Written by Florian Nitschke, Vice President, Compliance and Regulatory Consulting
The use of algorithms for routing and executing trades has been in the spotlight for some time, even more so since the infamous May 2010 flash crash in the U.S. Regulators are concerned about the potential impact of malfunctioning algorithms on the orderly functioning of markets and related knock-on consequences for financial stability. There are also concerns that algorithms can be used to manipulate markets and prices.
On 3 January 2018, EU regulators began enforcing stringent requirements for firms using algorithmic trading strategies and trading systems under the Markets in Financial Instruments Directive (MiFID II), which are detailed in Regulatory Technical Standard 6 (RTS 6). Crucially, firms are required to carry out an annual self-assessment and validation of their algorithmic trading activity against the regulatory requirements. Further, the results of these assessments can be requested by regulators at short notice.
A month later, the FCA and PRA each made clear their focus on the topic by publishing papers setting out their respective expectations: the FCA’s Algorithmic Trading Compliance in Wholesale Markets report, and the PRA’s Algorithmic Trading Consultation Paper 5/18, which has since resulted in a Supervisory Statement in June 2018.
UK regulators are now following up with firms that would be well placed to review their arrangements to ensure compliance with the increased regulatory expectations.
Given the level of regulatory attention on the topic, it is crucial to get these assessments right. In this article, we outline a summary of the key regulatory requirements, challenges and practical guidance for firms to consider for their self-assessment and effective operation of algorithmic trading environments.
What are the regulatory expectations?
The FCA’s paper helpfully structures the RTS 6 requirements into five chapters and provides the FCA’s own views on what it considers good and bad practice. The PRA’s paper covers largely the same areas but focuses on the accountability, governance and oversight arrangements that firms must have in place. Following are the key requirements set out in these documents and some of the challenges firms have faced in meeting them.
- Defining and capturing
Defining algorithmic trading as captured by RTS 6 is not an easy task. The main criterion is whether an algorithm makes decisions about trading parameters, such as the timing, size or price of an order, with limited or no human input. Additionally, an FCA best practice states that a firm should document and provide some oversight for any algorithm used, even if it would not strictly fall inside the MiFID II definition captured by RTS 6.
Firms must keep a detailed inventory of algorithms once they are identified. This record should describe the different algorithm types and functionality, their owners, the sign-off obtained and the risk controls put in place. In practice, the same algorithm may have different risk controls depending on its usage. A firm’s inventory might therefore be quite detailed and extensive.
- Development and testing of algorithms
A key aspect of the regulatory requirements is that firms must have stringent processes for developing sound algorithms as well as for testing their functionality and robustness prior to launch. The FCA’s paper notes the example of a firm whose insufficiently robust roll-out of new algorithmic software in 2012 caused a loss of hundreds of millions of dollars for the firm.
The FCA therefore expects this pre-launch framework to involve:
- All control functions
- Ample opportunity for challenge by those functions as well as other business functions
- Rigorous testing which results in a clear audit trail of review and sign-off
- Safe deployment of new or revised algorithms which requires the cooperation of various 1st and 2nd line functions
- Risks controls
Firms are expected to have pre- and post-trade controls that would limit the potential damage a malfunctioning algorithm could have on the firm and the wider market. Pre-trade controls may include market and credit risk limits, maximum order volumes, automatic execution throttles and price collars. Post-trade controls should sit within both the 1st and 2nd line and focus on the monitoring of pre-trade controls, e.g., market and credit risk exposures, with specific limits being set.
Importantly, kill-switch functionality is a requirement, which would allow a senior manager within a firm to withdraw all unexecuted orders relating to a malfunctioning algorithm. This often requires additional IT functionality to stop an algorithm at the click of a mouse button. Firms may also need to think through the potential scenarios in which they would activate the kill-switch. Whilst it is a requirement to have the functionality, simply flicking the switch without consideration of the potential consequences may also breach the firm’s obligations to contribute to an orderly market.
- Governance and oversight
Firms’ governance frameworks must clearly set out their systems and controls in relation to algorithmic trading. Senior management must be accountable for the firm’s strategy and controls, and management information must be provided to them to effectively supervise the business.
Clearly, the Risk function must play an important role by supervising the market and credit risk controls in place. Additionally, MiFID II gives the Compliance function a dedicated role for supervising algorithmic trading activity and requires that its staff are sufficiently skilled to perform this role. For the FCA, it is vital that Compliance actively participates in developing and deploying algorithmic trading software and has a direct line to the senior manager controlling the kill-switch.
