 1 if event.instrument_type == 'call_option' else -1
            delta_contribution = (
                sign * option_sign * event.delta * event.notional
            )
            net_delta_by_trader[event.trader_id] += delta_contribution

        return net_delta_by_trader

    def detect_significant_accumulation(
        self,
        edd_events: list[UnifiedTradeEvent],
        underlying_equity_id: str,
        as_of_date: date,
        average_daily_volume_eur: float,
    ) -> list[dict]:
        """
        Returns a list of accumulation flags for traders who have built
        significant net long delta exposure to the underlying equity.
        """
        net_deltas = self.compute_rolling_net_delta(
            edd_events, underlying_equity_id, as_of_date
        )

        flags = []
        for trader_id, net_delta in net_deltas.items():
            if net_delta < self.min_net_delta_threshold:
                continue
            relative_size = net_delta / (
                average_daily_volume_eur * self.accumulation_window_days
            )
            if relative_size < self.min_position_relative_to_adv:
                continue
            flags.append({
                'trader_id': trader_id,
                'underlying_equity_id': underlying_equity_id,
                'net_delta_eur': net_delta,
                'relative_to_adv': relative_size,
                'accumulation_window_days': self.accumulation_window_days,
                'as_of_date': as_of_date,
            })
        return flags

Component 3: Cash Equity Pressure Detector

The second component monitored the ECD for concentrated buying in an underlying equity that is also the subject of an option accumulation flag.

The key metrics for cash equity pressure detection: - Volume surge ratio: Trader's buy volume in the equity over a defined intraday window versus the market's average volume in that equity at the same time of day - Price impact: The percentage price move from the start to the end of the concentrated buying window - Bid aggressiveness: Whether the buying was conducted using aggressive (marketable) orders or passive limit orders — aggressive buying is more consistent with manipulation - Timing relative to option position: The interval between the option accumulation and the onset of cash buying

Component 4: Cross-Asset Correlation Engine

The heart of the surveillance program was the Cross-Asset Correlation Engine, which combined the outputs of Components 2 and 3 to generate unified cross-asset alerts.

The correlation logic evaluated four criteria:

Criterion 1 — Instrument relationship: Does the equity where the cash pressure is detected correspond to the underlying of the option position accumulated in Component 2?

Criterion 2 — Directional consistency: Is the cash equity buying consistent with the direction of the option accumulation (i.e., aggressive cash buying when the option accumulation is net long calls)?

Criterion 3 — Strike proximity: Is the cash equity price, at the peak of the buying pressure, near or above the weighted average strike price of the accumulated option position?

Criterion 4 — Temporal sequencing: Does the option accumulation precede the cash equity pressure? Simultaneous or post-hoc option accumulation has a different (and less suspicious) interpretation.

A unified cross-asset alert was generated when all four criteria were met within the defined temporal windows.

Governance and Information Barrier Protocols

A critical aspect of the program design was ensuring that the cross-asset surveillance system did not itself become a vehicle for information barrier breaches. Priya implemented the following governance safeguards:

Surveillance segregation: Cross-asset alerts were reviewed only by members of the compliance surveillance team with explicit clearance for cross-desk data access. No trading desk personnel had access to cross-desk alert data.

Alert triage protocol: When a cross-asset alert was escalated beyond the initial review stage, the investigation was conducted by compliance and legal — not shared with either the ECD or EDD desk heads. If the investigation resulted in a STOR, the notification to the FCA was handled without the involvement of any trading desk personnel.

Documentation of all access: Every access to cross-desk data in the surveillance data lake was logged to an immutable audit trail, reviewed quarterly by internal audit, and made available to the CSSF on request.

Pilot Period: Two Flagged Incidents

During the six-month pilot period (October 2024 to March 2025), the cross-asset surveillance program generated 14 alerts meeting all four correlation criteria. Of these:

12 alerts were closed as false positives after Level 1 review. The most common cause was legitimate index-related trading: Altenburg's EDD held significant long delta exposure to several large-cap equities through structured products for clients, and the ECD's volume in those equities spiked around index rebalancing events. The program was recalibrated to exclude dates identified as index rebalancing events from the concentration analysis, with date-specific baselines applied instead.

One alert was escalated to Level 2 investigation on 17 February 2025. The pattern showed: (a) accumulation of call options in a mid-cap German industrial equity (ISIN: DE000xxxxxxx, fictionalised) by a single EDD trader over a 12-day period, building net delta exposure of approximately EUR 2.4 million; (b) a concentrated cash equity buying episode in the same stock by an ECD trader on 6 February 2025, in which 14% of the day's trading volume in the stock was executed in a 35-minute window, pushing the price from EUR 38.40 to EUR 40.10 — just above the EUR 40.00 strike of the accumulated call option position. The Level 2 investigation found no communications link between the two traders and no evidence of coordination. The ECD trader's buying was attributed to a client block order. The alert was closed with no STOR submitted, but the investigation documentation was retained.

One alert remained under active investigation as of the completion of Priya's engagement.

Program Assessment and Recommendations

At the close of her engagement, Priya presented the following assessment to Altenburg's Board Risk Committee:

What the program successfully detects: - Concentrated cash equity buying temporally correlated with option accumulation in the same underlying - Desk-wide accumulation of directional option exposure that would benefit from cash equity price movement - Multi-session option-and-press patterns where the manipulation is distributed over several days

Known limitations:

External coordination. If the cash equity pressure is generated by an external entity (a client, a related entity, or a coordinating third party) rather than an ECD trader, the program will not detect it. Cross-entity detection would require coordination with the relevant exchange's surveillance team.
Reverse strategy (put-and-depress). The program was designed with call options/cash buying in mind. An equivalent strategy using put options and aggressive cash selling would require symmetric rule sets, which were scheduled for Phase 2 development.
Sophisticated timing distribution. A sufficiently sophisticated manipulator who knows the surveillance parameters could distribute the cash buying over a longer window to fall below the volume surge ratio threshold. Continuous recalibration and red-team testing were recommended.

Recommendations for Phase 2: - Integrate real-time alert generation (the pilot system operated on a T+1 batch basis) - Extend to index options (not just single-stock options) as the benefit instrument - Implement machine learning-based anomaly detection to identify option accumulation patterns that fall below absolute thresholds but are statistically anomalous relative to the trader's historical activity - Coordinate with Euronext, Deutsche Boerse, and Borsa Italiana surveillance teams to enable cross-entity detection of externally coordinated cash pressure

Discussion Questions

Priya describes the surveillance system as one that "operates behind both walls simultaneously." What does this mean in terms of information flows, and why is this architecture preferable to having the surveillance team itself straddle the information barrier?
The 12 false positives in the pilot period were predominantly caused by index rebalancing events. What does this illustrate about the importance of maintaining a market event calendar within a surveillance program? What other market events should be built into a similar calendar?
The one STOR-candidate alert (the German industrial equity) was ultimately closed without a STOR being filed because the ECD trader's buying was attributed to a client block order. What additional evidence would you want to review before accepting this explanation? What alternative explanation might account for the temporal correlation between the option accumulation and the client order?
Cross-asset surveillance generates two separate evidentiary threads (option trading and cash equity trading) that individually might appear benign. What implications does this have for how Altenburg's compliance team should structure its investigation documentation if a case is ultimately referred to ESMA or the CSSF?
The program was designed to detect coordination between an EDD trader and an ECD trader within Altenburg. What would you change about the design if you were trying to detect coordination between a trader at Altenburg and an external party (e.g., a hedge fund client of Altenburg's EDD desk)?