The finance industry is becoming increasingly automated with many banks and financial institutions using or interacting with algorithms. The number of trading algorithms has significantly increased in recent years. This trend is driving efficiencies, lowering costs and enabling firms to gain a competitive advantage. However, there is now a heightened regulatory focus with specific requirements over algorithms to ensure accountability and fairness in their use.
Algorithms that fall under the purview of the Article 17 MiFID II requirements could be client facing, assisting or recommending financial instruments to be purchased or sold and/or executing orders themselves on behalf of clients or the firm. RTS 6 requires firms that engage in algorithmic trading activity to perform a Self-Assessment and validation process annually [1]. Since the implementation of MiFID II in January 2018, many firms have completed or are in the process of completing their first round of Annual Self-Assessments.
The scope of RTS 6 is broad and applies to firms that fall under the definition of an investment firm within MiFID II [2]. It should be noted that the exemptions that insurers, emissions operators/dealers, CIUs and own account commodity dealers are usually granted under MiFID II will not apply if they are members or participants of regulated markets or MTFs [3]. Furthermore, RTS 6 also defines and differentiates between investment decision and order execution algorithms [4].
Against this backdrop of regulatory requirements and complexity in its interpretation, our team has worked alongside industry-leading market participants to help them navigate through the Annual Self-Assessment, gaining an insight into the challenges surrounding the process and designing an approach to overcome them.
Key Areas of Challenge
There have been a number of challenges faced by firms throughout the Self-Assessment. In our view, many firms have faced issues when embarking on the Annual Self-Assessment in terms of distinguishing between their responsibilities to separately assess, validate and audit their algorithmic trading controls. Identifying appropriately skilled resources across the three lines of defence has also been a key issue.
In the context of these challenges, our Algorithm Assurance team has detailed below a high-level view on how firms should approach the Annual Self-Assessment across the key stages of planning, assessment, validation and audit.
The planning phase is crucial to ensure that across the firm all functions understand their responsibilities and are agreed on the timeline and scope of the Self-Assessment process. If not done properly, there is a risk that an inconsistent approach is applied across business lines which could delay the completion of the validation report and require elements of the assessment process to be revisited.
The Business, Compliance, Risk Management function and Internal Audit should convene before the Self-Assessment process commences and agree on the following:
- The period being assessed and the assessment date.
- Key definitions to be agreed, allowing all stakeholders to understand what is in scope.
- The timing of the Self-Assessment, validation report, audit procedures, audit report and any relevant approvals.
- The scope: which algorithms and legal entities are regulated by MiFID II and will form part of the annual Self-Assessment and which articles of the regulation apply (for example, is the firm a Direct Electronic Access ‘DEA’ provider thus making the DEA requirements in RTS 6 applicable?).
- Roles and responsibilities of each stakeholder in the process.
- The format of the validation report.
- The level of evidence and testing required. For example, will this include testing for operating effectiveness of controls over the period?
- Control Owners and approvals: who will be signing off on the Self-Assessment (e.g. will this require Senior Manager sign-off?) and validation report (e.g. Head of Risk or Risk Committee?).
Planning is an important step to guide the path forward, but the planned approach (and timelines) must remain flexible enough to accommodate the inevitable issues and challenges that arise during execution of the work, which may require certain elements of planning to be reassessed.
Self-Assessment (performed by Control Owners):
The Assessment phase is similar to other traditional Internal/External Audit processes across the bank. Control Owners will have to attest to compliance and agree remediation if deficiencies have been identified. Key considerations in this phase are listed below:
- Each function should attest to their compliance with the requirements relevant to that function for RTS 6, 8 & Article 17 of MiFID II.
- Each function should maintain appropriate evidence regarding operation of key controls and provide evidence of this to the Risk Management function.
- Where non-compliance has been identified, key stakeholders must be consulted to agree appropriate remedial action and document this in the report.
- The Self-Assessment must also include consideration of factors in Annexure I (i.e. nature, scale and complexity).
