The latest edition of the FCA’s Market Watch newsletter focuses on recent observations from supervising the UK MiFID transaction reporting regime, covering remedial timelines, back reporting, and transaction reporting errors and omissions notifications (for example, breach notifications).
The FCA has advised firms to “consider integrating these into their existing processes to support efficient transaction reporting,” and says it won’t create any additional burden for them.
According to the regulator, there are still “persistent inefficiencies” in the way firms identify, address and disclose reporting issues despite the fact the MiFID requirements have been in place for a while now.
Remedial timelines
The FCA says it expects firms to be proactive and transparent in their remediation process. It accepts that some reporting issues might be complex and will take longer to be resolved, but adds that other issues “should be addressed swiftly to prevent prolonged risk exposure.”
According to the regulator, some of the reasons why remedial exercises extend beyond reasonable timelines include:
- “taking excessive time to present a remedial plan or implement corrective actions;
- “missing deadlines set by internal governance bodies or the FCA;
- “requesting extensions without justifiable reasons;
- “an absence of measurable progress between regulatory check-ins;
- “repeatedly revising root causes or impacted volumes of transaction reports.”
Common themes in the root causes of delayed remedial work include:
- “Internal processes: Siloed teams, fragmented ownership of tasks and lengthy approval chains slow down decision making.
- “Resourcing: Assigning insufficient resource to resolve issues effectively and competing business priorities resulting in slower response times.
- “Difficulty in tackling the root cause: Focus on fixing the symptoms rather than the root cause leads to issues resurfacing.
- “Compliance culture: Reactive culture results in firms addressing issues only when prompted.
- “Governance: Weak structures and lack of accountability lead to loss of momentum as remedial work is not managed centrally or treated with urgency.”
Back reporting
According to the FCA, back reporting is important for building trust in data and allowing the regulator to investigate market abuse. It says any delay in back reporting limits its ability to carry out those regulatory duties.
It adds that “protracted remediation of an issue and delayed back reporting each presents a different set of operational and compliance risks.”
There are multiple reasons for delays in back reporting, such as:
- Crystallized compliance risk means a firm finds a fix for an issue and applies it, but fails to check whether the same issue might have caused reporting errors in the past. This is non-compliance and indicates a lack of oversight and issues with internal processes.
- Internal governance weakness refers to a scenario where firms don’t get their reporting priorities right, “such as prioritising back reporting for the waiver indicator over submitting transaction reports for unreported exchange traded derivative transactions.”
- Data access and infrastructure limitations mean delays in back reporting due to inaccessible historic data “because data was archived incorrectly following a system migration.” The FCA says: “This raises concerns about data governance, record keeping controls and data retention as part of change management.”
- Impact on BAU (business as usual) arises when day-to-day reporting accuracy falls short of expected standards because “compliance and operational teams diverted resources to data retrieval, validation, testing and regulatory engagement.”
Breach notifications
The FCA says it expects breach notifications “to clearly describe the issue, its root cause, and highlight any gaps or weaknesses in reporting processes, data governance and controls” as they have an impact on data quality.
Overall, the regulator says it received 241 breach notifications in the first quarter of 2025. Key observations include:
- “83% of notifications provided a clear description of the issue identified;
- “76% of notifications provided a clear account of the root cause(s);
- “85% of notifications provided the exact volume of transactions impacted, 8% provided an approximate volume, 7% did not provide a figure (2% without justification);
- “74% of notifications provided a precise relevant period, 21% offered an approximation, 5% did not provide a relevant period (3% without justification);
- “66% of notifications provided clear and relevant information on weaknesses in systems and controls, 31% provided inadequate details, 3% left this section blank;
- “75% of notifications provided clear and relevant information regarding details of plans to address weakness, 16% provided inadequate information, 9% left this section blank;
- “80% of notifications provided sufficient information, 18% provided inadequate information by indicating escalation but not specifying the relevant forum, 2% left the section blank.”
Responding to the publication, Rob Mason, Director, Regulatory Intelligence at Global Relay, said these were “All fairly basic and reasonable observations” while caveating that it was “a very difficult and complex mechanism which firms still wrestle with, mainly due to a lack of tackling root cause data source issues and under-resourcing.”