“I love data audits,”…said no one—ever.

The process by which exchanges audit subscribers to ensure they are in compliance with the exchanges’ data licenses is at best intrusive and inconvenient, time- and resource-consuming, and, frankly, insulting to those who make best efforts to ensure they report and pay for data correctly. At worst, it can be a costly fishing exercise, involving back payments and penalties if auditors discover any transgression.

In short, audits have been a bone of contention between exchanges and their end-user clients for years. Exchanges rightly want to protect their intellectual property and their investment in data, and ensure that subscribers are accurately reporting and paying for what they use. For the most part, client firms want the same thing—at least, they don’t want to be at risk of fines—but complain about the workload associated with performing audits, and that some exchanges treat minor accidental infringements in a draconian manner.

But this could be set to change, if the industry follows the lead of Canadian exchange TMX Group, which has introduced a new approach to audits—likened to a twice annual visit to the dental hygienist, rather than a root canal—that is garnering positive responses from end-user firms.

This is amazing for us…and if we could do this with US exchanges, it would be awesome.

Richard Tardif, Desjardins Securities

Under the initiative—originally known as Zero Admin, and now called Datalinx Xpress—firms submit to an initial audit, and agree to fix any compliance problems that it uncovers without penalty, after which they never have to go through a full audit again, but instead meet with the exchange twice a year to agree and certify any changes.

“An audit is a multi-month process involving third parties. It can be a burden. The Datalinx Xpress program can be done in an afternoon,” says Sarah Ryerson, president of TMX Datalinx, the exchange’s data business. “As part of the onboarding, a client sends us an entitlement report, and we balance it against their Exhibit A, and they are either cleared, or if any problems are identified, they fix them. It turns what was an adversarial process into one that’s much more partnership-driven, client-driven, and collaborative.”

Audit Assault

Compare this description to how exchanges traditionally approached audits: They decide how many audits they can perform in a year—perhaps between five and 15 for a small exchange, or between 50 and 75 for a large exchange—and select target organizations. These might be selected randomly, or by region, or based on something that makes the exchange suspicious that a firm might be under-reporting its data usage. So, for example, if a firm has reported exactly the same number of accesses month after month, year-on-year, or if a firm does not have a derived data or non-display license that allows it to use the exchange’s data in non-display applications, an audit can be triggered by the exchange.

One reason audits are unpopular is because the same firm could find itself subject to audits by four or five exchanges in the same year, says an exchange audit expert. “And each of those is a lot of work, especially for exchanges with a large number of data products.”

Though in total, an audit may take three months or more, most of this is scheduling, back-and-forth communications, and number-crunching. The time spent on-site can be only a few days per client, which can be made more efficient by sending the client written usage questionnaires to complete beforehand—though this adds to the end-user’s workload. Once on-site, the auditor has the client run spot-check reports, tests the entitlements system that generates the reports, and tracks every person accessing each exchange data product, along with when each access started and ended. Then they provide their report to the exchange and client to agree on anything that needs to be fixed, and to negotiate any settlements. But even if no transgressions are discovered, the continuous audit process can still cost firms indirectly by tying up market data professionals and take them away from their day jobs.

Another reason audits can be contentious is the way auditors—often independent third-party contractors, since most exchanges don’t have sufficient resources in-house to handle all the audits required—are compensated. In some cases, exchanges pay a flat fee; in others, they pay a commission-like structure, based on the amount of recoverable revenue discovered—essentially incentivizing an auditor to find as many instances of under-reporting as possible, which end-users complain can include gray areas that can create contentious arguments with the exchange.

“From my perspective, I want an accurate report,” the audit expert says. “If I try to hose someone, they won’t let me back in next time. I try to get it right and treat the subscribers like clients. If I find legitimate mistakes, they might be mad at us, but ultimately, they’re not writing me a check; they’re paying back the exchange.”

Follow the Money

The reason exchanges are so diligent about tracking who uses their data, and how much of it, is that although most infringements are minor and accidental errors—such as giving a demanding trader access to a dataset but not permissioning them properly in the firm’s entitlements system, or putting data on a website that can be seen by thousands of external clients without a redistribution license—others can be much more serious and deliberate.

