
How and When to Use Permanent Insider Lists (Best Practices)

When the Market Abuse Regulation (MAR) came into force, one of the key elements in the fight against misconduct in the markets was Article 18 on insider lists. This requires issuers to create lists of all those stakeholders with access to specific, non-public information that would significantly affect the price of a financial instrument if it were to become public.  

As soon as a company decides to delay the disclosure of inside information, in accordance with the requirements for doing so, it must create an event-based insider list. This list should include each insider’s full contact details, reason for inclusion and the dates and times they gained and lost access to the information. 

However, this has contributed to a regulatory burden on many organisations, prompting them to use the option of a permanent insider list to reduce admin work. This article explains what a permanent list is, how it differs from an event-based list, how to create it and when to use one.

1. What is a permanent insider list?

A permanent insider list is a record of the individuals in a company who, by virtue of their position, will have continuous access to all inside information generated within the organisation. This means that the company only has to adjust this list when someone enters or leaves the business in such a role, rather than for every piece of inside information. 

This supplements the event-based insider list, reducing the need for companies to continually input the details of the same individuals on each list. The event-based list remains for those with occasional access to inside information. 

The European Securities and Markets Authority (ESMA) is not in favour of permanent insider lists in general, warning in a March 2023 letter that they make it more difficult to understand who had access to information at certain times during investigations into insider dealing. However, it states that, if businesses do choose to use a permanent insider list, “only an extremely limited group of individuals should meet that definition.” In ESMA’s guidance, to avoid over-inflating the list, this can include:

  • Chief Executive Officer 
  • Chief Finance Officer 
  • Executive assistant 
  • Chair 
  • Head of Legal Department 
  • Head of Compliance 
  • Chief Technical Officers 

Issuers on SME growth markets are required only to create permanent insider lists, rather than event-based lists. This helps simplify processes for businesses where senior management typically has continuous access to inside information. 

2. Permanent vs event-based insider list

| Feature | Permanent insider list | Event-based insider list |
| --- | --- | --- |
| Definition | A list of individuals who always have full access to all inside information. | A list of individuals who have access to inside information related to a specific event or project. |
| Regulatory requirement | Optional under MAR for all issuers in addition to event-based lists and allowed as a complete solution for issuers on SME growth markets. | Mandatory under MAR for issuers other than those on SME growth markets. |
| Who is included? | Only those senior figures with access to all inside information within the business. | Employees, advisors, external consultants and other stakeholders who are involved in a specific price-sensitive event. |
| Frequency of updates | When roles change. | Immediately when inside information arises and when an insider gains or loses access to the information. |

3. How to create a permanent insider list

3.1 Identify permanent insiders

Consider whether there are any individuals within your organisation who have access to all inside information that arises. This must be full, ongoing access to every single piece of information. If there are occasions when they do not have it, you should not include them on the list, as this will hinder and delay any investigation into insider trading or the unlawful disclosure of inside information.

Look closely at ESMA’s recommendations regarding who could form part of your list and ensure you do not widen the scope any further. If you find that there genuinely are permanent insiders, you can move forwards with your permanent list.  

3.2 Gather required information

As you would with an event-based list, you should collect information from your permanent insiders to input on the permanent list. According to the template provided by the Commission Implementing Regulation (EU) 2022/1210, this means creating a list in digital format that includes the following personal details and information about each insider:  

  • First name 
  • Surname 
  • Birth surname (if different) 
  • Professional telephone number 
  • Company name and address 
  • Function and reason for being on the list 
  • Date they were included on the list 
  • National identification number (if applicable) 
  • Date of birth 
  • Personal address and telephone number 

Dates should be provided in the yyyy-mm-dd format, while times should be indicated in hh:mm format, using Coordinated Universal Time (UTC). The permanent list section should also feature details of when it was created, the date and time it was last updated and when it was transmitted to the national competent authority (NCA).  

3.3 Implement version control

You should keep copies of all versions of your permanent list for your records and in case your NCA needs to see them. This means you need a process in place to timestamp each version in accordance with ISO 8601, archive old versions in a secure but easily retrievable manner and ensure that you always use the most recent version.  

