Our Take
Compliance on paper and control in practice have diverged; regulatory reform acts as a stress test that collapses the independence supposed to catch errors before they cost millions.
Why it matters
The FCA's reliance on MiFIR reporting data for market abuse surveillance is deepening, not shrinking. Firms that carried legacy assumptions forward into post-2018 frameworks now face the bill when audits and regulatory engagement expose undocumented logic, inconsistent field-level decisions, and eroded segregation of duties.
Do this week
Compliance leads: audit segregation between your first line (reporting operations), second line (independent monitoring), and third line (assurance) this quarter, because blurred boundaries allow errors to accumulate undetected until reform or inspection surfaces them at maximum cost.
MiFIR reform is stress-testing governance that was never stress-tested
Transaction reporting frameworks built at pace before the MiFID II deadline of 3 January 2018 embedded weaknesses that have remained dormant for years. As the FCA signals a reshaping of the UK transaction reporting regime through consultation paper CP25/32, regulators are clarifying what they have always expected but firms are only now realizing: the bar for control has risen. The expectation is no longer compliance; it is proof that reporting is complete, consistent, and defensible.
ACA Group, a regulatory reporting specialist, identifies three structural failure modes. First, the three-lines-of-defence model (first line: reporting operations; second line: compliance oversight; third line: independent assurance) is collapsing in practice. Compliance teams are drawn into first-line work, filling resource or expertise gaps in the operational function. That erodes independence. Second-line monitoring commonly relies on management information generated by the teams it is supposed to challenge, creating a structural ceiling on objectivity, particularly where reporting logic is technical and assumptions were never formally documented. Third-line assurance tends to be periodic and retrospective, offering snapshots rather than sustained confidence.
The cumulative effect is silent: known issues are tolerated rather than challenged; control effectiveness is assumed rather than evidenced; remediation targets symptoms rather than root causes. Reporting frameworks can appear fully compliant on paper while harbouring hidden errors, inconsistent field-level assumptions, and undocumented logic. When those problems surface through regulatory engagement or formal review, remediation is invariably broader, more disruptive, and more costly than it would have been had they been caught earlier.
Reform windows are when hidden risks emerge
Regulatory change acts as a stress test. When firms are focused on interpreting new rules, meeting implementation timelines, and delivering technical changes, structural weaknesses in reporting governance become easier to overlook and more likely to compound. Legacy assumptions are quietly carried forward into new frameworks. Control gaps go unaddressed. The window for proactive remediation narrows.
The FCA's underlying reliance on reporting data as a surveillance tool is unchanged. What has changed is the regulator's depth of engagement with that data and the clarity of expectation that firms can demonstrate control, not merely compliance. Firms that carried forward the operating models, personnel structures, and system assumptions from 2018 are now discovering those assumptions do not hold under scrutiny.
Define ownership, embed independence in change, test against regulatory intent
To address governance weaknesses and prevent risks from compounding, firms should move now on three fronts. Ownership across the three lines should be clearly defined, with delivery, oversight, and assurance not implicitly shared across functions. That requires resourcing compliance independently from first-line operations.
Second, independent monitoring of reporting accuracy and completeness should be introduced separately from day-to-day reporting operations, drawing on sampling, reconciliation, and objective challenge. Where issues arise, they should be investigated to root cause rather than resolved through tactical fixes that allow errors to re-emerge.
Third, independent challenge should be embedded in change programmes from the outset, so new requirements are implemented on a foundation of proven control rather than inherited assumption. Reporting outcomes should be tested against regulatory expectations, not merely internal interpretations, to ensure data is capable of supporting effective market abuse surveillance. An independent perspective allows firms to assess their frameworks as regulators do, objectively and from the outside, identifying where assumptions have not kept pace with changes in business activity, personnel, or systems.