Advisor's Checklist: MAR Insider List Management

The European Union’s Market Abuse Regulation (MAR) was implemented to preserve the integrity of the capital markets by placing certain obligations on issuers. These included measures related to managing inside information, such as the prohibition of insider dealing and the requirement to create insider lists. 

When a company meets the threshold to delay disclosure of specific, non-public information that could affect the price of a financial instrument if made public, Article 18 of MAR states that: 

“Issuers or any person acting on their behalf or on their account, shall draw up a list of all persons who have access to inside information and who are working for them under a contract of employment, or otherwise performing tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies.” 

This means that advisors can feature on their clients’ lists and then must also record all their internal insiders. This article provides an advisor’s checklist for MAR insider list management that will help your firm remain compliant with your obligations under the regulation.  

1. The advisor's role in managing insider list

Here is the breakdown of an advisor’s role relating to insider lists:  

• If advisory firm employees gain access to an issuer client’s inside information, the issuer’s insider list would usually contain one stakeholder from the advisory firm and the advisor should create their own insider list for each piece of information. 

• The issuer should include the required identifying information of the contact person from the advisory firm, as it would with its own insiders. This includes the date and time they became aware of the insider information. They should also note that a service provider has been engaged or inside information was disclosed to them. 

• The advisory firm is responsible for drawing up and updating their own insider list, as well as for providing it to the national competent authority (NCA) when requested.  

• The advisory firm is responsible for informing its own employees of their inclusion on its own insider list and for informing them of their responsibilities not to use the information to carry out personal trades or to unlawfully disclose it.  

2. Advisor responsibilities in insider list management

In order to meet their compliance obligations, there are a range of responsibilities that advisory firms must carry out. They include:  

3. Checklist: Insider list management for advisor

• 3.1 Establish insider list protocols 

As an advisory firm, you will gain access to a significant amount of sensitive information that can, at some point, cross the threshold and become inside information.  

This requires you to have processes and procedures in place to swiftly and effectively create and manage insider lists. Not only does the named stakeholder in the client’s insider list need to acknowledge their responsibilities to the issue, but you also need to be able to identify and inform your own insiders in good time, as well as populate the list accurately and in the correct format. 

Using insider list software ensures you use the correct formatting and tells you what information you need to provide about each insider, and some tools also automate the process of informing insiders so they can acknowledge their responsibilities.  

• 3.2 Provide training for employees 

Insiders need to understand the obligations placed upon them under MAR, which is why you should run training and awareness programmes. Discuss the importance of keeping inside information confidential and not disclosing it to other people or using it to inform their personal trading and that of third parties.  

Explain the reasons for these prohibitions – to ensure a fair market for all – and inform them of the potential fines for both individuals and businesses that fail to meet their obligations.  

Provide context to the battle against market abuse and insider trading, as well as the part that insider list management plays and the specific processes they will need to undertake to acknowledge their place on an insider list.  

Look for external courses dedicated to MAR compliance to arm your team with professional insights from experts in the field.  

• 3.3 Make timely updates 

Not only should the insider list be created as soon as the company makes the decision to delay the disclosure of inside information, but any updates to the list need to happen immediately, too. Whenever someone new gains or loses access to the information, they must be added to or taken off the list.  

This process demands constant vigilance, meaning advisors need to update the list in real time rather than waiting to process multiple changes at once. Each update creates a new version that must be timestamped and archived for future reference. 

It makes sense to have experts regularly audit the list to identify any gaps or irregularities, making necessary changes immediately. Ensure that the information is limited to authorised personnel and act accordingly if not.  

• 3.4 Liaise with regulators 

Any party that creates and manages an insider list must be able to supply it, and any previous version, to the NCA upon request. This means that an advisory firm might have to engage with regulators in the case of an investigation into how insider information was managed in relation to either their own company or by their client.  

Be prepared to cooperate with regulators so that any investigation or audit can take place in a timely manner, armed with the full evidence of what happened and when.  

In some cases, the advisory firm may be the primary liaison between the client and the regulator for inspections and audits. This means helping clients create lists in the right format and storing them in a manner that allows them to deliver them to regulators when necessary.  

