The Financial Industry Regulatory Authority (“FINRA”) issued a regulatory notice (the “Notice”) in March 2015 that provides guidance on effective supervision and control practices for firms engaging in algorithmic trading strategies.1 Algorithmic trading strategies, which include high frequency trading (“HFT”) strategies (collectively “algorithmic strategies”), have become more prevalent in U.S. securities markets. As a result, FINRA believes the potential for these strategies to adversely impact market and firm stability has increased. To reduce the future occurrence of such potential issues, FINRA has provided guidance on effective supervision and control practices for member firms and market participants that use algorithmic strategies. These practices focus on five general areas: General Risk Assessment and Response; Software/Code Development and Implementation; Software Testing and System Validation; Trading Systems; and Compliance.
Background and Discussion
The FINRA Notice is one of seven FINRA initiatives on equity market structure and automated trading activities, including HFT.2 These initiatives are intended to increase the scope of trading information FINRA receives, provide more transparency into trading activities to market participants and investors, and require firms engaged in electronic trading and their employees to be trained, educated and accountable for their role in equity trading.
FINRA member firms that engage in algorithmic strategies are already subject to a number of existing Securities Exchange Committee (“SEC”) and FINRA rules governing their trading activities, including FINRA Rule 3110 (Supervision).3
FINRA believes that, in addition to satisfying specific requirements imposed on trading activity, firms have a fundamental obligation to supervise their trading activity to ensure that the activity does not violate any applicable FINRA rule or provision of the federal securities laws.4 The applicable rules and provisions include the following:
- FINRA Rule 5210 (Publication of Transactions and Quotations): Rule 5210 provides that “no member shall publish or circulate, or cause to be published or circulated, any ... communication of any kind which purports to report any transaction as a purchase or sale of any security unless such member believes that such transaction was a bona fide purchase or sale of such security; or which purports to quote the bid price or asked price for any security, unless such member believes that such quotation represents a bona fide bid for, or offer of, such security.” This rule prohibits activities such as fictitious quoting, spoofing5 and layering6 of quotes. This rule requires firms to have policies in place regarding “self-trades,” which are defined as “transactions resulting from the unintentional interaction of orders originating from the same firm that involve no change in … beneficial ownership.”
- FINRA Rule 6140 (Other Trading Practices): Rule 6140 contains several provisions intended to ensure the promptness, accuracy and completeness of last-sale information and prevent that information from being reported in a fraudulent or manipulative manner.
- FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade):Rule 2010 requires firms to observe high standards of commercial honor and just and equitable principles of trade.
Federal Securities Laws:
- SEC’s Market Access Rule (Securities Exchange Act Rule 15c3-5): This rule requires brokers and dealers that have market access,7 or that provide customers with market access, to maintain a system of risk management controls and supervisory procedures that are reasonably designed to manage the financial and regulatory risks related to market access.8
- SEC Regulation NMS: Regulation NMS includes multiple provisions regarding the national market system that affect a firm’s trading activity.9
- SEC Regulation SHO: Regulation SHO establishes a set of requirements regarding a firm’s ability to sell securities short. 10 The rule requires firms to maintain policies designed to prevent short sales in a covered security that has declined 10 percent or more from the prior day’s closing price.
In light of market-impacting events related to technology issues in the past several years,11 there has been a recent focus on whether the current regulatory framework provides sufficient protection against the occurrence of technology failures by market participants. In particular, there is growing regulatory concern in instances where the failures can have a systemic impact on highly automated and interconnected markets. Regulators like FINRA and the SEC have considered if additional steps are necessary to mitigate the risks of the reoccurrence of such events in the future.
Most recently, the SEC adopted Regulation SCI with the stated intent of strengthening the technological infrastructure of key market participants. Although Regulation SCI applies primarily to self-regulatory organizations and alternative trading systems (“ATSs”) and not to broker-dealer algorithmic trading activity, the SEC stated that it could, in the future, seek comment on whether to expand the scope of Regulation SCI to also include broker-dealer operations.12
Guidance in the FINRA Notice regarding firms’ responsibilities for their algorithmic strategies is consistent with the SEC’s fundamental approach in Regulation SCI (which requires that comprehensive policies and procedures be in place for certain technological systems and mandates the testing and review of those systems).
