On 12 February the FCA and the PRA both published papers relating to regulated firms’ use of algorithmic trading. The FCA published a report on algorithmic trading compliance in wholesale markets, and the PRA proposed a number of expectations regarding a firm’s governance and risk management of algorithmic trading through a formal consultation on a Supervisory Statement. Together the documents represent further scrutiny of and more detailed expectations from the UK regulators on the use of algorithms by capital markets participants. The two regulators will continue to collaborate on the subject to ensure coordinated approaches going forward.
The fact that the FCA and the PRA published major, detailed statements on the governance and controls over algorithmic trading systems so soon after MiFID II took effect shows the importance they attach to this area. Both reports have been informed by cross‑firm reviews carried out by the regulators, in the PRA’s case over a lengthy period from 2014 to 2017, and the good – and not so good – practices that they have observed in firms. The regulators stress the need for a comprehensive inventory of algorithmic trading systems as the foundation for an effective control structure, but also note the challenges of producing one, especially in larger firms. Unsurprisingly the regulators identify the need for independent and informed challenge by the Board, the Risk Committee, Risk, Compliance and Internal Audit and other control functions at every stage of the algorithm lifecycle – from design, through testing to deployment and monitoring. However, it will remain challenging for firms to develop a control framework that is fit for purpose, including being “fit for assurance” by Internal Audit, and for all control functions to secure and retain the necessary specialised and skilled resources.
Both the PRA and the FCA emphasise the importance of the Senior Managers Regime in the context of algorithmic trading and the need for a firm’s management body to identify the relevant Senior Management Functions (SMFs) with responsibility for algorithmic trading. The expectations set out by the PRA and FCA in these documents, together with the examples of good and poor practice, will be relevant to these SMFs as they consider what constitutes “reasonable steps” in terms of discharging their responsibilities in this area.
The FCA’s Report
Following a detailed assessment of the development and implementation procedures used by firms for algorithmic trading ahead of implementation of MiFID II, the FCA identified five key areas of focus and set out a number of examples of good and poor practices in the each of the areas. Overall, the FCA found that “firms need to do more work to identify and reduce potential conduct risks created by their algorithmic strategies”.
Areas of focus
1. Defining algorithmic trading, with the objective to ensure that firms establish an appropriate process to identify algorithmic trading, manage material changes and maintain a comprehensive inventory of algorithmic trading across the business. The FCA acknowledges that this identification process can be a challenge, especially for larger firms, but regards it as a prerequisite for robust governance and controls. The FCA can require firms to provide a description of their algorithmic trading strategies within 14 days.
Implications: firms need to establish processes to identify all existing and capture all new algorithms, trading systems and strategies on an ongoing basis, including any material or substantial changes to existing ones. A clear definition of what constitutes a “material” or “substantial” change is key and needs to be supported by training for relevant staff to ensure these definitions are applied consistently. Good practice includes conducting extensive reviews of all aspects of the business to consider how trading algorithms are used within the firm. Firms also need to maintain a comprehensive inventory of algorithmic trading strategies and systems across the firm, which can provide MI for senior management. The detailed documentation kept by firms should set out a number of criteria such as the different types of algorithms, trading strategies and systems, including relevant operational objectives, parameters and behavioural characteristics, as well as a comprehensive list of all the risk controls (including kill functionality) applicable to each strategy or system, including overall risk limits and individual risk limits within each component/algorithm.
2. Development and testing, with the objective to ensure firms maintain robust, consistent and well understood development and testing processes which identify potential issues across trading algorithms prior to full deployment.
Implications: by maintaining an appropriate development and testing framework, firms need to ensure that their development of algorithms is consistent with the risk appetite and behavioural expectations of the firm. Before sign-off, firms need to complete a comprehensive review and approval process, and all stakeholders need to confirm that their assigned tasks are completed, verified and documented. Firms should aim to have an independent committee to review the documentation and completion of testing procedures, and to verify that the algorithm is consistent with the original specifications. The FCA emphasises the need for challenge and for separation between development and validation teams – validators need to be empowered with the appropriate level of influence. Firms also need to establish a procedure to ensure any new or updated algorithms are deployed in practice in an appropriate and controlled manner, and the FCA notes the advantages of phased deployment into the production environment from a control perspective. Throughout the development and testing process, firms should ensure they have adequate documentation and a comprehensive audit trail.
