GC100: MAR: guidelines on the requirement to maintain insider lists | Practical Law

GC100: MAR: guidelines on the requirement to maintain insider lists | Practical Law

Guidelines on the requirements of the Market Abuse Regulation (Regulation 596/2014) for companies to maintain insider lists.

GC100: MAR: guidelines on the requirement to maintain insider lists

Practical Law UK Practice Note 2-629-0375 (Approx. 19 pages)

GC100: MAR: guidelines on the requirement to maintain insider lists

by GC100 and Practical Law Corporate with assistance from Stephanie Maguire, Victoria Kershaw and Jennifer McCarthy, Freshfields Bruckhaus Deringer LLP
Law stated as at 31 Oct 2019United Kingdom
Guidelines on the requirements of the Market Abuse Regulation (Regulation 596/2014) for companies to maintain insider lists.

Scope of this note

These guidelines have been drawn up by the GC100 Listing Rules Working Group to assist members of GC100 to implement procedures for the purposes of complying with the requirements of the Market Abuse Regulation (MAR) for companies to maintain insider lists.
For GC100's guidelines on systems and controls, see Practice note, GC100: guidelines for establishing procedures, systems and controls to ensure compliance with Listing Principle 1.
GC100 is the association of general counsel and company secretaries working in FTSE 100 Companies. These guidelines, which do not necessarily reflect the views of all individual members of the GC100 or their employing companies, have been produced for guidance only. Nothing in these guidelines or the accompanying appendices represents advice by the GC100 or any of its members, Practical Law, Thomson Reuters (Professional) UK Limited, Freshfields Bruckhaus Deringer LLP or any of the participants in the Listing Rules Working Group to any person and none of the GC100, its members, Practical Law, Thomson Reuters (Professional) UK Limited, Freshfields Bruckhaus Deringer LLP and the participants in the Listing Rules Working Group accepts any responsibility or liability to any person for or in respect of the guidelines. It is the responsibility of individual companies to ensure that they understand, and comply with, MAR and to take specific external advice (legal or otherwise) as they deem appropriate.

Section 1: The requirement to maintain insider lists

1.1 Overview

The requirement to maintain insider lists is contained in Article 18 of MAR.
Companies, or any person acting on their behalf or on their account (adviser), must draw up, and promptly update, a list of all persons who have access to inside information and who are working for them under a contract of employment or otherwise performing tasks through which they have access to inside information. Insider lists must be in a prescribed format (see Appendix 1: Prescribed form insider list) and must be provided to the FCA as soon as possible on request. The requirement to create and maintain an insider list applies whenever a company has inside information, even if that information is disclosed as soon as possible.
Companies must also take all reasonable steps to ensure that any person on their insider list acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information.

1.2 Responsibility for insider list

The company itself is responsible for drawing up and updating its insider list.
In its Questions and Answers on MAR, ESMA has stated that where a company has engaged advisers to act on its behalf or on its account in connection with a matter that requires an insider list, those advisers have their own obligation to draw up, update and provide to the FCA on request an insider list which records details of, for example, the adviser's own employees. The company is not responsible for an adviser's fulfilment of these insider list requirements.
In contrast, where a company delegates the task of drawing up and updating the insider list regarding details of the company's own employees, the company will remain fully responsible for compliance with the MAR rules.

1.3 Identification of inside information

Information will be inside information if it meets certain cumulative criteria (see Checklist, MAR: is it inside information?).
For guidance on establishing procedures for the identification of inside information, see Practice note, GC100: guidelines for establishing procedures, systems and controls to ensure compliance with Listing Principle 1.

