Compliance in Focus
08.29.2023

Parsing the FCA’s “Dear Chief Executive” Letter to Principal Trading Firms

In August 2023 the Financial Conduct Authority, the UK market regulator, published a “Dear Chief Executive” letter addressed to Principal Trading Firms. The FCA framed the missive as follows: “This letter details our view of the most important risks arising from PTFs, what we think drives those risks, our expectations of you, and our supervisory focus for the next two years. We expect you and your Board to discuss the contents of this letter, consider how the risks apply to your business, and take action to manage them effectively.”

Markets Media spoke with David Rundle, Partner at Bryan Cave Leighton Paisner in London; Jonathan Dixon, Director of Regulatory Affairs, EMEA at Eventus; and Joe Schifano, Global Head of Regulatory Affairs at Eventus, about what PTF chief executives – and compliance executives – can take away from the letter.   

Broadly speaking, why is this letter important?

David Rundle:

It tells firms what’s on the regulator’s mind. It tells them what they think senior management should focus on. And it also signals to firms the future risk of supervisory scrutiny, or worse, potential enforcement. 

So it sends a clear message to senior management as to what regulators are looking at.

And it’s not just aimed at firms, it’s also aimed at individual senior managers. The letter is peppered with references that individual senior managers have an obligation to ensure that these aspects of their firms are in compliance. 

Jonathan Dixon:

The letter also highlights the risks, the systemic risks, in the marketplace, if these action items are not followed through. There are several references to the heightened risk of what can impact the market directly, whether it’s high frequency trading firms or algorithmic trading systems. These types of firms have the capacity to influence the market, and there is a heightened risk that goes along with that. 

David:

I agree, Jonathan. One component of the letter is operational resilience, which has been a priority area for the FCA for some time. But the underlying risk to the market, which drives the operational resilience agenda, is only increasing, particularly with increased risks of cyber attacks and the like.

Is there much that’s actually new in the letter? Or is it mostly a recitation of what they’ve previously published?

Joe Schifano:

As far as RTS 6 goes, there’s nothing new. Many large firms are already following this program. But for Principal Trading Firms specifically, perhaps the FCA has found that they have not been as holistic or comprehensive with this sort of surveillance. Would you agree with that, David?

David:

I do. When you read the key topics, none of it is really new, but it’s obvious that there are certain triggers which have prompted these matters to be re-raised on the agenda. Ordinarily those triggers are concerns, filtered through supervision, that certain firms aren’t doing as well as they should in these areas.

One bit that piqued my interest was the reference to AI systems in the context of algorithmic trading. I’m sure the use of AI has advanced significantly since the review in 2018, so maybe they’re coming back to it out of concern that the risks are more complex now, given the sophistication of AI systems. 

Joe:

Proprietary Trading Firms have traders and trading teams that are building out algorithms using all kinds of machine learning models, both supervised and unsupervised, and it’s only going to increase. 

Jonathan:

A key point in all of this goes back to operational resilience. There has to be an off switch. There has to be a human being there able to understand the risks, understand how the models operate, and understand how to turn them off.

Whether it’s risk from an AI model that’s been coded by a human and is prone to making mistakes, or risk from a machine learning model that maybe has learned something it shouldn’t have, these systems could impact financial markets. It’s almost irrelevant how the mistake is made – what is relevant is the ability to understand, see when that mistake is occurring, and turn the process off.

David:

One key concept is the need to ensure that – however you’re using algorithms or machine learning – the systems are not a black box, and there is explainability in the outputs.

Expectations of a regulator in this area aren’t clearly defined yet, but there’s a lot of work being done in the background, and we expect there will be a lot more regulatory comment generally about the expectations around the use of machine learning in financial services. I’m sure trading firms will be a part of that review.

Jonathan:

It’s also important to note that at the moment, the regulator expects that for every algo, there is a human responsible for the trading activity it undertakes. This letter is about highlighting those risks, and highlighting that someone needs to be responsible.

One specific key area the FCA highlighted is algorithmic trading controls. What else is important in this area?

David:

Well, they made specific reference to the weaknesses in governance and oversight framework in the 2018 review. So if I were a firm reading this letter, I would be going back to that 2018 review and reading the section on governance and oversight frameworks, and be very focused about ensuring that the good practices that the paper sets out have now been fully adopted, and the bad practices aren’t present.

The point around individual responsibility is interesting. I’ve always wondered whether the more complex algorithms get, and the more they interact with each other, the more difficult it becomes to identify personal responsibility.

So for the use of machine learning in algorithms across financial services, governance and responsibility are going to be key issues.

What’s notable about the letter’s highlighted theme of financial resilience?

David:

The last sentence of the penultimate paragraph says, “In many instances, the stress was greater than the severe but plausible scenario firms had based their modeling on.” I think the message there for firms is that you may need to be more pessimistic about the very worst scenarios that you’re stress testing.

Jonathan:

There has been an increased number of black swan events over the past 10-15 years, whether that’s the credit crunch, Russia invading Ukraine and impacting energy and grain markets, or the slowdown in China that causes a massive decrease in commodity prices.

With these events, volatility has increased, and as volatility increases, the ability to react effectively to that volatility becomes more important. That circles back to operational resilience issues, and having the ability to turn off the system. It’s all very much interlinked. 

What else is important about operational resilience?

David:

The letter mentioned the ION cyber attack, and the focus seems to be around cyber events. We haven’t had many operational resilience enforcement cases, so we haven’t seen certain concepts tested.

What is clear from the FCA’s discussion around operational resilience is the need to play through scenarios, to ensure people know what they’re doing. That seems to be a key, nuts-and-bolts, practical message of operational resilience. Does everyone know what they need to be doing in an outage caused by a cyber attack? 

I suspect for many firms, that’s where they will trip up. The high-level policies may be sound, but if people don’t know what they’re doing in real time, and therefore can’t react in a satisfactory way, that’s a problem. 

What else in the letter caught your attention?

David:

Toward the end of the letter, under Next Steps, it says management needs to be “fully aware of the FCA’s expectations and are compliant and fully resourced.” I would stress to firms, in the context of all these issues, that they need to make sure they are properly resourced. If there is a concern communicated to senior management that there is inadequate resourcing to take proper care of these issues, that’s going to present an enforcement risk, both for the firm and for senior management.

Joe:

By “resources” I assume the FCA means human resources and the tools that are used for compliance?

David:

Correct.

Once a document like this is released, if there are failings, then the FCA will be more motivated to take action, because they’ve set out their expectations. 

Jonathan:

I would emphasize that everything the FCA talks about here boils down to senior management understanding their risk, and having to manage that risk. They’re not talking about anything senior management shouldn’t be aware of. A chief executive may not be fully aware of RTS 6, for example, but the chief of compliance should be, and board members should have an understanding of it. So the FCA is highlighting systemic risks and regulatory requirements. And this is all fairly time-critical, as the FCA’s deadline of end of September is only weeks away. 
