By Dan Simon, Markets Media Correspondent
Given the renewed focus on the benefits and risks of high frequency trading, and with market fears of another flash crash or a cyber-attack constantly looming, brokers and regulators are more concerned than ever about controlling and monitoring the connections between the execution system and the exchange. We spoke with Tony Amicangioli, CEO of Hyannis Port Research and an expert on pre-trade risk management, cyber security and surveillance, to discuss the importance of securing interactions between exchanges and trading firms.
1. Has SEC Market Access Rule 15c3-5 made markets safer?
Market Access Rule 15c3-5 has clearly made the markets safer. One way one can measure this is to consider recent disruptive events and whether the new controls would have prevented such disruptions from happening. In one recent incident, a large market maker firm’s systems went into a disruptive loop causing the firm to lose hundreds of millions of dollars in a very short period of time. In that case, current risk controls, such as the run-away algorithm tests would have prevented such a loss.
Also consider the Flash Crash. It is somewhat difficult to ascertain in this case because there are varying accounts on where the problem initiated. If it was in the equities markets clearly the right controls would have had an impact. On the other hand, other markets are still working toward similar regulations which will prevent issues from cascading across asset classes. However, even if the Flash Crash initiated in, for example, the futures markets, the equities markets would have been less impacted by that disruption.
Rule 15c3-5 would have prevented or greatly reduced the impact of the Flash Crash and has been a very positive and effective improvement to our capital markets structure.
2.It seems many financial firms have been piecing their 15c3-5 compliance together with a range of different solutions, including throwing more bodies at the problem. Why do you think a unified solution hasn’t been universally adopted?
There are unprecedented product creation and execution challenges for would-be providers of any-such universally adopted solution. Creation of such a platform necessarily requires building a product capable of meeting all of the regulatory requirements, while simultaneously meeting the performance demands necessary to compete in today’s markets.
There are so many facets to such technologies; HPR’s Riskbot represents a culmination of aerospace engineers, telecommunications technologists, and software specialists, particularly at the high-end, along with people who have significant experience in the financial and capital markets. Assembling a team with that culmination of necessary skills was a critical factor in our success.
3.What are some of the risks your clients are trying to mitigate with a solution like Riskbot?
Above all, regulatory risk. The Market Access Rule represents a new trend in the regulatory environment that seems to be ever-increasing. In particular, the regulation requires the CEO of any broker-dealer to sign off personally on an annual basis which adds additional pressure for these institutions and/or funds. Moreover, examinations and continued fines in this area are likely, given that the SEC and FINRA have both cited market access regulation enforcement as ongoing priorities, as they have in recent years. We have seen the fines across the market related to these technologies and we believe that trend will continue.
Other risks follow regulatory risks. For example, reputational risk is a very important factor, in particular for those who manage significant assets for others while also electing to maintain direct broker-dealer status. The cost of a regulatory examination failure is much higher for those entities as it can drive away investors.
Finally, there are direct monetary risks. Recall that the Riskbot is first and foremost a regulatory device, but it really is designed to protect your institution. So if you manage an entity with numerous trading desks, all operating at substantial daily equity or other asset class amounts, the ability to watch, monitor and react to anomalies and in particular, adverse behaviors, is of the utmost importance.
4. What would you say poses a bigger challenge for financial firms today: the need for daily compliance, bad actors within their organization, or cyber security?
In many ways they are all inextricably related and all drive the same net reputational, monetary, and regulatory risks we discussed above. While they all pose significant challenges for financial firms, cyber-security is the greatest challenge.
Market access devices are situated between exchanges and some of the world’s most prestigious trading operations. It is clear that both of these stakeholders have a tremendous incentive to ensure that no cybersecurity breaches occur. Such attacks would allow someone who breaks through either entity’s firewall to extend their attack beyond their first point of entry. That is why we decided to enhance Riskbot 3.0 with a cybersecurity feature set to minimize the chance of reach-through type attacks. Moreover, cyber-attacks are becoming so common, media reports of breaches appear on a nearly daily basis.
The need for daily compliance has become a much greater challenge as new regulations such as the Market Access Rule are implemented and enter the enforcement phase. Hence, all firms are actively trying to address this need. The extent to which you may need internal compliance controls varies substantially based on your status. Those with broker-dealer status are held to a much higher standard, as they are the owners of the 15c3-5 controls. This is substantial because when the regulation went into effect, many entities decided to break away from their brokerages and apply for broker-dealer licenses directly. Initially this was because there were no providers available that were capable of meeting all of the Market Access Rule requirements, while maintaining the market connectivity profile that a product like Riskbot can provide. Thus, the current market poses an opportunity; with Riskbot now available we are beginning to see a trend where some firms move away from in-house broker-dealers.
As it relates to bad actors, this speaks to the next natural evolution for the pre-trade risk system. The Riskbot system, for example, monitors all trading activity at all entities for all traders of a given organization. This allows us to watch the individual traders, as well as the overall portfolio of our clients. Our product road-map clearly recognizes the need for surveillance capabilities to monitor bad behavior such as layering, spoofing or marking the close, which is currently a capability many firms do build in-house, but is not yet a regulatory mandate as is the Market Access Rule.
5. What threats do you think financial firms need to be paying greater attention to?
HPR interacts with a wide variety of firms with different profiles and varying requirements. From our perspective, the firms who manage money for other institutions whether it be bulge bracket bank or hedge funds with large AUM, face some of the greatest threats.
First and foremost the root of the risk lies both in reputational risk which leads to monetary risk in a number of ways. HPR is observing a growing concern over cyber threats as you can imagine given the recent highly publicized attacks that have happened on what would be considered, highly protected organizations. In short, a successful cyber-attack of one of these entities would certainly have a very negative effect, in a very direct and measurable way, from a monetary and reputational standpoint.
Maintaining risk and compliance capabilities would follow as a close second to this, given that problems in these areas could lead to similar outcomes.