Market Abuse Regulation (MAR) Compliance Guide for AIFMs and ManCos

Introduction

What is MAR and who needs to comply

The Market Abuse Regulation (MAR) is a set of EU and UK rules designed to preserve market integrity by preventing insider dealing, unlawful disclosure of inside information, and market manipulation. In practice, MAR requires companies and their insiders to handle non-public information with extreme care, ensuring that no one gains an unfair trading advantage.

Why it matters for AIFMs and ManCos

Alternative Investment Fund Managers (AIFMs) and Management Companies (ManCos) may not think of themselves as typical “issuers,” but MAR does apply to them in certain situations.

If you manage a listed fund (e.g. a closed-end fund or investment trust whose shares or units trade on an exchange), are preparing a fund for a listing, or advise listed entities, you fall under MAR’s scope. In these roles, the fund or entity is considered an issuer and the AIFM/ManCo is effectively acting on its behalf as an adviser, with MAR obligations to match.

For example, Article 18 of MAR explicitly requires issuers and any person acting on their behalf or account to maintain insider lists. That means a fund manager handling inside information for a listed fund must comply just as the fund itself would. Similarly, if you as an advisor receive inside information from a listed client, you are expected to recognize and safeguard it, not just rely on the client’s own compliance.

In short, both EU MAR (No. 596/2014) and UK MAR (the post-Brexit twin) impose duties on AIFMs/ManCos whenever they interface with publicly traded instruments or information that could affect them.

Why does MAR exist?

MAR’s purpose is to promote fair and transparent markets. It does this by obliging timely public disclosure of important information, keeping logs of who has access to sensitive information, and prohibiting insiders from misusing that information.

For AIFMs and ManCos, embracing MAR is about protecting investors (no one should trade on secrets at the expense of others) and protecting your firm’s reputation (regulators aggressively enforce MAR to deter misconduct. Simply put, MAR compliance is both a legal requirement and good business practice – it builds trust that the fund’s market price reflects equal access to information.

What counts as inside information in a fund?

Inside information is the cornerstone of MAR. It is formally defined as information that is precise, non-public, and price-sensitive – in other words, if made public it would likely have a significant effect on the price of an issuer’s securities or related derivatives.

For funds, especially listed funds or those approaching a listing, inside information can arise in various ways. It’s not just company earnings and M&A deals; in a fund context, consider the following examples (all could move the market for a fund’s shares when revealed):

Key insight

If you (as the manager) know something about the fund that would influence an investor’s decision to buy or sell, and it hasn’t been made public, you’re likely dealing with inside information. This could be routine (e.g. periodic NAV calculations) or one-off and event-driven. In all cases, MAR requires careful handling, as discussed next.

Key MAR obligations for fund managers

Managing inside information properly involves a few core obligations under MAR.

For AIFMs and ManCos, the most relevant duties are: maintaining insider lists, making prompt disclosures (or properly delaying disclosure), and enforcing strict confidentiality controls. We break these down:

Insider Lists (MAR Article 18)

Whenever a piece of inside information is identified, the issuer (or person acting on its behalf, like a ManCo) must create an insider list – a record of all individuals (employees, directors, advisers, etc.) who have access to that information. This list is a regulatory tool: it helps authorities later investigate who knew what, when. Key requirements of insider lists:

Project-specific lists

• You need to draw up a new insider list for each separate piece of inside information.
• For example, if you have inside info about Q4 performance and also a planned CEO change, those are two distinct events – each should have its own insider list (often labeled by code names or project names).
• It’s not sufficient to have one static list of “all insiders” without distinguishing the specific information or event. (Many firms miss this, relying only on a static list – more on that under Pitfalls.)

Permanent insider list

• MAR does allow a “permanent insiders” section for people who always have access to all inside information (e.g. perhaps the CEO or lead portfolio manager who is always in the loop).
• However, regulators expect this permanent list to be very limited. Most individuals should appear on project-based lists only when specific inside info arises. In practice, many AIFMs/ManCos might not even need a permanent list unless certain staff (like a CIO) truly see everything early.

