Trade Surveillance
Trade surveillance is the automated monitoring systems broker-dealers use to detect manipulative trading patterns, insider trading indicators, and behavioral anomalies across proprietary, market-making, and customer order trading activity.
Definition
Trade surveillance — also referred to as market abuse surveillance (MAS) in institutional and vendor contexts — is the automated monitoring of a broker-dealer's trading activity, including proprietary trading, market-making activity, and customer order handling, to detect patterns consistent with market manipulation, insider trading, best execution failures, and other regulatory violations. It is not a separate regulatory requirement from FINRA Rule 3110; it is one of the core technology implementations that satisfies Rule 3110's obligation to maintain a supervisory system reasonably designed to achieve compliance. While communications surveillance focuses on what registered persons say, trade surveillance focuses on what they do in the market — and the two layers together form the complete supervisory picture FINRA examiners expect. Specialized third-party surveillance platforms serve the broker-dealer market for this function; internal implementations deployed through a firm's operations infrastructure operate on the same underlying rule obligations.
The practical scope of trade surveillance is defined by the firm's written supervisory procedures (WSPs). The WSP must specify which trading activities are supervised, what exception parameters define potentially violative behavior, which registered persons are subject to surveillance, and how the firm responds when an exception is generated. A firm that maintains trade surveillance technology but does not document the parameter logic in its WSPs — or whose WSP describes surveillance that the system does not actually implement — has a gap that FINRA examiners are trained to identify. The WSP-to-system alignment check is among the first steps in a Rule 3110 examination.
Three Surveillance Parameter Types
Trade surveillance systems operate across three categories of exception parameters, each designed to detect different classes of potentially violative behavior. Threshold-based parameters flag trading activity that exceeds defined size, velocity, or concentration limits — a trade exceeding a defined notional size, a position concentration above a defined percentage of a security's average daily volume, or a sequence of orders placed at a rate that exceeds the account's historical norm. These are the simplest parameters to configure and explain, but sophisticated manipulation strategies are often deliberately calibrated to stay below them.
Pattern-based parameters identify sequences of order and execution events associated with known manipulation tactics. Wash trade detection looks for offsetting buy-and-sell activity between accounts with common beneficial ownership that creates a false appearance of market activity without genuine transfer of risk, prohibited under FINRA Rule 6140 and SEC Rule 10b-5. Layering detection identifies orders placed at multiple price levels on one side of the market to create a misleading impression of supply or demand, canceled before execution. Spoofing is closely related to layering but is treated by regulators as a distinct violation: spoofing focuses on the trader's specific intent to cancel the order before execution, which makes enforcement more complex to establish but carries significant penalties. Marking-the-close detection flags execution patterns concentrated in the final minutes of the trading day, particularly in securities with month-end, quarter-end, or benchmark pricing relevance.
Trade surveillance — parameter types, detection scope, and rule authority
| Surveillance type | Detection method | Pattern detected | Prohibition / Supervision rule |
|---|---|---|---|
| Threshold-based | Size, velocity, or concentration limit breach | Large trades, concentration, order velocity | Supervision: FINRA Rule 3110; Pre-trade: Rule 15c3-5 |
| Pattern-based | Sequence matching: order/cancel/execute patterns | Wash trades, layering, spoofing, marking the close | Prohibition: Rule 10b-5; Rule 6140 · Supervision: Rule 3110 |
| Behavioral anomaly | Statistical deviation from peer or historical baseline | Insider trading indicators, front-running, drift | Prohibition: Rule 10b-5; Rule 2010 · Supervision: Rule 3110 |
| Cross-venue | Multi-platform order and execution correlation | Cross-venue layering, cross-market manipulation | Prohibition: Rule 10b-5 · Reporting: CAT NMS Plan |
| Pre-trade controls | Real-time order validation before market routing | Erroneous orders, regulatory violations pre-execution | SEC Rule 15c3-5 — Market Access Rule |
Behavioral anomaly detection compares a registered person's current activity against their own historical baseline and against a comparable peer cohort baseline. A representative whose activity deviates materially from either baseline generates an exception even if no fixed threshold was breached and no known manipulation sequence was matched. Behavioral analytics is increasingly important because it is harder to circumvent: activity deliberately calibrated to stay below threshold and pattern parameters cannot prevent the system from detecting the statistical deviation from normal behavior. In practice, the large majority of behavioral alerts — like alerts across all surveillance types — are false positives. This makes parameter calibration and false positive management a core compliance function, not just an operational efficiency matter. Firms should maintain tuning documentation — records of the parameter calibration history, the data reviewed to support each threshold decision, and the rationale for changes — that can be produced in a FINRA examination. Broker-dealers deploying AI or machine learning for behavioral detection should also maintain a model validation audit trail: the testing and validation methodology used before deployment, records of algorithmic bias testing, and documentation of how the model was challenged and validated. FINRA expects firms to be able to explain the inference path behind any given exception; a "the model flagged it" response without a description of the triggering data pattern does not satisfy the supervisory documentation requirement.
