FCA Market Watch 82

In Market Watch 82, the FCA highlights recent observations from its supervision of the UK MiFID transaction reporting regime. Among other things, these observations relate to remedial timelines, back reporting and transaction reporting breach notifications. This edition of Market Watch will be of interest to firms that are subject to reporting requirements under the UK Markets in Financial Instruments Regulation (“UK MiFIR”) reporting regime. It will also be of interest to firms subject to reporting under the UK version of the European Market Infrastructure Regulation (“UK EMIR”) and the UK version of the Securities Financing Transactions Regulation (“UK SFTR”).

Introduction

The FCA has published Market Watch 82. This edition of Market Watch focuses on transaction report and, more specifically, highlights the FCA’s observations from its supervision of the UK Markets in Financial Instruments Regulation (“UK MiFIR”) transaction reporting regime. The FCA’s observations relate to:

1. remedial timelines;
2. back reporting; and
3. breach notifications.

Transaction reporting continues to be a focus area for the FCA given the importance of transaction reporting data to the FCA's monitoring of abusive market practices. The FCA’s comments in Market Watch 82 are clear that the FCA will view failures in remedial actions and back reporting to indicate more widespread underlying governance, systems and controls issues. It is therefore important that firms carefully consider the practical implications of this Market Watch edition.

Transaction reporting

The FCA clearly states that it expects firms to have in place processes for identifying, addressing and disclosing regulatory reporting issues in a timely and accurate manner. The FCA also notes that it expects these processes to have evolved and matured since the MiFIR transaction reporting requirements took effect with MiFID II in 2018. However, the FCA states that it has seen “persistent inefficiencies” that suggest some firms must improve their operational frameworks.

Remedial timelines

The FCA flags that it has seen remedial exercises extending beyond what it considers to be reasonable timelines. This has manifested in (among other things) firms taking excessive time to present a remedial plan, missing deadlines set by governing bodies (e.g. the board) or the FCA, and an absence of measurable progress between FCA check-ins.

The FCA identifies a number of common themes in the root cause(s) for these delays including:

1. Internal processes – Siloed teams, fragmented ownership of tasks and lengthy approval chains slowing down decision-making.
2. Resourcing – Assigning insufficient resource to resolve issues effectively and competing business priorities resulting in slower response times.
3. Difficulty in tackling the root cause – Focus on fixing the symptoms rather than the root cause leading to issues resurfacing.
4. Compliance culture – Reactive culture resulting in firms addressing issues only when prompted.
5. Governance – Weak structures and lack of accountability leading to loss of momentum as remedial work is not managed centrally or treated with urgency.

Back reporting

The FCA notes that it draws a distinction between protracted remediation of an issue on the one hand, and delayed back reporting, on the basis that each of these types of issue present a different set of operational and compliance risks. Market Watch 82 sets out a number of case studies through which the FCA highlights common causes for back reporting issues. The key themes drawn out by these case studies are as follows:

1. Cystallised compliance risk – Where a firm has deployed a fix for an issue but has failed to identify and correct all historic reports. Here, although the root caused is remediated, the firm remains non-compliant until back reporting is completed correctly. The FCA also highlights that this scenario indicates ineffective compliance oversight as the firm appears to lack internal processes to ensure timely reporting corrections, which in turn could suggest underlying accountability issues, among other things.
2. Internal governance weakness – Where a firm does not apply a risk-based approach to sequencing action and deploying resources to address issues. The FCA also notes that this scenario could raise concerns about the firm’s internal governance, and in particular its operational risk management and compliance delivery arrangements.
3. Data access and infrastructure limitations – Where back reporting is significantly delayed due to inaccessible historic data, for example as a result of data having been archived incorrectly following a system migration. The FCA highlights that this scenario could raise concerns regarding data governance and record keeping controls.\
4. Impact on BAU – Where a firm has significantly underestimated the resource required to complete a back reporting exercise and this in turn has adversely impacted resources available compliance and operational resources to complete BAU tasks.

Breach notifications

Market Watch 82 reiterates the critical role that breach notifications play in relation to data quality, noting that the FCA expects breach notifications to:

1. clearly describe the issue, including for example:

• the impacted transactions in detail (or, where this information is not available because impact assessment is ongoing, to provide a timeline as to whether this assessment will be complete); and
• the relevant period;

2. set out the root cause of the issue;
3. describe the firm’s intended back reporting arrangements;
4. describe the firm’s intended remedial actions;
5. clearly explain the governance forums that the issue has been escalated to; and
6. highlight any gaps or weaknesses in reporting processes, data governance and controls.

The FCA further notes that it received 241 breach notifications in Q1 2025. Market Watch 82 sets out a table in which the FCA's observations and best practices from a review of these notifications are set out. These examples provide useful practical examples of how firms should address each of (a) to (c) above within their breach notifications.

[View source.]