Article 18 of MAR Explained + FAQ On Insider Lists

The Market Abuse Regulation (MAR) came into effect on 3rd July 2016 through the European Parliament, aimed at creating transparency in the financial markets, tackling market abuse and protecting investors in the European Union. The regulation employs a number of instruments for the prevention of market manipulation and the prohibition of insider dealing, including rules to manage the unlawful disclosure of inside information, closed periods for managers’ transactions and a process for market soundings. This article focuses on the subject of Article 18 of MAR — insider lists. We answer the most pressing questions raised by organisations wanting to understand their obligations and how to comply with the legislation. 

MAR Article 18 Explained  

Understanding the term ‘inside information’ is a prerequisite to understanding the contents of the article itself. So, this is where we start. 

What is inside information?

The definition of inside information, according to MAR is information that meets the following conditions: 

• Relates to particular instruments or issuers
• Is of a precise nature
• Has not yet been made public
• Is likely to affect the price of those instruments if it were made public

Possession of inside information of a precise nature that could have a significant effect on the value of a financial instrument can create an unequal market, affecting financial stability. MAR seeks to stop individuals with access to inside information from profiting or advising others to profit from certain knowledge that hasn’t entered the public domain yet. For example, inside information can be used to make an investment decision such as the buying and disposal of shares right before a major company event is announced. 

By controlled disclosure of inside information, MAR aims to create a regulated market that gives confidence to “reasonable investors” who, the regulation says, “base their investment decisions on information already available to them”. 

The information might relate to an acquisition, a year-end report, an announcement of an interim financial report or anything else that proves advantageous to know in advance for an investor. 

Article 18 of MAR 

In the event of a delay of disclosure of inside information in the legitimate interests of the issuer, a written explanation must be recorded, detailing the exceptional circumstances. It must be stored in electronic format and provided to the authorities if requested. 

Article 18 then requires financial institutions and bodies with financial instruments traded on regulated markets, or those acting for the issuers, to “draw up a list of all persons who have access to inside information and who are working for them under a contract of employment, or otherwise performing tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies.” 

This is called an insider list and it is the issuer’s or agent’s own responsibility to maintain.

Compliance with this requirement to maintain an insider list applies to issuers on regulated markets, whether they are Multilateral Trading Facilities (MTF) or Organised Trading Facilities (OTF), as well as those that have applied for admission of their financial instruments on the market. 

The insider list helps organisations to formalise the practice of compiling the names of those with access to inside information of a precise nature, aids market integrity, investor protection and the economic interests of the issuer by ensuring that trading of financial instruments is carried out in a legitimate manner. 

A comprehensive and up-to-date insider list, adjusted any time someone new accesses the information or when an employee ceases to have access, means that a national competent authority (NCA) can narrow down the search for unlawful transactions. It gives the issuer the chance to take reasonable steps to inform all parties with inside information of their duties and responsibilities in relation to the confidentiality of the information, as well as the sanctions for breaching the Market Abuse Regulation. The insider needs to acknowledge their responsibilities.   

ESMA Guidelines For Insider Lists

The European Securities and Markets Authority (ESMA) lays down a set of draft guidelines and regulatory duties in its technical standards for creating insider lists in accordance with Article 18. They apply for current issuers as well as those whose instruments are awaiting admission to the market.

• Issuers should include in insider lists only individuals who have accessed the inside information, not those who had the potential to access but didn’t.
• Auditors or notaries should be included in the scope of “the issuer or any person acting on their behalf or on their account” when it comes to working out who needs to draw up insider lists and who to include on them.
• On who to include in the permanent insider list, ESMA says “In ESMA’s view, only an extremely limited group of individuals should meet that definition, including the Chief Executive Officer, in certain specific cases, the Chief Finance Officer, Executive Assistant, Chairman of the Board, Head of Legal Department/Compliance Officer and Chief Technical Officers.” 
• A permanent insider list should be used with caution, if at all. Any individual not meeting ESMA’s definition of a permanent insider should feature on an event-based insider list for any piece of inside information they access.
• ESMA believes that, rather than the issuer providing all of the names of individuals from external service providers on the insider list, they should list one contact. The external service provider should then hold its own insider list featuring all of the natural and legal persons under its control who have access to the issuer’s inside knowledge.

FAQ: Drawing Up And Managing Insider Lists

How to draw up an insider list?

Commission Implementing Regulation (EU) 2016/347 requires that you draw up an insider list in digital format when you delay public disclosure of inside information that could affect the prices of the financial instruments offered by your organisation. You should include the following information: basic information on the project, event or deal to which the information is related, including the name, date and time the information became identified as inside information. You must also note the particular circumstances that occurred that prevented you from making an immediate disclosure, as well as the names of the people with knowledge of the inside information relating to such instruments. 

How to update an insider list? 

Article 18 of MAR states,

 “Issuers or any person acting on their behalf or on their account shall update the insider list promptly, including the date of the update.” 

If you use a spreadsheet, you should add or take away members of the list as required and note down the reason for the change and the date and time it happened. Then save it as a new file in order to maintain the audit trail. 

With a dedicated insider list management system like InsiderLog, you make the changes and the software timestamps the details and stores the changes to allow you to show which adjustments were made, when they were made and by whom. 

A third party can act on your organisation’s behalf to update your insider list, but the issuer should maintain right of access to the list at all times.

When do I need to update my insider lists?

There are three main reasons why you might need to update your insider list:

• When a legal or natural person gains access to inside information
• When someone ceases to have access to the information
• When the information ceases to exist due to disclosure of the information or end of the project

In each of these cases, you should make the updates promptly, as per the wording in Article 18. 

