Show locations Show locations
Back to overview

Insider lists: Q&A for Company Secretaries

We answer frequently asked questions around dealing with insider lists and MAR-requirements.

by Adam Kulesza 5 min

    As a provider of MAR-compliance services, we are in constant conversations with company secretaries and compliance professionals and, as such, many questions come up about insider lists. Some, I’m sure you’ll be more familiar with and others perhaps not.

    During this period where most people are working from home and it’s perhaps not a simple as just turning to a colleague if you’re not sure about something, we thought it would be useful to compile them all in one place.

    Insider lists versus confidential lists

    What are confidential lists and how are they used?

    A confidential list is effectively a ‘holding pen’. Their primary use is for projects that would not be deemed to impact on the share price if the information was made public, but where this could become the case if the situation changed. Members of the list are made aware that the information is confidential and that they should consider who they discuss the project with. Should the information become inside information, the idea is that the list is already set up for you to go through the relevant MAR process with each individual, such as making them aware that they are an insider and receiving their date and time stamped confirmation. You may find my blog on the same subject helpful: All you need to know about confidential lists

    Can you use confidential lists instead of insider lists?

    No, confidential lists are not part of MAR and do not constitute an insider list in any way.

    Is it possible to never have insider lists, only confidential?

    This depends on the company. If you are not an acquisitive company whose results are consistently in line with expectations then it’s possible, however, some issuers treat any information around results as inside information. There is also the question of disclosure. If the issuer is able to disclose all information immediately then they won’t have any inside information. In practice for situations such as M&A transactions, this is unlikely to be possible due to ongoing negotiations

    Permanent insiders

    Why can’t all my insiders be permanent insiders?

    They can, but as article 19 of the Market Abuse Regulation states, only if they have access to ALL inside information, ALL of the time. Have a think about whether this is true for everyone on your permanent list. While some issuers have decided to have no permanent insiders based on this definition, others have gone for perhaps a more pragmatic approach whereby they designate a few core individuals to be permanent insiders. You may find my blog on the subject helpful: What are permanent insiders and do they really exist?

    The FCA also published some updated guidance last year in their Market Watch newsletter 58 (bottom of page 5).

    All insiders have daily access to daily trading/sales information, should they all be permanent insiders?

    This situation has been raised a couple of times and the confusion is around the fact that ALL insiders have permanent access to ONE piece of inside information, not ALL inside information. Therefore, a ‘permanent’ project is most likely the best solution, where project insiders can be added/removed as and when required but they are not classed as permanent insiders as they do not have access to all inside information at all times. You may find my blog on the subject helpful: What are permanent insiders and do they really exist? 

    Manual insider list management

    What’s wrong with managing my lists in Excel?

    In theory nothing, but if you want peace of mind that you are always MAR compliant, you may want to invest in software to help you manage your lists. If you have minimal activity and a small number of insiders, then, logistically, it’s probably feasible to manage your lists manually. However, if you have a larger number of insiders and more than a couple of projects a year – managing project lists, seeking confirmations from insiders and following up with those who have not – it becomes cumbersome and you risk becoming non-compliant with MAR. Some administrators have become increasingly reliant on capturing larger numbers of insiders on the permanent list to reduce the number of projects to manage – this is not appropriate use of permanent lists (see the FCA’s Market Watch newsletter 58 (bottom of page 5)).

    MAR also states that you must create a new version of your list after every change – version control can become tricky when using Excel. Ask yourself if you’ve ever clicked ‘save’ instead of ‘save as’. If you have then you’re currently non-compliant. You may find our blog helpful: Why insider lists in Excel put your company at risk

    Can I save every new entry in the same spreadsheet with its own time and date stamp?

    In theory yes, this could work, but ask yourself if it’s really a robust way to ensure compliance and what would you do if you had a request from the regulator for a list as of a certain date? MAR states that insider lists should at all times ensure, “the access to and the retrieval of previous versions of the insider list”. Is this possible when saving new entries in the same version? Before sending the list to the regulator you’d have to re-format it, creating extra work.

    External insiders

    Do I need to manage my advisors’ insider lists?

    Article 18, paragraph 1 (a) of MAR states that,
    “1. Issuers or any person acting on their behalf or on their account, shall:
    (a) draw up a list of all persons who have access to inside information and who are working for them under a contract of employment, or otherwise performing tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies (insider list);”

    The responsibility of maintaining an insider list lies with, “the issuer or any person acting on their behalf or on their account”. It is generally recognised that best practice is to record one individual from a 3rd party on your own list and the 3rd party should be keeping their own list for projects they’re involved in. It is advisable that you ask for periodic confirmation that the 3rd party is keeping an up-to-date insider list in relation to your projects.

    What information do I need to include on our insider list for external insiders (e.g. advisors)? And what can I do if they refuse to provide the information?

    This is a question I get asked quite a lot, and different organisations approach it in different ways. In the case of external advisers who understand the requirements of MAR, it is generally considered best/good/acceptable practice to only include a key contact person from that firm on the company’s own insider list and delegate responsibility to the firm to maintain its own insider list in compliance with MAR and agree to provide it to the company or directly to the regulator upon request. You should periodically get confirmation that they are keeping their own lists.