Section 2: Frequently asked questions

2.1 How many insider lists must be maintained?

The provisions in MAR are drafted on the basis that each company will have a single insider list. However, as there may be multiple pieces of inside information within the company at any one time, the list can be divided into separate sections relating to different pieces of inside information (whether it is a transaction, a project, a corporate or a financial event, preparation of financial statements or profit warnings) (Article 2(1) and recital (3), Commission Implementing Regulation on the format of insider lists and format for updating the insider list ((EU) 2016/347)) (Implementing Regulation).
New sections can be added to the insider list as and when each new piece of inside information (referred to as "deal-specific" or "event-driven" inside information) is identified. Each section should only include persons with access to the inside information relevant to that section.
To avoid multiple entries in respect of the same individuals in different sections of the insider list, companies and their advisers are permitted (although not required) to insert a supplementary section into their insider list, referred to as the "permanent insiders" section (Article 2(2) and recital (4), Implementing Regulation). This section differs from the rest of the sections of the insider list, as it is not created upon the existence of a specific piece of inside information. The permanent insiders section should only include those persons who, due to the nature of their function or position, have access at all times to all inside information within a company. The details of insiders included in the permanent insiders section should not be included in the other "deal-specific" or "event-driven" sections of the insider list.
Given the definition of "permanent insiders", it is likely that where companies do have a permanent insider list, it will be limited only to a small number of directors and other senior executives within the company, and it is unlikely that anyone at an adviser or other external organisation would be included on this list.
In practical terms, companies can therefore create a separate list for each specific piece of inside information, together with a list of permanent insiders, but treat the lists combined (together with those of any advisers or others) as constituting the single insider list for the purposes of MAR. Companies may choose to maintain additional lists of individuals involved in specific projects, but note that these will not amount to insider lists until they involve inside information (and should not be called insider lists until such time).

2.2 Who should be on the insider list?

Insider lists should record all personnel of companies, whether employees or otherwise, with access to the inside information. Every situation will need to be considered on a case-by-case basis in light of this requirement, but the list will, for example, need to include (as applicable):
  • All team members to whom inside information is circulated/made known.
  • Secretaries/assistants with access to emails or other records containing inside information.
  • Compliance staff with access to inside information.
Senior management who are not directly involved in transactions but who receive inside information, for example, on potential transactions, or sit on review committees for such transactions, may be included on the permanent section of the insider list (see 2.1 How many insider lists must be maintained?) or a section of the non-permanent list, but not both.
There is a general requirement for companies to allow access to inside information only to those who require it for the purpose of their work (that is, on a "need to know"’ basis). Companies should have in place policies regarding access to inside information that are consistent with this requirement and ensure that they have robust IT controls to limit access to inside information.

2.3 When do individuals need to be included on the list?

Given the requirement to record in any "deal-specific" or "event-driven" section of the insider list the date and time at which each individual named first obtained access to the inside information concerned, it will be critical for:
  • Companies to identify and record, and to communicate to their advisers, the time at which each particular piece of information first becomes inside information.
  • Companies and any advisers to identify and record when each relevant individual (that is, each individual it is responsible for including on the list) first gained access to the inside information after such time.
Where information is not inside information from the outset, but instead develops over time:
  • Companies (in conjunction with their brokers and other advisers, where appropriate) will need to monitor the progress and development of the potential transaction and identify the point in time at which it becomes inside information.
  • All individuals that were aware of the potential transaction prior to that time should be treated as first becoming aware of the inside information at the time that it was first identified by the company as being inside information (rather than only when later informed that the information has become inside information).
  • Having decided the time at which the potential transaction becomes inside information, companies should communicate that to advisers maintaining their own insider list, so that they can record that in their list in a manner consistent with the company's list.
  • For other individuals that become aware of the potential transaction at a later date, it will be the time and date that they are first informed of it (and the company and others maintaining lists on its behalf will need to identify when that is for each of those individuals).
The need to identify the point in time at which a transaction first becomes inside information is also important because:
  • That will be the time from which it will be judged whether any announcement was made "as soon as possible".
  • Where companies can rely on the ability to delay disclosure, it will trigger the MAR record keeping obligations.
Where a list of those with knowledge of a confidential project is compiled before the project constitutes inside information, those on the list must be moved to a project specific insider list only as and when information relating to the project has first been identified as being inside information. The insider list must show the date and time at which persons moved onto it from the confidential project list.

2.4 What information needs to be on the insider list?

Both a company's insider list and any adviser's insider list must follow the new pan-European standard format for insider lists (see Appendix 1: Prescribed form insider list).
Insider lists must therefore contain the following:
  • Full name (and birth surname, if different), date of birth, personal telephone numbers (fixed line and mobile numbers) and personal address of the insider.
  • National identification number of the insider, if applicable. It is thought that, for UK nationals, the national identification number column can be left blank, as it is only required to be completed "if applicable". For other nationals, who have a national identification number, that number should be included (Question 30, Part A, CLLS and Law Society Q&A). Note that it is not always easy to assess whether a national identification number is required as there is no parallel requirement to ascertain or include an insider's nationality.
  • Professional telephone numbers of the insider (fixed line and mobile numbers), and the company/adviser name and company/adviser address.
  • Insider's function and reason for being an insider. The reasons for being an insider will vary from person to person depending on the information to which the person has access and the nature of the person's role. A short description of the transaction, situation or business to which the inside information relates and the person's role/position relating to it will usually suffice (however, very generic descriptions of the functions of non-deal team members should be avoided, as they may not be sufficient to show the reason for including that person on the insider list). Companies will want to adopt a consistent approach to the reasons why someone has been included on the list (for example, because they have access to financial results or because they have access by virtue of being involved in a particular project which involves inside information).
  • Date and time (including the time zone) at which the insider obtained access to inside information.
  • Date and time (including the time zone) at which the insider ceased to have access to inside information. This may be the date and time when the information is made public (for example, a transaction is announced) or when the individual ceases to be employed by the company.
  • Dates and times (including time zones) when the insider list was created and updated.

2.5 When should the list be updated?

Insider lists must be updated promptly (and the update must specify the date and time when the change occurred) when:
  • There is a change of reason for an individual being on the insider list.
  • Any individual who is not already on the insider list is given access to inside information.
  • An individual on the insider list ceases to have access to inside information.
(Article 18(4), MAR.)
In relation to the third bullet point above, the most likely circumstance in which a person ceases to have inside information is when the information itself ceases to be inside information, for example, when a transaction is announced. At this time, the insider list should record all persons on the insider list as ceasing to have inside information. However, companies will need to be ready to draw up a new insider list if there are later developments in relation to the transaction that would be separate pieces of inside information (for example, a counter bidder making an approach to the company).
All fields must be kept up to date on an ongoing basis to avoid the risk of tipping off an individual if requests for updated information are made at the time of an investigation (and to ensure that information can be made available to the FCA as soon as possible) (recital (7), Implementing Regulation; see also paragraph 272, section 8.3, ESMA Final Report: Draft technical standards on MAR (ESMA 2015/1455)). Versions of the insider list at differing points in time should therefore be saved in order to preserve the audit trail. Issuers will need to be able to respond to requests from the FCA for details of who had access to inside information of a particular event, what the information was and when they had access to it.
A company may wish to consider what arrangements (if any) it should have in place with individuals on the list who leave while they have inside information, for example, it may wish to remind them that they owe a duty of confidentiality to the company and that they have previously acknowledged the legal and regulatory duties entailed and are aware of the sanctions attaching to the misuse or improper circulation of inside information. A company may also wish to remind them that some obligations (such as insider dealing offences under the Criminal Justice Act 1993) will still apply to them or to suggest that they should still clear any dealings with the company for a certain period of time after they leave.
Access rights should be reviewed regularly so that access to inside information is removed when a person changes roles or is transferred from a project. Companies may want to consider a standard approach to recording a change in the reason for a person being on the list (for example, a change in a person's responsibilities, a move from one company to another or leaving the company).

2.6 Which individuals should be responsible for maintaining an insider list?

There is no express requirement for companies to specify an individual who is responsible for maintaining the list. However, companies must ensure that access to an insider list is restricted to clearly identified persons at a company that need access due to the nature of their function or position (Article 2(4), Implementing Regulation). This could be, for example, the individual(s) maintaining the insider list and the Company Secretary and/or General Counsel.
As a practical matter, companies will want to specify an individual who has overall responsibility for maintaining the insider list, such as the Company Secretary. Companies should decide who is, and whether more than one person should be, responsible for:
  • Maintaining and updating each section of the insider list (for example, adding someone to the list, removing them or changing the reason for their being on the insider list).
  • Deciding who can be given access to inside information (both generally and in specific cases).
  • Keeping the details of principal contacts at advisers up-to-date in relation to each section of the insider list.
  • Recording the obligations of advisers in relation to their parts of the insider list, and ensuring that arrangements with all advisers are effective.
  • The employee notification requirements (see 2.10 What are the company's obligations in respect of employees?).
In relation to "deal-specific" or "event-driven" sections of the insider list, it might be appropriate for the person with overall responsibility for a company's insider list to designate another individual to maintain that section, for example the deal team leader on a transaction.
The arrangements for insider lists should be integrated with the procedures adopted by companies for the identification and control of inside information (see sections 2.3 and 2.4 of Practice note, GC100: guidelines for establishing procedures, systems and controls to ensure compliance with Listing Principle 1).

2.7 How long should an insider list be kept?

An insider list must be kept for at least five years from the date when it is drawn up or updated (whichever is later) (Article 18(5), MAR).