“If I find mistakes—and they are usually mistakes—it’s because unless they are only dealing with a couple of exchange data products, managing them can be very complicated,” says the audit expert. “If you’re a big shop, staying on top of around 8 exchanges and 100 specialist vendors is a lot to manage.”

However, he also describes some opposite scenarios—often originating from China—where a subsidiary in the same building as its holding company might literally drill a hole in the partitioning wall and run a cable to siphon market data from its parent without either reporting it to the source exchanges. In another scenario, a firm might pay for a handful of legitimate terminals, each displaying a different market, then set up a video camera in front of each and broadcast the content illegally to hundreds of positions on a trading floor.

If discovered, these kinds of instances can cause an exchange to cut off service, while even unintentional infringements can result in millions of dollars in fines, depending on the amount and longevity of under-reporting. For example, in 2005, Citigroup was fined £6.4 million by the London Stock Exchange for using LSE and FTSE data in algorithmic trading models that were unwittingly proliferated throughout the bank. Though an unwitting error, the usage was much broader than what Citi reported.

That aside, most firms now have systems and policies in place to minimize the risk of unlicensed data usage or under-reporting. But in some cases, in such complex environments, data usage slips through the cracks. Hence, any initiative that offers an element of forgiveness for minor infringements, or makes the audit process less adversarial, is bound to attract attention.

Clean Slate

One of the key incentives of Datalinx Xpress is that once a firm completes the initial audit, its data usage and management is tracked via a series of “true-ups”—conversations that assess what a firm is using, and what it needs, rather than repeated lengthy audits—and crucially, promises no more audits in the future. Another is that the starting point effectively wipes the slate clean and promises “no surprises” once firms pass the semi-annual checkup.

“Once we recognize that everything is in order, clients get a clearance letter saying that we cannot act retroactively,” Ryerson says.

One firm raving about TMX’s new approach is Desjardins Securities (Disnat), the discount brokerage business of Desjardins Group, one of Canada’s top 10 financial institutions. After recently undertaking a project to certify its professional and non-professional data usage with the exchange, Disnat was keen to prove its compliance credentials in other areas, and was one of the first firms approached by TMX to take part in the new initiative.

“As part of Datalinx Xpress, we had to do an audit—map everything we use, get documents, and provide usage reports of streaming and snapshot data users and external displays,” says Richard Tardif, expert advisor for markets technology at Disnat. “Part of that certification audit was proving that the invoice coming from the exchange match up with the data. Then, having done this exercise…every six months, we meet, make sure everything is accurate, and move on.”

Tardif adds that the initiative will bring TMX closer to its clients and improve exchange-client relations. “Datalinx Xpress allows us to have a very transparent business relationship with the exchange. Both parties fully understand what is being used, and the governance around it…and if we have questions, we pick up the phone,” he says. “This is amazing for us…and if we could do this with US exchanges, it would be awesome.”

Disnat isn’t the only firm saying this: A market data manager at a major investment bank, calls the move a “great step forward,” and says there may even be more room for improvement, praising not just the end results, but also the process itself.

“We sent TMX the audit files like normal, and they came back with a few queries within a week, then said we were all set. The message was ‘We’re not looking backwards; just fix it going forward,’” the data manager says. “I would encourage other exchanges to adopt similar or other innovative methods to help the industry move from a reliance on audits as a compliance tool to more forward and proactive ideas and methods to reduce and eliminate the time and resources consumed by audits, while at the same time protecting their interests for compliant use.”

Lightening the Load

Until now, audits have not only often been adversarial and “feel like a revenue-generator for exchanges,” the data manager says, but also contentious because exchanges and end-users often interpret policies differently. “I’ve seen these issues come down to a comma, and whether you read a policy as being able to do A and B with the data, or if you can only do A or B.” Instead, TMX worked hard to make the process less of a burden for the firm and to take the workload off the bank.

When we do an audit, it’s a pain—you have to put NDAs in place, you have to state what the auditor is and isn’t allowed to do, and provide information on all the applications consuming data. Now, once we’ve submitted the initial report so they can figure out where we stand, the only time we’ll need to update anything is when we add a new application.

Bank compliance executive

“We found this process to be very helpful in confirming the handshake that what we are using is in agreement with the exchange’s terms of use,” he says. “The TMX team was very helpful in pre-filling and updating the Exhibit templates based on our usage, which translated into reducing the time and overhead burden on our end.”