Detailed information fields

• Insider lists must include personal details for each insider: full name, birth surname (if different), company and role, obtained date/time (when they got access to the info), contact details (work/mobile phone, full home address), national identification number, and the reason why they’re on the list.
• These details are mandated in an official template (EU Implementing Regulation 2016/347). The UK has equivalent requirements under its MAR, omitting data like phone numbers or national IDs is a breach.
• Indeed, the FCA has warned that some firms’ insider lists lacked required personal data, hindering investigations, in Market Watch 71.

Timely updates

• The list should be updated promptly whenever someone new gets access or someone’s access ends. Promptly usually means on the same date the change occurs.
• For instance, if you inform a new analyst of the inside info, you must add them to the list that day, noting the timestamp. Likewise, if an insider leaves or no longer has access, record the date/time their access ended. Every update should be captured.

Maintain for 5 years

• Completed insider lists (and all their versions) must be kept for at least five years. Regulators may ask for them long after the fact, especially if an investigation arises down the line.

Insider acknowledgement

• Critically, you must inform each insider of their legal duties and obtain their acknowledgment. MAR (Article 18(2)) says you should take all reasonable steps to ensure anyone on the list acknowledges in writing their obligations and the sanctions for misuse.
• In practice, this means whenever you add someone to an insider list, you should send them a notice (often by email or through an automated system) telling them: “You now have access to inside information [about X]. You must not disclose it or trade on it. By return/email click you confirm your understanding.” Keeping these acknowledgments (or at least documenting that notice was given) is part of compliance.

Availability to regulators

• The list isn’t public, but you must be able to furnish it to the regulator on request at any time.
• Typically, if an FCA or ESMA investigation occurs, they will ask the issuer (or its ManCo) for insider lists for the relevant periods.

The list needs to be readily available in the prescribed format (usually an Excel or CSV in the set template). Delays or messy lists can draw scrutiny.

Key insight

For each inside information event, keep a tight list of exactly who knows, with all required info recorded. This discipline not only fulfills MAR but also forces your organization to control information flow (you can’t list someone as an insider if they don’t actually need to know – so it makes you think twice about who to loop in).

Disclosure of inside information (MAR Article 17)

MAR requires that inside information must be disclosed to the public as soon as possible (via a regulatory news service or equivalent announcement).

In other words, a listed fund can’t sit on price-sensitive news; it needs to release it promptly to ensure all investors are informed. There is a critical caveat: issuers are permitted to delay disclosure under certain conditions, as long as they keep the information confidential in the meantime and follow specific procedures.

For AIFMs/ManCos, this means: the moment you determine something is inside information (say, a big NAV drop), you have a decision to make – announce it promptly, or, if you have a legitimate reason, delay announcement. Common legitimate reasons to delay might include negotiating a deal or needing time to stabilize a situation (for example, a fund facing a one-off valuation issue might delay disclosure for a short period to avoid premature panic, if conditions are met).

If you delay disclosure, you must:

• Document the decision and the rationale (e.g. “disclosure now would prejudice our legitimate interest in completing a pending asset sale, and we can keep it confidential in the interim”).
• Ensure strict confidentiality during the delay. This usually means activating procedures like code names, limited access, and of course an insider list for that information. If a leak occurs such that the information gets out (rumors, unusual market movements), you lose the ability to delay – you’d have to disclose immediately in that case.
• Notify regulators as required: Under EU MAR, the regulator (e.g. the national authority or ESMA-coordinated process) must be informed at the time of finally disclosing the information that it had been delayed, with an explanation. Under UK MAR, firms must also be ready to explain a delay and in practice the FCA expects a record of the decision; the FCA can request the explanation (the UK slightly tweaked the procedure post-Brexit). In any event, you should treat it as mandatory to keep evidence of why and how you delayed.

Article 17 also specifically mentions that if a delay is employed, an insider list must be maintained during that period (since the info is inside info until released). So, these obligations tie together – you can delay news, but you then have to tightly control it, list who knows, etc. Many ManCos will coordinate disclosures with the listed fund’s board or the stock exchange, but ultimately ensuring compliance falls to both the issuer and its manager.