2.8 Where and how should insider lists be kept?

Insider lists must be drawn up in an electronic format which enables the information included to be kept confidential and accurate (Article 2(3) and 2(4), Implementing Regulation). The format must allow access to and retrieval of previous versions of the insider list.
This means that updates must not change existing information, and so each change to the insider list must be recorded in a new version that preserves the integrity of the previous version and maintains an effective audit trail, with all previous versions being retrievable during the five-year period that the insider list must be kept. Companies should ensure that their systems accommodate this.
There are no location requirements as to where a company's insider list should be kept. As noted above, where the insider list is divided into separate sections which are managed by different individuals, companies need to consider how the keepers of each section will liaise and co-ordinate regularly with someone centrally who has overall responsibility for the insider list.

2.9 How and when should the list be submitted to the FCA?

Where requested, a company must provide an insider list to the FCA as soon as possible, which will be interpreted on the assumption that an insider list will be up to date at all times and that all previous versions are readily accessible. The FCA often requests that completed insider lists be returned within two days.
In practice, companies will want to consider how it will reproduce the insider list at any given moment and ensure that adequate procedures are put in place so that any request is directed to the right individual who can access the list and provide a copy. A company's nominated FCA contact should know who to contact to respond to an FCA request for a copy of an insider list.
The insider list must be submitted to the FCA in electronic format.

2.10 What are the company's obligations in respect of employees?

Companies and each adviser must take all reasonable steps to ensure that each person on the insider list:
  • Acknowledges in writing the legal and regulatory duties entailed in having access to inside information.
  • Is made aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information.
(Article 18(2), MAR.)
Companies and their advisers will therefore need to have procedures in place to ensure that an appropriate memorandum is automatically sent to each person added to an insider list and that a copy is promptly signed and returned as acknowledgement. Companies may send their insider notifications out in email format, and receive acknowledgements back electronically (see 2.11 Can employee acknowledgements be made electronically?).
As there is technically only one insider list, with different sections for each separate piece of information, the employee acknowledgment only needs to be obtained when an insider is first included on one of the sections of the insider list (and not in respect of each other section to which the individual is later added). However, companies may prefer to send a new employee acknowledgement every time an individual is added to a new section of the insider list. If the individual ceases to be on any section of the insider list at all, a further acknowledgment should be obtained if he/she is later added to the insider list again on account of a new piece of inside information.
Companies should nominate a person to keep the memorandum up-to-date in case of any changes, and decide who is responsible for refresher training for employees on the importance of keeping information confidential and the implications of unlawful disclosure. A company should also ensure that, if inside information exists, the provisions of its share dealing code are adhered to.
For a form of memorandum, see Appendix 3: Memorandum on inside information and for a form of an acknowledgement, see Appendix 4: Acknowledgement of receipt of memorandum on inside information.

2.11 Can employee acknowledgements be made electronically?

A company must ensure that every person whose name is on the insider list acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to insider dealing and unlawful disclosure of such information (Article 18(2), MAR).
A company may wish to send insider notifications out in email format. If the insider is required to electronically accept the terms of being an insider, the following may need to be considered:
  • The email address of the recipient to which the insider notification is forwarded should only be accessible by the individual being made an insider.
  • The time and date that the individual confirmed acceptance by clicking "I Accept" should be logged on the system.
The email confirmation should also make the recipient aware that:
  • By clicking "I Accept", the recipient is signing their insider's acceptance electronically.
  • By clicking "I Accept", the recipient consents to be legally bound by the company's insider terms and conditions.

2.12 What are the obligations of the company to external advisers and vice versa?

In respect of each section of the insider list for a project that involves advisers, companies should keep a record of the details of the principal contact(s) at each adviser that has access to inside information. Although, as noted above (see 1.2 Responsibility for insider list), a company is not responsible for an adviser's fulfilment of the adviser's own insider list obligations, a company may wish to consider putting in place effective contractual arrangements with each of its advisers to ensure that each adviser:
  • Draws up and promptly updates its own insider list of individuals working for them with access to inside information.
  • Is obliged to provide its insider list to the FCA as soon as possible on request.
  • Is obliged to keep such insider list for at least five years.
  • Takes the necessary measures to ensure everyone on the insider list acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information about the company.
In order to ensure that advisers can correctly identify the date on which their employees first had access to inside information, companies should notify their advisers if they consider that the information they are providing is inside information. It is important that there is clear communication of, and a consistent approach to, the date and time when information became inside information, and the date(s) and time(s) that employees and advisers first obtained, and subsequently ceased to have access to, inside information.
Where a company's advisers are not EU-based or otherwise are unlikely to be familiar with the insider list requirements, the company may want to consider if it will need to provide such advisers with further information.
If a company decides to use contractual arrangements, it may wish to consider using pro forma contracts (or model clauses) with its advisers and agents. For an example of a letter to advisers, see Appendix 2: Insider lists: Letter to advisers.

