What is your code for algorithmic trading

31.3.2017   

DE

Official Journal of the European Union

L 87/417


COMMISSION DELEGATED REGULATION (EU) 2017/589

from July 19, 2016

to supplement Directive 2014/65 / EU of the European Parliament and of the Council with regulatory technical standards to define the organizational requirements for investment firms that engage in algorithmic trading

(Text with EEA relevance)

THE EUROPEAN COMMISSION -

based on the Treaty on the Functioning of the European Union,

based on Directive 2014/65 / EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments as well as amending Directives 2002/92 / EC and 2011/61 / EU (1), in particular Article 17 paragraph 7 Letters a and d,

Whereas:

(1)

The systems and risk controls of investment firms engaged in algorithmic trading that provide direct electronic access or act as general clearing members should be efficient, resilient and have capacities appropriate to the nature, scope and complexity of the investment firm's business model.

(2)

To this end, investment firms should manage all risks that may affect the core components of an algorithmic trading system, such as risks associated with the hardware, software and communication lines that each firm uses to conduct its trading activities. In order to ensure that the same terms and conditions apply to algorithmic trading regardless of the type of trading, all execution or order management systems used by investment firms should be subject to this Regulation.

(3)

As part of their general governance and decision-making process, investment firms should have clear and formalized rules in place that include clear accountability, effective information-sharing procedures and the segregation of roles and responsibilities. These regulations should reduce the dependency on individual persons or units.

(4)

Conformity tests should check whether the trading systems of investment firms communicate and interact properly with the trading systems of the trading venue or the provider of direct market access (DMA provider) and whether the market data is processed correctly.

(5)

Investment decision algorithms make automatic trading decisions by determining which financial instruments should be bought or sold. Algorithms for order execution optimize order execution by automatically generating orders or offers following an investment decision and submitting them to one or more trading venues. In assessing their potential impact on the overall fair and orderly functioning of the market, trading algorithms should be distinguished from algorithms for investment decisions and algorithms for order execution.

(6)

The requirements for testing trading algorithms should be based on the potential impact of those algorithms on the overall fair and orderly functioning of the market. Therefore, only those algorithms should be excluded from the test requirements that exclusively bring about investment decisions and generate orders that are executed by non-automated means with human involvement.

(7)

When introducing trading algorithms, investment firms should apply controlled procedures regardless of whether they are new trading algorithms or those that have already been successfully used at another trading venue and whether the architecture has been significantly changed. The controlled introduction of trading algorithms should ensure that they work as intended in the production environment. Investment firms should therefore set low-risk upper limits for the number of financial instruments traded, for the price, value and number of orders, for the strategic positions and for the number of markets involved, and monitor the functioning of the newly introduced algorithm particularly closely .

(8)

Compliance with the specific organizational requirements for investment firms should be checked on the basis of a self-assessment, in which compliance with the criteria listed in Annex I is also assessed. In addition, this self-assessment should relate to any other circumstance that might affect the organization of the investment firm concerned. The self-assessment should be carried out at regular intervals and enable the investment firm to gain a comprehensive overview of the trading systems and trading algorithms it uses and all risks associated with algorithmic trading, regardless of whether these systems and algorithms are developed by itself, Bought from a third party or designed or developed in close collaboration with a customer or third party.

(9)

Investment firms should be able to cancel all or part of their orders if necessary (“kill function”). In order for such a cancellation to be effective, investment firms should always be able to determine which trading algorithm, which trader or which customer an order is based on.

(10)

Investment firms engaged in algorithmic trading should ensure that their trading systems cannot be used for purposes that conflict with Regulation (EU) No 596/2014 of the European Parliament and of the Council (2) or with the rules of the trading venue with which they are connected. As provided in that regulation, suspicious transactions or orders should be reported to the competent authorities.

(11)

Different types of risk should be addressed by different types of controls. Before submitting an order to a trading venue, pre-trade controls should be carried out. Investment firms should also monitor their trading activities and provide real-time alerts to indicate signs of disruptive trading conditions or breaches of their pre-trading limits. The market should be monitored through the introduction of post-trade controls and the investment firm's credit risks should be captured by reconciliation of transaction data in the post-trade phase. In addition, to prevent potential market abuse and violations of the rules of the trading venue, specific monitoring systems should be used that issue warning messages by the next day at the latest and are configured in such a way that as few positive or negative false positives as possible arise.

(12)

Warning messages generated by real-time monitoring should be issued as quickly as technically possible. Measures derived from the monitoring should be implemented as promptly as possible in order to achieve a reasonable level of efficiency and utilization of the employees and systems concerned.

