On Tuesday 18th May 2021, the UK Financial Conduct Authority issued a Dear CEO Letter to Electronic Money Institutions headed "Please act: ensure your customers understand how their money is protected."

You can read a copy of the letter here.

Some interesting excerpts from the letter below:

What is the UK FCA concerned about?:

• "We are concerned that many e-money firms compare their services to traditional bank accounts or hold themselves out as an alternative in their financial promotions, but do not adequately disclose the differences in protections between e-money accounts and bank accounts. In particular, they do not make it clear that Financial Services Compensation Scheme (FSCS) protection does not apply." 

 

• "We are still concerned that many e-money firms are not adequately disclosing the differences in protections between their services and traditional banking, in particular, that FSCS protection does not apply."

 

• "We are also concerned that firms are giving a potentially misleading impression to customers about the extent to which products or services are regulated by the FCA."

Action expected of emoney firms by the FCA:

1. "you write to your customers within six weeks of the date of this letter [Ed - i.e. 18 May 2021] to remind them of how their money is protected through safeguarding and that FSCS protection does not apply."
2. "draw this letter to the attention of your Board."
3. "expect the Board to have considered the issues we have raised here and to have approved the action taken in response." 

Note the FCA point that the communication to customer be separate from any other messaging or promotional activity. And that the FCA expects emoney firms to consider the appropriate method(s) of communication based on their business model and customer base, including any vulnerable customers. 

Why should emoney action the letter?:

Because the FCA intend to follow up, with a sample of firms, to assess the actions taken. 

Contact the team at CompliReg if you require assistance. 

You can read a copy of the letter here.

The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings and expected Actions following a Thematic assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MIFID II. 

1. Governance – Deficient control and risk management frameworks:

Varying levels of maturity were observed with respect to firms’ governance, control and risk
management frameworks. Supervisors observed weaknesses with respect to:

• i. The absence of formalised algorithm governance documentation;
• ii. The lack of local entity autonomy evidenced through minimal Board involvement in the
• setting or challenging of the key controls and in the oversight of the development of trading
• algorithms;
• iii. The absence of regular, formalised reporting to the Board in relation to algorithms; and
• iv. The significant reliance placed on Group resources without an appropriate level of
• formalised Group reporting lines.

The Central Bank considers the maintenance of a robust algorithmic governance and oversight
framework to be of paramount importance in enabling firms to identify, monitor and mitigate the
risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part
of its overall governance framework and decision-making framework, an investment firm should
have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit.


2. Development and Testing - Lack of formal documentation with respect to development,
testing and deployment processes:
Supervisors observed strong development, testing and deployment controls. However, significant
disparities were identified between firms with respect to the level of detail pertaining to
documentation on development, testing and deployment processes most notably:

• i. Firms were unable to provide sufficient detail with respect to their testing environments
• and how the parameters detailed in Article 5 of RTS 6 were embedded.
• ii. There is a lack of adequate information in relation to testing environments used to assess
• the performance of algorithms including assurance that trading algorithms:
• (ii) a. would not contribute to disorderly trading conditions;
• (ii) b. can continue to work effectively in stressed market conditions; and,
• (ii) c. where necessary under those conditions, can be disabled without contributing to
• disorderly trading.
• iii. Where firms are part of larger groups, it was noted that strong reliance was placed on Group entities. While outsourcing the development of trading algorithms is permitted under MiFID II, the investment firms deploying trading algorithms must fully understand the development and testing processes and the subsequent controls required. Outsourcing arrangements must be supported by appropriate documentation at local entity level with respect to the development, testing and deployment processes, be subject to regular review by the appropriate control function and consider the parameters detailed in Article 5 of RTS6.

3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence:
While it was evident that certain firms had appropriately skilled and resourced second lines of
defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence
model”. It is important that firms have a robust model in place, with clear delineation between each
line i.e. the business, the risk management functions and the internal audit function. Supervisors
observed:

• i. A blurring of lines between the first line, where the operation and implementation of risk management occurs, and second line management of risk, responsible for oversight of risk management, creating concerns around independence and appropriate separation of duties;
• ii. Within the second line, a lack of clarity between the roles and responsibilities of Risk and Compliance, in some instances, may increase the likelihood for risks to go unidentified or identified risks to go unaddressed;
• iii. An absence of a formalised plan regarding the steps taken by the Head of Compliance or first line in the event that the kill switch has been activated; and
• iv. As required under Article 9 of RTS6, all firms are required to conduct annual self-assessments and produce subsequent validation reports. Supervisors observed three common areas not sufficiently addressed by the majority of firms within the self-assessment:

:

• (iv) a. The adequacy of governance arrangements;
• (iv) b. The lack of appropriate detail with respect to testing methodologies applied and
• testing environments used; and
• (iv) c. A lack of clarity with regard to the third line of defence and the role of Internal Audit in the self-assessment and validation process. As per Article 9(3) of RTS 6, Internal Audit should play a key role in the oversight of the self-assessment and validation process to ensure that the governance and conclusions reached are valid.