Finally, after disclosure, any insiders who were aware should be notified that the information is now public (so they’re free from insider restrictions on that info going forward). This isn’t explicitly in MAR’s text, but it’s a good practice so insiders know when the constraint is lifted.

Maintaining confidentiality and preventing abuse

Even before any inside information is disclosed (or if it’s never disclosed because it never fully materializes), MAR Article 17(1) implicitly requires issuers to keep it confidential. This means having internal controls so that only people who need the information get it. Here are some controls and practices AIFMs/ManCos should implement:

• Need-to-know access: Only share inside information with individuals (or service providers) who genuinely require it for their job. By minimizing the circle of insiders, you reduce the risk of leaks or inadvertent misuse. The FCA has emphasized cutting down unnecessary insiders.
• Physical and IT security: Ensure that documents or files containing inside info are secure. This might involve password-protection on files, using secure data rooms for deal documents, encrypting emails that carry sensitive info, and marking documents as “CONFIDENTIAL – PRICE-SENSITIVE” so employees know to handle them carefully.
• Wall-crossing procedures: If the fund manager needs to share inside information with an external party (e.g. a potential investor or a due diligence advisor), use formal “wall-crossing” procedures. This involves obtaining the outsider’s agreement to keep the information confidential (often via a non-disclosure agreement or an insider acknowledgement letter) before sharing, and then adding them to the insider list. Market soundings (gauging interest in a transaction) have their own MAR provisions, but generally you must control how you do this to not inadvertently leak info.
• Training and awareness: Employees at AIFMs/ManCos should be trained to recognize inside information and understand their duties. They should know, for instance, that they can’t trade fund shares or related securities while in possession of inside info, nor tip off anyone else. Regular training helps create a culture where staff immediately escalate potential inside info to compliance.
• Surveillance and monitoring: Although primarily an issuer obligation, it’s wise for ManCos to monitor trading in their fund’s securities. Unusual price movements or volumes could indicate a leak.

By implementing these controls, AIFMs/ManCos can greatly reduce the risk of insider dealing or information leaks. Remember, prevention is far better than cure – once a breach happens, the damage (legal, financial, reputational) is done. MAR compliance is all about discipline in how information is handled day-to-day.

Common compliance pitfalls and lessons from enforcement

Even years after MAR’s implementation, regulators find that firms (including fund managers) struggle with certain aspects of compliance. Here are some common pitfalls that AIFMs and ManCos should beware of, illustrated with (anonymised) examples from enforcement cases and regulatory findings in both the EU and UK:

• Using static or outdated insider lists (often in Excel): A very prevalent issue is treating insider lists as a one-time formality – e.g. maintaining a single Excel spreadsheet of “insiders” that isn’t event-specific or regularly updated.
• Failure to identify “project-based” inside information: Some managers miss the fact that certain events or projects have turned into inside information. Perhaps they assume if the fund itself isn’t listed yet, MAR doesn’t apply, or they wait for the client company to tell them an event is inside info. In reality, advisors and managers must proactively identify inside info they receive.
• Over-inclusion of insiders and poor access control: It might seem safer to copy half the firm onto every insider list “just in case,” but regulators consider this a failure of controls.
• Incomplete or non-compliant list entries: Another common failure is when insider lists lack required details or are not kept updated.
• Lack of insider awareness and acknowledgment: A subtle but important pitfall is not communicating with the insiders themselves. MAR expects that people on the list know they’re on it and acknowledge their duties.
• Mixing up “confidential” lists with MAR insider lists: Some fund managers maintain internal “confidential information” lists (for example, for Chinese wall purposes or general compliance) and mistakenly think those suffice for MAR. However, a generic confidential list is not the same as a MAR insider list.

The clear takeaway is that robust insider list management is non-negotiable. And trying to manage this via ad-hoc, manual methods (especially spreadsheets) often underpins these failures. In the next section, we address why that is and how to fix it.