(13)

Investment firms that provide direct electronic access ("DEA Providers") remain responsible for the trading that their DEA clients conduct using the investment firm's trading code. Therefore, DEA providers should ensure through appropriate policies and procedures that the trade conducted by their DEA customers meets their requirements as a provider. This responsibility should be the main factor in establishing pre-trade and post-trade controls and in assessing the suitability of potential DEA customers. DEA providers should therefore be adequately informed about the intentions, skills, financial resources and trustworthiness of their DEA customers and, if publicly available, also know the past disciplinary behavior of potential DEA customers towards competent authorities and trading venues.

(14)

DEA providers should comply with the provisions of this regulation even if they do not engage in algorithmic trading, as their customers could use the DEA for algorithmic trading.

(15)

Due diligence reviews of potential DEA customers should be tailored to the risks inherent in the nature, scope and complexity of the expected trading activities and the provision of direct electronic access. In particular, the expected volume of trading, the expected order volume and the type of connection to the relevant trading venues should be included in the assessment.

(16)

The content and format of the forms on which investment firms employing high-frequency algorithmic trading techniques transmit the records of their orders to the competent authorities and the length of time for which these records are to be kept should be specified.

(17)

In order to ensure that investment firms comply with their general obligation to keep records, the period for which records are kept should comply with the requirements in Article 25 (1) of Regulation (EU) No. 600/2014 of the European Parliament and of the Council (3).

(18)

For reasons of consistency and in the interest of smoothly functioning financial markets, it is necessary that the provisions set out in this regulation and the related national provisions for the implementation of Directive 2014/65 / EU apply from the same day.

(19)

This regulation is based on the draft regulatory technical standards submitted by the European Securities and Markets Authority (ESMA) to the Commission.

(20)

ESMA carried out public consultations on these drafts, analyzed the associated potential cost and benefit effects and provided the opinion of the Securities and Markets Stakeholder Group set up in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4) caught up -

HAS ADOPTED THE FOLLOWING REGULATION:

CHAPTER I.

GENERAL ORGANIZATIONAL REQUIREMENTS

article 1

General organizational requirements

(Article 17 (1) of Directive 2014/65 / EU)

As part of their general corporate governance and decision-making, investment firms apply clear and formalized guidelines when introducing and monitoring their trading systems and trading algorithms, which take into account the nature, scope and complexity of their business activities and which contain regulations for the following areas:

a)

clear hierarchies and accountability, e.g. B. in the approval procedures for the development, introduction and subsequent updates of the trading algorithms as well as for the solution of problems which are detected in the monitoring of the trading algorithms;

b)

effective procedures for communicating information within the investment firm so that instructions can be obtained and carried out efficiently and in a timely manner;

c)

Separation of the tasks and responsibilities of the trading departments and the supporting functions, for example the risk control and compliance functions, in order to ensure that unauthorized trading activities cannot be concealed.

Article 2

Responsibilities of the compliance function

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms ensure that the employees responsible for compliance with legal requirements understand at least the basics of how their algorithmic trading systems and trading algorithms work. Compliance staff must be in constant contact with staff who have precise technical knowledge of the company's algorithmic trading systems or trading algorithms.

(2) Investment firms must also ensure that the compliance staff is in contact at all times with either the person or persons in the investment firm who can access the function specified in Article 12 ("kill function"), or have direct access to this function or to the persons responsible for the individual trading systems or trading algorithms.

(3) If the compliance function is wholly or partially outsourced to external third parties, the investment firm concerned grants these third parties the same access to information that it would give internal compliance employees. Investment firms ensure that the compliance function is outsourced

a)

Data protection is guaranteed;

b)

the compliance function can be checked by internal or external auditors or by the competent authority.

Article 3

Staffing

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms must employ a sufficient number of employees who have the necessary skills to manage the algorithmic trading systems and trading algorithms and who have sufficient technical knowledge in the following areas:

a)

the relevant trading systems and trading algorithms;

b)

the monitoring and testing of these systems and algorithms;

c)

the trading strategies that the respective investment firm pursues using its algorithmic trading systems and trading algorithms;

d)

the legal obligations to which the respective investment firm is subject.

(2) The necessary competencies mentioned in paragraph 1 shall be determined by the investment firm. The employees named in paragraph 1 have these necessary skills at the time of hiring or acquire them afterwards through training. Investment firms must ensure that the skills of these employees are kept up-to-date through ongoing training and evaluate these skills at regular intervals.

(3) The training measures mentioned in paragraph 2 must be tailored to the experience and tasks of the employees and take into account the nature, scope and complexity of the activities of the investment firm. In particular, the employees involved in submitting orders must be instructed in the systems provided and trained on the subject of market abuse.

