Risk-Based Supervision for Securities Supervisors (and Other Supervisors of Small Firms)
Friday, Feb 28, 2020

The purpose of this Note is to help securities supervisors to develop and implement a risk-based, forward-looking and proactive approach to supervision (while preserving the capacity to respond to rule breaches when they nevertheless occur).

Many securities supervisors want to move away from a compliance-based, backward-looking and reactive supervisory approach based primarily on identifying rule breaches and taking enforcement action in response to these breaches. 

The series of Toronto Centre Notes on risk-based supervision published in 2018 and 2019 provides an excellent starting point here. Forward-looking and proactive risk-based supervision is as important for securities supervisors as it is for banking and insurance supervisors. 

However, there are some specific characteristics of the securities sector that require at least some fine-tuning of the generic risk-based approach set out in the first four TC Notes on risk-based supervision.

This Note discusses the application of risk-based supervision to major securities firms; to stock exchanges and other financial market infrastructure; and to the responsibilities of securities supervisors with respect to listed firms and market abuse. It also develops a risk-based approach to small firms which individually may have low impact. The existence of large numbers of small firms is not unique to the securities sector, but it is more common in the securities sector.

This Note does not assume or impose a single definition of the securities sector or of the responsibilities of a securities supervisor. It is recognized that the nature and market structure of the securities sector differs across countries, as do the regulatory perimeters, objectives and mandates of securities supervisors. This is also being affected by technological innovations. Different supervisory authorities will be responsible for different types of firms and activities, and for different types of risks.

In general, however, securities supervisors are likely to be responsible for some combination of investor protection (in both retail and wholesale markets), consumer protection more widely, prudential requirements for securities firms (even if prudential risk may be less pronounced in many securities firms than in banks and insurers), market integrity (including fairness and efficiency, protection against various aspects of financial crime and money laundering, market manipulation, etc.), and disclosures and reporting by listed firms. Securities supervisors may also oversee one or more self-regulatory organizations (for example a national stock exchange that has its own responsibilities for market monitoring).

Examples of risk-based supervision of the securities sector

In some integrated supervisory authorities that cover the securities sector together with the bank and insurance sectors – for example as in Guernsey, Jersey, Ireland, Malta, and Singapore – risk-based supervision is already well-established across all sectors.

Some stand-alone securities supervisors – for example the Hong Kong Securities and Futures Commission – have also adopted a risk-based approach to supervision.

But risk-based supervision is less well-established in many other stand-alone securities supervisory authorities.[2]

Risk-based supervision

The first TC Note on risk-based supervision (Toronto Centre 2018a) dealt with the principles of risk-based supervision. These principles and the motivation for adopting risk-based supervision apply equally in the securities sector. The essence of risk-based supervision – identifying and addressing the most important risks – applies to all financial sector supervisors. The Note observed that:

  • Risk-based supervision focuses on the risks that are most significant from the point of view of the objectives of the supervisory authority.
  • It is a forward-looking and judgment-based approach intended to pre-empt prudential and conduct failures, in contrast to other approaches that are backward-looking and compliance-based, with little scope for the use of judgement.
  • Risk-based supervision does not (and should not aim to) eliminate all risk. It does however provide a systematic and analytical way of identifying and addressing risk.
  • It provides a good basis for dialogue with supervised firms – based on a better understanding of their risks.
  • Supervisory bodies have limited resources. They therefore have to prioritize. Risk-based supervision provides a framework for the efficient and effective allocation of supervisory resources.

The second TC Note (Toronto Centre 2018b) discussed the role of senior management in the promotion and implementation of risk-based supervision. The adoption of risk-based supervision involves radically different ways of doing supervision. The cultural and behavioural changes that need to accompany this are pervasive and should not be underestimated. The senior management of supervisory authorities adopting risk-based supervision need to understand fully the implications of adopting risk-based supervision; actively and visibly support the introduction and operation of risk-based supervision; and be prepared for the fact that – as with any other system – things will go wrong. Senior management needs to be robust in these circumstances.

The third TC Note (Toronto Centre 2019a) covered the development and implementation of risk-based frameworks, including the assessment of the potential impact of prudential or conduct failings at each regulated firm, and for larger regulated firms a supervisory assessment of the firm’s:

  • Inherent risks (such as credit, insurance, market, operational, and conduct risks).
  • Governance, management, and controls intended to reduce and mitigate inherent risks.
  • Financial resources (capital, earnings, and liquidity).
  • Net risks, overall risks, and the direction in which risks may be changing.

The fourth TC Note (Toronto Centre 2019b) addressed the issues involved in turning completed risk assessments into supervisory action plans for medium- and high-impact individual supervised firms.

Applying risk-based supervision to the securities sector

The generic risk-based approach set out in the series of TC Notes requires some adjustment when it is applied to different sectors and to different types of financial institutions. For example, securities supervisors have traditionally focused less on prudential issues than have banking and insurance supervisors – either because many securities firms have limited prudential risk (where they do not take positions and/or protect their customers through the segregation of client assets) or because securities supervisors have not usually been given a financial stability mandate.   

This Note considers six characteristics of securities supervision where some adjustment to the generic risk-based approach may need to be made. Not all of these characteristics will be relevant in every country, but as markets and technology evolve, supervisors will need to have approaches capable of dealing with them. And some of the issues – in particular the approach to small firms – may be applicable beyond the securities sector. The issues are presented here to provide a comprehensive view of what a risk-based approach entails.

Supervision of major securities firms

The risk-based supervision of major securities firms should follow the principles and guidance set out in the earlier series of TC Notes on risk-based supervision. This includes:[3]

  1. Determining the potential impact of the failure of a major securities firm (a prudential failure, a material breach of conduct rules, financial crime, or major control failings) and allocating these firms across impact categories (high, medium-high or medium-low impact). This in turn should drive to some extent the allocation of supervisory resources across these firms, and how a supervisor formulates its supervisory action plan.
  2. This impact assessment should be based at least in part on an agreed view within the supervisory authority of which types of activity and which types of risk score higher in terms of determining impact.
  3. Assessing the inherent risks facing each major securities firm. The nature and relative importance of these inherent risks differ across banks, insurers, and securities firms. For example, there is likely to be a greater emphasis on conduct risk (in both retail and wholesale markets), market risk (for position-taking firms), operational risk, and legal risk when assessing the inherent risks facing securities firms.
  4. Assessing the extent to which the inherent risks are controlled or mitigated through governance, internal controls, risk management, and financial resources. As in other sectors, the senior management of securities firms should themselves adopt a proactive, risk-based approach to ensure the adequacy of a firm’s governance, controls, and resources.
  5. Determining and implementing a supervisory action plan for the securities firm, based on the impact and risk assessment.
  6. Evaluating the effectiveness of the supervisory action plan for the firm, including the extent to which supervisory actions have reduced inherent risks and/or improved the governance, internal controls, and financial resources of the firm.

This risk-based approach is very different from the compliance-based and backward-looking approaches that are still used by many securities supervisors in response to information gathered from regulatory reporting by firms and in some cases also from on-site supervisory visits to a firm. Many securities supervisors use standard formulaic checklists at routine intervals to assess the compliance of securities firms. These checklists cover a number of risks and controls, and are therefore often described as being ‘risk-based’ as a result. But they do not focus on the forward-looking and partly judgemental assessment of the inherent risks faced by a firm and the adequacy of its governance, internal controls, and financial resources in controlling and mitigating those inherent risks.  

Supervision of financial market infrastructure

In addition to major securities firms, securities supervisors may also be responsible for the supervision of market infrastructure such as stock exchanges, other trading platforms, securities custody entities, and securities clearing and settlement systems. This varies across countries, but where such entities are supervised by securities supervisors then what should a risk-based approach look like?

High impact

In most cases such entities are likely to be assessed as being high impact, in the sense that if they failed (either in the sense of becoming insolvent or in the sense of operating ineffectively or inefficiently) this would have a significant adverse impact on the functioning of securities markets. Indeed, stock exchanges and other financial market infrastructure may be of systemic importance, in the sense that failures could have an adverse impact on the rest of the financial system or the wider economy. For example, such failures would make it difficult for market participants to trade securities, or to clear and settle securities transactions, and would make it difficult for non-financial companies to raise capital.

Failures could also have an adverse impact on capital market development and on a country’s wider economic development. There may therefore be risks here to both the supervisory objectives and the wider economic development objectives of a securities supervisor (in many emerging economies the supervisory authorities have both supervisory objectives and wider development objectives).

Risk-based supervision of these entities is therefore likely to be based on a risk assessment of each individual entity and the formulation and implementation of an entity-specific supervisory plan that takes into account both the risk matrix and the impact assessment of the entity. The risk assessment can be structured and captured using the same type of risk matrix as is used for large banks, insurers, and securities firms, as described above.[4]

In addition, such entities should be expected to have their own internal processes for assessing their risks, similar to the internal capital adequacy assessment process (ICAAP) and own risk and solvency assessment (ORSA) for banks and insurers respectively. These internal self-assessments should in turn provide one input to the supervisory risk assessment, so the adoption of risk-based supervision should help to improve the quality of these self-assessments. Supervisors need to check the overall quality and effectiveness of the self-assessments, based in part on dialogue with the entity, and once they are of sufficient quality this should improve both internal management and supervisory oversight.

Inherent risks

The risk assessment should focus on the most significant risks to the supervisory authority’s supervisory objectives (and, where applicable, to any wider economic objectives of a securities supervisor, for example in promoting capital market development). These risks are likely to include in particular operational risks (arising from large volumes, IT-intensive processing and real-time processing); the risk that margin requirements are either set at too low a level or are not properly enforced; legal risk; and strategic and reputational risks. Within the operational risk category, the nature of the operational risks run by a stock exchange may differ from those run by other types of firms. Settlement failures or errors in trade matching would also give rise to unexpected credit exposures.

Risk management and controls

As with other types of firm, the risk assessment should assess how well the inherent risks are controlled and mitigated through the entity’s governance, internal controls, risk management, and financial resources. There is likely to be a particular emphasis here on IT systems and data management issues, reflecting the importance of the smooth functioning of high-volume trading, custody, clearing, and settlement systems; and on the operational resilience of the entity more generally in terms of its ability to ensure the continuity of its key functions and to operate effectively and efficiently in a real-time and high-volume environment, and its ability to deliver a rapid and effective recovery from operational failures.

Supervisory action plan

The risk assessment should translate into a supervisory action plan for the entity.

Self-regulatory organizations

Risk-based supervision needs to take into account the extent to which – as in some countries – entities such as a stock exchange take on the responsibilities of a self-regulatory organization. Here, the stock exchange or other financial market infrastructure has some regulatory and supervisory responsibilities such as the setting of rules and requirements on its member firms, the licensing, monitoring and discipline of member firms, accurate trade data reporting, and the detection and response to price manipulation and other forms of market abuse.

In addition, a stock exchange may have responsibilities for the setting of disclosure, reporting, corporate governance, and other requirements on listed companies, with these companies having to meet initial requirements to issue securities that are listed on the stock exchange (for example the contents of a prospectus), and thereafter to meet reporting requirements, accounting standards, and corporate governance requirements.

A key question is then the extent to which a securities supervisor has – or is perceived to have – an oversight role over the quality and effectiveness of a self-regulatory organization. If so, then the securities supervisor will need to assess the adequacy and quality of the self-regulatory organization’s own governance and senior management, its rules and powers, and the effectiveness of how well these rules are followed. The results of this assessment can then be captured on the risk matrix for the stock exchange, for example by adding one or more columns in the risk management section of the risk matrix to cover the quality of a self-regulatory organization’s rule-making, oversight of its members, oversight of the trading activities of market participants, and oversight of listed companies.

Applying risk-based supervision to small firms

In many countries the financial sector includes a large number of small firms. The securities sector may contain a large number of small firms such as financial advisers, corporate finance advisers, securities brokers, securities dealers, custodians, trustees, fund managers and fund management service firms (trust and corporate service providers[5]), and securities-based crowdfunding operators. Individually, each small firm is likely to be assessed as being of low impact, but widespread failures across a sector or sub-sector could generate significant harm.

This is not unique to the securities sector, since the universe of small financial firms may also include credit unions, insurance and mortgage brokers, microinsurance firms, and employer-based pension plans. However, in general banks and insurers tend not to be ‘small’, not least because of the imposition of minimum capital and solvency requirements and tougher entry requirements on the quality of management, systems, and controls.

A supervisory authority is not likely to have sufficient supervisory resources to undertake a full risk assessment process for each individual small firm. And even if there were sufficient resources this would not necessarily be a good use of those resources, especially when, under risk-based supervision, greater supervisory attention than before is likely to be devoted to the risk assessment and supervisory action plans for larger firms.[6]

A supervisory authority therefore needs to consider what might constitute a good ‘small firms strategy’, in particular for ‘low-impact’ firms. Toronto Centre (2018b) stated that:

“Many supervisory bodies will be responsible for a relatively large number of small firms, each of which may individually have a small impact. Such firms cannot be ignored, however. From a consumer’s point of view, a loss resulting from the failure of a small firm is indistinguishable from that resulting from the failure of a large one. And in many countries, the (often correlated) simultaneous failures of a large number of small firms has proved a high-impact event. Supervisors require a strategy for dealing with small firms. Such strategies … may involve some combination of: a) a very limited allocation of resources for on-site visits to small firms; b) the maximum use of automation in submitting and analyzing statistical data from firms; and c) the use of thematic or horizontal work in which more emphasis is placed on examination of risk issues across groups of firms rather than individually.”

Key elements of a small firm strategy should include the following.

Sector reviews

Reviews should be undertaken of the sectors or sub-sectors that contain large numbers of small firms (these sectors or sub-sectors may of course contain larger firms as well, which will be subject to individual firm-facing supervision). These studies should focus on identifying the key risk drivers and the impact of financial or conduct failures within the sector – what actual and potential harms to investors and other types of consumer have arisen or could arise – and the likelihood of these potential harms arising. Because the focus here is on small firms, these failures are likely to create significant harm only when they occur at several firms at once.

This should be used to identify and target sectors (or sub-sectors) with the greatest potential risks to the objectives of the supervisory authority, which in turn should drive the allocation of supervisory resources. Both the choice of which sectors to review and the initial analysis will be based on the existing information and ‘prior beliefs’ that the supervisor may have about the risks and control failings that may be present, but this information set will develop over time as reviews are undertaken.

Conceptually, this sector or sub-sector analysis is in many respects similar to the risk assessment for a single large firm. The inherent risks, the quality of governance, systems and controls, and the adequacy of financial resources are assessed at an aggregated level for a sector or sub-sector as a whole.[7] A sector review should identify the activities undertaken by firms in this sector or sub-sector; the inherent risks they run; critical sector-specific and generic management or control issues; and the kinds of harm or detriment which failures might create.

Some types of inherent risk and some types of control or financial failures may be specific to individual sectors or sub-sectors. Others may run across sectors, for example the risk of cyber-attacks, money laundering, conduct risk, the control of personal data, adequate financial resources, governance, and culture. But these may still be more pronounced in some sectors and sub-sectors than others.

Unlike the risk assessment of a single large firm, this risk assessment of a sub-sector or sector does not generate firm-specific supervisory action plans, but rather a plan for the sector or sub-sector as a whole, including the use of thematic reviews (see below).

UK FCA sector review of retail investments

The UK FCA undertook a sector review of retail investments. 

The review identified four main types of retail investment – equity, bonds, managed funds, and structured products.

The main distribution channels were found to be wealth managers (in particular, managed funds) and financial advisers.

The most important drivers of change in the market for retail investments were found to be the search for yield in a low-interest rate environment; FinTech developments; demographic changes (an ageing population); and regulation.

The most important identified sources of consumer detriment were:

  – unsuitable, low-quality, and expensive products (including retirement income products);
  – the high cost of financial advice;
  – unsuitable advice (in particular on pension transfers);
  – the impact across the market of cyber-crime and technological disruption; and
  – complex products.

For further details, see UK FCA (2019a).

Risk map

Having undertaken such sector or sub-sector reviews, a supervisory authority could construct a risk map (or heat map) across all of the different types of small firms that it supervises, highlighting for each sector or sub-sector the most significant inherent risks and any significant weaknesses in governance, internal controls, and financial resources.

An illustrative example of such a risk map for a securities supervisor is given in Figure 1. In this example, the rows refer to the securities sectors and sub-sectors in the country, while the columns list the impact of each sector or sub-sector, the inherent risks, controls, and financial resources.

Although not shown here, some of the inherent risks might need to be sub-divided further to identify more specifically the types of risk relevant to each sector or sub-sector – so, for example, ‘retail conduct’ is used here to cover a variety of risks including poor disclosure of key information, poor sales practices, poor quality advice, failure to segregate client assets, poor complaints handling, and so on. 

Note that Figure 1 is purely an illustration of what a completed risk map could look like – it is not intended to capture the impacts, inherent risks, quality of controls or financial resources across sectors and sub-sectors in any particular country. 

Figure 1: Illustrative risk map for small firms (figure not reproduced in this text)

In constructing such a risk map, supervisors would have to begin with their current state of knowledge about impacts, inherent risks, quality of controls, and financial resources across a sector or sub-sector, even if this is not well-developed in some areas of the risk map. Thereafter, the risk map could evolve using additional knowledge and insights gained from sector and thematic reviews, the analysis of the continuing flow of data and information, and supervisory interventions (as shown in Figure 2 below). 

Such a risk map could also be described as one element of a supervisory authority determining its own risk appetite, by identifying where the greatest risks to its supervisory objectives lie.[8] Supervisors would need to make difficult judgements here about their responses to the various combinations of impact, inherent risks, and the quality of governance and controls. For example, a sub-sector could be medium-high impact, with low inherent risk but weak governance and controls, suggesting a need to pursue and remedy the governance and control issues. 

Hong Kong Securities and Futures Commission (HK SFC) risk-based approach to intermediaries

The HK SFC takes a risk-based approach to the supervision of securities market intermediaries. 

Key elements of this approach include:

  • Off-site financial analysis of firms, using data reported by firms on their liquid capital positions, equity, profit and loss, risk management and credit control, liquidity, clients’ securities and monies held, stock holdings, and stress testing.
  • This analysis generates message alerts, risk indicators, ratio analysis, trend analysis, and peer group comparisons to identify outliers.
  • This is supplemented by a compliance and complaints history database built from inspection findings, audit findings, disciplinary records, complaints, and market news.
  • These data and information drive the selection of target firms for inspection, selected according to warning indicators, risk, and impact.
  • On-site inspections, both firm-specific (for larger firms) and thematic, focusing on both firm-specific and cross-cutting risks. These on-site inspections can be:
      ○ Routine inspections – general checks on systems and controls, and on compliance with laws and regulations, based on a standard inspection checklist;
      ○ Special inspections – to deal with imminent risks; and
      ○ Thematic inspections – in response to trends and emerging risks.
  • Resources are allocated to areas perceived as highest risk or greatest impact to the HK SFC’s objectives.

For further details see Hong Kong Securities and Futures Commission (2011 and 2014).

The risk map could then be used to prioritize the allocation of supervisory resources across the sectors and sub-sectors, to identify the risks and controls that need to be investigated and addressed further (for example through thematic work, as described below), and to set the thresholds for the identification of outlier firms (see the section below on analyzing data and information).
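As an added example (not code from this Note, from the HK SFC or from any supervisor named here), the following Python sketch shows how off-site reporting data from small firms could be turned into ratio analysis, peer-group comparison and threshold alerts of the kind described in the HK SFC box and in the paragraph above, with the risk map supplying sector-specific impact ratings and thresholds. All firms, reported figures, sector impact ratings and thresholds are constructed; the indicator names and the functions `analyse` and `inspection_targets` are assumptions made for the illustration.

```python
"""Off-site ratio analysis with peer-group outlier detection for small firms.

Added example, not code from the Toronto Centre Note or from the HK SFC. All
firms, returns, sector impact ratings and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FirmReturn:
    firm: str
    sector: str             # a row of the small-firm risk map
    liquid_capital: float   # reported liquid capital (constructed units)
    required_capital: float
    complaints: int         # complaints received in the reporting period
    clients: int


@dataclass(frozen=True)
class Alert:
    firm: str
    sector: str
    indicator: str
    reason: str   # "peer_outlier" or "below_floor"
    value: float
    z: float      # z-score against the sector peer group


# Constructed quarterly returns from hypothetical firms.
RETURNS = [
    FirmReturn("B1", "brokers", 3.0, 1.0, 4, 2000),
    FirmReturn("B2", "brokers", 2.4, 1.0, 5, 2500),
    FirmReturn("B3", "brokers", 1.1, 1.0, 30, 1500),
    FirmReturn("B4", "brokers", 2.7, 1.0, 3, 1500),
    FirmReturn("B5", "brokers", 2.8, 1.0, 6, 3000),
    FirmReturn("A1", "advisers", 0.5, 0.2, 2, 400),
    FirmReturn("A2", "advisers", 0.6, 0.2, 3, 600),
    FirmReturn("A3", "advisers", 0.28, 0.2, 1, 200),
    FirmReturn("A4", "advisers", 0.7, 0.2, 4, 800),
]

# Constructed risk-map settings per sector: impact rating, the peer z-score
# beyond which a firm counts as an outlier, and an absolute floor for the
# ratio of liquid capital to required capital.
RISK_MAP = {
    "brokers":  {"impact": "medium-high", "z": 1.5, "capital_floor": 1.2},
    "advisers": {"impact": "medium-low",  "z": 2.0, "capital_floor": 1.5},
}

# Indicators derived from reported data, with the adverse direction of each.
INDICATORS = {
    "capital_excess": ("low", lambda r: r.liquid_capital / r.required_capital),
    "complaints_per_1000_clients": ("high", lambda r: 1000 * r.complaints / r.clients),
}


def peer_z_scores(values):
    """z-score of each value against its own group; 0 when the group has no spread."""
    mu, sd = mean(values), pstdev(values)
    return [(v - mu) / sd if sd else 0.0 for v in values]


def analyse(returns, risk_map):
    """Flag firms that are adverse outliers against sector peers or below an absolute floor."""
    by_sector = defaultdict(list)
    for r in returns:
        by_sector[r.sector].append(r)
    alerts = []
    for sector, firms in by_sector.items():
        settings = risk_map[sector]
        for name, (adverse, fn) in INDICATORS.items():
            values = [fn(r) for r in firms]
            for r, v, z in zip(firms, values, peer_z_scores(values)):
                adverse_z = -z if adverse == "low" else z
                if adverse_z > settings["z"]:
                    alerts.append(Alert(r.firm, sector, name, "peer_outlier", v, z))
                # Peer comparison alone misses a weak sector; the floor catches that.
                if name == "capital_excess" and v < settings["capital_floor"]:
                    alerts.append(Alert(r.firm, sector, name, "below_floor", v, z))
    # Higher-impact sectors first, then the largest deviation from peers.
    order = {"high": 0, "medium-high": 1, "medium-low": 2, "low": 3}
    alerts.sort(key=lambda a: (order[risk_map[a.sector]["impact"]], -abs(a.z)))
    return alerts


def inspection_targets(alerts):
    """Distinct firms to prioritize for inspection, in alert order."""
    seen, targets = set(), []
    for a in alerts:
        if a.firm not in seen:
            seen.add(a.firm)
            targets.append(a.firm)
    return targets


if __name__ == "__main__":
    found = analyse(RETURNS, RISK_MAP)
    for a in found:
        print(f"{a.sector:9} {a.firm:3} {a.indicator:28} {a.reason:12} "
              f"value={a.value:.2f} z={a.z:+.2f}")
    print("inspection targets:", inspection_targets(found))
```

With the constructed data, B3 is flagged both as a peer outlier (low capital excess, high complaints) and for breaching the capital floor, while A3 escapes the peer comparison (its sector is small and has little spread) and is caught only by the absolute floor; the broker alerts sort first because the risk map rates that sub-sector as higher impact. The thresholds are deliberately per sector so that the judgements captured on the risk map, rather than a single global cut-off, decide which firms become inspection targets.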

Thematic (horizontal) work

Supervisors can use a thematic (or horizontal) approach to follow up on the key issues identified in sector-wide risk assessments. The results of thematic work can then be used to update sector or sub-sector level risk maps (as discussed above) and therefore to drive future supervisory resource allocation. 

A thematic review involves:

  1. Taking a risk-based approach to choosing a risk, a control (or set of controls), or the way that regulated firms meet specific requirements,[9] to review. This choice can be based on known or suspected risks and control weaknesses, shortcomings observed in individual or groups of firms prompting a perceived need for a more systematic understanding, emerging risks, market developments, and issues found in the risk assessment of larger firms in the same sector.
  2. Choosing a sample of firms for each thematic review. Reflecting the resource constraints of supervision authorities, each sample is likely to be relatively small (no more than 10-20 firms); the sample may include some larger firms, not just small firms; and the sample may not be entirely random – some firms may be included within the sample as an opportunity for the supervisor to visit firms where warning indicators (these are discussed further below) have already been observed.
  3. Visiting the chosen sample of firms (not necessarily only small firms) to assess the magnitude of a specific risk and how well it is understood, managed, and controlled by supervised firms; or to focus on how well firms approach a specific aspect of governance and controls, such as board effectiveness, culture, controls to protect client assets, anti-money laundering controls, controls over services outsourced to third parties, complaint handling, or the quality of internal audit. Note that this approach differs from completing a standard checklist covering (often only superficially) a wide range of risks and controls, because it is more focused on specific risks and controls, more forward-looking, and more risk sensitive.
  4. Providing feedback to the firms visited and also communicating clearly to all firms in the sector or sub-sector on what poor and good practices were found in the thematic work, and making it clear that all relevant firms are expected to review where they stand on the spectrum of good and poor practices and to act on the results of their own internal review.[10] The results of a thematic review could also be used by a supervisor to amend its more formal guidance or rules relating to the issues discovered during the thematic review.
  5. Taking supervisory (and possibly enforcement) action against firms in the sample at the poor-practice end of the spectrum. While supervisors will certainly need to deal with serious and egregious weaknesses, they may also need to recognize that where poor practice is prevalent across a sector, the emphasis needs to be on raising standards. Enforcement action may have a role to play here, not least in ‘encouraging the others’. 
  6. Possibly following up with a further series of visits to the same or a different sample of firms looking at the same area of risk or controls one or two years later, in particular where high inherent risks and poor control practices were found in the first round of thematic work. This serves to maintain supervisory pressure in areas of high supervisory concern, while also providing one means of evaluating supervisory effectiveness – as with an individual firm, it is important to evaluate whether supervisory action following an earlier thematic review has made a difference to the relevant risks and controls across a sector or sub-sector.

Jersey FSC approach to the risk-based supervision of small firms

The Jersey FSC’s approach to supervision determines the level of supervisory resource that is dedicated to individual firms. The overall risk-based supervision model has three main elements.

First, the impact of each regulated firm on the Jersey FSC’s supervisory objectives is assessed on the basis of metrics such as the type of firm, balance sheet size, annual income, the amount of assets under management, the number and nature of its clients/customers, and the number of employees. 

This assessment determines the broad approach to supervision that a firm is subject to:

  • Enhanced supervision for high-impact firms – supervision based on regular update meetings, periodic reporting, engagement with key assurance providers (such as internal and external audit), and on-site examinations.
  • Proactive supervision for medium-impact firms – supervision based on update meetings, periodic reporting, and on-site examinations (less frequent than for high-impact firms).
  • Reactive (“Pooled”) supervision for low-impact firms. More than 600 firms are in this category. While the individual impact risk that each of those firms poses does not warrant the allocation of resources to them on a day-to-day basis through a named relationship supervisor, they are not considered automatically to be low risk. Supervision is primarily through trigger events, changes in the risk profile of the individual entity based on intelligence and risk data, thematic examinations, and outreach to the industry. 

Second, thematic examinations of a sample of firms are conducted in response to current or emerging risks that cut across a range of firms in a sector, or affect one or more sectors as a whole. These risks are identified from firm-based risk assessments, market intelligence and other information. They are examined through on-site visits and questionnaire-based off-site research, and feedback based on the results is subsequently issued to the whole industry.

In 2019, thematic examinations covered outsourcing arrangements, the role of the money laundering reporting officer, and the placing of reliance on third parties. In 2020, the Jersey FSC plans to focus on compliance monitoring, wire transfers, and private funds. The Jersey FSC also conducts individual entity-specific examinations based on known risks materializing within firms whether they be high, medium or low impact. 

Third, the organizational structure of the Jersey FSC reflects this risk-based approach, with separate units responsible for the oversight of higher-impact entities (the Relationship Managed Supervision Units), of all types of low-impact firms (the Pooled Supervision Unit), and the Supervision Examination and Financial Crime Examination Units dedicated to delivering on-site examination programs. 

For further details see Jersey FSC (2016, 2019b, and 2019c).

Analyzing data and information

Supervisors receive a large amount of information from small firms and about small firms. This typically includes, but is not limited to:

  • regular regulatory reporting;
  • self-reporting by firms of rule breaches and other failures;
  • various required notifications of changes in senior management and board members and changes in control;
  • levels and nature of complaints (including those referred to an ombudsperson or similar body);
  • whistleblowing on poor practices within firms by employees;
  • information about the firms visited as part of thematic reviews (as described above);
  • information from other authorities, such as Financial Intelligence Units and overseas supervisors (where the firm is a subsidiary or branch of an overseas parent, or the parent of overseas operations); and
  • comments from consumer organizations.

But supervisors do not have the time or other resources to analyze or to act upon all of this information. So, what can supervisors do here as part of a small firms strategy?

First, as for all types and sizes of firm, some supervisors have made use of technological innovations to collect and analyze information (this is part of what is termed ‘SupTech’). Financial Stability Institute (2019) describes four ‘generations’ of data and information analysis by financial supervisors:

  1. The manual receipt and filing of regulatory reports, supplemented by some limited input by supervisors of data into spreadsheets to generate some basic data analysis and produce some unsophisticated reports on regulated firms.
  2. The digitization and automation of at least some elements of the reporting and analysis process, including for example the electronic transfer of regulatory reports from firms and a more sophisticated analysis of these data by the supervisory authority.
  3. Moving closer to the use of more recent technological developments, some financial supervisors are beginning to use big data architecture to store data and to make it more easily usable for analysis, including the use of cloud computing and ‘data pools’.
  4. The use of artificial intelligence for at least some types of data analysis, including elements of machine learning and advanced data analytics. There is scope to extend such analysis beyond the data contained in regulatory reports, for example to the analysis of social media references to regulated firms or to documents (annual reports, product literature, etc.) issued by regulated firms.

Note, however, that the third and fourth ‘generations’ remain a work in progress – there is no immediate prospect of ‘quick fixes’ here that will remove the need for human judgement.

Second, supervisors can use a ‘triage’ approach to assess incoming information, with the objective of devoting scarce supervisory resources to the indicators of significant actual or potential harm (heightened impact, heightened risk, or a failure of governance, controls, or inadequate financial resources). This is likely to require the exercise of a strong element of judgement and experience to spot the most significant warning indicators, in addition to the setting of quantitative thresholds where possible to highlight serious outliers.

For example, supervisors could identify outliers in terms of growth, abnormally high profitability or large losses, inadequate financial resources (even where required resources are based simply on three months’ operating expenses), and the level of complaints. This requires establishing thresholds that highlight when these data are showing a ‘red flag’. But remember that with limited supervisory resources available, the thresholds need to be set at levels that do not throw up so many red flags that there are insufficient resources available to follow them up.
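The triage step described above, as an added worked example that is not part of this Note or of any supervisory authority’s own tooling. It scores constructed regulatory returns against quantitative thresholds for growth, profitability, losses, financial resources (three months’ operating expenses, as in the text) and complaints, ranks the flagged firms by a weighted severity score so that scarce follow-up capacity goes to the most serious outliers, and shows one way of calibrating thresholds so that the number of red flags does not exceed the number a supervisory team can follow up. All firm names, figures, thresholds and weights are assumptions constructed for illustration; the regulatory minimum for financial resources is deliberately left out of the calibration, since a supervisor should not relax a requirement merely to reduce its own workload.

```python
"""Threshold-based triage of small-firm regulatory returns (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Return:
    firm: str
    revenue_prev: float   # previous period revenue
    revenue_curr: float   # current period revenue
    profit: float         # current period profit (negative = loss)
    resources: float      # financial resources actually held
    monthly_opex: float   # average monthly operating expenses
    complaints: int       # complaints received in the period
    clients: int          # number of clients served


# Hypothetical thresholds; a real supervisor would derive these from its own sector data.
THRESHOLDS = {
    "growth": 0.50,             # revenue growth above 50% year on year
    "margin_high": 0.40,        # profit margin above 40% (abnormally high profitability)
    "loss": -0.10,              # loss exceeding 10% of revenue
    "resource_months": 3.0,     # required resources = three months of operating expenses
    "complaints_per_1000": 5.0, # complaints per 1,000 clients
}
# Hypothetical weights: which breaches should rank highest for follow-up.
WEIGHTS = {"growth": 1.0, "margin_high": 1.0, "loss": 1.5,
           "resource_months": 2.0, "complaints_per_1000": 1.5}


def indicators(r):
    """Derive the ratios that the thresholds are applied to."""
    growth = (r.revenue_curr - r.revenue_prev) / r.revenue_prev if r.revenue_prev else 0.0
    margin = r.profit / r.revenue_curr if r.revenue_curr else 0.0
    return {
        "growth": growth,
        "margin_high": margin,
        "loss": margin,
        "resource_months": r.resources / r.monthly_opex if r.monthly_opex else 0.0,
        "complaints_per_1000": 1000.0 * r.complaints / r.clients if r.clients else 0.0,
    }


def red_flags(r, thresholds=THRESHOLDS):
    """Return {indicator: excess} for every breached threshold, excess measured in units of the threshold."""
    v, t, flags = indicators(r), thresholds, {}
    if v["growth"] > t["growth"]:
        flags["growth"] = (v["growth"] - t["growth"]) / t["growth"]
    if v["margin_high"] > t["margin_high"]:
        flags["margin_high"] = (v["margin_high"] - t["margin_high"]) / t["margin_high"]
    if v["loss"] < t["loss"]:
        flags["loss"] = (t["loss"] - v["loss"]) / abs(t["loss"])
    if v["resource_months"] < t["resource_months"]:
        flags["resource_months"] = (t["resource_months"] - v["resource_months"]) / t["resource_months"]
    if v["complaints_per_1000"] > t["complaints_per_1000"]:
        flags["complaints_per_1000"] = (v["complaints_per_1000"] - t["complaints_per_1000"]) / t["complaints_per_1000"]
    return flags


def severity(flags):
    """Weighted sum of breach magnitudes; used only to order the follow-up queue."""
    return sum(WEIGHTS[k] * excess for k, excess in flags.items())


def flagged_firms(returns, thresholds=THRESHOLDS):
    return [r.firm for r in returns if red_flags(r, thresholds)]


def triage(returns, capacity, thresholds=THRESHOLDS):
    """Rank flagged firms by severity. The top `capacity` firms go to follow-up; the rest are
    deferred, not discarded, so that they still feed the sub-sector risk map."""
    flagged = [(r.firm, red_flags(r, thresholds)) for r in returns]
    flagged = sorted((f for f in flagged if f[1]), key=lambda f: severity(f[1]), reverse=True)
    return {"follow_up": [name for name, _ in flagged[:capacity]],
            "deferred": [name for name, _ in flagged[capacity:]]}


def calibrate(returns, capacity, thresholds=THRESHOLDS, step=1.1, max_iter=50):
    """Widen the judgement-based thresholds multiplicatively until the number of flagged firms
    fits follow-up capacity. The resources threshold is a regulatory minimum and is never relaxed."""
    t = dict(thresholds)
    names = flagged_firms(returns, t)
    for _ in range(max_iter):
        if len(names) <= capacity:
            break
        for key in ("growth", "margin_high", "complaints_per_1000", "loss"):
            t[key] *= step  # "loss" is negative, so multiplying also widens it
        names = flagged_firms(returns, t)
    return t, names


# Constructed sample returns (not real firms).
SAMPLE_RETURNS = [
    Return("Alpha Advisers", 1_000_000, 1_050_000, 80_000, 400_000, 60_000, 2, 800),
    Return("Beta Brokers", 500_000, 1_200_000, 600_000, 250_000, 50_000, 12, 1500),
    Return("Gamma Capital", 900_000, 850_000, -200_000, 100_000, 70_000, 3, 600),
    Return("Delta Dealing", 300_000, 480_000, 30_000, 200_000, 40_000, 1, 300),
    Return("Epsilon Funds", 2_000_000, 2_100_000, 900_000, 900_000, 100_000, 40, 4000),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RETURNS, capacity=2))
    print(calibrate(SAMPLE_RETURNS, capacity=2))
```

With the constructed data, four of the five firms breach at least one default threshold, but a team with capacity for two follow-ups sees the loss-making, under-resourced firm first and the fast-growing firm with a complaints spike second; the two deferred firms remain visible for the risk map. The calibration loop illustrates the trade-off in the text: widening thresholds reduces the queue to fit capacity, but each widening also raises the level of harm that goes unflagged, which is why the regulatory resources floor is excluded from it.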

Third, supervisors should follow up on the most serious warning indicators and should act swiftly and decisively where significant harm is identified (and also where potential harm is high-probability and high-impact).

Fourth, these data and information should feed back into sector and sub-sector risk maps.

Figure 2 shows how these various processes interact. The risk map (see Figure 1, above) drives supervisory resource allocation, the choice of thematic work, and the focus of data and information analysis. The results of thematic work and data and information analysis feed back into the risk map. Meanwhile, thematic work, data and information, and resource allocation all drive supervisory activity (which takes the form of communication to small firms in each sub-sector generally, and some firm-specific supervisory and enforcement activity when material failings are identified in individual firms).

As with all aspects of risk-based supervision, judgements will sometimes be wrong so that supervisors will focus and allocate resources to the ‘wrong’ thing. That should be within their risk tolerance threshold. Similarly, supervisors will sometimes follow up on things they do not need to and not follow up on things they should. When that happens, supervisors need to learn lessons. However, such issues should arise less frequently than under non-risk-based supervisory approaches.

Figure 2: Risk-based supervision of small firms

Although risk-based supervision represents in many cases an explicit move away from compliance-based or enforcement-led approaches, it remains the case that supervisors adopting a risk-based approach can and should be ready to take enforcement actions in response to serious breaches of rules or higher-level principles.

In the context of a small firms strategy, the additional element here is for a supervisory authority to consider whether the active publication and communication of enforcement actions could help to deter poor behaviour in firms more generally (not just in the firm against which the enforcement action has been taken). 

Risk-based supervisory authorities should therefore consider whether they should adopt a relatively proactive enforcement policy, in particular for small firms, to reflect (a) the lack of time and resources to pursue a more accommodating approach with small firms, and (b) the opportunity to convey supervisory expectations through well-publicized enforcement actions to ‘encourage the others’. 

Providing education and advice to small firms

There should be some value in supervisors providing education and advice to small firms at a sector or sub-sector level (indeed this may apply to all firms). For example, this might take the form of general guidance on how regulatory requirements (rules and principles) should be interpreted and how they apply in the specific circumstances of the sector or sub-sector; communicating to firms the priority areas for supervision in a specific sector or sub-sector; communicating the outcomes of thematic reviews to all relevant firms, not just those included in the sample of firms visited as part of the thematic review (as discussed above); and communicating enforcement actions taken against firms in the relevant sector or sub-sector (as discussed above). 

This communication can take various forms, for example standard letters (or emails) sent to all firms in the relevant sector or sub-sector, press releases issued by the supervisory authority, circulars and newsletters produced by the supervisory authority, notices posted on the website of the supervisory authority, speeches by senior supervisors, round table meetings with groups of firms, and engagements with trade associations.

Some firms may not pay much attention to such communications, but at least they have been put on notice by the supervisory authority of the importance of the issues raised in the communications and the firms should then have no excuse if they are later found to have failed to implement the necessary measures.

Applying risk-based supervision to other functions of securities supervisors

Securities supervision is not just about the supervision of securities firms and financial market infrastructure.

Some securities supervisors spend significant resources on other functions, for example the pre-approval of new products; setting the rules and running the application process for companies (not just financial institutions) wanting to list their securities (equities and bonds) on the national stock exchange; reviewing prospectuses for capital market issues by listed companies; monitoring the application of national accounting standards by listed firms; monitoring for insider dealing, market manipulation, and other forms of market abuse; and requiring the publication of pre- and post-trade data in some financial markets.

One option for securities supervisors here is to implement entirely standardized approaches to these functions, making no distinctions across listed firms (or applicant firms) and no distinction across types of market abuse. This might be both feasible and appropriate where the supervisory activity is ‘data rich’ – in the sense that there is extensive information gathering, the marginal cost of collecting and analyzing the data for small firms as well as large ones is small or zero, and there is a fully-automated way of analyzing it. But securities supervisors also need to have the option to take a more risk- and judgement-based approach to the performance of functions where, for example, the above conditions are not met.

Recall here the essence of risk-based supervision – to identify and mitigate the largest risks to the objectives of a supervisory authority. A risk-based securities supervisor should therefore consider (a) which of these activities generate the largest risks to its supervisory objectives (which should then drive the overall allocation of supervisory resources across these functions, in the same way that the risk map discussed above should drive the allocation of supervisory resources across sectors and sub-sectors); and (b) how to focus on the largest risks and greatest potential impacts within each of these areas.

Examples of such a risk-based approach within these areas include:

Listing applications

  Non-risk-based supervision:
  • Same rules apply to all applicants
  • Take the same approach to all applications, reviewing compliance with every requirement
  • Apply the same level of scrutiny and hence spend the same amount of time on every application

  Risk-based supervision:
  • Same rules apply to all applicants
  • Use a range of impact and risk characteristics to drive alternative approaches
  • In higher-risk and higher-impact cases, the supervisor undertakes its own thorough review of whether an applicant meets the listing rules
  • In lower-risk and lower-impact cases, the supervisor could place greater reliance on the applicant’s own self-attestations and on third party legal opinions

Prospectuses issued by listed companies or funds

  Non-risk-based supervision:
  • Spend the same amount of time reviewing each prospectus in detail

  Risk-based supervision:
  • Intensity of review of prospectuses differs according to indicators of impact and risk such as the size of the issuer and the size of the issue, the type of issuer, known problems at that issuer or in issuers from the same industry sector, and the investors to whom the issue is targeted (in particular whether the issue is targeted at retail investors)
  • Supplemented through a thematic review of a sample of other prospectuses, to check that they remain low-risk and low-impact

The compliance of listed firms with accounting and other reporting standards

  Non-risk-based supervision:
  • Spend the same amount of time reviewing the accounts and other required reports of each listed firm

  Risk-based supervision:
  • Targeted approach based on the potential impact and probability of a listed company failing to meet accounting and reporting standards[11]
  • Could be based on factors such as the size of the listed company, the past compliance record of the listed company, the complexity of the company’s operations, and on market-wide experience of where poor accounting and reporting standards have typically arisen
  • Supplemented by thematic reviews to check whether standards are being met by different types of listed firm

Market abuse

  Non-risk-based supervision:
  • Purely reactive approach (waiting for some evidence of market abuse to arise, then analyzing the relevant transactions)

  Risk-based supervision:
  • Adopt a proactive approach in areas where the greatest risks are thought to lie, for example through the active and more real-time monitoring of transactions undertaken by specific traders or transactions in specific securities that have been subject in the past to unusual trading patterns and/or price movements
  • Use of SupTech (advanced data analysis techniques) to be more proactive at lower resource cost

New areas of focus

Securities supervisors need to decide how to respond to new forms of securities activity, such as cryptocurrency platforms and exchanges,[12] initial coin offerings (ICOs), and the development of secondary markets for crowdfunding. While over-the-counter (OTC) trading activities have always co-existed with exchange-traded activities, new instruments and structures have resulted in increased involvement by individuals or firms who have not typically been subject to regulation and who may prove hard to reach within conventional supervisory remits. This introduces additional elements of risk and uncertainty to the securities markets.

This requires (a) training and development to improve the understanding of supervisors about these FinTech developments; (b) consideration of complicated issues in the (re)drawing of the regulatory perimeter and in the allocation of responsibilities across supervisory authorities; and (c) taking a risk-based approach to the analysis of the potential impact and risks arising from these developments. While structures and activities may change, the principles of risk-based supervision do not change.

Supervision of groups

In some countries, the securities supervisor may have primary responsibility for one or more of (i) the supervision of a securities firm that is a subsidiary of a bank or insurer supervised by a different domestic supervisory authority; (ii) the supervision of a securities firm that is a subsidiary of a foreign securities firm, bank, or insurer and where the parent financial institution is supervised by an overseas supervisory authority; and (iii) the supervision of (retail and wholesale) conduct issues in banks and insurers, where the prudential supervision of banks and insurers lies with a different supervisory authority (as for example in South Africa and the UK).

In many instances, ‘host’ supervisors are explicitly responsible for conduct issues within their jurisdiction. In other cases, a supervisor may be the ‘home’ authority for a firm based in its jurisdiction but with branches or subsidiaries in other countries whose activities may have the capacity to have an impact on the parent’s financial health or well-being.

Ideally, the lead (usually the home) supervisor of any financial services group would construct a consolidated risk matrix for the group, based on inputs from more than one supervisory authority. This would cover all the group’s material activities and risks and the full range of the group’s controls and financial resources and would be used to devise a group-wide supervisory action program (to be undertaken by the relevant supervisory authorities on a coordinated basis).

In practice, however, it may be the case that each supervisory authority will ‘do its own thing’ for the entities in the group for which it is responsible. The problem here is that this separation runs the risk of missing key group-wide issues, for example the impact of enforcement and remediation actions arising from retail or wholesale market misconduct on the prudential position of the group, or the potential read-across from governance or control failings identified in one entity to more general failings across the group. Even in the absence of a consolidated, group-wide assessment, this risk can be addressed to some extent through effective home/host communications concerning risk issues, ideally in the form of colleges in which relevant information can be exchanged.


This Note has focused on how securities supervisors can develop and implement a risk-based, forward-looking, and proactive approach to supervision.

In particular, the Note has shown how risk-based supervision can be applied to major securities firms; to stock exchanges and other financial market infrastructure; to small firms; and to the responsibilities of securities supervisors with respect to listed firms and market abuse.

The existence of large numbers of small firms is not unique to the securities sector, so the framework for small firm supervision presented in this Note should also be relevant to any supervisor responsible for a large number of small firms, as for example may be the case for credit unions and microinsurance firms.


Central Bank of Ireland. PRISM Explained – How the Central Bank of Ireland is Implementing Risk-Based Regulation. February 2016.

Financial Stability Institute. The suptech generations. October 2019.

Group of International Finance Centre Supervisors. Standard on the Regulation of Trust and Corporate Service Providers. September 2014.

Guernsey Financial Services Commission. Investment Supervision & Policy Division – Governance, Risk and Compliance. Fund managers and fund administrators. Thematic review. November 2017.

Hong Kong Securities and Futures Commission. Regulatory Framework for Intermediaries. June 2011.

Hong Kong Securities and Futures Commission. Presentation by Stephen Po at the IOSCO Conference Workshop on Market Intermediaries Risk Based Supervision. September 2014.

International Organization of Securities Commissions (IOSCO). Guidelines to Emerging Market Regulators Regarding Requirements for Minimum Entry and Continuous Risk-Based Supervision of Market Intermediaries. Final Report. December 2009.

International Organization of Securities Commissions (IOSCO). Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms. May 2019.

Jersey Financial Services Commission. JFSC Risk Overview: Our approach to risk-based supervision. 2016.

Jersey Financial Services Commission. Themed examination programme 2019: Outsourcing. July 2019.

Jersey Financial Services Commission. 2020 programme for on-site thematic examinations. December 2019.

Jersey Financial Services Commission. Supervision industry seminar Q&A. December 2019.

Mexico National Banking and Securities Commission. Risk Based Supervision. September 2014.

Toronto Centre. Risk-Based Supervision. March 2018.

Toronto Centre. Implementing Risk Based Supervision: A Guide for Senior Managers. July 2018.

Toronto Centre. The Development and Use of Risk Based Assessment Frameworks. January 2019.

Toronto Centre. Turning Risk Assessments into Supervisory Actions. August 2019.

UK Financial Conduct Authority. Thematic Review: Meeting investors' expectations. April 2016.

UK Financial Conduct Authority. Sector Views. January 2019.

UK Financial Conduct Authority. Understanding the Money Laundering Risks in the Capital Markets. Thematic Review. June 2019.




[1] This Note was prepared by Clive Briault.

[2] See IOSCO (2009) for a survey of the use of risk-based supervision of intermediaries in emerging economies, which showed that the majority of stand-alone securities supervisors do not apply risk-based supervision.

[3] Toronto Centre (2019a and 2019b) explain these six steps in more detail.

[4] For example, in Guernsey The International Stock Exchange (TISE) is supervised alongside other major groups, using the standard PRISM methodology for the assessment of impact and risk. See also Mexico National Banking and Securities Commission (2014) for details of the supervision of the Mexico Stock Exchange using standard risk-based tools including risk assessment and the use of a risk matrix.

[5] Group of International Finance Centre Supervisors (2014) illustrates the wide range of areas in which this group of small firms could cause harm.

[6] Indeed, the difference in the scale of resource applied to large firms and small ones may be substantial. In some countries applying risk-based supervision, a full-time team is devoted to a single high-impact firm, while the resource allocated on average to an individual low-impact firm may be less than, say, 5% of a person year. See, for example, Central Bank of Ireland (2016).

[7] See for example UK FCA (2019a).

[8] It may be observed here that although supervisors often insist that regulated firms have a risk appetite statement and that this drives the firm’s limits and controls, very few supervisory authorities have their own risk appetite statement (and even fewer of them publish this statement).

[9] Although rules and requirements apply to all firms, in thematic work a supervisor can choose to focus on how firms meet (or fail to meet) a sub-set of specific rules and requirements.

[10] See, for example, the thematic review reports published by the UK FCA (2016 and 2019b), the Guernsey FSC (2017) and the Jersey FSC (2019a). 

[11] Mexico National Banking and Securities Commission (2014) sets out a risk-based supervisory approach to the compliance of listed companies with accounting standards, including the risk-based selection of which listed companies to review, supplemented by rotation and random selection.

[12] See for example IOSCO (2019) on crypto asset trading platforms.