Guide the design and implementation of post-trade compliance monitoring and trade surveillance systems. Covers trade surveillance pattern detection, best execution review, allocation fairness analysis, exception-based monitoring workflows, insider trading detection, market manipulation surveillance, and regulatory reporting triggers. Enables building systems that detect compliance violations after execution and satisfy ongoing surveillance obligations.

11 — Trading Operations (Order Lifecycle & Execution)

retrospective

Trade surveillance is the systematic, ongoing monitoring of executed transactions to detect potential violations of securities laws, firm policies, and regulatory rules. A surveillance program operates across multiple time horizons:

Surveillance scope varies by firm type and business activity. A full-service broker-dealer conducting equities, fixed income, and derivatives trading must maintain surveillance across all asset classes. An RIA managing model portfolios may focus surveillance on allocation fairness, best execution, and personal trading. The surveillance program must cover both customer/client accounts and proprietary/firm accounts.

Alert generation is the process of applying quantitative thresholds, pattern matching rules, or scoring models to transaction data to produce alerts requiring human review. Effective alert generation requires clean, normalized data from multiple sources: order management systems, execution management systems, account master data, market data, and — for insider trading detection — corporate event calendars and restricted lists.

Investigation workflow follows a standard lifecycle:

Each stage must be documented in a case management system with timestamps, analyst notes, evidence, and supervisory sign-off.

Disposition and escalation decisions are among the most consequential in a compliance program. A disposition of "no finding" must be supported by documented analysis — regulators will review closed alerts during examinations. Escalation criteria should be defined in written procedures: escalate when the pattern is consistent with a securities law violation, when the activity involves a senior person or high-risk account, when the dollar amount exceeds a defined threshold, or when a pattern recurs after a prior warning.

Regulatory filing triggers — Post-trade surveillance may identify activity that requires a SAR filing (for broker-dealers and, effective January 1, 2026, covered investment advisers), an STR (Suspicious Transaction Report, the international equivalent under FATF standards), or a self-report to FINRA or the SEC. The decision to file a SAR based on surveillance findings must be made by the AML Compliance Officer in coordination with the surveillance team. The SAR tipping-off prohibition (31 U.S.C. Section 5318(g)(2)) applies — the subject of the surveillance alert must not be informed of a SAR filing.

Surveillance systems must be designed to detect specific prohibited trading patterns. Each pattern has distinct data requirements, detection logic, and evidentiary standards:

Churning / excessive trading — Quantitative metrics include turnover ratio (aggregate purchases divided by average equity, with ratios above 6 presumptively excessive), cost-to-equity ratio (annualized costs as a percentage of average equity, with ratios above 20% generally excessive), and in-and-out trading frequency. Detection requires account-level transaction history, commission and fee data, and the customer's stated investment objectives. Churning surveillance is typically run on a rolling 3-12 month window.

Front-running — Trading in a firm or personal account ahead of a pending customer order that is expected to move the market. Detection requires correlating proprietary/personal trading activity with the timestamps of customer order receipt and execution. Key data elements: order receipt time (from CAT or order management system), execution time, account ownership, and the direction and size of the customer order. Front-running alerts are time-sensitive and should be generated on T+0 or T+1.

Cherry-picking (favorable allocations) — A pattern where an adviser or trader allocates profitable trades to favored accounts and unprofitable trades to disfavored accounts. Detection involves comparing the performance of allocations across accounts within a block trade or across trades over time. Statistical methods include comparing average returns by account against the expected distribution under fair allocation. Cherry-picking is a form of fraud that violates fiduciary duty and Section 10(b) of the Exchange Act.

Insider trading — Trading by persons with access to material non-public information (MNPI) ahead of corporate events such as earnings announcements, M&A transactions, FDA approvals, or regulatory actions. Detection requires correlating trading activity with an events calendar and identifying trades that are unusual in timing, size, or profitability relative to the trader's historical pattern. Insider trading surveillance often relies on restricted list and watch list monitoring, where securities of companies about which the firm possesses MNPI are placed on restricted or watch lists and trading activity is monitored or prohibited.

Layering / spoofing — Placing non-bona fide orders on one side of the order book to create a false impression of supply or demand, then executing on the opposite side and canceling the layered orders. Detection requires order-level data (not just executions) including order submissions, modifications, and cancellations with timestamps. Key indicators: high order-to-execution ratios, rapid cancellation patterns, and consistent profitability on the execution side when layered orders are present.

Wash trading — Simultaneously or near-simultaneously buying and selling the same security with no change in beneficial ownership, creating the appearance of market activity. Detection involves identifying offsetting transactions in the same security, same account (or related accounts), within a narrow time window. Wash trading can also occur across accounts controlled by the same beneficial owner.