(4) Investment firms ensure that the employees responsible for the risk management and compliance functions of algorithmic trading are equipped with

a)

adequate knowledge of algorithmic trading and trading strategies;

b)

Sufficient skills to further process information that is issued by automatic warning messages;

c)

sufficient authority to hold the employees responsible for algorithmic trading accountable if this trading leads to disruptive trading conditions or gives rise to suspicion of market abuse.

Article 4

Outsourcing and procurement of IT services

(Article 17 (1) of Directive 2014/65 / EU)

(1) The responsibility for compliance with the obligations arising from this Regulation rests in full with the investment firms if they outsource or procure software or hardware used for algorithmic trading activities.

(2) An investment firm has sufficient knowledge and the necessary documentation to ensure full compliance with the provision under paragraph 1 in relation to any hardware or software used in algorithmic trading that it has procured or outsourced.

CHAPTER II

RESILIENCE OF TRADING SYSTEMS

PART 1

Test and implementation of systems and strategies for trading algorithms

Article 5

General methodology

(Article 17 (1) of Directive 2014/65 / EU)

(1) Before introducing or extensively updating an algorithmic trading system, trading algorithm or algorithmic trading strategy, investment firms shall establish clearly delineated methodologies for the development and testing of such systems, algorithms or strategies.

(2) Any introduction or major update of an algorithmic trading system, a trading algorithm or an algorithmic trading strategy must be approved by a person appointed by the management of the investment firm.

(3) The methodologies mentioned in paragraph 1 relate to the design, performance, records and approval of the algorithmic trading system, trading algorithm or algorithmic trading strategy. In addition, they regulate responsibilities, the allocation of sufficient resources and the procedures for obtaining instructions within the investment firm.

(4) The methodologies mentioned in paragraph 1 ensure that the algorithmic trading system, the trading algorithm or the algorithmic trading strategy

a)

does not show any unplanned behavior;

b)

complies with the obligations incumbent on the investment firm under this Regulation;

c)

complies with the rules and systems of the trading venues to which the investment firm has access;

d)

does not contribute to the creation of trading conditions that are disruptive to the market, functions effectively even under stress conditions on the markets and, if necessary under such conditions, allows the algorithmic trading system or the trading algorithm to be switched off.

(5) Investment firms adapt their test methodologies to the trading venues and markets on which the trading algorithm will be used. In the event of significant changes to the algorithmic trading system or access to the trading venue on which the algorithmic trading system, the trading algorithm or the algorithmic trading strategy is to be used, investment firms carry out additional tests.

(6) Paragraphs 2 to 5 only apply to algorithms that lead to the execution of the order.

(7) Investment firms shall keep records of all material changes to the software used for algorithmic trading that show

a)

when a change was made;

b)

who made the change;

c)

who approved the change;

d)

what the change was.

Article 6

Conformity tests

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms test the conformity of their algorithmic trading systems and trading algorithms

a)

the system of the trading venue in each of the following situations:

i)

when accessing this trading venue as a member;

ii)

when connecting to this trading venue for the first time through a subsidized access;

iii)

in the event of significant changes to the systems of the trading venue;

iv)

before the introduction or a comprehensive update of the algorithmic trading system, the trading algorithm or the algorithmic trading strategy of the respective investment firm;

b)

the system of the provider of direct market access in each of the following situations:

i)

when connecting to this trading venue for the first time through direct market access;

ii)

in the event of significant changes that affect the provision of direct market access by the provider concerned;

iii)

before the introduction or a comprehensive update of the algorithmic trading system, the trading algorithm or the algorithmic trading strategy of the respective investment firm.

(2) Conformity tests are used to check whether the fundamental components of the algorithmic trading system or trading algorithm are functioning properly and comply with the requirements specified by the trading venue or the provider of direct market access. For this purpose, tests must be carried out to confirm that the algorithmic trading system or trading algorithm

a)

interacts with the trading venue's matching logic as planned;

b)

processes the data streams downloaded from the trading venue in an appropriate manner.

Article 7

Test environments

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms shall ensure that the conformity tests with regard to the criteria set out in Article 5 paragraph 4 letters a, b and d are carried out in an environment separate from their production environment, which is specifically intended for the testing and development of algorithmic trading systems and trading algorithms .

For the purposes described in the first subparagraph, the term "production environment" means the environment in which the algorithmic trading systems are actually used and includes the hardware and software used by the traders, the routing of orders to trading venues, the market data, the dependent databases, the risk control systems, the data collection, the analysis systems and the processing systems for the post-trading phase.

(2) In order to fulfill the test requirements mentioned in paragraph 1, investment firms may use their own test environment or a test environment provided by a trading venue, a DEA provider or a third-party provider.

