The finance industry is becoming increasingly automated with many banks and financial institutions using or interacting with algorithms. The amount of trading algorithms has significantly increased in recent years. This trend is driving efficiencies, lowering costs and enabling firms to gain a competitive advantage. However, there is now a heightened regulatory focus with specific requirements over algorithms to ensure accountability and fairness in their use.
Algorithms that fall under the purview of the Article 17 MiFID II requirements could be client facing, assisting or recommending financial instruments to be purchased or sold and/or executing orders themselves on behalf of clients or the firm. RTS 6 requires firms to annually perform a Self-Assessment and validation process where firms engage in algorithmic trading activity1. Since the implementation of MiFID II in January 2018 many firms have completed or are in the process of completing their first round of Annual Self-Assessments.
The scope of RTS 6 is broad and applies to firms that fall under the definition of an investment firm within MiFID II2. It should be noted that the exemptions that insurers, emissions operators/dealers, CIUs and own account commodity dealers are usually granted under MiFID II will not apply if they are members or participants of regulated markets or MTFs3. Furthermore, RTS 6 also defines and differentiates between investment decision and order execution algorithms4.
Against this backdrop of regulatory requirements and complexity in its interpretation our team has worked alongside industry leading market participants to help them navigate through the Annual Self-Assessment, gaining an insight into the challenges surrounding the process and designing an approach to overcome them.
There have been a number of challenges faced by firms throughout the Self-Assessment. In our view, many firms have faced issues when embarking on the Annual Self-Assessment in terms of distinguishing between their responsibilities to separately assess, validate and audit their algorithmic trading controls. Identifying appropriately skilled resources across the three lines of defence has also been a key issue.
In the context of these challenges our Algorithm Assurance team has detailed below a high level view on how firms should approach the Annual Self-Assessment across the key stages of planning, assessment, validation and audit.
The planning phase is crucial to ensure that across the firm all functions understand their responsibilities and are agreed on the timeline and scope of the Self-Assessment process. If not done properly, there is a risk that an inconsistent approach is applied across business lines which could delay the completion of the validation report and require elements of the assessment process to be revisited.
The Business, Compliance, Risk Management function and Internal Audit should convene before the Self-Assessment process commences and agree on the following:
Planning is an important step to guide the path forward, although it is also necessary to allow for flexibility in the planned approach (and timelines) to allow for inevitable issues and challenges that may arise throughout the execution of the work that may require certain elements of planning to be reassessed.
The Assessment phase can be observed as being similar to other traditional Internal/External Audit processes across the bank. Control Owners will have to attest compliance and agree remediation if deficiencies have been identified. Key considerations in this phase are listed below:
RTS 6 Article 9(2) ascribes responsibility to the Risk Management function for drawing up the validation report. However, from a practical perspective we have seen Business Control, Op Risk and/or Compliance undertake the validation review of the Control Owner’s compliance statements. In our experience the Risk Management function often disagrees with initial conclusion, due to a lack of clarity on up front definitions or the process applied in executing the work. It is also necessary for the Risk Management function to determine what additional steps need to be taken to ensure compliance. A summary of key considerations for the validation phase are highlighted below:
The Internal Audit function then takes the next step in the process. This is essentially to provide oversight over the validation report that the Risk Management function has produced, ensuring that the governance and conclusions reached are valid. They also perform a final check to ensure that all instances of non-compliance have been linked to appropriate remedial actions. Key considerations that should be included for the scoping and execution of this work by Internal Audit are:
The MiFID II RTS 6 Annual Self-Assessment process can be seen as a robust approach in helping to ensure that financial institutions which fall under its scope are continuously assessing their controls around algorithmic trading. The power of automation in the financial services sector cannot be understated, with flash crash scenarios over the past decade demonstrating the disruption that rogue code or ineffective controls can cause.
Up-front planning is critical, to ensure roles and responsibilities, definitions, timelines and approach are agreed in the first instance. Internal Audit should be engaged early and agree on scope, approach, format and content of the validation report. It should be noted that It is our view that the road to full implementation will take some time, as resourcing and the interpretation of regulations across businesses in scope are challenged which will remain for the foreseeable future.
Deloitte have strong and extensive experience in various aspects of the Self-Assessment process and are able to guide financial institutions through a process that may seem onerous and complex at the outset. If you would like to discuss the MiFID II Annual Self-Assessment or any other areas of algorithmic trading risk and control, please do get in touch.
1RTS 6 MiFID II Article 9(1)
2Article 4 (1) MiFID II: “Any person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis”
3Article 17(1) MiFID II
4Investment decision algorithms that do not initiate orders or the timing, price or quantity of an order do not fall within the scope of MiFID II. However, the FCA has stated best practice would subject these algorithms to the same standard of controls as within MiFID II