Market Abuse Regulation Surveillance: A Practitioner Guide

Sedric Team
Communications


TL;DR — MAR (Regulation (EU) 596/2014, onshored in the UK) requires firms to detect and report market abuse: insider dealing, unlawful disclosure, and market manipulation. The hardest part of MAR surveillance is not the rule but the operating model — communications surveillance and trade surveillance are typically run by different teams on different data. This piece sets out what good looks like across both, the STOR threshold, and the control gaps that repeatedly surface in ESMA and FCA enforcement.


What the regulation actually says

The Market Abuse Regulation (Regulation (EU) 596/2014) has applied since July 2016. It defines and prohibits three categories of behaviour and creates the supervisory and reporting infrastructure to detect them.

Article 8 — Insider dealing. Using inside information to acquire or dispose of financial instruments, or recommending or inducing others to do so.

Article 10 — Unlawful disclosure of inside information. Disclosing inside information outside the normal exercise of employment, profession or duties.

Article 12 — Market manipulation. A non-exhaustive list including:

  • Transactions or orders that give false signals as to supply, demand or price.
  • Transactions that secure the price at an abnormal or artificial level.
  • Transactions employing fictitious devices or deception.
  • Dissemination of false information.
  • Benchmark manipulation.

Article 16 — Prevention and detection. Operators of trading venues and persons professionally arranging or executing transactions (PPAETs) must establish and maintain effective arrangements, systems and procedures to detect and report orders and transactions that could constitute market abuse. PPAETs file Suspicious Transaction and Order Reports (STORs) without delay.

The technical detail is in Commission Delegated Regulation (EU) 2016/957 on STORs and Commission Delegated Regulation (EU) 2016/958 on investment recommendations.

For the UK, MAR was onshored at exit day. The UK MAR is functionally equivalent and operates alongside SYSC 10A and SUP 15.10 of the FCA Handbook.

Why MAR surveillance matters in 2026

Three trends are intensifying supervisory focus on MAR surveillance.

ESMA common supervisory action 2024–2025. ESMA coordinated a common supervisory action on MAR with national competent authorities focusing on PPAET arrangements. Findings highlighted under-investment in communications surveillance, insufficient coverage of crypto-related instruments now within scope, and weakness in suspicion-to-STOR escalation.

Cross-asset and new instrument coverage. MAR's scope expanded with MiCA: certain crypto-asset transactions, where the asset is admitted to trading on a venue or where MAR otherwise applies, fall inside the regime. PPAETs trading or executing in those assets must now extend surveillance.

Communications surveillance under-investment. The FCA's 2024 Market Watch and ESMA's 2025 thematic statements both flag that communications surveillance — as distinct from trade surveillance — is the under-resourced side of the MAR estate at most mid-sized firms. Investment has historically gone into trade surveillance vendors; chat and voice surveillance has been an afterthought.

For Heads of Compliance, MLROs and Conduct and Culture leads, the practical implication is that MAR surveillance is increasingly judged not by the number of trade alerts processed but by the integration of trade and communications surveillance into a coherent suspicion assessment.

The three behaviours MAR addresses

Insider dealing

The core question is possession of inside information and use of that information. ESMA Q&As make clear that "use" includes patterns of behaviour change — adjusting an existing position, cancelling a routine order — not only the textbook fresh trade. Insider lists (Article 18) and PDMR notifications (Article 19) provide pieces of the data picture but do not by themselves constitute surveillance.

Surveillance signals that matter:

  • Trades clustered in a window before a price-sensitive announcement.
  • Information access logs (deal rooms, data rooms) cross-referenced with trading.
  • Communications referencing material non-public information (MNPI) or names of restricted issuers.
  • Front-running of internal flow by employees with proximity to client orders.
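The first two signals above, combined with an insider-list cross-check, can be sketched as follows. This is an added example, not code from Sedric or any surveillance vendor; the record fields, the 5-day window and all sample data are constructed assumptions, and the output is a list of candidates for human review, not a STOR decision.

```python
from datetime import datetime, timedelta

# Constructed sample data; all names, issuers and timestamps are hypothetical.
ANNOUNCEMENTS = [{"issuer": "ACME", "at": datetime(2025, 3, 14, 7, 0)}]
INSIDER_LIST = {"ACME": {"a.smith"}}  # Article 18-style list, keyed by issuer
ACCESS_LOG = [  # deal-room / data-room access events
    {"person": "a.smith", "issuer": "ACME", "at": datetime(2025, 3, 10, 9, 0)},
    {"person": "p.jones", "issuer": "ACME", "at": datetime(2025, 3, 11, 16, 30)},
]
TRADES = [
    {"id": "T1", "person": "a.smith", "issuer": "ACME", "at": datetime(2025, 3, 12, 10, 0)},
    {"id": "T2", "person": "p.jones", "issuer": "ACME", "at": datetime(2025, 3, 13, 15, 45)},
    {"id": "T3", "person": "k.lee", "issuer": "ACME", "at": datetime(2025, 3, 13, 11, 0)},
    {"id": "T4", "person": "a.smith", "issuer": "ACME", "at": datetime(2025, 2, 1, 10, 0)},
    {"id": "T5", "person": "p.jones", "issuer": "BETA", "at": datetime(2025, 3, 13, 12, 0)},
]


def review_candidates(trades, announcements, access_log, insider_list, window_days=5):
    """Flag trades in the pre-announcement window and enrich each with access-log context."""
    candidates = []
    for ann in announcements:
        window_start = ann["at"] - timedelta(days=window_days)
        for trade in trades:
            in_window = window_start <= trade["at"] < ann["at"]
            if trade["issuer"] != ann["issuer"] or not in_window:
                continue
            # Access events by the same person, for the same issuer, before the trade.
            prior_access = [
                a["at"] for a in access_log
                if a["person"] == trade["person"]
                and a["issuer"] == trade["issuer"]
                and a["at"] <= trade["at"]
            ]
            on_list = trade["person"] in insider_list.get(trade["issuer"], set())
            reasons = ["pre_announcement_window"]
            if prior_access:
                reasons.append("data_room_access_before_trade")
            if prior_access and not on_list:
                # Access without a list entry also points to an insider-list hygiene gap.
                reasons.append("access_without_insider_list_entry")
            candidates.append({"trade_id": trade["id"], "person": trade["person"],
                               "issuer": trade["issuer"], "reasons": reasons})
    # Most corroborated candidates first; ties broken by trade id for stable output.
    return sorted(candidates, key=lambda c: (-len(c["reasons"]), c["trade_id"]))


if __name__ == "__main__":
    for c in review_candidates(TRADES, ANNOUNCEMENTS, ACCESS_LOG, INSIDER_LIST):
        print(c["trade_id"], c["person"], ", ".join(c["reasons"]))
```
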

Unlawful disclosure

Article 10 catches both intentional and reckless disclosure of inside information. The textbook case is leak before announcement, but the operational case at most firms is more banal:

  • A junior banker discussing a deal in a public space.
  • A salesperson referencing a deal name in chat with a client not on the deal team.
  • A wall-crossing call that crosses someone the firm did not intend to cross.
  • Disclosure to a journalist or analyst that strays past the boundary of "normal exercise of duties."

This is where communications surveillance earns its keep. Trade data alone will not detect unlawful disclosure that does not (yet) result in a trade.

Market manipulation

The Article 12 list is non-exhaustive and Annex I to MAR (further detailed in Annex II of Reg (EU) 2016/522) gives indicators. Recurrent surveillance categories:

  • Spoofing and layering — orders placed without intent to execute, to create false impressions of supply or demand.
  • Wash trading — matched buy and sell with no change of beneficial ownership.
  • Marking the close — transactions designed to influence the closing price.
  • Ramping — pump-and-dump style manipulation.
  • Cross-product manipulation — manipulation in one instrument to benefit a position in a related instrument.
  • Benchmark manipulation — false submissions or trades influencing benchmark fixings.

For cryptoassets in scope, the same categories apply with adaptation. The Sedric platform applies the MAR Annex II indicators to in-scope trading activity and the underlying communications in parallel.

STORs: what triggers, what filing looks like

The Suspicious Transaction and Order Report is the operational hinge of MAR.

The threshold. Article 16(2) requires a STOR where the firm has a "reasonable suspicion" that an order or transaction (including the cancellation or modification of an order) could constitute market abuse. The threshold is below "evidence" and below "balance of probabilities" — it is suspicion sufficient to warrant a regulator's attention.

Without delay. Filing must be without undue delay once the suspicion is formed. National competent authorities take this seriously. Multi-week delays from suspicion formation to filing are a routine enforcement finding.

Reasoned analysis. A STOR is not a tip-off. The template (Reg (EU) 2016/957) requires a description of the order or transaction, identification of the persons, the reasoning for the suspicion, and any analysis. ESMA's expectation is that firms have done their own analytical work before filing.

No tipping-off. The subject of the STOR must not be informed.

Records. All STORs and the underlying analysis must be retained for five years.

Three operational points firms underestimate:

  • A high false-positive rate at the alert level is acceptable. A high false-positive rate at the STOR level is not. The internal review layer between alert and STOR is the substantive piece of work supervisors examine.
  • The "no STOR filed" decision needs the same documentation as the filed STOR. ESMA and FCA both look for evidence of the reasoning where a candidate suspicion was closed.
  • Communications surveillance generates STOR candidates that are entirely independent of trade alerts. A firm whose STORs all originate from trade alerts is showing a coverage gap.

Trade surveillance versus communications surveillance

The two surveillance disciplines target overlapping but distinct behaviours.

Trade surveillance uses order and execution data to detect patterns consistent with manipulation or insider dealing. Vendors are mature, alert taxonomies are well-defined, and integration with venues is standardised.

Trade surveillance tends to be strong at:

  • Spoofing, layering, wash trades, marking the close.
  • Cross-product manipulation where the data is available.
  • Pre-announcement clustering, given a clean MNPI calendar.

Trade surveillance tends to be weak at:

  • Detecting intent. The data shows the pattern but not the reasoning behind it.
  • Unlawful disclosure, which leaves no trade footprint until and unless someone trades on the disclosed information.
  • New behaviours that do not yet have alert logic.

Communications surveillance uses voice, chat, email and meeting transcripts to detect content consistent with market abuse, insider information handling failures, or front-running discussions. It is operationally harder because the data is unstructured.

Communications surveillance tends to be strong at:

  • Unlawful disclosure, including informal leaks.
  • Front-running discussions, including off-the-record commitments.
  • Wall-crossing failures and information barrier breaches.
  • Inducement and conflict-of-interest signals adjacent to MAR.

Communications surveillance tends to be weak at:

  • Pure trade-pattern manipulation where there is no parallel conversation.
  • Coverage of populations who communicate primarily through unmonitored channels.

The integration of the two — a suspicion candidate from trade surveillance enriched with the relevant communications, or vice versa — is what defines mature MAR surveillance. ESMA's recent guidance signals this explicitly.

The Sedric platform sits on the communications surveillance side and integrates with the trade surveillance system of record. Each communications alert is linked to the relevant MAR article and Annex II indicator. The reviewer sees the conversation in context of any related trade alerts.

For the underlying recording obligation that feeds MAR surveillance, see our MiFID II recording requirements and Article 16 MiFID II communications guides.

Common control gaps

Across recent enforcement and supervisory findings the recurring MAR surveillance gaps are:

  1. Communications surveillance scope limited to chat. Voice and meeting platforms excluded for cost or technical reasons.
  2. Static lexicons. Communications surveillance built on keyword lists that have not been updated for current trading desk vocabulary.
  3. No integration of trade and comms alerts. A reviewer sees one or the other but not the combined signal.
  4. STOR threshold drift. Either filing too readily (low signal-to-noise) or under-filing (suspicion review closes without documented reasoning).
  5. Cryptoasset coverage gap. PPAETs trading in-scope cryptoassets have not extended surveillance.
  6. Insider list hygiene. Article 18 lists not kept current, leading to insider dealing alerts that cannot be triangulated.
  7. Wall-crossing controls. Process exists but evidence of effective operation is thin.
  8. Cross-border arrangements. Group-wide policy but local NCA expectations not met (BaFin, AMF, AFM, CSSF each have specific operational expectations).
  9. Senior accountability. MAR surveillance owner not mapped to an SMF or equivalent, weakening the governance signal.

Three recent enforcement examples

UK FCA enforcement, 2025. A six-figure financial penalty against an investment firm for MAR surveillance failings, including inadequate communications surveillance of a population of relationship managers, weak STOR escalation, and absence of cross-product manipulation alerts.

EU NCA fine, 2024. A penalty against an EU-headquartered broker for failure to file timely STORs in relation to suspected manipulation of mid-cap equity prices. The supervisory finding emphasised that the suspicion had been formed weeks before the STOR was filed, and the firm's internal documentation did not justify the delay.

Individual sanction, EU NCA, 2025. Personal sanctions against a head of equity sales for inadequate handling of MNPI in client communications, with the firm's information barriers cited as inadequate. The action underlined the personal accountability dimension that runs through MAR enforcement.

A 9-item MAR surveillance controls checklist

  1. PPAET scoping. Confirm whether the firm is a PPAET and document the basis. Group entities scoped individually.
  2. Surveillance coverage. Trade and communications surveillance both in place, with documented coverage of all in-scope instrument categories including any in-scope cryptoassets.
  3. Alert taxonomy. Documented alert library mapped to MAR Article 8/10/12 and Annex II indicators, with calibration evidence.
  4. STOR threshold and workflow. Documented threshold, escalation pathway, decision documentation for both filed STORs and closed candidates, retention for five years.
  5. Comms surveillance lexicon refresh. Documented quarterly refresh of search terms, sentiment patterns and behavioural cues, signed off by surveillance lead.
  6. Trade-comms integration. Workflow for combining trade alerts with relevant communications, with reviewer-level evidence of the combined assessment.
  7. Insider lists and wall-crossings. Article 18 lists current, wall-crossing logs maintained, cross-checks against trading activity.
  8. Cross-border arrangements. Local NCA expectations documented for each jurisdiction the firm operates in.
  9. Senior accountability. MAR owner mapped to an SMF or equivalent, with annual board-level report.

How leading firms automate this with Sedric

Most firms have a trade surveillance tool. Far fewer have communications surveillance that operates at the same level of maturity. The result is a structural gap in the MAR estate: trade-pattern manipulation gets caught, but unlawful disclosure, front-running discussions, and information barrier breaches sit untouched until the FCA or an NCA asks the question.

Sedric ingests in-scope communications across voice, chat, email and meeting platforms and applies real-time content surveillance keyed to MAR Article 8, 10 and 12 indicators, Annex II behaviours, and firm-specific lexicons. Each alert is linked to the relevant MAR article and indicator so a reviewer sees the regulatory basis, not just the flag. Overrides are logged with reasoning. The output integrates with trade surveillance systems of record, so combined trade-and-comms alerts feed a single suspicion review queue. For the MLRO this means STOR escalation is faster, the no-STOR-filed decision is consistently documented, and the audit trail is generated as part of normal work rather than retrieved on supervisory request.

The model also extends to MAR-adjacent risks — conduct, conflict of interest, off-channel communications — that are increasingly examined in the same supervisory visit. This is what we mean by real-time guardrails: the conduct signal arrives during the conversation, not weeks later in a sample review. For comparison of the legacy archive-and-supervise model versus modern AI-native approaches, see our Smarsh alternatives post.

FAQ

What is the STOR threshold under MAR? Reasonable suspicion that an order or transaction could constitute insider dealing, unlawful disclosure, or market manipulation under Articles 8, 10 or 12. The threshold is below evidence and below balance of probabilities.

Who is a PPAET under MAR? Persons professionally arranging or executing transactions in financial instruments within MAR's scope. The category includes investment firms, credit institutions and trading venue operators where they arrange or execute. The detailed definition is in ESMA Q&As.

Does MAR apply to cryptoassets? MAR applies to cryptoassets admitted to trading on a venue and to certain other in-scope situations following MiCA's interaction with MAR. Firms trading cryptoassets must scope surveillance accordingly.

How long do I have to file a STOR? "Without undue delay" once suspicion is formed. Multi-week delays from suspicion to filing are not consistent with the standard and have been the basis for enforcement actions.

Is keyword search good enough for communications surveillance? No. Static lexicons miss intent, context, vocabulary drift and code-switching. ESMA's recent statements implicitly recognise this in calling for more sophisticated surveillance, though the regulation is technology-neutral.

Does MAR require recording of communications independently of MiFID II? MAR does not impose a separate recording requirement, but MAR surveillance depends on recordings produced under MiFID II Article 16(7), SYSC 10A in the UK, or other applicable regimes. See our Article 16 MiFID II communications deep-dive.

What is the difference between an internal escalation and a STOR? An internal escalation is the firm's own review process — moving an alert up to a senior reviewer or to compliance. A STOR is the formal external filing to the competent authority once reasonable suspicion is formed. Both processes need documentation.

Has the UK diverged from the EU on MAR? The substantive provisions are very similar. The FCA's operational expectations have hardened in line with ESMA's, and Market Watch publications continue to set the practical agenda for UK firms.

See MAR surveillance on your own data

Book a 30-minute demo with Sedric and we will run the platform on a sample of your recorded communications keyed to MAR indicators. You will see how alerts map to MAR Articles 8, 10 and 12, how trade-and-comms integration works in the review queue, and how the audit trail is built as part of normal workflow. Request a session at sedric.ai.
