At the turn of the century, the framers of the UK’s financial infrastructure rulebook enshrined four fundamental concepts into systems and controls practice. The rulebook in question is the Financial Services and Markets Act 2000 (FSMA), which created the FSA. (The FSA was then subsequently split into the FCA and the PRA in 2013.) In line with FSMA, a firm must:
| UK PRIN 3 wording | In practice |
|---|---|
| take reasonable care to … | Use a high standard as measured by industry practice, regulatory guidance or a firm’s own process |
| … organise and control its affairs … | Allocate and properly describe jobs, manage people, track management information |
| … responsibly and effectively … | It works and is fit for the job at hand |
| … with adequate risk management systems | Risks are mapped, measured and managed |
In simple terms, UK firms need to know, and spell out, what ‘good looks like’. Nowhere does it say precisely who is the keeper of good but, generally, we can presume it is either within a risk function, compliance or other form of second line of defence.
Complicating things further, Europe’s view of what ‘good looks like’ also needs to be taken into account. MiFID II, while maintaining some of this original focus, is set to impact more substantially on firms’ systems and controls. This is because MiFID II is mandating much more expansive systems and risk controls across trading operations.
Under MiFID II, systems and risk controls will be required for any ‘risky activity’. For these purposes, ESMA regards risky activities as algo trading, in particular HFT, any trades conducted through DEA, firms acting as any kind of recognised trading venue (remember this now includes a much wider scope) and firms acting as general clearing members.
And yet, it is not at all clear whether these controls belong to risk, compliance or even in the ‘first line of defence’, i.e., the business itself. Evidently, MiFID II has the potential to create a crisis of risk ownership within a firm itself.
ESMA’s discussion paper does refer back to the CEBS operational risk management guidelines, and this grounding in the familiar is sure to offer some comfort to risk specialists. But ESMA goes much further than simply referring back to these principles and it is clear from both their discussion and consultation papers that they feel strongly that the best course of action is to move away from principles towards a much more prescriptive set of controls. As a consequence, the question is how can firms manage very granular risks in any way other than giving them to the front line?
There are two separate issues in the ownership debate, management of systems and risk controls on the one hand (e.g., whose finger is on the kill button) and the production of documentation on the other (e.g., who runs the reports on how well we are killing). How these two separate, but intertwined, issues can ultimately be divided between risk and compliance, as well as potentially the front-office, is a complex question – for which the answer will be different in each firm.
There will be concerns that the emphasis on granularity and very specific controls could have both unpredictable and undesired effects. What is expected, however, is that the necessary systems rebuilds will be painful. There will be further worries about the creation of a two-, perhaps even three-, tiered system to control risk, since some of the requirements that ESMA sets out in the discussion paper directly conflict with both the aforementioned CEBS guidelines and other regulations, such as EMIR.
For example, in several instances, ESMA sets out the need for twice-yearly reviews of systems and risk controls, notably in relation to HFT kill buttons and trading venue self-assessment requirements. These requirements cut directly across the annual reviews which many firms will already have in place in line with the CEBS operational risk guidelines. Furthermore, the grey areas regarding overlap between MiFID II and EMIR, as well as countless other regulations, have been much discussed, particularly in terms of documentation.
Because many of the MiFID II implementation issues cut across the ways in which firms operate, in a lot of cases there will be no obvious owner, especially since risk is generally controlled holistically. As an example, the tagging of algos could well become a debate of risk versus compliance versus front office, with responsibility passed around between the three, especially since ownership of regulatory problems is hardly the most desirable of possessions.
This means that there are some tough decisions for firms to make before the substantial implementation work even begins. How these sorts of issues will be resolved by firms remains far from clear, but those who deal with them most effectively and quickly will be reaping the benefits come 2017.
The embers are now cooling in this initial consultation period, and it was apparent from ESMA’s public hearing on MiFID II in Paris this month that language and attitudes are hardening quickly. The imperative for firms must be to begin focusing on implementation planning, and a key initial part of this will be to solve the risk versus compliance problem. One thing is certain, there is no easy answer but this is sure to be a hot topic for debate in London on 23 September at the Capital Markets Forum. Book now to get your early bird discount.