Market Manipulation Patterns Requiring Detection
Regulators have identified and prohibited several manipulation patterns that broker-dealer surveillance programs must be capable of detecting. Front-running — executing trades in a security ahead of known customer orders whose anticipated size will move the price — is one of the oldest and most consistently enforced violations. Cross-market manipulation exploits the relationship between related instruments: activity in an equity, for example, coordinated to move the price of a correlated derivative before the derivatives position is unwound. Cross-venue layering uses orders on one venue or liquidity pool to create a misleading price signal while the actual execution occurs on a different venue that is not visible to participants watching the first — a pattern that requires multi-venue data aggregation to detect. Surveillance systems that ingest data from only one venue cannot detect cross-venue manipulation, and a WSP that purports to supervise cross-venue activity without the corresponding data infrastructure has a gap.
Insider trading detection is a distinct surveillance function that focuses on information rather than order pattern. Surveillance systems monitor for unusual pre-announcement trading activity — purchases or short sales in a security in the days or weeks before a material corporate event — as well as correlated trading across accounts that may indicate a shared informational source. Behavioral analytics contributes here: a registered person whose trading activity in a specific security spikes in correlation with an upcoming corporate announcement they were positioned to learn about before it became public may generate both a threshold exception (the activity level) and a behavioral anomaly exception (the deviation from their normal trading). Communications surveillance is the typical complement — trading and communications data are cross-referenced to assess whether the informational source can be identified.
Digital Asset Trade Surveillance
Digital asset trading creates three surveillance challenges that traditional equities-oriented systems do not address without modification. The first is operational continuity: digital asset markets operate 24 hours a day, seven days a week, while surveillance systems and supervisory workflows are often structured around standard exchange hours. A wash trading pattern initiated on a Saturday must be detected and escalated before the next active trading session — defined escalation paths for off-hours exceptions are a WSP requirement for any firm with digital asset trading activity.
The second is data richness: where settlement occurs on-chain — which is not the case for all digital asset transactions, as many centralized exchange trades settle off-chain within the exchange's internal ledger — the execution record and the settlement event can be correlated at the block level with no settlement lag. This creates a surveillance advantage for on-chain transactions: a manipulation pattern that traditionally exploits the gap between trade date and settlement date becomes visible as a single correlated event when settlement is atomic. Surveillance systems can instantly verify whether a suspected wash trade involved a genuine transfer of economic risk or was reversed in the same block — reducing the false positives that arise during T+1 reconciliation when this confirmation is not yet available. Firms holding custodied digital assets should additionally monitor for unauthorized internal asset movements — USDC or tokenized assets transferred between firm wallets without a corresponding trade record — as potential misappropriation exceptions, a surveillance scope that does not exist in traditional securities custody.