(3) The responsibility for testing their algorithmic trading systems, trading algorithms or algorithmic trading strategies and for making the necessary changes to these remains with the respective investment firm in full.

Article 8

Controlled introduction of algorithms

(Article 17 (1) of Directive 2014/65 / EU)

Before implementing a trading algorithm, investment firms set upper limits for:

a)

the number of financial instruments traded;

b)

the price, value and number of orders;

c)

the strategic positions and

d)

the number of trading venues to which orders are sent.

SECTION 2

Administration following the implementation

Article 9

Annual self-assessment and validation

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms carry out an annual self-assessment and validation process and prepare a validation report on this basis. Through this process, investment firms review, assess and validate the following areas:

a)

their algorithmic trading systems, trading algorithms and algorithmic trading strategies;

b)

their corporate governance, accountability and approval processes;

c)

their emergency arrangements;

d)

compliance with all provisions of Article 17 of Directive 2014/65 / EU with regard to the nature, scope and complexity of their business activities.

In the course of the self-assessment, at least compliance with the criteria listed in Annex I of this Ordinance is subjected to an analysis.

(2) The risk management function of the investment firm referred to in Article 23 (2) of Commission Delegated Regulation (EU) 2017/565 (5) shall prepare the validation report using staff with the necessary technical knowledge. The risk management function informs the compliance function of any deficiencies that are listed in the validation report.

(3) The validation report is checked by the internal audit function, if the company has one, and approved by the management of the investment firm.

(4) The deficiencies listed in the validation report will be remedied by the investment firm.

(5) If an investment firm has not established the risk management function referred to in Article 23 (2) of Delegated Regulation (EU) 2017/565, the requirements for the risk management function set out in this Regulation shall apply to any other function that the investment firm may perform in accordance with Article 23 (5) 2 of the Delegated Regulation (EU) 2017/565.

Article 10

Stress tests

(Article 17 (1) of Directive 2014/65 / EU)

As part of the annual self-assessment referred to in Article 9, investment firms review whether their algorithmic trading systems and the procedures and controls referred to in Articles 12 to 18 can withstand increased orders or market loads. Investment firms develop such tests based on the nature of their trading activities and trading systems. Investment firms ensure that the production environment is not affected by the tests. Components of these tests are:

a)

High volume testing based on twice the highest number of notifications received and received by the investment firm in the previous six months;

b)

High volume testing based on twice the maximum volume the investment firm has had in the previous six months.

Article 11

Dealing with significant changes

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms shall ensure that any proposed material changes to the production environment for algorithmic trading are pre-examined by an employee appointed by the management of the investment firm. The thoroughness of this review will depend on the scope of the proposed change.

(2) Investment firms shall put in place procedures to ensure that any functional changes to their systems are communicated to the traders responsible for the trading algorithm, the compliance function and the risk management function.

SECTION 3

Means to ensure resilience

Article 12

Kill function

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms may, as an emergency measure, immediately cancel any order that has been submitted to any trading venue but has not yet been executed; You can also immediately cancel all orders submitted to a specific or to all trading venues but not yet executed (“kill function”).

(2) For the purposes of paragraph 1, those orders that have not been executed must also be included that go back to individual dealers, trading departments or, if applicable, customers.

(3) For the purposes of paragraphs 1 and 2, investment firms can determine for each order submitted to a trading venue which trading algorithm and which trader, which trading department or, if applicable, which customer it is based on.

Article 13

Automated surveillance system for the detection of market manipulation

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms monitor all trading activities carried out with their trading systems, including those of their clients, for signs of possible market manipulation, as mentioned in Article 12 of Regulation (EU) No. 596/2014.

(2) For the purposes specified in paragraph 1, investment firms shall set up and maintain an automated monitoring system that effectively controls orders and transactions, generates warning messages and reports and, if appropriate, provides visualization tools.

(3) The automated monitoring system covers the entire spectrum of the trading activities of an investment firm and all orders submitted by it. The design of the monitoring system is appropriate to the nature, scope and complexity of the trading activities of the investment firm, such as the type and volume of financial instruments traded, the size and complexity of its order flow and the markets to which it has access.

(4) During the investigation phase, the investment firm compares all indications of suspicious trading activities that were reported by its automated monitoring system with other relevant trading activities carried out by it.

(5) An investment firm's automated monitoring system is adaptable to changes in its regulatory obligations and trading activities, including changes in its own trading strategy and the trading strategy of its clients.

(6) Investment firms review their automated monitoring system at least annually to determine whether the system and the parameters and filters it uses are still in line with the firm's regulatory obligations and in keeping with their trading activities; It must also be checked whether the generation of positive and negative false alarms continues to be kept as low as possible.

