Level Up Your Surveillance: Why Shallow Data Isn’t Enough for Spoofing Detection

Blog Surveillance 30 Jun 2025

Samantha Devlin

In our years of scoping, building, and calibrating trading surveillance platforms, one challenge stood out: detecting spoofing without drowning in false alarms. Spoofing is placing orders with no intention of executing them, purely to mislead the market and create an artificial impression of supply or demand that benefits the spoofer’s real intentions. It can be subtle, especially in today’s fast, complex markets, and early detection models often light up like Times Square with false positives.

The latest A-Team Insight handbook AI in Capital Markets highlights that regulatory bodies such as the SEC and FCA are concerned about AI’s potential to enable sophisticated forms of market manipulation, such as spoofing and layering. The other side of that coin is that we can also leverage AI to identify anomalies in trading patterns, flagging those bad actors. As we know by now, data is the fuel of AI, and it is also the fuel of surveillance systems. Quality data will produce quality results. In this post, I’ll share how increasing the granularity of market data enables smarter and more accurate spoofing surveillance, peppered with a bit of my own experience.

Market Data Levels

Before we dive into how the various data depths can support strong alerts, here is a brief overview of each of the depths that I will be referencing throughout:

  • Level 1 market data provides the most essential real-time information for a security, typically the top-of-book bid and ask (best current buying price and selling price) along with the quantities available.
  • Level 2 market data shows multiple layers of buy and sell orders beyond the best bid and ask, and is often called depth-of-market or the order book. This is what people mean by “market depth”. It reveals the prices and sizes of outstanding limit orders at additional price levels (the second-best, third-best, and so on).
  • Level 3 is the full market-by-order data feed, which is every single order and trade, providing the ability to reconstruct the entire limit order book in real-time. Level 2 is the aggregated view of the market, whereas Level 3 is the complete market data (a superset of Level 2).

[Image: the three market data levels (source: BMLL)]

The Basic Spoofing Detection Logic

Now, let’s start with how a basic spoofing alert typically works. It usually focuses only on the trader’s own activity and the simplest market info (like top-of-book quotes). In plain terms, a conventional spoofing detection rule might go through the following steps:

1. Identify a Trade – You (the trader under surveillance) execute a trade in instrument X, say you sold 1000 shares.

2. Check Prior Orders – Before that trade (within a short time window), did you have any large orders resting on the opposite side of the book (in this case, a big buy order since you sold)?

3. Check Cancellation – What happened to those large opposite-side orders? If you cancelled them right before or just after your sell trade, it looks suspicious.

4. Assess Price Move – Did the price move favourably for your trade around that time? For instance, did your large buy orders arguably push the price up, allowing your sell to get a better price? (This last part isn’t always required to trigger an alert, but analysts will definitely look for a price move when investigating.)

Refining the Alert: Common False-Positive Filters

So how do we avoid having so many false positive spoofing alerts? There are refinements that can be done to these models to make them smarter. These extra checks try to differentiate a malicious spoof from coincidental normal trading:

  • Order Balance Between Sides: Did you also have orders on the other side of the book during the period? If you were spoofing the buy side to help a sell trade, the logical expectation is that you weren’t also heavily buying at the same time. So the model might check whether you had orders on the genuine side (the side of your actual trade) and how large they were relative to the spoof side. A small sell order against huge buy-side orders is more indicative of spoofing than significant orders on both sides.
  • Executed Volume on Spoof Side: Similar to the above, if you did get some of your spoof-side orders filled, how much was filled? If a trader’s alleged spoof orders all stay completely unfilled (because they cancel them in time) while they get a fill on the opposite side, it looks fishy. On the other hand, if a substantial volume on the “spoof” side actually traded, the situation might not be a classic spoof – the trader did take on that position, suggesting those orders were at least partly genuine. So, some models compare the volume of trades on the spoof side vs. the real side during the alert window.
  • Distance from Best Price: How close were the supposed spoof orders to the touch (the best bid/offer)? An order placed far away from the best price is unlikely to ever execute or influence the market. If your “big buy” was 5 price levels below the best bid, it was probably never going to get hit – and was unlikely to mislead anyone either. Many systems will either not flag such orders or will score them as less suspicious. This analysis requires Level 2 data to give a view of the market depth – more examples of effective filtering using Level 2 data are discussed in the next section.

These supplementary rules make the alert logic more nuanced. In my experience, each added criterion knocks out a chunk of false positives. For instance, one of the biggest early wins was ignoring supposed spoof orders that were more than a few ticks away from the best price. It turned out a lot of traders naturally place far-away iceberg orders as “just in case” liquidity, with no intent to mislead – and those were triggering alerts unnecessarily. Incorporating a proximity check to only focus on near-touch activity aligned the alerts more with truly deceptive behaviour.
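The four-step rule and the three filters above, written out as one detection pass. This is an added example and not the post’s own (kdb+-based) code: Python is used because it is the quickest way to show the logic, the events are a constructed sample with a Level 1 quote attached to each one, and the thresholds (a 5-second window, 1,000 shares, 2 ticks from the touch, 20% spoof-side fill) are assumed values, not anything the post prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List

TICK = 0.01  # assumed tick size for the constructed sample


@dataclass
class Event:
    ts: float        # seconds since the start of the sample
    trader: str
    kind: str        # "new" | "cancel" | "fill"
    order_id: str
    side: str        # "buy" | "sell"
    price: float
    qty: int         # order size for new/cancel, executed size for fill
    best_bid: float  # Level 1 top of book at the time of the event
    best_ask: float


def ticks_from_touch(side: str, price: float, best_bid: float, best_ask: float) -> int:
    """Distance of a resting order from the best price on its own side, in ticks."""
    if side == "buy":
        return round((best_bid - price) / TICK)
    return round((price - best_ask) / TICK)


def detect_spoofing(events: List[Event], window: float = 5.0, min_spoof_qty: int = 1000,
                    max_ticks_from_touch: int = 2, max_spoof_fill_ratio: float = 0.2) -> List[dict]:
    alerts: List[dict] = []
    for trader in sorted({e.trader for e in events}):
        orders: Dict[str, dict] = {}
        fills: List[Event] = []
        # replay the trader's own events to build each order's lifecycle
        for e in sorted((e for e in events if e.trader == trader), key=lambda e: e.ts):
            if e.kind == "new":
                orders[e.order_id] = {
                    "side": e.side, "qty": e.qty, "placed": e.ts, "cancelled": None, "filled": 0,
                    "ticks": ticks_from_touch(e.side, e.price, e.best_bid, e.best_ask),
                    "bid_at_placement": e.best_bid, "ask_at_placement": e.best_ask}
            elif e.kind == "cancel":
                orders[e.order_id]["cancelled"] = e.ts
            elif e.kind == "fill":
                orders[e.order_id]["filled"] += e.qty
                fills.append(e)
        for f in fills:  # step 1: the trader executed a trade
            spoof_side = "sell" if f.side == "buy" else "buy"
            # steps 2 and 3: large opposite-side orders resting shortly before the fill and
            # cancelled around it; the distance filter drops orders far from the touch
            candidates = [oid for oid, o in orders.items()
                          if o["side"] == spoof_side
                          and f.ts - window <= o["placed"] <= f.ts
                          and o["cancelled"] is not None and abs(o["cancelled"] - f.ts) <= window
                          and o["ticks"] <= max_ticks_from_touch]
            spoof_qty = sum(orders[o]["qty"] for o in candidates)
            if spoof_qty < min_spoof_qty:
                continue
            # executed-volume filter: "spoof" orders that mostly traded were at least partly genuine
            if sum(orders[o]["filled"] for o in candidates) > max_spoof_fill_ratio * spoof_qty:
                continue
            # order-balance filter: comparable size on the genuine side looks like two-sided trading
            genuine_qty = sum(o["qty"] for o in orders.values()
                              if o["side"] == f.side and f.ts - window <= o["placed"] <= f.ts)
            if genuine_qty >= spoof_qty:
                continue
            # step 4: did the touch on the genuine side improve between the first spoof and the fill?
            first = orders[min(candidates, key=lambda o: orders[o]["placed"])]
            improved = (f.best_bid > first["bid_at_placement"] if f.side == "sell"
                        else f.best_ask < first["ask_at_placement"])
            alerts.append({"trader": trader, "fill_ts": f.ts, "fill_side": f.side,
                           "spoof_orders": sorted(candidates), "spoof_qty": spoof_qty,
                           "genuine_qty": genuine_qty, "price_improved": improved})
    return alerts


# constructed sample: T1 layers the bid to sell higher; T2's big bid rests far from the touch;
# T3's big bid mostly executes, so it was genuine
SAMPLE_EVENTS = [
    Event(0.0, "T1", "new", "T1-b1", "buy", 99.99, 5000, 99.99, 100.01),
    Event(0.5, "T1", "new", "T1-b2", "buy", 99.98, 4000, 99.99, 100.01),
    Event(1.0, "T1", "new", "T1-s1", "sell", 100.01, 300, 100.00, 100.01),
    Event(1.2, "T1", "fill", "T1-s1", "sell", 100.01, 300, 100.00, 100.01),
    Event(1.5, "T1", "cancel", "T1-b1", "buy", 99.99, 5000, 100.00, 100.01),
    Event(1.6, "T1", "cancel", "T1-b2", "buy", 99.98, 4000, 99.99, 100.01),
    Event(0.0, "T2", "new", "T2-b1", "buy", 99.90, 5000, 99.99, 100.01),
    Event(1.0, "T2", "new", "T2-s1", "sell", 100.01, 300, 99.99, 100.01),
    Event(1.2, "T2", "fill", "T2-s1", "sell", 100.01, 300, 99.99, 100.01),
    Event(1.5, "T2", "cancel", "T2-b1", "buy", 99.90, 5000, 99.99, 100.01),
    Event(0.0, "T3", "new", "T3-b1", "buy", 99.99, 3000, 99.99, 100.01),
    Event(0.8, "T3", "fill", "T3-b1", "buy", 99.99, 2500, 99.99, 100.01),
    Event(1.0, "T3", "new", "T3-s1", "sell", 100.01, 300, 99.99, 100.01),
    Event(1.2, "T3", "fill", "T3-s1", "sell", 100.01, 300, 99.99, 100.01),
    Event(1.5, "T3", "cancel", "T3-b1", "buy", 99.99, 500, 99.99, 100.01),
]
```

Running `detect_spoofing(SAMPLE_EVENTS)` yields a single alert, for T1: T2 is dropped by the distance filter (9 ticks from the touch) and T3 by the executed-volume filter (2,500 of 3,000 shares traded). Each filter is a separate `continue`, so it is easy to count, per filter, how many alerts it removes when tuning on real data.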

[Image: spoofing in action (source: Spoofing the Limit Order Book)]

Adding Market Context with Level 2 Data (Depth of Book)

Even with those refinements, using only Level 1 data (just the top-of-book quotes and last trades) limits what you can do. This is where Level 2 market data comes in, giving a fuller picture with the order book. Level 2 shows multiple price levels of buy and sell orders (often the top 5, 10, or more levels on each side). Having this depth of book unlocks more advanced analysis and can further reduce false positives.

With Level 2 data, a surveillance system isn’t blind to the broader order book. It can see, for example, that you placed a buy order three levels down, 5,000 shares strong, and at that moment the order book at that price had maybe 6,000 shares total. This allows a few powerful enhancements:

  • Dynamic Thresholds Based on Liquidity: Instead of a fixed “large order” size threshold (e.g. flag any spoof order >10,000 shares), the system can dynamically adjust what “large” means by looking at current liquidity. For instance, if the order book is thin (say only 5,000 shares total on the first few levels), a 2,000 share order might be impactful. But if the book is deep (say 100,000 shares resting across levels), a 2,000 share order is a drop in the bucket. By gauging how much liquidity was present at the time of the alleged spoof, the model can require a proportionately significant size. In other words, the bar for what counts as a spoofing attempt can scale with the context. This is a big improvement over one-size-fits-all thresholds. The marketability of an order (i.e. the likelihood of it executing) is not static – it varies from stock to stock and over time, depending on liquidity conditions.
  • Precise Position in the Book: With Level 2, we know the order’s position in the queue of prices. For example, your large buy order was sitting at the third-best bid price. We could track if the market moved – did that order eventually become the top bid before you cancelled? This can be telling. If every time your order nears the front of the line you cancel it, that’s a red flag (more on this when we talk about Level 3). Even at Level 2, seeing what price level you were on helps. Some models explicitly include a check like: “Was the spoof order within X levels of the best price?” (If not, maybe ignore it). In fact, as mentioned in the previous section, effective spoofing almost requires being near the top of the book, because orders too far out are unlikely to ever execute or influence anyone.
  • Attributing Orders to the Trader: Aggregated depth data from an exchange shows the total volume at each price level, but not which portion is your trader’s orders versus everyone else’s. Surveillance usually gets around this by merging the firm’s internal order logs with the market data, which can be a messy reconciliation process. Additionally, some feeds (especially in futures or on certain exchanges) include anonymized participant identifiers, and a market-by-order feed lists each order individually. Either way, once the firm’s own orders can be matched against the depth at a price level, the compliance team can clearly pick out which orders in the stack were ours. This makes analysis much easier. For instance, you could directly compute that “Trader Joe’s order was 80% of the volume at that price level.” If Joe singlehandedly represented most of the buy interest at a price, that’s a strong indicator of potential impact. Level 2 provides the denominator for that calculation – the total size resting at each level – which Level 1 cannot.
  • Better Market Impact Analysis: Level 2 also helps in visualizing and quantifying market impact for the compliance officer reviewing the alert. With only Level 1, you might say “hey, the best offer moved 2 cents after the spoof bids appeared.” With Level 2, you can actually replay the order book and see how the depth changed. Perhaps you see that after the trader’s big buy orders posted, other participants started “stacking” behind them (adding their own buy orders at slightly lower prices, building up the bid side), which moved the best bid up. This kind of reaction is exactly what a spoofer counts on. By comparing the trader’s actions to changes in the overall book – not just the top price but the depth – the surveillance system can better determine if the trader’s orders likely influenced the market. In one case, I recall an alert where the price didn’t move much, but the depth did: other participants pulled their sell orders when our trader’s large bid showed up, a sign that the spoof did scare the market momentarily. We wouldn’t have caught that with only top-of-book data.

In short, Level 2 data provides a richer picture that both improves the trigger conditions and gives the analyst a more complete story to assess. More data means more context, and context is the antidote to false positives.
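The Level 2 enhancements above (liquidity-relative size threshold, position in the book, the trader’s share of a price level, and how the depth reacted) can be computed from two depth snapshots: one just before the order and one shortly after. The following is an added example, not code from the post; the books are constructed, the 5-level depth, 10% size ratio and 2-level cutoff are assumed parameters, and the trader’s own size is assumed to be known from the firm’s order records, as the post describes.

```python
from dataclasses import dataclass
from typing import List, Tuple

Level = Tuple[float, int]  # (price, aggregated resting size), as a Level 2 feed reports it


@dataclass
class Book:
    bids: List[Level]  # best bid first
    asks: List[Level]  # best ask first


@dataclass
class Assessment:
    level_index: int           # 0 = at the touch, 1 = one level behind it, ...
    visible_liquidity: int     # same-side size across the top `depth` levels before the order
    size_ratio: float          # order size / visible liquidity (the dynamic "is it large?" test)
    level_share: float         # order size / total size at its price once it is in the book
    same_side_stacking: int    # other participants' same-side size added after the order
    opposite_side_change: int  # change in opposite-side size (negative = quotes pulled)
    flagged: bool


def same_side(book: Book, side: str) -> List[Level]:
    return book.bids if side == "buy" else book.asks


def level_index(book: Book, side: str, price: float) -> int:
    """Number of price levels strictly better than `price` on the order's own side."""
    if side == "buy":
        return sum(1 for p, _ in book.bids if p > price)
    return sum(1 for p, _ in book.asks if p < price)


def visible_liquidity(book: Book, side: str, depth: int) -> int:
    return sum(q for _, q in same_side(book, side)[:depth])


def size_at(book: Book, side: str, price: float) -> int:
    return sum(q for p, q in same_side(book, side) if p == price)


def assess_order(before: Book, after: Book, side: str, price: float, qty: int,
                 depth: int = 5, max_level: int = 2, min_size_ratio: float = 0.10) -> Assessment:
    """`before` is the depth just prior to the order, `after` a snapshot shortly after it appeared."""
    opp = "sell" if side == "buy" else "buy"
    idx = level_index(before, side, price)
    liq = visible_liquidity(before, side, depth)
    level_total = size_at(after, side, price)
    stacking = visible_liquidity(after, side, depth) - qty - liq
    opp_change = visible_liquidity(after, opp, depth) - visible_liquidity(before, opp, depth)
    # dynamic threshold: "large" is relative to what was visible, and only near the touch counts
    flagged = idx <= max_level and liq > 0 and qty / liq >= min_size_ratio
    return Assessment(idx, liq, qty / liq if liq else 1.0,
                      qty / level_total if level_total else 0.0, stacking, opp_change, flagged)


# constructed snapshots: a thin book where a 5,000-share bid one level behind the touch dominates,
# and a deep book where the same kind of order is a drop in the bucket
THIN_BEFORE = Book(
    bids=[(99.99, 800), (99.98, 1200), (99.97, 1500), (99.96, 2000), (99.95, 2500)],
    asks=[(100.01, 900), (100.02, 1100), (100.03, 1300), (100.04, 1800), (100.05, 2200)])
# 500 ms later: our 5,000 at 99.98 is in, others have stacked behind it, the offer has thinned
THIN_AFTER = Book(
    bids=[(99.99, 1000), (99.98, 6200), (99.97, 2100), (99.96, 2000), (99.95, 2500)],
    asks=[(100.01, 400), (100.02, 1100), (100.03, 800), (100.04, 1800), (100.05, 2200)])
DEEP_BEFORE = Book(
    bids=[(99.99, 20000), (99.98, 20000), (99.97, 20000), (99.96, 20000), (99.95, 20000)],
    asks=[(100.01, 20000), (100.02, 20000), (100.03, 20000), (100.04, 20000), (100.05, 20000)])
DEEP_AFTER = Book(
    bids=[(99.99, 20000), (99.98, 22000), (99.97, 20000), (99.96, 20000), (99.95, 20000)],
    asks=DEEP_BEFORE.asks)
```

In the thin book the 5,000-share bid is 62.5% of the visible bid-side liquidity, about 81% of its own price level, and is followed by 800 shares of stacking behind it and 1,000 shares pulled from the offer, so it is flagged; in the deep book the same order placed at the same level is 2% of visible liquidity and is not, even though a fixed “over 1,000 shares” threshold would have flagged both.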

 

Level 3 (Full Order Flow): The Next Frontier in Surveillance

Last but not least, I am keen to explore how Level 3 data can take your surveillance to the next level (pun intended…). With Level 3 data, we can see every individual order: each order’s size, price, timestamp, and often a unique order ID. Some trading venues or data providers offer this to high-end users, and it’s the kind of data regulators themselves see when they comb through audit trails.

In practice, Level 3 isn’t commonly used in firm-level surveillance yet, partly because of the massive data volume. But let me paint a picture of what it could enable if we had it (and in some cutting-edge projects, we do):

  • Queue Position and Cancel Behaviour: With full market-by-order data, you can pinpoint exactly where a trader’s order sits in the queue and watch it move. As discussed in the previous sections, a pattern that screams spoofing is when a trader consistently cancels their order just before it would hit the front of the queue, because the order’s sole purpose was to be seen in the book, not to actually trade. Level 3 data would let a surveillance system detect this pattern as it allows these nuanced behaviours to become measurable signals.
  • Tracking Other Participants’ Reactions: One advanced idea I’m excited about (though it’s rarely implemented) is using Level 3 data to detect how the market responds to a suspected spoof in real time. If a spoofing order is effective, other traders or algorithms may react by either trying to race in front of it or pulling their quotes on the other side. With full order flow data, one could algorithmically look for a flurry of activity immediately following the appearance of the spoof order. For example, say our trader places a layer of big sell orders; within the next second, we observe a bunch of other orders from different participants joining the sell side (following the spoofer’s lead) or pulling their buy orders. That reaction is evidence that the spoof order had its intended effect, and incorporating this into alerts would be quite sophisticated. It’s a kind of second-order signal that today’s models typically don’t use, but with L3 data it’s conceivable. In essence, Level 3 data provides the raw, unfiltered truth of every order and cancellation, which opens the door to analysis that goes beyond the spoofer’s own actions to allow for closer examinations of the market’s response.

It’s worth noting that handling Level 3 data is non-trivial. The volume is enormous (major exchanges generate tens of billions of order messages per day), so any surveillance solution using it needs serious engineering prowess. But the benefit is a dramatically increased richness of data. From what I’ve seen, the trend is that surveillance tech is slowly moving this way. As infrastructure catches up, using full depth and even reconstructing historical order books on demand is becoming feasible. That means future spoofing models might well leverage these Level 3 insights to all but eliminate certain types of false positives and, more importantly, catch manipulations that simpler models would miss.
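Both Level 3 ideas above (queue position with cancel-near-the-front, and other participants’ reactions) need a price-time priority book rebuilt from market-by-order messages. The following is an added example and not the post’s code; the message stream is constructed, every order is assumed to be attributable to a participant (from the feed or the firm’s own records), and the 1-second reaction window and 1,000-share “near the front” cutoff are assumed parameters.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class L3Event:
    ts: float
    kind: str          # "add" | "cancel" | "execute"
    order_id: str
    participant: str   # assumed: the feed or the firm's records let each order be attributed
    side: str = ""     # set on "add"; cancel/execute are resolved from the order id
    price: float = 0.0
    qty: int = 0       # size on add, executed size on execute


@dataclass
class OrderRecord:
    order_id: str
    participant: str
    side: str
    ahead_at_add: int                 # resting size queued in front at the same price
    ahead_at_cancel: Optional[int] = None
    same_side_joins: int = 0          # others' adds on the same side within the window
    opposite_side_pulls: int = 0      # others' cancels on the other side within the window

    def cancelled_near_front(self, near_front_qty: int) -> bool:
        """Moved up the queue, then cancelled before it could trade."""
        return (self.ahead_at_cancel is not None
                and self.ahead_at_add > near_front_qty >= self.ahead_at_cancel)


class OrderBookL3:
    """Price-time priority book rebuilt from market-by-order messages."""

    def __init__(self):
        self.queues: Dict[tuple, List[list]] = defaultdict(list)  # (side, price) -> [[id, qty], ..]
        self.where: Dict[str, tuple] = {}

    def add(self, e: L3Event):
        self.queues[(e.side, e.price)].append([e.order_id, e.qty])
        self.where[e.order_id] = (e.side, e.price)

    def ahead(self, order_id: str) -> int:
        total = 0
        for oid, q in self.queues[self.where[order_id]]:
            if oid == order_id:
                return total
            total += q
        raise KeyError(order_id)

    def remove(self, order_id: str):
        key = self.where.pop(order_id)
        self.queues[key] = [o for o in self.queues[key] if o[0] != order_id]

    def execute(self, order_id: str, qty: int):
        for o in self.queues[self.where[order_id]]:
            if o[0] == order_id:
                o[1] -= qty
                if o[1] <= 0:
                    self.remove(order_id)
                return


def analyse(events: List[L3Event], react_window: float = 1.0) -> Dict[str, OrderRecord]:
    events = sorted(events, key=lambda e: e.ts)
    meta = {e.order_id: (e.participant, e.side) for e in events if e.kind == "add"}
    book, records = OrderBookL3(), {}
    for i, e in enumerate(events):
        if e.kind == "add":
            book.add(e)
            rec = OrderRecord(e.order_id, e.participant, e.side, book.ahead(e.order_id))
            # second-order signal: what did everyone else do right after this order appeared?
            for r in events[i + 1:]:
                if r.ts > e.ts + react_window:
                    break
                p, s = meta[r.order_id]
                if p != e.participant and r.kind == "add" and s == e.side:
                    rec.same_side_joins += 1
                elif p != e.participant and r.kind == "cancel" and s != e.side:
                    rec.opposite_side_pulls += 1
            records[e.order_id] = rec
        elif e.kind == "cancel":
            records[e.order_id].ahead_at_cancel = book.ahead(e.order_id)
            book.remove(e.order_id)
        elif e.kind == "execute":
            book.execute(e.order_id, e.qty)
    return records


def near_front_cancels(records: Dict[str, OrderRecord], near_front_qty: int = 1000) -> Dict[str, int]:
    """Per participant: how many orders advanced in the queue and were then pulled."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records.values():
        counts[r.participant] += int(r.cancelled_near_front(near_front_qty))
    return dict(counts)


SAMPLE = [  # constructed market-by-order stream
    L3Event(0.0, "add", "A", "P1", "buy", 99.99, 1000),
    L3Event(0.1, "add", "B", "P2", "buy", 99.99, 800),
    L3Event(0.2, "add", "X", "P4", "sell", 100.01, 700),
    L3Event(0.3, "add", "Y", "P5", "sell", 100.01, 900),
    L3Event(10.0, "add", "S1", "SPF", "buy", 99.99, 3000),  # 1,800 shares queued ahead of it
    L3Event(10.2, "add", "C", "P3", "buy", 99.98, 500),     # someone joins the bid side
    L3Event(10.3, "cancel", "X", "P4"),                      # someone pulls an offer
    L3Event(11.0, "execute", "A", "P1", qty=1000),           # A trades out: 800 now ahead of S1
    L3Event(11.4, "cancel", "S1", "SPF"),                    # cancelled as it nears the front
    L3Event(20.0, "add", "M1", "MM", "buy", 99.99, 400),    # 800 ahead, never advances
    L3Event(20.5, "cancel", "M1", "MM"),
]
```

For the sample, SPF’s order enters with 1,800 shares ahead of it, draws one same-side join and one opposite-side pull within a second, and is cancelled once only 800 shares remain ahead, which `cancelled_near_front` counts; MM’s order is cancelled with the same 800 ahead but never advanced, so it is not. Summing `near_front_cancels` over a day gives the “consistently cancels before reaching the front” signal as a per-participant count rather than an analyst’s impression.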

Spoofing Across Markets: A Quick Example of More Data in Action

Thus far we’ve focused on one order book, one instrument at a time. But real-world market manipulation isn’t always self-contained. A cunning strategy we’ve seen (and regulators have busted) is cross-market spoofing – using orders in one market to influence prices in a related market. This is another case where having a wide lens on data is crucial.

Consider a scenario involving a futures contract and the underlying cash market. A trader holds a position in U.S. Treasury bonds, but they go and place large spoof orders in U.S. Treasury futures, which are different but closely correlated. The fake orders push the futures price up or down, which in turn nudges the price of the bonds, allowing the trader to profit on their bond position. This actually happened – a bank’s trader took advantage of the tight link between Treasuries and Treasury futures, and he placed spoof orders in the futures to profit in the cash bonds market. This cross-market manipulation led to a hefty $35 million fine for the firm. Similarly, equities vs. equity futures, or index futures vs. component stocks, or even between related commodities, are fertile ground for this tactic.

Why do I bring this up? Because detecting such a scheme means your surveillance system must ingest and analyse different data streams together. You’d need the order book, or at least trade and quote data, for both markets, plus logic to correlate them. Traditional systems that look at only one product at a time will completely miss this – the spoof orders alone might not trigger any alert if no trade happened in that futures market for the spoofer, and the bond trade alone wouldn’t look odd. It’s the combination of “spoof here, profit there” that completes the picture.
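The “spoof here, profit there” join described above, as an added example that is not code from the post or from any regulator’s case: the related-instrument map, the symbols `ZN` and `UST10Y`, the orders and trades, and the thresholds (5-second window, 100 contracts, 20% fill) are all assumed or constructed. It takes the per-order lifecycle records a single-market rule would already hold and pairs them with trades in the related market by the same trader.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# assumed related-instrument map with hypothetical symbols: a Treasury future and the cash bond
RELATED: Dict[str, str] = {"ZN": "UST10Y", "UST10Y": "ZN"}


@dataclass
class OrderLife:
    """One order's lifecycle, as the single-market logic already tracks it."""
    trader: str
    instrument: str
    side: str
    qty: int
    placed: float
    cancelled: Optional[float]
    filled: int


@dataclass
class Trade:
    trader: str
    instrument: str
    side: str
    qty: int
    ts: float


def cross_market_alerts(orders: List[OrderLife], trades: List[Trade], window: float = 5.0,
                        min_spoof_qty: int = 100, max_fill_ratio: float = 0.2) -> List[dict]:
    alerts = []
    for t in trades:  # the "profit there" leg
        spoof_market = RELATED.get(t.instrument)
        if spoof_market is None:
            continue
        spoof_side = "sell" if t.side == "buy" else "buy"
        # the "spoof here" leg: large opposite-side orders in the related market by the same
        # trader, resting around the trade, cancelled, and essentially unfilled
        layers = [o for o in orders
                  if o.trader == t.trader and o.instrument == spoof_market and o.side == spoof_side
                  and t.ts - window <= o.placed <= t.ts
                  and o.cancelled is not None and abs(o.cancelled - t.ts) <= window
                  and o.filled <= max_fill_ratio * o.qty]
        spoof_qty = sum(o.qty for o in layers)
        if spoof_qty >= min_spoof_qty:
            alerts.append({"trader": t.trader, "trade_market": t.instrument, "trade_side": t.side,
                           "trade_ts": t.ts, "spoof_market": spoof_market,
                           "spoof_side": spoof_side, "spoof_qty": spoof_qty})
    return alerts


# constructed sample (contracts for ZN, face value for UST10Y)
ORDERS = [
    OrderLife("T1", "ZN", "buy", 400, 0.0, 3.0, 0),    # big futures bids, pulled, never hit
    OrderLife("T1", "ZN", "buy", 300, 0.5, 3.2, 0),
    OrderLife("T2", "ZN", "buy", 500, 0.0, 3.0, 0),    # same shape, but T2 trades nothing elsewhere
    OrderLife("T3", "ZN", "buy", 500, 0.0, 3.0, 450),  # mostly filled: a position, not a spoof
]
TRADES = [
    Trade("T1", "UST10Y", "sell", 50_000_000, 1.5),    # cash bonds sold into the lifted market
    Trade("T3", "UST10Y", "sell", 50_000_000, 1.5),
    Trade("T4", "UST10Y", "sell", 50_000_000, 1.5),    # no related-market activity at all
]
```

Only T1 is flagged. Note that neither leg would fire on its own: T1 never traded in `ZN`, so a single-market spoofing rule on the futures has no step-1 trade to start from, and the cash bond sale has no resting opposite-side orders beside it. T2 has the same futures pattern but no trade to profit on, and T3’s futures orders mostly filled.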

The push toward integrating more data sources is happening. Regulators themselves emphasize connecting the dots across markets. But more data means more complexity as it requires more processing and more analytics to find genuine correlations versus random coincidences. It can also mean more false positives if done naïvely (correlation is not always causation!). However, when built with greater data dimensionality and better models, multi-market surveillance can be extremely powerful.

From my perspective, this is an exciting direction, as it means breaking down silos and having surveillance platforms that see the whole chessboard, not just one piece. It’s another frontier where data granularity can make alerts more reliable, allowing you to weed out false positives and get better alerts.

Conclusion: Better Data, Smarter Surveillance

Enhancing a spoofing alert’s reliability boils down to providing it with the right information. Level 1 data (top-of-book) gives you the bare essentials, enough to catch the outline of a spoofing scenario but not the whole shape – it often leads to crude, noisy alerts. Level 2 data (market depth) adds important context, like a higher resolution image, allowing the detection logic to zero in on realistic manipulation and filter out benign activity. Level 3 data (full order flow) is the ultimate granularity, giving x-ray vision into the order book. It’s not widely used yet by most compliance teams, but it holds the promise of detecting spoofing behaviours that were previously invisible.

On a personal note, working with these different data granularities has been eye-opening. I’ve felt the frustration of sifting through dozens of false positive spoofing alerts and the relief when a new data feed or rule tweak eliminates a chunk of them. It’s a constant cat-and-mouse game: as spoofers get more sophisticated, we counter by capturing more detail about the market’s state to expose their tricks. Yes, more data can mean more complexity, causing the engineering load to go up, and you need good tools to store, process, and analyse it. But the payoff is fewer false alarms and greater confidence when an alert does trigger. The best technologies to handle these complex analytics are those that specialise in big data storage, have exceptional processing features, and are optimized for time-series tick data – such as kdb+.

At the end of the day, surveillance is about protecting market integrity without unnecessarily hindering legitimate trading. Having richer market data, whether it’s deeper order book levels or broader cross-market coverage, is like having a more reliable detector. It allows us to focus human attention on truly anomalous patterns with a higher probability of misconduct. The result is a trade surveillance platform that can confidently say “we see what you’re up to”, while ignoring the noise. And that, to me, is worth every tick of market data we ingest.
