Investment firms shall annually perform a self-assessment and validation process and, based on that, issue a validation report.
Investment firms shall establish and monitor their trading systems and algorithms through a clear and formalized governance arrangement.
- IT Security
IT Security must be incorporated into internal governance and be formally approved.
New analysis AFM
On 2 April 2021 the AFM published its report ‘Algorithmic trading – governance and controls’. In this report, the AFM shares its findings and expectations with regard to different aspects of RTS 6 (for investment firms trading algorithmically) and RTS 7 (for trading venues which allow or accommodate algorithmic trading).
With respect to Process, the AFM observed at a majority of in-scope trading firms a substantial improvement in the way the self-assessments are performed (both in terms of the structure and the level of detail provided in describing how a firm is compliant).
The regulator expects those firms:
- to follow the structure of the RTS articles when assessing their own compliance; and
- to describe in detail the way they are compliant with the requirements of the article.
Pertaining to Governance, the AFM found that firms have increased the maturity of their organization as regards the development, deployment and subsequent updates of trading algorithms. The regulator expects them to continue to thoroughly assess how concealed unauthorized trading activity has been prevented.
And with regard to IT Security, the AFM states (under general findings) that it is pleased to see that the security and reliability of IT systems are important considerations for firms: “Most firms have set up and maintained adequate arrangements for information security”. However, the AFM’s findings also show that there is room for improvement, especially regarding the incorporation of cyber risk in firms’ overall risk strategy. Under specific findings the AFM observes that:
- few of them compiled an IT strategy in a documented plan aligned with their broader strategy;
- relevant control measures are not always based on effective risk assessment;
- procedures are often not standardized and formally documented nor are they subject to appropriate review; and
- not all firms have formalized the notification requirement (i.e. notification of the AFM) in a standard operating procedure.
The regulator expects firms:
- to document their IT strategy, taking into account the requirements of Article 18(1) RTS 6;
- to perform security risk assessments; and
- to implement appropriate identity and access control measures.
Room for improvement
Whereas the AFM observed a substantial improvement at a majority of proprietary trading firms, for trading venues it sees considerable room for improvement when it comes to their annual RTS 7 self-assessments. The same goes for both firms and venues when it comes to the testing of (single) algorithms to determine their contribution to disorderly trading conditions.
Want to know more?
Do you want to improve your annual self-assessment and validation process? Or could you use some help in (further) meeting the regulatory expectations? Our consultants are happy to offer you advice. Please do not hesitate to get in touch.