Top 5 challenges advisors face when managing insider lists

The EU Market Abuse Regulation (Regulation (EU) No 596/2014), commonly referred to as MAR, imposes strict requirements on individuals and firms who possess inside information. While much of the focus tends to be on issuers, external advisors such as law firms, audit professionals and consultants are equally subject to these rules when they come into possession of inside information.

The obligation to draw up and maintain insider lists is set out in Article 18 of MAR, which applies not only to issuers but also to any person acting on their behalf or for their account. This includes legal and financial advisors who are involved in transactions or situations where inside information arises. In these cases, the advisor is not responsible for managing the issuer’s insider list but is required to keep their own list.

This article outlines five core challenges advisors face in meeting their obligations under MAR and how those challenges can be addressed with clear, structured processes.

1. Top 5 challenges advisors face when managing insider lists

1.1 Recognising when inside information is received

The first and most fundamental challenge is determining when inside information has actually been received. According to Article 7 of MAR, inside information is information of a precise nature that has not been made public and, if it were made public, would be likely to have a significant effect on the price of financial instruments.

In practice, this can include details about mergers, earnings, restructuring, litigation, regulatory actions or any other sensitive corporate development. Advisors often receive such information in the course of due diligence, contract negotiations or legal analysis.

The difficulty lies in identifying whether the information meets all of the criteria outlined in MAR: it must be precise, not public, price-sensitive and relate directly or indirectly to the financial instrument. Since this assessment often requires legal or professional judgement, there is a risk of underestimating the threshold and delaying the creation of the insider list.

Best practice: Advisors should implement internal protocols for reviewing client communications to determine whether inside information has been received. If in doubt, it is safer to assume the information qualifies and to create a list promptly.

1.2 Managing multiple insider lists across clients

Advisors typically serve multiple clients at any given time. When managing M&A or corporate law, it is common to be involved in several sensitive matters simultaneously. Each case involving inside information requires its own distinct insider list.

Under Article 18(1) of MAR, insider lists must be drawn up for each piece of inside information, not on a client-level basis. Furthermore, the advisor must maintain these lists in a format prescribed by Commission Implementing Regulation (EU) 2016/347, which sets out the exact fields required, including:

Identity of each insider

Date and time of access

Reason for inclusion

Date and time the list was created or updated

This quickly becomes burdensome when lists are managed manually using spreadsheets or shared folders. There is a risk of mislabelling, duplicating or failing to update lists in a timely fashion.

Best practice: Advisors should ensure they have a systematic way of naming, storing and managing each insider list separately. This helps maintain clarity and ensures that updates can be made quickly and correctly.

1.3 Ensuring security and role-based access control

Insider lists contain personal information including names, work and personal contact details, job titles and access timestamps. This brings advisors under the scope of both MAR and the General Data Protection Regulation (GDPR). Under MAR, the advisor must take all reasonable steps to ensure that any person on the list acknowledges their legal and regulatory duties and is aware of the associated sanctions.

More importantly, access to these lists must be restricted to authorised individuals only. Allowing broad or informal access to lists could result in a data breach or a failure to protect inside information, which carries significant legal risks.

Article 18(1b) requires that insider lists be updated “promptly” whenever there is a change, such as someone gaining or losing access to inside information. Failing to do so can expose the firm to scrutiny from regulators.

Best practice: Use permission-based access controls to restrict insider list handling to a small number of designated professionals. Keep access logs and change history as part of your compliance documentation.

1.4 Keeping a verifiable audit trail

An insider list is not a one-off document. It must be maintained and updated throughout the life of the inside information. Under MAR Article 18(6b), the list must be made available to the competent authority (in most cases the national financial regulator) upon request and without delay.

This means that lists must be kept in a format that allows them to be presented quickly, along with full audit trails showing when individuals were added or removed, by whom and why.

Common difficulties here include:

Forgetting to timestamp updates

Failing to record the reason for inclusion

Losing track of updates made by different team members

If the list is requested and cannot be produced in the correct format, or if audit trails are missing, the advisor could face sanctions.

