RegTech surveillance: breaking silos with digital models

Time to get your trade surveillance models in order: digitize the 3 Lines model and get ahead of the new tech conduct risk obligations.

The concept of having everyone on the same data page at lower cost and a holistic risk framework has always made sense, but the industry has lacked motivation to execute.

With hefty fines being administered and increased regulatory scrutiny, firms are dedicating significant resources to get their trade surveillance models in order. The common domain model could help digitize the 3 Lines model and get ahead of the new conduct risk obligations lurking in new AI, Cloud, and third-party risk obligations.

Key messages

  • Over $2bn in fines have landed; the message: extended surveillance is not optional;
  • Firms are devoting large resources to get their data and ‘3 lines models’ right;
  • New non-financial and conduct risk agendas will pressure boards to upgrade their approach to integrated risk by 2025;
  • New surveillance capabilities are required along with new common domain-driven standards to align the data which powers it; and
  • Better solutions will enable the elaboration of best practices and deliver a holistic view of integrated risk in a better, faster, cheaper and safer manner.

Surveillance – all fine?

The regulatory world has been abuzz since December 2021, with fines issued predominantly by US federal regulators for recordkeeping failures; specifically, for failing to capture and retain certain communications and, by extension, not having or being able to produce those communications if and when required by a regulator.

The $2bn total in fines has gotten the message across. It is not good enough to have a high-level compliance policy that is not followed by even the Compliance staff.

Is the root cause for these fines poor conduct, poor technology, bad record keeping or poor data? The answer is ‘yes’ to all. Al Capone went to Alcatraz for tax evasion because the paperwork got him, but the real transgressions had little to do with paperwork.

The importance of Surveillance data

JWG’s industry discussions reveal firms’ surveillance programmes to be consuming nearly as much resource as their anti-money laundering programmes. When looking at a surveillance programme, firms have been focusing on the quality and consistency of their customer and market data.

According to a Thomson Reuters news report, to save time and money, firms do minimal KYC checks, but then hire hundreds of people to wade through alerts, most of which are false positives.

Instead, firms should model what good and bad transactional behaviour looks like to contextualize customer behaviour. That means collecting demographic and transaction data to model life events.

Breaking Silos

On June 8, the Financial Markets Standards Board (FMSB), which represents global wholesale financial markets, published its updated 3 Lines Model. The framework, which helps professionals assess risk, is designed to overcome siloed knowledge, ‘fudged’ accountability, excessive duplication, protracted technical issues and misconduct.

The update notes that “infrastructure that demonstrated a weak approach …might be expected to attract adverse regulatory consequences.” It lists seven issues for tools, analytics and monitoring:

  • Data sourcing – lack of a ‘golden source’;
  • Efficacy of controls – undermined due to lack of independence or expertise;
  • Point of control – the location of monitoring in the context of the risk;
  • Risk identification – teams lacking adequate business knowledge;
  • Technical complexity – skills may be inadequate for complex tooling;
  • Experience – skills may lack the breadth and depth required;
  • Duplication – infrastructure, process or reporting overlaps / testing underlaps; and
  • Obsolescence – reliance on outdated technology.

Clearly, the industry is struggling to define what ‘good data and tooling’ looks like.

The Surveillance RegRadar 2025

The front office is under pressure to account for how well it deals with new technology risk rules to mitigate Cyber, Cloud, Operational Resilience, and third-party risk.

As we have detailed in our 2022 research analysis, boards will be forced to ask many more difficult questions about their cloud providers, the use of AI by their applications and how safe the supply chain is from cyberattacks.

The firms’ boards must work to develop an effective risk management strategy that meets regulatory obligations so they can meet accountability regime rules which make consequences even more personal for senior management.

Trade compliance capabilities 

In short, new surveillance capabilities are required to deal with regulatory challenges and a common domain-driven standard can help align the data which powers it.

To ensure a proper risk management strategy, firms should look to implement a solution that can capture, retain, and analyse all regulated employee communications, across all communication platforms.

AI-powered analytics – which include machine learning, anomaly detection, smart classification, Natural Language Processing, advanced speech, and behavioural analytics – should be implemented to analyse, understand and reveal the true meaning of conversations, reducing false positives.

Firms should also evaluate compliance solutions as a service which may achieve:

  • faster deployment;
  • reduced infrastructure, operational, training and maintenance costs;
  • simplified upgrades;
  • scalability, resiliency and security; and
  • streamlined innovation.

Regardless of which route you choose, one way to get aligned with peer firms’ data capabilities is through the open-source Common Domain Model (CDM), an industry blueprint for how products are traded and managed across the trade lifecycle. Having a single, common digital representation of trade events provides a bedrock for business and compliance processing needs.

It helps align risk frameworks and a data framework for effective market surveillance in the language of each business. It can provide a compliance-driven view of data requirements of business events and risks and align practitioners on the way they manage individual risk.

Market practitioners believe that it is incumbent upon the industry bodies to help drive the agenda around the common domain model to help solve difficult challenges like this. Digitized best practices, test data and code will increase data quality, cut costs and reduce implementation risk.


A relentless drum beat of new compliance demands is driving the industry toward digital models that help professionals work out what good looks like and how to achieve more integrated risk solutions.

By putting in place better solutions and aligning what good looks like across firms we can elaborate best practices and deliver a holistic view of integrated risk in a better, faster, cheaper and safer manner.

PJ Di Giammarino is an independent financial services RegTech authority and global standards advocate. Seeing the RegTech opportunity early, he founded JWG Group in 2006 to provide practitioners a platform for Joint Working Groups. As an independent think tank, JWG leverages its unique position with regulators, firms and their suppliers to facilitate the right RegTech dialogues and drive global change.

Currently JWG is working with the top players in the industry to deliver on the promise of digital regulatory reporting for global OTC derivatives and defining holistic management obligations for trade surveillance.