Q: Against the context of monitoring and related recordkeeping type fines not at levels where they are having potential impacts on bank earnings, the role of surveillance is more important than ever before. As a global leader of this function, how do you do what you do?
Ian Blair: Recordkeeping from an enterprise wide surveillance perspective is hugely important, and needs to be firmly enabled by the enterprise. While surveillance will have certain requirements for trade, orders, or communication channels, it’s critically important that surveillance should not be the ones who are responsible for ensuring the full data set is captured.
What surveillance should be doing is acting as influencers to ensure the firm, at the board level, is apprised of their requirements to remain compliant with the regulations of the industry. From there, once a complete data set has been provided, they’re then responsible for making sure that all the control functions in the firm have the data they need and the records are kept in a proper way.
Of course, surveillance needs to do surveillance of the data and of those records, but we don’t need to surveil everything.
The important thing is to be able to evidence that what we do surveil is done from a thought-through, risk-based, and proportionate perspective. What you don’t surveil is as important as what you do surveil. So, you always need to have a risk assessment to evidence the tracking and the traceability between your behaviors or use cases in your scenarios across various channels and asset classes.
Q: This all needs to be manageable against a backdrop of apparent cost consolidation. Is this manageable?
Stephen Livermore: There’s some truth in the fact that surveillance is having to do more with less. Banks will always have a desire to operate in the most cost-effective way, but you don’t want to see multi-million-dollar fines coming from regulators in order for banks to jump into action. It’s partly surveillance’s role to win the hearts and minds of stakeholders to express the value-add that surveillance brings, the importance of the program that we run, and the benefit of putting pennies on the table over a longer period of time rather than a massive check once in a decade.
What I would say is that there is always going to be money there if you have a compelling business case and an argument to justify that spending.
Q: Do you see a time where the head of surveillance is an FCA controlled function, similar to an SMF16?
Livermore: Yes, I do. It depends on the relationship you’re able to build within your organization as to how seriously surveillance is taken. I’ve seen both ends of that scale. Some firms already look at it that way and are pushing in that direction already.
Two of the things that the SMF regime looks for, and that works really well for us, is responsibility and influence. Responsibility is relatively obvious. The influence part is much more difficult, and that takes time to build and to create relationships and win stakeholders over. Sticking an SMF badge on your forehead probably gets you there faster.
Q: Considering risk appetite – for areas like recordkeeping there isn’t a risk appetite, you have to capture everything. With surveillance, due to budget, resource constraints, and regulation, you simply can’t cover everything and brave decisions have to be made. How do you make those risk appetite judgments?
Blair: One word jumps to mind – governance. First and foremost, it is really important that you are integrated and fully connected across the lines of defense in the control function and particularly the first line. Start with governance and ensure you have senior folks at the table at a regular degree of cadence across first line, second line, and even third line as well. It’s important to make sure you have relevant stakeholders actively engaged in conversations.
From there, a risk appetite can only be gleaned from a risk assessment. You need to understand what the risks are before you can make decisions around your risk appetite.
To make a decision around risk acceptance, you need to ensure that you have the front office, your coverage compliance officers, your surveillance teams, all working actively together to complete a risk assessment.
And then you need to work through all ideas and asset classes, understanding what the key risks are depending on the types of activities and access to markets that you have as a firm. Then, the control environment can produce a second-line consideration, and can come in from a surveillance perspective and say ‘we’re capturing this, we haven’t got that, etcetera’. Ultimately the residual risk gets derived from that. And then you have your conversations in governance to say ‘these are our residual risks, we’ve got highs – we’ve got mediums – we’ve got lows’.
As long as you take a view of governance, as long as you properly limit it and properly document, you’re usually safe.
Q: Is there a gap to be bridged between MAR assessments and RCSAs?
Livermore: The risk assessment that we perform in surveillance is led by surveillance alongside advisory or compliance teams, or people from the control office, or the first line. But the Risk and Control Self-Assessment (RCSA) process is suboptimal compared to what we do on the MAR risk assessment.
One of the things I’ve seen over the last few years is that the penny has dropped for the first line that the risk assessment work that surveillance is doing is starting to feed in to theirs. We’re seeing a desire to integrate the two, or certainly engage more. This is a great opportunity for surveillance to win trust and confidence by producing a product which is vastly superior to what they’ve been working with previously.
Q: Will AI be game changing to processes in the next 12 months? Or at this point is it about doing the basics well?
Livermore: You’ll often hear that every man on the street is very mature in the AI space and have been for the last decade. Us two at the top haven’t (referring to himself and Blair), so maybe there’s something more realistic in what you’re hearing now.