Over the past several years, FINRA has conducted examinations and investigations prompted by systems-related issues at firms engaged in algorithmic strategies, resulting in actions against some of these firms. The resulting actions revealed that some firms lack appropriate supervisory controls and procedures related to the creation, modification, usage and testing of trading algorithms for activity such as wash sales and excessive levels of message traffic. As a result of these reviews and working with member firms engaged in algorithmic strategies, FINRA has developed a list of suggested effective practices for such firms.
First and foremost, firms must have appropriate policies and procedures implemented to review and test any trading algorithms they use, including development, deployment and post-implementation monitoring of algorithmic strategies.
FINRA believes that firms’ implementation of the suggested effective practices may help to curb the future occurrence of unintended systems issues by firms engaged in algorithmic strategies. The list, however, is not intended to be an exhaustive list of steps firms should consider in conducting such activities. Likewise, a firm’s implementation of these effective practices would not necessarily suffice to satisfy its supervisory and other obligations that may arise under FINRA rules, the rules of other self-regulatory organizations, and SEC rules and regulations. To this end, the effective practices suggested by FINRA serve to complement, rather than supplant, existing obligations firms have under rules and regulations.
These effective practices focus on five main areas: General Risk Assessment and Response; Software/Code Development and Implementation; Software Testing and System Validation; Trading Systems; and Compliance.
FINRA’s Suggested Effective Practices for Firms Engaging in Algorithmic Strategies
I. General Risk Assessment and Response
When assessing the risk that the use of algorithmic strategies creates, firms should consider implementing a cross-disciplinary committee to assess and react to the evolving risks associated with algorithmic strategies. The most effective committees are those that include representation from areas outside of trading, such as those engaged in support and control functions within the firm.
II. Software/Code Development and Implementation
A firm’s supervisory efforts should focus on every stage of the development of algorithmic strategies and should not be limited to reviewing trading activity by algorithmic strategies after they have been put into production.13 Firms should consider the following strategies:
- Implementing a development and change management process that tracks the development of new trading code or material changes to existing code, which should include a review of test results and a set of approval protocols.
- Monitoring activity to assure algorithm development and change procedures are followed.
- Employing redundant system validations before introducing new or materially changed code into production.
- Archiving code versions in a retrievable manner for a reasonable period of time.
- Maintaining (at a minimum) a basic summary description of algorithmic strategies that enables supervisory, compliance and regulatory staff to understand the intended function of an algorithm without the need to resort to direct code review.
- Providing mechanisms by which the firm may quickly disable the algorithm or supporting platform.
- When implementing controls, accounting where necessary for the particular type or location of hardware as well as an algorithm’s destination trading center.
- Deploying new algorithmic strategies in a pilot phase of limited size.
- When deploying new code, maintaining heightened scrutiny of the impacted trading account, including real-time monitoring.
III. Software Testing and System Validation
Firms should consider the following testing strategies:
- Conducting testing to confirm that core code components operate as intended and do not produce unintended consequences.
- Establishing a quality assurance process with independent testing.
- Implementing and periodically evaluating test controls.
- Implementing data integrity, accuracy and workflow validation testing processes.
- Maintaining a record of testing protocols and results, including the remediation of defects.
- Conducting any significant testing in a development environment that is segregated from production.
IV. Trading Systems
A firm’s supervisory obligations continue after any algorithmic strategy is put into production. Firms should consider the following strategies:
- Implementing controls, monitors, alerts and processes that enable the firm to quickly identify whether an algorithm is experiencing unintended results that may indicate a failure.
- Periodically evaluating the firm’s controls and associated policies and procedures to assure that they remain adequate.
- Implementing a protocol to track and record significant system problems.
- Documenting and periodically reviewing parameter settings.
- Implementing checks on downstream market impacts.
- Making system capacity scalable if appropriate.
- Implementing security measures to limit code access and control system entitlements.
- Placing appropriate controls and limitations on a trader’s ability to overwrite or otherwise evade system controls.
- Implementing controls to manage outbound message volume via threshold parameters.