Insider Trading Surveillance
Executive Summary
SEC fines for insider trading averaged $4.7 billion per year over the past decade. Varpulis monitors trading activity across all symbols simultaneously, detecting suspicious order accumulation before material news breaks -- at 100x the speed of traditional surveillance systems using Hamlet trend aggregation.
The Business Problem
Insider trading is difficult to detect because sophisticated insiders do not place a single large order. They split their trades into many small orders over hours or days, each individually unremarkable. By the time regulators reconstruct the pattern from trade records, months have passed.
Compliance teams face two challenges:
- Volume: A large trading desk generates millions of orders per day across thousands of symbols
- Subtlety: Each individual trade is small enough to pass threshold-based alerts
Traditional surveillance checks each trade against fixed limits: "flag orders over $1 million." A sophisticated insider splits their order into 8 pieces of $125,000 each -- every single one passes the check.
How It Works
Varpulis watches for two key patterns across all symbols simultaneously:
What Varpulis Detects
Trade Before News
A trader buys 10,000 shares of ACME Corp. Two days later, ACME announces a merger and the stock jumps 12%. That purchase now looks very suspicious. Varpulis correlates the trade with the subsequent news event automatically.
Abnormal Position Building
Over 48 hours, a trader places 4 buy orders for the same stock, all small enough to fly under individual trade alerts. Varpulis counts all the orders as a single accumulation pattern using Kleene closure -- not 4 separate events.
Why Competitors Miss This
Traditional surveillance checks each trade against fixed thresholds: "flag orders over $1 million." A sophisticated insider splits their order into 8 pieces of $125,000 each -- every single one passes.
Varpulis tracks the accumulation pattern over time using Hamlet trend aggregation. Even better: when monitoring 50+ symbols simultaneously, Varpulis shares computation across overlapping patterns -- delivering 100x throughput compared to checking each symbol independently.
| Symbols Monitored | Traditional | Varpulis (Hamlet) | Speedup |
|---|---|---|---|
| 1 | 2.4 M/s | 6.9 M/s | 3x |
| 5 | 398 K/s | 2.8 M/s | 7x |
| 10 | 122 K/s | 2.1 M/s | 17x |
| 50 | 9 K/s | 950 K/s | 100x |
Measurable Impact
- 100x throughput for multi-symbol monitoring via Hamlet engine
- Detects split-order accumulation that per-trade thresholds miss
- Automated SEC 10b-5 evidence collection with full audit trail of every order in the chain
- Sub-millisecond alert latency -- flag suspicious activity before the trading day ends
Live Demo Walkthrough
cargo test -p varpulis-runtime --test cxo_scenario_tests cxo_insiderInput events:
- trader_sus buys 10,000 shares of ACME at $45.50
- ACME announces merger (material news)
- accumulator places 4 buy orders for WIDG ($500-$800 each)
- legit_trader makes normal buy of SAFE
Alerts generated:
trade_before_news-- trader_sus, ACME, ahead of merger announcementabnormal_position_building-- accumulator, WIDG, 4 orders over 30 seconds
No false positives: legit_trader's single normal order generates zero alerts.
Technical Appendix
VPL Pattern: Trade Before News
stream TradeBeforeNews = TradeOrder as trade
-> NewsRelease where symbol == trade.symbol as news
.within(48h)
.emit(alert_type: "trade_before_news", ...)VPL Pattern: Abnormal Position Building (Kleene)
stream AbnormalPositionBuilding = TradeOrder as first
-> all TradeOrder where trader_id == first.trader_id as orders
.within(48h)
.emit(alert_type: "abnormal_position_building", ...)Test Files
- Rules:
tests/scenarios/cxo_insider_trading.vpl - Events:
tests/scenarios/cxo_insider_trading.evt