One of the areas that could be really valuable here, which would allow the industry to jump forward, would be to create more of a utility-type capability and allow a number of like-minded souls to come together in an open environment. What regulators are doing at the moment is beneficial, but it doesn’t have the likes of us there talking about our challenges and where AI could make a difference.
I think what will happen is we’ll all play at it for the foreseeable future. We’ll all spend a little bit of money and make a little bit of progress. And we’ll probably not get as far as we’d like to get. I anticipate that everybody’s thinking about it. Some people are already dipping their toe in, and we will have the same conversation year after year until something significant happens.
Are we going to use it? Yes, we will. Are we going to use it in the next 12 months? No. But, it will come.
Blair: I do now think we are standing on a new paradigm of how we’re going to be doing our surveillance. But there’s a long way to go. It’s going to be a slow burn and we’re going to learn from each other.
What I will say is that we’re going to have to marry the two most important components together to make it work. The first is people with the right skill sets, the right experience, who actually understand the risks and requirements of the surveillance analyst. And then the second is the provision of data. One of the unintended consequences of recent enforcement action is that the front office and surveillance are now much more joined up regarding data provision. I think there’s a lot of hope here – it’s an exciting time to be in surveillance – but proceed with caution.
Q: Are you concerned about employees using social media at work? Is this the next type of WhatsApp that’s been hiding in plain sight?
Blair: Most firms tend to have some digital governance in place used in the corporate communications function. And some may not even know but these functions usually do their own surveillance of folks using LinkedIn and other social media sites.
There are compliant ways of using the likes of LinkedIn through the firm’s own infrastructure and following the policies and protocols and guidelines around that.
I would say that in terms of trying to ensure that firms are genuinely compliant from the communications perspective, firstly, have a phone communications policy. This should be very clear and set out the do’s and don’ts. Set out clear examples of what should be recorded, where there are gray areas, and how to navigate those. Training is really important too – making sure you’ve rolled out training to all staff and employees. And within that, possibly attestations from staff and making sure you’re getting those on a regular cadence.
And the disciplinary process is really important here. Making sure you can evidence that further disciplinary measures are in place, and you can evidence that when people have transgressed they’ve been disciplined in an appropriate way.
Q: As voice transcription and translation is now close to perfect, what does that mean in terms of target operating models? Do you still need teams in different locations who speak local dialects? And do you see other shifts in your operating models as tech developments progress?
Livermore: I think there’s been really good progress made with the capabilities on transcription and translation. Does that mean we don’t need people who are native speakers of languages? It does not. You still need to people to verify it. We’ve seen machine translation and transcription for a long time, just with different levels of quality.
What it doesn’t do is understand the nuances of the way that people speak. You can transcribe a conversation, but it won’t pick up the ‘eyebrows raised’ or the way in which they’re saying it. Having individuals that are closest to that language, in my experience, is the most effective way of determining whether there is a risk. Having native speakers of languages still provides a higher quality of review. But they don’t have to be armies of people – just one or two.
Q: If you were given a blank canvas rather than an inherited program, what would you do differently at the beginning?
Blair: First and foremost, I would want to look at the skill sets that we have within the function and design the roles that we need to ensure we have an equal ability to generate the right alerts. By that, I mean having people to understand the risks that the business, and the exposures of doing that business from a market abuse or market conduct perspective, creates.
I would also want to make sure that we have individuals who understand the nuances of the data, both from a provisioning perspective, and an understanding what controls need to be in place when it flows from the providers by the venues from the front office to our own surveillance systems.
And I want to make sure that we have enough skill sets to be able to understand how we work within the model governance structures of the firm to be able to effectively tune and calibrate those alerts below the line and above the line.
I’d want more mathematical and statistical sampling approaches to ensure that, when the alert is finally generated, a lot of thought has gone into that. And I’d want to see that we are absolutely covering the right areas of risk, that we have the right number of false positives, that we’re not missing any true negatives, and that when the analyst gets the alert eventually the analyst is enabled to disposition it effectively.
There is nothing worse than having analysts ploughing through false positives every day. It’s depressing, you see no yield on it, and you lose them over time – and that’s not good. You want to be able to create careers, you want to be able to enthuse and inspire people, you want them to understand what you’re doing is a good thing, and you want to be able to give them positive, constructive feedback. Make sure your analysts are properly trained, that you have Q&A in place – and it’s sensible, on a risk-based approach.
But ultimately, it always comes down to people and data.
Livermore: If I had the opportunity to build from a blank piece of paper – and if I were to talk to mistakes I made – it’s the inability to throw people of the bus soon enough. It’s so important to have the right people in the room. Surveillance comes down to three components: the technology that you use, the data, and the people. People are the key.