(7) The monitoring system of an investment firm is able to read, reproduce and evaluate the order and business data retrospectively with sufficient time granularity; its capacities are sufficient to function in an automated trading environment with low latency times when required. It also generates warning messages that are processed at the beginning or, if manual processes are involved, at the end of the following trading day. Adequate documentation and procedures are available for handling the alerts generated by an investment firm's monitoring system.

(8) The employees responsible for monitoring the trading activities of the investment firm for the purposes described in paragraphs 1 to 7 shall report to the compliance function all trading activities that could violate the company's guidelines and procedures or supervisory obligations. The compliance function checks this information and takes appropriate measures. Part of these measures is the notification of the trading venue or the reporting of suspicious transactions or orders in accordance with Article 16 of Regulation (EU) No. 596/2014.

(9) Investment firms shall ensure that their records of trading and account information are accurate, complete and consistent by keeping their own electronic trading logs as timely as, where applicable and appropriate given the nature, scope and complexity of their business Compare practically with the records made available to them by their trading venues, brokers, clearing members, central counterparties, data service providers or other relevant business partners.

Article 14

Emergency precautions

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms have arrangements appropriate to the nature, scope and complexity of their business activities with which they can maintain their algorithmic trading systems in an emergency. These precautions must be documented on a permanent data carrier.

(2) The emergency measures of an investment firm enable disruptions to be effectively remedied and, if appropriate, an early resumption of algorithmic trading. The emergency measures are adapted to the trading systems of the individual trading venues to which the investment firm has access and include the following components:

a)

Management requirements for the development and implementation of the emergency measures;

b)

the recording of possible adverse scenarios in relation to the operation of the algorithmic trading system, for example the failure of systems, employees, workstations, external service providers or data centers or the loss or modification of business-critical data and documents;

c)

Procedures for moving the trading system to a back-up location and operating the trading system from that location, which the investment firm must have when appropriate given the nature, scope and complexity of its algorithmic trading activities;

d)

Training of employees on emergency precautions;

e)

Guidance on how to use the feature mentioned in Article 12;

f)

Precautions to switch off the relevant trading algorithm or trading system, if indicated;

G)

alternative ways for the investment firm to process open orders and positions.

(3) Investment firms ensure that their trading algorithm or trading system can be switched off as part of their emergency measures without creating trading conditions that disrupt the market.

(4) Investment firms shall review emergency arrangements annually and adjust them in the light of that review.

Article 15

Pre-trade controls when entering the order

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms carry out pre-trade controls for all financial instruments when entering an order with regard to the following requirements:

a)

Price bands with which orders that do not correspond to the specified price parameters are automatically blocked or canceled and which differentiate between different financial instruments both at the level of the individual order and for a specific period of time;

b)

High order values, which prevent orders with an unusually high order value from entering the order book;

c)

Maximum order volumes, which prevent orders with an unusually large order volume from entering the order book;

d)

Notice upper limits that prevent an excessive number of notifications about the submission, modification or cancellation of an order from being sent to the order books.

(2) Investment firms include all orders transmitted to a trading venue immediately in the calculation of the pre-trading limits mentioned in paragraph 1.

(3) Investment firms have repetitive automatic order execution throttling mechanisms that control how often an algorithmic trading strategy is applied. After a predetermined number of repeated executions, the trading system is automatically switched off until it is switched on again by a specially designated employee.

(4) Investment firms set caps on market and credit risk; these are based on their capital base, their clearing agreements, their trading strategy, their risk tolerance and experience, as well as on variables such as the length of their experience with algorithmic trading and their reliance on third parties. Investment firms adjust the upper limits for these market and credit risks on an ongoing basis to the effects that result from changes in the price and liquidity levels of the orders on the relevant market.

(5) As soon as investment firms discover that a trader is not authorized to trade a specific financial instrument, the trader's orders are automatically blocked or canceled. Orders that violate their risk thresholds are automatically blocked or canceled by the investment firm.Where appropriate, risk controls are used for individual customers, financial instruments, traders, trading departments, or the investment firm as a whole.

(6) Investment firms have procedures and arrangements in place in connection with orders that have been blocked by the respective investment firm's pre-trade controls, but which the investment firm nevertheless wishes to transmit. These procedures and arrangements are used temporarily for a specific commercial transaction in exceptional circumstances. They must be reviewed by the risk management function and approved by an employee appointed by the investment firm.

Article 16

Real-time monitoring

(Article 17 (1) of Directive 2014/65 / EU)

(1) During the times in which they transmit orders to trading venues, investment firms monitor in real time all algorithmic trading activities carried out under their trading code, including those of their customers, for signs of disruptive trading conditions, including all markets, asset classes or products on which the Activities of the investment firm or its clients.