The third is market structure: digital asset liquidity is fragmented across centralized exchanges, decentralized protocols, and OTC desks with no single consolidated order book for most assets. Cross-venue layering and spoofing patterns that are detectable in equity markets through CAT data require multi-venue feed ingestion in digital asset markets. Firms without multi-venue ingestion capability have a material gap between their WSP surveillance obligations and their actual detection coverage.
The Consolidated Audit Trail as Surveillance Infrastructure
The Consolidated Audit Trail (CAT) is the NMS plan that requires broker-dealers and national securities exchanges to report order lifecycle events — initial receipt, modification, routing, execution, and cancellation — to FINRA's CAT repository. CAT data is typically submitted through end-of-day processing, not in real time. A broker-dealer's internal trade surveillance operates on the firm's live OMS and EMS data — the same order and execution records that are later reported to CAT — generating supervisory documentation in near real time under Rule 3110 before CAT filing is complete. Reporting to CAT satisfies a regulatory reporting obligation; running internal trade surveillance satisfies the Rule 3110 supervisory obligation. One does not substitute for the other. Trade surveillance systems configured to cross-check internal order records against CAT submission data surface reporting discrepancies as data integrity exceptions — reducing the risk of CAT filing deficiencies that would otherwise only surface in a regulatory review. A broker-dealer's failure to report to CAT correctly is a regulatory violation independent of any underlying trading conduct.
How it works
1. Trade and order data ingestion
The surveillance system ingests real-time or near-real-time order and execution data from the firm's order management system (OMS), execution management system (EMS), and exchange or venue feeds. For digital asset activity, ingestion includes on-chain settlement data from supported distributed ledgers, centralized exchange execution records, and DEX order data where available. The ingestion layer normalizes data across sources — different timestamp formats, instrument identifiers, and order type taxonomies — into a unified record that surveillance parameters can evaluate consistently across all trading activity.
2. Threshold-based screening
Each ingested record is evaluated against the firm's configured threshold parameters: notional size limits, position concentration limits, order velocity metrics, and other defined size or frequency boundaries. Records within defined thresholds are logged without generating an exception. Records that breach a threshold generate an exception work item routed to the designated supervisor's queue, tagged with the breached parameter, the triggering activity data, and the account and registered person context.
3. Pattern detection and sequence matching
The surveillance system evaluates order and execution sequences against the pattern library — layering configurations, spoofing sequences, wash trade activity, marking-the-close timing patterns. Pattern detection requires access to the full order lifecycle, not just executions: a layering pattern may consist of many limit orders placed and canceled within a brief window with only a small number of executions. Where multi-venue ingestion is configured, cross-venue pattern matching correlates order activity across venues to detect patterns that are only visible when data from multiple sources is combined in a single view.
4. Behavioral baseline analytics
For registered persons and accounts configured for behavioral monitoring, the system computes a deviation score by comparing current activity against the historical baseline and peer cohort baseline. Deviation scoring considers multiple dimensions — trade frequency, notional size, security type distribution, time-of-day patterns, options activity ratio — and generates an exception when the combined score exceeds the configured sensitivity threshold. Each exception record includes a description of which activity dimensions contributed to the score, giving the reviewing supervisor the context needed to make an informed, documented conclusion.
5. Exception generation, routing, and queue management
Exceptions from all three detection layers are consolidated into the supervisory review queue, tagged by exception type, severity, and the registered person and account involved. The queue management system routes exceptions to the designated supervisor for each registered person or trading desk, applying priority weighting that surfaces the highest-severity exceptions first. Queue aging is tracked and reported — an exception unreviewed past the timeframe defined in the WSP generates a secondary alert. FINRA examiners treat persistent queue aging as evidence that the supervision system is not reasonably designed regardless of how sophisticated the detection logic is. Surveillance parameters should be reviewed periodically and recalibrated as the firm's business, trading volume, or risk profile changes; tuning documentation — records of parameter changes and the data reviewed to support each decision — is a compliance artifact that should be maintained and producible for examination.
