Trade Surveillance

Last reviewed April 2026

A trader submits 500 orders in a session. Twelve are cancelled within 200 milliseconds. Three of those cancellations preceded a price movement in the trader's favour. Is this spoofing, or is it a market maker adjusting quotes in a volatile session? Telling legitimate trading apart from the surveillance alerts that matter depends on context that rule-based systems cannot assess.

What is trade surveillance?

Trade surveillance is the monitoring of order and execution activity to detect market manipulation, insider dealing, and other prohibited trading practices. It is the operational implementation of the market abuse surveillance obligation, focused specifically on trading data: orders placed, modified, cancelled, and executed across all instruments and venues where the firm operates. The output is alerts that require investigation by the compliance team, suspicious transaction and order reports (STORs) filed with the regulator, and management information on surveillance coverage and effectiveness.

The data volumes are substantial. A mid-sized investment bank generates millions of order events per day across equities, fixed income, derivatives, and foreign exchange. Each event must be captured, stored, and available for surveillance analysis. The surveillance system must process this data in near-real time for detection and retain it for years for regulatory purposes. MiFID II requires firms to retain order data for a minimum of five years. Sound data governance is the foundation: without accurate, complete order data, no surveillance model can function.

The manipulation typologies the system must detect are diverse and evolving. Spoofing involves placing orders with the intent to cancel before execution. Layering involves stacking orders at multiple price levels to create false market depth. Wash trading involves simultaneous buy and sell orders to inflate volume. Front-running involves trading ahead of a known large order. Ramping involves placing orders to move the price in a desired direction. Each typology has a distinctive data signature, but those signatures overlap with legitimate trading behaviour, making detection a classification problem rather than a simple pattern-matching exercise.

The landscape

The FCA's Market Watch newsletter regularly highlights deficiencies in firms' surveillance arrangements. Common findings include: surveillance systems that do not cover all relevant instruments, calibration thresholds that generate excessive false positives without improving detection, insufficient investigation of alerts, and failure to file STORs in a timely manner. The regulatory expectation is not just that surveillance exists but that it is effective and that deficiencies are actively addressed.

MiFID II and MAR have standardised the data that firms must submit to regulators via transaction reports. This data enables the FCA's own market surveillance function to identify suspicious patterns across the market. Firms that fail to detect patterns that the regulator can see in their own data face questions about the adequacy of their surveillance. The regulator's surveillance capability sets the floor for what firms' own systems must achieve.

The expansion of electronic trading into fixed income, foreign exchange, and commodities markets extends the surveillance perimeter. These markets, which historically relied on voice trading and bilateral relationships, are increasingly electronic. The regulatory expectation is that firms' surveillance covers these markets with the same rigour applied to equity markets, even though the manipulation patterns, data structures, and market microstructure differ significantly.

How AI changes this

Behavioural baseline modelling is the most impactful application. Rather than applying static rules (flag any order cancelled within N milliseconds), AI models learn each trader's normal order behaviour: their typical order-to-trade ratio, cancellation patterns, time-in-force preferences, and reaction to market events. Deviations from the individual baseline generate alerts, while behaviour that matches the baseline does not, regardless of whether it would trigger a generic rule. This approach dramatically reduces false positives for active traders and market makers whose legitimate behaviour routinely triggers rule-based alerts.
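The contrast between a static rule and a per-trader baseline can be shown with a short added example (not from the original page). It uses a single feature, the share of orders cancelled within 200 ms, and a z-score as a simple stand-in for a learned model; the threshold values, function names and sample sessions are constructed assumptions.

```python
from statistics import mean, stdev

FAST_CANCEL_MS = 200  # "N milliseconds" in the static rule; 200 ms as in the opening scenario
Z_THRESHOLD = 3.0     # assumed alerting threshold on deviation from the trader's own baseline

def fast_cancel_ratio(session):
    """session: list of (placed_ms, cancelled_ms or None). Share of orders cancelled fast."""
    fast = sum(1 for placed, cancelled in session
               if cancelled is not None and cancelled - placed < FAST_CANCEL_MS)
    return fast / len(session)

def static_rule_alert(session):
    """Generic rule: flag the session if any order was cancelled within the threshold."""
    return fast_cancel_ratio(session) > 0

def baseline_alert(history, session):
    """Flag only if today's ratio sits far above this trader's own past sessions."""
    ratios = [fast_cancel_ratio(s) for s in history]
    mu, sigma = mean(ratios), stdev(ratios)
    z = (fast_cancel_ratio(session) - mu) / max(sigma, 1e-6)  # guard a flat history
    return z > Z_THRESHOLD, round(z, 2)

def make_session(n_orders, n_fast):
    """Constructed sample data: n_fast orders cancelled after 150 ms, the rest never cancelled."""
    return [(i * 1000, i * 1000 + 150 if i < n_fast else None) for i in range(n_orders)]

# Constructed histories: a market maker who routinely cancels fast, and a
# directional trader who almost never does.
MARKET_MAKER = [make_session(500, k) for k in (150, 140, 165, 155, 145, 160)]
DIRECTIONAL = [make_session(500, k) for k in (0, 1, 0, 2, 1, 0)]

def assess(history, today):
    """Compare the generic rule with the per-trader baseline for one session."""
    flagged, z = baseline_alert(history, today)
    return {"static_rule": static_rule_alert(today), "baseline": flagged, "z": z}

if __name__ == "__main__":
    print("market maker:", assess(MARKET_MAKER, make_session(500, 155)))
    print("directional: ", assess(DIRECTIONAL, make_session(500, 12)))
```

The static rule fires on both sessions; the baseline stays quiet for the market maker's routine 155 fast cancels and alerts on the directional trader's 12, which is the session from the opening scenario.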

Multi-typology detection uses a single model to assess whether trading activity matches any of several manipulation patterns simultaneously. Traditional systems run separate detection logic for each typology, which means an alert is classified as "potential spoofing" or "potential layering" based on which rule it triggered. AI models assess the probability of multiple typologies for each trading pattern, identifying hybrid strategies that combine elements of different manipulation types. This is a more realistic representation of how sophisticated manipulation actually works.

Cross-venue correlation identifies manipulation that spans multiple trading platforms. An order placed on one venue to influence the price, followed by execution on another venue at the manipulated price, is invisible to venue-specific surveillance. AI models that analyse consolidated order and trade data across all venues where the firm operates detect these cross-venue patterns. The data engineering challenge of consolidating venue data with consistent timestamps and instrument identifiers is substantial but essential.

Anomaly detection applied to new markets and asset classes provides surveillance coverage where insufficient historical data exists to calibrate traditional rules. For cryptocurrency trading, carbon credit markets, or newly listed instruments, AI models can identify statistically anomalous trading patterns without requiring predefined manipulation signatures. As more data accumulates, the model refines its understanding of normal behaviour for each market, improving detection precision over time. These capabilities feed into the broader financial crime analytics platform.

What to know before you start

Timestamp precision is non-negotiable. Manipulation detection depends on the sequence and timing of events measured in milliseconds. If your order data timestamps are imprecise, rounded, or inconsistent across venues, your surveillance will miss time-dependent patterns and generate false positives from ordering artefacts. Ensure your data infrastructure captures and preserves sub-millisecond timestamps from each venue.

Model validation for trade surveillance models must demonstrate that the model does not miss known manipulation patterns while reducing false positives. The validation should include backtesting against historical cases where manipulation was confirmed (either through internal investigation or regulatory action) and testing against synthetic manipulation scenarios injected into real market data. The PRA's SS1/23 expectations on model risk management apply.

Investigation workflow integration matters as much as detection quality. An alert that reaches a surveillance analyst three days after the trading activity occurred is harder to investigate than one that arrives within hours. The analyst needs access to the full order book data, communication records from the same time window, and the market context (price movements, news, corporate actions) to assess the alert. Build the investigation tooling alongside the detection model.

Start with alert scoring on your highest-volume surveillance alert type. For most firms, this is spoofing or layering alerts in equity markets, where the rule-based systems generate large volumes with high false positive rates. Deploy an AI scoring model to prioritise the queue, validate the model's performance over three to six months, and then extend to additional typologies and asset classes. The infrastructure and governance built for the first deployment accelerate every subsequent one.
