Radical Compliance rarely looks at corporate misconduct as obscure as a broker-dealer improperly trading in the market for U.S. Treasurys, but trust me on this: a FINRA enforcement action last week on exactly that issue does indeed offer the larger compliance community a few lessons worth learning. Let’s take a look.
The broker-dealer in question is Bank of America Securities, which agreed to pay a $24 million fine to settle charges that two employees had engaged in “spoofing,” a fairly serious sin in the financial services world where traders place fake orders to manipulate the price their counter-parties will pay for legitimate orders. Of particular interest to the rest of us, however, are FINRA’s allegations that Bank of America failed to establish a system to supervise employee behavior. That’s a sin that could plague any of us.
First, a primer on spoofing and why it’s bad. In the broker-dealer world, spoofing happens when a trader places a bogus order he has no plans to fulfill, to deceive other market participants into trading at a time, price, or amount that they otherwise wouldn’t. For example, a trader places a large order to buy orange juice futures. Everyone else says, “Oh crap, orange juice futures are spiking, we gotta get on that now before we miss out!” Then the trader cancels his original order.
Spoofing violates FINRA Rule 2010, which says that member firms “shall observe high standards of commercial honor and just and equitable principles of trade.”
According to FINRA’s settlement order against Bank of America, from 2014 into 2021, two now-former employees engaged in 717 instances of spoofing U.S. Treasurys. One employee was a junior trader, the other a supervisor. The supervisor in particular executed more than 500 spoofed orders, even as he managed multiple trading desks for the banks. (Said supervisor was also the junior trader’s second-level manager, but the two acted separately.)
All that is unfortunate enough, and then FINRA lists another violation that should pique the interest of any compliance professional. Bank of America “failed to reasonably supervise for spoofing in the U.S. Treasury markets.”
Implementing reasonable systems of supervision is part and parcel of a compliance officer’s job. So how did Bank of America come up short here?
A Failure to Think Expansively
Bank of America started in a good place, in that it did have written policies and procedures against spoofing as far back as 2014 — but those are table stakes for the modern compliance program. Bank of America didn’t go further, with specific oversight actions to put true force behind those policies. FINRA identified three failures worth our attention.
First, prior to November 2015, the bank didn’t conduct any surveillance or supervisory reviews for spoofing in the U.S. Treasurys market at all.
Second, until mid-2019, the bank surveilled only for spoofing by trading algorithms, not manual spoofing by its traders. Bank of America designed its sole spoofing report to detect only algorithmic spoofing, with parameters that were too narrow to capture the 700+ instances of manual spoofing that happened here.
Third, until the end of 2020, Bank of America didn’t surveil for spoofing of U.S. Treasurys on external trading platforms that its employees used. Instead, its surveillance focused on internal, proprietary trading platforms Bank of America operated itself. Those now-former traders exploited that gap, placing their spoofed orders on the external trading platforms.
So what we had here was a paper compliance program without thoughtful control activities to put those policies and procedures into practice. That’s a compliance offense that we’ve seen many times across many industries (although financial services does seem to suffer this problem quite a lot).
Moreover, once Bank of America did start implementing specific compliance activities to police against spoofing, those activities didn’t align with the risk at hand. For example, the bank did look for spoofing violations — but only in its algorithmic trading, not among manual orders. The bank also looked for spoofing on its internal trading platform — but not on the external platforms employees could also use.
We on the outside don’t know why Bank of America didn’t respond to its spoofing risk with more dexterity. Maybe the bank had technical challenges to overcome; maybe it had personnel shortages. (FINRA did note that BofA “increased the number and expertise of staff” dedicated to surveillance since 2021.) Probably it was a mixture of both.
The Lesson for the Rest of Us
Our lesson here is simply the importance of a good compliance risk assessment. You need to look at what regulation demands of you, and the operating systems at your business. Then think — as imaginatively as possible — about how things could go wrong and give you a compliance violation. For example:
- Do you have controls in place to monitor how your IT systems operate?
- Do you have controls in place to monitor how your people operate?
- How do you see into all the systems your people can access, including systems beyond your direct control?
Those were the failures Bank of America had with its spoofing issue. They are the questions every compliance officer needs to ask. If your answers don’t include clear, specific, tangible actions, then perhaps you’re not supervising employee behavior as well as you should.
Obviously internal audit or anti-fraud teams could provide valuable assistance here (assuming your company has those teams). They could help you game out various ways employees might try to engage in improper behavior, and sniff out shortcomings in your control activities. They can recommend control activities to bridge those shortcomings.
That’s what successful supervision is really about: action. You must take specific, tangible, relevant actions to understand what’s going on in your company and intercept improper behavior. That’s how you put teeth into an otherwise paper compliance program.