2.13 Data protection

The regime under MAR means that companies will be processing significant personal data in order to create, and disclose to the FCA, insider lists. Companies should ensure that this processing is compliant with data protection laws. Where potential insiders are based outside the EU, companies may need to seek local law advice on how to comply with relevant data protection laws.
Although companies are under a legal obligation to create and disclose their insider lists, they must make sure that the personal data that it processes in this regard is actually necessary for compliance with the relevant obligation (that is, it is not merely useful or desirable). EU law permits personal data to be collected if there is a legal requirement to do so, although this does not extend to "sensitive data", for example, about health, religion or trade union membership.
Companies are likely, as a minimum, to need to check that the fair processing notice given to potential insiders when their personal information is collected clearly sets out what the information will be used for, who will hold it, where it will be held and whether any third parties will be involved in storage or transfer. These requirements might be satisfied by a company's general staff privacy notice. From an EU perspective it is most straightforward if personal data is held within the EU as this avoids the restrictions on exporting data outside the EU. Personal data can be exported outside the EU with appropriate legal arrangements in place.
If a company maintains a less formal confidential project list, that is, before a formal MAR requirement bites, this should be permitted by EU law as being in the company's "legitimate interest", although this will need to be considered on a case-by-case basis. Again, this will not cover sensitive data, and privacy notices are required (although a staff privacy notice might suffice, as above).

Section 3: Practical guidance on insider lists

3.1 Allocate responsibility for compliance with the rules

  • Allocate responsibility to a person/team for:
    • deciding when to start an insider list and the criteria to be used in determining how and when information becomes inside information;
    • maintaining and updating the list;
    • deciding who can be given access to inside information either generally or in specific cases; and
    • keeping the details of principal contacts at persons acting on behalf of or for the account of the company up-to-date.
Responsibility is likely to lie with the company secretariat team or the disclosure committee.

3.2 Compiling lists

  • Draw up an insider list in accordance with the prescribed template (see Appendix 1: Prescribed form insider list).
  • Consider producing a separate section for permanent insiders.
  • Adopt a consistent approach for inclusion on the insider list and consider whether certain types of employees (for example, secretaries, senior executives, administrative or IT staff) should be on the list.

3.3 Updating lists

  • Adopt procedures to ensure that lists are promptly updated with the date and time when:
    • an individual on the list ceases to have access to inside information (for example, if that person ceases to be employed by the company and no longer has access to inside information or because the information is made public);
    • any individual who is not already on the list is given access to inside information; and
    • there is a change of reason for an individual being on the list.
  • Consider arrangements for individuals on the list who leave while they have inside information.
  • Adopt a consistent approach for removal from the list. (For a notification of removal from an insider list, see Appendix 5: Notification of removal from insider list.)

3.4 External advisers and agents

  • In each insider list for a project that involves external advisers and agents, include details of the principal contacts at advisers and agents who have access to inside information.
  • Review all contractual arrangements with advisers and agents and consider the use of pro forma contracts (see Appendix 2: Insider lists: Letter to advisers) to ensure that the company has effective arrangements in place so that advisers or agents:
    • keep their own lists of all individuals working for them with access to inside information about the company;
    • are obliged to provide such lists to the FCA as soon as possible on request;
    • are obliged to keep such lists for at least five years; and
    • take the necessary measures to ensure everyone on the insider list acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information about the company.
  • Consider discussing the approach to insider lists with advisers and agents.
  • Consider whether to provide further information to non-EU based advisers and agents unfamiliar with the EU insider list requirements.

3.5 Employment arrangements

  • Review existing employment arrangements in light of procedures for keeping insider lists.