(2) The real-time monitoring of the algorithmic trading activities is carried out by the trader responsible for the trading algorithm or the algorithmic trading strategy, the risk management function or an independent risk control function set up for the purposes of this provision. Regardless of whether an internal employee of the investment firm or a third party is entrusted with real-time monitoring, this risk control function is considered independent if it is not in any hierarchical dependent relationship with the trader and, if appropriate and necessary, within the framework of the provisions of Article 1 Can hold corporate governance accountable.

(3) Employees entrusted with real-time monitoring react to operational and regulatory issues in a timely manner and take corrective action if necessary.

(4) Investment firms shall ensure that the competent authority, the relevant trading venues and, if applicable, the DEA providers, clearing members and central counterparties can contact the staff responsible for real-time monitoring at all times. For this purpose, investment firms establish communication channels, also for establishing contact outside of trading hours, and check these regularly so that in an emergency the employees with the necessary authority can contact each other in good time.

(5) The systems for real-time monitoring must generate warning messages in real time in order to support employees in the detection of unscheduled trading activities carried out with the aid of an algorithm. Investment firms have processes in place with which they can react to warnings as quickly as possible and, if necessary, withdraw themselves from the market in an orderly manner. These systems also generate alerts relating to algorithms and orders received via the DEA that trigger the circuit breakers of a trading venue. Real-time alerts are generated within five seconds of the relevant event.

Article 17

Post-trade controls

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms continuously apply their post-trade controls. If an irregularity is discovered, investment firms will take appropriate action, including adjusting or deactivating the relevant trading algorithm or trading system, or an orderly withdrawal from the market.

(2) The post-trade controls mentioned in paragraph 1 also include the continuous assessment and monitoring of the effective market and credit risk of the respective investment firm.

(3) Investment firms keep complete, accurate and consistent records of their trading and account information. Investment firms match their own electronic trading logs with information about their open orders and risks received from the trading venues to which they submit orders, their brokers or DEA providers, their clearing members or central counterparties, their data service providers or other relevant business partners receive. The comparison takes place in real time, provided that the market participants listed above provide said information in real time. Investment firms are able to calculate their own open risks and those of their dealers and clients in real time.

(4) In the case of derivatives, the post-trading controls mentioned in paragraph 1 also extend to the upper limits for the buy and sell positions as well as the strategic positions as a whole, whereby the upper trading limits must be set in units that are suitable for the type of financial instrument in question.

(5) The post-trade controls are carried out by the traders who are responsible for the algorithm and risk control function within the investment firm.

Article 18

Security and Access Restrictions

(Article 17 (1) of Directive 2014/65 / EU)

(1) Investment firms pursue an IT strategy with defined goals and measures that

a)

is aligned with the business and risk strategy of the respective investment firm as well as with its operational activities and the risks to which it is exposed;

b)

is supported by a reliable IT organization that includes maintenance, productive operation and development;

c)

meets the requirements of an effective IT security management.

(2) Investment firms shall ensure physical and electronic security by putting in place and maintaining appropriate measures to reduce the risk of attacks on their information systems; this also includes effective identity and access management. Such precautions protect the confidentiality, integrity, authenticity and availability of the data as well as the reliability and resilience of the information systems used by the investment firm.

(3) In the event of significant breaches of their physical and electronic security precautions, investment firms shall notify the competent authority immediately. You will provide the appropriate authority with a report on the incident describing the nature of the incident, the actions that have been taken as a result, and the initiatives taken to prevent similar incidents in the future.

(4) Investment firms carry out penetration tests and vulnerability analyzes annually in order to simulate cyber attacks.

(5) Investment firms ensure that they can identify all users who have important access rights to their IT systems. Investment firms limit the number of these users and monitor their access to the IT systems to ensure traceability at all times.

CHAPTER III

DIRECT ELECTRONIC ACCESS

Article 19

General provisions for direct electronic access

(Article 17 (5) of Directive 2014/65 / EU)

DEA providers use appropriate guidelines and procedures to ensure that the trading conducted by their DEA customers complies with the rules of the trading venue and that they, as DEA providers, meet the requirements set out in Article 17 (5) of Directive 2014/65 / EU.

Article 20

Control obligations of the DEA provider

(Article 17 (5) of Directive 2014/65 / EU)

(1) DEA providers subject the order flow of each individual DEA customer to the controls in accordance with Articles 13, 15 and 17 and the real-time monitoring in accordance with Article 16. These controls and this monitoring are carried out independently and separately from the controls and monitoring by the DEA Customers themselves. In particular, the orders of a DEA customer always go through the pre-trade controls, which are defined and controlled by the DEA provider.