Best practice: Use templates aligned with the requirements in Implementing Regulation (EU) 2016/347 and store all changes in an environment that automatically logs actions and timestamps.

1.5 Closing and archiving insider lists appropriately

Once the inside information is no longer relevant, the list must be closed. For example, after a transaction is announced or an event becomes public, the advisor must close the insider list. However, this step is often neglected or delayed, especially when managing multiple mandates.

MAR Article 18(5) requires insider lists to be kept for at least five years after their creation or last update. These lists must be stored in a manner that allows for quick retrieval and must remain legible and tamper-proof during that entire period.

Archiving also raises questions of format and accessibility. If lists are stored across various local folders or outdated systems, they may become inaccessible when needed for inspection.

Best practice: Advisors should adopt a centralised method for archiving closed insider lists, clearly labelled by client, case and closure date. Access should be limited and periodically reviewed to ensure continued compliance with both MAR and data protection laws.

2. How InsiderLog helps

For advisors who regularly encounter inside information across multiple clients, InsiderLog offers a purpose-built solution to manage insider lists in a way that is both compliant and efficient.

The tool enables advisors to:

Create and manage their own insider lists in line with Article 18 of MAR, with all mandatory fields pre-configured according to the format laid out in Implementing Regulation (EU) 2016/347.

Maintain a clear overview of all ongoing insider lists across different mandates or clients, helping reduce the administrative burden of handling multiple sensitive matters at once.

Apply role-based access controls, ensuring that only authorised users can view or edit insider list data, which is essential for both MAR compliance and GDPR obligations.

Automatically log actions and timestamps, providing a robust audit trail that can be made available to the competent authority upon request, as required by MAR.

Securely close and archive insider lists, with storage that meets the five-year retention requirement and allows for easy retrieval during inspections or audits.

InsiderLog removes the risk of relying on spreadsheets, which can cause issues with version control, require time and effort to ensure correct formatting and are susceptible to human error. It replaces this with a structured, secure and legally compliant workflow tailored specifically for advisory firms. It offers peace of mind in an area where oversight can lead to serious consequences.

3. FAQs

3.1 Do advisors manage their clients' insider lists?

No. Each legal entity is responsible for its own insider list. Advisors must maintain their own lists when they themselves possess inside information.

3.2 When must an advisor create an insider list?

As soon as the advisor receives inside information, a list must be created promptly. Delays may lead to non-compliance under MAR.

3.3 What must be included in an insider list?

As defined in Article 18 of MAR and Annex I of Implementing Regulation (EU) 2016/347, an insider list must include full name, birth surname (if different), personal and business contact details, date and time the person gained access to the information, reason for inclusion and date/time of list creation or update.

3.4 Can insider lists be stored in Excel or Word documents?

Yes, but only if they meet all MAR and GDPR requirements, including access control, integrity, audit trails and availability for five years. Manual methods, such as using documents and spreadsheets, increase the risk of non-compliance.

3.5 How long must insider lists be stored?

At least five years from the date of creation or last update, as stated in Article 18 of MAR.

4. Conclusion

The obligations placed on advisors under the Market Abuse Regulation are strict and non-negotiable. As external parties who regularly encounter sensitive information, law firms, audit firms and consultants must be fully prepared to manage insider lists accurately, securely and in real time.

Without a structured approach, the risk of falling short of these obligations is high. Inaccurate records, insecure storage or delayed updates can not only expose the advisor to fines and reputational damage but also erode client trust.

Firms that adopt a disciplined, transparent system for insider list management can ensure compliance, reduce operational risk and provide reassurance to clients and regulators alike.

For advisors seeking to streamline this process across multiple mandates, a dedicated solution can offer the automation, audit readiness and scalability that manual methods cannot provide. InsiderLog provides a secure insider list process that provides peace of mind and helps you meet your compliance obligations.