Market Watch 81

In Market Watch 74[1], we commented on a trend of improved data quality since 2018. This has continued, with more firms taking measures to improve the quality of their transaction reports. 

However, we continue to identify incomplete and inaccurate transaction reports. We have seen data quality issues persist and reoccur even after the issue has been identified and allegedly remediated by a firm. We have been examining the root causes for this. Our findings indicate that reporting issues are often caused by weaknesses in:   

1. change management
2. reporting process and logic design
3. data governance
4. control framework
5. governance, oversight and resourcing 

We have observed a connection between these areas, as shown in Figure 1. A weakness in one area can spread to others. 

We give further information on each theme below. We expect firms to note our findings and make necessary enhancements to their transaction reporting environment to comply with relevant requirements. 

Change within organisations can affect systems and processes for transaction reporting. We have identified examples where data quality issues were introduced by a firm following change management activities. These activities include business analysis, systems and data mapping, development of new business and functional requirements, and implementation of new reporting systems, including pre- and post-deployment testing and sign-off. These activities help firms manage change, whether cyclical or ad-hoc. 

Observations 

• Poor change management practice can undermine the delivery of change in firms. Data quality issues often coincide with change, be it system or process related. Some firms that did not use business analysis to map out business requirements before MiFID II were left with significant reporting gaps. We have identified examples where information was incorrectly sourced from clearing systems, leading to discrepancies in RTS 22 field 28 (trading date time), among other fields. 
• Insufficient change related documentation, including records of key decisions, can create knowledge gaps. This has resulted in complexity for firms when they are later required to remediate data quality issues, including back reporting. 
• Data quality issues can also emerge where change processes are outsourced to third parties, and there is inadequate oversight over the scope of deliverables. This can be worsened by the absence of transaction reporting subject matter expertise within the firm. Inadequate management information (MI) may also reduce a firm’s ability to monitor progress while managing regulatory change risk.  
• Staff turnover and absences can also affect data quality. We have identified data quality issues including failure to report transactions where key staff dependencies exist, and there are not clear policies and procedures to manage reporting in their absence.

Effective transaction reporting systems and controls should be supported by clear reporting processes and logic design documents. These should evidence how reporting processes have been designed to meet business and functional requirements. Change programmes can inform reporting process design by outlining business outcomes that the operational framework will need to deliver. 

Observations

• We have noted firms interpreting regulatory requirements and developing reporting logic independently from the firm's business context. This has resulted in misreporting. For example, populating RTS 22 field 36 (venue) with a trading venue market identifier code when reporting as a DEA user. The likelihood of errors arising from this and going undetected may increase where input from the first and second lines of defence are limited in the design process. Firms should be aware of the requirements in Article 22(2)(b)[2] of the MiFID Org Regs. 
• A lack of clarity in implementing the transaction reporting process may result in ad-hoc resource assignment and unclear deliverables. This can result in manual processes that lead to late reporting, a backlog in exception management, and difficulties when transaction reports need to be cancelled and amended.  

Transaction reporting processes often rely on multiple internal data sources and external feeds. We have identified events where a disconnect between data management and regulatory reporting has resulted in misreporting. Effective data governance can streamline data flows that enrich transaction reports at different points of the end-to-end reporting process. Data dictionaries and data lineage documents should show how data elements are used and, if applicable, transformed. 