Why excel spreadsheets fall short for MAR compliance

It’s very common to use Excel or other simple tools for maintaining insider lists, especially in smaller firms or those with fewer inside information events. While an Excel spreadsheet can serve as a basic log, it has serious limitations when it comes to strict MAR compliance. Regulators and compliance experts have flagged several issues with relying on Excel:

• No automatic audit trail: Excel doesn’t track who changed what, or when. If someone updates an insider list spreadsheet (adds a name, changes a time), there’s no built-in log of that change. You could turn on “Track Changes” in Excel, but that’s clunky and easy to circumvent. MAR requires confidence that the list is accurate and un-tampered; Excel provides little of that.
• Version control headaches: MAR mandates that any change to an insider list should result in a new version being saved, and previous versions retained. In an Excel world, this means manually saving new files (v1, v2, v3…) every time – which is error-prone. If someone simply edits the Excel and hits save (overwriting the old data), you’ve lost the historical version, making the list non-compliant.
• Multi-user and access control issues: Insider list management often involves multiple people (e.g., a compliance officer, an assistant, business team leads contributing info). Excel is not multi-user friendly – if two people open it at the same time, you get conflicts; there’s no single source of truth unless it’s on a shared drive, which introduces access risk.
• Data integrity and consistency: Excel relies on manual data entry. It’s easy to make typos or put info in the wrong format. If everyone maintains their own version of contact details, you’ll have inconsistent data (one list has “Jim” on 01/02/2025, another says “James” on 02/01/2025 – is that two people or one with a mistake?). There is also the risk of formulas or sorting errors scrambing data. In the context of MAR, a fragile record is dangerous.
• Limited notification and acknowledgment tracking: Excel can’t send emails or reminders. So if you use Excel, you need separate processes to inform insiders and capture their acknowledgments (e.g. sending individual emails and noting in the Excel “ack received on X date”). That’s a lot of manual work, and things fall through the cracks.
• Retention and archiving problems: With MAR’s five-year retention rule, you need to safely store old insider list data. Spreadsheets saved on an employee’s hard drive or email inbox are at risk – what if that employee leaves or their laptop is replaced? Firms have lost historical insider lists because the file was saved locally and not backed up. Excel files can also become corrupted over time. Ensuring secure, long-term storage of every version requires extra IT effort if using manual files.

Because of these issues, relying on Excel can put your company at risk of non-compliance. In fact, companies have been warned they risk fines.

Building a compliant insider list process (step-by-step)

Given the challenges above, it’s essential to establish a clear, step-by-step process for insider list management in your organization. Below is a guide that AIFMs/ManCos can implement to ensure MAR compliance, from the moment inside information is identified to the closure of a project and beyond:

Step 1: Recognize Inside Information Promptly – Train your investment teams, finance personnel, and executives to flag potential inside information events as soon as they arise. When something noteworthy happens (refer to the examples like NAV swings, major deals, etc.), err on the side of caution: assume it might be inside information and inform the compliance officer or legal team immediately. It’s better to evaluate and conclude it’s not inside, than to miss it altogether.

Step 2: Initial Assessment and Documentation – The compliance team (or a designated MAR officer) should quickly assess the situation with relevant managers. If it meets the inside information criteria, document that determination (e.g. in an email or a log: “On 30 Apr 2025 at 10:00, determined that X is inside information, not yet public”). Also decide if you will disclose it immediately or delay (with justification). This decision (to disclose now or later) should be recorded. If delaying, you must also record that the conditions for delay are met (and keep reviewing those conditions).

Step 3: Create a Project-Specific Insider List – As soon as you’ve identified inside information, open a new insider list for this event. Give it a clear code name/reference (e.g. “Project Falcon – NAV drop Q1” or “Fund X – New Investor”). Start by listing the people who already know (likely the core team who discovered/decided this info). Use the MAR template fields: add each person’s details (you may have these on file; if not, gather them).

Step 4: Add New Insiders as Needed (Real-Time) – As the project or event progresses, you’ll likely need to bring in other insiders (e.g., external lawyers, a valuation expert, maybe additional team members). Before sharing the info with them, make sure to wall-cross them: inform them that they will receive inside information and obtain their agreement to keep it confidential. Once they agree, add them to the insider list with the timestamp of when they gain access. This step is critical, do it in real-time, not after the fact. Every time someone new is told, update the list immediately (and if using Excel, save a new version each time to preserve previous records).