How to keep track of all the changes made to your insider list?

With a spreadsheet-based insider list, you must keep multiple saved copies of the various incarnations of the insider list. Every time you make changes, for example when you add a new person, you need to keep the old copy and update the new sheet with the reasons for the changes and when they happened. In a fast-moving system, you could end up doing this many times a day. This easily becomes time-consuming and creates room for critical errors. 

An online insider list portal will show you a complete list of your adjustments, as well as the details of the notes you add that detail the times, dates and reasons behind the changes. 

For how long do I have to retain the lists and their history versions?

MAR’s Article 18 requires issuers or those acting on their behalf or on account of the issuer to hold details of the insider list for a period of at least five years after the most recent update to the list. It should be available in case the NCA wishes to investigate the deal, event or project to which the list relates. 

Who is responsible for informing the employees of their duties?

It is for the party who draws up the insider list, either the issuer or the body acting on their behalf or on their account, to inform employees that they are included on the list. They are also responsible for ensuring the list member acknowledges their inclusion and the responsibilities their inclusion brings with it. The member should be informed about the criminal sanctions that can be brought if someone is found to have unlawfully shared inside information or if they are found to have partaken in insider dealing. 

If the employee does not respond, the issuer must send reminders until they receive confirmation of the above. For breaches of Article 18, an individual can face a fine of up to EUR 500,000, whereas an organisation may receive a penalty of up to EUR 1 million. 

Can the confirmation that the persons on the insider list have been informed of their duties and been made aware of the sanctions be submitted using an electronic format?

Yes, it is possible to submit this confirmation electronically, which is why an online portal can be a time-saving option. Rather than someone having to manually send out reminders and update company records to show compliance from the employee, the online option continues to send automated notifications until the employee inputs all the relevant information. Once they do so, the portal records the details and stores that within its database. 

Do persons need to be informed each time they are included in the insider list?

Insider lists are on an event or deal-specific basis, so you must inform employees every time they appear on one of these different lists. The company may run a permanent list, but this should be used with caution, if at all, and feature only a very few individuals who truly have access to all inside information, as strictly defined by MAR. Others, even those with access to a large amount of inside information must feature on separate event lists for each piece of information. The event-driven list for each project should feature only those who have access to the information currently, rather than those who potentially could access it. 

Can an insider list be prepared in advance, before inside information arises?  

You can only create an insider list once the information is categorised as inside information. However, you could create a Confidential List if you believe that a piece of information could become inside information in the future. This is not a legal requirement but can help in compiling the insider list promptly when the classification changes. 

When must employees of parent companies or subsidiaries of the issuer be included in the insider list? 

When employees of parent companies or subsidiaries perform duties on behalf of the issuer, under contract, that see them gain knowledge of the inside information through their profession, they must be featured on the insider list. You should make relevant provisions to inform them that they must keep the information confidential and must not use it to inform investment recommendations or decisions.

Is it possible to substitute the information that must be included in the insider list with reference to another database such as the HR management system?

Article 18 does not specifically allow for this, but as long as the list contains all the relevant information required by law, it doesn’t matter where you sourced it. You should make sure that the insider list is always up to date and contains everything it needs to in order to be compliant with MAR. Do note however that the insider list should reflect the correct personal information at the time it’s drawn up. It should not be updated over time as the individuals’ details change. 

Do IT employees have to be included in the insider list simply because their administrator rights give them access to internal e-mail traffic or to the databases of the party obliged to keep the insider list?

If an IT employee gains knowledge of inside information “in the normal exercise of an employment, a profession or duties they are working on”, according to MAR, they should be included on the insider list. However, just because they could potentially access the information does not automatically mean they should be on the list. They only need to be added to the list when they become aware of it.

It is recommended that you take steps to control access to inside information within the organisation. This could include using internal controls like encrypting digital media or restricting access to electronic files and folders. You should consider a classification system to limit access to sensitive documentation and to require special handling.  

With reference to data protection legislation in countries outside the EU, is it permissible to include a minimum of information in the insider list? 

The templates detailed in Annex I of Commission Implementing Regulation (EU) 2016/347 feature the information that you must collect as part of your record-keeping requirements to be compliant with MAR. If you do not collect all the necessary data, you could face sanctions from the NCA. 

FAQ: Submission Of The Insider List

When must an insider list be submitted?

You must submit your insider list to the competent authority in your territory if they request access to it. Other than that, you should keep it for at least five years in case the NCA requests it at any time during that period. 

Where must the insider list be submitted?

You must submit the insider list to the national competent authority that requests the details of your insider list. 

FAQ: Permanent Insiders

Why can’t all my insiders be permanent insiders?

The permanent list, if used at all, should only feature individuals with access to absolutely all inside information. If you consider it, this is usually very few people indeed. The permanent list provides a way of avoiding having to duplicate these details on every single event-based list. However, you should be extremely cautious when compiling a permanent list. 

ESMA fears that placing more than just a very few individuals on the permanent list “inflates” the list and makes it more likely to include people on an insider list for a particular event for which they should not appear. In terms of tracking down leaks of inside knowledge, this would slow down any investigation. 

All insiders have daily access to daily trading/sales information. Should they all be permanent insiders?

Just because all insiders have knowledge of one piece of inside information doesn’t mean that they all have access to all pieces of inside information. Only those who have access to all inside information by virtue of their role in the organisation can be featured on the permanent list. The others appear on the event lists dedicated to the different pieces of inside knowledge they have access to. 

References and Further Reading

• Insider Trading Examples
• ICSA Ireland Insider List Information
• What Insider Lists Mean for General Counsel
• Insider Lists and SME GMs
• MAR Update