Market Abuse Risk Assessments (MARA)


Steven Marshall, CEO





Regulatory overview

Maintaining proper standards of market conduct is a key objective of financial services regulators globally.

Regulators want to ensure that the markets they supervise are fair, transparent and orderly; that investors can be confident their trades will be executed appropriately.

Regulators perform extensive surveillance and investigatory work to ensure that remains the case; or where it isn’t, that any suspicious activity is identified and dealt with appropriately.

Regulators also require regulated firms to also perform their own surveillance and investigatory work, and report any suspicious activity to them.

However, regulated firms do not have unlimited budgets to spend on technology, data and/or surveillance analysts and investigators. Nor do regulated firms have the whole-market view of trading activity, unlike regulators.

To their credit, regulators recognise this, and so they require firms to take a risk-based, proportionate approach to their market conduct surveillance frameworks – and this is where a market abuse risk assessment (MARA) is key.


This requires firms to assess the risk of market abuse being perpetrated by their clients, employees or their automated trading algorithms.

Firms need to look at their products, trading venues, communications platforms and trading systems. They need to look at the behaviours that are, or could be prevalent, and which may be indicative of abusive practices. They need to look at the controls that are in place and their effectiveness – and the controls that may be necessary but which are not yet in place. They need to look at orders received, orders placed, orders cancelled, any quotes provided, all trades executed, the capacity in which a trade is executed and the internal and external communications around all of this activity.

Through this analysis, they need to assess the inherent risk of market abuse, the controls related to those inherent risks and the residual risks that remain. Of those residual risks that are outside risk appetite (which should also be defined – the only feasible risk appetite being ‘low’), actions need to be determined to reduce the residual risk to within risk appetite.

How can RISKGRID help?

But here is where a well-structured MARA comes in. Invariably owned by Compliance, it requires input from trading, sales, technology and risk staff to ensure it is sufficiently well informed, whilst also safeguarding confidentiality around the exact details of the firm’s surveillance strategies.

It is required to be maintained, refreshed and updated in light of trigger events, which can include internal escalations from sales and trading staff, complaints from clients, whistleblowing by staff, regulatory enquiries, the output of surveillance itself, and events at external firms which have become public, perhaps as a result of a regulatory sanction.

Executing a good MARA is no small task. But it is key to allowing a firm to focus its finite resource on a significant task. It will allow the firm’s senior management to show any regulator how it is managing its market abuse risks. And it will also allow a firm to convince clients that its risks are well managed, its controls are good and clients can safely execute their orders with the firm. Last, but not least, a good MARA, helps firms focus their surveillance efforts on the riskiest areas, and helps firms allocate resource efficiently to those areas, saving costs in the longer run.

RISKGRID allows firms to map products and/or trading desks to market abuse indictors, including the inherent risk, control effectiveness and residual risks. It allows firms to identify the highest residual risks related to market abuse quickly and easily, and set out actions to mitigate those risks. It allows a firm to future plan the impact of enhanced controls on their residual risks, and execute those plans through to conclusion. And when ‘tigger events’ such as those outlined above take place, RISKGRID can be immediately updated to reflect any changes in risks and/or controls that result.

You could try doing all this on a spreadsheet if you like, but we don’t recommend it (see our separate blogs on this). If you’d like to hear more, please get in touch.

Use our free MARA Template on RISKGRID