A Guide to Monitoring and Maintaining Surveillance Controls



Hanne Jepsen
Commercial Director

AnyConv.com__Sonia (1)

Sonia Chowdhury
Regulatory Solutions


Many financial firms have a ‘project’ mentality towards surveillance controls: once the program is in place, they can flick the switch and sit back. The reality of the situation is very different.

Monitoring and maintaining surveillance controls by all three lines of defense is essential if a firm is to avoid the damage caused by fines and reprimands of the regulator. As the pace of change in the ecosystem in which firms operate continues to accelerate, monitoring and maintaining surveillance controls will only continue to heighten in importance. Additionally, monitoring and maintaining surveillance controls correctly can deliver tangible benefits to a firm’s overall surveillance controls program.

To ENABLE firms better understand what is involved in monitoring and maintaining surveillance controls, this blog explores:

Understanding the Role of Surveillance Controls

SteelEye - Understanding the role of surveillance controls

Failing to implement, monitor, and maintain surveillance controls can mean that a firm is failing to meet its regulatory obligations, leaving it open to significant financial damage and reputational risk. In a firm, surveillance controls are defined as the whole framework of policies and procedures that are put in place to detect and help prevent market abuse behaviors. Surveillance controls are owned by all three lines of defense. They include governance, policies, processes, risk controls, internal audits, surveillance technology, and more. Detecting and preventing market manipulation is not down to just one or two factors or people – it requires the monitoring and maintaining of integrated surveillance controls across this organizational ecosystem.

The purpose of surveillance controls is to mitigate the significant risk of market abuse that financial services firms that trade financial instruments are exposed to. Market manipulation can happen at any trading desk, in any jurisdiction. It is circular logic to say that the firm hasn’t had any incidents of market manipulation if the firm doesn’t have the full spectrum of surveillance controls in place, including a technology platform. In short, without robust surveillance technology, there is no high-quality data to base that assertion on.

Why do firms need Surveillance Controls? SteelEye - Why do firms need surveillance controls

In most jurisdictions, firms have a regulatory obligation to implement surveillance controls. For example, in the UK, identifying and reporting instances of potential market abuse is required under the UK’s version of the Market Abuse Regulation (UK MAR). The UK Financial Conduct Authority (FCA) says that a firm must have effective arrangements, systems, and procedures to detect and report suspicious activity, which should be appropriate and proportionate to the scale, size, and nature of its business activities. Additionally, firms must perform risk assessments, have order and trade surveillance in place, and implement the right policies and procedures. The FCA fined one US broker-dealer nearly £13 million in August 2022 for not having properly implemented a trade surveillance program – demonstrating that overseas firms that operate in London must abide by UK MAR rules.

As UK MAR was transposed over from the EU’s Market Abuse Regulation, requirements in the EU are similar. And the US also has a strong market abuse regulatory framework, which is supported by a robust approach to enforcement – in the US there were $2.7 billion in market abuse fines between 2020 and 2022, for 61 incidents.

It is evident that the regulators have high expectations for all regulated financial firms, including smaller firms, but in addition to these expectations, the surveillance compliance landscape continues to evolve meaning firms need to be able to adjust quickly to regulatory change.

Gaps in a firm’s approach to monitoring and maintaining surveillance controls

Regulators are also looking for weak spots among firms and it often falls to internal audit teams to point out the gaps between the approach to monitoring and maintaining surveillance controls that a firm has in place and the compliance requirements it is supposed to be adhering to. Now, regulators are paying more attention to how firms respond to internal and external audit action items. For example, firms are being upbraided if they have a long list of action items that are not being dealt with promptly.

SteelEye - Gaps in a firms approach to monitoring and maintaining surveillance controls

Where do these gaps come from?

Often firms think about the implementation of surveillance controls as a “project.” However, firms need to continually monitor and maintain their surveillance controls – not just flick the “on” switch and sit back.

For example, the outputs that a surveillance technology platform is generating need to be regularly reviewed to ensure the following:

  • Is it supporting surveillance for the top market abuse behaviors in a particular jurisdiction?

  • How well is it aligned to the firm’s risk assessment data?

  • Is it looking for market abuse behaviors recently detected by the local regulator?

  • Does it incorporate recent changes in slang or new communication tools?

An interesting example of a failure to monitor and maintain surveillance controls is the fines that were handed out in August 2023 where the SEC AND CFTC fined 13 Wall Street firms a combined $549m for recordkeeping failures.

Having the right surveillance controls in place contributes to having a safer and more productive work environment. Monitoring and maintaining surveillance controls can significantly reduce false positives, shrinking the burden on compliance teams, and improving the ability of those teams to focus on more proactively managing risks.

The Importance of Monitoring and Maintaining Surveillance Controls

SteelEye - The importance of monitoring and maintaining surveillance controlsMonitoring and maintaining surveillance controls is of critical importance for all financial services firms. Antiquated legacy systems or poorly maintained controls can lead to market abuse incidents being missed, and to regulatory fines and reprimands – leading to reputational damage. The downside risks are very real.

However, there are also substantial upside benefits to monitoring and maintaining surveillance controls. Regular reviews – including policies and processes, and making sure software updates have been undertaken – ensure optimal performance. In addition, routinely monitoring and maintaining surveillance controls – and quickly taking action on flagged items by the internal audit team – will help to deliver optimal performance, manage regulatory change efficiently, improve working conditions for the compliance team, and support the longevity of the system.

