Newsletter Details

Controlling access to inside information

The Financial Conduct Authority (FCA) has expressed concern about systems in place for controlling access to inside information following the conviction of Fabiana Abdel-Malek, a former senior compliance officer in the London office of UBS.

Abdel-Malek was found guilty of five counts of insider dealing under s. 52(2)(b) of the Criminal Justice Act 1993, which makes it an offence for a person who has access to inside information to disclose that information to another person, otherwise than in the proper performance of the functions of their employment, office or profession. Such behaviour amounts to unlawful disclosure and is echoed in Article 10 (1) of the EU Market Abuse Regulation (EU MAR).

Abdel-Malek abused her position of trust by repeatedly accessing electronic compliance systems containing inside information about several, as then non-public, price-sensitive corporate transactions. She passed that information on to a family friend, Walid Choucair, an experienced day trader who used it to make a profit of approximately £1.4 million. While Abdel-Malek was named on the relevant insider lists, she had, according to the FCA, no real business need to access the information concerned.

In its August 2019 Market Watch newsletter, the FCA states that by allowing widespread and unchallenged access to individuals who do not require the inside information to do their job, firms increase the risk of that information being disclosed unlawfully. In doing so, it also warns that they are exposing themselves to regulatory action and significant reputational risk. 


Insider lists and access to inside information

EU MAR requires issuers or any person acting on their behalf or on their account, to draw up a list of all persons who have access to inside information and who are working for them under a contract of employment, or otherwise performing tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies (Article 18.1.a).

The purpose of this insider list is to enable regulators to establish who had access to inside information when investigating suspected insider dealing. However, the FCA says that insider lists often omit the names of people who were provided with or who had access to inside information. It regularly uncovers evidence of individuals not named on relevant insider lists accessing inside information and says that these issues can hinder its investigations.


Insider lists – common failings

The FCA is keen to see an improvement in standards in this area and has dedicated most of its August 2019 Market Watch newsletter to highlight some of the more common failings that it has uncovered in recent reviews of systems and controls to manage access to inside information. Although those reviews mainly related to systems implemented by investment banks, legal advisers and other consultancies, the findings are potentially relevant to issuers as well.

The findings included:

  • Instances of large numbers of support staff having access to documents containing inside information. One insider list suggested that only 12 deal team members worked on the transaction, but that over 600 members of compliance, risk and other support functions also had full access to inside information about the deal.
  • Some insiders are classified as ‘permanent insiders’ and have routine access to all inside information without obvious reason.
  • Failures to restrict access to inside information to those who need it for the proper fulfilment of their role. For example, support staff having the same access rights to inside information as the deal team, regardless of the differing needs of those roles. As an example of good practice, some firms granted IT staff access only to anonymised or code-named folders for maintenance or permission purposes, not to files within those folders.
  • An absence of regular reviews of access rights resulting in access not being terminated after staff change roles or are transferred from projects.
  • Insider lists containing very generic descriptions of the functions of non-deal team staff, for example, ‘Support Function’, or ‘Other Support Function’. The FCA questions whether such non-descriptive titles provide enough information for firms to track and control how inside information is communicated, and whether a valid business ‘need to know’ is being imposed. It recommends that firms should consider whether such descriptions meet the MAR requirement that insider lists should include ‘the reason for including that person in the insider list’ (Article 18 (3) (b)).
  • Insider lists including individuals who did not have access to inside information, rendering them not fit for purpose.
  • Electronic files containing deal-specific inside information stored in general team folders, accessible by front-office staff not working on the deal and not on the insider list.
  • Non-deal team staff in multiple jurisdictions having access to inside information, where some of those jurisdictions had no connection to the transaction.
  • Differing levels and methods of monitoring by firms: In some firms, there was a complete absence of any monitoring. Some firms’ monitoring did not give enough detail on who had accessed inside information. Some firms monitored for repeated access to large numbers of documents, or access outside normal working hours by permissioned individuals, as well as attempted access by non-permissioned staff and from non-permissioned devices. In some firms, responsibility for monitoring rested with dedicated staff within compliance, who had a clear understanding of the need to control access to inside information. In others, monitoring was conducted by more generalised support staff.
  • Some firms were able to provide comprehensive audit trails of access, including instances of ‘read-only’ access. Others were able to evidence only when documents had been created, edited or deleted. A small number of firms were unable to provide any logs of access to inside information at all.
  • Some firms identified inaccuracies in several insider lists previously supplied in response to regulatory requests. These included discrepancies between those lists and records of who was given permission to access the relevant inside information. This suggests that the accuracy of insider lists offers significant room for improvement.


Summary and key recommendations

The FCA has warned that it views the inability to respond to a regulatory request with accurate records of who had access to inside information as an indication of underlying weaknesses in systems, procedures and policies.

‘By allowing widespread and unchallenged access to inside information to individuals who do not require it to perform the proper functions of their employment, firms increase the risk of that information being disclosed unlawfully. In addition, if firms cannot respond appropriately to FCA requests, they may be subject to further regulatory scrutiny. We expect firms to take reasonable steps to ensure that the risks of handling inside information are identified and appropriately mitigated. The Abdel-Malek case is an example of the risks of non-deal team staff being granted access to inside information not being identified and appropriately mitigated, leading to criminal activity’.


Abdel-Malek case

Abdel-Malek’s compliance role at UBS covered investment banking, which meant she was trusted with access to price-sensitive information about potential mergers and acquisitions held on its compliance system. The system contained information about any proposed merger and acquisition transaction that UBS was either pitching for or working on.

Despite being aware of the restrictions on disclosing inside information, Abdel-Malek searched the compliance system and obtained inside information relating to the proposed takeovers of five companies. She created and printed documents containing inside information copied from the UBS compliance system. She then disclosed the inside information to Choucair, who traded in the shares of the target companies:  

  • Vodafone Group Plc’s acquisition of Kabel Deutschland Holding AG (June 2013);
  • Essex Property Trust’s acquisition of BRE Properties Inc. (November – December 2013);
  • LG Household & Healthcare’s potential acquisition of Elizabeth Arden Inc. (April 2014);
  • American Realty Capital Partners’ potential acquisition of NorthStar Realty Finance Corporation (April 2014); and
  • Energy Transfer Equity LP’s potential acquisition of Targa Resources Corporation (June 2014).


Choucair dealt in anticipation of a press article or company announcement that would cause the share price of the target company to rise significantly. He conducted his trading by dealing in contracts for difference (CFDs) through an account held in the name of a company incorporated in the British Virgin Islands with a trading address in Switzerland.

Abdel-Malek and Choucair sought to conceal their activity by using unregistered pay-as-you-go mobile phones, changing and swapping SIM cards at regular intervals, to communicate with one another. On occasions Abdel-Malek would be in contact with Choucair while in the office looking at UBS’s compliance system. To further disguise the fact that she was contacting Choucair, she used an unregistered phone model identical to her work-issued Blackberry. When interviewed after her arrest, Abdel-Malek lied to the FCA and denied using unregistered mobile phones.

Abdel-Malek and Choucair were both sentenced to three years’ imprisonment in June 2019.



Information for subscribers

The above article is relevant to CSP 4.7 ─ Insider lists and control of inside information.