£338,000 FCA Fine for CFD Surveillance Failures: What the Dinosaur Merchant Bank Case Means for Compliance Teams

1. What happened

On 27 March 2026, the UK Financial Conduct Authority published a Final Notice fining Dinosaur Merchant Bank Limited (DMBL) £338,000 for failing to detect and report suspicious trading in its contracts for difference (CFD) business.

The fine followed breaches of Article 16(2) of UK MAR, Principle 3 of the FCA's Principles for Businesses, and SYSC 6.1.1R of the FCA Handbook. The relevant period ran from 1 June 2024 to 6 May 2025.

DMBL is a UK-based independent investment firm providing brokerage services for investment firms, proprietary trading companies, and professional investors. Its principal business lines during the relevant period included single-stock CFDs, traditional inter-dealer broking, custody services, and repurchase agreement activity.

The firm agreed to settle at Stage 1 and received a 30% discount. Without the discount, the penalty would have been £482,900.

2. The surveillance gap: a new platform, zero monitoring

In June 2024, DMBL implemented a new order management system enabling direct market access (DMA) for its CFD clients. Prior to this, client orders were primarily handled by telephone, email, or Bloomberg messenger.

Following the launch, the average number of weekly CFD trades increased by approximately 45% compared with the six months prior.

The critical failure: trading data from the new DMA platform was never connected to the firm's automated surveillance system. From 1 June 2024 until 8 October 2024, not a single trade placed through the new platform was ingested into the surveillance system for automated review.

The firm did not perform any additional risk assessment. There was no validation step to confirm that the new platform's data was being captured. No individual or team was assigned responsibility for ensuring surveillance coverage of the new system.

When the trades were eventually re-run through surveillance in July 2025, 2,194 trades (with a notional value of $3.05 billion) generated 2,916 surveillance alerts. Of those, 2,723 related to insider dealing and 193 to types of market manipulation. Multiple STORs were retrospectively submitted to the FCA.

3. The real trades the FCA identified

The Final Notice details specific examples of suspicious trading that went undetected. These are worth examining closely because they illustrate what a surveillance system should have caught.

Client A, Stock A (June 2024): Client A purchased CFDs in a stock they had never previously traded. The same day, after market close, media speculation emerged about bid interest in the issuer. The following day, the share price rose by a double-digit percentage. Client A sold their CFDs, generating £433,685 in profit. The firm's front office staff failed to identify the trading as suspicious. They misread the date of the news report, believing the trading had occurred after its release when in fact it had been before. No STOR was submitted until the FCA contacted the firm.

Clients A and B, Stock B (July 2024): Both clients purchased CFDs in a stock neither had previously traded. A week later, following a media report on a potential acquisition, the share price surged. The acquisition offer was confirmed the next day. Client A generated £290,536 in profit. Client B generated £1,285,178. Neither trade was flagged by the automated surveillance system because the platform data was not being ingested. Manual surveillance also failed to identify the activity. Two STORs were submitted only after the FCA raised the issue.

Client C, Stock C (January–February 2025): Client C purchased CFDs in a stock one working day after a media report relating to a short position. They continued buying over four days, building a substantial position. Following an announcement about a potential sale, Client C sold the position for a profit of £3,359,841. The surveillance system generated alerts on order size but did not generate an insider dealing alert. The reason: the insider dealing look-back period was set at seven days (five working days). A longer look-back period would have triggered the alert. The FCA noted that it has published guidance in Market Watch 69 and 73 advising firms to consider how long inside information might exist before release.

4. Systemic failures beyond the data gap

The FCA's findings extend well beyond the failure to connect the new platform. The Final Notice identifies multiple layers of systemic weakness in the firm's surveillance framework.

No written alert-handling procedures: Until December 2024, there were no documented procedures for staff to follow when the surveillance system generated an alert. The undocumented process was a T+1 review by a Compliance Officer, with escalation to the Head of Compliance for STOR decisions.

No calibration review policy: The firm reviewed alert calibration at least annually but had no documented calibration review policy. Critically, some alert scenarios had never been triggered during the entire relevant period, and these were not reviewed to check whether they were functioning correctly. The FCA makes a clear point: alert scenarios that produce no output for an extended period should be treated as a warning sign of a potential surveillance system failure.

Inadequate escalation processes: In the CFD and cash equities trading desks, brokers escalated concerns to the Head of Trading Desk first, who would then decide whether to pass them to Compliance. This contradicted the firm's own escalation policy. No records were kept of incidents reported to desk heads that were not escalated further.

No change control process: There was no formal process to ensure that market abuse risks and controls were considered whenever there was a business or technology change. The new DMA platform was implemented without any documented consideration of how it would interact with the surveillance system.

Inadequate board reporting: Monthly Compliance Reports noted the number of alerts generated but did not include previous months' figures as a comparison. Had they done so, it would have been immediately apparent that alerts had dropped by 42% during a period when trading volumes increased by 45%. The reports also did not break down alerts by type or instrument, which would have shown a reduction specifically in insider dealing alerts.

A known, unresolved system deficiency: In December 2023, six months before the new platform launched, the Board was made aware that the surveillance system was failing to pick up news items from a news feed used to trigger insider dealing alerts. The firm repeatedly asked the third-party provider to fix the issue. It remained unresolved for six months, without any mitigating action, until the firm decided to replace the provider entirely. Even then, the replacement system did not go live until April 2025.

5. Why this matters for EU CFD providers, and especially those in Cyprus

The EU, and Cyprus in particular, hosts one of Europe's largest concentrations of CFD providers. Many of these firms are CySEC-regulated investment firms offering leveraged products to retail and professional clients across the EU.

The obligations under the Market Abuse Regulation are directly applicable. Article 16(2) of MAR requires any person professionally arranging or executing transactions to establish and maintain effective arrangements, systems and procedures to detect and report suspicious orders and transactions. This applies equally whether the firm is regulated in the UK, Cyprus, or any other EU member state.

The DMBL case establishes a clear regulatory benchmark in several areas that are directly relevant to EU-regulated firms, and to Cyprus-based CFD providers in particular:

What this means in practice:

Platform changes require surveillance validation. If your firm has launched a new trading platform, changed an order execution system, or migrated to a new surveillance provider, the FCA's expectation is clear: you must conduct a formal risk assessment and validate that all trade data is being captured and processed by the surveillance system before or immediately after the change goes live.

Calibration must be reviewed against actual business risks. Alert scenarios that never trigger are not evidence that the market is clean. They may be evidence that the scenario is broken. Firms must regularly review whether their alert parameters are appropriate for their specific trading activity.

Board reporting must enable challenge. If your compliance reports show alert volumes without month-on-month comparisons, without breakdowns by alert type and instrument, and without correlation to trading volumes, your board cannot identify problems. The DMBL case shows that a 42% drop in alerts during a 45% increase in trading was invisible to the board for months.

Written procedures are not optional. Documented policies for alert handling, calibration review, escalation, and change control are regulatory expectations, not best practice aspirations.
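The first three checks above can be automated as routine control tests. The sketch below is an added example, not taken from the FCA Final Notice or from any firm's system. All function names, platform labels and figures are hypothetical, and the sample data is constructed so that the month-on-month change reproduces the 45% and 42% figures discussed above.

```python
from collections import Counter

# Constructed sample data (not taken from the Final Notice).
# Each executed trade: (trade_id, source_platform)
EXECUTED = [("T1", "voice"), ("T2", "voice"), ("T3", "dma"),
            ("T4", "dma"), ("T5", "dma"), ("T6", "bloomberg")]
# Trade IDs the surveillance system actually ingested
INGESTED = {"T1", "T2", "T6"}
# Monthly totals for the board pack: month -> (trades, alerts)
MONTHLY = {"2024-05": (1000, 200), "2024-06": (1450, 116)}
# Alerts per configured scenario over the review window
SCENARIO_ALERTS = {"insider_dealing": 0, "order_size": 41, "layering": 0}


def ingestion_coverage(executed, ingested):
    """Return {platform: fraction of its executed trades seen by surveillance}."""
    total, seen = Counter(), Counter()
    for trade_id, platform in executed:
        total[platform] += 1
        seen[platform] += trade_id in ingested
    return {p: seen[p] / total[p] for p in total}


def uncovered_platforms(executed, ingested, minimum=1.0):
    """Platforms whose coverage is below the required minimum (default: all trades)."""
    cov = ingestion_coverage(executed, ingested)
    return sorted(p for p, c in cov.items() if c < minimum)


def silent_scenarios(scenario_alerts):
    """Scenarios with zero alerts in the window: review, do not assume 'clean'."""
    return sorted(s for s, n in scenario_alerts.items() if n == 0)


def volume_alert_divergence(monthly, prev, cur):
    """Percentage change in trades and alerts between two months, plus a flag
    that is True when trades rise while alerts fall."""
    (t0, a0), (t1, a1) = monthly[prev], monthly[cur]
    trade_pct = round(100 * (t1 - t0) / t0, 1)
    alert_pct = round(100 * (a1 - a0) / a0, 1)
    return trade_pct, alert_pct, trade_pct > 0 and alert_pct < 0


if __name__ == "__main__":
    print(uncovered_platforms(EXECUTED, INGESTED))
    print(silent_scenarios(SCENARIO_ALERTS))
    print(volume_alert_divergence(MONTHLY, "2024-05", "2024-06"))
```

Reconciling by trade ID per source platform, rather than by total count, is what exposes a platform that contributes nothing to surveillance while the other channels still look healthy.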

6. Key figures at a glance

Firm: Dinosaur Merchant Bank Limited (UK)

Regulator: Financial Conduct Authority

Fine: £338,000 (reduced from £482,900 after 30% settlement discount)

Relevant period: 1 June 2024 to 6 May 2025

Breaches: UK MAR Article 16(2), FCA Principle 3, SYSC 6.1.1R

Unmonitored trades: 2,194 (notional value $3.05 billion)

Alerts generated on re-run: 2,916 (2,723 insider dealing, 193 market manipulation)

Client A profit (Stock A): £433,685

Client A profit (Stock B): £290,536

Client B profit (Stock B): £1,285,178

Client C profit (Stock C): £3,359,841

Increase in weekly CFD trades after new platform: ~45%

Decrease in surveillance alerts during same period: ~42%

Final Notice date: 24 March 2026

FCA publication date: 27 March 2026

Source: FCA Final Notice, Dinosaur Merchant Bank Limited, 24 March 2026. Available at fca.org.uk.

Disclaimer: This article is for educational and informational purposes only. It does not constitute legal or regulatory advice. For specific compliance questions, consult a qualified professional.

Article by Nikolas Demetriades

Published 15 Apr 2026