Introduction
In December 2025, the FCA published a Final Notice fining Russel Gerrity £309,843 for insider dealing under UK MAR, linked to trading in Chariot Oil & Gas and Eco (Atlantic) Oil & Gas between 2018 and 2022. The enforcement action is a reminder of why inside information controls matter, especially when contractors and offshore teams are involved.
What makes this case interesting is that we can see the machinery of an insider list operating in real time. Inside information is identified. A disclosure committee takes a formal decision. A confidential list is converted into an insider list. An email goes out telling an individual they have been added and pointing them to the share dealing policy. And yet the misconduct still occurred.
So what should issuers and advisers take from this, specifically about the insider list process and how it is used?
The case in brief
The FCA found that Gerrity, an experienced petrophysical consultant working offshore, traded while in possession of inside information about drilling results. He dealt in Chariot shares on two occasions and Eco shares on two occasions.
The FCA press release adds two practical signals compliance teams will recognise:
- The FCA was initially alerted by STORs (Suspicious Transaction and Order Reports) submitted by a firm.
- The FCA then identified further suspicious trading across multiple accounts and brokers, including while Gerrity was outside the UK.
This matters because it reinforces that market abuse detection often starts outside the issuer. Issuers’ controls, including insider list records, become critical when regulators start asking who knew what, and when.
The insider list moment: from confidential list to insider list
A key section of the Final Notice describes events around the Jethro-1 well in August 2019. After preliminary positive results, an email went to Tullow’s Disclosure Committee attaching a draft decision record. The committee determined the information constituted inside information from a specific time and instructed the team to convert the current confidential list relating to Jethro-1 into an insider list.
Shortly after, Gerrity received an email titled “Jethro-1 well is now an Insider List”, informing him he had been added because he had, or was likely to have, access to privileged, price-sensitive information, and directing him to read the share dealing policy or speak to the company secretarial team.
This is what an insider list process should look like operationally:
- An identified trigger point for inside information
- A formal governance decision
- A controlled transition from confidential handling to MAR insider list handling
- Individual notification tied to dealing rules and escalation routes
It also highlights an often overlooked reality. Many firms run a pre-inside-information confidential list, or similar, and only “upgrade” it when a defined threshold is met. The upgrade point and audit trail become crucial under scrutiny.
What this shows about insider list controls and the gaps it exposes
1) Notification is not the same as acknowledgement
In the Jethro-1 episode, the insider list email clearly notified Gerrity of his status and pointed him to the relevant policy. But notification alone does not prove the person understood and accepted their duties. Insider list guidance commonly stresses obtaining written acknowledgements and maintaining evidence of delivery and response as part of “reasonable steps” (we look at what constitutes 'reasonable' in a separate article). If your process is “we sent the email”, you may be missing the defensible record regulators expect.
Practical upgrade: use a trackable acknowledgement workflow, such as a portal link, e-signature, or logged reply, and build escalation when acknowledgements are not returned.
2) Contractors and offshore teams are high-risk insiders
This case centres on a third-party consultant working offshore, receiving information as results were being obtained or shortly after. These are exactly the scenarios where insider populations are fluid, time-critical, and operationally distant from HQ controls.
Practical upgrade: treat contractors as a first-class insider list population, with tighter onboarding to the list, contractual hooks for personal data collection, and stricter acknowledgement timelines.
3) The confidential list to insider list transition must be auditable
The disclosure committee decision to convert the confidential list into an insider list is explicit in the Final Notice. That is helpful for the issuer, because it shows governance and timing. But many firms struggle to preserve historic versions and change logs, especially where spreadsheets are involved. Insider list audit trail expectations include being able to evidence who was added or removed, when, by whom, and to preserve list versions.
Practical upgrade: maintain an electronic insider list with preserved versions and an audit trail that captures list changes and access events.
4) Insider lists do not stop dealing, so controls need teeth
The uncomfortable truth is that insider lists are primarily record keeping and notification controls. They do not physically prevent someone trading in their own brokerage account. That is why a broader control stack matters:
- Targeted reminders at the moment of becoming an insider, not just “please read the policy”
- Monitoring and escalation for non-responsive insiders
- Stronger controls around who gets live results and how widely they are distributed
- Cultural reinforcement that offshore intel is market-sensitive
The FCA’s narrative also shows how detection may occur externally, through STORs and FCA surveillance, not via the issuer. Issuers should assume regulators can connect the dots, and that insider lists will be used to test who plausibly had access.
Recommended actions for insider list managers
If you want to pressure test your current process against the Gerrity fact pattern, these are the checks that matter most:
- Can you evidence the exact inside information start time and the decision to activate the insider list?
- Do you capture a written acknowledgement from every insider, especially contractors, and chase non-responders?
- Do you preserve insider list versions and a complete audit trail of changes?
- Is your confidential list process linked to your insider list process with a clear, logged conversion step?
- Can you respond quickly to regulator questions with complete, exportable records, rather than stitched-together spreadsheets?
Final takeaway
The Gerrity Final Notice is a strong example of an issuer-side insider list process being triggered and executed, and still not being enough on its own. The FCA Final Notice is directed at the individual for insider dealing. It does not allege wrongdoing by the issuer, nor does it suggest their disclosure committee process or insider list operation was itself non-compliant. The list did what it was supposed to do. It marked the point at which information became price-sensitive, documented who was brought inside the wall, and communicated dealing obligations. What would have happened if the issuer had no inside information controls in place?
The case underlines what compliance teams already know. Insider lists are only effective when they are backed by acknowledgements, audit trails, contractor governance, and escalation mechanisms that make the obligation real, even when the insider is offshore, external, and trading through multiple brokers.



