In our previous articles we’ve explored the expanding requirements for robust systems and risk controls under MiFID II, the nature of proportionality as it relates to algorithmic trading and the new accountability implications for senior managers. This article, written by Meredith Gibson, Head of Legal Risk, Santander UK plc and Helen Pykhova, Director, The Op Risk Company, reviews the MiFID II discussion and consultation papers and highlights the implications for firms’ ballooning operational risk mandate.
As operational risk practitioners, we tend to complain that regulation is not prescriptive enough. Can the regulators provide a definition of Conduct? What are the expectations on operational risk Appetite and Tolerance? What is Emerging Risk? The reader may agree that our well-known, well-read regulatory guidelines on operational risk are mostly high-level in nature. The MiFID Discussion Paper is radically different. While it essentially aims to address the management of operational risk associated with algorithmic trading, and refers to the high-level EBA/CEBS “Guidelines on the management of operational risks in market-related activities”, it is very prescriptive.
For example, Article 48(12) establishes a requirement for trading venues to conduct a ‘self-assessment’, which ‘should be subject to sign-off by the management body and is to be reviewed at least twice yearly’. Listed further on are elements that should be taken into consideration in undertaking the self-assessment, including the extent to which the firm relies on third parties, its ownership and governance structure, level of experience of its personnel, etc.
Is this ‘self-assessment’ in fact our RCSA, the Risk and Control Self-Assessment? Can we then rely on and build upon the existing RCSA process?
Most firms already have to live with at least two risk assessment methodologies: one designed by the Operational Risk department and another by Internal Audit. It is quite rare for these two functions to be fully aligned, so in the majority of cases business units have to work with two different approaches. It is not uncommon for a third to be introduced by the Compliance department.
Are we running the risk of generating an industry of inconsistent assessments that firms will find impossible to follow? If a firm has already decided on the frequency of its operational risk assessment, for example annually or upon a trigger event, the twice-yearly requirement will create an obligation to run a two-stroke system: one cycle for its trading and associated systems, and another for all other processes. Presumably this will also have a knock-on effect on resourcing requirements.
Another interesting point is the emergence of a somewhat new profile for the ‘risk and control’ function:
- The risk control function is required to run a validation process over all systems and algorithms and report back to senior management;
- Risk control personnel may be involved in approving exceptional deals blocked by the firm’s pre-trade controls; it is still to be confirmed whether these are the same risk control staff or a separate risk management function;
- There is an expectation that someone in the risk control function will monitor algorithmic trading in real time and be accessible to both trading venues and the regulator.
This raises the question of the rather unusual profile of these risk control employees: what type of person are we looking for, who can understand and monitor the algorithms, sign off on exceptions and at the same time possess the communication skills needed to be accessible to the regulator?
It is worth noting that Compliance is expected to be ‘kept aware’ of the results of the validation, exceptional deals, etc., rather than to approve and sign them off. The inference is that our new risk control function may take over some of the responsibilities currently sitting with Compliance. The national competent authority will want to see the risk controls in place for algorithmic trading and direct market access, and the internal policies covering a broader range of trading activity.
A final point concerns the further guidance yet to come. Central Counterparties (CCPs) and trading venues will be required to manage their operational risk in line with regulatory technical standards that are yet to be developed, as well as their own risk management frameworks. The principal concern is around the granting of access to firms, and specifically defining the circumstances under which a CCP or trading venue might wish to deny access on the grounds of excessive operational risk. One presumes that considerable knowledge of an applicant’s employees, processes and systems would be required in order to fully assess the potential risk to the CCP or the trading venue. That knowledge is likely to encompass the ability to operationalise the tracing of margin and collateral along the entire supply chain, as well as the contractual coverage of these relationships.
Could the language at least be consistent? In addressing this topic, the discussion paper refers to ‘the anticipated operational risk…exceeding its operational risk design’. We are used to the concepts of appetite and tolerance, and have yet to understand what monitoring operational risk against the ‘design’ means and how it differs.
A similar concern arises in the clearing relationship between clearing member and client, where ESMA expects the clearing member to “make a proper initial assessment of any prospective clearing client according to the nature, scale and complexity of the prospective client’s business”. This assessment includes the client’s internal risk control systems. It is unclear whether a contractual representation would suffice or whether ESMA expects some kind of audit, but one would suspect the latter given the level of detail provided.
In short, ESMA expects that any firm engaging in “risky” activity (algorithmic trading, allowing its systems to be used for direct electronic access, engaging in clearing, or providing a trading venue) will need to control operational risk in a granular fashion, with new risk controls and functions. There will need to be new documentation, both legal and internal policies/procedures, new resourced functions and new identification of algorithms and strategies. This will be difficult to implement operationally, both in terms of current resourcing constraints and current systems. Will we see the same increase in resourcing of Operational Risk functions as we saw with Compliance?
At the time of writing, we reached out to several operational risk colleagues in the industry to ask whether anyone had read the document. Unanimously, the answer was ‘No’. While the time to respond to the consultation has now run out, we urge operational risk practitioners to read the paper, understand its implications and actively join in the implementation when the final document comes out, so as to align existing operational risk practices as far as possible with the new requirements the paper introduces.