Step 5: Secure the Information – Parallel to maintaining the list, ensure that all insiders are handling the info appropriately. Use encrypted channels or secure portals for documents. Mark communications as confidential. If using Excel for the list, at least password protect it and restrict its distribution.

Step 6: Insider Notification and Acknowledgment – Whenever you add someone to the list (especially outsiders), send them an insider notification. This usually is a standardized email or system-generated alert that says: “You have been added to the insider list for [Project X] as you now possess inside information. This means you are legally prohibited from using this information for trading or tipping. By acknowledging, you confirm understanding of your duties under MAR and the penalties for violation.” MAR requires taking all reasonable steps to get written acknowledgment. In practice, have them reply “Confirmed” or use an e-signature via a compliance system. Track these responses. If someone hasn’t acknowledged, follow up. You want a complete set of acknowledgments for your records. This protects both you and the insider (they can’t later claim ignorance).

Step 7: Ongoing Monitoring and Decision Review – If you are delaying disclosure, continuously monitor for any signs that confidentiality might be breaking (e.g. rumors in the market or a price movement in related securities). Also re-evaluate whether your reason to delay still holds.

Step 8: Disclosure or Closure – Eventually, one of two things happens: either the information is disclosed to the public (e.g. you announce the event/NAV, etc.), or it ceases to be inside information (maybe the event didn’t occur as expected and no longer is price-sensitive). When that happens, do the following:

• If disclosed, ensure the announcement is made via the proper channels (stock exchange release, etc.) and at that moment the information is considered public. If you delayed, notify the regulator per requirements about the delay (for EU, typically a form to the authority explaining the delay rationale, sent immediately after announcing). Document the date/time of disclosure on the insider list file as the time the inside status ended for everyone.
• If the information ceased to be inside without a disclosure (not common, but e.g. a potential deal falls through quietly and never became known externally, yet it was inside info during the process), you should still record that outcome (e.g. “Project X aborted on Y date, inside information status ended”) in your records. In such cases, you might not announce anything, but you keep the list archived in case regulators question later.

After disclosure, you might want to send a note to insiders: “Information is now public, normal trading may resume” (many will appreciate this clarity). And importantly, lock the insider list at that point, no more changes.

Step 9: Archive the List and Evidence – Once a project is done, formally archive the insider list. If using Excel, save a final version with a clear name and date. Store it in a secure repository accessible to compliance. Maintain all versions and the acknowledgment communications. Remember, you need to keep this for 5 years minimum. If using a platform, it will auto-archive the list for you. Make sure any hard copies (if printed) are also stored or destroyed securely.

Step 10: Post-Mortem and Permanent List Update – Finally, consider if any lessons or patterns emerge from the event. Was inside info identified promptly? Did anyone have access who shouldn’t have? Use that to improve future process. Also, if someone on your permanent insider list truly didn’t need to know this time, reconsider if they should remain a permanent insider at all. The goal is to continually refine so that only the right people have access each time and everyone knows their role.

Following these steps creates a robust chain of control from start to finish. It’s a lot of detail, but regulatory expectations are high. Many firms find that using purpose-built software or tools can automate much of this workflow, which brings us to how technology can greatly assist in MAR compliance.

Leveraging technology: how the InsiderList platform helps

Manually juggling insider lists, notifications, and version control can be cumbersome. This is where dedicated compliance technology – such as the InsiderList platform – becomes invaluable. InsiderList is an example of a software solution tailored for MAR compliance, particularly useful for fund service providers who deal with multiple entities and projects. Here’s how such a platform addresses the needs we’ve discussed:

