Real-Time Surveillance: Evolving Expectations in Practice
News and Insights

Real-Time Surveillance: Evolving Expectations in Practice

Real-Time Surveillance: Evolving Expectations in Practice

By TradingHub and Greg Yanco


On trading floors and in compliance departments, “real-time surveillance” has become the phrase of the moment, invoked by regulators, vendors and banks alike. But behind the confidence of the label lies a more unsettled reality: few agree on what real-time should actually mean, or where it truly matters.

Part of this uncertainty stems from the assumption that real-time surveillance represents a universal standard, something to be applied consistently across all areas of market monitoring. In practice, the picture is more nuanced. The way regulators are thinking about real-time surveillance today reflects a more targeted, risk-based approach, rather than a single, uniform model.

At its simplest, real-time surveillance can be thought of as monitoring that takes place during the trading day, where alerts are generated and reviewed while markets are still open. But defining it purely in terms of speed risks missing the more important question: what is the purpose of reviewing activity in real-time, and where does it add meaningful value?

A helpful way to frame this is by distinguishing between different types of market risk. There is a clear difference between activity that disrupts the orderly functioning of a market, and behaviour that may constitute market abuse. The former tends to require immediate attention. The prevention of disorderly markets is of paramount importance to regulators globally, and as such the expectation is for firms providing direct access to clients having robust mechanisms in place to detect and action activities that may threaten market orderliness. In these scenarios, real-time monitoring plays a clear and necessary role, supported by controls such as pre-trade filters, kill switches, and exchange-level safeguards such as circuit breakers.

Market abuse, however, presents a different challenge. Identifying abusive behaviour typically requires a fuller understanding of context, trading patterns, and intent. These are not always readily apparent in the moment. Attempting to make determinations too quickly can, in some cases, limit the effectiveness of the analysis and may disrupt commercial activity. For this reason, many surveillance frameworks incorporate a degree of post-trade review, allowing systems to bring together a more complete picture before issues are escalated or investigated further.

This distinction is increasingly reflected in how surveillance programmes are being designed. Rather than extending real-time monitoring across all activity, there is a greater emphasis on aligning surveillance approaches to the nature of the risk being addressed. In practice, this often results in a combination of real-time monitoring for scenarios where immediacy matters, alongside more structured post-trade analysis where depth and context are required.

One of the challenges firms face is managing the operational implications of surveillance at scale. Expanding real-time monitoring across a broad set of alert types can quickly increase alert volumes, placing pressure on teams to review activity within constrained timeframes. In this environment, there is a risk that resources are spread too thinly, making it harder to prioritise genuinely significant activity. The issue is not simply the volume of alerts, but the ability to manage and respond to them effectively.

Regulatory outcomes in recent years have highlighted this point. In a number of cases, the underlying issue has not been a lack of systems or policies, but shortcomings in how alerts are calibrated, reviewed, and escalated.

Enforcement activity in Australia over the past 2 years illustrates this clearly. In several instances, firms had surveillance frameworks in place, but specific trading behaviours, such as activity around pricing windows, trading that might have influenced benchmark outcomes, or patterns consistent with false or misleading pricing signals, were either not identified quickly enough or not followed up with sufficient scrutiny. In other cases, patterns of behaviour persisted over extended periods before being addressed, even where the regulator has requested follow up, pointing less to gaps in capability than to gaps in execution and oversight.

What these cases demonstrate is that effective surveillance depends not just on detecting potential issues, but on ensuring that alerts are meaningful, prioritised appropriately, and acted on with sufficient urgency. Where this does not happen, even well-designed systems can become less effective over time. Surveillance frameworks therefore need to be actively managed, with ongoing attention to how alerts are configured and how teams are operating in practice.

It is also worth noting that regulatory expectations in this area remain largely principles-based. There is no single prescribed model for how real-time surveillance should operate across all firms and markets. Instead, regulators tend to focus on how firms are assessing the risk and outcomes, namely, identify potentially problematic activity, and respond in a timely and appropriate way.

This places responsibility on firms to assess their own risk exposure and design surveillance frameworks accordingly. Factors such as market structure, trading volumes, product complexity, and client activity all influence what an appropriate approach looks like in practice. A highly liquid, high-frequency market may justify a more sophisticated, low-latency monitoring setup, whereas a less active market may require a different balance between automation and manual oversight.

What emerges from this is not a rejection of real-time surveillance, but a clearer understanding of where it fits. It is one component within a broader surveillance ecosystem, working alongside post-trade analysis, pre-trade controls, and wider compliance frameworks. The effectiveness of that ecosystem depends not just on the technology in place, but on how well it is aligned to the specific risks a firm faces.

For firms, the practical challenge is to move beyond viewing real-time surveillance as an end in itself, and instead focus on how it contributes to overall surveillance effectiveness. This involves regularly reassessing whether resources are being directed to the areas of greatest risk, whether alert frameworks remain appropriately calibrated, and whether teams are equipped to act on the information they receive.

As expectations continue to evolve, this more measured, risk-led approach is likely to remain central to how real-time surveillance is developed and applied. Rather than attempting to do everything in real-time, the focus is increasingly on doing the right things at the right time, supported by systems and processes that are both targeted and sustainable.