    In terms of how much personal information is collected, I think it comes down to a judgement call between MAR and GDPR. The key question is why you’re including that person on the insider list. If that person is only included as the key contact person for an adviser which is maintaining its own separate list of insiders, I think you could argue that the only personal data you need to hold is data that helps identify them at their place of work – name, company name, work address, work email and work telephone number. Their company’s insider list will include their full personal details.
    If an external insider refuses to provide the MAR-required information, then they will need to respond to the regulator directly for any requests for insider lists.

    You can see ESMA’s guidance on this point in their Consultation paper published in October 2019, paragraphs 187-189.

    Insider lists & GDPR

    Article 28 of MAR states that, “Issuers…shall retain the insider list for a period of at least five years after it is drawn up or updated. “However, it also states, “Personal data shall be retained for a maximum period of five years.” What should I to do?

    Article 28 is intended to deal only with ESMA and competent authorities, rather than issuers. This is reinforced in ESMA’s Final Report of Feb 2015 around protection of personal data – para 160 (page 106) states:

    “Furthermore, with respect to the data retention period, it should be noted that the Article 28 of MAR on data protection states that “personal data shall be retained for a maximum period of five years”. This 5-year period is also in line with the duration of the other record keeping requirements established under the MAR: in Articles 11(8) on market soundings and 18(5) on insider lists. Therefore ESMA considers that personal data relating to a report made under Article 32 should be kept by the competent authority in accordance with Article 28 of MAR and for the period necessary for the performance of its tasks.”

    MAR-required data

    What should insiders enter for National Identification Number in the UK?

    This used to be a bit of a grey area that caused some confusion, however, the FCA have addressed this point in their latest Market Watch newsletter (71) where they state that, “Firms are reminded that the first priority national identifier for UK nationals is the national insurance number.”

    What if insiders don’t have all the MAR-required data – i.e. National Identification Number, professional mobile number, birth surname – can they leave it blank?

    This is another topic for debate. As mentioned above, MAR states that personal information should be recorded, “if applicable”. This appears to leave the door open for some information to be left out as it is deemed not applicable. For example, in the UK, most men won’t have a different birth surname and some people won’t have both a personal and professional mobile number. Whether you leave these fields blank or duplicate the information from your surname and personal mobile fields respectively, is a decision for the issuer.

    Closed periods

    Does the announcement of the interim or year-end financial results determine the timing of the closed period referred to in Article 19(11) of Regulation (EU) No 596/2014 (MAR)?

    Yes, the close period is typically regarded as the one-month period preceding the release of a company’s quarterly results, and the two-month period before the release of its annual results. Refer to your company’s terms on this matter as some companies voluntarily extend the closed period.

    At what point does financial information relating to results become inside information or not? I.e. is it from the start of the accounting process or not until the end, when they know the whole picture?

    As the FCA states there is not always a right or wrong answer here. It is a ‘state of mind’ and issuers need to be able to demonstrate their decision-making processes. As you’ll be aware, the definition of inside information is:

    information of a precise nature, that:

    • has not been made public;
    • relates, directly or indirectly, to one or more issuers or to one or more financial instruments; and
    • if it were made public, would be likely to have a significant effect on the prices of those financial instruments or on the price of related derivative financial instruments (that is, it is information that a reasonable investor would be likely to use as part of the basis of their investment decisions).


    Therefore, the point at which the information becomes inside is the moment it meets the above criteria. In the case of full year results, for example, as soon as it becomes clear that they are not in line with expectations, it would become inside information. It’s therefore important that companies have governance structures in place to be able manage this decision-making process. For example, some companies have a disclosure committee.

    Insider lists & MAR: General questions

    If I request confirmation from insiders and they don’t provide it, who is responsible?

    MAR states that, “Issuers or any person acting on their behalf or on their account, shall take all reasonable steps to ensure that any person on the insider list acknowledges in writing the legal and regulatory duties entailed”. If, therefore, you have a strong audit trial that shows your communication with insiders and you can show that you’ve requested the information on a number of occasions, then the regulator would most likely take it up with the insider, assuming they are satisfied that the issuer has taken all reasonable steps.

    What if the information goes public and I forgot to create a project?

    This would put you in breach of MAR and at risk of sanctions by the regulator. If you find yourself in this situation, it would be advisable to create a project straight away, informing all insiders as you normally would. It would also be prudent to inform the regulator of the situation so they are aware and you can both act accordingly.

    Do investment firms need to keep insider lists?

    If they are invested in listed entities then yes. A primary example would be in a market sounding (article 11 of the Market Abuse Regulation) where someone has crossed the wall and now has access to inside information relating to an investee company.

    I hope you found this useful. If you have any other questions that have not been answered here, please send them to me at and we’ll add them to the blog.

    The complete guide to policy management

    How to effectively create, implement and communicate compliance policies and measure the success of your policy program – for everyone who is responsible for Compliance policies in their organization

    Download now
    Adam Kulesza
    Adam Kulesza

    Business Development Manager – EQS Group | Adam is working as Business Development Manager in our London office.