CISI Combating Financial Crime study guide for market abuse and insider dealing, with learning objectives, UK control cues, and exam traps.
Market abuse and insider dealing belongs to the CISI Combating Financial Crime Fraud and Market Abuse exam topic, weighted at 4%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Market abuse | Conduct that harms market integrity, such as insider dealing, unlawful disclosure, manipulation, misleading signals, or improper use of information. |
| Inside information | Non-public, price-sensitive information that could materially affect investment decisions if made public. |
| Insider dealing | Trading, encouraging trading, or improperly using inside information for advantage. |
| Unlawful disclosure | Passing inside information to another person without a legitimate reason. |
| Market manipulation | Creating false or misleading signals about supply, demand, price, volume, or market activity. |
| Surveillance control | Monitoring orders, trades, communications, personal account dealing, watchlists, and restricted lists for abuse indicators. |
Market abuse is a financial-crime topic because it damages fair and orderly markets. It differs from ordinary fraud because the harm may be to market integrity, price formation, investors, or information fairness, not only to one direct victim. A customer or employee may not steal money directly but may misuse information, manipulate prices, or create misleading market signals.
The exam often asks whether the facts point to insider dealing, unlawful disclosure, or manipulation. Do not collapse all suspicious trading into generic “fraud” if the facts involve inside information, trading before an announcement, rumours, wash trades, matched orders, spoofing, or misleading market signals.
Use a structured sequence before choosing the answer. Market-abuse questions often include facts that sound like ordinary misconduct, but the decisive issue is whether market integrity or information fairness is affected.
| Step | Question to ask | Why it matters |
|---|---|---|
| identify the information or market signal | is the issue inside information, misleading orders, rumours, price movement, or volume? | separates information misuse from manipulation |
| identify the actor | employee, adviser, issuer, client, trader, friend, journalist, analyst, or connected party | determines access, duty, and evidence sources |
| identify the conduct | trading, encouraging, disclosing, cancelling, layering, matched orders, or spreading rumours | maps the facts to the abuse type |
| identify the timing | before announcement, near market close, around client order, or after rumour | timing often creates the suspicious pattern |
| identify the control failure | information barrier, restricted list, surveillance, personal account dealing, or communications control | points to the correct firm response |
| preserve evidence | orders, trades, chats, emails, access logs, call recordings, and approvals | supports investigation and reporting decisions |
The stronger answer usually does two things: classify the conduct and preserve the evidence needed to prove or disprove the concern.
| Conduct | Common clue |
|---|---|
| Insider dealing | Trading before a takeover, earnings release, financing, rating change, or regulatory announcement. |
| Unlawful disclosure | Passing confidential issuer or deal information to a friend, client, journalist, or trader without a legitimate purpose. |
| Encouraging dealing | Telling another person to trade while holding inside information, even without trading personally. |
| Manipulation | Wash trades, matched orders, spoofing, layering, marking the close, or misleading volume. |
| Rumour-based abuse | Spreading false or misleading information to move price or liquidity. |
| Personal account dealing breach | Employee trades around client orders, restricted-list securities, or deal information. |
Inside-information scenarios are high-yield because the person who trades may not be the person who originally received the information. A banker, adviser, issuer employee, lawyer, analyst, operations employee, or connected family member may pass information that later leads to trading.
| Fact pattern | Stronger classification |
|---|---|
| employee trades before a takeover announcement | potential insider dealing |
| employee tells friend to buy but does not trade personally | unlawful disclosure or encouraging dealing |
| analyst uses confidential deal information in a recommendation | misuse of non-public price-sensitive information |
| personal account trade occurs after wall-crossing | personal-account dealing and information-barrier concern |
| client order information is used ahead of execution | misuse of confidential order information |
| confidential issuer information appears in chat | information leakage and evidence-preservation issue |
The exam trap is to focus only on personal profit. Insider dealing can involve trading, encouraging another person to trade, or disclosing information improperly. The employee may still create market-abuse risk even if the profit is made by a friend, family member, client, or connected party.
Manipulation focuses on false or misleading market signals rather than hidden information. The suspicious conduct may be an order, cancellation pattern, trade sequence, rumour, price support, or end-of-day activity.
| Manipulation pattern | What it may indicate |
|---|---|
| wash trades | artificial activity without genuine change of beneficial ownership |
| matched orders | coordinated trading to create false volume or price signals |
| spoofing or layering | visible orders are placed to move price or depth, then cancelled |
| marking the close | trades near close influence closing price or valuation |
| pump-and-dump rumours | false statements inflate price before selling |
| abusive short-and-distort | false negative rumours pressure price downward |
| quote stuffing or disruptive orders | order activity disrupts normal market functioning |
The control response should not be a generic “monitor more.” It should preserve order-book data, cancellation history, trade timing, communications, account links, client instructions, and price/volume context.
Watchlists and restricted lists are preventive controls. A watchlist can help compliance monitor securities where the firm has sensitive information. A restricted list can prevent or limit trading, research publication, marketing, or employee activity where the conflict or information risk is too high. The exam may test which list is appropriate and whether escalation is needed before a trade or communication proceeds.