• Workflow Automation: InsiderList automates the entire insider list process from creation to closure. With compliance wizards, you can set up a new insider list in seconds, following a guided template that ensures all MAR-required fields are included. This means no insider is added without the necessary data points. The platform essentially holds your hand to make sure nothing is missed.
• Smart Data Capture and Central Database: When adding insiders, the platform uses a smart contact database to auto-fill information. For example, if an individual was on a previous list, their details (address, DOB, etc.) are pre-populated. This avoids repetitive data entry and reduces errors. It also standardizes entries (e.g., consistent format for phone numbers and names), which is important for regulator-ready lists.
• Real-time Updates and Alerts: Every time you update a list, the system keeps a log and can send real-time alerts. For instance, if a new person is added, the platform might trigger an instant email to that person with the insider notification. It can also alert compliance if, say, an insider hasn’t acknowledged their duties within a set time.
• Guided Delayed Disclosure Management: InsiderList includes a module specifically for delayed disclosure scenarios. Through a guided wizard, it helps you document your reason for delay, the decision-making, and tracks the ongoing requirements. It essentially provides a checklist so that if you’re delaying disclosure, you won’t forget to do something like updating the regulator later or revisiting the decision.
• Audit Trails and Version Control: Perhaps one of the biggest advantages is the detailed audit log the system maintains. Every addition, removal, or edit on the insider list is recorded with a timestamp and user ID. You can always retrieve past versions; the platform will never overwrite without keeping an archive.
• Insider Access Management and Acknowledgments: The platform provides secure user portals for insiders. When you add someone, they receive a link to their portal where they can see their status and electronically acknowledge their obligations. Digital signature integration means their acknowledgment is captured and time-stamped (Explore our Leading MAR Compliance Software| Platform | InsiderList), forming part of the audit record.
• Role-Based Security and Confidentiality: You can set roles so that, for example, only Compliance and certain senior managers can see the full insider lists, whereas others might only update their own information. This addresses confidentiality by design – not everyone with platform access can see all projects.
• Reporting and Analytics: The platform can generate regulator-ready reports of your insider lists (in the exact format regulators want) at the click of a button. It also provides analytics – for example, how many projects in the last quarter had inside info, average number of insiders, etc.
• Delayed Disclosure Log: In addition to guiding the process, the system keeps a log of all delayed disclosure instances, with the rationale and outcomes. If regulators ever ask for your record of delays (which they can), you have it neatly stored. This is especially useful for cross-jurisdictional compliance (UK vs EU differences) – the system can be configured to handle notifications appropriately depending on which regulator (FCA or an EU NCA) is relevant.
• Multi-Jurisdiction and Language Support: If you manage funds across the UK and EU, the platform can cater to both regimes (accounting for slight differences in rules). InsiderList supports over 25 languages (Explore our Leading MAR Compliance Software| Platform | InsiderList), meaning your international staff or board members can interact with their notices in their preferred language – improving understanding and compliance.

Overall, a platform like InsiderList mitigates the risks of human error and oversight that come with Excel-based or ad-hoc processes. It enforces best practices by default. As one client put it, it “significantly lowered the risk of human error” and made compliance “effortlessly efficient”.

For AIFMs and ManCos, which often operate with lean teams, having this kind of automation is a game-changer. It lets you focus on managing the fund, while the system handles the heavy lifting of record-keeping and reminders. Moreover, in the eyes of regulators, using a robust system demonstrates a proactive compliance culture. It’s easier to defend your actions if you can show an audit trail and timely entries, which such a platform provides out of the box.

Conclusion

MAR compliance may seem daunting, but with a clear understanding of the rules and a structured approach, it becomes manageable. For fund managers and ManCos, the key is recognizing that inside information is not just a concern for corporates – it’s equally critical in funds. By clarifying what inside information looks like in a fund context, adhering strictly to insider list and disclosure obligations, learning from common mistakes, and leveraging technology to enforce best practices, you can confidently navigate the requirements of both UK and EU MAR.

Staying compliant is not just about avoiding fines (though that is important – fines and sanctions can be severe). It’s about demonstrating integrity to investors and the market. With the right processes in place, AIFMs and ManCos can meet their MAR obligations and even turn compliance into a competitive advantage – showcasing to clients and stakeholders that their governance standards are first-class.

By using tools like InsiderList to automate compliance and following the roadmap for continuous improvement, fund managers will not only comply with MAR but also help uphold the fairness and transparency that underpin healthy financial markets. Compliance, in this case, is truly good business.