Marking the close — Placing orders near the end of the trading session to influence the closing price. Detection requires analyzing order timestamps relative to market close, particularly for securities where the closing price affects portfolio valuations, options settlements, or performance calculations. Key indicator: late-session orders in securities where the firm or its clients have a valuation interest.

Coordinated trading — Multiple accounts trading the same securities in the same direction within a narrow time window, suggesting coordination or common direction. Detection involves clustering analysis across accounts by security, direction, and time, particularly when the accounts share a common adviser, trader, or beneficial owner.

Late trading — Submitting mutual fund orders after the 4:00 p.m. ET NAV pricing cutoff but receiving the current day's NAV. Detection requires comparing order entry timestamps with the 4:00 p.m. cutoff, with attention to time zone differences, system clock accuracy, and any manual order entry processes that could allow backdating.

Best execution is the obligation to seek the most favorable terms reasonably available for client transactions. Post-trade best execution review measures execution quality after the fact and identifies systematic deficiencies.

Benchmark comparison — Each execution is compared against one or more benchmarks to measure quality. Common benchmarks include:

Outlier detection — Identify executions that deviate significantly from the benchmark. Common approaches: flag executions more than a defined number of standard deviations from the mean benchmark deviation, or flag executions where the deviation exceeds a basis-point threshold (e.g., more than 50 basis points worse than VWAP). Outlier thresholds must be calibrated by asset class, order size, and market conditions — a 50 bps deviation may be normal for a small-cap equity but alarming for a large-cap liquid name.

Venue analysis — Compare execution quality across venues (exchanges, ATSs, market makers, OTC dealers) to determine whether the firm's order routing is systematically achieving best execution. Metrics include effective spread, fill rate, speed of execution, and price improvement. Venue analysis should account for order flow characteristics — routing difficult orders to one venue and easy orders to another will skew venue-level statistics.

Systematic review program — Regulation NMS, FINRA rules, and the SEC's interpretive guidance require broker-dealers to conduct regular and rigorous reviews of execution quality. Most firms conduct quarterly reviews with formal committee reporting and an annual comprehensive review. The review should cover:

Best execution committee — Many firms establish a formal best execution committee composed of representatives from trading, compliance, technology, and senior management. The committee meets quarterly to review execution quality data, evaluate routing arrangements, approve changes to routing logic, and document its findings. Committee minutes serve as key evidence of the firm's best execution compliance during regulatory examinations.

When a single order is executed on behalf of multiple accounts (a block trade), the resulting executions must be allocated fairly. Allocation fairness monitoring detects systematic patterns of favoritism.

Pro-rata allocation verification — The standard method for block trade allocation is pro rata, where each participating account receives shares in proportion to its intended participation. Post-trade monitoring verifies that actual allocations match the pro-rata methodology by comparing each account's allocation percentage to its intended participation percentage. Deviations must be documented and justified (e.g., rounding, minimum lot sizes, odd-lot avoidance).

Dispersion analysis — Measures the distribution of execution prices across accounts within a block trade. In a fair allocation, all accounts should receive approximately the same average execution price. Dispersion analysis flags block trades where certain accounts received systematically better prices than others. The analysis should account for legitimate reasons for dispersion, such as different allocation methods (average price vs. sequential fill) and account-level constraints.

Systematic favoritism detection — Extends cherry-picking analysis across time to detect patterns where specific accounts consistently receive more favorable allocations. Statistical approaches include:

IPO allocation rules — FINRA Rules 5130 and 5131 restrict the allocation of new issues (IPOs, secondary offerings) to certain persons, including broker-dealer personnel, portfolio managers, and their immediate family members. Post-trade surveillance must verify that IPO allocations do not flow to restricted persons. Rule 5131 also prohibits quid pro quo allocations (conditioning allocations on the receipt of excessive compensation) and spinning (allocating hot IPOs to executives of investment banking clients).

Trade rotation monitoring — For firms that use a rotation system (where the first account to receive an allocation rotates across trades), post-trade monitoring verifies that the rotation is being followed. Deviations from the rotation schedule should be flagged and investigated.

Partial fill allocation — When a block order is only partially filled, the partial fill must be allocated fairly. Post-trade monitoring verifies that partial fills are allocated pro rata (or according to the firm's stated methodology) rather than being concentrated in favored accounts. Partial fill allocation is a common area of cherry-picking because partial fills on profitable trades are particularly valuable.

Exception-based monitoring is the operational framework for managing the volume of alerts generated by surveillance systems.