Observations

• Most firms gather data used in their transaction reporting process from various sources. This can result in fragmented data owners, access, maintenance and storage, increasing the likelihood of errors and creating procedural inefficiencies. We have seen: 
  • Encrypted data flowing into transaction reports from systems that hold personal information, resulting in pseudonymised national identifiers being misused in fields that require natural persons to be identified. 
  • Incorrect data elements being sourced due to inaccurate mapping or outdated data tables.
  • Trading venue transaction identification codes being overridden in RTS 22 field 3 by internal execution identifiers.
  • Inaccurate or invalid legal entity identifiers being sourced from static data tables that do not reconcile with booking confirmations.  
• Inadequate data lineage documentation can undermine the integrity of data used in transaction reports. This may result in ineffective data management and data flow breaks. Failure to identify source data accurately can adversely affect the effectiveness of reconciliations conducted. For example, by supressing the detection of reporting breaks. Incomplete data lineage can also cause business flow blind-spots that may result in unreported transactions.  
• Poor record keeping can undermine a firm’s ability to audit its records and correct historic transactions where errors are identified. Article 25(1)[3] of UK MiFIR requires investment firms to keep at disposal of the FCA the relevant data relating to all orders and transactions in financial instruments they have carried out, whether on own account or on behalf of a client, for 5 years.  
• Inadequate security or change management for personal data can result in unauthorised or untracked data modifications, introducing inaccuracies in transaction reports.  

Firms must have arrangements to make sure their transaction reports are complete and accurate. These arrangements often include a control framework informed by a firm’s end-to-end transaction reporting process. Understanding this process and its vulnerabilities can direct control placement.  

Observations 

• Poorly designed reconciliation processes hinder firms from identifying data quality issues. These processes may exclude source data or specific data flows. Under Article 15(3) of RTS 22[4], reconciliations must include front-office records.  
• Some firms conduct reconciliations on specific fields only, or on an irregular basis. These arrangements may not be adequate to identify all errors and omissions in transaction reports or meet the requirements of RTS 22. 
• We have seen instances where controls have not been reviewed or updated when reporting processes evolve. This may not align with Article 21(5)[5] of MiFID Org Regs.  
• We have identified firms who have excluded services and data provided by third parties from their control and reconciliation framework. This can create gaps in monitoring and prevent firms from identifying issues originating outside the firm.

Effective governance plays a key role in upholding operational integrity of the transaction reporting process, managing risks, and maintaining trust through accountability. Management oversight allows for timely identification of process and data related issues through monitoring. Resourcing supports the implementation and delivery of compliance measures through adequately skilled staff, and effective tools.

Observations 

• Excluding transaction reporting from a firm’s wider risk management framework can result in limited consideration of transaction reporting as an operational, compliance and reputational risk. Prioritising financial risk management at the expense of non-financial risk can lead to significant weaknesses in the measurement and management of transaction reporting risk. This may not align with the requirements in Article 23[6] of the MiFID Org Regs.  
• Lack of relevant MI can create a monitoring gap for senior management in which transaction reporting risks may crystallise. Insufficient or inconsistent MI may prevent the board of a firm and other governance bodies from understanding the regulatory and operational risks arising from transaction reporting issues. In both cases, decision making can be impeded, stalling risk management interventions. Firms should be aware of the requirements in Article 21(1)(e)[5] of the MiFID Org Regs.  
• Deficient organisational structures, where reporting lines, function allocation and responsibilities are not clearly delineated, may result in ineffective oversight of transaction reporting risks and reporting issues. This may not align with the requirements in Article 21(1)(a)[7] of the MiFID Org Regs. 
• Unclear terms of reference across governance bodies may mean relevant persons are unaware of the procedures that apply to the proper discharge of their responsibilities. This may not align with the requirements in Article 21(1)(b)[8] of the MiFID Org Regs. 
• Limited compliance oversight over transaction reporting can hinder firms from improving their reporting processes through independent advice and challenge. We have identified firms that do not have a formal Compliance Risk Assessment (CRA) process and lack subject matter expertise to provide guidance on transaction reporting issues. This may not align with the requirements in Article 22(2)[2] of the MiFID Org Regs.  
• A lack of accountability over the transaction reporting process can result in ineffective process assessment, policies and procedures. This may disincentivise a firm from addressing emerging deficiencies. This may not align with the requirements in Article 25(1)[4] of the MiFID Org Regs.  
• Insufficiently resourced transaction reporting functions can result in operational flaws. For example, not managing exceptions and report transactions on time. Other resourcing challenges we have identified include unnecessarily prolonged delivery of remedial work and back reporting, as well as delayed implementation of regulatory change.