3. Risk controls, with the objective to ensure firms develop suitable and robust pre-trade and post-trade controls to monitor, identify and reduce potential trading risks across algorithmic trading activity.
Implications: firms should develop the level of sophistication of their controls according to the size and complexity of their business. The FCA provides a number of useful examples of enhanced controls (describing them as “good practice” and contrasting them with what it refers to as “basic controls”) to be considered by firms in relation to their pre-trade controls, including market and credit limits, order volume/value and price collars. In terms of post-trade control and monitoring, firms should also conduct control monitoring, for example through automated control thresholds to generate alerts. Firms should also have committees comprising of representatives from areas such as trading, client coverage, compliance, risk and credit teams to review their controls, including parameter settings, amendments to controls and any limit breaches.
4. Governance and oversight, with the objective to ensure firms maintain an appropriate governance and oversight framework which demonstrates effective challenge from senior management, risk management and compliance on algorithmic trading activities. Under the Senior Managers Regime, the certification function of “Algorithmic Trading” covers staff with responsibility for approving the deployment, material amendment and monitoring of trading algorithms.
Implications: Senior management should be able to articulate the standards set for development, testing and on-going monitoring of their algorithmic trading strategies, and that such standards are aligned with the firm’s overall risk appetite. Moreover, senior management should be prepared to evidence an effective governance and risk framework for algorithmic trading activities by receiving suitable MI and having clearly understood escalation procedures. Good practice includes where senior management participates throughout the testing and development process and understands potential market conduct consequences. The risk and compliance functions should be involved at each stage of the development, testing and implementation process for algorithmic trading. The FCA particularly noted that risk and compliance staff should aim to have the required knowledge and skills (including understanding the relevant technology risks) to provide sufficient challenge to the development of algorithms. As a first step this can involve conducting a gap analysis of their ability to supervise algorithmic trading activity and establishing new roles/responsibilities where required.
5. Market conduct, with the objective to ensure firms appropriately consider the potential impact of their algorithmic trading on market integrity, monitor for potential conduct issues and reduce market abuse risks.
Implications: consistent with the Market Abuse Regulation, firms must establish and maintain effective arrangements, systems and procedures to detect and report suspicious orders and transactions. Firms should have adequate monitoring and surveillance procedures in place, including the use of post-trade surveillance tools proportionate to the nature of their business and programs making use of alert parameters and alert logic based on a firm’s trading patterns and clients. The FCA stresses the importance of firms tailoring their monitoring/surveillance approach to the specific risks of algorithmic trading activity. Firms also need to integrate market conduct considerations into their algorithm development processes. Firms should consider not only whether a strategy meets the definition of market abuse, but also whether a strategy could negatively affect market integrity and/or if it could exacerbate scenarios under a wider market disruption. In considering the potential consequences for market integrity, firms should incorporate market conduct considerations into their testing process – a good practice would be to develop (or use third-party) dynamic testing environments that could assess how their trading strategies would perform in a period of market disruption and whether their strategies might worsen such a disruption. The FCA also highlighted that firms using machine learning and artificial intelligence should consider how they can examine heightened risks to market conduct within their testing processes.
Although the report highlights the key requirements in MiFID II, market participants need to bear in mind that the UK’s transposition of the requirements for algorithmic trading also applies to other firms not authorised as investment firms under MiFID II where they carry out algorithmic trading. Firms also need to comply with the relevant requirements under the Senior Managers Regime.
The FCA has said it will continue to assess whether firms, including MiFID II investment firms and non-MiFID investment firms which are subject to the MiFID II requirements in relation to algorithmic trading, have taken sufficient steps to mitigate risks stemming from algorithmic trading.