Alert tuning — Surveillance systems generate alerts based on thresholds and rules. Alert tuning is the ongoing process of adjusting these parameters to optimize the trade-off between sensitivity (catching real violations) and specificity (minimizing false positives). A system that generates too many false positives overwhelms investigators and leads to alert fatigue, causing real violations to be missed. A system that is too conservative misses violations. Tuning involves analyzing historical alert data: review disposition outcomes (what percentage of alerts resulted in findings?), adjust thresholds based on statistical analysis, and implement machine learning or scoring models to prioritize alerts by risk.

Alert prioritization — Not all alerts are equally urgent or significant. Prioritization frameworks assign risk scores based on factors such as:

High-priority alerts should be routed to senior investigators with defined response-time SLAs.

Investigation workflow — The standard investigation lifecycle is:

Aging and SLA management — Alerts must be investigated within defined timeframes. SLAs should be tiered by priority:

An aging dashboard tracks open alerts against SLAs and flags overdue items. Persistent SLA breaches indicate insufficient staffing, poor alert tuning, or systemic workflow issues. Regulators expect that firms can demonstrate timely disposition of alerts — an examination finding of hundreds of unreviewed aged alerts is a serious supervisory deficiency.

Alert documentation — Every alert must be documented from generation through disposition. Documentation must include: the alert details (trigger, threshold, data), the investigator's analysis, evidence reviewed, disposition rationale, supervisory approval, and any follow-up actions. Documentation serves two purposes: it creates an examination-ready audit trail, and it provides data for alert tuning and program assessment.

Firms must monitor the personal securities trading of employees, officers, and access persons to prevent conflicts of interest and insider trading.

Employee trading monitoring — Firms must receive and review reports of personal securities transactions by access persons. Under SEC Rule 204A-1 (for investment advisers) and FINRA rules (for broker-dealers), access persons must report holdings and transactions. Surveillance systems compare employee trading against restricted lists, watch lists, and client trading activity to detect potential front-running or trading on MNPI.

Preclearance verification — Many firms require employees to obtain preclearance before executing personal trades. Post-trade surveillance verifies that all personal trades were precleared by comparing executed trades against preclearance records. Trades executed without preclearance — or trades that differ from the precleared terms (different security, larger size, different direction) — must be flagged and investigated.

Holding period compliance — Firm codes of ethics commonly impose minimum holding periods (e.g., 30 or 60 days) to discourage short-term speculative trading that could conflict with client interests. Post-trade surveillance monitors buy-sell intervals for personal accounts and flags violations.

Blackout period enforcement — During blackout periods (typically around earnings announcements, fund portfolio rebalancing, or when the firm possesses MNPI about a security), employees are prohibited from trading the affected securities. Surveillance systems must cross-reference personal trading against active blackout periods and restricted lists.

Reporting deadline monitoring — Access persons must file:

Surveillance systems track filing compliance and flag late or missing reports.

Post-trade surveillance activities may identify conditions that trigger specific regulatory reporting obligations.

SAR filing thresholds — Broker-dealers must file SARs for transactions of $5,000 or more that the firm knows, suspects, or has reason to suspect involve illegal activity, BSA evasion, or no apparent lawful purpose (31 CFR Section 1023.320). Post-trade surveillance findings — such as wash trading, layering, or unusual trading patterns with no economic rationale — may satisfy the suspicion element. The decision to file rests with the AML Compliance Officer, and the SAR tipping-off prohibition applies. Effective January 1, 2026, covered investment advisers are also subject to SAR filing requirements under the FinCEN final rule.

Large trader reporting (Form 13H) — Post-trade analysis may identify accounts or persons whose aggregate trading activity meets the large trader thresholds (2 million shares or $20 million in a single day, or 20 million shares or $200 million in a calendar month). Broker-dealers must monitor for customers who meet the threshold but have not self-identified with an LTID, and must maintain transaction records for all large trader accounts.

Blue sheet requests — Although blue sheet requests originate from the SEC, a firm's post-trade surveillance system must be capable of extracting and producing the required transaction data (customer identity, account, security, date, price, quantity, capacity) within the SEC's specified timeframe. Firms that discover potential issues during blue sheet preparation (e.g., trading by restricted persons, unreported large trader activity) should evaluate whether self-reporting is appropriate.

CAT reporting obligations — All reportable events in the order lifecycle — origination, routing, modification, cancellation, execution, and allocation — must be reported to CAT by 8:00 a.m. ET on T+1. Post-trade compliance processes must verify that CAT submissions are accurate and complete, and that errors are corrected within T+3.

