Market abuse may be as old as the capital markets themselves, but the advent of electronic trading has enhanced the opportunity for people to commit financial crimes and manipulate markets. Now, both regulators and market participants are fighting back by applying advanced trade surveillance technologies to curate data, detect illicit trading, support investigations and reduce false positives.
In this article, we discuss five prominent market abuse behaviors that firms should be monitoring for, including what they look like and how to spot them.
Spoofing is a type of market manipulation where the participant tries to move the price of a financial instrument up or down by placing one large order, with no intention of executing it, to give the impression of market interest for that instrument.
Once the price has shifted, the original order is cancelled, and new orders are placed on the opposite side to take advantage of the favorable price movement created by the first order.
Layering is a specific form of spoofing where the individual places multiple orders at defined price levels (layers) to give an impression of market liquidity. As with spoofing, the orders are not intended to be executed and will be cancelled once the price has moved to a favorable place and a real order has been placed on the other side.
Spoofing / layering can be very distinctive within a trader’s overall activity pattern and therefore relatively easy to spot given the right data. The placing of orders, cancelling them, and then placing new orders in the opposite direction happens quite fast, and is usually done using electronic trading.
An algorithm that has been correctly tuned can detect instances where a trader has a resting order with a subsequent opposite side order that is cancelled within 'x' seconds of the resting order fill event.
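The rule described above can be sketched over an order-event feed as follows. This is an added example, not code from the article or from any surveillance product; the event fields, the `window_s` value standing in for 'x', and the `size_ratio` filter are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float      # seconds since session start
    trader: str
    order_id: str
    side: str      # "BUY" or "SELL"
    kind: str      # "NEW", "FILL" or "CANCEL"
    qty: int

OPPOSITE = {"BUY": "SELL", "SELL": "BUY"}

def spoofing_alerts(events, window_s=5.0, size_ratio=3.0):
    """Return (trader, filled_order, cancelled_order, gap_s) for each fill that is
    followed within window_s by the cancel of a larger opposite-side order."""
    placed, fills, alerts = {}, [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "NEW":
            placed[ev.order_id] = ev
        elif ev.kind == "FILL":
            fills.append(ev)
        elif ev.kind == "CANCEL" and ev.order_id in placed:
            spoof = placed[ev.order_id]
            for fill in fills:
                resting = placed.get(fill.order_id)
                if (resting is not None
                        and fill.trader == ev.trader
                        and spoof.side == OPPOSITE[fill.side]
                        # opposite order came after the resting one and was live at the fill
                        and resting.ts <= spoof.ts <= fill.ts
                        and 0 <= ev.ts - fill.ts <= window_s
                        # assumed filter: cancelled order much larger than the fill
                        and spoof.qty >= size_ratio * fill.qty):
                    alerts.append((ev.trader, fill.order_id, ev.order_id,
                                   round(ev.ts - fill.ts, 3)))
    return alerts

# Constructed sample events (not real market data).
SAMPLE = [
    Event(0.0, "T1", "o1", "SELL", "NEW", 100),     # small resting sell
    Event(1.0, "T1", "o2", "BUY", "NEW", 2000),     # large opposite-side buy
    Event(2.5, "T1", "o1", "SELL", "FILL", 100),
    Event(3.1, "T1", "o2", "BUY", "CANCEL", 2000),  # cancelled 0.6 s after the fill
    Event(0.5, "T2", "o3", "BUY", "NEW", 500),
    Event(1.0, "T2", "o4", "SELL", "NEW", 600),
    Event(4.0, "T2", "o3", "BUY", "FILL", 500),
    Event(60.0, "T2", "o4", "SELL", "CANCEL", 600), # cancelled long after the fill
]

if __name__ == "__main__":
    print(spoofing_alerts(SAMPLE))
```

Only trader T1 is flagged; T2's cancellation falls outside the window and the cancelled order is not large relative to the fill.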
To reduce the number of false positives for spoofing / layering, trade surveillance technology should be able to place a pattern of trades within the overall context of what is happening in the market. This capability is particularly important in times of high market volatility, when extreme swings in financial instrument price movements could result in this kind of trading activity in a perfectly legitimate way.
A recent FCA case, where illicit activity was picked up by the regulator’s own supervisory technology (SupTech) trade surveillance system, involved an individual placing and cancelling large orders for Contracts for Difference for equities.
In front running, an individual obtains knowledge about a lawful large order to buy or sell a financial instrument – by another individual or entity – which is going to hit the market at a particular time.
There is an assumption that such a large order will shift the price of the financial instrument. So, in front running, the individual makes a transaction, ahead of the lawful transaction, in the same direction, and then sometimes unwinds the position after the lawful transaction has taken place to profit from the price movement created. Alternatively, the individual could engage with derivatives, such as futures and options, to achieve the same effect.
Generally speaking, front running is the result of data leakage within a firm – such as two trading desks in close geographical proximity – or algorithmic abuse, where front running is programmed into the execution process. Front running is also known as pre-hedging or pre-positioning.
To spot any potential front running, firms should look out for proprietary buy/sell orders that happen in close proximity to a client buy/sell order in the same instrument that impacted the share price. Front running can also be detected by monitoring trade data coming from clients, for example personal account dealing.
The key is to be able to monitor the sequence of three data points in close succession:
The front runner’s purchase/sale of a financial instrument;
the legitimate transaction; and
potentially, the front runner’s unwinding of the financial instrument to complete the cycle.
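The three-point sequence above can be matched in trade data along these lines. This is an added example, not the article's or any vendor's code; the field names, account labels and thresholds are assumptions, and it checks timing and direction only, not price impact.

```python
from collections import namedtuple

Trade = namedtuple("Trade", "ts account kind instrument side qty")
WATCHED = {"PROP", "PA"}   # proprietary and personal-account dealing (assumed labels)

def front_running_candidates(trades, lead_s=120, unwind_s=600, min_client_qty=10_000):
    """Match each large client order to earlier same-direction watched trades
    and to any later opposite-side trade by the same account (the unwind)."""
    trades = sorted(trades, key=lambda t: t.ts)
    hits = []
    for client in trades:
        if client.kind != "CLIENT" or client.qty < min_client_qty:
            continue
        for early in trades:
            # Step 1: watched account trades the same way shortly before the client
            if not (early.kind in WATCHED
                    and early.instrument == client.instrument
                    and early.side == client.side
                    and 0 < client.ts - early.ts <= lead_s):
                continue
            # Step 3 (optional): same account reverses after the client order
            unwind = next((t for t in trades
                           if t.account == early.account
                           and t.instrument == early.instrument
                           and t.side != early.side
                           and 0 < t.ts - client.ts <= unwind_s), None)
            hits.append({"account": early.account,
                         "instrument": early.instrument,
                         "lead_s": client.ts - early.ts,
                         "client_ts": client.ts,
                         "unwind_ts": unwind.ts if unwind else None})
    return hits

# Constructed sample trades (timestamps in seconds, not real data).
SAMPLE = [
    Trade(100, "desk-7", "PROP", "ABC", "BUY", 2_000),
    Trade(160, "fund-A", "CLIENT", "ABC", "BUY", 50_000),
    Trade(400, "desk-7", "PROP", "ABC", "SELL", 2_000),
    Trade(50, "desk-2", "PROP", "XYZ", "BUY", 1_000),
    Trade(900, "fund-B", "CLIENT", "XYZ", "BUY", 40_000),
    Trade(130, "emp-31", "PA", "ABC", "BUY", 300),
]

if __name__ == "__main__":
    for hit in front_running_candidates(SAMPLE):
        print(hit)
```

A hit with `unwind_ts` set covers the full cycle; one without it shows only the first two data points and needs the communications context described below before any conclusion is drawn.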
In addition, the compliance team should be able to use the trade reconstruction capabilities to connect up unstructured data, such as voice and electronic communications, to the trades to help provide context, such as legitimate discussions with clients to rule out foul play.
Front running can also be executed through friends or relatives of the individual. In a recent SEC case, a trader at an asset management company made more than $3.6 million in illicit gains by front running trades happening at his firm through the accounts of family members.
This is perhaps the most well-known market abuse behavior, as it has been the subject of Hollywood movies and famous real-life cases. Insider Trading occurs when an individual enters a trade because he or she has acquired material non-public information (MNPI) – positive or negative. Examples include advanced knowledge of earnings announcements, a change in the senior leadership team, or an M&A transaction.
The individual’s initial trades happen in advance of the public disclosure of the information – the individual will purchase instruments if he expects the price to rise as a result of the MNPI or sell/short if the news is negative. Once the MNPI is announced or becomes public through other means, such as through traditional or social media, the individual then closes his position to reap a profit.
Compliance teams should keep an eye out for unusual trades in advance of the release of MNPI by traders who are trading on behalf of the firm, as well as employees who are trading through their own personal accounts or through the accounts of friends and family.
The US SEC recently charged a former global IT manager for a pharmaceutical company for insider trading. The individual had reaped profits of $8 million by buying and selling securities in his former employer in advance of the release of news about unannounced earnings, drug approvals by the U.S. Food and Drug Administration, and an impending merger with a division of Pfizer.
To monitor for instances of insider trading, there are a number of things firms can do:
This allows firms to set up alerts for buy/sell orders that occur within close proximity to a piece of news that has influenced the price of the instrument.
AI models that understand what “normal” behavior looks like can help by looking, among other criteria, at:
whether the trader normally trades in this instrument/asset class; and
whether the trader normally places large orders on this security.
The context of normal behavior can help surveillance teams understand whether the trader was trading as usual or whether they were privy to MNPI.
The use of communications data adds additional valuable insight which can help uncover the lawfulness of the trade. For example, a communications surveillance system with an AI-driven lexicon can identify the use of suspicious language prior to a large favorable trading event.
Ideally, firms should be able to cross-check transactions with all of these data to ensure all potential instances of insider trading are detected. The more of this data and analytics that exist in one system, the easier it is for surveillance teams to determine whether any market manipulation was in play and report all suspicious activity (whether it turned out to be market abuse or not) to the regulator. It also helps reduce false positives and increase accuracy.
In wash trading, a trader wants to create artificial volume in a given security, so that it appears as though there is a “buzz” around it. So, he/she colludes with another trader, and together they buy and sell the security repeatedly and rapidly, in a manner that there is no change of ownership.
The trades have no economic purpose and are all executed at similar prices and similar quantities. The intention with wash trading is to increase the volume traded for an instrument, making it appear more liquid.
This form of market abuse is also known as scratch trading, wash sales, circular trading (several counterparties involved), and pre-arranged trading.
Churning is a variation of the Wash Trading scheme, whereby a broker excessively trades on behalf of one of his clients to generate commissions.
Firms should look out for unusual trading patterns by one of their traders: buying and selling within a brief time period, with a single counterparty, in a way that has no impact on the position or PNL of the entity.
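One way to express this pattern as a check over executed trades, as an added example that is not from the article: it flags runs of trades between the same trader and counterparty that return the position to flat within a short window at near-identical prices. The field names, `window_s` and `price_tol` are assumptions.

```python
from collections import defaultdict, namedtuple

Fill = namedtuple("Fill", "ts trader counterparty instrument side qty price")

def wash_trade_alerts(fills, window_s=60, price_tol=0.001):
    """Return (trader, counterparty, instrument, start_ts, end_ts, n_trades)
    for each flat round trip inside window_s at prices within price_tol."""
    groups = defaultdict(list)
    for f in sorted(fills, key=lambda f: f.ts):
        groups[(f.trader, f.counterparty, f.instrument)].append(f)
    alerts = []
    for key, seq in groups.items():
        i = 0
        while i < len(seq):
            net, lo, hi = 0, seq[i].price, seq[i].price
            for j in range(i, len(seq)):
                if seq[j].ts - seq[i].ts > window_s:
                    break
                net += seq[j].qty if seq[j].side == "BUY" else -seq[j].qty
                lo, hi = min(lo, seq[j].price), max(hi, seq[j].price)
                # flat position, similar prices: no economic change for the entity
                if j > i and net == 0 and (hi - lo) <= price_tol * lo:
                    alerts.append((*key, seq[i].ts, seq[j].ts, j - i + 1))
                    i = j   # resume scanning after this round trip
                    break
            i += 1
    return alerts

# Constructed sample fills (not real market data).
SAMPLE = [
    Fill(0, "T9", "brk-X", "ABC", "BUY", 1000, 10.00),
    Fill(12, "T9", "brk-X", "ABC", "SELL", 1000, 10.00),
    Fill(25, "T9", "brk-X", "ABC", "BUY", 1000, 10.01),
    Fill(31, "T9", "brk-X", "ABC", "SELL", 1000, 10.01),
    Fill(5, "T3", "brk-Y", "ABC", "BUY", 500, 20.00),
    Fill(40, "T3", "brk-Y", "ABC", "SELL", 500, 20.60),  # flat, but price moved
]

if __name__ == "__main__":
    for alert in wash_trade_alerts(SAMPLE):
        print(alert)
```

T9's two round trips with the same counterparty are flagged; T3's round trip is not, because the buy and sell prices differ by more than the tolerance.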
In a recent UK case, the FCA detected wash trading activity through its own trade surveillance software by an individual who believed that a company’s shares needed to show a minimum volume to remain in the FTSE All Share Index. In this case, the individual conducted both sides of the wash trade himself.
Another SEC case in the US shows how an equity research firm manipulated a stock it was soliciting investors to purchase.
A firm’s trade surveillance algorithms should be able to determine whether a specific pattern of activity is normal or atypical. In addition, the platform’s lexicon should be able to comb through voice and electronic communications for a wide range of search terms, including colloquialisms, to help tease out potential collusion with another trader. To help reduce false positives, it should be able to filter for context.
These behaviors involve deliberately buying or selling a security at the open, the close, or an intraday fixing period of the market to create an artificial price that is favorable to the trader.
Most banks use the closing price to value their portfolio of securities, and so by artificially inflating the price of the security through a marking-the-open/close strategy, the PNL generated by a long position on the security will be increased. For example, when a security has an end-of-day auction, traders engaging in this form of market abuse will submit a large volume of buy orders to help push the price up.
Compliance teams should look for:
a large trade placed during the last few seconds of trading, or
a large order placed during an auction session
that is creating an imbalance pushing the price in a given direction.
It is important that the firm’s trade surveillance software can monitor in this way. FINRA recently fined a broker for failing to have sufficient trade surveillance in place to catch two employees who were concentrating their activity on a thinly traded share at the end of the day, for activities conducted in 2013.
Once a trade is flagged as suspicious, trade reconstruction should bring together all relevant information, including communications, market conditions, transactions, and independent pricing. This enables compliance teams to investigate potential marking the open or the close to better understand the context behind the trades.
With the rise of electronic and algorithmic trading, today’s market abuse can happen at lightning speed, and compliance teams need to be able to respond equally fast. It is essential that compliance teams know what to look for to identify potential market abuse, to ensure that their trade surveillance algorithms are tuned correctly.
Once a potential incident is discovered, compliance teams then need to be able to investigate the incident quickly through trade reconstruction, minimize disruption to the business, manage market abuse risk effectively, and demonstrate compliance with market abuse rules. Overall, the increased use of technology to execute trades means that compliance teams need to ensure they are able to move just as quickly to detect market abuse within the firm, should it happen.
5 Prominent Market Abuse Behaviors and How To Spot Them
24 November, 2021 | Blog