THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments amending Directive 2002/92/EC and Directive 2011/61/EU, and in particular points (a) and (d) of Article 17(7) thereof.
Systems and risk controls used by an investment firm engaged in algorithmic trading, providing direct electronic access or acting as general clearing members, should be efficient, resilient and have adequate capacity, having regard to the nature, scale and complexity of the business model of that investment firm.
To that end, an investment firm should address all risks that may affect the core elements of an algorithmic trading system, including risks related to the hardware, software and associated communication lines used by that firm to perform its trading activities. To ensure the same conditions for algorithmic trading independently of trading form, any type of execution system or order management system operated by an investment firm should be covered by this Regulation.
As a part of its overall governance framework and decision making framework, an investment firm should have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. That arrangement should ensure reduced dependency on a single person or unit.
Conformance testing should be made in order to verify that the trading systems of an investment firm communicate and interact properly with the trading systems of the trading venue or of the direct market access (DMA) provider and that market data are processed correctly.
Investment decision algorithms make automated trading decisions by determining which financial instrument should be purchased or sold. Order execution algorithms optimise order-execution processes by automatic generation and submission of orders or quotes, to one or several trading venues once the investment decision has been taken. Trading algorithms that are investment decision algorithms should be differentiated from order execution algorithms having regard to their potential impact on the overall fair and orderly functioning of the market.
The requirements concerning the testing of trading algorithms should be based on the potential impact that those algorithms may have on the overall fair and orderly functioning of the market. In this regard, only pure investment decision algorithms which generate orders that are only to be executed by non-automated means and with human intervention should be excluded from the testing requirements.
When introducing trading algorithms, an investment firm should ensure controlled deployment of trading algorithms, regardless of whether those trading algorithms are new or previously have been successfully deployed in another trading venue, and whether their architecture has been materially modified. The controlled deployment of trading algorithms should ensure that the trading algorithms perform as expected in a production environment. The investment firm should therefore set cautious limits on the number of financial instruments being traded, the price, value and number of orders, the strategy positions and the number of markets involved and by monitoring the activity of the algorithm more intensively.
Compliance with the specific organisational requirements for an investment firm should be determined according to a self-assessment which includes an assessment of compliance with the criteria set out in Annex I to this Regulation. That self-assessment should furthermore include all other circumstances that may have an impact on the organisation of that investment firm. That self-assessment should be made regularly and should allow the investment firm to gain a full understanding of the trading systems and trading algorithms it uses and the risks stemming from algorithmic trading, irrespective of whether those systems and algorithms were developed by the investment firm itself, purchased from a third party, or designed or developed in close cooperation with a client or a third party.
An investment firm should be able to withdraw all or some of its orders where this becomes necessary ("kill functionality"). For such a withdrawal to be effective, an investment firm should always be in a position to know which trading algorithms, traders or clients are responsible for an order.
An investment firm engaged in algorithmic trading should monitor that its trading systems cannot be used for any purpose that is contrary to Regulation (EU) No 596/2014 of the European Parliament and of the Council or to the rules of a trading venue to which it is connected. Suspicious transactions or orders should be reported to the competent authorities in accordance with that Regulation.
Different types of risks should be addressed by different types of controls. Pre-trade controls should be conducted before an order is submitted to a trading venue. An investment firms should also monitor its trading activity and implement real-time alerts which identify signs of disorderly trading or a breach of its pre-trade limits. Post-trade controls should be put in place to monitor the market and credit risks of the investment firm through post-trade reconciliation. In addition, potential market abuse and violations of the rules of the trading venue should be prevented through specific surveillance systems that generate alerts on the following day at the latest and that are calibrated to minimise false positive and false negative alerts.
The generation of alerts following real time monitoring should be done as instantaneously as technically possible. Any actions following that monitoring should be undertaken as soon as possible having regard to a reasonable level of efficiency and expenditure of the persons and systems concerned.
An investment firm providing direct electronic access ("DEA provider") should remain responsible for the trading carried out through the use of its trading code by its DEA clients. A DEA provider should therefore establish policies and procedures to ensure that trading of its DEA clients complies with the requirements applicable to that provider. That responsibility should constitute the principal factor for establishing pre-trade and post-trade controls and for assessing the suitability of prospective DEA clients. A DEA provider should therefore have sufficient knowledge about the intentions, capabilities, financial resources and trustworthiness of its DEA clients, including, where publicly available, information about the prospective DEA clients' disciplinary history with competent authorities and trading venues.
A DEA provider should comply with the provisions of this Regulation even where it is not engaged in algorithmic trading, since its clients may use the DEA to engage in algorithmic trading.
Due diligence assessment of prospective DEA clients should be adapted to the risks posed by the nature, scale and complexity of their expected trading activities and to the DEA being provided. In particular, the expected level of trading and order volume and the type of connection offered to the relevant trading venues should be assessed.
The content and format of the forms to be used by an investment firm engaged in high frequency trading technique for submitting to the competent authorities the records of its placed orders and the length of time that those records should be kept should be laid down.
To ensure consistency with the general obligation for an investment firm to keep records of orders, the required record keeping periods for an investment firm engaging in high-frequency algorithmic trading technique should be aligned with the ones laid down in Article 25(1) of Regulation (EU) No 600/2014 of the European Parliament and of the Council.
For reasons of consistency and in order to ensure the smooth functioning of the financial markets, it is necessary that the provisions laid down in this Regulation and the related national provisions transposing Directive 2014/65/EU apply from the same date.
This Regulation is based on the draft regulatory technical standards submitted by the European Securities and Markets Authority ("ESMA") to the Commission.
ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Securities and Markets Stakeholder Group established by Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council,
HAS ADOPTED THIS REGULATION: