Storm clouds on the horizon?
When it comes to the introduction of new rules for marketplace conduct, changes don’t occur all at once. Instead, it takes time – often years – after new regulations have been put in place for enforcement actions to begin in earnest, because a process of consultation, collaboration, interpretation and codification precedes concerted enforcement from regulators. That was certainly the case in the U.S., where it took several years for regulators to digest and interpret the Dodd Frank Act and begin to increase their enforcement actions. Even after almost 10 years, enforcement and fines continue to grow, with the recent record CFTC penalty of $67.4 million for market manipulation setting a new high-water mark.
We are approaching a similar inflection point in Europe as changes that were implemented in MiFID II at the beginning of 2018 are now becoming firmly established and codified. As we get set to wind up two years under this revised regulatory regime, it is reasonable to expect that enforcement actions will start to rise. In this environment, it’s prudent to stop and review the key tenets of RTS 6 to confirm that the necessary policies, procedures and technology are in place to avoid unwelcome regulatory sanctions.
Tenets of RTS 6
MiFID II (Markets in Financial Instruments Directive) is a broad and deep update of MiFID, which was promulgated in 2007. There are 28 Regulatory Technical Standards (RTSs) within MiFID II, and RTS 6 covers the specific requirements for investment firms engaged in algorithmic trading. Algorithmic trading is broadly defined so that only a small percentage of trades that are expressly executed manually are excluded from oversight.
The five main RTS 6 tenets are:
- Defining and capturing: the creation of a repository to document algorithms, including those from third parties, as well as all changes made to these algorithms.
- Development and testing of algorithms: detailed documentation of development steps as well as testing protocols and results of all trading and risk management algorithms.
- Risk controls: both pre- and post-trade controls are required. Pre-trade controls may include market and credit risk limits, maximum order volumes, automatic execution throttles and price collars. Post-trade controls should sit within both the 1st and 2nd lines of defense (i.e. operational management and risk management/compliance, respectively) and focus on the monitoring of pre-trade controls. Kill switch functionality is also required.
- Governance and oversight: it is vital that compliance actively participates in the development and deployment of algorithmic trading software and that reporting lines are clearly delineated. Conflicts of interest should be avoided, and training must be thorough and kept current.
- Market conduct: RTS 6 reinforces the Market Abuse Regulation (MAR) obligation to monitor behavior associated with illegal use of algorithms (e.g., pinging). It specifies that firms must conduct real-time monitoring and regularly review their automated alerts to minimize false positives and negatives.
Some Important Areas for Trade Surveillance and Compliance
While each circumstance is different and an in-depth review of all facets of trading and reporting is highly recommended, several key factors emerge as being central to adherence with RTS 6. Specifically:
- Requirements for real-time monitoring are particularly stringent: Article 17.1 stipulates that “real-time alerts shall be generated within five seconds after the relevant event” and that there be “a process in place to take remedial action as soon as possible after an alert has been generated.”
- The self-assessments which firms have to complete under MiFID II are likely the first thing that regulators look at during an investigation. For that reason, it is prudent that these assessments be comprehensive and well documented. Substandard work could invite further regulatory review.
- Two potentially tricky record-keeping requirements include:
  - The need to keep a record of all changes to algorithms. However, before you keep track of changes, you first need to define what the firm considers an ‘algorithm.’ This definition needs to be defensible and easily understood.
  - Algorithms produced or provided by third parties must also comply, which is problematic. Care should be taken to ensure that these algorithms comply as well.
- At a minimum, testing procedures should be thoroughly documented with clear division of responsibilities between trading, risk, compliance and management. Make a plan and stick to it.
Regulatory Precedent from the U.S.
With MiFID II in Europe, we are at the same stage at which enforcement action relating to Dodd Frank started to kick into high gear in the U.S. Precedent indicates that we can expect to see a regulatory rush that starts small but continues to build over the next several years. The CFTC completed a record number of actions in fiscal year 2018, and the recent close of fiscal year 2019 saw a flurry of actions, including expanded criminal cooperation between the agency and the U.S. Department of Justice as well as the previously mentioned record action in a spoofing case. It is reasonable to expect that a similar pattern will be followed in Europe and, given the strict, rules-based nature of MiFID II, it will not be at all surprising if enforcement there is more prescriptive and aggressive than what has transpired in the U.S. Now is a good time to make sure that your firm is in close compliance with MiFID II and, more specifically, RTS 6. It’s certainly a situation where an ounce of prevention will be worth more than a pound of fines and sanctions.
Eventus Systems, Inc. offers one of the leading global trade surveillance and market risk platforms. Available as a cloud-based or real-time enterprise on-premise solution, the Validus platform provides sophisticated market surveillance and financial risk capabilities, enabling clients to solve some of the most pressing regulatory challenges. For more information, contact us at email@example.com