3.6 Memorandum and acknowledgement

  • Produce a memorandum on the legal and regulatory duties entailed in having access to inside information and the sanctions applicable to insider dealing and unlawful disclosure of inside information and give it to those individuals included on the company's insider list (see Appendix 3: Memorandum on inside information).
  • Require each individual receiving such memorandum to acknowledge receipt of the memorandum (and the legal and regulatory duties referred to in it) in writing (see Appendix 4: Acknowledgement of receipt of memorandum on inside information).
  • Allocate responsibility for keeping the memorandum up-to-date.

3.7 Training

  • Implement appropriate communication and training programmes so that existing employees and future employees who have access to inside information are aware of and understand their obligations in relation to inside information under MAR. Consider the need for refresher training. Ensure training covers the need for secrecy and the need to comply with established procedures to protect inside information.
  • Ensure that all employees understand the potential liabilities for them, the company and the PDMRs for a breach of MAR.
  • Keep a record of all training received.
  • Review periodically whether the training programme continues to be adequate to protect any inside information.

3.8 Employee arrangements in relation to dealing and share schemes

  • Reasonable consideration should be given to establishing personal account dealing policies; those policies should be made clear to staff together with the civil and criminal penalties for dealing on the basis of inside information or enabling such dealing.
  • Where relevant, make insiders aware that there are company share schemes and trading plans which may be subject to the company's Share Dealing Code and prior clearance might be required.
  • Require each individual to submit and obtain clearance in writing.

3.9 Co-ordination

  • Consider liaison and co-ordination between the keepers of the insider list and the person with central responsibility for insider lists. Ensure that they can compile a central insider list quickly and easily to satisfy a request from the FCA.
  • Make sure that the company's nominated FCA contact knows who to contact to respond to an FCA request for a copy of an insider list.

3.10 Access and control of inside information

  • Restrict access to the insider list to a select number of individuals. Where practicable apply a "need to know" policy.
  • Review access to the company's IT systems and consider passwording procedures and restricted access to sensitive documents. Consider using secure access databases and/or encryption software for storing and protecting inside information.
  • Review procedures for protecting physical copies of sensitive documents and consider the use of project names and codes that are not easy to decode.

3.11 Administrative/IT systems

  • Review and ensure appropriate consideration is given to the security of and access to inside information on IT systems, including the implementation of controls to limit access on a regular basis.
  • Consider the range of people with access to inside information and whether any administrative/IT staff and other individuals working for the company (such as external contractors where administrative/IT functions are outsourced) who have overriding access to such information should be included on the insider list. However, it should generally be sufficient if companies can identify any such individuals who have in fact accessed files containing inside information and include those individuals on the insider list. Protecting information using secure databases and/or encryption systems can help reduce this risk.
  • Where administrative "pools" (for example, word processing and photocopying) are used to process documents that contain inside information, consider whether there are any individuals who may need to be included on the insider list.

3.12 Storage and retrieval

  • Consider storage and retrieval facilities for insider lists to ensure speedy access.
  • Keep all insider lists for five years from when compiled or updated (whichever is later).

Appendix 1: Prescribed form insider list

For the prescribed form insider list, see Standard document, MAR: insider list for issuer of financial instruments traded on a regulated market.

Appendix 2: Insider lists: Letter to advisers

OBLIGATIONS RELATING TO INSIDE INFORMATION
Please confirm by email to [NAME] at [EMAIL ADDRESS] that you acknowledge and will comply with the requirements set out in this letter.

1. Introduction

1.1 You are an adviser to [name of client] (Company) [in connection with Project [NAME]/[on various matters]. You are receiving this letter because you have, or could in the future have, access to inside information about the Company (inside information).
1.2 This letter confirms the arrangements that we require you to put in place in order to ensure compliance with the EU Market Abuse Regulation.

2. Requirement to maintain an insider list

2.1 The Company requires you to draw up and maintain a list (Insider List) of all persons who have access to inside information (recording each piece of inside information separately) and who are working for you under a contract of employment or otherwise performing tasks through which they have access to inside information.
2.2 The Insider List must be kept in electronic form and follow the format prescribed by Commission Implementing Regulation (EU) 2016/347.
2.3 You must promptly update any Insider List:
  • When there is a change in the reason why an individual is already on that Insider List;
  • When any individual who is not already on that Insider List is required to be added to it; and
  • To indicate when an individual already on that Insider List no longer has access to the relevant piece of inside information.
2.4 You must keep any Insider List for a period of not less than five years from the date on which it was created or last updated. In addition, you must provide a copy to the Financial Conduct Authority as soon as possible upon request.

