DR. Alpay Soytürk, SPECTRUM MARKETS' Chief Regulatory Officer, ON disruption and the operational resilience of trading venues
"Disruption" is a term widely used in euphoric or even euphemistic technological contexts. In association with operational stability, it is a state you want to avoid. With cyber risks being the talk of the day, the Digital Operational Resilience Act (DORA) approaching fast, and ESMA1 having just closed a consultation on market outages2, it is time to discuss the operational resilience of trading venues and what DORA means for them. Dr. Alpay Soytürk, Chief Regulatory Officer at Spectrum Markets, has the details.
Alpay, why is operational resilience such burning issue now?
It is not a new topic but the dynamics of technology and software development cycles, consumer behaviour, hybrid work patterns and trading habits have gained massive momentum. With it, threats to the stability of IT-operations and cyber-crime risks have significantly increased, too. The higher the volume of sensitive data we exchange, the more endpoints and the higher the degree of interconnection, the more vulnerable we get. In trading, algorithms can aggravate the severity of disruptions and the likelihood of outages.
What is the role of algorithms in association with trading disruption?
While damage caused by trading algorithms is never desirable, one can basically distinguish between those that have been designed to be applied abusively in the first place and those which inadvertently prove detrimental to an orderly functioning of trading infrastructure. Another demarcation line can be drawn between algorithms that have been developed by humans and those which are based on machine learning – also referred to as first-generation and second-generation algorithms. In trying to understand the risk, we should not concentrate too much on blatantly fraudulent first-generation algorithms – not because these wouldn’t be serious but because they’re less relevant in terms of discoverability, the inherent difficulty of protecting against and the overall damage they cause.
Algorithms have been around since the degree to which trading is automated, computing capabilities and electronic access started to allow for their deployment, i.e., for around two decades. However, what may have started as a playground for Wall Street nerds has become the rule in some major markets as opportunities grow with scale. This should not obscure that there are comparably simple algorithms which initiate orders and set their details based on signals pre-defined by the humans who developed the algorithm, and the disruption potential of which is less pronounced. It’s easy to figure how the execution advance over a human trading interaction will come into play. So, the algorithms beat the human trader in terms of time and efficiency. Over time, more and more accounts have realised these advantages. The result has been that algorithms were developed which try to optimise arbitrage opportunities arising from price differentials on various markets. At the same time, they were being designed to achieve this in ever shorter periods of time, supported by physical infrastructures that have become more and more performant.
The next phase of evolution was rung in by the development of algorithms based on a much lower level of human intervention, with machine learning capabilities and the leeway to develop strategies on their own. These programs, referred to as second-generation algorithms, are where the real disruption begins.
Before looking into this, what is the formal definition of algorithmic trading? And isn’t there sufficient regulation to prevent abuse and distortion from trading algorithms?
MiFID II3, which contains the central governing principles for the use of algorithms in capital markets in the European Union, defines this as “trading in financial instruments where a computer algorithm automatically determines individual parameters of orders such as whether to initiate the order, the timing, price or quantity of the order or how to manage the order after its submission, with limited or no human intervention”. This definition refers to the investment decision itself and to relevant transaction details and excludes order routing or post trade processing mechanisms.
MiFID II and its delegated acts stipulate, among other things, that firms wishing to engage in algorithmic trading must maintain efficient and resilient systems and risk controls adequately scaled to their individual business model and addressing all relevant risks. This includes detailed requirements for the development, testing and deployment of trading algorithms, algorithmic trading systems and strategies. There are defined methodologies for the design of algorithmic trading systems, aimed at preventing their unintended behaviour, regarding their performance and including recordkeeping and management responsibilities. For trading venues regulated under MiFID II, there are detailed requirements regarding pre-trade controls, systems resilience and business continuity arrangements. While these rules are straightforward and comprehensive, they fail to address the challenges from the second-generation, machine-learning based algorithms.
Why is that?
The requirements under the delegated acts of MiFID II, especially those under Article 5 of RTS64 – namely the obligation to prevent algorithms’ unintended behaviour, to prevent it from contributing to disorderly trading conditions and to maintain its effectiveness in stressed market conditions – are neither misunderstandable nor do they lack a clear assignment of responsibilities to the involved parties. The same is true for the testing requirements. However, there is no definition with regard to which testing environment firms must use or how this environment must be designed technically. Of course, firms using algorithms need to comply with any conformance testing steps required by the operator of the relevant trading venue – this is no different for our members. But when an algorithm and, more importantly, the interplay of many algorithms can be considered to be thoroughly tested with a view to its disruptive potential, is difficult, if not impossible to answer. There are technical limits to any trading infrastructure’s ability to process a certain number of orders simultaneously in extremely volatile market periods. In these periods, second-generation algorithms significantly add to volatility.
That is, the logic of an algorithm may be impeccable, the data fed into the order automation system may be clean and there is no misinterpretation of microstructure signals, too, but trading will come to a halt anyway – because the algorithms, all designed to squeeze latency to close to zero, amplify trading activity in a self-accelerating manner and trading venues’ infrastructure can no longer process the messaging volume.
Isn’t that an execution issue at the trading venues’ end? And what is ESMA’s view on it?
ESMA is of the view that market outages over the recent years that were marked by extreme volatility were primarily attributable to the trading venues’ proprietary infrastructure rather than to high volatility itself. By acknowledging that exchanges have become increasingly resilient but that outages are likely to continue to occur, it basically acknowledges what we have discussed – i.e., that legacy infrastructures cannot keep pace with the development of automated trading. The problem ESMA sees is that an outage at a primary market is not just affecting orderly execution there, but that trading goes down by the same proportion on alternative lit markets – instead of being used to ensure continuity of trading.
ESMA blames this on poor communication and the lack of adequate outage strategies, hence it is calling national supervisory authorities to impose relevant requirements on trading venues, which does not necessitate changing existing legislation. These requirements include setting up crisis management procedures that outline the steps to be taken to restore orderly trading, an outage strategy including necessary actions during an outage, a strategy for reopening once the problems are fixed, a communication strategy regarding the details of the outage and the way this is communicated and, probably most importantly, information on how orders are treated. The latter point comprises an indication of which orders were affected, including references to the time of their submission and indicating which orders were cancelled and which were executed, with clear procedures for validating cancellations where needed by participants. In addition, venues shall indicate whether orders sent during an outage were accepted or rejected in accordance with the procedures defined in trading manuals and, where the integrity of the orders has been largely compromised, offer participants the removal of all orders from the order book.
How is DORA coming into play?
Foregoing suggesting legislative amendments in its actual market outage guidance doesn’t mean ESMA will remain passive on venue resilience going forward. The Digital Operational Resilience Act sets uniform requirements for the security of network and information systems in the financial sector including critical third parties which provide ICT5-related services to them. This will create a harmonised framework for cyber/ICT risk management, resilience testing, incident reporting and outsourcing throughout the European Union. And it mandates ESAs6 such as ESMA to develop technical standards, which financial services institutions have to adopt. This means that trading venues should use the 24-month implementation period sensibly to prepare for operational resilience becoming an essential element of supervisory authorities’ oversight and enforcement schedule.
Thank you very much!
1. The European Securities and Markets Authority
2. https://www.esma.europa.eu/sites/default/files/library/esma70-156-6040_consultation_paper_on_market_outages.pdf
3. Directive 2014/65/EU, the “Markets in Financial Instruments Directive”
4. Regulation (EU) No 2017/589, regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading, “RTS6”
5. Information Communication Technologies
6. European Supervisory Authorities