The PRA’s Consultation Paper
Concurrently, the PRA proposed a Supervisory Statement which sets out its expectations of firms’ governance and risk management relating to all the algorithmic trading activities of a PRA-supervised firm including unregulated financial instruments such as spot foreign exchange, which firms may not have considered as part of their MiFID II implementation programmes. These are aligned with the FCA’s approach to risk controls, testing and governance of algorithmic trading.
The proposal is structured around five sections:
- Governance: firms should define the responsibilities for overseeing the execution of the algorithmic trading policy, assigning ownership for the inventory of algorithms and risk controls and setting and managing a process that reviews algorithmic trading incidents. A firm’s governing body or, where applicable, its Risk Committee should explicitly approve the governance framework for algorithmic trading, and a firm’s management body should identify the relevant SMFs with responsibility for algorithmic trading. While firms should have implemented a robust governance framework as part of MiFID II, they may not have assigned ownership for an inventory of algorithms, risk controls and processes for reviewing incidents where an algorithm or risk control has not performed as expected. The PRA also expects firms to maintain a dedicated policy around algorithmic trading. As a result, even in cases where firms have drafted such a policy as part of their MiFID II implementation, they should ensure their policy is sufficiently robust to meet the PRA’s expectations.
- Algorithm approval process (by the firm): firms should embed an approval process that captures new algorithms and customisation of/changes to existing algorithms. Prior to granting approval, each algorithm should have assigned owners and have completed testing successfully. The testing should include all relevant parties (i.e. Front Office, Risk Management, Other Systems and Controls Functions). An algorithm must be assessed and, risk controls – aligned to the firm’s risk appetite - should be implemented prior to use in areas where relevant functions have detected that potential risks could arise.
Testing and deployment: all algorithms (including those provided by third-party vendors) and risk controls should be tested prior to deployment and subject to periodic re-validation. The testing should involve all relevant functions and be carried out at a frequency and to a standard commensurate with the risks that the firm could be exposed to should algorithms or risk controls not to operate as intended. The paper also sets out that any variation (without any mention of a materiality threshold) of an algorithm should be classified as a new algorithm and therefore subject to separate testing and approval. Testing should be undertaken by a competent team not involved in the deployment of the code. The PRA has placed emphasis on firms’ assessment of the latency of the algorithmic trading system, the latency between different parts of the algorithmic trading system where there are dependencies and the overall system capacity under normal and severe market conditions.
Inventories and documentation: firms need to create and retain a comprehensive inventory of algorithms, risk controls, documentation of strategies and risk controls for each algorithm, documentation of the algorithmic trading system architecture and the kill-switch procedure for the cessation and re-starting of algorithmic trading. Firms should consider revisiting the work they have undertaken in relation to MiFID II process implementation to ensure that the specific headings set out by the PRA are included.
- Risk Management and Other Systems and Controls function: each firm’s risk management function (independent of Front Office) and other systems and controls functions need to understand and have oversight of the risks of algorithmic trading. The PRA would expect these functions to have the authority and expertise to challenge Front Office and to impose whatever additional risk controls are necessary for effective risk management. In its Supervisory Statement, it would be useful for the PRA to clarify whether “independent of the front office” requires this risk management function to be in the second line of defence or whether it can be a first line control function provided it is independent of the algorithmic trading desks. Those responsible for operations and settlements also need to ensure that the system capacity aligns with post-trade processing capacity. The internal audit function should ensure that reviews of algorithmic trading activities are covered in its audit plans.
For non-EEA firms operating in the UK through a branch, the PRA will continue to consider the home regulator’s approach to internal governance and controls, though the proposed amendments to the PRA’s approach to branch authorisation and supervision set out a number of expectations on risks stemming from algorithmic trading.
The PRA’s consultation will close on Monday 7 May and it intends that the provisions should apply from 30 June 2018. The FCA and PRA will continue to work together to ensure a coordinated approach.