Surveillance is the detection layer. It should connect order activity, trade timing, price movement, news events, communications, personal account dealing, client instructions, and employee access to information. Strong controls also preserve evidence and support suspicious transaction or order reporting where required.
| Control | What it supports |
|---|---|
| Information barriers | Limits improper sharing of inside or confidential information. |
| Watchlists | Enables heightened monitoring where the firm holds sensitive information. |
| Restricted lists | Blocks or restricts activity where risk is too high. |
| Trade surveillance | Detects suspicious orders, trades, timing, volume, and price impact. |
| Communications monitoring | Identifies leaks, rumours, collusion, or instructions inconsistent with policy. |
| Personal account dealing rules | Controls employee trading around confidential information and restricted securities. |
The two lists are often confused. A watchlist usually supports heightened monitoring while activity may continue under controls. A restricted list usually prohibits or limits activity because the risk is too high or the firm has sensitive information that cannot be safely managed through monitoring alone.
| Situation | More likely control |
|---|---|
| firm is advising an issuer on confidential transaction | watchlist for monitoring and possibly restricted list for affected activity |
| employee wants to trade a security connected to a mandate | restricted-list or pre-clearance block may be needed |
| firm has sensitive but not yet public information | information-barrier and watchlist controls |
| research publication could reveal or misuse inside information | restricted review or publication hold |
| suspicious order pattern appears after news leak | surveillance escalation and evidence preservation |
| security is widely discussed but no inside information is held | monitor for manipulation or rumour abuse rather than automatic restriction |
Exam answers should avoid treating lists as decoration. The list must connect to a workflow: who adds the security, who can see it, what activity is blocked or monitored, what evidence is preserved, and when the restriction is removed.
| Evidence source | What it helps test |
|---|---|
| order and trade records | timing, size, direction, price impact, cancellations, and execution pattern |
| communications | leaks, rumours, instructions, coordination, or intent |
| wall-crossing records | who received inside information and when |
| restricted-list history | whether controls should have blocked or monitored the activity |
| personal account dealing records | employee trades, approvals, and conflicts |
| client account links | whether related accounts traded together or around news |
| news and announcement timeline | whether trading preceded price-sensitive information becoming public |
| access logs | whether the trader or employee accessed confidential files |
| surveillance alerts | whether the system detected and escalated the pattern |
The evidence map matters because market-abuse investigations are timing-sensitive. A trade may look suspicious only when compared with announcement timing, communication records, and access to information.
When market-abuse concerns arise, the firm should normally preserve evidence, avoid tipping off the suspected person, escalate to compliance or surveillance specialists, assess regulatory-reporting obligations, and review whether the control failure is isolated or systemic.
| Scenario | Better response |
|---|---|
| suspicious trading before announcement | preserve trades, communications, access logs, and escalate |
| employee discloses deal information | investigate unlawful disclosure and review information-barrier controls |
| potential manipulation in client orders | review order pattern, communications, and client intent |
| personal account trade breaches pre-clearance | investigate employee conduct and list-control failure |
| restricted-list security was traded | stop further activity where appropriate and review override evidence |
| rumour appears linked to trading | preserve communications and trade chronology |
| surveillance alert closed with generic note | quality-review closure and remediate investigation standards |
Do not assume the correct answer is to confront the trader immediately. Premature contact can destroy evidence, create tipping-off-style risk in a broader investigation, or allow explanations to be coordinated. Preserve the audit trail first.
Market abuse can overlap with fraud, money laundering, or corruption, but it should not be swallowed by them.
| If the facts emphasize… | Think first about… |
|---|---|
| trading before a confidential announcement | insider dealing or unlawful disclosure |
| false statement to move market price | market manipulation and possible fraud |
| proceeds from abusive trading are moved through accounts | market abuse plus laundering of proceeds |
| employee receives bribe to leak information | bribery/corruption plus unlawful disclosure |
| client order is misused for personal trading | market abuse, conflict, and personal-account controls |
| false invoices fund trading account | fraud and laundering, not necessarily market abuse unless trading conduct is abusive |
The exam rewards precise classification. If the conduct damages market integrity through information misuse or misleading signals, market abuse is central even if another financial-crime issue also appears.
An employee working on a confidential takeover mandate tells a friend that the target company’s shares are likely to rise soon. The friend buys shares before the announcement. Which control response is most appropriate?
A. Treat the issue as ordinary customer suitability because the friend made the trade. B. Escalate potential insider dealing or unlawful disclosure, preserve communications and access records, and review watchlist/restricted-list controls. C. Ignore the issue because the employee did not trade personally. D. Treat the issue only as money laundering because a profit may result.
Answer: B. The facts point to misuse and disclosure of inside information. The firm should escalate, preserve evidence, and review information-barrier, list, surveillance, and employee-dealing controls.
For final review, separate market-abuse questions into information misuse and market-signal manipulation. Information misuse focuses on inside information, disclosure, trading, and encouragement. Manipulation focuses on misleading price, volume, supply, demand, or market activity.
Also practise linking each scenario to an evidence set. Insider dealing needs trade timing, access logs, wall-crossing records, and communications. Manipulation needs order-book activity, cancellations, trade sequence, market data, and communications. That habit makes the control response more precise.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.