The Securities and Exchange Commission (the “SEC”) has adopted Rule 15c3-5 (“Rule 15c3-5” or the “Rule”) under the Securities Exchange Act of 1934, restricting trading arrangements commonly called “sponsored access” or “direct market access.” Rule 15c3-5 imposes regulatory requirements and restrictions on broker-dealers that are members of a national securities exchange or an alternative trading system (“ATS”, and collectively with the exchanges, the “markets”) who allow their customers (including customers who are themselves broker-dealers) to access the market under the member’s identification.1 The provisions of the Rule will apply as well to proprietary transactions for the broker-dealer’s own account and traditional agency transactions, which are routed directly to a market,2 though the primary focus of the Rule is to regulate the provision of market access to customers.
The principal requirement of Rule 15c3-5 is that any broker-dealer providing market access must establish and enforce risk management controls and supervisory procedures designed to ensure that the customers’ transactions (i) are within credit and capital thresholds, (ii) are not erroneous, and (iii) do not violate any applicable regulatory requirements. Significantly, these risk management controls must be under the “direct and exclusive control” of the broker-dealer.
We believe that the implementation and maintenance of these controls and procedures are likely to be both more difficult and expensive than the Adopting Release suggests. Moreover, as we have previously seen with respect to other open-ended regulatory requirements, such as the continuing education rule,3 anti-money laundering requirements4 and provisions around establishing, maintaining, reviewing, testing and modifying written compliance policies and supervisory procedures,5 over time, FINRA, though its identification of best practices, focused examinations and targeted enforcements actions, can use Rule 15c3-5 as a wedge to greatly expand the scope of what it believes is reasonably required of broker-dealers that provide market access to customers and other broker-dealers.
I. Procedural History
Rule 15c3-5 was proposed on January 19, 2010,6 contemporaneously with the January 13, 2010 approval of similar revisions to The NASDAQ Stock Market LLC (“Nasdaq”) Rule 4611 (“Rule 4611”).7 Rule 4611 was adopted on an accelerated basis8 but its effectiveness has been delayed and is currently scheduled for January 8, 2011.9
The SEC voted unanimously to adopt Rule 15c3-5 on November 3, 2010.10 While Rule 15c3-5 will become effective on January 14, 2011,11 firms will not have to comply with it for an additional six-month period ending July 14, 2011.12
Nasdaq indicated that it intended to revisit Rule 4611 once Rule 15c3-5 was finalized.13 It is our expectation that Nasdaq will (i) amend Rule 4611 to conform it to Rule 15c3-5 and (ii) further delay its effectiveness to coincide with the extended compliance date of Rule 15c3-5. If it does not do so, firms would have to comply with Rule 4611 on January 8, 2011, six months prior to the compliance date for Rule 15c3-5. We expect (or at least hope) that Nasdaq will extend the date on which firms must begin complying with Rule 4611 to match the SEC’s timetable.
II. Market Access
Rule 15c3-5 recognizes two types of market access arrangement whereby a broker-dealer allows one of its customers to use its marketplace participant identifier (“MPID”) to electronically access and enter orders into a market. In a “direct market access” arrangement, the customer’s orders flow though the broker-dealer’s trading systems, such that the pre- and post-trade processes are administered and controlled solely by the broker-dealer whose MPID is used.14 In a “sponsored access” arrangement, the customer routes the orders directly to market, wholly bypassing the sponsoring broker-dealer’s systems.15
The SEC underscores the broad definition of “market access” in Rule 15c3-5, which is meant to encompass any transaction executed by a broker-dealer “as a member of an exchange or subscriber to an ATS, whether for its own proprietary account or as agent for its customers, including traditional agency brokerage and through direct market access or sponsored access arrangements.”16
A particular target of the Rule is so-called “naked access,” a sub-species of sponsored access provided to the customer without any pre-trade risk management controls by the broker-dealer.17 This practice will be completely prohibited by Rule 15c3-5. The SEC points out that sponsored access and naked access account for 50% and 38% respectively of overall average daily trading volume in the U.S. equities market.18
III. Requirements of Rule 15c3-5
Rule 15c3-5 requires that all orders entered by a customer using a market access arrangement must pass through a system of risk management and compliance controls designed and maintained under the sponsoring broker-dealer’s direct and exclusive control. In addition, the sponsoring broker-dealer is required to document this system, and maintain a set of supervisory procedures as part of its books and records. The controls and procedures must address the following objectives:
- enforce financial risk constraints19 on the customer’s activity (i.e., credit limits, position concentration limits, and the like);
- prevent orders with clearly erroneous terms and duplicative orders;20
- enforce compliance with pre-trade and certain post-trade21 regulatory requirements22 and prevent trades in securities that the broker-dealer or customer is restricted from trading;
- ensure that the trade is input by an authorized user of the customer; and
- forward execution data to the broker-dealer’s surveillance personnel.