TRACE reporting (fixed income) — OTC transactions in TRACE-eligible fixed income securities must be reported within 15 minutes of execution. Post-trade monitoring should verify that TRACE reports are timely and accurate, and flag late reports for remediation.

Short interest reporting — FINRA Rule 4560 requires semi-monthly reporting of short positions. Post-trade systems must accurately track and report short positions as of the designated settlement dates.

Effective post-trade compliance requires robust technology infrastructure.

Data requirements — Surveillance systems consume data from multiple sources:

Data completeness and timeliness are foundational — surveillance analytics are only as good as the input data.

Data normalization — Transaction data from multiple source systems must be normalized to a common schema:

Normalization failures are a leading cause of surveillance system false positives and missed detections.

Analytics and scoring models — Modern surveillance systems use a combination of rule-based alerts (threshold breaches, pattern matches) and statistical/machine learning models (anomaly detection, behavioral scoring). Rule-based alerts are transparent and auditable but rigid. Statistical models can detect novel patterns but require careful validation and explainability for regulatory purposes. A hybrid approach — using models to score and prioritize alerts generated by rules — is increasingly common. All models must be documented, validated, and subject to periodic review.

Case management — A case management system tracks each alert through its lifecycle: assignment, investigation, evidence attachment, disposition, supervisory review, and closure. The system must support workflow routing, SLA tracking, escalation, audit trails, and reporting. Case management data is the primary artifact reviewed during regulatory examinations of a firm's surveillance program.

Regulatory examination support — Surveillance systems must be able to produce examination-ready reports: alert volumes and disposition statistics, investigation timelines and outcomes, tuning history and rationale, coverage analysis (which patterns are monitored, which are not and why), and sample case files demonstrating the quality of investigations. Regulators — particularly the SEC's Division of Examinations and FINRA's Market Regulation department — evaluate not just whether a firm has a surveillance program, but whether it is effective, adequately staffed, and responsive to identified issues.

Scenario: A broker-dealer with 120 registered representatives, $8 billion in customer assets, and business lines spanning equities, fixed income, and listed options is building a formal trade surveillance program. The firm currently relies on ad hoc supervisory review and basic exception reports (concentration, large trades) but has no systematic surveillance for manipulative trading patterns. FINRA's most recent examination identified the absence of structured surveillance as a deficiency.

The surveillance program must cover the firm's entire business: equity trading (agency and principal), fixed income (corporate and municipal bonds), and listed options. Begin with a risk assessment mapping each business line to the applicable manipulative trading patterns:

Inventory all data sources: the order management system (order timestamps, account IDs, security IDs, order terms), the execution platform (fill prices, quantities, venues, counterparties), the account master (customer profiles, investment objectives, risk tolerance, account type), market data feeds (prices, volumes, index levels, benchmark rates), and the firm's restricted and watch lists.

Identify gaps: Does the OMS capture order receipt time with sufficient precision for front-running detection? Are account relationships (households, common beneficial owners) mapped for coordinated trading analysis? Are fixed income markup calculations available for post-trade review? Remediate data gaps before deploying surveillance analytics.

For each pattern identified in the risk assessment, design alert logic with quantitative thresholds:

Establish a tiered investigation workflow. Assign two full-time surveillance analysts and a senior compliance officer to oversee the program. Define SLAs: high-priority alerts (front-running, insider trading) investigated within 3 business days; medium-priority (churning, marking the close) within 10 business days; low-priority (minor allocation deviations) within 20 business days. Implement a case management system to track each alert from generation through disposition, capturing investigator notes, evidence, and supervisory sign-off.

Establish a quarterly surveillance review in which the compliance team presents alert volumes, disposition statistics, false positive rates, and findings to senior management. Use disposition data to tune thresholds — if 95% of churning alerts are false positives, consider tightening the threshold or adding qualifying criteria (e.g., also requiring that the account has a conservative investment objective). Document all tuning decisions and rationale. Annually, engage an independent party (internal audit or outside consultant) to assess the surveillance program's effectiveness, consistent with the expectation of FINRA Rule 3120 (supervisory control system testing).

Maintain examination-ready documentation including: the surveillance policy and procedures manual, the risk assessment, alert calibration methodology and tuning history, sample investigation case files demonstrating thorough analysis, disposition statistics showing timely review, and evidence of senior management oversight. During examinations, FINRA and the SEC will request a walkthrough of the surveillance program, review a sample of closed alerts, and assess whether the firm's surveillance is commensurate with its business risk profile.