6. Supervisor review and documentation
The supervisor reviews each exception with access to the full context: the order and execution records, the parameter or pattern that triggered the exception, historical activity for comparison, prior exceptions for the same registered person, and any related communications surveillance flags. The supervisor documents the conclusion — no violation found with explanation, or further investigation warranted — and closes or routes the exception for deeper review. Every review action is timestamped and attributed to the reviewing supervisor in the audit trail.
7. Investigation and escalation
Exceptions where the supervisor determines that a deeper review is warranted are escalated to an investigation workflow — a more detailed review that may involve pulling communications data, interviewing the registered person, or engaging the compliance or legal team. The investigation may conclude with a case clearance (no violation found) or with escalation to compliance for regulatory action, which may include a disciplinary proceeding, a Form U4 amendment, a SAR filing, or a regulatory referral. The full investigation record — from initial exception through investigation actions to final disposition — is retained in the supervisory audit trail.
8. CAT reconciliation
Trade surveillance operates on the firm's live OMS and EMS data, which is later reported to CAT. Firms that run both can use the surveillance system as a continuous cross-check on CAT submission accuracy: discrepancies between internal order records and events reported to CAT — missing events, incorrect timestamps, wrong sequence numbers — surface as data integrity exceptions alongside trading exceptions. Resolving CAT discrepancies promptly reduces the risk of regulatory findings related to reporting obligations, which are assessed independently of any underlying trading conduct.
Trade surveillance — exception lifecycle
Devancore Glossary · devancore.com
Trade surveillance — exception lifecycle
Devancore Glossary · devancore.com
In Devancore™
Devancore — trade surveillance workflow
Devancore Glossary · devancore.com
Devancore — trade surveillance workflow
Devancore Glossary · devancore.com
Broker-dealers operating across traditional securities rails and digital asset venues face a surveillance architecture gap: most trade surveillance technology was built for exchange-reported equity data and cannot ingest on-chain settlement events, DEX order flows, or the 24/7 trading schedule of digital asset markets without significant modification. The same Rule 3110 supervision obligation applies to both rails. Devancore provides a unified trade monitoring layer that applies configurable exception parameters across traditional and digital settlement environments within a single supervisory workflow.
Cross-rail pattern detection
Devancore monitors trading activity for threshold, pattern, and behavioral anomaly exceptions across traditional securities transactions and digital asset activity — including USDC-settled trades and on-chain execution records — in a single exception queue. The same exception workflow, documentation standard, and audit trail applies across both rails; supervisors do not need a separate tool for digital asset surveillance.
Behavioral baseline analytics
Devancore tracks historical trading activity at the registered person and account level and computes deviation scores against the historical and peer baseline. Each exception record includes a description of which activity dimensions contributed to the deviation score — giving the reviewing supervisor the context needed for a documented, explainable conclusion. The exception parameter logic is maintained in the firm's WSP configuration and updated through a logged change process that produces the tuning documentation FINRA may request in an examination.
Synchronized audit trail for digital asset activity
For USDC-settled trades on supported distributed ledgers, Devancore correlates the execution record with the on-chain settlement event — a synchronized audit trail that eliminates the settlement lag where manipulation evidence is traditionally obscured. Supervisors can confirm the settlement finality of implicated trades in the same view as the order data. For firms with custodied digital assets, Devancore also monitors internal asset movements — flagging transfers between firm wallets without a corresponding trade record as potential misappropriation exceptions.
CAT reconciliation and Rule 3120 reporting
Devancore cross-checks internal order records against CAT submission data, surfacing CAT reporting discrepancies alongside trading exceptions in a single queue. Every surveillance exception reviewed — the triggering activity, the parameter or pattern logic, the supervisor's conclusion, and the timestamp — is retained in the tamper-evident audit log. In a FINRA Rule 3110 examination, this record documents that supervisory review occurred as the WSP describes. The same exception metrics — volume by category, closure rates, escalation rates, queue aging — are available for the Rule 3120 annual report.