(2) DEA providers can also carry out their own pre-trade and post-trade controls, controls provided by a third party or offered by the trading venue, and real-time monitoring. In all circumstances, responsibility for the effectiveness of these controls remains with the DEA provider. Furthermore, DEA providers ensure that nobody but them is authorized to set or change the parameters or upper limits of the pre-trade and post-trade controls and real-time monitoring. The functioning of the pre-trade and post-trade controls is continuously monitored by DEA providers.

(3) The upper limits of the pre-trade controls for submitted orders are based on the upper limits for credits and risks that the DEA provider applies to the trading activities of its DEA customers. The DEA provider derives these upper limits from the due diligence check before the start of the business relationship and the subsequent regular reviews of the DEA customer.

(4) The parameters and upper limits for the controls of DEA customers who have subsidized access are just as strict as those for DEA customers with direct market access (DMA).

Article 21

Specifications for DEA Providers' Systems

(Article 17 (5) of Directive 2014/65 / EU)

(1) DEA providers ensure that their trading systems enable them to

a)

Monitor orders that a DEA customer submits under the DEA provider's trade code;

b)

To automatically block or cancel orders from persons whose trading systems submit orders related to algorithmic trading and who are not authorized to submit orders through direct electronic access;

c)

To automatically block or cancel orders for financial instruments for which the submitting DEA customer has no trading authorization, and for this purpose to identify and block individual DEA customers or groups of such customers using an internal identification system;

d)

To automatically block or cancel orders from DEA customers that violate the threshold values ​​set in the risk management system of the DEA provider and, for this purpose, apply risk controls for individual DEA customers, financial instruments or groups of DEA customers;

e)

interrupt the flow of orders from DEA customers;

f)

suspend or terminate the DEA Services to any DEA customer if the DEA provider is not satisfied that its continued access is consistent with its own rules and procedures to ensure fair and orderly trade and the integrity of the market;

G)

if necessary, to review the internal risk control systems of DEA customers at any time.

(2) DEA providers have procedures with which they can assess, control and mitigate market disruption risks and company-specific risks. DEA providers know who to notify in the event an error occurs that leads to violations of the risk profile or potential violations of the rules of the trading venue.

(3) By assigning unique identification codes, DEA providers are able to identify their DEA customers as well as their trading departments and dealers at any time when they submit orders via the DEA provider's systems.

(4) If DEA providers allow a DEA customer to grant access to their own customers (subordinate access), they are able to distinguish the incoming orders of the beneficiaries of such an agreement via subordinate access, even if they identify their identity not knowing.

(5) DEA providers keep records of the orders submitted by their DEA customers and also note changes and cancellations, warning messages generated by their monitoring systems and changes to their filtering process in the order data.

Article 22

Due diligence reviews of potential DEA customers

(Article 17 (5) of Directive 2014/65 / EU)

(1) DEA providers subject their potential DEA customers to a due diligence review to ensure that they comply with the requirements of this Regulation and the rules of the trading venue to which they provide access.

(2) The due diligence mentioned in paragraph 1 extends to

a)

the governance and ownership structure of the prospective DEA customer;

b)

the types of strategies the prospective DEA customer must pursue;

c)

the operational facilities, systems, pre-trade and post-trade controls and real-time monitoring of the potential DEA customer. Investment firms that offer direct electronic access and allow their DEA clients to access trading venues with third-party trading software shall ensure that such software includes pre-trade controls equivalent to the pre-trade controls set out in this Regulation;

d)

the internal regulation of the responsibilities for trading activities and errors on the part of the potential DEA customer;

e)

the trading patterns and behavior of the potential DEA customer in the past;

f)

the expected trading and order volume of the potential DEA customer;

G)

the ability of the prospective DEA customer to meet its financial obligations to the DEA provider;

H)

the past disciplinary behavior of the potential DEA customer, if information is available.

(3) DEA providers who enable their customers to provide downstream access must ensure that the potential DEA customer has due diligence procedures in place, similar to those described in paragraphs 1 and 2, before granting such access are at least equivalent.

Article 23

Regular review of DEA customers

(Article 17 (5) of Directive 2014/65 / EU)

(1) DEA providers review the assessment processes envisaged as part of their due diligence on an annual basis.

(2) DEA providers subject the adequacy of their customers' systems and controls to an annual risk-based reassessment, with special consideration given to changes in the nature, scope and complexity of their trading activities or trading strategies, personnel changes, changes to their ownership structure, their trading or bank accounts, their regulatory status and financial situation as well as with regard to whether the DEA customer has expressed the intention to offer subordinate access under the access of the DEA provider.

