Embedding the right control framework

August 2025

Regulatory transaction reporting is critical to the functioning of UK financial markets, to help support market integrity, and to combat financial crime and misconduct. In recent years, since the introduction/refinement of transaction reporting requirements under MIFID II and EMIR REFIT, the FCA has issued fines in excess of £100m and this area remains a key priority for the regulator.

FCA Market Watch 82 sets out practical guidance and expectations on remedial timelines, back reporting practices and breach notification quality, highlighting the importance of embedding the right control framework. Market Watch 82 is particularly relevant for regulated firms subject to MIFID, EMIR, and SFTR, and forms part of the FCA’s broader agenda to enhance market transparency.

Looking ahead, regulators are considering updates to the frameworks to reduce the regulatory burdens on firms and bring harmonisation across the different reporting regimes. ESMA has published a call for evidence on streamlining financial transaction reporting and the FCA’s follow up consultation to its discussion paper is expected later this year.

However, the accuracy of transaction reporting data will continue to be critical to meet regulatory expectations and allowing regulators to detect potential market abuse and threats to financial stability. Moreover, it benefits firms in protecting their brand reputation and helps them to avoid penalties and the costs associated with dedicating time and resources to remediation exercises.

Below, KPMG in the UK summarise the FCA’s observations and recommendations and consider what this might mean for firms.

The FCA continues to observe that some firms are slow to diagnose and resolve transaction reporting errors. Common reasons for delays include:

• Siloed ownership, fragmented workflows slow down decision making.
• Inadequate resourcing and competing business priorities result in slower response times.
• Focus on fixing the symptoms rather than the root cause leads to issues resurfacing.
• A reactive compliance culture results in firms addressing issues only when prompted.
• Weak governance and oversight lead to lack of urgency to remediate.

The FCA recommends that firms:

• Adhere to remediation deadlines set by internal governance bodies or the FCA or provide justifiable reasons when deadline extensions are required.
• Demonstrate measurable progress as part of regulatory check-ins, providing details on remediated volumes and trends.
• Assist with initial root cause analysis and impact assessment of identified errors are accurate with limited revisions and updates.

Where issues are identified, firms are expected to correct inaccurate and incomplete transaction reports and resubmit this data to the regulator. The FCA has shared illustrative case studies highlighting typical failings, such as:

• Crystallised compliance risk where firms have fixed current systems but failed to address historical data. This indicates ineffective compliance oversight.
• Weak internal governance with poor prioritisation across multiple issues.
• Data access failures due to flawed archiving post system migrations – raising concerns about data governance, record keeping controls and data retention as part of change management.
• BAU impact where remediation efforts have drained resources from day-to-day transaction reporting, leading to a deterioration in existing controls.

In order to mitigate similar occurrences, the FCA recommends firms:

• Embed more effective compliance oversight; second line of defence is involved in reviewing root cause analysis and impact assessment to address previous failings.
• Implement strong governance routines to understand the prioritisation for back reporting, e.g. back reporting of incomplete reports is always a priority.
• Adopt dedicated back reporting exercises do not compromise the quality of BAU reporting completeness and accuracy.

In Q1 2025, FCA received 241 breach notifications. As part of the Market Watch publication, they have identified several areas for improvement, including clarity in root cause analysis, specification of impacted transaction volumes, and articulation of back reporting plans.

The key findings noted that:

• Only 66% of notifications contained meaningful insights into system and control weaknesses
• 75% provided actionable remediation plans
• 76% of notifications provided a clear account of the root cause(s)
• 76% of notifications specified a date for back reporting commencement

Going forward, the FCA recommends that as part of breach notification practices, firms should clearly articulate:

• The issue; specifying the nature of the reporting issue with relevant firm context
• The root cause; consider how root causes relate to people, process, systems and controls
• Impacted transactions, and the relevant period during which they were impacted
• Plans for back reporting; clarity on the back reporting timeline or planning activity
• Governance; details of the governance committee forum/s or individual/s to which the issue has been escalated

Senior management, compliance officers, and operational leads should treat transaction reporting as a core regulatory priority. Timely and robust remediation of issues — with clear, complete breach reporting — is essential to maintain regulatory confidence and minimise the risk of enforcement scrutiny.

Firms subject to UK regulatory transaction reporting obligations, including MIFID, EMIR, and SFTR, should:​

• Review internal governance structures to address ownership and accountability for transaction reporting issue identification, escalation and breach management​
• Strengthen remediation frameworks:
  • Applying clear risk-based prioritisation
  • Allocating sufficient resources between BAU and ad-hoc remediation programs
  • Focusing efforts on resolving control deficiencies and not symptoms​
• Improve breach notification protocols, allowing for timely, detailed, and accurate disclosures to the FCA with clarity on root cause, impacted volumes, and remediation timelines