As part of the certificate course “The Mechanics of Fintech and Artificial Intelligence (FLF5743)” at IFF in partnership with Middlesex University London, this text on SupTech was written. The essay with the title “A SupTech-Concept for AI-supported transaction monitoring and evaluation system in the context of the European MiFID reporting requirements for a financial market supervisory authority (NCA) by an FinTech Company” is reproduced here in abbreviated form. This text reflects the personal opinion of the author. The statements do not claim to correspond to the position of the Financial Market Authority (FMA) Liechtenstein and should be kept in the context of the above mentioned academic work. All figures and data mentioned are from publicly available registers or publications.

1. Introduction[1]

In accordance with its legal mandate, the Financial Market Authority (FMA) Liechtenstein ensures the stability of the Liechtenstein financial market, the protection of clients, the prevention of abuses, and the implementation of and compliance with international standards. The intention of this paper is to show which regulatory obligations the FMA has to fulfil with regard to transaction reporting within the scope of supervision. As an integrated and independent supervisory authority, the FMA supervises the financial market participants in the Liechtenstein financial center. With its supervisory activities, the FMA ensures the stability of the financial institutions and the financial market, as well as the protection of clients. In the event of punishable breaches of supervisory regulations, the FMA takes the necessary steps in the interest of client protection and the reputation of the financial center. In addition, the FMA pursues cases in which activities requiring a license are carried out without a license within the framework of combating abuse. The transaction reporting described here and the related evaluation were new territory for the supervisory authority. Until now, the work of a supervisory authority has usually been carried out by lawyers. In the future, it will require more data analysts and programmers. As a next step, this paper discusses the involvement of AI to analyze the data by a FinTech company.

2. Value Proposition

SupTech[2][3] is a cross-disciplinary and portmanteau term at the same time. It consists first of all of the financial market authority as a supervisor (with Sup as an abbreviation for supervision) of a country’s financial market. With its supervisory activity, the financial market authority ensures stability for financial institutions and the financial market and provides protection for customers. The financial market authority takes the necessary actions aimed at protecting customers and the reputation of the financial center in the event of breaches of the supervisory regulations. As part of efforts to combat malpractices, the financial market authority also pursues cases in which activities requiring licensing are executed without the respective license. Secondly, it consists of the concept of the latest technologies (with Tech as an abbreviation for technology), which primarily include electronic data processing (EDP). As a cross-disciplinary approach, SupTech ensures a balancing act between the traditional activity of the financial market authority and the technological developments of the modern era. As a portmanteau term, SupTech aims to represent this connection in the same way as the related concepts FinTech and RegTech. However, SupTech refers to the original activities of the financial market authority.

The application areas for SupTech can be divided into data collection, data analysis, and data exchange. In addition to the application areas described below, the risks of SupTech should not be ignored. Specifically, the huge data retention harbors risks, related both to cyber security and to the fact that the flood of information itself means that the supervisory authorities have a major responsibility in terms of analysis and assessment. As long as the relevant information was not available, the supervisory authority could denounce this as being the responsibility of the intermediary to provide. We have also kept in mind the responsibilities regarding regulation, data privacy and ethics.

SupTech will enable real-time supervision thanks to smart supervision. The collection of (almost) real-time data that is not constrained by formatted templates gives supervisors additional flexibility to extract those pieces of information that are most relevant from a risk-based perspective and to generate customized indicators and reports at any time.  The data is analyzed on a continuous basis and presented in the supervisory authorities’ Supervision Cockpit using a Risk Map. A data analysis using self-learning artificial intelligence ensures that the supervision can also be completed using objective criteria and that subjective artificial distortions do not result in unequal treatment. Smart supervision can also – building on aggregate data – enable the system to propose core areas for ongoing supervision, linking reporting data with current market and company data.

Furthermore, SupTech will enable supervisory authorities to shift increasingly from continuous monitoring to exception-based supervision, in which automated analyses identify outliers or abnormal situations either on institute level or on sector level. The ultimate goal of SupTech will be the paradigm shift towards a predictive data-driven supervision that uses the available information not only to identify breaches in the past but to predict behavior or risky situations in the future, thus putting the supervisory authority in a position to act ahead of time in a preemptive manner.