A data compliance executive at a US bank echoes this reduction in audit-related work as a key incentive.

“People who haven’t implemented it might be worried that because it’s more frequent, that means it’s more work…but it’s so much easier to have our reporting team just run a report twice a year. It’s probably 1% of the effort that goes into an audit,” the compliance executive says. “When we do an audit, it’s a pain—you have to put NDAs in place, you have to state what the auditor is and isn’t allowed to do, and provide information on all the applications consuming data. Now, once we’ve submitted the initial report so they can figure out where we stand, the only time we’ll need to update anything is when we add a new application.”

That said, the reduction in work only cuts down a fraction of the time spent on audits because other exchanges still audit in the traditional, time-consuming manner, the executive warns, adding that if other exchanges would adopt a similar approach, it would make life much easier overall.

Another benefit is that the more frequent “true-ups” reduce the risk of non-compliance spreading. “In the worst-case scenario, you can only be out of whack for a couple of months,” the compliance executive says, “so if you find out that someone is not doing something correctly, you’re not looking at fines dating back years. [As a result], when they first showed us the proposal, we said, ‘This is fantastic! When can we sign up?”

What makes TMX’s new approach all the more remarkable is the about-face from how the exchange has been vilified in the past for its aggressive audit tactics. While Ryerson—who joined TMX in 2018 from Google, where she was industry head for financial services—says she can’t comment on activities prior to her tenure, she says this change has come from the top, and covers all of the group’s activities. That said, she also notes that Datalinx Xpress was already in the works when she arrived, crediting director of commercial management Dave Hill as being the architect of the program.

“This is another leg of TMX’s client-first transformation, and fits squarely with our commitment to better serve clients. I’ve been in this role for a just over year, and the number one piece of feedback I would hear from clients was how we could be easier to work with,” she says. When it comes to measuring the success of the initiative, Ryerson says she looks at the number of clients participating.

“Close to 40% of eligible clients are now participating…and we hope those numbers will climb through the remainder of 2019 and 2020,” she says. “There has been no material impact on revenue—and that’s not the goal; the goal is to improve client relations. The ultimate measure of success will be client satisfaction.”

Following Suit?

Nasdaq is rumored to be exploring a similar approach to audits, though the exchange declined to comment for this article, and Ryerson says Hill has received inquiries from other exchanges expressing interest in following in TMX’s footsteps.

“We’re proud of the program, and think it would be great to see broader adoption,” she says.

However, others—particularly those in near-monopoly positions with a sticky client base—seem content to continue with the status quo for now. One consultant says that when he proposed a more progressive model to one major exchange, the operator responded that it felt there was more money to be made from audits, and it wasn’t willing to give up the income.

I think TMX is going about this the right way. I’ve talked to banks and the buy-side about this, and they are all giving this an A for effort.

Tom Davin, FISD

The question at the heart of change is this: do exchanges want compliance, or do they want to be able to recoup windfalls from audits? In theory—whether the client pays correctly upfront, or whether unpaid fees are collected later—the numbers should be a wash, except that recouping unpaid revenues via audits comes at a cost: the auditors’ fees, plus the harder-to-quantify cost of souring a client relationship. And if clients truly ever achieve full compliance (or close to it), then the need for audits goes away—along with any revenue recoveries. So if that’s the aim, then audits will ultimately become obsolete, and exchanges will sooner or later have to change the way they approach data license compliance anyway.

And while end-users want to see more exchanges moving in the same direction, it may take time as other exchanges scrutinize the impact on TMX’s data revenues. “I think it will take a year or two of this working. Other exchanges will want to see the effect of these changes,” the data compliance executive says.

“I think TMX is going about this the right way. I’ve talked to banks and the buy-side about this, and they are all giving this an A for effort,” says Tom Davin, managing director of data industry association FISD, who previously ran market data at Nasdaq. And for any exchange holding back from change because of potential lost recoveries, Davin notes that a less adversarial and closer approach can actually strengthen an exchange’s revenue streams by making data usage more compliant and therefore more consistent.

While it may take some time for the impact of TMX’s new approach to be fully realized on the exchange’s balance sheet, the bottom line is that the positive feedback it is already getting is priceless.