3. Acknowledgement of duties

You must take all reasonable steps to ensure that any person on your Insider List acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information.

4. Classification of information as inside information

4.1 The Company will inform you on each occasion that it provides you with any piece of information which it considers to be inside information.
4.2 The Company shall also inform you on each occasion that it considers that any inside information previously disclosed to you ceases to be inside information.

5. Other advisers

You should not engage another third party to act in relation to [Project [NAME]] [any matters on which you are advising] unless the relevant third party agrees to substantially the same terms in relation to inside information and insider lists as are set out in this letter. You are entitled to assume that we have secured the necessary agreements with other parties acting for us whom you have not engaged.

Appendix 3: Memorandum on inside information

MEMORANDUM ON INSIDE INFORMATION: [NAME OF COMPANY] – PROJECT [NAME OF PROJECT]
You have received this memorandum because you have access to inside information about [NAME OF COMPANY] (Company). You must read this memorandum carefully and sign and return the acknowledgement slip on the last page of this memorandum to [NAME] as soon as possible.
Please remember that this memorandum is a summary and is not exhaustive. It should therefore not be used as a substitute for specific legal advice. If you need any more detailed information, you should contact [NAME].

1.Applicable laws and possible sanctions

1.1 Insider dealing provisions

It is a criminal offence for an individual who has inside information to deal in securities whose price would be likely to be significantly affected by that information if made public. It is also a criminal offence to disclose inside information other than in the proper performance of the functions of your employment or office, as well as to encourage others to deal.
"Inside information" is information of a precise nature, which has not been made public, which relates, directly or indirectly, to the Company (including its subsidiaries) or its securities or related financial instruments and which, if it were made public, would be likely to have a significant effect on the price or value of those securities or related financial instruments.
Information is likely to have a significant effect on price if it is information that a reasonable investor would be likely to use as part of the basis of his or her investment decisions.
An individual guilty of insider dealing may be liable to a fine and/or to imprisonment.

1.2 Duty of confidentiality

You are under a duty of confidentiality in respect of any confidential information you receive (whether about the Company or a third party) and you must not use or disclose such information without due authorisation.
The Company (or others) may take action against you if you breach this duty of confidence, including seeking an injunction to prevent the disclosure of any confidential information or damages for any losses suffered.

1.3 Market abuse provisions

The market abuse regime prohibits the following types of behaviour:
  • Engaging, or attempting to engage, in insider dealing.
  • Recommending that another person engage in insider dealing or inducing another person to engage in insider dealing.
  • Unlawfully disclosing inside information.
  • Market manipulation and attempted market manipulation, which comprises the following activities:
    • Entering into a transaction, placing an order to trade or any other behaviour which gives or is likely to give, false or misleading signals as to the supply or demand for, or price of, a financial instrument or secures, or is likely to secure, the price of one or several financial instruments at an abnormal or artificial level;
    • Entering into a transaction, placing an order to trade or any other behaviour or activity which employs fictitious devices or any form of deception; and
    • Disseminating information by any means which gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of, a financial instrument, or is likely to secure the price of one or several financial instruments at an abnormal or artificial level, including the dissemination of rumours where the person who made the dissemination knew, or ought to have known, that the information was false or misleading.
Market abuse is not a criminal offence and therefore it is not punishable with imprisonment, however, the Financial Conduct Authority may impose unlimited financial penalties, publicly censure a person and/or make an order to compensate or disgorge profits to affected persons. Injunctions to prevent market abuse (and to freeze assets) may also be available.
If the abusive behaviour falls within the scope of the insider dealing provisions of the Criminal Justice Act 1993, it will be a criminal offence and will be punishable with imprisonment (see section 1.1 above).

2.Insider list obligations

The Company must draw up, and promptly update, a list of all persons who have access to inside information and who are working for them under a contract of employment or otherwise performing tasks through which they have access to inside information (insider list). Insider lists must be provided to the Financial Conduct Authority as soon as possible on request.
You have been included on the Company’s insider list as you have access to inside information about the Company. Now that you are included on an insider list, you must:
  • Inform [NAME] in advance if you propose to communicate inside information on this matter to any person for the first time. It is important that you comply with the communication requirements in section 3 below. If you are not sure whether you should make a particular communication, you should discuss the question with [NAME]. If you are proposing to make a communication outside the Company, you must not do so without the prior agreement of [NAME]. Communication outside the Company is likely to require a particular acknowledgement from the person receiving the information and this must be co-ordinated with [NAME].
  • Inform [NAME] of the date when you do communicate inside information to another person.
  • Inform [NAME] if you think there has been a leak of inside information (whether from the Company or elsewhere).
  • Inform [NAME] of any changes in your personal details (for example, name, personal address, personal telephone numbers, the office in which you are based).
If the person to whom inside information is to be communicated in either of the first two bullet points above is a director or employee of the Company, you need only give [NAME] their name. In other cases, you must give [NAME] their name, the name and address of their firm or company and their telephone number.