Many companies use Excel spreadsheets to manage insider lists, but there can be issues with version control and saving over old iterations. A dedicated insider list tool like InsiderLog automates the process of updating, timestamping and archiving old permanent lists, ensuring you remain compliant, maintain an audit trail and always work from the most recent version of the list.  

3.4 Obtain acknowledgement from permanent insiders

Ensure that your permanent insiders acknowledge their responsibilities as insiders not to unlawfully disclose inside information or to use it to inform their personal trading. They must keep the information confidential until the company officially discloses it to the market to ensure fairness amongst investors.

Send emails to insiders asking them to confirm that they understand their obligations and regulatory duties and automate reminders so that you can show you made every effort to acquire their agreement.  

3.5 Update regularly

Update the list as soon as there is a change in the status of individuals included or new individuals take up roles that make them permanent insiders. Log your changes with reasons and timestamps.  

Schedule periodic reviews to check that your permanent list is operating as it should and that those on the list are still eligible for inclusion. 

4. Potential pitfalls of permanent lists

While permanent insider lists can help reduce administrative burden, they are not recommended as a primary solution for managing access to inside information. They should only be used in limited cases, and always with caution. 

  • Non-compliance with MAR and the technical standards on permanent lists can lead to significant sanctions for organisations. Be sure to understand the advice provided when creating these lists.  
  • Delayed investigations due to bloated lists hampering the effective tracking of who really did have access to the information. It can waste the time of investigators talking to individuals who had no knowledge of the information, but who remained on a permanent insider list. 
  • Diluted accountability, caused by a lack of clarity over when people gained access to the inside information. With a correctly formatted event-based list, you can see who knew what and – crucially – when. Without this extra information, there is a less clear picture of who could be responsible for leaks, for example.  
  • Security risks, as some individuals are able to access inside information, even if it is not relevant to them. This increases the likelihood of leaks and the misuse of inside information.  

Case study: Permanent insider list penalty 

A permanent insider list does not replace an event-based list for each piece of inside information. A Swedish issuer was fined more than SEK 1 million (around €90,000) for failing to produce an event-based list for a piece of inside information and only providing regulators with its permanent list, which did not show all individuals who had accessed the information. 


5. FAQ

5.1 Which individuals should be responsible for maintaining an insider list?

The company’s compliance officer or a designated compliance lead should be in charge of maintaining the permanent and separate lists in accordance with MAR, including inputting the details of individuals with access to information.  

5.2 How often should a permanent insider list be updated?

Update your permanent insider lists whenever someone takes up or leaves a role that is considered one in which they will have access to all inside information. In addition, if you find that some of these roles do not always possess inside information, you should remove them and only add them to event-based lists when they do gain knowledge of such information.  

5.3 How should changes in roles or responsibilities be managed on the permanent insider list?

Determine whether the change in their role or responsibilities will affect whether they still have permanent access to all inside information. If they do, they may remain on the list. Otherwise, remove them and add them only to event-based lists where appropriate. Document all changes with a correctly formatted timestamp and save each version for your records.  

5.4 Where and how should insider lists be kept?

Keep insider lists in an electronic format in a secure location. Ideally, this will be a dedicated insider list management tool that is able to protect your data, ensure a proper audit trail and handle insider notifications. You should also have the option to restrict access to authorised personnel only. 

5.5 How long should a permanent insider list be kept?

Issuers should keep event-based insider lists for five years from being drawn up or updated. Although there is no specific ruling on permanent lists, it makes sense to keep them for at least five years from the last update or longer, in the event that there are updates made within that timeframe.  

6. Conclusion

Although ESMA is not in favour of using a permanent insider list, it is understandable why issuers choose to use them sometimes. Rather than chasing the same people to input their details in insider lists every time there is a new piece of inside information, you place them on a list once and reduce the administrative burden. However, you must be sure that those on the list are permanent insiders and that you enter the details in a compliant manner.  

InsiderLog helps you create and manage compliant insider lists with ease. Whether you are maintaining event-based lists, PDMR lists or using a permanent insider list where appropriate, the platform ensures that all required information is captured in the correct format. It also timestamps all versions and saves them securely for your audit trail. If you want to avoid misusing permanent insider lists and find a smarter way to manage insider information, try InsiderLog. 