(A) Direct and Exclusive Control
Two additional aspects of Rule 15c3-5 deserve attention. The first is the requirement of the broker-dealer’s “direct and exclusive control” over the risk management controls and supervisory procedures.23 In the Adopting Release the SEC states that it expects the sponsoring brokerdealer24 to exercise control over not just the conduct of the risk management system, but also over its design.25 Specifically, the SEC would allow the broker-dealer to use a third party service provider only for the initial construction and subsequent routine maintenance and upgrades of the system, provided (i) the broker-dealer performs due diligence to ensure the system’s continued effectiveness, (ii) the broker-dealer is the only entity with the capability to adjust the system,26 and (iii) the third-party service provider is independent of the customer.27 The SEC defines independence in this context broadly, capturing both traditional affiliation (controlled, controlling, or under common control) as well as third parties who have “a material business or other relationship with the customer”.28
An additional important implication of the prohibition on using affiliates of the customer in developing the risk management controls is the problem of using pre-existing systems that had been developed in a manner inconsistent with Rule 15c3-5. To illustrate this problem, let us posit an integrated financial services institution (“XYZ”). If XYZ broker-dealer is providing market access to a customer controlled by XYZ investment advisor, would XYZ broker-dealer be required to scrap existing controls that meet in whole or in part the requirements of clauses (b) and (c) of the Rule, if these controls had been developed by technology personnel employed by XYZ parent company, an affiliate of the customer?29 The answer is unclear on the words, although one potential commonsense solution in our judgment would be for the broker-dealer’s own technology staff to re-evaluate and document the existing systems, either on its own or with the assistance of an independent third party.30
(B) Periodic Assessment and CEO Certification
Finally, Rule 15c3-5 will require sponsoring broker-dealers to conduct periodic assessments, no less frequently than annually, of the effectiveness of the risk management controls and supervisory procedures. Additionally, the Chief Executive Officer (“CEO”) of the broker-dealer will be required to certify annually that the risk management controls and supervisory procedures comply with the requirements of the Rule on the basis of the periodic review. The CEO certification would be retained as part of the broker-dealer’s books and records.31 The SEC would allow broker-dealers to include the Rule 15c3-5 certification into the same document as the certification pursuant to FINRA Rule 3130, which requires a FINRA member’s CEO to complete an annual certification of its compliance and supervisory processes.32
While CEO certification of a firm’s entire compliance process, which is required by FINRA Rule 3130, may, perhaps, find justification in the significance of that process and in the fact that the certification extends only to the process and not the particulars of the compliance program, extending the CEO certification requirement in the manner of Rule 15c3-5 is a troubling precedent. This is particularly so given that the CEO certification required by Rule 15c3-5 extends not just to the relevant process but to the effectiveness and compliance of the controls themselves. In defending this aspect of the Rule, the SEC noted that such an approach was warranted because “the potential risks associated with market access and the dynamic nature of both the securities markets and the business of individual broker-dealers” made it critical that the most senior member of a broker-dealer’s responsibility be charged with the “responsibility to review and certify the efficacy of its controls and procedures at regular intervals.”33 Moreover, the SEC believes that the certification requirement would help assure the effectiveness of the controls contemplated by Rule 15c3-5 and “serve to bolster broker-dealer compliance programs, and promote meaningful and purposeful interactions between business and compliance personnel.”34 As the foregoing rationales can be applied to a host of issues, it remains to be seen whether this is a one time approach by the SEC or something firms can expect to see more.
* * * *
In response to the enactment of Rule 15c3-5 and Rule 4611, each broker-dealer that uses or provides market access should consider:
- whether existing risk management and compliance controls are compliant with Rule 15c3-5 generally, including the requirement that the controls be designed under the broker-dealer’s direct and exclusive control;
- the need for operational or technology fixes to existing systems;
- the need for amendments or revisions to existing market access agreements with third parties;
- whether the broker-dealer’s existing supervisory procedures are sufficient for purposes of Rule 15c3-5;
- whether sufficient personnel with the appropriate technology and other skill sets reside within the broker-dealer, such that the broker-dealer will be able to comply with Rule 15c3-5 on a going forward basis; and
- the need for additional training of staff with new or expanded responsibilities.
Of course, broker-dealers that provide market access to third parties should keep their customers informed of any changes they may face, while also providing them with sufficient time to make any changes needed as a result of any changes made by the broker-dealer.
Broker-dealers should be careful to document each of the above steps in anticipation of regulatory reviews and in order to support the CEO’s certification and the required annual audit.
For their part, all institutional investors, but especially high frequency trading firms and other investors that engage in extreme low latency trading, should begin discussions with their market access providers with respect to the impact Rule 15c3-5 may have on the market access they currently employ. Investors should also begin to consider whether it might make sense to explore alternative arrangements. Moreover, to the extent Rule 15c3-5 may be considered an advantage to a broker-dealer’s own order flow over that of customers that route through it, low latency trading firms may want to consider forming their own, affiliated brokerage firm.