Insight | Published 25 Feb 2025

Insider Trading Compliance: Why Process Design Matters More Than Policy Drafting Alone

By CompliSense Editorial Desk | Reviewed by CompliSense Regulatory Review Desk

Tags: insider trading compliance, sebi pit regulations, trading window, designated persons, compliance process, regulatory compliance, compliance automation

A company may have a well-drafted insider trading policy. It may mention trading windows, designated persons, pre-clearance, contra trade restrictions, disclosures, and penalties. It may even be approved by the board and circulated internally.

But on the day the trading window needs to close, what actually happens?

Does someone remember to send the communication? Is the correct list of designated persons available? Are new joiners added? Are exits removed? Are connected teams informed? Are pre-clearance requests blocked? Is the closure recorded? Is there proof that the communication was sent before the sensitive period began?

This is where insider trading compliance usually fails. Not in the wording of the policy, but in the operating discipline around the policy.

A policy is only the starting point. Process design is what makes it work.

For listed companies and market-facing organisations, insider trading compliance cannot be treated as a document kept in a folder. It has to run like a controlled workflow. The compliance officer should not have to rely on memory, manual reminders, scattered Excel sheets, or last-minute emails to manage something as sensitive as trading by designated persons.

The most obvious example is trading-window control. In theory, the trading window is closed during sensitive periods, such as before financial results or when unpublished price sensitive information (UPSI) is being handled. In practice, the challenge is operational: who triggers the closure, who approves it, who sends the notice, who confirms the recipient list, who blocks approvals, and who keeps evidence?

If this is handled casually, the risk is high. A delay of even one day in communication can create confusion. A designated person may claim they were not informed. A department may say the updated list was not shared. A pre-clearance request may be approved when it should have been stopped. Later, during review or investigation, the company may struggle to prove that it had a controlled process.

That is why process design matters.

A proper trading-window workflow should have clear triggers. Financial result timelines, board meetings, major corporate actions, fund-raising discussions, mergers, acquisitions, business-sensitive decisions, and other UPSI-related events should not depend only on someone remembering to notify compliance. The business, finance, secretarial, legal, and senior management teams should know when compliance needs to be alerted.

The second control is the designated person list. Many organisations treat this as a static Excel file. That is risky. Designated person lists are living records. People join, resign, move teams, get access to sensitive information, lose access, or become connected through specific projects.

If the list is not updated, the entire compliance process weakens. A trading-window closure sent to an outdated list is not enough. A pre-clearance workflow based on old employee data is not enough. An annual disclosure exercise using stale records is not enough.

The list should have ownership, update frequency, approval history, and change logs. HR should feed employee changes. Department heads should identify access to sensitive information. Compliance should validate and maintain the final record. Every addition and removal should be traceable.

Internal communication is another area where process is more important than drafting. A policy may say that designated persons will be informed of trading-window closures. But how is this done? Email? Portal notification? HRMS announcement? WhatsApp? Manual message?

More importantly, how is delivery proved?

For insider trading compliance, communication should be structured and recorded. The firm should know when the notice was sent, to whom it was sent, what it said, whether reminders were issued, and whether any acknowledgement was captured where required. Without this, compliance becomes difficult to defend.

Pre-clearance is also not just a legal requirement. It is an operating workflow. A designated person raises a request. Compliance checks whether the trading window is open, whether the person is restricted, whether there is any ongoing UPSI event, whether past trades create contra trade concerns, and whether disclosures are due. Approval or rejection should not be informal.

Every pre-clearance request should create a record. The record should show who requested it, when it was requested, what security was involved, what checks were performed, who approved it, and what conditions were attached. If the trade is executed, the post-trade confirmation should also be tracked.

This is the difference between saying “we have a policy” and showing “we operated a control.”

Another weak point is cross-functional coordination. Insider trading compliance is usually owned by compliance or secretarial teams, but the information needed to run it sits across the organisation. Finance knows financial result timelines. Business teams know commercial negotiations. Legal knows transaction discussions. HR knows employee changes. Senior management knows strategic decisions.

If these teams do not have a disciplined reporting process, compliance will always be late.

A good process makes reporting obligations clear internally. It should not depend on informal comfort or personal relationships. Business teams should know that certain events must be reported to compliance immediately. Compliance should have a way to log the event, assess whether UPSI is involved, restrict trading where needed, and document the decision.

The same applies to structured digital databases and UPSI access records. Maintaining names is not enough. The organisation should be able to show who had access to what information, during which period, and why. This becomes especially important when sensitive projects involve multiple internal teams, external advisors, consultants, auditors, bankers, or vendors.

Again, the issue is process discipline. If access records are created after the fact, they lose credibility. If they are maintained manually without ownership, they become unreliable. If nobody reviews them, they become decorative compliance.

Training also needs to be practical. Many insider trading sessions explain the law, definitions, and consequences. That is useful, but not sufficient. Designated persons need operational clarity. They should know when they cannot trade, how to seek approval, what to disclose, what to do if a relative trades, whom to contact, and why informal sharing of sensitive information is dangerous.

The goal is not to turn every employee into a legal expert. The goal is to make the expected behaviour clear.

Senior management should also care about this because insider trading failures are reputationally damaging. Even when the issue arises from poor process rather than bad intent, the damage can be serious. Regulators do not only look at the policy document. They look at conduct, controls, records, timelines, and evidence.

That is why firms should ask a simple question: if reviewed tomorrow, can we show how our insider trading process actually operated?

Can we show trading-window closure dates? Can we show designated person records? Can we show communication logs? Can we show pre-clearance approvals and rejections? Can we show UPSI access records? Can we show disclosures, reminders, escalations, and evidence?

If the answer is no, the policy is not enough.

Insider trading compliance should be built as a repeatable operating system. The policy gives the rule. The process makes the rule enforceable. The evidence makes the process defensible.

A well-drafted policy may satisfy the first layer of compliance. But in real life, compliance succeeds or fails in the daily workflow: who is informed, who acts, who approves, who records, and who follows up.

Content accountability

Prepared by CompliSense Editorial Desk (Regulatory Content Team) and reviewed by CompliSense Regulatory Review Desk (Compliance Review Team).

This attribution reflects the preparation and review roles used for CompliSense regulatory publishing.
