Flowrex Market Abuse Prevention Policy

Introduction

This Market Abuse Prevention Policy (“Policy”) outlines our firm’s measures to uphold market integrity and prevent market abuse in crypto-asset trading. It is designed to comply with the EU Markets in Crypto-Assets Regulation (MiCA) Title VI on market abuse, which prohibits insider trading, unlawful disclosure of inside information, and market manipulation in crypto markets. The Policy aligns with MiCA’s consumer protection and market integrity objectives, prohibiting behaviors likely to undermine user confidence in crypto-asset markets. It also incorporates controls consistent with ISO 27001 (information security management) and DORA (Digital Operational Resilience Act) requirements. All officers, employees, and platform participants must adhere to this Policy.

Scope and Definitions

Scope: This Policy applies to all trading activity on the platform and all persons (employees, clients, contractors) involved in that activity. It covers any crypto-asset admitted to trading on our platform or for which a request for admission to trading has been made, in line with MiCA’s broad scope (applying to “any person” engaging in relevant acts). Both actual and attempted forms of market abuse are prohibited – no person shall engage or attempt to engage in insider dealing or market manipulation. The key forms of market abuse addressed in this Policy are:

  • Insider Trading (Insider Dealing and Unlawful Disclosure): Trading or attempting to trade on the basis of material non-public information (inside information) about a crypto-asset, or tipping such information to others, is strictly forbidden. Insider dealing occurs when someone with undisclosed inside information uses it to buy or sell (or recommends another to buy/sell) that asset for their benefit. Similarly, unlawful disclosure is revealing inside information to any other person outside of authorized channels (except as part of one’s normal duties), which is prohibited under MiCA. Inside information includes any non-public knowledge that could significantly impact a crypto-asset’s price if made public (e.g. upcoming listings, partnerships, or regulatory approvals). All employees and relevant persons are prohibited from using or sharing such information for trading advantage.
  • Market Manipulation: Any intentional act or scheme that misleads the market by distorting supply, demand, or pricing of a crypto-asset is deemed market manipulation. This includes disseminating false or misleading information or engaging in transactions that create an artificial price level. Common forms of market manipulation addressed by this Policy include:
    • Pump-and-Dump – a scheme where perpetrators inflate the price of an asset through false or exaggerated buying interest or hype, then sell at the high price before the price collapses. This leaves other investors with losses once the price “dump” occurs.
    • Spoofing/Layering – a tactic involving placement of fake orders with no intention of execution (often large orders on one side of the order book) to create a false impression of demand or supply, thus moving the price, and then cancelling those orders before they execute. This manipulative layering of orders misleads other traders about true market interest.
    • Wash Trading – artificially inflating trading volumes by the same entity trading with itself (or colluding accounts trading assets back-and-forth) with no change in beneficial ownership. Wash trades create a misleading perception of liquidity or market activity and are strictly prohibited on our platform.
    • Disseminating False Information – spreading rumors, false news, or misinformation about a crypto-asset (for example, about its adoption, security, or regulatory status) to induce others to trade based on incorrect data. Publishing or sharing information that gives false or misleading signals about an asset is considered manipulation under MiCA.
    Note: Attempts to engage in any of the above manipulative behaviors are equally prohibited. MiCA explicitly forbids even trying to engage in insider dealing or market manipulation. This Policy therefore covers attempted market abuse as well as actual misconduct.

Surveillance Procedures

We maintain robust surveillance systems and procedures to monitor all trading activity on the platform in real time and retrospectively. Our approach combines automated analytics with human oversight to detect and investigate potential market abuse. In alignment with MiCA requirements, the firm ensures effective and ongoing monitoring of all orders and transactions on the platform for the purpose of preventing and detecting suspicious activity. Key surveillance tools and processes include:

  • Order and Trade Monitoring System: All orders received, modified, and executed on the trading platform are automatically tracked and analyzed. Our trading infrastructure (powered by Talos technology) captures a complete audit trail of order book events and executions. We utilize software capable of deferred automated reading, replaying, and analyzing order book data to identify patterns indicative of manipulation. For example, we can replay market events to examine sequences of order placements/cancellations (useful for detecting spoofing) and unusual price movements. The system has sufficient capacity to surveil an algorithmic trading environment with high order volumes.
  • Automated Alerts: The surveillance system is configured with pattern-recognition alerts for red flags. These include indicators for insider trading (e.g. a user consistently trading advantageously right before price-sensitive announcements), unusual concentration of trades (possible wash trading), abrupt bursts of orders and cancellations (spoofing), abnormal price or volume deviations, and other anomalies. When thresholds or pattern triggers are met, the system generates real-time alerts for Compliance review. The alerts cover both orders and executed trades, as well as other aspects of trading activity that could suggest market abuse (e.g. unusual delays or errors in settlement). The alert rules are regularly refined based on evolving manipulation tactics and regulatory guidance.
  • Blockchain Analytics (Chainalysis): We leverage on-chain blockchain monitoring to complement our off-chain trade surveillance. Through Chainalysis (a leading blockchain intelligence tool), we monitor crypto-asset movements and address activity that might signal market manipulation. For instance, large token transfers to our platform wallets (deposits) followed by aggressive trading could indicate a potential pump-and-dump attempt. Chainalysis provides insight into the provenance of funds (flagging addresses linked to known market manipulation rings or illicit activity) and tracks patterns across the blockchain. Analyzing on-chain data provides a valuable starting point for deeper investigations when combined with our platform’s off-chain trading data. These analytics help identify suspicious behavior that might not be obvious from trading data alone (such as coordinated activity between multiple accounts funded by the same source). All blockchain deposits/withdrawals related to trading activity are screened for risk, and any anomalies (e.g. rapid cycling of funds between accounts, or exploitation of blockchain mechanics like MEV) are reviewed. We also monitor for blockchain consensus events (like unusual block reordering or Maximal Extractable Value (MEV) exploitation) that could facilitate front-running; such events, while outside our platform, may signal market abuse risks that we need to consider.
  • Identity Verification and Wallet Screening (Sumsub): Our onboarding and Know-Your-Customer (KYC) process (powered by Sumsub) ensures that every institutional participant is verified and risk-screened. This aids market abuse prevention by tying trading activity to verified identities, making it harder for bad actors to hide behind fake accounts. Sumsub’s crypto transaction monitoring, integrated with Chainalysis data, also allows us to screen wallet addresses and crypto transactions for suspicious attributes. If a participant’s wallet or funds history is flagged (e.g. associated with known fraud or past manipulation), our compliance team reviews and may impose enhanced monitoring on that account. Sumsub’s integration helps “keep fraudsters and money launderers at bay” through automated blockchain analytics and risk scoring, which indirectly supports market integrity by removing potential manipulators from the platform.
  • Liquidity Provider Reconciliation: As a B2B platform, we may source liquidity or execute trades through external liquidity providers (LPs), such as exchanges, OTC desks, or market makers. We conduct daily reconciliation of our trading records with confirmations from these LPs to ensure there are no discrepancies. This means every executed trade or order matched via an external venue is cross-checked against that venue’s records. Any mismatch or missing trade is investigated immediately. This reconciliation control helps catch issues like potential phantom orders or trades that might be deliberately omitted or altered in our system (which could indicate internal fraud or system manipulation). It also ensures the accuracy of our trading data used for surveillance.
  • AWS CloudTrail & Control Tower Logs: All critical events on our platform’s infrastructure are logged via AWS CloudTrail and monitored. This includes administrative access, configuration changes, privilege use, and system events. Compliance and Security teams review these logs for any unusual or unauthorized activities that could facilitate market abuse – for example, an engineer querying sensitive trade data or altering an order database without change management approval. We have automated alerts on CloudTrail logs for events such as changes to trading engine parameters, creation of new privileged user accounts, or modifications to data logs. These could indicate a malicious insider attempt to tamper with systems or cover up abuse. By monitoring internal system activity, we uphold strong “checks and balances” around the trading platform’s integrity. We have documented logging procedures and use standardized protocols and tools to ensure comprehensive logging, in line with DORA requirements. All log data is centrally collected and protected to prevent any intrusions or data misuse.
  • Manual Review and Compliance Oversight: Human oversight is an integral part of our surveillance. A designated Compliance surveillance team reviews all automated alerts and weekly surveillance reports. They analyze flagged activity in context – e.g. correlating multiple alerts, checking news or announcements around the time of suspicious trades, and reviewing communication records if insider trading is suspected. MiCA and ESMA guidance emphasize having an appropriate level of human analysis alongside automated systems. Our analysts use their market expertise to filter out false positives and escalate true suspicious cases for investigation. They also conduct periodic manual scrutiny of trading patterns (even beyond system alerts), such as random sampling of trades for any signs of layering or collusion that algorithms might miss. Compliance holds weekly meetings to discuss any anomalies and ensure proper follow-up. All surveillance findings and investigations are documented (see Record-Keeping section) and subject to management review.
  • Ongoing Tuning and External Monitoring: We continuously improve our surveillance capabilities. The alert thresholds and detection models are tuned based on historical data, new patterns identified, and feedback from investigations. We also stay updated with industry developments (e.g. new manipulation tactics reported by regulators or blockchain analytics reports) to update our monitoring. If needed, we can integrate additional surveillance solutions (for instance, specialized trade surveillance software or data feeds from market surveillance firms) to augment detection. We note that MiCA expects even aspects like distributed ledger consensus issues to be monitored for abuse indicators, and our holistic approach ensures we cover on-platform and relevant off-platform signals of potential abuse.
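
The automated CloudTrail alerts described in the AWS CloudTrail & Control Tower Logs item above can be written as a small rule set. This is an added example, not part of the Policy or the firm's own tooling; the event names are real CloudTrail `eventName` values, while the `/trading-engine/` parameter path, the `change-pipeline` role, and the sample records are assumptions constructed for illustration.

```python
import json

# Real CloudTrail eventName values, grouped by the alert classes the Policy names.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PRIVILEGE_GRANTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                    "PutUserPolicy", "AddUserToGroup"}
# Assumptions for this example: where engine parameters are stored and which
# role represents the approved change-management path.
ENGINE_PARAM_PREFIX = "/trading-engine/"
APPROVED_CHANGE_ROLE = "change-pipeline"


def classify(record):
    """Return an alert dict for one CloudTrail record, or None if no rule fires."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")

    rule = severity = None
    if source == "cloudtrail.amazonaws.com" and name in LOG_TAMPERING:
        rule, severity = "audit-log-modification", "high"
    elif source == "iam.amazonaws.com" and name in PRIVILEGE_GRANTS:
        rule, severity = "privileged-account-change", "medium"
        if str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
            severity = "high"
    elif (source == "ssm.amazonaws.com"
          and name in {"PutParameter", "DeleteParameter"}
          and str(params.get("name", "")).startswith(ENGINE_PARAM_PREFIX)):
        # Changes made through the approved pipeline role are expected.
        if f":assumed-role/{APPROVED_CHANGE_ROLE}/" not in actor:
            rule, severity = "engine-parameter-change", "high"
    if rule is None:
        return None
    return {
        "time": record.get("eventTime", ""),
        "rule": rule,
        "severity": severity,
        "actor": actor,
        "action": name,
        # A failed call carries errorCode; the attempt is still worth review.
        "attempt_only": "errorCode" in record,
    }


def scan(log_file_text):
    """Classify every record in a CloudTrail log file ({"Records": [...]})."""
    records = json.loads(log_file_text).get("Records", [])
    alerts = [a for a in map(classify, records) if a]
    return sorted(alerts, key=lambda a: a["time"])


def _rec(time, source, name, arn, params=None, error=None):
    """Build one constructed sample record with the fields the rules read."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample data (not real logs).
_ENG = "arn:aws:iam::111122223333:user/engineer-1"
_PIPE = "arn:aws:sts::111122223333:assumed-role/change-pipeline/deploy-42"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T09:00:01Z", "ssm.amazonaws.com", "PutParameter", _PIPE,
         {"name": "/trading-engine/price-collar-pct"}),
    _rec("2024-05-01T09:14:30Z", "ssm.amazonaws.com", "PutParameter", _ENG,
         {"name": "/trading-engine/self-trade-prevention"}),
    _rec("2024-05-01T09:15:02Z", "iam.amazonaws.com", "CreateUser", _ENG,
         {"userName": "svc-tmp"}),
    _rec("2024-05-01T09:15:10Z", "iam.amazonaws.com", "AttachUserPolicy", _ENG,
         {"userName": "svc-tmp",
          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-01T09:16:44Z", "cloudtrail.amazonaws.com", "StopLogging", _ENG,
         {"name": "org-trail"}, error="AccessDenied"),
    _rec("2024-05-01T09:20:00Z", "s3.amazonaws.com", "GetObject", _ENG,
         {"bucketName": "reports", "key": "daily.csv"}),
]})

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The denied `StopLogging` call is still reported, with `attempt_only` set, since a failed attempt to disable the audit trail is itself evidence worth preserving.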

All these surveillance procedures are overseen by the Compliance Officer (Market Surveillance Lead) who ensures that any detected issues are escalated and addressed. The combination of advanced technology (Talos platform analytics, Chainalysis blockchain intelligence) and compliance expertise allows us to meet MiCA’s standards for proactive market abuse detection and prevention.

Preventive Measures

We implement numerous preventive controls to minimize the risk of market abuse occurring in the first place. These measures address internal risks (e.g. employee misuse of information) and system safeguards to ensure a fair trading environment. Key preventive measures include:

  • Role-Based Access Control & Least Privilege: Access to systems and data is tightly controlled based on role, following the principle of least privilege. Each employee or service account is given the minimum access necessary for their function, and no more. For example, only authorized personnel in the compliance and risk teams can access surveillance alert systems or trade databases, and even then, with read-only rights unless modification is required. Administrative privileges on trading infrastructure are limited to a small, vetted team, and all privileged access is logged and monitored (with real-time alerts on CloudTrail as noted). By adhering to least privilege, we minimize the chance of internal abuse or unauthorized data access – this is consistent with ISO 27001 requirements and best practices to reduce security incidents. Regular access reviews are performed to revoke any excessive rights.
  • Employee Trading Restrictions: We maintain strict internal policies on personal trading to prevent conflicts of interest and insider dealing by staff. Employees (and contractors, consultants, or anyone with access to confidential information) are prohibited from trading on material non-public information gained through their role. For example, if an employee knows about a forthcoming token listing or a big partnership announcement, they cannot trade that token (on any platform) until the information is public. Our policy, similar to Coinbase’s approach, bars employees from trading on or tipping others about upcoming listings or other MNPI. We enforce “blackout periods” during sensitive events – e.g. employees cannot trade certain assets during a period around a listing on our platform. In many cases, employees are altogether restricted from trading on our own platform to avoid any perception of advantage; if they wish to invest personally in crypto, they must seek pre-approval and trade on external venues under disclosed conditions. All employee trades (if permitted) are subject to monitoring. Breaching these rules (insider trading by staff) results in severe consequences (see Enforcement Actions). We also prohibit employees from participating in manipulative schemes externally – any staff found to be, say, coordinating a pump-and-dump in their private time would be in violation of this Policy and face discipline. By limiting employee trading and enforcing confidentiality, we significantly reduce insider risk.
  • Information Barriers: The firm employs internal Chinese walls/information barriers between different teams to manage conflicts of interest. Sensitive information (such as a client’s large pending order or strategic business decisions that could affect markets) is shared only on a need-to-know basis. Departments like Business Development (which might know of upcoming listings or partnerships) are segregated from Trading Operations. Any non-public market-sensitive information is siloed, and teams with such knowledge are reminded of their insider responsibilities. This prevents inadvertent leaks or misuse of information that could lead to market abuse. For instance, if a new token listing is being evaluated, only the listing committee and relevant executives know; the trading desk is informed only when the information is public. These internal controls ensure fair access to information, a cornerstone of market integrity.
  • System and Trading Safeguards: Our trading platform’s design includes features to deter and prevent manipulative behavior:
    • Self-Trade Prevention: The system is configured to prevent the same participant (or two accounts with the same beneficial owner) from intentionally trading with themselves. If the matching engine detects an order would be matched against another order from the same user, it will reject or cancel the trade. This stops intentional wash trades from executing.
    • Order Throttling and Anti-Spoofing Logic: We implement rate limits on order submissions and cancellations. If an account places and cancels orders at an abnormally high rate (a pattern typical of spoofing), the system can automatically pause or slow their activity and flag it. Our algorithms also randomize processing delays slightly to make it harder to “game” the matching engine with hyper-fast order flips. These measures make spoofing/layering more difficult to carry out effectively.
    • Price Collars/Circuit Breakers: To protect against erratic price swings (which could be caused by manipulation or errors), we use price collars on orders (rejecting orders that are far off the prevailing market price beyond a set percentage), and circuit breakers that halt trading on an asset if its price moves too sharply in a short time. A sudden unexplained price spike might indicate a manipulation attempt; the circuit breaker gives Compliance time to review before trading resumes. This prevents manipulators from executing large distortions in a short window.
    • Audit Trails and Tamper-Evident Systems: All system actions (e.g. trade cancellations, order book restarts, price feed adjustments) produce audit logs. Important configuration files and databases are write-protected and version-controlled. Any attempt to alter data (for example, to erase evidence of a trade) would be logged and alerted. We test our systems to ensure there are no “backdoors” that could be exploited to hide abusive activity. These technical safeguards ensure that any anomalous system activity is visible to the surveillance mechanisms.
    In implementing these safeguards, we follow guidance to ensure our “systems and security protocols meet EU standards”. Our IT and security controls are benchmarked against ISO 27001 controls and relevant ESMA guidelines for trading platforms. We maintain effective administrative arrangements to manage conflicts and protect the platform’s integrity.
  • Conflict of Interest Management: We have policies to handle other potential conflicts that could lead to market abuse. For example, if we ever operate a proprietary trading desk or invest firm capital, it will be structurally separated from client trading, and strict rules will prevent it from having unfair informational advantages. Employees must disclose if they have relationships or outside interests (e.g. holdings, investments) that conflict with their duties. Any such conflicts are managed or the individual is recused from related decisions. This ensures decisions are made in the best interest of market integrity and clients, not personal gain.
  • Secure Communication and Data Handling: As part of ISO 27001 alignment, we secure all communications and data. This includes using encrypted channels for sensitive discussions, preventing the use of unauthorized devices or messaging apps for work-related communication (to avoid leakage of inside info), and monitoring for any data exfiltration. By safeguarding information, we reduce chances that insiders could leak information to external conspirators for manipulation. We also enforce a clean-desk policy and ensure that sensitive documents (physical or digital) are stored securely.
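
The Order Throttling and Anti-Spoofing Logic item above, together with the "abrupt bursts of orders and cancellations" alert listed under Surveillance Procedures, can be sketched as a per-account sliding-window check. This is an added example, not the platform's or Talos's implementation; every threshold, the account names, and the event stream are assumptions constructed for illustration, and the randomized processing delay the Policy mentions is not modelled.

```python
from collections import Counter, defaultdict, deque

# All thresholds are assumptions chosen for this example.
WINDOW_MS = 10_000        # sliding window length
MAX_REQUESTS = 20         # new + cancel requests allowed per window
MIN_CANCELS = 10          # cancel ratio is ignored below this many cancels
MAX_CANCEL_RATIO = 0.9    # cancels per new order that counts as a burst
PAUSE_MS = 60_000         # how long new orders are refused after a flag


class OrderThrottle:
    def __init__(self):
        self._events = defaultdict(deque)   # account -> deque of (ts_ms, kind)
        self._paused_until = {}             # account -> ts_ms
        self.flags = []                     # alerts handed to Compliance

    def submit(self, account, kind, ts_ms):
        """Record a 'new', 'cancel' or 'fill' event; False means rejected."""
        if kind not in ("new", "cancel", "fill"):
            raise ValueError(f"unknown event kind: {kind}")
        paused = ts_ms < self._paused_until.get(account, 0)
        # Only new orders are refused while paused: cancels always go through
        # so a paused account can still pull its resting orders.
        if paused and kind == "new":
            return False

        window = self._events[account]
        window.append((ts_ms, kind))
        while window and window[0][0] <= ts_ms - WINDOW_MS:
            window.popleft()
        counts = Counter(k for _, k in window)

        reason = None
        if counts["new"] + counts["cancel"] > MAX_REQUESTS:
            reason = "rate-limit"
        # Many cancels, close to one per order placed, and nothing traded.
        if (counts["cancel"] >= MIN_CANCELS
                and counts["cancel"] >= MAX_CANCEL_RATIO * counts["new"]
                and counts["fill"] == 0):
            reason = "cancel-burst"
        if reason and not paused:
            self._paused_until[account] = ts_ms + PAUSE_MS
            self.flags.append({"account": account, "reason": reason,
                               "ts_ms": ts_ms, "window": dict(counts)})
        return True


def sample_events():
    """Constructed event stream: (account, kind, timestamp in ms)."""
    events = []
    for i in range(12):
        t = i * 500
        # acct-A places an order and pulls it 200 ms later, every time.
        events += [("acct-A", "new", t), ("acct-A", "cancel", t + 200)]
        # acct-B quotes at the same pace but half of its orders trade.
        outcome = "fill" if i % 2 else "cancel"
        events += [("acct-B", "new", t), ("acct-B", outcome, t + 300)]
    # acct-C fires 25 orders in under a second without cancelling.
    events += [("acct-C", "new", 100 + i * 40) for i in range(25)]
    return sorted(events, key=lambda e: e[2])


def replay(events):
    """Run events through a fresh throttle; return (flags, rejected orders)."""
    throttle = OrderThrottle()
    rejected = [(acct, ts) for acct, kind, ts in events
                if not throttle.submit(acct, kind, ts)]
    return throttle.flags, rejected


if __name__ == "__main__":
    flags, rejected = replay(sample_events())
    for flag in flags:
        print(flag)
    print("rejected new orders:", rejected)
```

A high cancel count alone does not trip the burst rule: acct-B cancels half of its orders but also trades, so it is never flagged, which is the kind of false positive the manual review step would otherwise have to filter out.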

These preventive measures work in concert to create a secure and fair trading environment. By limiting opportunities for abuse, we lower the burden on after-the-fact detection. Our approach is proactive: ensure people, processes, and technology are all governed in a way that inherently discourages and blocks market abuse. This is an essential part of MiCA’s market integrity framework, complementing our surveillance and enforcement efforts.

Enforcement Actions

Despite strong preventive measures, if suspected market abuse is identified (through surveillance or other means), the firm will respond decisively in line with MiCA guidelines and our zero-tolerance policy. Our enforcement actions aim to immediately stop the abusive behavior, investigate the incident, and take remedial steps including reporting to authorities. The following enforcement protocols apply:

  • Immediate Account Freeze: Upon identifying reasonable suspicion of insider trading or market manipulation by a client, we will swiftly freeze or restrict the relevant account(s) to prevent further trading activity. Open orders may be canceled and the account’s ability to trade or withdraw assets is suspended pending investigation. This containment action is critical to stop ongoing abuse and protect other market participants while we examine the issue.
  • Internal Investigation: The Compliance department will launch an internal investigation for any credible suspicion of market abuse. A dedicated investigation team (compliance officers, risk managers, and legal as needed) will gather and analyze evidence, including trading logs, communication records, blockchain traces, and access logs. The team will seek to determine the scope and intent of the potential abuse, identifying all involved accounts or employees. During the investigation, the team ensures confidentiality and works quickly to establish facts. We may also interview relevant personnel or request explanations from the suspect account holder (e.g., asking an institutional client to provide rationale for suspicious trades). All investigation steps and findings are documented in an investigation report.
  • Employee Disciplinary Action: If an employee or insider is suspected of participating in market abuse (for example, an employee trading on inside information or aiding a scheme), that individual will be immediately suspended from duties while the investigation proceeds. We treat violations of this Policy by staff with the utmost seriousness. If the investigation confirms that an employee violated insider trading or market manipulation rules, the person will be subject to termination for misconduct and possibly legal action. As publicly stated by industry leaders, firms will not hesitate to fire employees who misuse confidential information or breach trading policies. Our firm upholds this stance: any insider found leaking information or front-running client trades will be terminated and could face civil or criminal proceedings. Additionally, we may enforce penalties such as clawing back bonuses or benefits tied to the period of misconduct. These strong repercussions serve as a deterrent and reinforce our culture of compliance.
  • Client Sanctions: If a client (institution) is found to have engaged in market abuse on our platform, we will take appropriate action which may include account closure or placing the client on a restricted list. For minor first-time violations that may have been inadvertent, a warning may be issued along with required corrective measures (e.g., improved controls on their side). However, serious or willful misconduct will result in termination of the business relationship. Any profits derived from the abusive trading may be frozen and subject to forfeiture where possible. We reserve contractual rights to reverse or cancel trades that were clearly manipulative or not bona fide. Clients are made aware of these potential actions via our terms of service and this Policy.
  • Escalation and Regulatory Reporting: Upon confirming a likely market abuse incident, Compliance will escalate the issue to senior management and our legal counsel. The Board of Directors (or an appropriate board committee) is notified of significant cases. We will report the incident to our National Competent Authority (NCA) as required under MiCA (see next section on reporting). Early engagement with regulators is crucial – if we suspect that criminal market abuse has occurred, we will inform the regulator and cooperate fully. We also consider whether law enforcement needs to be notified (for instance, in cases of fraud or if the abuse involved hacking or theft). Our aim is to be transparent with authorities and to follow their guidance on evidence preservation and next steps.
  • Regulatory Cooperation: The firm will cooperate fully with regulatory inquiries or investigations into market abuse. This includes promptly providing trading data, audit logs, communications, and any other requested information to the authorities. We understand that under MiCA, regulators (NCAs) have broad powers to investigate and sanction market abuse, including ordering us to provide records at any time. We facilitate such requests and may assign dedicated resources to work with regulators. We also comply with any interim measures regulators may impose (e.g., halting trading of a particular asset if ordered). Our Policy acknowledges that regulators can impose severe sanctions on both individuals and firms for market abuse – for example, MiCA allows fines up to €5,000,000 for individuals and €15,000,000 (or 15% of annual turnover) for firms, as well as withdrawal of authorization or bans on managers. Knowing this, we act swiftly and cooperatively to mitigate issues. In the event regulators investigate our platform itself for any failure in controls, we will be transparent and corrective, addressing any weaknesses identified.
  • Remediation: After an incident, the firm conducts a post-mortem review to identify how the abuse occurred and what control improvements are needed. We will remediate any gaps – for example, if a new manipulation technique was used that evaded an alert, we will update our surveillance rules. If an employee was able to exploit a loophole, we will tighten that process or add additional oversight. These fixes are tracked to completion. We also consider if broader changes are required (e.g., additional training for staff or clients). The goal is to prevent recurrence. Senior management oversees the remediation and ensures the lessons learned are integrated into our ongoing risk management.

All enforcement actions and their rationales are documented. The outcome (account freeze lifted, account closed, employee disciplined, etc.) is recorded and communicated to relevant parties internally. We maintain an internal log of incidents for audit and compliance review. Our approach is aligned with MiCA’s expectations that CASPs act decisively against market abuse to uphold market integrity. By imposing strong internal sanctions and working with regulators, we contribute to the overall deterrence of abusive practices in the crypto market.

Market Abuse Reporting (STORs)

Under MiCA, the firm has a legal obligation to report suspicious orders and transactions related to market abuse to the regulator. These Suspicious Transaction and Order Reports (STORs) are a critical part of the market abuse regime, similar to requirements in traditional finance. Our Policy establishes clear procedures for identifying and reporting such suspicions in a timely manner:

  • Identification of Suspicious Activity: As described in Surveillance Procedures, our monitoring systems and compliance reviews will flag potential instances of insider dealing or market manipulation. If, after preliminary analysis, Compliance concludes that there is a “reasonable suspicion” that a specific order, trade, or behavior might constitute market abuse, we initiate the STOR filing process. We consider a suspicion “reasonable” when there are objective indicators of possible abuse and we cannot readily explain them by benign factors. Even if we are not 100% certain, if it appears likely that market abuse has occurred, is occurring, or is about to occur, we treat it as reportable. According to MiCA Article 92, we must report any such suspicions regarding orders, transactions, or even other DLT-related activities (like unusual consensus events) that could signal market abuse.
  • Preparation of STOR: The Compliance team is responsible for drafting the STOR. We use the prescribed template provided by ESMA/NCA for MiCA STOR submissions, ensuring all required sections are completed. The report will include detailed information such as:
    • Identification of the person/entity submitting the report (our firm) and the persons involved in the suspicious activity (names of clients or employees, account IDs, etc., if known).
    • Description of the financial instrument (crypto-asset) involved, including the trading platform and trading date/time.
    • Details of the orders and transactions that are suspicious – e.g. order IDs, quantities, prices, timestamps, order types, and how they interacted. We compile data on the sequence of events (for instance, a series of trades that pumped the price) and include specifics like prices and volumes of the affected orders/trades.
    • Reason for suspicion: a narrative explaining what happened and why we suspect it’s abusive. This might reference the behavior patterns (such as “Client A’s orders accounted for 80% of the buy volume in a short period, followed by a 30% price spike, then a rapid sale — indicative of a pump-and-dump”). We tie the facts to typical abuse scenarios or known risk indicators.
    • Supporting evidence: We attach or refer to supporting materials, which could include communication records (if insider tipping is suspected and we have any related emails/chats), relevant news or announcements (to show the context of trading vs public information timeline), blockchain analysis (for instance, showing two supposedly unrelated accounts were funded by the same wallet), and any other data strengthening the case. If any internal investigation has been done preliminarily, we summarize the findings.
    • Any actions already taken by the firm: We note if we froze accounts or confronted the client, etc., and any responses received.
    We ensure the report is factual and as comprehensive as possible, to enable the regulator to understand the case and take action. Quality of reporting is important – thorough STORs assist regulators and fulfill our obligations properly.
  • Timelines: We will submit the STOR “without delay” once a reasonable suspicion is formed. This means as soon as Compliance has enough information to believe an incident is suspicious (and has completed internal checks to confirm it’s not an obvious false alarm), we file the report. We do not wait for absolute proof or the conclusion of an internal investigation to report; MiCA expects prompt reporting similar to MAR’s approach of reporting as soon as the suspicion is confirmed. In practice, our goal is to file within a few days of detection (and sooner if the suspicious activity is ongoing). The draft STOR is reviewed and approved by the Chief Compliance Officer (and legal counsel if needed) expeditiously. We recognize that a delayed STOR could allow further manipulation to occur or evidence to dissipate, hence speed is of the essence.
  • Submission: The STOR is submitted electronically to our National Competent Authority (e.g., via the secure regulatory portal or email designated by the regulator). We use the secure channels mandated to ensure confidentiality. We reference the relevant MiCA provisions in the report and use the standardized format. If multiple regulators need notification (for example, if the activity spans jurisdictions), we will coordinate to inform each as required. Under MiCA, we typically report to the NCA where our firm is registered or operates.
  • Record of Reports: We maintain an internal register of all STORs submitted. Each entry includes the date of submission, a brief description of the content, and reference details (like the case number or acknowledgment from the regulator). We also keep copies of the submitted reports and any correspondence with the authority about the STOR. These records are kept for at least five years in accordance with regulatory requirements. Notably, we also document cases that were investigated but judged not to warrant a STOR, including the rationale (for example, if initial suspicion was later explained by legitimate factors). Both filed and unfiled suspicions are retained, as MAR/MiCA guidance indicates firms should keep such records for five years in case the regulator inquires or new information arises.
  • Follow-up and Regulator Interaction: After filing, we stand ready to assist the regulator. If the NCA requests additional information or clarification regarding the STOR, we prioritize those requests. We may receive feedback or further questions which we address promptly. Additionally, if after submitting the STOR we uncover more details (e.g., new evidence, or we discover the suspicious behavior is more widespread), we will update the regulator with supplemental reports or communications. We treat STOR submission as the beginning of a collaborative process with the regulator to investigate and stop the abuse. Internally, the case remains open until the regulator provides guidance or closes it. We ensure not to tip off the suspected individuals about the report to avoid alerting potential wrongdoers (maintaining confidentiality is crucial).
  • Staff Training on Escalation: All relevant staff are trained to immediately escalate any suspected market abuse to Compliance (even before they are sure). We prefer early escalation so that Compliance can assess and, if needed, start drafting a STOR. There is no downside to reporting in good faith – even if a suspicion later turns out benign, it is better to have reported than to miss a genuine case. This approach is communicated in training sessions.

By adhering to these reporting procedures, we fulfill MiCA’s requirement for proactive notification to authorities of market abuse. Timely STOR filings are not only a legal obligation but an ethical one, contributing to overall market integrity. We view regulators as partners in combating abuse and ensure our reporting is accurate, prompt, and complete.

Record-Keeping and Audit

Accurate record-keeping and the ability to audit our compliance measures are fundamental to this Policy. We maintain comprehensive records of trading activity, surveillance, and compliance actions, in a secure and organized manner, to both facilitate oversight and meet regulatory and standards requirements (MiCA, ISO 27001, DORA). Key practices include:

  • Trade and Order Records: We retain detailed records of all transactions and orders on our platform, as required by MiCA. This includes order book data (every order submission, modification, cancellation), trade executions (price, volume, timestamp, counterparties), and related metadata. These records are stored in immutable logs and databases with proper backups. As MiCA mandates, such trading records are kept for at least five years. In practice, we retain them for longer if necessary to support any investigations or as directed by regulators. All data is time-stamped and indexed for easy retrieval. We also store historical market data (price feeds, etc.) relevant to our trading platform to reconstruct market conditions around any event.
  • Surveillance and Alert Logs: Every surveillance alert triggered by our systems, along with its review outcome, is logged in a case management system. We document the alert details, analysis performed by compliance, and decision (e.g., false positive, escalated to investigation, etc.). If an investigation is opened, all evidence collected and analysis performed is recorded in an investigation file. These logs create an audit trail showing that we have monitored and addressed potential issues. They also help in improving the surveillance process (by reviewing false positives, for instance). All surveillance-related data (alerts, investigations, communications) are similarly retained for at least five years, aligning with market abuse regulatory expectations.
  • Communications and Disclosure Records: In the context of market abuse controls, we maintain records of any insider lists or confidentiality acknowledgments if we handle inside information (note: MiCA does not require formal insider lists for crypto like MAR does, but we still internally track who knows about major pending announcements). We log when and how material information was disclosed publicly. If we delay disclosure of inside information for any reason (in contexts where we might be an issuer or have such an obligation), we document the justification and follow-up, in line with regulatory guidance. Additionally, any communications with external parties related to trading (such as with liquidity providers, or inquiries from regulators) are archived.
  • Regulatory Reports and Correspondence: All STORs and any other reports to regulators (as described in the prior section) are securely stored. We also keep copies of regulatory correspondence, inquiry letters, and our responses. Should the regulator ever request an audit or inspection, we have readily accessible records to demonstrate our compliance. Regulatory authorities have the power to request trading and communication records at any time, and we ensure that our record-keeping facilitates prompt retrieval to satisfy such requests. We also log any significant interactions with law enforcement if, for example, we file a criminal report or receive a subpoena related to market abuse.
  • Protection and Security of Records: We treat surveillance and compliance records with high sensitivity. They are stored in secure environments with access controls (only Compliance, Legal, senior management, and auditors have access as needed). In line with ISO 27001 controls and Annex requirements, we protect these records from loss, tampering, or unauthorized access. Digital records are encrypted at rest and in transit. We maintain tamper-evident logs – any modification to a record (where permitted) is tracked. Backups of critical logs (trade data, alerts, etc.) are performed regularly and stored off-site to ensure durability. ISO 27001:2022 emphasizes protecting organizational records from unauthorized access or destruction, and we implement those practices to guard the integrity of our logs. We also implement monitoring of privileged access to records: any time an admin or developer accesses sensitive log repositories, it’s logged and reviewed. This prevents internal misuse of records (like someone trying to alter an entry).
  • Logging Procedures (DORA Alignment): As part of our overall ICT risk management, we have formalized logging procedures consistent with DORA. We have developed and documented procedures for what events must be logged (covering trading, security, and system events) and how those logs are handled. This includes specifying retention periods, which in the case of market abuse-related logs is at least five years or more as needed. We consider business and security needs in setting these retention periods, per DORA’s guidance. Our logging infrastructure is designed to serve as a safeguard against intrusions and data misuse, which complements market abuse prevention by ensuring we can detect if someone tried to cover their tracks. We periodically review our logging policy to incorporate any new requirements (for example, if ESMA issues guidance under MiCA to log additional data points, we will integrate that).
  • Periodic Audits and Reviews: We conduct regular audits of our market abuse controls and record-keeping. Internal audit (or an independent external auditor when required) will review whether:
    • Surveillance alerts are being appropriately logged and handled in accordance with the policy.
    • All required records (trades, communications, reports) are being retained for the correct duration and are easily retrievable.
    • Access to sensitive records is properly restricted and monitored.
    • Past incidents were documented and resolved fully.
    • Our systems are capturing all necessary data (for example, verifying that no trading activity bypasses logging).
    Any findings or exceptions are reported to senior management and remedied. These audits not only ensure compliance with MiCA and ISO standards but also help us demonstrate to regulators our proactive stance. Moreover, as part of DORA’s ICT risk management framework, we produce reports on the review of our ICT controls (which include logging and security) – these reports feed into improving our record-keeping resilience.
  • Retention and Disposal: We have a data retention schedule that meets the five-year minimum and often extends longer for critical data. Once records exceed their required retention period and are no longer needed, we dispose of them securely (ensuring no sensitive data is leaked). However, if any records are subject to ongoing investigations or legal hold (e.g., instructed by a regulator to keep them beyond five years), we will retain them as long as necessary.

In summary, our record-keeping system is designed to meet or exceed MiCA’s requirements for transparency and auditability. By keeping precise and secure records for at least five years (and providing regulators access to them on request), we not only comply with the law but also use these records to continually reduce risk and improve our surveillance accuracy. Robust record-keeping underpins every other aspect of this Policy – without logs and evidence, we cannot effectively detect, prove, or prevent market abuse. Therefore, we invest in technologies and processes to ensure data integrity and availability, aligning with ISO 27001 and DORA standards for operational resilience and record protection.

Training and Awareness

Creating a culture of compliance and ensuring that all relevant personnel understand their responsibilities is critical in preventing market abuse. We have implemented a comprehensive training and awareness program focused on market abuse prevention:

  • Regular Training for Staff: All employees and contractors involved in our crypto-asset business (from trading and operations staff to IT and customer support) receive effective and comprehensive training on market abuse laws, this Policy, and their role in prevention. Training is provided at onboarding and on a continuous basis (at least annually, with more frequent refreshers for high-risk roles). MiCA and ESMA expect ongoing training for staff of trading platforms, and we organize sessions appropriate to the scale and activities of each team. The training covers:
    • Definitions and Types of Market Abuse: We educate staff on what constitutes insider trading and market manipulation, providing real-world examples (case studies of historical abuses in crypto or traditional markets) so they can recognize patterns. This includes explaining terms like spoofing, layering, wash trading, etc., as defined in this Policy.
    • Legal and Regulatory Requirements: The training reinforces that market abuse is illegal and details the regulatory framework (MiCA Title VI, ESMA guidelines, as well as any applicable national laws). Employees learn about the firm’s obligation to monitor and report suspicious activity, and the personal and organizational penalties that can arise from violations.
    • Internal Policies and Procedures: We review the specifics of this Policy, including what employees can and cannot do (e.g., trading restrictions, information handling rules), how our surveillance works, and what to do if they spot something. We ensure they know the process for escalating suspicions internally. For example, traders are trained to be alert for unusual market moves and to alert Compliance if they suspect manipulation. IT staff are trained on maintaining log integrity and watching for system misuse.
    • Role-Specific Guidance: Training is tailored to the audience. Front-office and trading personnel get emphasis on not sharing client information, not exploiting upcoming news, and being vigilant to anomalies during trading. Compliance and Risk teams receive more in-depth training on detection tools, investigation techniques, and regulatory reporting standards (including how to draft quality STORs). Developers and engineers are trained on security practices that prevent data leaks (to avoid insider info breaches) and on how to implement systems that track data for compliance. Senior executives and the Board are briefed on their accountability for setting the “tone at the top” and overseeing the effectiveness of the program.
    • Incident Response: Employees learn what steps to take if they suspect market abuse. This includes immediately notifying the Compliance Officer or using our internal incident reporting channels. We simulate scenarios (e.g., receiving a tip from a friend about a coming announcement) to walk employees through the correct response (which would be not trading and informing Compliance). We make it clear that reporting misconduct internally is encouraged and protected (anti-retaliation policies for whistleblowing are in place).
  • Training Frequency and Format: We conduct formal training sessions at hire and annually. In addition, we provide bi-annual refreshers or bulletins highlighting any updates (especially as MiCA and ESMA guidance evolve). Training is delivered through a combination of e-learning modules, live workshops, and scenario-based drills. For example, an interactive module might test the employee’s ability to identify whether a given trading scenario is suspicious or not. We track completion of mandatory training and require a passing score on knowledge checks. If regulations or our policies change (say, new ESMA technical standards), we issue interim training or memos so that staff stay current.
  • Awareness and Culture: Beyond formal training, we foster an everyday culture of compliance and awareness:
    • Tone from the Top: Management consistently communicates the importance of market integrity. This can be through periodic company-wide messages, including references to this Policy in team meetings, and leading by example. For instance, executives will openly adhere to the trading blackout rules themselves to set an example.
    • Reminders and Updates: We send out periodic reminders of key rules (e.g., before a major token listing event, reminding everyone of the trading embargo on that asset). Posters or intranet bulletins highlight dos and don’ts (like “Do not share confidential information – Remember our Market Abuse Policy”). We might include short newsletters with summaries of enforcement actions in the industry to reinforce lessons (e.g., “Regulator X fined a firm for failing to report suspicious trading – this is why our STOR process matters”).
    • Whistleblower Mechanisms: Employees are informed of the channels to report any wrongdoing or ethical concerns (anonymously, if desired). We have a whistleblower hotline/email for reporting market abuse concerns outside the normal chain of command. This is crucial in case an employee spots something like a senior person violating the rules – they need a safe way to report it. We reassure staff that raising concerns is a protected activity and that we investigate all reports thoroughly.
    • Cross-Functional Training: We also conduct joint training sessions between departments (e.g., Compliance presenting to the Engineering team, or Legal presenting to Sales) to break down silos and ensure everyone understands how their work can impact market integrity. This holistic understanding helps, for example, a developer realize why a logging feature request from Compliance is critical, or helps a salesperson identify if a client’s trading behavior is off.
  • Testing Knowledge and Preparedness: We periodically test the effectiveness of training. This may involve quizzes, simulated phishing or rumor scenarios to see if employees properly handle them, or surprise audits (like checking if employees adhere to the clean desk policy regarding sensitive info). Results indicate whether additional coaching is needed. For compliance-critical roles (like those reviewing surveillance alerts), we ensure they have advanced training and perhaps certifications or external courses on market abuse detection.
  • Documentation: All training activities are documented – we keep attendance records, training materials, dates, and results of any testing. This not only helps us track compliance but would serve as evidence to regulators that we have an ongoing training program as MiCA expects. It also allows us to identify if any individuals missed training and need a makeup session.

Overall, the aim is that every employee is well-versed in recognizing and avoiding market abuse and feels responsible for upholding market integrity. A strong awareness across the company creates multiple lines of defense – not only is Compliance watching, but everyone is effectively a sensor for potential issues. This reduces the likelihood of internal or external abuse going unnoticed. The training and culture piece of our Program is aligned with MiCA’s emphasis on prevention and detection – knowledgeable staff are essential for both. By organizing regular and comprehensive training for all involved staff on these topics, we ensure that our human element is as robust as our technical controls in safeguarding market integrity.

Effectiveness Reviews and Ongoing Compliance

Financial markets and abuse tactics evolve, and so must our controls. We have established a process for bi-annual effectiveness reviews of our market abuse prevention program to ensure it remains robust, relevant, and fully compliant with MiCA and other requirements. These reviews are part of our commitment to continuous improvement and operational resilience. Key aspects of the effectiveness reviews:

  • Frequency and Governance: Twice a year (bi-annually), a formal review is conducted that covers all components of this Policy – surveillance efficacy, preventive controls, enforcement actions, reporting, record-keeping, and training. The review is led by the Compliance department, with participation from Risk Management, Internal Audit, and IT Security. We schedule these reviews every six months, and additionally if there’s a major regulatory change or a significant market abuse incident that warrants an out-of-cycle review. Results are reported to senior management and the Board’s Risk/Compliance Committee for oversight.
  • Surveillance System Testing: We perform tests of our surveillance mechanisms to validate that they can detect and respond to contemporary forms of market abuse. This might involve:
    • Simulation tests: We feed historical data from known market abuse cases (or synthetic data scenarios) through our monitoring system to see if alerts trigger as expected. For example, we could simulate a wash trading pattern or an insider trade before a hypothetical announcement and verify our systems raise flags. If any scenario is missed or generates excessive false positives, we adjust the detection algorithms accordingly.
    • Calibration review: We analyze the alerts generated in the past period – were there many false alerts? Did any real suspicious behavior go unnoticed until later? Metrics like the ratio of alerts to investigations, and investigations to actual STOR filings, are considered. If, say, we had zero alerts for spoofing but the market generally has seen spoofing issues, we question whether our thresholds are too lax.
    • Capacity and performance: We ensure that as trading volumes grow, our systems still log and process data without gaps. We might perform stress tests to see that under high load (burst of orders) the surveillance still captures everything. This aligns with MiCA’s expectation that systems handle algorithmic trading environments.
  • Policy and Control Audit: The review checks that all the preventive and detective controls laid out in the Policy are functioning and effective. For example, we verify:
    • Employee adherence to trading restrictions (by sampling employee trades or verifying that restricted asset lists were enforced).
    • Access control reviews have been done and no unauthorized access was given.
    • The incident response procedures were followed in any alerts/investigations that occurred.
    • Our STOR reporting procedures met the expected timelines and quality (maybe by doing an internal “quality assurance” on a submitted STOR or a mock drill).
    • Record-keeping – confirm logs are intact, accessible, and properly protected (perhaps internal audit retrieves some records to test).
    We also incorporate any external audit findings or regulatory feedback from the prior period. If, for instance, a regulator exam noted a deficiency, we specifically verify that it’s been corrected.
  • Regulatory Updates and Best Practices: As part of the review, we survey any new regulatory guidance, ESMA guidelines, or industry best practices that have emerged in the past 6 months. MiCA is a new framework, so ESMA may periodically issue Q&As or updates on expectations. We ensure our Policy and systems adapt to any such changes. We also review relevant market abuse cases in the industry – learning from others’ mistakes or new schemes uncovered. This proactive approach ensures our program stays one step ahead. For example, if a new form of DeFi market manipulation is identified in the wider market, we consider if it could affect us or if we should monitor for it.
  • Effectiveness Metrics: We define and track certain KPIs/KRIs for the market abuse program. These might include: number of surveillance alerts per volume of trading, average time to review an alert, number of STORs filed, training completion rates, etc. During the review, we evaluate these metrics against benchmarks or prior periods. If we see trends (e.g., a drop in alerts could mean either less manipulation or that our detection is failing; a spike in alerts could mean market conditions changed or too many false positives), we analyze causes. The goal is to quantify our surveillance effectiveness and identify areas to improve. We also ensure that we have adequate resources – if trading volume doubled but compliance staff stayed the same, is the review workload still manageable? This process ties into DORA’s emphasis on evaluating ICT and operational risk management on a regular basis for adequacy.
  • Reporting and Remediation: After analysis, the team documents the findings of the effectiveness review in a report. This report includes any identified weaknesses or gaps, and a set of action items to enhance our controls. For example, the review might recommend additional training on a specific topic if it finds some employees had misunderstandings, or it might suggest purchasing a new surveillance tool for a certain type of analysis. Each recommendation is assigned an owner and target date. Senior management reviews and approves an improvement plan. Because we do this bi-annually, issues are addressed promptly rather than accumulating. Significant enhancements (like policy updates or system upgrades) are prioritized according to risk impact.
  • Continuous Improvement: This regular cycle embeds a culture of continuous compliance improvement. We treat the Policy as a living document – if the reviews indicate that certain provisions need updating (due to new regulations or discovered inefficiencies), we update the Policy and communicate the changes to all staff. For instance, if MiCA’s implementation technical standards (RTS) require a specific new procedure or form, we would incorporate that immediately and train staff accordingly. Continuous improvement also involves technology upgrades: we stay informed of new compliance tech (e.g., AI-based trade surveillance) and assess if it can further strengthen our program.
  • Audit and Board Oversight: The results of each effectiveness review are shared with our Internal Audit function and the Board-level committee responsible for compliance. Internal Audit may do an independent assessment of the program annually, the results of which feed into our bi-annual reviews as well. The Board’s oversight ensures accountability – they will question management on any open issues or resource needs. This top-down involvement reinforces the importance of market abuse prevention within our governance structure.

By conducting these bi-annual reviews and tests, we ensure that our Market Abuse Prevention Policy is not just a document but a dynamic set of practices that remain effective against emerging risks. This fulfills the aim of MiCA’s provisions that require ongoing vigilance and adaptation by crypto-asset service providers. It also aligns with broader operational resilience expectations (such as DORA’s requirements to regularly review risk management frameworks). Ultimately, the continuous feedback loop from these reviews helps us maintain strong, up-to-date defenses against market abuse, thereby protecting our clients, the integrity of our platform, and the crypto market at large.