During this phase of work it is also important to keep in mind the independence of each function as part of the Self-Assessment process. If there is substantial support from the validation team in producing the Self-Assessment, there will likely be challenges raised (e.g. by Audit) regarding the ability of that same team to then validate the assessment.
Validation (performed by the Risk Management Function):
RTS 6 Article 9(2) ascribes responsibility to the Risk Management function for drawing up the validation report. However, from a practical perspective we have seen Business Control, Op Risk and/or Compliance undertake the validation review of the Control Owner’s compliance statements. In our experience the Risk Management function often disagrees with the initial conclusion, due to a lack of clarity on up-front definitions or the process applied in executing the work. It is also necessary for the Risk Management function to determine what additional steps need to be taken to ensure compliance. Key considerations for the validation phase are summarised below:
- Validation should be in the form of a design effectiveness or operating effectiveness test of key controls. We have noted through our discussions with firms that the extent of testing remains an area of inconsistency across the market. Evidence of the functioning of the control should be reviewed to assess whether the Risk Management function agrees with the Control Owner’s conclusion, providing challenge where necessary.
- For items assessed as non-compliant, there should be an assessment to ensure that the documented remedial action is sufficient to remediate any issues identified.
- Where additional non-compliance has been identified, appropriate remedial action must be agreed.
- In assessing the conclusions for each article, the Risk Management function should also assess any existing remediation plans and whether these indicate compliance or non-compliance with the relevant requirements.
- The validation report should include an overview of the validation approach, extent of testing and procedures performed. It should also include a conclusion detailing underlying evidence inspected to support the validation report.
The Internal Audit function then takes the next step in the process. This is essentially to provide oversight over the validation report that the Risk Management function has produced, ensuring that the governance and conclusions reached are valid. They also perform a final check to ensure that all instances of non-compliance have been linked to appropriate remedial actions. Key considerations that should be included for the scoping and execution of this work by Internal Audit are:
- Article 9(3) of RTS 6 states that Internal Audit are required to audit the validation report. However, there is no further guidance on how this audit should be performed. In practice we have noted that this typically entails an audit of the Risk Management function’s process to validate the Self-Assessment conclusion for each article, including a review of the validation strategy and the appropriateness of the extent of procedures performed.
- A review of the governance around the process, i.e. was the scope, timing and approach approved by the appropriate individuals / governing bodies and have the Self-Assessment results and validation report been signed off by the appropriate individuals (e.g. senior managers)?
- A review of the validation conclusions reached should be conducted by re-performing the validation procedures for a sample of higher risk areas. To avoid duplication of effort, this could include reliance on audits which were completed during the period.
- Ensuring that all non-compliance areas, identified as part of the Self-Assessment and validation process, have been linked to approved remedial action and this has been communicated to the Compliance function.
The MiFID II RTS 6 Annual Self-Assessment process can be seen as a robust approach in helping to ensure that financial institutions which fall under its scope are continuously assessing their controls around algorithmic trading. The power of automation in the financial services sector cannot be overstated, with flash crash scenarios over the past decade demonstrating the disruption that rogue code or ineffective controls can cause.
Up-front planning is critical to ensure roles and responsibilities, definitions, timelines and approach are agreed in the first instance. Internal Audit should be engaged early and agree on scope, approach, format and content of the validation report. It is our view that the road to full implementation will take some time, as resourcing and the interpretation of regulations across in-scope businesses remain challenges and will do so for the foreseeable future.
Deloitte have strong and extensive experience in various aspects of the Self-Assessment process and are able to guide financial institutions through a process that may seem onerous and complex at the outset. If you would like to discuss the MiFID II Annual Self-Assessment or any other areas of algorithmic trading risk and control, please do get in touch.
[1] RTS 6 MiFID II Article 9(1).
[2] Article 4 (1) MiFID II: “Any person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis”.
[3] Article 17(1) MiFID II.
[4] Investment decision algorithms that do not initiate orders or the timing, price or quantity of an order do not fall within the scope of MiFID II. However, the FCA has stated best practice would subject these algorithms to the same standard of controls as within MiFID II.