3 pitfalls to avoid after you automate Prohibition on Insider Trading

The financial institutions have long been lucrative targets for insider attacks, but with the computerization of systems, attacks can now be launched on a grander scale than ever before. Insider attacks on firms’ electronic systems can result in financial and intellectual property theft, damaged or destroyed assets, and firm-wide disruption to internal systems and customer operations. Preventing and detecting attacks, however, has proven to be difficult, as insiders are often able to capitalize on their familiarity with firm’s systems to launch attacks without attracting notice.

At its core, insider threat is just as much a human problem as it is a technology one.

The objective of insider trading laws and regulations is to assure that no one would gain by trading on ' insider ' or ' unpublished ' information - information that is not available to all market participants.

The ultimate goal is to create a level playing field by making information accessible to all market participants.

Benefits of Automation

By automating the prohibition of insider trading, we have found that there is greater efficiency in compliance monitoring of insider regulations.

• Centralized data storage of the investments & holdings of employees, immediate dependents & persons with material financial relationship as defined under the regulation
• Automated request for approval/rejection of trade requests
• Configurable holding/contra restrictions
• UPSI, blackout period / no-trading windows,
• Automating the restricted securities list,
• Electronically submission of periodical disclosures,
• Systemic work-flow for all trading approvals, automated reminder emails, notification alerts & audit trail.

However even with the automation certain pitfalls should be avoided when an organisation has indeed automated their internal processes for Prohibition of Insider Trading (PIT)

1. Access Control

1. Access controls are like a gate in which only certain people that have permission are allowed to enter. Access controls can be both physical and also technological. As for physical access controls, in the financial industry for example, a company should have sensitive information locked up, key card access to the building or rooms, the inability to download information from a computer to a USB drive or disk, and the presence of physical security guards.
2. It is also important that companies prevent employees from downloading information onto USB drives or onto disks. Inserting a device into a company computer poses a variety of risks; such as theft of information even to uploading a virus into the system.
3. IT and management should work together to determine what information an employee can have access to on a computer or database. IT and management should have an access control list to regulate who has access to certain material and this list should be reviewed periodically to confirm if an individual still requires access to that information.
4. In certain companies physical access controls go even further by having certain areas of the company accessible only to certain employees. A company may have secured floors in a building accessible only by key card. In those areas only employees within that specific business are allowed to enter and sit next to each other. For example a company may not allow employees in the investment banking business to sit next to an employee in research by having the two different businesses physically separated.
5. In a company the determination of how groups should be split up and who has access to certain floors should be determined and discussed by management. There should be a “Gatekeeper” that determines who has access to a specific area in the company and that access list should be reviewed by management and security at least annually to ensure that certain people have a specific reason to have access to that area.

2. Chinese Wall

The organization should adopt a "Chinese Wall" policy which separates “ inside areas ” from “ public areas ” for preventing the misuse of confidential information. The “ inside areas ” are defined as those areas of the organization which routinely have access to confidential information and “ public areas ” are defined as those areas which deal with sales, marketing, investment advice or other departments providing support services. The following measures to be adopted by organizations for separating “ inside areas ” from “ public areas ”.

1. The employees in the “ inside area ” should not communicate any price sensitive information to anyone in “ public area ”.
2. The employees in “i nside area ” may be physically segregated from employees in “ public area ”.
3. Demarcation of the various departments as “ inside areas ”
4. Only in exceptional circumstances, employees from the public areas may be brought " over the wall " and be given access to confidential information on the basis of " need to know " criteria

3. Whistle Blowing in case of leak of Unpublished Price Sensitive Information (“UPSI”)

1. Any instance of leak of UPSI should be on the basis of a direct first- hand experience of the whistleblower. It should not be based on any secondary, unreliable source or any other form of informal communication.
2. The instance of leak of UPSI made by the whistleblower must be genuine with adequate supporting data/proof. If it is established that the allegation was made with mala-fide intentions or was frivolous in nature or was not genuine, the whistleblower shall be subject to Disciplinary Action.

To summarise, even after an organization has automated their processes to prohibit insider trading, it still remains a continuous challenge to secure information from both inside & outside that an organization has to continuously improve upon.

We at Infomatics have been partners to medium-to-large enterprises in the Financial Services business for their automations by implementing cost effective prohibition of insider trading solutions. To get more insights, do read our detailed case studies published on our website, Click here