Learning Objective

8.3.2 Know the offences that constitute market abuse and the instruments covered

Market abuse is an offence introduced by the Financial Services and Markets Act 2000 (subsequently amended in the Market Abuse Directive 2005 (MAD)). It relates to behaviour by a person or a group of people working together, which occurs in relation to qualifying investments, on a prescribed market, and which satisfies one or more of the following three conditions:

1. The behaviour is based on information that is not generally available to those using the market and which, if it were available, would have an impact on the price.

2. The behaviour is likely to give a false or misleading impression of the supply, demand or value of the investments concerned.

3. The behaviour is likely to distort the market in the investments.

In all three cases the behaviour is judged on the basis of what a regular user of the market would view as a failure to observe the standards of behaviour normally expected in the market.

The Treasury has determined the ‘qualifying investments’ and ‘prescribed markets’ – broadly, they are the investments traded on any of the UK’s recognised investment exchanges (RIEs) such as the LSE main market and AIM.

An example of prohibited market abuse was the spreading of false rumours in March 2008 about certain companies listed on the LSE. It was suspected that those spreading the rumours were holding short positions in the companies – in other words, they had sold shares which they did not own, in the hope of buying them back at a lower price in the future. The spreading of false rumours was designed to push down the price.

5. Data Protection

Learning Objective

8.4.1 Understand the impact of the Data Protection Act on firms’ activities

The Data Protection Act 1998 details how personal data should be dealt with to protect its integrity and to protect the rights of the persons concerned.

In order to comply with the Act, firms have a number of legal responsibilities, including:

• notifying the Information Commissioner that they are processing information;

• processing personal information in accordance with the eight principles of the Data Protection Act;

• answering subject access requests received from individuals.

Any firm that is holding and processing personal data is described as a data controller, and is required to comply with the Data Protection Act. The firm must be registered with the Information Commissioner. The Data Protection Act lays down eight data protection principles:

1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner that is incompatible with those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

4. Personal data shall be accurate and, where necessary, kept up-to-date.

5. Personal data shall not be kept for longer than is necessary for its purpose or purposes.

6. Personal data shall be processed in accordance with the rights of the subject under the Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, the personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection in relation to the processing of personal data.

Under these principles, firms are therefore required to take particular care if financial or medical information is held on a laptop or other portable device. Data should be encrypted, and organisations must have policies on the appropriate use and security of portable devices and ensure that their staff are properly trained in these.

Other steps that can be taken to keep data safe include the following regulatory recommendations:

• Employees should not have access to data beyond that which is necessary for them to perform their job. When possible, data should be segregated and information such as passport numbers, bank details and social security numbers should be blanked out.

• All forms of removable media should be disabled, except when there is a genuine business need. There should be no physical means available for unauthorised staff to remove information undetected.

• When laptops or other portable devices are in use, these should be encrypted and wiped afterwards. Usage of such devices should be logged and monitored under the authority of an appropriate individual. Watertight policies on using such devices should be in place.

• Software that tracks all activities, as well as web surfing and email traffic, should be installed on every single terminal on the firm’s network, and staff should be aware of this.

• The firm should completely block access to all internet content that allows web-based communication. This includes all web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file-sharing software.

• The firm should conduct due diligence of data security standards of its third-party suppliers before contracts are agreed, and review this periodically. If the firm chooses to outsource its IT, conduct checks should also be made on the supplier's staff, since they have access to absolutely everything on the firm’s network.

• All visitors to the firm’s premises should be logged in and out, and be supervised while on site. Logs should be kept for a minimum of 12 months.

If a firm outsources, there are data protection implications. Firms must assess that the organisation can carry out the work in a secure way, check that they are doing so and take proper security measures. The firm must also have a written contract with the organisation, which lays down how it can use and disclose the information entrusted to it.
