The FCA and the PRA have both published papers on algorithmic trading.

The FCA’s paper is a report on algorithmic trading compliance in wholesale markets, based on thematic reviews and MiFID II requirements. It sets out examples of good and poor practice.

The PRA paper is a consultation paper (responses due by 7 May 2018) setting out the PRA’s proposed expectations regarding firms’ governance and risk management of algorithmic trading. The PRA’s intention is that the final version of its supervisory statement on algorithmic trading would then apply from 30 June 2018.

To a large extent, the expectations of the FCA and the PRA are predictable and should be capable of being met through good governance, risk management and other controls.

However, it is clear from the results of the thematic reviews undertaken by the FCA and PRA in this area that not all firms have adequate governance and controls in place around:

• Identifying, documenting and reviewing all the areas where a firm undertakes algorithmic trading activities;
• Developing, testing and approving trading algorithms prior to their full deployment;
• The roles of risk management and compliance; and
• The use of ‘kill-switch’ control procedures.

Moreover, the PRA’s proposed supervisory statement and the FCA’s statements of good practice go beyond the minimum requirements of MiFID II in some respects, including:

• Clarification that all algorithms, including those of third parties, would have to be tested prior to deployment;
• Firms would need to have a single and comprehensive inventory of all algorithms and risk controls, reviewed and refreshed annually;
• Risk management and other control functions would need to have a good understanding of, and the ability to challenge and restrict trading through, algorithmic trading;
• Risk management would be expected to assess intra-day exposures stemming from algorithmic trading activity;
• Algorithmic trading risks would be expected to be incorporated in firms’ stress tests, or covered in stand-alone stress tests;
• Algorithmic trading requirements would extend to unregulated markets, in particular for spot FX trading; and
• Firms would be expected to take account of the impact of algorithmic trading on market integrity more generally, not just on whether a firm meets the narrower requirements on market abuse.

Finally, the FCA and the PRA draw a helpful distinction between the expectation of Boards (to approve the risk governance framework for algorithmic trading) and of senior management (to understand algorithmic trading), while the PRA also proposes that for firms with significant algorithmic trading activity there is a specific Senior Management Function with responsibility and accountability for algorithmic trading.

1. Defining algorithmic trading – firms should establish an appropriate process to identify algorithmic trading, manage ‘material changes’, and maintain a comprehensive inventory of algorithmic trading across the business.

Good practice here includes firms that conduct extensive reviews (consulting all aspects of the business) to consider how trading algorithms are used within the firm; develop appropriate definitions; ensure that relevant activities are captured across the whole business; and create a detailed and documented inventory across the business.

2. Development and testing – firms should maintain robust, consistent and well understood development and testing processes which identify potential issues across trading algorithms prior to full deployment.

Good practice here includes firms that maintain a robust development and testing process; have checkpoints throughout the development and testing process with a full review at the end of each stage; have detailed staging and scheduling plans; and have established procedures to identify issues during the deployment process to determine and record whether any material or significant changes are required.

3. Risk controls – firms should develop suitable and robust pre- and post-trade controls to monitor, identify and reduce potential trading risks across algorithmic trading activity.

Good practice here includes firms that maintain and review detailed controls at multiple levels, with oversight by an independent risk function; that conduct extensive control monitoring with dedicated teams in place; and that have committees (with representatives from areas such as trading, client coverage, compliance and risk) to conduct regular reviews of control levels.

4. Governance and oversight – firms should maintain an appropriate governance and oversight framework that demonstrates effective challenge from senior management, risk management and compliance on algorithmic trading activities.

Good practice here includes firms where algorithmic trading is fully understood by senior management, who play a key role in providing challenge across the business; risk functions that are well versed in the expected behaviours of the algorithmic trading strategies employed and understand the technology risks involved; and compliance functions that conduct a comprehensive gap analysis of their ability to supervise algorithmic trading activity and, if appropriate, establish new roles/responsibilities to focus on this activity.

5. Market conduct – firms should consider the potential impact of their algorithmic trading on market integrity, monitor for potential conduct issues and reduce market abuse risks.
Good practice here includes firms that include specific provisions within the approval process to consider the potential impact of algorithmic trading strategies, not only on market abuse but on market integrity more widely; and that develop (or use third party) dynamic testing environments.

The PRA proposals are based on a cross-firm review carried out by the PRA between November 2014 and March 2017, and also take account of the findings in the FCA report. Not surprisingly, there is some overlap with the FCA’s five key areas.

Governance – a firm’s governing body should explicitly approve the governance framework for algorithmic trading. The firm’s management body should understand the firm’s algorithmic trading and the risk controls viewed as most important to mitigate and contain the risks from algorithmic trading. A clear line of responsibility should be created through an identified Senior Management Function with responsibility and accountability for algorithmic trading.

Algorithmic approval process – firms should have a robust algorithm approval process with clear scope and conditions that would need to be met prior to approving an algorithm’s use. Prior to granting approval, each algorithm should have assigned owners, have completed testing (by all relevant functions) successfully, and any required risk controls should have been implemented.

The PRA also proposes that a firm should have manual and automated controls that stop trading or prevent user access, with manual intervention required to re-start trading (referred to as ‘kill-switch’ controls).

Testing and deployment – all algorithms and risk controls should be tested (by all relevant functions) prior to deployment and be subject to periodic re-validation.

Inventories and documentation – firms should create and maintain comprehensive inventories of algorithms and risk controls; and documentation that sets out each algorithm’s strategy and risk mitigants, kill switch control procedures and the algorithmic trading system architecture.

Risk management and other systems and controls functions – each firm’s risk management function and other systems and controls functions should understand and have oversight of the risks of algorithmic trading. These functions should have the authority and expertise to challenge front office and to impose on algorithmic trading whatever additional risk controls are necessary for its effective risk management.

Clive Briault is a Senior Advisor for the EMA Regulatory Centre of Excellence at KPMG in the UK. He has extensive experience  in financial services regulation and supervision, having spent 18 years at the Bank of England and 10 years at the FSA.