Scenario: A registered investment adviser manages $2.5 billion across 800 client accounts using a model portfolio approach. The firm executes block trades and allocates fills across accounts using a pro-rata method. A recent compliance review identified that allocation records are maintained in spreadsheets with minimal oversight, and no systematic monitoring exists to verify fairness. The CCO wants to implement a post-trade allocation fairness monitoring system.

Before monitoring can be effective, the firm must have a clear, written allocation policy. The policy should specify:

Build a data pipeline that captures:

The pre-trade allocation schedule is critical — without it, the firm cannot verify whether post-trade allocations match the intended pro-rata distribution.

For each block trade, compute the expected allocation for each account (target percentage multiplied by total shares filled) and compare to the actual allocation. Flag deviations exceeding a defined tolerance (e.g., more than 1% relative deviation or more than 100 shares absolute deviation, whichever is smaller). For partial fills, verify that the partial allocation preserves the pro-rata distribution.

Investigate flagged deviations: legitimate reasons include rounding, odd-lot avoidance, account-level restrictions (e.g., an account that cannot hold a particular security due to client guidelines), and minimum lot requirements.

For each block trade allocated across multiple accounts, compute the dispersion of average execution prices across accounts. In a perfectly fair allocation, all accounts receive the same average price (the block's average execution price). Compute the standard deviation of account-level average prices and flag block trades where any account's average price deviates by more than a defined threshold from the block average (e.g., more than 5 basis points).

High dispersion may indicate sequential allocation rather than average-price allocation, timing manipulation, or cherry-picking.

On a monthly and quarterly basis, run a longitudinal analysis across all block trades. For each account, compute the average allocation quality (measured as the difference between the account's average execution price and the block benchmark, aggregated across all block trades in the period). Rank accounts by allocation quality and test for patterns:

Produce a monthly allocation fairness report for the CCO summarizing: total block trades, number of flagged deviations, root causes of deviations, and results of the systematic favoritism analysis. The CCO should review and sign off on the report.

On a quarterly basis, present allocation fairness findings to the firm's investment or compliance committee. Annually, the allocation fairness monitoring program should be reviewed for effectiveness, and the statistical thresholds should be recalibrated based on the prior year's data. Maintain all reports, investigation files, and committee minutes as examination-ready documentation.

Scenario: A broker-dealer that routes approximately 50,000 equity orders per month needs to formalize its best execution review process. The firm routes orders to three external market makers (two of which provide payment for order flow) and directly to two exchanges. FINRA has flagged the absence of a formal best execution committee and documented review process as an examination finding. The firm must design a framework for quarterly best execution committee reporting.

Select benchmarks appropriate to the firm's order flow:

For each execution, compute: the benchmark deviation (execution price minus benchmark), the effective spread (2 times the absolute difference between the execution price and the midpoint at time of execution), and price improvement (the improvement over the NBBO at time of order receipt, measured in cents per share). Aggregate these metrics by order type (market, limit, stop), order size (small/medium/large), security type (large-cap, mid-cap, small-cap), and venue.

For each routing destination (the three market makers and two exchanges), compute: average effective spread, average price improvement, fill rate (percentage of orders that receive a complete fill), speed of execution (time from order submission to fill), and average benchmark deviation. Compare venues against each other and against the consolidated market benchmark.

Identify any venue that is systematically underperforming — e.g., a market maker whose effective spread is consistently wider than the other venues, or a venue with a notably lower fill rate for large orders. For the two market makers providing payment for order flow (PFOF), specifically assess whether the PFOF arrangement is associated with inferior execution quality, since the SEC and FINRA scrutinize PFOF arrangements for conflicts of interest.

Flag individual executions where the benchmark deviation exceeds a threshold: for example, executions where the VWAP deviation exceeds 25 basis points (for large-cap) or 75 basis points (for small-cap). Review a sample of outlier executions to determine root cause:

Document the root cause analysis for each reviewed outlier.

Structure the quarterly report as follows:

The best execution committee should include the head of trading, the CCO or a senior compliance officer, a representative from technology (responsible for order routing systems), and a member of senior management. The committee meets quarterly to review the report, discuss findings, and approve or reject recommendations.

All committee discussions and decisions must be documented in formal minutes. The minutes should record: attendees, data reviewed, findings discussed, decisions made (e.g., to terminate a venue, adjust routing parameters, or investigate a specific pattern further), and any dissenting views. Committee minutes are a primary examination artifact — FINRA and SEC examiners routinely request them to assess the rigor and independence of the firm's best execution review.

In addition to quarterly reviews, conduct an annual comprehensive best execution review that includes:

The annual review should result in a written report to senior management documenting the firm's best execution practices and any recommended changes.