IPR 7 Data Licence Compliance: Audit Traps & Triggers
7.1 Why do Data Sources audit their clients?
FISD in their 2009 Best Practice Audit Document, has defined the audit purpose as being ‘to verify compliance with contract obligations and policies. In particular, the examination of the correct remuneration for the Information entitled and the identification of potential sources of error as well as the cure of potential errors. This involves verification and assessment of controls over Information at client sites’.
While this is an accurate summation of the reason to audit, FISD’s overall document is designed to define how an audit is conducted, and does not provide guidance with dispute resolution.
There are 2 compliance, 1 relationship and 2 business, reasons to conduct audits:
The level of audit competence varies significantly with the best setting high standards. But many auditors have little formal training, while motivation for others can be driven more by their commission opportunities than professionalism.
Some exchanges push the envelope in auditing to a degree that could, indeed, should be ethically questioned. In a desire to identify findings, interpretation of policies becomes elastic.
Other exchanges pay (usually external) auditors a bare minimum, with the resultant audit reports proving the old adage, ‘You get what you pay for’.
7.2 The Audit Environment
For transparency purposes, I must make clear that we as a company have undertaken both audits and audit defences. It is a point of pride to say we have acted on the basis of absolute professional integrity, and great success.
Compliance & Resources
In general, the vast majority of financial institutions try to be compliant with their contracts with data suppliers. Inevitably, the majority of those financial institutions under-resource the teams tasked with being compliant.
This means there is usually limited internal access to compliance expertise, and the time available to conduct a proper internal assessment of potential liabilities is not made available.
Naturally the larger the institution the greater the number of sources, vendors, external links and internal market data flows. This produces a complex, fluid environment increasing the difficulty in managing market data on an enterprise basis. The result is the almost definite certainty that there is a lack of compliance somewhere within the organisation. Both the auditors and the audited parties know this, but do not necessarily know where leakage is occurring.
This promotes a mutual acceptance of coming to a mutual agreement through a negotiated settlement. This results in:
Yet even smaller or less complex consumers of market data must avoid complacency. Changes in agreements, policies, fees always catch the unwary.
7.3 Audit Triggers
The criteria for triggering an audit can be complex, based on rational interpolation and/or anecdotal evidence, feedback.
It is autumn time and while the leaves are gently falling, exchanges are busily preparing their next year’s audit programme. The methodology varies in scientific approach, but there are underlying principles.
7.4 Audit Targets
Traditionally exchanges have been consistent in their strategy, go after the big financial institutions, then keep returning. As these Banks are usually concentrated in New York and London plus a few other centres, it has become an audit carousel. Some Banks have to manage 20+ audits simultaneously.
However, now the Big Banks are demanding, and getting, audit breaks, i.e. an exchange will not return for an audit for the next 3 years, or even longer.
This is forcing exchanges to seek new audit candidates, and are taking aim at a wider range of Tier 2 Banks, asset managers, hedge funds, retail brokerages and institutions, especially those based outside the main centres.
And these institutions are generally ill-prepared.
They lack the internal resources and expertise to defend themselves, and without experienced advice are all too willing to accept an exchange’s audit findings without question, or adequate validation.
The audit dragnet is growing in both breadth and depth of coverage. More institutions are being impacted and they need to be better equipped than they are today.