3. MiFID-based transaction monitoring and evaluation system

The Markets in Financial Instruments Directive (MiFID[4]) was written in 2004 as a European law for the regulation of financial instruments. Under the law, every European NCA is obliged to collect data on transactions from national investment firms[5] and subsidiaries domiciled in the respective country and to forward this data to other NCAs affected by the transaction. MiFID Level 2 was adopted in 2011, allowing ESMA (European Securities and Markets Authority) to define technical standards for the implementation of the directive. As of January 2018, MiFID was replaced by Directive 2014/65/EU[6] (MiFID II). For the exchange of transaction data, ESMA had to specify rules and XML schemas that are intended to standardize and harmonize the processing and transmission of transaction data for all participating entities. The implementation of the specifications is left to each NCA; only interfaces, data formats, and validation and routing rules are specified in detail.[7]

Like every European NCA, the FMA had to implement the reporting requirements from MiFID for the subject area of markets and financial instruments. Within the scope of TREM, transaction data on securities purchases and sales by financial intermediaries (FI) must be processed, analyzed and forwarded to ESMA. The processing also includes a validation against the FIRDS database[8] (register of financial instruments), collected under Art. 4 MAR and Art. 27 MiFIR. This requires an IT solution that also integrates into the existing FMA IT landscape. When a transaction report is submitted by a national entity or another NCA, it is first validated according to predefined rules. The result of the validation, both positive and negative, is returned to the sender in the form of feedback files.

Investment firms that carry out transactions in financial instruments (e. g. shares or options) must report all transactions in detail to the competent authority. This extended obligation was introduced in Europe with MiFID II. Among other things, this is intended to combat insider trading or market manipulation and to strengthen investor protection. The reporting data must be forwarded to the NCA depending on the nature of the.[9]

The transaction data received by the FMA is checked automatically against various (confidential) scenarios in the area of insider trading and market manipulation. The stored parameters are continuously adjusted according to market events and market behavior. In addition to the implemented scenarios, the FMA regularly carries out random checks and, within the scope of its powers, requests securities firms or credit institutions to submit further details on their reporting, inter alia their own compliance checks, the asset management agreement or a statement on the trading behavior of the client. In addition to indications of market abuse, transaction monitoring can also identify risks that endanger the functioning of the markets. For this purpose, the FMA not only receives reports from investment firms domiciled in Liechtenstein, but is also connected to supervisory authorities throughout Europe via the established transaction reporting system.[10]

Traded Shares (securities) natural persons compared to volume (Source: FMA)

In 2021, securities firms sent the FMA over 10 million transaction reports, or more than 30’000 reports a day. Reporting and evaluation require a sophisticated IT solution. It must ensure that investment firms can fulfil their reporting obligations efficiently and that the validation and evaluation of the reports have a high degree of automation so that the FMA’s specialists can concentrate on the suspicious cases identified by the system. Special IT applications were developed for this purpose, which also communicate with the Financial Instruments Reference Database (FIRDS) of ESMA and the internal systems of the supervisory authorities of the EEA countries. The FMA’s internal IT systems validate the incoming reports according to predefined rules at both the technical and content levels. If these validations are successful, the transactions are stored in the FMA-Database for further analysis. If this gives rise to suspicions of misconduct on the part of market participants, the FMA carries out further clarifications or takes appropriate enforcement measures.

Transaction data aggregated on a monthly basis 2018-2021 (Source: FMA)

The volume of transaction data shows a clear correlation to the respective market trend. Consequently, fluctuations on the stock markets (bull market or bear market) lead to a striking increase in the transaction data received. “For the purposes of effective data analysis by competent authorities, there should be consistency in the standards and formats used when reporting transactions. […] In order to enable effective market monitoring, transaction reports should include exact information on any change in the position of an investment firm or its client resulting from a reportable transaction at the time such transaction took place. Investment firms should therefore report related fields in an individual transaction report consistently and should report a transaction or different legs of a transaction in such manner that their reports, collectively, provide a clear overall picture which accurately reflects changes in position.”[11]

Interdependence of transactions to the stock market performance (Source: FMA)

The European regulator does not give the NCAs any guidelines on how the transactions are to be evaluated. However, it seems likely that the data sets are evaluated by means of rigid rules and that currently no NCA uses AI technology for the evaluation.

4. From legacy processes to a unified approach

It is now to be examined whether the evaluation by means of AI by an external FinTech company can contribute to increasing the efficiency and effectiveness of the transaction monitoring and evaluation system. The evaluation by means of rigid rules which, moreover, are neither coordinated nor standardized at European level, harbors significant risks. There is a risk that transactions will be assessed differently in the individual countries and there is no common level playing field.

The reporting of transaction data must be received by the FMA no later than 21:00 on the working day following the day on which the transaction was executed (e.g. transactions executed on day T should be reported no later than 21:00 on day T+1). Investment firms may also report details of their trades executed on day T on the same day (e.g. day T). It does not matter whether the reporting is done by the investment firms themselves, by an ARM (approved reporting mechanism) acting on their behalf or by the trading venue through whose system the trades were executed. The information must be submitted to the trading venue or the ARM by the securities firm in good time so that the trading venue or the ARM can submit the report to the FMA within the deadline of T+1. The financial intermediary, which is obliged to report, has no influence on the criteria according to which the data are analyzed. However, it is in the nature of things that the supervisory authority only wants to and may sanction punishable behavior. The previously uncoordinated European approach to transaction evaluation can thus be standardized. A level playing field will be created and inefficient gold plating is prevented.