- Market conduct
Given the potential for algorithms to be used to carry out market abuse and to be targeted by individuals who seek to manipulate markets, regulators require robust controls around these risks.
In particular, firms are expected to consider the specific market abuse risks inherent in their use of algorithms. MiFID II reinforces the Market Abuse Regulation (MAR) obligation in terms of monitoring behavior associated with illegal use of algorithms (e.g., pinging). It specifies that firms must conduct real-time monitoring and regularly review their automated alerts to minimize false positives and negatives.
Regulators also expect firms to consider market abuse risks in the algorithm design and development process. This should include how an algorithm could impact the wider market even where the automated activity itself would not fall foul of MAR.
We see firms facing some consistent challenges with their algorithmic trading environment:
- Defining and identifying algorithms
There is still considerable uncertainty within the industry around what qualifies as an algorithm under MiFID II. The answer ultimately depends on the level of human intervention and the sophistication of the algorithm.
Given the FCA’s guidance that it would expect a firm to have a view on all its algorithms, a practical approach is to create a complete inventory and design controls proportionate to the risks each algorithm poses to market integrity. This also has the advantage of avoiding long discussions about whether an algorithm is caught or not and allows staff to focus on the controls framework.
- Use of third-party algorithms
Many firms will use algorithms developed by third parties, which in some cases are not MiFID investment firms or regulated at all. As a result, the procedures of these third parties may not be compliant with the requirements of MiFID II and the additional regulatory guidance. Nevertheless, MiFID II is explicit that firms are still required to ensure that such outsourced arrangements comply with RTS 6.
As a result, firms must review the processes in place at their third-party providers and should consider whether they need to supplement these with their own procedures. In practice, a firm may require that third parties provide an overview of their design and development work for each algorithm, with the firm then carrying out additional work to consider whether all risks have been sufficiently covered and mitigated. Where this is not the case, the firm should not use the algorithm unless it can make changes or customize the code.
- Effective oversight and governance
Algorithms were often gradually introduced by trading functions with the intent of automating simple processes and subsequently taking over more complicated tasks. In many cases, this growing role of algorithms will not have been given the level of board and 2nd line oversight that it deserves given the potential risks it poses to a firm. Firms may lack formal, well-thought-through processes that review new or materially changed algorithms, both from a business and risk perspective. Even where those processes exist, they may differ between asset classes.
The latter issue was raised by industry to the PRA in responses to its February consultation paper. The PRA maintained its view that at a minimum, a firm-wide oversight framework should be established whilst allowing for specific departmental or regional processes.
It is no small feat to develop and implement a single framework across business units with unified standards and reporting to senior management and the board. Firms would be prudent to allocate sufficient time, resources and planning to meet this expectation.
- Independent testing
The PRA highlights that testing of algorithms prior to deployment should be conducted by teams that have not been involved in their development. The FCA notes that this encourages a culture of open communication between different business units.
In practice, such independent reviews can result in additional burden and resource requirements. Firms must consider how best to ensure the independence of these testing teams whilst also managing their operation’s overall efficiency. Some firms might use 1st line teams from other business units, which might burden them with additional work and create a strain on their resources. Others might task their Risk or Compliance function to carry out testing, but this may require additional training and skills.
Next steps and conclusion
The PRA has made clear that they will use supervisory tools to work with firms on achieving compliance with the regulatory standards and expectations. As part of their business plan, the FCA have also stated algorithmic trading controls as one of the areas where they will carry out additional work. We are aware that the regulators have started to ask questions about algorithms as part of wider regulatory visits and reviews.
The self-assessments which firms will have to complete under MiFID II will serve as a first port of call for regulators. Therefore, such a review should be comprehensive and well documented. Substandard work will be sure to attract further regulatory questions.
For further information
If you would like additional information on this topic, please contact our expert team. At Duff & Phelps, our specialized, multi-disciplined Markets team has assisted investment firms and trading venues to address their algorithmic trading challenges and create fit-for-purpose arrangements that are in line with relevant regulatory expectations and industry practice.
Our team consists of experienced professionals including former heads and members of the FCA’s Markets division, stock exchanges and firms’ surveillance teams who have led and advised on markets regulatory policy such as MAR, enforcement investigations, framework reviews and remediation programs.