 4. Trade Lifecycle Management – Lack of appropriate documentation with respect to pre and
post-trade controls:
The presence of extensive pre and post-trade controls was evident during this Thematic Review
however:

• i. These were not formally reflected in the firms’ policies and procedures, where supervisors identified a lack of adequate documentation regarding these controls and calculation of associated limits.
• ii. Firms did not demonstrate appropriate compliance with Article 15 of RTS 6 with respect to the documentation of the application and usage of appropriate limits. This information must be formally documented within the firms’ algorithmic governance documentation.

Firms must have in place appropriate pre and post-trade controls that are commensurate to the
nature, scale and complexity of the entity and ensure that these controls are appropriately
documented.

Actions
As a result of the findings of this thematic review, the Central Bank has engaged with the
investment firms where specific concerns have been identified, issuing risk mitigation programmes
to address these specific issues.

The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this
letter, where applicable and take all remedial action necessary to ensure that they have the
appropriate control and oversight in place with respect to algorithmic trading and that the
requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in
conjunction with the joint ESMA and European Banking Authority (“EBA”) Guidelines on the 
assessment of suitability of members of the management body and key function holders ; EBA
Guidelines on internal governance; and the Central Bank’s Outsourcing: Findings & Issues for
Discussion.

The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks
arising from algorithmic trading and will have regard to the contents of this letter when conducting
future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with
the regulatory requirements associated with algorithmic trading, the Central Bank may, in the
course of future supervisory engagement, or when exercising its supervisory and/or enforcement
powers in respect of such non-compliance, have regard to the consideration given by a firm to the
matters raised in the letter. 

Background:

​ The Central Bank of Ireland (“Central Bank”) undertook a thematic review to assess how firms
undertaking algorithmic trading have incorporated within their risk management and control
frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 (“RTS 6“)
supplementing Directive 2014/65/EU (“MIFID II”). The purpose of this letter is to provide
background to our assessment, highlight the key findings of this review and outline the expectations
of the Central Bank in relation to the governance, testing and controls surrounding algorithmic
trading.

Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms,
information technology (“IT”) systems and processes. In recent years, a number of significant
algorithmic trading failures have resulted in substantial losses, fines and reputational damage for
firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to
ensure risk management and control frameworks in respect of algorithmic trading are
appropriately embedded and are operating to a high standard. RTS 6 provides a framework to
mitigate these, and other risks, through the requirement to maintain effective systems, procedures,
arrangements and controls.

This thematic review focused on the five principal areas underpinned by the requirements set out
in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and
Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management.

The Central Bank noted many positive practices, including the presence of experienced, competent
professionals across the first and second lines of defence, in addition to a comprehensive suite of
controls in terms of monitoring, development, testing and deployment of trading algorithms.
Notwithstanding this, supervisors also identified varying levels of maturity and a number of
concerns across governance, control and risk management frameworks of in scope entities. A full
list of the practices observed are noted in Appendix 1 of this letter. The key concerns arising from
the review include: 

​An over-reliance on service providers with a lack of demonstrable autonomy at regulated
entity level. This was evidenced through a distinct absence of entity Board oversight in
setting or challenging the key controls and in the oversight of the development of trading
algorithms.
ii. Insufficient formality with respect to key documentation. This was evidenced through a
lack of appropriate documentation in relation to algorithmic trading controls and
procedures. This speaks to this sector being at the early stages of maturity and also the
extent to which firms leverage Group documentation, where relevant, which creates a
possibility that entity specific risk may be overlooked.
iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate
delineation between the “Three Lines of Defence”. This is a consequence of a combination
of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the
non-specific nature for managing risks associated with algorithmic trading in certain firms.
These do not align with a comprehensive and effective implementation of the requirements set out
in RTS 6.