MiFID II RTS 6 – 5 years on: What have we learned?

MiFID II investment firms engaged in algorithmic trading activities must perform an annual self-assessment to demonstrate compliance with RTS 6 requirements. Due to the exercise's nature and the scope covered by the requirements, input from several functions is necessary, which can put pressure on firms' resource needs.

In September 2021, the European Securities and Markets Authority (ESMA) published a final report on algorithmic trading, proposing a reduction in the frequency of the self-assessment review from annual to biennial. However, no further legislative steps have been taken at the European level to finalize such plans.

We have been working with firms for many years, and for some, this year will mark their fifth self-assessment and validation review – a process that is now integrated into their regular procedures. Five years on, what are the key challenges faced by firms, and what lessons have been learned?

Many larger firms have adopted an approach where they leverage existing processes and artifacts (risk and control assessments, known control issues/deficiencies, existing policies/procedures) as the basis for the self-assessment report. They perform deep dives into specific topics covered by RTS 6 throughout the year, outside the MiFID II review.

Others use the self-assessment and validation review as an opportunity to delve into specific areas covered by RTS 6 by performing targeted and in-depth control testing specifically for the purpose of the self-assessment. This approach is less common and mostly preferred by smaller firms.

Due to the breadth of areas covered by RTS 6 requirements, the self-assessment review requires input from several functions. In some cases, this can lead to a lack of clarity regarding the roles and responsibilities of those involved in the process. Through numerous reviews we have supported, we have observed that this could result in a lack of accountability for those involved, missing information from relevant functions if they have not been involved, and inconsistency in the quality of evidence provided across functions and lines of businesses when applicable. This has downstream consequences for the challenge performed by the independent risk function and the internal audit function when reviewing the business's self-assessment and validation process.

Some firms document the roles and responsibilities of those involved in compiling and providing evidence for the self-assessment review, as well as attestations from senior management, to improve accountability and the quality of evidence. As the RTS 6 self-assessment and validation review becomes embedded, we note that such issues become less significant as all parties involved have more exposure and experience in carrying out the review.

Overreliance on existing policies/procedures – Firms sometimes quote existing policies and procedures to demonstrate compliance. However, they lack traceability from specific obligations through policy statements to implemented processes and/or controls.

Quality of evidence – Sometimes evidence of operating effectiveness is provided without accompanying context and reference to expected internal policies and procedures. Drawing conclusions from such evidence is hard at best and sometimes outright impossible.

Evidencing challenge and oversight – The challenge provided by the independent risk function should be evidenced, enabling internal audit to validate the effectiveness of the review.

As firms continue to embed the RTS 6 framework into their risk and control frameworks, small steps can be taken to improve overall governance and ensure an efficient and timely self-assessment and validation process.

If you wish to discuss this in more detail, please contact Lucas Ocelewicz and Julie Yvin.