• 3.5 Plan incident response 

Unfortunately, despite the best efforts of companies, there can be breaches of your inside information policies. This could be an insider carrying out insider trading or disclosing inside information unlawfully. It can also be in the case of a rumour circulating that is accurate enough to compromise the confidentiality of the inside information.  

In these cases, you should have an incident response plan in place, which begins with making a “complete and effective public disclosure of that information,” as stated in Article 17(8) of MAR. You should inform the issuer if the breach came from your company, helping them notify the authorities, as well as the markets and the industry press. They should also post the information on their company and investor relations websites.  

• 3.6 Retain documents 

You have an obligation to keep all versions of your insider lists for five years in a secure manner and timestamped to show the time and date they were updated, in the correct UTC format.  

Ensure that these are held securely and cannot be accessed by anyone other than authorised personnel. They must be kept intact, too, and not edited after the event so that they portray an accurate picture of the development of the insider list.  

4. Challenges in managing MAR insider lists for clients

• 4.1 Protecting the information within the business 

Only advisory firm employees who work on a particular client’s projects really need access to their inside information. However, they may have colleagues working with other clients and your challenge is to create robust controls to prevent one client’s inside information spreading further than it needs to within your advisory firm.  

• 4.2 Dynamic nature of insider lists 

Insider lists are not static documents, they require continuous updates as individuals gain or lose access to the sensitive information. This provides potential challenges in ensuring real-time updates and accuracy, requiring strict monitoring.  

• 4.3 Ensuring data security 

Insider lists contain highly sensitive information in addition to the main inside information. The lists include data such as names, roles and contact details of individuals with access to inside information. You must ensure you have robust cybersecurity measures in place to prevent unauthorised access to this information or data breaches​ that lead to non-compliance with GDPR. 

• 4.4 Resource constraints 

Advisors often face limitations in resources, including staff expertise and technological tools, which can impede your ability to manage insider lists effectively. Using office tools, such as Excel, for insider list management can cause issues with version control, lack of security and failure to maintain the format in accordance with that required by MAR.  

• 4.5 Keeping up with regulatory changes 

MAR compliance is an ongoing process, as evidenced by the updates to the process for delaying disclosure of inside information detailed in the EU Listing Act. You must stay informed about regulatory updates, enforcement trends and industry best practices​ to ensure you meet your obligations.  

• 4.6 Time-sensitive decision-making 

You are often required to make swift decisions in high-pressure situations, such as responding to leaks or regulatory requests, while maintaining accuracy and compliance. This can present a challenge and requires having robust procedures in place.  

5. FAQ

5.1 How often should insider lists be updated? 

You should update your insider lists promptly, whenever there is a change. This includes when stakeholders gain or lose access to the insider information. You should save each version, timestamped to show when it was created.  

5.2 What type of information should an advisor include in an insider list? 

An advisor’s insider list should feature all your company’s stakeholders with access to your client’s inside information. You should note the time and date they gained access to the information, their full name, their position, date of birth, national identification number, company name, address and telephone number. 

5.3 What are the consequences of poor insider list management? 

There are potential sanctions of up to €500,000 for individuals and €1 million for businesses for breaches of Article 18, which deals with insider list management. In the late 2010s, a large European bank did not input the necessary information into an insider list and failed to create an insider list for another piece of inside information. It received an undisclosed fine for these breaches. Read more on this insider list failure here. 

6. Conclusion

MAR insider list management is essential for compliance and to help maintain the integrity of the financial markets. Advisors not only have to manage their own inside information, if they are on an insider list, but also be aware of clients’ inside information to which they have access. Then they need to create compliant and secure insider lists, meeting the obligations of MAR.  

InsiderLog helps by providing templates for all the required information, featuring the correct formatting. It also automatically records every change, timestamped and stored securely for your records. Only authorised people can access this information and it is easily available within the platform if required by your NCA. The software also automates the process of informing insiders of their place on the list and their requirements. Want to find out how to manage your insider lists in an effective and compliant manner? Request a demo today.