Market Abuse Compliance Checklist: A Self-Assessment Tool for EU-Regulated Firms

Most EU-regulated firms have a market abuse policy. Fewer have tested whether that policy would hold up if a supervisor asked to see how it works in practice.

The Market Abuse Regulation has been in force since 2016. The Delegated Regulation setting out what firms need to have in place for prevention, detection and reporting has been there just as long. The legal framework has not changed materially since then.

But in many firms, the MAR arrangements were set up when the licence was granted. The policy sits in a folder. The trade surveillance parameters were configured at implementation and never recalibrated. The STOR decision log has a handful of entries, all from years ago.

If you are a compliance officer responsible for your firm's market abuse framework, the question is not whether the policy exists. The question is whether you could walk a supervisor through it, point to evidence that it works, and explain the decisions you have taken along the way.

This article walks through the ten areas that your market abuse framework should cover. At the end, you can download a free compliance checklist in Word format to use as a self-assessment tool.

1. Scope and Applicability

Before anything else, confirm whether your firm falls within the scope of MAR's detection and reporting obligations. This means confirming that your firm is a person required to detect and report under MAR Article 16(2),and that the instruments you handle are within MAR's scope. If neither applies, document the rationale and retain it on file. If either applies, every section that follows is relevant to you.

2. Monitoring Framework

Your firm needs a framework for ongoing surveillance of orders and transactions, designed to identify conduct that may amount to insider dealing or market manipulation. The framework should apply regardless of the capacity in which the order was placed, the client classification, or whether execution took place on or off a trading venue.

Key questions to ask yourself: is the framework documented? Is it proportionate to the volume and complexity of your business? When was it last reviewed? If the answer to any of these is unclear, that is a gap worth closing before a supervisor asks the same questions.

3. Detection Capabilities

Having a policy is not the same as having effective detection. Your surveillance tools should be able to analyse each order and transaction on both an individual and a comparative basis, generate alerts when activity meets pre-set risk indicators, and cover all asset classes and trading channels your firm uses.

What this means in practice: A common gap is that firms have surveillance software installed, but the alert parameters were set at implementation and never recalibrated. The system generates alerts that no one reviews meaningfully, or it generates so few alerts that it clearly is not capturing the full range of potentially suspicious activity.

There should also be a defined role for human judgement in evaluating alerts, a documented obligation on all staff to escalate unusual activity, and a clear procedure for how a suspicion reaches the compliance function.

4. Periodic Review

Your monitoring framework should be subject to at least an annual independent review. You should be able to state when the last review was completed, when the arrangements were last updated, and whether there is a documented schedule for future reviews. If the last review was three years ago and your business model has changed since then, that is something to address.

5. Delegation

If your firm has outsourced or delegated any part of its surveillance function, the delegation needs to be governed by a formal agreement that defines responsibilities, service levels and termination grounds. Critically, your firm must retain sufficient in-house expertise to oversee the quality of the delegated service, and must have unrestricted access to the underlying data and alert outputs. Delegation does not transfer responsibility.

6. Training

All staff whose roles involve order handling, transaction processing or surveillance need targeted training on market abuse prevention. You should be able to identify which roles are covered, how often training is delivered, and whether the depth and frequency is appropriate for the nature of your firm's activity.

7. STOR Decision-Making

This is one of the most scrutinised areas in supervisory reviews. Your firm needs a defined process for evaluating whether a flagged order or transaction gives rise to a reasonable suspicion that should be reported to the NCA. That process should incorporate the relevant conduct elements and manipulation indicators from MAR, be based on a documented analysis of all available information, and be supported by written internal guidelines.

What this means in practice: Supervisors look at two things in particular. First, how many STORs your firm has submitted. A firm that has never submitted a STOR despite years of active trading will attract scrutiny. Second, how you document cases where an internal alert did not result in a STOR. If you cannot explain the rationale for that decision, you have a documentation gap.

8. STOR Submission

Once a reasonable suspicion is formed, your firm should be able to complete and submit a STOR without undue delay. You should also be able to submit STORs relating to historic transactions where suspicion only crystallised after the event, and to supplement a previously submitted STOR with additional information if needed.

9. Record Keeping

Your firm is required to retain, for a minimum of five years, the full analysis file for every order or transaction examined for potential market abuse. This includes the documented rationale for submitting or not submitting a STOR. A chronological register of all surveillance alerts, escalations and outcomes is essential.

10. Confidentiality

All information relating to surveillance activity and STOR submissions must be kept strictly confidential. Access to STOR-related records should be restricted to specifically authorised personnel, and that access should be logged.

Know what supervisors are looking for.

Download the free Market Abuse Compliance Checklist — 10 sections, 47 checklist items covering the key areas EU supervisors examine in a firm's market abuse prevention framework.

For a full walkthrough of MAR obligations, including real enforcement cases, tipping chain liability and STOR procedures, explore the Market Abuse seminar at cpds.academy.

Sources: Regulation (EU) No 596/2014 (Market Abuse Regulation),Commission Delegated Regulation (EU) 2016/957, Commission Delegated Regulation (EU) 2016/522.

Disclaimer: This article is for educational and informational purposes only. It does not constitute legal, regulatory or compliance advice. Firms should seek independent professional advice for their specific circumstances.