RegTech Intelligence 
By Sam Tyfield and JWG.
Here algo again … Yesterday, ESMA published a notice stating that supervision of automated trading across the EU (in compliance with the ESMA guidelines from 2012) was converging. We found that interesting – a closer look at the BaFin’s rules versus those MiFID II/R creates would appear to show less convergence than the headline might indicate.
Those of you active in the German market will recall that, in January 2015, the German regulator published a circular, for German algorithmic trading firms and DMA/SA providers, setting out organisational requirements which have not been widely publicised and do differ in some significant respects from the RTS on which ESMA consulted and the text of MiFID II itself. The requirement to identify DMA end-users BY NAME and the due diligence a DMA/SA provider must do on its clients’ algos are described in a bit more detail below.
BaFin circular 6/2013 (BA) – ‘Requirements for systems and controls for algorithmic trading of institutions’ includes obligations on all firms which are providing DMA/SA to others. Also, the “requirements are not limited to trading on regulated markets or multilateral trading facilities. Algorithmic trading on all trading venues and over-the-counter transactions are also included”.
The circular also states that it is transposing into German law the ESMA guidelines on systems and controls.
Here are a few important points to observe/reiterate for those providing (and receiving) DMA/SA to German markets – note the bold highlights:
Direct market access (DMA) is an arrangement through which an institution that is a member/participant or user of a trading venue permits specified clients (including eligible counterparties) to transmit orders electronically to the institution’s internal electronic trading systems for automatic onward transmission under the institution’s trading ID to a specified trading venue
and
[DMA providers] shall conduct due diligence on clients using direct market access and/or sponsored access, as appropriate to the risks posed by the nature of the clients, the scale and complexity of their prospective trading activities and the service being provided. Due diligence shall be conducted before providing market access, be risk-orientated and be repeated within a reasonable period of time. Due diligence procedures should include at least the following aspects:
a. reviewing the skill and training of the employees of the client who enters the orders* (this also applies to the business continuity plan in chapter 4.2). In the case of fast algorithmic trading, the institution shall conduct individual training seminars for the employees;
b. access controls over order entry;
c. allocation of responsibilities for the settlement of transactions;
d. dealing with errors, the historical trading pattern/behaviour of the client;
e. ability of clients to meet their financial obligations to the institution;
f. sufficiently accurate knowledge about the client, with whom the institutions has maintained a sufficiently long and intense relationship. A period of approximately one year may be considered adequate. The institution shall be able to assess whether the client is reliable and able to comply with all relevant legal and regulatory requirements as well as the requirements arising from contracts signed between the institution, the client and the trading venue;
g. prior controls and understanding of the trading systems, understanding how the clients develop and use algorithms, and analysis of the clients’ risk management, including the ability of the clients to monitor their own activities in real time with regard to solvency and liquidity risks.
and
The [DMA providers] shall be able to halt trading with certain algorithms and if necessary halt all trading of the client at short notice (in line with the business continuity plan specified in chapter 4.2 and in the case of suspicion of suspected market manipulation). The institution shall use its flagging concept (see item 17).
and
If [a DMA provider] uses direct market access or sponsored access through other institutions, also foreign institutions, it shall be able to transmit the names of the clients or traders who corresponds to the respective order.
So, in ESMA’s view, although the regulation of automated trading remains a challenge in some areas (including cyber-security), there is widespread compliance with the ESMA guidelines across the EU. But it’s pretty clear from Germany’s example that each DMA/SA provider and user is going to need to examine its current documentation and determine whether it is (a) currently compliant and (b) future-proof.
This is just one of the many MiFID II implementation challenges JWG will be covering in our MiFID II implementation training on 24 March in London. We have 3 spare seats so shout ASAP if you want access to the 18 months of MiFID II implementation research we have conducted with dozens of top firms.
To learn more about our MiFID II offerings and how we approach training, please get in touch and don’t forget to join our MiFID II LinkedIn group to be part of the online dialogue.
(* not such an issue as Eurex already has its trader exams)