3.Communication requirements

You should take steps to ensure that inside information [relating to Project [NAME OF PROJECT]] you have is kept confidential by restricting access to it and only communicating it on a "need to know" basis. The number of people aware of inside information should be kept to the minimum reasonably practicable and individuals within the Company should only be made insiders in relation to certain categories of information or particular deals or other significant matters with the approval of [NAME]. Incidental access to inside information needs to be eliminated so far as possible.
External advisers or other third parties should only be made aware of inside information with the prior authority of [NAME]. Individuals should only be made insiders if they are clearly made aware of and acknowledge the need for confidentiality and the information disclosed even to an insider should be limited to what he/she needs to know at any particular time (rather than allowing access to all information that is available).
In addition, the Company requires that you comply with the following:
  • Documents containing inside information should not be read or worked on where they can be read by others and should only be taken off-site when absolutely necessary.
  • Sealed non-transparent envelopes should be used for internal circulation of hard copy documents.
  • There should be no discussions of relevant information in public areas (even within the office).
  • Wherever practical, relevant documents should be kept in locked cabinets and IT access to emails/documents should be restricted only to those to whom access should be granted.
  • Passwords and/or restricted access should be used for key documents.
  • Code names should be used where possible in all documents, correspondence (including emails) and discussions that relate to individual projects that constitute inside information.
  • Access to computers and other electronic devices used by those with access to inside information should be restricted through the use of passwords.
  • Think carefully about which persons need to see particular emails: access to inside information should be limited to only those who need to see it.

4. The Company's securities dealing code

You are subject to the Company's securities dealing code in relation to dealings in the Company's securities (Securities Dealing Code).
You must comply with the Securities Dealing Code and any breaches will be regarded as serious and may lead to disciplinary action, including, where appropriate, dismissal. The Securities Dealing Code is intended to protect those to whom it applies, as well as the Company and its management.
[A copy of the Securities Dealing Code is attached as Schedule 1 to this memorandum.] Before dealing in the Company's shares at any time, you must obtain clearance by completing and returning a "Request for clearance to deal" form. [A copy of the form is attached as Schedule 2 to this memorandum.] You must not deal in the shares until approval has been given and returned to you.
If you are in any doubt as to whether you can deal in the Company's shares, you should either not deal or you should contact [NAME] for further clarification.

Appendix 4: Acknowledgement of receipt of memorandum on inside information

Acknowledgement slip
Please complete this form and press submit. It will then be sent to [the Company Secretary].
I hereby acknowledge receipt of the memorandum dated [DATE] on inside information (Memorandum) and confirm that:
(a) I have read the Memorandum;
(b) I am aware of the legal and regulatory duties entailed in having access to inside information [(including dealing restrictions in relation to the Company's shares or other financial instruments)];
(c) I am aware of the sanctions applicable to insider dealing and unlawful disclosure of inside information;
(d) I consent to the disclosure of the insider list to the Financial Conduct Authority upon its request.
I understand that I will appear on an insider list maintained by the Company and that I should inform [NAME] of the matters referred to in [section 2 of the Memorandum] as required.
_________________________________
Name:
Position:
Department:
Date:

Appendix 5: Notification of removal from insider list

This is to inform you that with effect from [DATE] you are no longer considered an insider in accordance with the [Company's] Share Dealing Code (Code) and therefore you do not need to seek pre-clearance in accordance with the Code should you wish to deal in the Company's securities.
You are, however, reminded that it remains a criminal offence in the UK to deal in the securities of a company when you are in possession of inside information.
If you are in any doubt as to the interpretation of inside information, please contact a member of the [NAME OF RELEVANT DEPARTMENT] in the first instance.
All rights reserved to GC100. You must obtain the prior written permission of GC100 for the republication or redistribution of this content, including by framing or similar means. If you would like permission to use any content published by GC100 please contact [email protected].