CHAPTER IV

SECURITIES COMPANIES ACTING AS GENERAL CLEARING MEMBERS

Article 24

Systems and controls of investment firms acting as general clearing members

(Article 17 (6) of Directive 2014/65 / EU)

The systems through which an investment firm acting as a general clearing member (“clearing house”) offers clearing services to its customers are appropriately subjected to due diligence checks, as well as controlled and monitored.

Article 25

Due diligence reviews of potential clearing clients

(Article 17 (6) of Directive 2014/65 / EU)

(1) Clearing houses assess potential clearing customers in an initial assessment before the start of the business relationship with regard to the type, scope and complexity of their business activities. Each potential clearing customer is assessed based on the following criteria:

a)

Creditworthiness including any guarantees;

b)

internal risk control systems;

c)

intended trading strategy;

d)

Payment systems and payment arrangements that enable the prospective clearing customer to timely transfer margin payments in assets or in cash requested by the clearing house in connection with clearing services;

e)

System settings and access to information that support the potential clearing customer in complying with the upper trading limit agreed with the clearing house;

f)

any collateral that the potential clearing customer makes available to the clearing house;

G)

operational resources such as interfaces between technical solutions and connectivity;

H)

Involvement of the potential clearing client in violations of the regulations that ensure the integrity of the financial markets, e.g. involvement in market abuse, financial crime or money laundering.

(2) Clearing houses review annually to what extent their clearing customers still meet the criteria listed in paragraph 1. These criteria are part of the legally binding written agreement referred to in Article 17 (6) of Directive 2014/65 / EU, which also regulates the frequency with which the clearing house verifies compliance with the criteria by its clearing customers, provided that this verification is carried out more than once takes place annually. The legally binding written agreement regulates the consequences clearing customers have to face in the event of non-compliance with these criteria.

Article 26

Position limits

(Article 17 (6) of Directive 2014/65 / EU)

(1) Clearing houses set appropriate trading and position limits for their clearing customers, with which their own counterparty, liquidity, operational and other risks are reduced and controlled, and they inform them of these limits.

(2) Clearing houses monitor the positions of their customers with regard to compliance with the limits mentioned in paragraph 1 in real time and have appropriate pre-trade and post-trade procedures with which they can reduce the risk of violations of the position limits by means of suitable "margin procedures" (margining). and can control other suitable means.

(3) Clearing houses document the procedures mentioned in paragraph 2 in writing and keep records of whether the clearing customers comply with these procedures.

Article 27

Disclosure of information about services provided

(Article 17 (6) of Directive 2014/65 / EU)

(1) Clearing houses publish the conditions under which they offer clearing services. They offer these services on commercial terms.

(2) Clearing houses inform their potential and existing clearing customers about the level of protection and the costs associated with the respective degree of account segregation they offer. The information about the individual stages of separation includes a description of the essential legal framework conditions of the respective degree of separation offered, including information on the insolvency law of the respective legal system.

CHAPTER V.

HIGH FREQUENCY ALGORITHMIC TRADING TECHNOLOGY AND FINAL PROVISIONS

Article 28

Content and format of the order records

(Article 17 (2) of Directive 2014/65 / EU)

(1) Investment firms using a high-frequency algorithmic trading technique shall record the information on each order immediately after it has been submitted in the format specified in Tables 2 and 3 of Annex II.

(2) Investment firms that use a high-frequency algorithmic trading technique update the information mentioned in Paragraph 1 in accordance with the standards and formats specified in Annex II in the fourth column of Tables 2 and 3.

(3) The records referred to in paragraphs 1 and 2 shall be retained for five years from the date on which the order was submitted for execution to a trading venue or other investment firm.

Article 29

Entry into force and application

(Article 17 (2) of Directive 2014/65 / EU)

This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

It is valid from January 3, 2018.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Brussels, 19 July 2016

For the Commission

The president

Jean-Claude JUNCKER


(1) OJ L 173 of June 12, 2014, p. 349.

(2) Regulation (EU) No. 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation) and repealing Directive 2003/6 / EC of the European Parliament and of the Council and Directives 2003/124 / EG, 2003/125 / EG and 2004/72 / EG of the Commission (OJ L 173 of 12.6.2014, p. 1).

(3) Regulation (EU) No. 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No. 648/2012 (OJ L 173 of 12 June 2014, P. 84).

(4) Regulation (EU) No. 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No. 716/2009 / EC and repealing it of Commission Decision 2009/77 / EC (OJ L 331 of 15.12.2010, p. 84).

(5) Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65 / EU of the European Parliament and of the Council with regard to the organizational requirements for investment firms and the conditions for the performance of their activities and as regards the definition of certain terms for the purposes of that Directive (see page 1 of this Official Journal).


APPENDIX I.

Criteria to be taken into account by investment firms in the self-assessment under Article 9 (1)