Who is monitoring these surveillance controls?

SteelEye - Who is Monitoring these surveillance controls

Monitoring and maintaining surveillance controls should be taking place across all three lines of defense. Certainly, compliance teams should have specialist knowledge that enables them to focus on more technical elements, such as the surveillance software platform. However, the business is responsible for aspects like ensuring controls are updated to reflect changes in the business, and for reporting suspicious activity among colleagues. Additionally, internal audit performs a key role by reviewing the way surveillance controls are monitored and maintained.

All three lines of defense must have access to the appropriate resources they need to carry out their responsibilities, and one of the most important resources is training. Not only should system administrators and users have robust training on any technology being used for surveillance, but employees across all three lines of defense should be educated about their responsibilities for the monitoring and maintaining of surveillance controls. This includes making sure compliance officers know how to handle sensitive business information. In one recent case, a compliance officer was prosecuted for giving material non-public information (MNPI) to trade on. Compliance officers and internal auditors have access to a wealth of data and so it is also important to monitor any abuse of privileged information.

Developing a Plan For Monitoring and Maintaining Surveillance Controls

Monitoring and maintaining surveillance controls effectively requires a plan which is rooted in a regular risk assessment. Firms should conduct risk assessments and use the results to determine the issues that need to be addressed and to prioritize those issues. Information gathered from regular monitoring of the program should also inform those decisions, including performance and control data from the technology platform.

Roles and responsibilities for monitoring and maintaining surveillance controls are present across all lines of defense, and the individuals involved should be clear about how they are required to engage with this process. Everyone should agree on what the priorities are from both a business and a compliance point of view, and then work towards allocating budget and resources towards meeting those priorities. Also, everyone should be clear on what the impact may be on the organization regarding items that are de-prioritized, the risk trade-offs – and what the benefits of upgrading and updating their surveillance controls regularly are.

SteelEye - Developing a Plan for monitoring and maintaining surveillance controls

For example, if a firm does not have the budget to add monitoring of WhatsApp channels to its surveillance software platform until the next budget year, it should ensure that policies are changed to ban the use of WhatsApp explicitly for business purposes and that the board and senior management understand the risk implications of this decision.

When looking at issues that have arisen around monitoring and maintaining surveillance controls, stakeholders across all three lines of defense should consider how technology might help. Surveillance software platforms have a wide range of features and benefits – some of which are now employing AI and ML – which aim to improve control much more efficiently and effectively than previously imagined.


Professional Service Provider

It can be quite helpful to have a conversation with a professional service provider or a surveillance software system vendor to better understand what a firm’s options might be in addressing issues that have arisen through a risk assessment, for example. Professional services providers often have a broad view of the industry that can help firms benchmark how other firms are prioritizing surveillance controls spending, and which approach might be best to take. Surveillance software vendors usually have a fairly detailed understanding of specific issues and how their platform may be able to help in a certain set of circumstances. Key issues to ask a surveillance software vendor include how well they understand a firm’s specific business, whether or not they offer integrated surveillance, how the solution applies AI and ML algorithms, and how well the software performs at reducing false positives.

It’s vital that firms monitor, maintain, and update their surveillance controls across governance, policies, processes, risk controls, internal audits, surveillance technology, and more. Doing this correctly and regularly can reduce both compliance and regulatory risk. Moreover, it can enable the firm – working in close relationship with a professional services provider or a surveillance software vendor – to implement new technology functionality or features that can solve issues uncovered by a risk assessment or internal audit. Monitoring and maintaining surveillance controls can also lead to the enhancement of surveillance processes so that they are much more accurate – for example, by reducing false positives as well as potentially spotting market manipulation issues and enabling the firm to resolve them proactively.

How SteelEye can help

SteelEye-Integrated Trade And Communications Surveillance

Today, SteelEye is the only fully integrated trade and communications surveillance solution in the market. We empower financial firms with the data-driven tools and complete insights they need to focus on what matters, all from a single platform.

SteelEye's SaaS-based platform captures all of a firm's structured and unstructured data across any asset class, communication type, and system – unifying it under a single lens. Proactive monitoring and intelligent alerts empower firms to effectively detect potential market manipulation and compliance breaches while contextual data from systems that would otherwise not be connected reduces false positives.

SteelEye's cutting-edge technology enables our clients to boost productivity, lower the total cost of ownership, and gain a competitive edge through data intelligence.

By opting for SteelEye, firms gain more than just a solution - they embark on a strategically sound path for sustainable trade surveillance and comprehensive oversight for effective communications compliance, all from a single platform. 


Turn Supervision into Super Vision

Contact our compliance experts to see our platform in action or learn more about how we can help your firm reduce compliance fatigue.  



Latest News

Investment in compliance at record low despite regulatory burden higher than ever - survey finds

| 18 Apr 2024

Preparing for a Regulatory Examination

| 11 Apr 2024

Kyte Broking Improves Client Engagement With WhatsApp & Telegram Communications

| 10 Apr 2024

CFTC Fines Australian Bank $500,000 for Spoofing Surveillance Failures

| 03 Apr 2024

US Regulators Fine a Tier-One Bank $348 Million for Trade Surveillance Gaps

| 15 Mar 2024

SteelEye Strengthens Presence in APAC by Incorporating in Singapore

| 12 Mar 2024