When the entire SEC is ordered to work from home, it’s time to talk about market surveillance infrastructure and remote access.
Global Impact Event Response
During these early weeks in March of 2020, uncertainty levels are escalating surrounding the scope and severity of the COVID-19 virus. In the financial world, most scheduled conferences have been cancelled, and at the time of this writing most major market participant firms have either instituted split-shift staffing plans or strongly discouraged employees from reporting to offices, while confirmations of contagious employees have resulted in outright office closure. The rational hope, of course, is that these cautionary measures will prove effective in both mitigating risk to employees’ health and slowing the spread of a worrisome public health threat.
Meanwhile, the “show” must go on. Financial market participants are keenly aware of the importance of maintaining firm operations, not only to maintain profitability and fulfill client expectations, but also (and especially in the case of systemically important financial institutions) to promote global financial market stability during a time of heightened volatility. In addition to trading and risk management, compliance operations are a critical part of this effort—particularly market oversight and trade surveillance.
Have VPN, Will Travel
Migration to holistic surveillance programs has been a de rigueur compliance technology upgrade for several years now, as the benefits of successfully integrating various data sources have become increasingly obvious. Market participants subject to major regulatory regimes are already required to maintain recording and/or oversight of trading activity and electronic and voice communications, so it often makes sense to leverage that data by integrating the information into surveillance alert algorithms (note: this process is much more complicated than it sounds when considering unstructured data, but that is a topic for another day). Improving surveillance alert capabilities in this way better protects firms and ultimately better protects market stability.
How does a firm maintain holistic surveillance coverage when employees are not operating in their usual business environment, with only mobile tools at their disposal? Luckily, the solution is relatively simple and already in place for many firms, as providing travel-friendly work tools or facilitating “working from home” options has become standard practices for most organizations over the last few decades. Establishment of corporate VPNs and enforcement of remote access requirements provide the foundation to facilitate secure remote access, while use of software has been further enhanced through secure cloud providers, such as Google Cloud, AWS and Cloud 9. With these structural tools in place, multiple data-source monitoring sounds nearly as easy to maintain remotely as it is in the physical office.
Except, it’s not.
Regulatory Risk Assessment
Despite the fortunate, widespread provision of VPN functionality, the growing number of investment, trading, and compliance employees being advised or ordered to work from home for extended periods of time has challenged business continuity planning (BCP) readiness for compliance operations in many firms. IPC Systems, a global provider of connectivity and voice recording solutions to the financial industry, estimates that one-third of firms found themselves unprepared for the rapid location transition demands necessitated by the COVID-19 outbreak, while another third were only moderately prepared for the escalating events. Firms with experience facilitating flexible working locations across multiple regions or geographies have fared the best, while those tied to a single region are working through communications and compliance challenges.
Hindsight is 20/20, but certain organizations have fared better than others in adapting trade surveillance and risk oversight to large-scale remote working conditions—and thus facilitating minimal disruption in trading itself. At a birds-eye view, the firms that have been able to adapt most easily appear to have employed particularly helpful core infrastructure strategies, including:
- Testing remote access resources regularly. This should go without saying, but many operational hiccups have occurred recently because of employees being unprepared to leverage infrequently used remote access networks, or outdated software and similar issues. The best-prepared firms have been vigilant in avoiding these pitfalls.
- Identifying key connectivity data users and providing them with remotely accessible hardware-based access. Sometimes there’s no software substitute for the real thing, and employee functions dependent on running multiple concurrent communications and data feeds, or roles using large-scale complex data operations, exceed the limitations of software VPN access. Regulatory risk and performance risk are both reduced if employees are not forced to choose between being unable to do their jobs, or else resorting to unmonitored device usage.
- Being proactive in trade surveillance and risk management infrastructure investment. For revenue-generating roles, investing in the necessary remote access is a no-brainer, especially if it’s as simple as providing and testing VPN access and a corporate laptop. For power users needing backup hardware, chances are it’s worth the insurance. And for functions responsible for ensuring regulatory compliance and holistic surveillance, investing more than the bare minimum in regtech—and ensuring the infrastructure functions under BCP scenarios—pays for itself when trading operations can be nearly seamlessly adapted to global impact event conditions.
 Examples of voice recording requirements include: Section 764 SEA Section 15F(g)(1,4); SEC DFA 941-954; CFTC Regulation 23.2 Preventing Fraud; [MAR, MIFID II]