5. Standardized reporting as a counterpart to Open Finance

A cornerstone for Open Finance is PSD2[12]. This abbreviation stands for the revised Payment Services Directive. The first regulations of PSD2 were already put into effect in January 2018. In summary, a number of new regulations have been adopted that are intended to make payment transactions better overall. The EU directive focuses on the regulation of payment services and payment service providers. But PSD2 is less relevant for the transaction monitoring and evaluation system. The requirements can rather be found in the Delegated Regulation[13] (EU) 2015/2366 from 2017. However, since standardization through interfaces and uniform requirements (templates) has been created here as well, the two regulations are comparable in spirit as counterparts. The same principle applies here: without standardization of the input, there will never be any automation of the output.

6. AI-supported transaction monitoring and evaluation

The current evaluation model of transaction data is based on rigid rules and has its weaknesses. According to the trial-and-error principle, the FMA aims to detect the right hits or abusive behavior. After careful and time-consuming examination, the findings are manually entered into the system, which is based primarily on individual findings and the personal assessment of the supervisor in charge. Anomaly detection based on AI and ML, on the other hand, would have advantages: a negative bias with regard to certain securities, markets, volumes, sectors or currencies would be eliminated from the outset if the algorithm for evaluation is checked by various bodies and subjected to constant control. In such a cybernetic system, there are several adjusting screws that guarantee an effective and efficient evaluation. One no longer assumes rigid rules in the sense of a secret science, but transparently discloses the underlying model.

One thing is clear, however: no matter how fast or how slow the implementation of AI and ML is at a supervisory authority, the development cannot be stopped. Monthly transactions will continue to increase, and manual or purely rules-based evaluation has long been part of a romanticized supervisory narrative. The link between computer science (AI and ML) and law (regulation) is not a development of modern times. More than 40 years ago, Niblett showed in his still relevant publication the manifold relationships between lawmaking and computer-aided analysis. Clear rules, structures and procedures are important. Thus, even then, requirements for transparency and disclosure applied so that the underlying algorithms of an AI evaluation could also be programmed.[14]

7. Regulation

MiFID II and MiFIR[15] together provide a European legal framework for the requirements imposed on investment firms, trading venues, data reporting services and third country firms offering investment services or activities in the Union. MiFID and MiFIR were implemented in Liechtenstein in the Banking Act and the Asset Management Act.

The Market Abuse Regulation (MAR)[16] was adopted in the EU as a package together with Directive 2014/57/EU[17] on criminal sanctions for market manipulation (MAD). Both pieces of legislation entered into force in the EU in the year 2014 and have been applicable since 2016 for organized trading facilities, SME growth markets and emission allowances or auctioned products. The Market Abuse Regulation (MAR) is amended by Regulation (EU) 2016/1011[18] (Benchmark Regulation) and Regulation (EU) 2019/2115[19] (SME Growth Markets Regulation). With the Market Abuse Regulation, the EU legislator has created a harmonized framework for maintaining market integrity, which is a prerequisite for an integrated, efficient and transparent financial market. The aim is to promote investor protection and thus strengthen public confidence in the functioning of securities markets. To ensure transparency, market operators must report all financial instruments admitted to trading or traded on a trading venue or any lapse of an admission to the competent authority, which forwards this information to ESMA, where the data is kept in a public list. The Regulation prohibits insider dealing and unlawful disclosure of inside information and market manipulation, except for the trading of own shares in the context of buy-back programs and stabilization measures. The terms insider information, insider dealing and market manipulation are comprehensively defined and specified by Level II legal acts of the Commission or guidelines of ESMA. At the same time, it is stipulated that the prohibitions do not apply insofar as they concern legitimate actions, market soundings or a permissible market practice within the meaning of the Market Abuse Regulation.

8. Data privacy (GDPR) and ethics

The protection of personal data and the appropriate handling of such data is a central concern of every Financial Market Authority. The FMA processes personal data exclusively in accordance with the general data processing principles of the Regulation (EU) 2016/679[20] (GDPR) and complies with the internal statutory data protection provisions. Delegating data analysis to FinTech companies, for example, raises various data protection issues. In general, the FMA is subject to the same provisions as a private service provider. However, it is important to consider that the trust in a state authority is higher than in a start-up from the FinTech sector, especially in the case of such highly sensitive personal and transaction data. In any delegation, the responsibility for selection, instruction and supervision lies with the delegation provider. According to the law, the FMA is subject to the provisions regarding state liability. The Principality of Liechtenstein, as the supreme supervisory authority, would probably be justifiably critical if highly sensitive personal data were evaluated by third parties and the responsibility remained with the Principality of Liechtenstein by means of state liability.

