This article explores:
- How MNPI is defined.
- An MNPI case scenario and what might generally fall under MNPI compliance.
- MNPI regulation in the US and EU and what the differences are between the two regions.
- MNPI in CRM and Office software systems and how to better protect these.
1. What is MNPI?
MNPI refers to material non-public information. Material non-public information is information that has not been made public, but which could have an impact on the price of securities.
The non-public information must be significant enough to change a company’s share price. For example, if a C-level executive who works for a corporation learns that her working hours will be cut next month, this is nonmaterial information. It is nonmaterial because this information will not change the stock price.
2. MNPI examples
A classic MNPI and insider trading case scenario:
An employee learns from the CEO’s Outlook calendar entry that he is having lunch with the CEO of a competitor company. The employee concludes that a merger or acquisition is imminent (→ MNPI) and tells his wife to buy shares of the competitor company (→ insider trading) because he expects the share price to rise.
Material non-public information may also include the following:
- The planning or intention to launch an initial public offering, a tender offer, a private placement, a share buyback, or a stock split
- An upcoming earnings release that is not consistent with investor and analyst expectations
- Resignation or dismissal of one or more senior executives
- A pending acquisition or disposition of a significant asset or business unit
- A pending rating change
- A pending legal dispute/lawsuit
3. Insider Trading Compliance and Regulation in the U.S. and EU
Both the USA and the EU have strict compliance rules and regulations on the subject of MNPI and insider trading. In general, holders of non-public material information may not use this information to their advantage when trading securities.
Such action is classified as insider trading and is against the law and punishable by heavy fines.
In the USA, trading based on material non-public information is regulated by SEC Rule 10b5-1.
3.1 SEC Rule 10b5-1
Section (a) of SEC Rule 10b5-1 states the following:
The “manipulative and deceptive devices” prohibited by Section 10(b) of the Act (15 U.S.C. 78j) and § 240.10b-5 thereunder include, among other things, the purchase or sale of a security of any issuer, on the basis of material nonpublic information about that security or issuer, in breach of a duty of trust or confidence that is owed directly, indirectly, or derivatively, to the issuer of that security or the shareholders of that issuer, or to any other person who is the source of the material nonpublic information.
Section (b) defines what exactly is meant by the phrase “on the basis of material nonpublic information”:
[…] a purchase or sale of a security of an issuer is “on the basis of” material nonpublic information about that security or issuer if the person making the purchase or sale was aware of the material nonpublic information when the person made the purchase or sale.
In other words, the purchase or sale of shares falls under trading based on material non-public information if the trader had direct or indirect knowledge of the information at the time of the purchase/sale. It does not matter how the material non-public information was acquired or whether the person is employed by the company. For example, let’s say someone learns about MNPI from a family member and forwards it to a friend. If the friend uses this inside information to profit from the stock market, all three people involved can be prosecuted.
In order to protect against a possible allegation of the use of material non-public information, it is possible to establish a pre-arranged trading plan for the purchase or sale of shares. This is addressed in section (c) of Rule 10b5-1. Section (c) deals with situations where a person can provide evidence that MNPI played no role in the trading decision. The core aspect of section (c) is as follows:
Insiders are permitted to use a written trading plan to pre-define when and at what price they will buy or sell their securities, provided there was no knowledge of MNPI at the time the trading plan was prepared. If the person later gains access to material non-public information that could positively affect the price of the securities, there will be no criminal impact on the trader because the trading plan has already been established in advance. Accordingly, the purchase or sale of these security shares remains legally legitimate. However, it is prohibited to change the trading plan after the insider has become aware of the material non-public information.
3.2 Regulation in the EU: Market Abuse Regulation (MAR)
In the EU, insider trading is regulated by the Market Abuse Regulation (MAR). Pursuant to Art. 14 a) in conjunction with Art. 8 MAR, insider trading and attempted insider trading are prohibited. As an EU regulation, the Market Abuse Regulation is a directly applicable law. However, the national authorities are responsible for the conviction or prosecution of criminal offenses.
The term MNPI or “material non-public information” is not used in the MAR. Instead, the MAR uses the general term “inside information”. According to Art. 7 (1) MAR, the following items fall under inside information:
a) information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments or on the price of related derivative financial instruments;
b) in relation to commodity derivatives, information of a precise nature, which has not been made public, relating, directly or indirectly to one or more such derivatives or relating directly to the related spot commodity contract, and which, if it were made public, would be likely to have a significant effect on the prices of such derivatives or related spot commodity contracts, and where this is information which is reasonably expected to be disclosed or is required to be disclosed in accordance with legal or regulatory provisions at the Union or national level, market rules, contract, practice or custom, on the relevant commodity derivatives markets or spot markets;
c) in relation to emission allowances or auctioned products based thereon, information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more such instruments, and which, if it were made public, would be likely to have a significant effect on the prices of such instruments or on the prices of related derivative financial instruments;
d) for persons charged with the execution of orders concerning financial instruments, it also means information conveyed by a client and relating to the client’s pending orders in financial instruments, which is of a precise nature, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments, the price of related spot commodity contracts, or on the price of related derivative financial instruments.
Essentially, U.S. and EU laws agree on what information falls under MNPI or inside information. Similar to U.S. law, (pre-arranged) orders that were initiated before a person possessed inside information are not considered insider trading under EU law. The German Federal Financial Supervisory Authority (BaFin) guidelines contain the following text on this subject:
Exceptions to the prohibition of insider dealing are thus transactions to which somebody has made a commitment before being in possession of the inside information, even if those transactions are executed at a later date. This also applies when a standing order is issued where the insider does not come into possession of the inside information until after the standing order has been issued (see also section I.18.104.22.168.1.4).
3.3 Essential difference between U.S. and EU: Cancellation of orders
An essential difference between the U.S. and EU compliance regulations is the treatment of order cancellations after obtaining material non-public information.
According to the U.S. Supreme Court’s decision in Blue Chip Stamps vs. Manor Drug Stores, 421 U.S. 723 (1975), there can be no insider trading liability under Rule 10b-5 if there is no actual securities transaction. Therefore, cancellation of trading plans is permitted even if the individual was in possession of material non-public information at the time of cancellation.
This is not the case in the EU. Here, cancellations of orders after knowledge of MNPI are prohibited. The following text can be found in the Market Abuse Regulation:
However, where a person comes into possession of inside information, there should be a presumption that any subsequent change relating to that information to orders placed before possession of such information, including the cancellation or amendment of an order, or an attempt to cancel or amend an order, constitutes insider dealing. That presumption could, however, be rebutted if the person establishes that he or she did not use the inside information when carrying out the transaction.
Similar information can be found in the BaFin guidelines:
Under point (a) of Article 14 in conjunction with Article 8 of the MAR, engaging or attempting to engage in insider dealing is prohibited. The new rule is no longer limited to acquiring or disposing of a financial instrument, but now also covers canceling or amending an order.
Thus, the US and EU jurisdictions take different approaches in this regard.
Note: Changing (not canceling) trade plans and pre-arranged trade orders after the person has obtained MNPI is prohibited in both the US and the EU. Both regulations agree on this.
4. MNPI in CRM and Office software systems
For decades, companies have increasingly relied on IT-supported applications to store their data and, above all, customer relationship information and to use it to improve customer relationships. The actual customer communication usually takes place in e-mail systems, while the information important for customer management is stored in the CRM system (Customer Relationship Management System). Due to the digital transformation, the amount of collected data and customer information is constantly increasing. Therefore, it is more important than ever to protect such information and, above all, to ensure that no material non-public information leaks out. Companies and institutions that come into contact with MNPI in their data processing are therefore subject to strict security and compliance requirements as described above.
Comprehensive protection of enterprise IT systems is not limited to firewalls or antivirus software solutions but encompasses numerous layers ranging from general data security, application security, endpoint security, and network security to perimeter security.
A major security risk in the CRM and Office software area is the interaction and synchronization between the two systems. Companies use synchronization services to automatically transfer data between CRM and Office applications. This is supposed to save time by eliminating much of the manual data entry and to bring companies closer to their goal of a 360-degree customer view, as important customer information becomes available quickly across systems. The big danger is that sensitive data such as MNPI is automatically synchronized along with it, without specifying exactly who can view this information. Let’s bring up the simplified case scenario from Chapter 2 again:
- A CEO creates a calendar entry in his office system (e.g., Microsoft Outlook) for the meeting with the CEO of the competitor company. This calendar entry is marked as private in Outlook, which means that all other employees cannot see what this calendar entry is about. So far, this would be security compliant.
- The calendar entry in Outlook is transferred to a CRM software system such as Salesforce via a synchronization service.
- After synchronization, the calendar entry, including the information that the meeting is an M&A related meeting, becomes visible in Salesforce to all employees. In other words, material non-public information has been leaked to unauthorized employees through synchronization. There has been a breach of security and compliance regulations.
To prevent such scenarios from emerging, it is necessary to 1) ensure that the synchronization service itself is unassailable and that all compliance requirements are met, and 2) configure granularly which types of data may be synchronized and which remain restricted. In practice, configuration on this scale is extremely complex, as large enterprises store a vast amount of different data in a multitude of IT systems.
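The scenario above turns on the private flag being lost during synchronization. The following added example (not code from Riva, Salesforce or Microsoft) sketches a sync filter that carries the flag across and fails closed; the item fields, the `CrmRecord` type and the sensitivity values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample items; field names are assumptions modeled on a
# calendar entry with a sensitivity flag, not a real vendor schema.
SAMPLE_ITEMS = [
    {"id": "evt-1", "owner": "ceo", "subject": "Quarterly customer review",
     "body": "Agenda attached", "sensitivity": "normal"},
    {"id": "evt-2", "owner": "ceo", "subject": "Lunch with competitor CEO",
     "body": "M&A discussion", "sensitivity": "private"},
    {"id": "evt-3", "owner": "ceo", "subject": "Board prep",
     "body": "Draft earnings figures"},  # sensitivity flag missing entirely
]

SYNCABLE = {"normal"}                 # full content may be shared in the CRM
REDACTABLE = {"private", "personal"}  # only a placeholder may be synced


@dataclass(frozen=True)
class CrmRecord:  # hypothetical target record
    source_id: str
    subject: str
    body: str
    visible_to: frozenset  # user ids; "*" means all CRM users


def to_crm_record(item):
    """Map one calendar item to a CRM record, or None if it must not sync."""
    level = str(item.get("sensitivity", "")).lower()
    if level in SYNCABLE:
        return CrmRecord(item["id"], item["subject"], item["body"], frozenset({"*"}))
    if level in REDACTABLE:
        # Keep the slot, drop subject and body, restrict visibility to the owner.
        return CrmRecord(item["id"], "Private appointment", "", frozenset({item["owner"]}))
    # Missing, unknown or stricter flag: fail closed and sync nothing.
    return None


def sync(items):
    """Return (records_to_write, audit_log) for a batch of calendar items."""
    records, audit = [], []
    for item in items:
        record = to_crm_record(item)
        if record is None:
            audit.append((item["id"], "blocked"))
            continue
        audit.append((item["id"], "synced" if "*" in record.visible_to else "redacted"))
        records.append(record)
    return records, audit
```

The audit log gives compliance staff a record of which entries were withheld or redacted, so a blocked item can be reviewed instead of silently disappearing.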
While the standard synchronization of CRM systems such as Salesforce offers little possibility of granular security settings, special synchronization services such as Riva allow precise selection of what information is synchronized with the CRM and for whom it is visible.
For bank and insurance company employees who have access to sensitive customer data, the “Riva Classification Prompt” feature allows them to fulfill their responsibility to safeguard essential non-public information with the click of a mouse, while still having access to all the information critical to their customer relationships.
Such “Data Sharing Protection” can be set both on the administrator and/or on the end-user side for all information that is synchronized with the CRM system.
This means that CRM and Office software systems can be used to their full extent to improve customer relations and increase sales, while this seemingly small security gap, which is especially critical in the financial sector, can be reliably closed.