Auditing Market Abuse Controls: A Framework for Second and Third Line Review

This informal CPD article ‘Auditing Market Abuse Controls: A Framework for Second and Third Line Review’ was provided by Nikolas Demetriades, founder of CPDs.Academy, a CPD training platform delivering compliance education for professionals in EU-regulated financial services.

For most regulated firms, the market abuse framework was built once and has lived in the background ever since. Surveillance parameters were configured at implementation. The Suspicious Transaction and Order Report (STOR) procedure was drafted by the consultant who supported the licence application. Insider list templates have not been touched in years. The first line operates the framework day to day; the second line and the third line are the functions that periodically have to test whether it actually works.

This article sets out a methodology for testing a market abuse framework and forming a defensible opinion on its effectiveness, regardless of whether the test is conducted by compliance monitoring as part of the second line, by an internal audit function as the third line, or by an external reviewer mandated to provide independent assurance. The four sections that follow correspond to the four phases of any such review: scoping the engagement, testing design adequacy, gathering implementation evidence, and forming the opinion.

1. Scoping the engagement

The reach of the Market Abuse Regulation (MAR) is not uniform across regulated firms. Article 16(2) of Regulation (EU) No 596/2014 imposes the obligation to detect and report on persons professionally arranging or executing transactions, but its precise application turns on the firm's licensed activities, the instruments it handles, and the venues those instruments trade on.

A reviewer should establish, in writing, three things at the outset: whether the firm falls within the personal scope of Article 16(2); which of its activities and instruments fall within the material scope of MAR; and which obligations beyond surveillance and STORs apply, namely insider lists under Article 18, notifications by persons discharging managerial responsibilities (PDMRs) under Article 19, and market sounding procedures under Article 11. Each triggers a distinct cluster of controls. A frequent weakness in market abuse reviews is that they focus narrowly on the surveillance function and overlook PDMR or market sounding processes, which often sit elsewhere in the business and are operated to a different standard.

2. Testing design adequacy

Design adequacy asks a single question: is the control, as written, capable of mitigating the risk it is intended to address? A control that is not designed correctly cannot be saved by good execution.

The market abuse risk assessment should identify the abuse typologies relevant to the firm's instruments and activities, differentiate risk by product, client, channel, and venue, and reflect the firm's current business. A risk assessment that treats every desk identically, or that has not been updated since the firm acquired a new business line, is design-defective regardless of how well the resulting controls are operated.

The surveillance system should be tested for typology coverage, calibration, and parameter justification. The reviewer should expect a documented mapping of each relevant typology to one or more surveillance scenarios, and a calibration record explaining why each scenario's thresholds were set where they were. Where parameters have been left at vendor defaults, that fact should be acknowledged rather than presented as a calibration.

The STOR procedure should be assessed against the standard set out in Commission Delegated Regulation (EU) 2016/957. It should describe how alerts are reviewed, who decides whether a reasonable suspicion has crystallised, and how that decision is documented, including in cases where no STOR is filed. A frequent design weakness is the absence of a written procedure for the “no STOR” decision: where a procedure exists only for the positive case, the firm has no documented basis on which to defend its dismissals.

The insider list, PDMR, and market sounding controls should be tested against the relevant technical standards. Insider list format and updating are governed by Commission Implementing Regulation (EU) 2016/347. PDMR notifications are governed by Commission Delegated Regulation (EU) 2016/522 (notifiable transaction types, closed period exemptions and disclosure thresholds) and by Commission Implementing Regulation (EU) 2016/523 (notification format and template). Market sounding controls are governed by Commission Delegated Regulation (EU) 2016/960 and Commission Implementing Regulation (EU) 2016/959. The reviewer should examine whether the templates used are the prescribed ones, whether the procedures cover both deal-based and permanent insider arrangements, and whether market sounding scripts and cleansing procedures meet the requirements of Article 11.

The escalation and governance arrangements should be tested for clarity of accountability: who escalates flagged matters out of the first line, who decides whether to file a STOR, and what management information reaches the senior management body and on what cadence.


3. Gathering implementation evidence

Implementation testing is where most market abuse frameworks come apart in practice, and it is the dimension that supervisors test most rigorously.

Surveillance output statistics are the starting point. The reviewer should examine alert volumes over a meaningful period, broken down by alert type, instrument, and desk. A flat line in alert volumes over time, in a firm whose trading volumes have grown materially, is a red flag. A recent FCA Final Notice recorded a 42 per cent reduction in surveillance alerts between June and September 2024 against a 45 per cent increase in CFD trading volumes over the same four-month period, illustrating the kind of pattern an effective reviewer should detect.

Sample testing of alerts is the most informative part of the engagement. The reviewer should select a representative sample including both alerts that were dismissed and alerts that became STORs, and reperform the analysis. The objective is not to second-guess the operational decision but to assess whether the documented rationale supports the decision reached.

STOR records should be examined for both quantity and quality. A firm that has never filed a STOR in a multi-year history of active trading attracts immediate scrutiny, but quantity alone is unreliable. The reviewer should examine the analysis files supporting filed STORs and the documentation supporting cases where alerts were dismissed. The retention obligations under the MAR Level 2 framework, which require analysis files for STORs and dismissed alerts to be kept for at least five years, mean the reviewer can sample across multiple years.

Training and change control records complete the implementation picture. Generic e-learning completed annually by the entire workforce is rarely sufficient evidence that staff in surveillance, order handling, or sales and trading roles have received training proportionate to their exposure. Where the firm has introduced a new trading platform or a material change to its surveillance configuration, the reviewer should ask whether the change was assessed for its market abuse risk implications before, not after, going live.

Management information and board reporting should be tested for whether they enable challenge. Reports that present current-period alert volumes without comparatives, without breakdowns by type and instrument, and without correlation to underlying trading activity allow the board to record that it has been informed but do not equip it to act.
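The two checks described above, surveillance alert volumes correlated with underlying trading activity (section 3) and management information that carries comparatives by desk (this section), can be reduced to the same calculation. The script below is an added illustration, not part of the original article and not a tool of CPDs.Academy or any surveillance vendor: it takes monthly alert and trade counts per desk, expresses alerts as a rate per 10,000 trades, compares each month with the month a fixed window earlier, and flags any window in which alerts fell by a quarter or more while trading volume rose by a quarter or more. The desk names, figures and thresholds are constructed for the example; they are not the figures from the FCA Final Notice the article cites.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PeriodStats:
    desk: str
    period: str   # "YYYY-MM"
    trades: int   # executed trades in the period (constructed proxy for trading volume)
    alerts: int   # surveillance alerts generated in the period


# Constructed sample: a hypothetical CFD desk whose volumes grow while alerts
# decline from June to September, and an equities desk whose alerts track volume.
SAMPLE: List[PeriodStats] = [
    PeriodStats("CFD desk", "2024-04", 10_000, 50),
    PeriodStats("CFD desk", "2024-05", 10_500, 52),
    PeriodStats("CFD desk", "2024-06", 12_000, 60),
    PeriodStats("CFD desk", "2024-07", 14_000, 48),
    PeriodStats("CFD desk", "2024-08", 16_000, 40),
    PeriodStats("CFD desk", "2024-09", 17_400, 35),
    PeriodStats("Equities desk", "2024-04", 20_000, 100),
    PeriodStats("Equities desk", "2024-05", 21_000, 105),
    PeriodStats("Equities desk", "2024-06", 22_000, 110),
    PeriodStats("Equities desk", "2024-07", 25_000, 122),
    PeriodStats("Equities desk", "2024-08", 26_000, 128),
    PeriodStats("Equities desk", "2024-09", 27_000, 135),
]


def alerts_per_10k(stats: PeriodStats) -> float:
    """Alert rate normalised to trading activity, so desks of different size compare."""
    return stats.alerts / stats.trades * 10_000


def pct_change(old: float, new: float) -> float:
    """Fractional change from old to new (0.45 means +45%)."""
    return (new - old) / old


def period_comparatives(rows: List[PeriodStats], window: int = 3,
                        alert_drop: float = 0.25, volume_rise: float = 0.25) -> List[Dict]:
    """One MI line per desk and period, comparing each period with the one
    `window` periods earlier. `flag` is True where alerts fell by at least
    `alert_drop` while trades rose by at least `volume_rise` (thresholds are
    assumptions for the example, not a regulatory standard)."""
    by_desk: Dict[str, List[PeriodStats]] = {}
    for r in rows:
        by_desk.setdefault(r.desk, []).append(r)
    lines: List[Dict] = []
    for desk, series in by_desk.items():
        series = sorted(series, key=lambda r: r.period)
        for i in range(window, len(series)):
            base, cur = series[i - window], series[i]
            a = pct_change(base.alerts, cur.alerts)
            v = pct_change(base.trades, cur.trades)
            lines.append({
                "desk": desk,
                "from": base.period,
                "to": cur.period,
                "rate_from": alerts_per_10k(base),
                "rate_to": alerts_per_10k(cur),
                "alert_change_pct": a * 100,
                "volume_change_pct": v * 100,
                "flag": a <= -alert_drop and v >= volume_rise,
            })
    return lines


def find_divergences(rows: List[PeriodStats], **kwargs) -> List[Dict]:
    """Only the flagged lines: the 'flat or falling alerts on rising volume' pattern."""
    return [line for line in period_comparatives(rows, **kwargs) if line["flag"]]


if __name__ == "__main__":
    # MI-style table with comparatives, then the exceptions a reviewer would pursue.
    for line in period_comparatives(SAMPLE):
        print(f"{line['desk']:<14} {line['from']} -> {line['to']}  "
              f"rate {line['rate_from']:6.1f} -> {line['rate_to']:6.1f} per 10k  "
              f"alerts {line['alert_change_pct']:+6.1f}%  volume {line['volume_change_pct']:+6.1f}%"
              f"{'  FLAG' if line['flag'] else ''}")
    for d in find_divergences(SAMPLE):
        print(f"Divergence: {d['desk']} {d['from']} to {d['to']}")
```

The window of three periods is chosen so that a June-to-September comparison, the span in the notice the article cites, is one of the lines produced. A reviewer would run the same calculation over the firm's real alert export and trade blotter, per alert type as well as per desk, and treat each flagged line as a prompt to ask for the calibration record behind the change rather than as a finding in itself.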

4. Forming the opinion

The output of the engagement is an opinion on the effectiveness of the firm's market abuse framework. For an internal audit function this will typically be a satisfactory, requires improvement, or unsatisfactory rating; for compliance monitoring it will more usually be a narrative conclusion supported by individual findings. In either case the opinion should be defensible against three tests.

First, whether it is supported by evidence. Each conclusion should trace back to specific work performed: a sample tested, a document examined, a procedure walked through. Second, whether it is calibrated to materiality. A design weakness in a peripheral control is not the same finding as an implementation gap in surveillance over the firm's principal product line. Third, whether the recommendations are actionable. A recommendation to “strengthen surveillance” is not a recommendation; it is a description of the problem. A recommendation should identify what needs to change, who needs to make the change, against what standard, and by when.

The opinion should be reported into a forum capable of acting on it: the audit committee for internal audit, or the executive committee for compliance monitoring. The reporting should include the residual risks identified, the actions agreed, the owners of those actions, and the timelines for implementation, with a follow-up regime that tracks closure.

Closing thoughts

The methodology applies to any MAR-regulated firm and to any reviewer charged with testing the framework. Its application is specific in every case: a small investment firm with a single product line will need a different sample size, evidentiary base, and scope from a multi-asset broker-dealer. What does not change is the discipline. Scope before testing. Establish design before assessing implementation. Gather evidence before forming an opinion. Calibrate to materiality, and report where it can drive action. A market abuse framework that has been independently tested in this way is not necessarily free of weakness; it is, however, a framework whose strengths and weaknesses are known to the firm before they are discovered by a supervisor.


References

Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation), in particular Articles 11, 16, 18 and 19.

Commission Delegated Regulation (EU) 2016/957 of 9 March 2016 supplementing Regulation (EU) No 596/2014 with regard to regulatory technical standards for the appropriate arrangements, systems and procedures, and notification templates, to be used for preventing, detecting and reporting abusive practices or suspicious orders or transactions.

Commission Implementing Regulation (EU) 2016/347 of 10 March 2016 laying down implementing technical standards with regard to the precise format of insider lists and for updating insider lists in accordance with Regulation (EU) No 596/2014.

Commission Delegated Regulation (EU) 2016/522 of 17 December 2015 supplementing Regulation (EU) No 596/2014 as regards indicators of market manipulation, disclosure thresholds, the permission for trading during closed periods, and types of notifiable managers' transactions.

Commission Implementing Regulation (EU) 2016/523 of 10 March 2016 laying down implementing technical standards with regard to the format and template for notification and public disclosure of managers' transactions in accordance with Regulation (EU) No 596/2014.

Commission Delegated Regulation (EU) 2016/960 of 17 May 2016 supplementing Regulation (EU) No 596/2014 with regard to regulatory technical standards for the appropriate arrangements, systems and procedures for disclosing market participants conducting market soundings.

Commission Implementing Regulation (EU) 2016/959 of 17 May 2016 laying down implementing technical standards for market soundings with regard to the systems and notification templates to be used by disclosing market participants and the format of the records.

Financial Conduct Authority, Final Notice: Dinosaur Merchant Bank Limited (Reference Number 436215), 24 March 2026, finding breach of Article 16(2) of UK MAR (the UK-onshored Regulation (EU) No 596/2014), Principle 3 of the FCA's Principles for Businesses, and SYSC 6.1.1R of the FCA Handbook.