With regard to ethical issues, it should be noted that it is not clear to the financial intermediary or the client exactly what criteria are used to analyze the transaction data. This caution is understandable if one considers that the FMA does not want market participants to be able to circumvent the transaction control. This would be easily possible if the fixed criteria were disclosed. The situation is different if the transaction analysis is done according to the principles of AI and ML. Here, the FMA or the external service provider can, for example, adhere to the still non-binding European ethical guidelines for the application of AI. The system in itself will thus gain in trustworthiness and transparency.

9. Conclusion

This paper has shown that AI would be very suitable for anomaly detection in transaction data. The rigid system of rule-based criteria could be replaced by a transparent and dynamic system. However, the wish that this evaluation could be carried out by a third-party company in the future must be assessed negatively. Instead, the supervisory authority should be enabled professionally, technically and monetarily to be able to carry out this programming and evaluation autonomously on the basis of AI. This presupposes that the image of the classic supervisor will change. In the future, the procedural lawyer will increasingly be replaced by the data officer, programmer and data analyst. The previous task of a supervisor, e. g. the evaluation of reports, can also be evaluated automatically within the framework of a data portal and the standardized delivery of company data, and the supervisor concentrates on the outliers and investigates the relevant reason why. AI-based transaction evaluation will be a big step into a risk-based and a real-time supervision.[21]

10. References

Lötscher Marcel (2019) “SupTech – Challenges posed by supervisory transformation”. In DeStefano Michele & Dobrauz Guenther (Eds.). New Suites – Appetite for Disruption in the Legal World, Bern: Stämpfli, 439-458.

Niblett Bryan (Ed). (1980). Computer Science and Law, Cambridge: Cambridge University Press.

[1] This paper reflects the personal opinion of the author. The statements do not claim to correspond to the position of the Financial Market Authority (FMA) Liechtenstein and should be kept in the context of the academic work (FLF5743).

[2] Supplemented and updated extract from my own chapter: Lötscher Marcel (2019) “SupTech – Challenges posed by supervisory transformation”. In DeStefano Michele & Dobrauz Guenther (Eds.). New Suites – Appetite for Disruption in the Legal World, Bern: Stämpfli, 439-458.

[3] See also the online report EBA (Ed.) Bringing artificial intelligence to banking supervision. Available from https://ww [Accessed 12th March 2021].

[4] Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments […] Official Journal L 145, 30/04/2004 P. 0001-0044, so called MiFID I (replaced by MiFID II).

[5] According to MiFID investment firms means any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis (see Art. 1, 1 MiFID II).

[6] Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments […] Official Journal of the European Union L 173/349, 12.06.2014, so called MiFID II.

[7] Commission delegated Regulation (EU) 2017/590 of 28 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the reporting of transactions to competent authorities, Official Journal of the European Union L 87/449, 31.03.2017.

[8] See the FIRDS Database available under gisters_firds [Accessed 12th March 2021].

[9] See the complete table noted in (EU) 2017/590 (see above FN 7).

[10] Extracted and updated of data published in the FMA’s Annual Report of 2020, see 20210517_fma_geschaeftsbericht_20_en_interaktiv?fr=sMDMxNTM0NTk2NTQ [Accessed 14 March 2021].

[11] Considerations (1) and (11) in (EU) 2017/590 (see above FN 7).

[12] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market […] Official Journal of the European Union L 337/35, 23.12.2015, so called PSD2.

[13] See above FN 7.

[14] Niblett Bryan (Ed). (1980). Computer Science and Law, Cambridge: Cambridge University Press.

[15] Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments […] Official Journal of the European Union L 173/84, 12.06.2014, so called MiFIR.

[16] Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) […] Official Journal of the European Union L 173/1, 12.06.2014, so called MAR.

[17] Directive 2014/57/EU of the European Parliament and of the Council of 16 April 2014 on criminal sanctions for market abuse […] Official Journal of the European Union L 173/179, 12.06.2014, so called MAD.

[18] Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds […] Official Journal of the European Union L 171/1, 29.06.2016, so called Benchmark Regulation.

[19] Regulation (EU) 2019/2115 of the European Parliament and of the Council of 27 November 2019 […] as regards the promotion of the use of SME growth markets, Official Journal of the European Union L 320/1, 11.12.2019, so called SME Growth Markets Regulation.

[20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data […] Official Journal of the European Union L 119/1, 04.05.2016, so called GDPR.

[21] See also the Report by Hertig, Gérard (2021). Using artificial intelligence for financial supervision purposes (online). Available from : AI% 20 and%20Financial%20Supverision%20(Feb-1-2021).pdf [Accessed 12th March 2021].
