Spreadsheets, are they worth the risk when it comes to insider management?
Of course companies can maintain their insider lists using Excel spreadsheets (or indeed Word documents). But if you are thinking of doing this you need to fully understand the risks you are taking; these risks may be significant and the outcomes unpalatable.
One requirement under MAR is that a company must be able to provide a snapshot report of their insider list at any moment (date and time) in the past 5 years. The report must be in a set format and must be available “as soon as possible” when requested. There are four critical date/time stamped items of information:
The date and time at which the insider section was first created;
The date and time that a person obtained access to insider information;
The date and time at which a person ceased to have access to inside information; and
The date and time that the insider list was last updated prior to an FCA request.
Whilst all these dates will be different, surely it is a fairly simple process to record them? Problems should not occur as long as the user (and the designer of the spreadsheet) fully understands the MAR requirements, the list is changed when information changes, appropriate date stamping formulae are included, and manual dates are entered where these cannot come from auto-date stamping. Of course, don’t forget that the date recorded must be “UTC” (which is actually GMT). So always check that the information you receive from different time zones is recorded correctly.
All these requirements mean that very great care will be needed to ensure that:
The spreadsheet is set up to work exactly as MAR requires;
Formulae are not inadvertently corrupted;
Overwriting is avoided - one of the biggest risks is that an updated spreadsheet is saved over the previous version. If this happens the previous version will have been lost and there will be a hole in your data;
The system records all the relevant data all the time - approaching an insider for further details when an enquiry has been commenced could constitute “tipping off”.
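The record-keeping shape these requirements imply, as an added example that is not part of the original article and not a regulator-prescribed format: an append-only log that keeps both the time an event happened and the time the list was updated, normalises every timestamp to UTC, and rebuilds the list as it stood at any past moment. The class, field and event names are hypothetical, and the sample data is constructed.

```python
from datetime import datetime, timezone, timedelta

def to_utc(ts):
    """Normalise to UTC; refuse naive datetimes, whose zone is unknown."""
    if ts.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return ts.astimezone(timezone.utc)

class InsiderLog:
    """Append-only log: events are added, never edited or saved over."""
    def __init__(self):
        self._events = []

    def append(self, kind, effective, person=None, recorded=None):
        # kind: section_created | access_obtained | access_ceased
        # effective: when it happened; recorded: when the list was updated
        recorded = to_utc(recorded or datetime.now(timezone.utc))
        self._events.append((recorded, kind, person, to_utc(effective)))

    def snapshot(self, as_of):
        """Rebuild the list exactly as it stood at `as_of`."""
        cutoff = to_utc(as_of)
        snap = {"section_created": None, "last_updated": None, "insiders": {}}
        for recorded, kind, person, effective in sorted(
                self._events, key=lambda e: e[0]):
            if recorded > cutoff:
                break
            snap["last_updated"] = recorded.isoformat()
            if kind == "section_created":
                snap["section_created"] = effective.isoformat()
                continue
            row = snap["insiders"].setdefault(
                person, {"obtained": None, "ceased": None})
            key = "obtained" if kind == "access_obtained" else "ceased"
            row[key] = effective.isoformat()
        return snap

def demo_log():
    """Constructed sample data; the name and all times are invented."""
    utc, cet = timezone.utc, timezone(timedelta(hours=1))
    log = InsiderLog()
    log.append("section_created", datetime(2024, 3, 1, 9, 0, tzinfo=utc),
               recorded=datetime(2024, 3, 1, 9, 5, tzinfo=utc))
    log.append("access_obtained", datetime(2024, 3, 1, 11, 30, tzinfo=cet),
               "A. Example", recorded=datetime(2024, 3, 1, 10, 45, tzinfo=utc))
    log.append("access_ceased", datetime(2024, 3, 8, 17, 0, tzinfo=utc),
               "A. Example", recorded=datetime(2024, 3, 8, 17, 10, tzinfo=utc))
    return log
```

Because nothing is overwritten, a snapshot taken for 2 March shows the insider with no cessation time, while one taken for 9 March shows both times; the 11:30 entry supplied in UTC+1 is stored as 10:30 UTC.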
Employees don’t last for ever
Another point to consider is that your spreadsheet will have been written by one of your team. On a change of personnel the new spreadsheet owner may not be as familiar with the spreadsheet, nor aware of its structure and design or of the overwriting risk (and, for that matter, of where earlier versions have been saved).
“Now, where on earth did I put that sheet?”
Users may save some of the sequence of spreadsheets on a laptop or PC hard drive rather than on network drives, or they may open new network folders because they are unaware of the correct path. As a result the flow of data and its “ancestry” could be interrupted or corrupted and the wrong spreadsheet version updated or, worse still, one or more locally saved spreadsheets could be lost. At that point your company can no longer provide the list status at any time in the past five years.
“Now, where on earth did I put that key?”
Finally, the need to encrypt data may not be appreciated by everyone, thus leaving spreadsheets open to data theft. Worse still, a user may encrypt a sheet but fail to register the password (“key”) with central IT. If he/she is involved in a fatal accident, one or more iterations of the spreadsheet could be lost.
The road to hell is paved with good intentions!
The obvious conclusion to this is that using spreadsheets (or Word documents) would be madness. But is there any argument that, whilst there may be a high risk that data would be lost resulting in a failure to comply with MAR, the downside isn’t too painful; surely there will be no wailing and gnashing of teeth?
The penalties associated with MAR don’t simply target the use of inside information for gain; they also attach to failures in administrative procedures in maintaining lists etc. The provisions can be found in Article 30 of MAR.
The penalties include:
A public warning (most Co Secs and CEOs would prefer to avoid this)
A maximum fine of €500,000 on the individual and
A maximum fine of €1,000,000 on the company.
We understand that in the UK these maxima have not been enacted and thus, in theory, unlimited fines could be applied.
There are also criminal sanctions in the UK.
It would be hoped that the mere failure to maintain the integrity of your insider lists would not attract such harsh treatment, but do you want to take the risk? For most companies, being subjected to a public admonishment and a fine is something Co Sec teams would want to avoid. Certainly there have been recent examples of quite substantial (six figure) fines and public criticism for what some would say was merely an administrative model code error with no real market effect.
So, ask yourself, is a “simple in-house spreadsheet” really worth the risk?
It’s not just about dates, saving and encryption
In this article we have not covered the other features of any appropriate system (whether in-house or proprietary). Whilst not an exhaustive list these would include: