Revisiting a set of principles that we have discussed here in the past, DCM looks at the revisions to the Three Lines of Defense model being put forward by the Institute of Internal Auditors. The new revisions are described as changes to "modernize and strengthen application of the model". The justification is "the responsibility for managing risk remains a part of first line roles". While that is correct, the changes make a fundamental assumption that DCM believes is incorrect. The implicit assumption is that the responsibility for management of the risk is roughly equivalent to the former role of assuring the management is done correctly. And that is the point in which this new role falls down.
Because the second leg of this change is the assumption that internal audit will perform controls testing and oversight that is adequate to the task. And, unfortunately, internal audit has consistently had neither the expertise nor the focus on trading operations and trading strategies to perform appropriate oversight. In addition, in major firms, the internal audit of trading - as opposed to financial - controls has been co-sourced with external groups. IN bigger firms, this has been directed towards bigger consulting firms which, while very good in digital and information areas, have reduced their focus on purely compliance area skill sets.
This creates a dangerous combination of potential for front office co-opting the compliance roles with the concomitant risk of reduction or even suppression of compliance oversight with reliance on a company function that is not completely focused on trade compliance oversight and skills. The news continues to point out instances where it appears compliance has been seen as a fig leaf for, rather than a control over, the front office. The end result can be fines in the 8 or nine digit range. That also has impact on senior management and staff careers.
DCM would caution companies to seriously consider what the appropriate measures are for the adoption of the new blended "three lines of defense model should be. DCM has often been critical that the three lines of defense can be too rigid and result in less effective controls. At the same time, the statement that "front line owns the risk" is too simplistic - the reality is the entire company owns the risk, front line just has the keys to the car.
For another analogy, some front line groups can be like a teenager driving the car while other trading teams can behave like reasonable adults. Just like the new insurance products offer, effective compliance is the plug in monitor that reads speed, direction, rate of acceleration, and all the other components that let you know how the car is being driven. Does it make sense to let the driver look at the data and show you what they want to show you? And if that is the case, the oversight (internal audit) better be experienced mechanics who know how to go back and look at the raw data and tell you what has been omitted or changed or, in good cases, to confirm that the appropriate data came to you in the correct form.
And that is where risk management comes in as another resource. Much of what risk management does looks at risk of future losses. But it has information and skills that can easily adapt to supporting the examination of whether how returns are being generated is within the market rules. As DCM has talked about in prior blog entries, compliance is just a mirror of risk management - risk management works to assure there is no mis-perception of the company's risk from front office activities while compliance works to assure there is no mis-perception of other market participant's risk of trading caused by your company's front office. In addition, companies are frequently much more focused on assuring risk management remains an independent and trusted source of information to management than they are on compliance. Early development of compliance often had compliance within the Risk officer's purview. It may be appropriate in the changing three lines of defense model to consider having the Risk Officer act as the guarantor of compliance's independence as well.
DCM worries some companies may see the new model as an opportunity to cut costs and increase profits without consideration of what those changes may mean for risk of loss, risk of fines, or risk to reputation. The change offers an opportunity to consider how risk and compliance may work as complimentary and efficient roles.
Supply chain and procurement for commodity products - market price risks don't just come from the unhedged supply
When the principals at DCM have worked with supply chain and procurement teams (not just at DCM but in other lives too), we have found that there is often a misconception of how market price is created, transformed, and mitigated. COVID has brought some of those issues to light for some companies but we thought it would be appropriate to revisit a couple scenarios as examples.
One that became abundantly evident to some firms is that market price risk can be caused by failure of demand or collapse of your sales price. All too often we see management talk about hedging in the accounting framework - transacting to stabilize a cash flow. However, stabilizing your supply cost cash flow while allowing the sale cash flow to fluctuate is not price risk hedging. Instead, it actually creates a price risk for the unhedged sales price.
In COVID, the price risk was created when the sales volume evaporated. Think of hotels where demand for rooms may have dropped 90%. If you had fixed price supply of energy for the hotel you were faced with the need to sell the energy before you used it or, if you have cogen, sell the generated power into the grid. But in this instance (which DCM calls event driven hypervolatility), it is likely everyone else is having to do the same thing and the market price will drop just as you are trying to sell your hedges. Now, you are losing revenue while simultaneously losing money on unwinding your hedges. There are some strategies that can help lessen these impacts but only if:
Both of these scenarios point out what DCM has referred to before as the First Law of Hedging (I know, others have asked for the others and I will get to them - but not in this post) - risk is never destroyed, it is only converted from the risk being hedged to a different risk to be managed.
In the first instance above, the hedging of price risk converts the risk of market price movement into operational and contract risk. As long as your operation continues to work as planned and your sales (whether sales contracts or FP&A projections) occur as planned, you are hedged. But once either of the two assumptions fail to perform as managed, the risk may convert back to market price risk on the supply chain. In the second instance, the market price risk has been converted into credit risk - if the credit risk blows up, you again may find the risk converted back into market price risk.
COVID has illustrated that the assumption that hedging is a "trade and forget" strategy can fall apart rapidly. That is why DCM feels the underlying assumptions always need to be a part of your risk management stress testing. One thing this stress testing does is inform management of the other company actors that can create risks (and potential losses) for the supply chain and hedging activities. Informed management can be a very valuable thing when you are explaining a loss by starting "as we noted in last month's stress tests, if...".
Prohibition against traders trading the same products you (or your customer) trade - please do something about it
There was another fine this week by the CME (the notice is here) where an employee was trading their own account to the detriment of a customer. In this instance, it was a brokerage firm employee trading against customer accounts orders in Treasury options for their own personal account. The notice does indicate the company "failed to adequately monitor the employee’s personal trading account despite permitting the employee to trade the personal account while working customer orders. Although (the company) conducted an internal investigation, (The company) failed to detect the employee trading opposite customer orders for one year, both before and after the internal investigation."
This has several points to it:
Trade compliance is only one thing we cover, supply chain risk for commodities is something different we do
In the post-COVID world, supply chain "resilience" is something that everyone is talking about. But supply chain resilience - shortening supply chain lines, increasing transport options, and diversifying suppliers comes with an increasing need to look at what DCM calls the "static/variable supply chain distinction". It is something we have developed after a number of years working with energy buyers, food products and feed suppliers, agricultural products traders, and even major manufacturing companies.
The static side of the equation is that portion of direct (and indirect) spend dollars that can be easily forecasted on a unit cost for one, two or even three years. This is things like staff labor costs per person - you won't be changing their pay during the budget year by an impactful amount outside budgeted numbers. Similarly, your some of your external supplier costs - cost of paper supplies or computers is not likely to drastically change. These products are very amenable to standard strategic sourcing and resilience normative models.
The other side, the variable side, is much more problematic. This would supplies of items like natural gas, diesel fuel, aluminum, interest rate products or corn or wheat. These product may fluctuate dramatically on a daily - even hourly - basis. The measure of that risk of fluctuation is the volatility of prices. Procurement departments that don't look forward to at least observe the markets' expectation of potential fluctuations can be caught in an noncompetitive position by a sudden increase in supply (or decrease in output) prices that were not managed.
So, when you begin to restructure or even reexamine your procurement function in the post-COVID world, first identify the static and variable components. Determine how much impact the potential movement that the market is expecting and gauge the EPS impact of a change that decreases your margin (supply cost up or output side down). If you want to get deeper into the issue, look at the correlation between the supply and output variations and see how likely a negative impact from both sides is to occur.
Redesigning your supply chain just to unknowingly increase the potential negative impacts of procurement of variable components of your supply chain can just install a new set of problems to replace those uncovered by COVID.
If you have questions about how to looks at these issues, feel free to send us an email or call us. The information is on our Contact page.We are happy to chat and see if we can help.
There is a difference between the US and Europe futures markets' disciplinary actions - you should take that into account
When DCM does trade compliance training for non-US firms trading US markets there is often that moment when the client realizes that thinking trading US futures has the same risk as trading EU futures may be very, very wrong. This doesn't have to do with the basic understanding that markets trade differently or that liquidity pools my differ but rather the understanding that the traders - and their supervisors - may have much more direct contact with and risk from US exchange and regulatory enforcement staff.
Let's just take one small example. Since June 1, 2020, ICE Futures Europe has issued 3 disciplinary circulars. All three dealt with brokers ("Members" in ICE Europe parlance) and failures of their procedures for handling customer business. CME, on the other hand, has issued 30 disciplinary or summary action notices in the same period. Of those, 13 were summary action notices - minor infractions by brokers that were even less impactful than the ICE Europe circulars. The other 17, however, only four were for brokers - for fines from $35K to $60K. Of the other 13, eight were actions against individuals four individuals with eight notices total). In three cases, they were individuals being disciplined for actions within their employment (either as brokers or traders) and the fines ranged from $15K to $200K with associated suspension from privileges to act on customers behalf or to trade the market ranging from 32 years to a permanent bar from ever entering a customer order to the exchange. The other individual trading their own account had a $20K fine and a 30 bar from the exchange.
This is a significant departure between operating environments. One has a more collaborative regulatory structure with a rule book oriented toward the Member (broker) being the entity with responsibility. The other environment is one where the individual logging into the trading screen had personal responsibility for trading activity and violations with the firm having strict liability for any action of their employee when trading the screen.
DCM suggests you take that into account when considering how different your oversight and training should be when trading global markets.
The US Department of Justice has issued guidance to prosecutors regarding compliance programs and their connection to the decision to file charges or recommendations for sentencing. Trade surveillance is one of the tools in the quiver but it isn't the only one. DCM published a whitepaper on the prior April 2019 compliance guidance (int eh May 2019 archive of the blog) that laid out the salient points of consideration. There has been a further update in June 2020 that stressed a couple points:
1. Compliance has to be an evolving practice - if reviews aren't undertaken or or no changes result from reviews, it is likely the program is no really effective;
2. Compliance is not considered effective if it is not adequately resourced - the resource needs are dependent on company scope of activities, level of activities, and size. An under resourced compliance program can be just as much a red flag of lack of corporate importance as having none;
3. If compliance activities (surveillance, training, disciplinary actions) has no impact on staff behavior, it probably isn't working effectively. And if compliance isn't tracking the impacts, the company's commitment to compliance is suspect.
This brings us back to trade surveillance. Let's ask the first question - why are you adopting it? Is it to have coverage for a future issue or is to truly understand and control behavior within a corporate compliance system. This leads to what DCM would recommend as the process for determining the trade surveillance need.
First, look at what the trading activity is - how many trades, what size, what markets, how many orders are entered per trade (right here is a big stumbling block for companies - they don't record order level activity), how many traders, how many products traded, how many offices, what hours of the day? This is a long list of questions but it boils down to one simple fact - do you know the size of the risk you are trying to control?
Second, once you have the question of where do your risks arise (and if you don't have a former trader or compliance officer to help, make sure the consultant you use does have that experience - a fresh MBA will read a list of risks and a checklist, that will give you an answer but will it give you the right one?), you need to determine what your compliance risk tolerance is. I have seen clients say "we never want any trade to be entered that could cause a concern for the regulator" - my answer to that is "do really want to stop all trading"? There are perfectly legitimate trading patterns and activities that can raise caution flags. The ability to answer the regulator's questions quickly, accurately, and effectively is a huge advantage and should be your goal. Therefore, the minimum bar for compliance, in DCM's opinion, is the ability to identify and resolve potentially suspect activity at a time when memory is still fresh reagrding the strategy, tactics, and actions. That is where trade surveillance comes in - managing that identification and resolution process.
So, the final step will be identifying what types of suspect activity will be observed, what machine learning or AI can be applied to automate some resolutions (but recognize - that automated resolution is going to be a focal point of a regulator if it turns out the automated resolution has been hiding issues, not resolving them), and what resources are needed to manage the more complex resolutions. Automated trade surveillance that is not properly calibrated can generate hundreds of alerts that need to be resolved - failing to resolve them indicates a lack of commitment, exacerbating rather than controlling the compliance issues.
Saying "we need a system" without this analysis can end up creating more costs while also creating greater exposure under the DoJ guidance. Trade surveillance is not a silver bullet - it is a serious solution that can be immensely helpful if deployed at appropriate scale and complexity, it can be a millstone around compliance operations if done ineffectively.
Trade surveillance of physical trading - first questions, what are you trading and where in the world are you trading it ?
Last week, the DCM blog as on considerations that could influence choosing an "in house" or vendor solution to trade surveillance needs. That discussion really focused on transparent markets (such as futures) much more than physical markets. The closing note was that this week's discussion would focus on physical markets.
The most important questions on choosing an "in house versus vendor data system for physical commodity market trade surveillance are:
1. What physical products do you trade; and
2. Where do you trade these products?
Fairly simple but crucially important questions that may need some further explanation. The starting point is to understand that all of the first trade surveillance systems were emerging from the securities markets - equities and such. In those markets, every product has its own singular product code. So, from a data analysis point of view, it is very simple to have all similar trades in the same analysis buckets - just put every trade with the same code in the same bucket. Voila, you have the filtering done. Shifting from equities to futures is just a matter of expanding your look up table to include a bunch of new product codes. And that was the basis for the first energy trade surveillance software (that market started to emerge in the late 2000's with CFTC settlements that required companies to install trade surveillance). And that is where the roll out hit a screeching halt.
I was SME on one of the very first roll outs. The data model was agile and flexible - the problem was it expected all trades to have a product code. The fun really hit doing global oil where the refined products desk traded US diesel and hitting oil in varying sulfur contents, Europe traded gasoil and, at that time, Singapore was trading products based on centistokes (viscosity). These were all different terminology for nearly the same product. The end result was the necessity to create concatenations of data fields to assemble a "product code". The negotiations necessary to get agreement across desks extended implementation times by orders of magnitude. There were a number of comments on last week's posting that alluded to exactly these questions from others who were also involved in some of these early projects - they have lived through these problems and seen the issues.
Now, fast forward to today. If you trade power and gas in Europe, you likely trade on a Multilateral Trading Facility ("MTF") which has specific requirements under EU regulation. An entity created for regulation of the European energy markets, the Agency for the Cooperation of Energy Regulators - "ACER", published a taxonomy for power and gas markets back in 2015 with the onset of REMIT (Regulation for Energy Market Integrity and Transparency). This led to development of a system for physical energy market product references very similar to futures markets product codes. Voila, the data problem is greatly reduced.
In the US and Asia, however, the natural gas, power, and oil markets have not had the same structure imposed. Therefore, most companies have an idiosyncratic data structure for naming and time bucketing of physical transaction data. Add to that the fact that outside of Europe most regulators do not have access to ongoing reporting of discrete transaction level data as well as any access to order level data for physical natural gas and oil markets (in the US, order level data is available from the Independent System Operators for certain products) and the efficacy of vendor solutions for the physical markets can be severely hampered.
That efficacy issue does not even address the fact that, unlike exchange markets with products codes, a US physical or power market deployment is likely to be a "build from nearly scratch" data problem that is based on your ETRM system data structure, your naming convention for products in your system, and the complexity of transaction structures you trade.
The metals and agricultural markets can have their own complexities. Think about lending precious metals and the start and end date intricacies of those trades. First, how do you create a consistent product code? Second, what regulator has jurisdiction over these trades and how would they have the data to look at them?
In agriculture, think of the variations in moisture, quality, even age of the grain - you may "simplify" those trades into a common grade and quality for risk control but are they really the same trade for trade surveillance? And, just like in metals, what regulator is looking at those specific trades? Wouldn't a more general in house system that looks at the book as a whole and potential physical/financial cross-market influences be a better fit? Is there a vendor system that thinks that way or is a more simplistic in house build more appropriate?
I still get calls today from trade surveillance software vendors in discussion with customers in US physical markets asking why the customer is being very skeptical regarding their claims to handle physical commodity trade surveillance in the US. I go through a very similar discussion as set forth above. The data issue of "building from scratch" the product codes has a real implication in the estimation of installation costs. As noted earlier, the product code issue can add an additional 4 to 6 to 8 month data reconciliation issue in front of any commencement of the implementation - adding significant hard and soft costs to the customer.
For those reasons, DCM believes that trade surveillance development in physical commodity markets - metals, agricultural products, or energies - needs careful consideration of whether a singular vendor solution for physical and financial products is appropriate or whether bifurcation based on underlying data between vendor and in house might be appropriate.
Having run multiple vendor selection "beauty pageants" for customers as well as designing business rules for major trade surveillance software vendors, the answer is not a simple "of course you do". Because there is a simple fact, trade surveillance software automates finding the needle in the haystack. So, the first question is - do you have a haystack that needs to be sorted?
That is not as "well, duh" a statement as it seems. DCM has consulted with clients where they look at our initial data request and say "what does this have to do with anything?"
For example, a primary question is "how many different products do you trade and how many trades do you execute a week or month - both on average and maximum activity"? Let's see why that is important.
Let's assume a buyer is hedging their supply pricing - all of their purchases are index related and they are buying futures to lock in prices. They execute no more than 100 trades per month which many buy side companies may think as a huge number - I have seen a dozen trades per year for some clients. Let's say they are trading Henry Hub natural gas and two power contract locations. That would mean they execute roughly 33 trades per month per contract. Over 20 business days, that is less than 2 executions per day. That level of activity can be handled in Excel spreadsheets. Even developing simple spoofing models could be done in VBA or Python or something simple. It only would require getting your order level data from your exchange activity (you get one free data feed for this). How much time, effort, and cost is this? Not a lot.
The rationale for a trade surveillance solution becomes much more compelling when you start talking about hundreds of trades per day and thousands of orders per day across twenty or thirty or forty products on three or four or five exchanges. Now, to continue the analogy, you have multiple haystacks in multiple fields and trade surveillance cuts down on the number of people you have to have sorting through the haystacks. If you have a backyard garden, you don't need a John Deere tractor and combine to grow your veggies - if you have 100,000 acres under cultivation, you better have a lot more.
Next week we will talk about the utility of trade surveillance software in physical energy markets (hint - the answer will depend on where you trade these products).
This week's example of "what not to do and how not to do it" comes courtesy of the ICE US Futures Market Regulation disciplinary notices. The story is set forth in ICE notices here (employee) and here (company). The facts are pretty simple:
1. Broker employee screws up customer trades (entered spread trades backwards) as orders and gets filled;
2. Employee panics and tries to reverse trades by doing them as block trades without customer permission or knowledge,
3. Employee does not file block trade documentation
Ok, it seems like a broken record that you have to do block trades according to the rules. It also seems obvious a broker's employees have to know the block trade rules. Well, doesn't seem so in this case. Anyone who has been through training on this would know that you can't get away with block trades without the exchange figuring it out - and, by the way, the employee allocated the trades to push the loss to the customer accounts. Pretty sordid all the way around.
The employee got hit with a $20K fine and a two week suspension form the market for violating Block Trade, improper handling of customer accounts, and "conduct detrimental" charges.
The company got hit with a $30K fine for all the same charges and the normal "failure to supervise" charge - and also paid over $11K in restitution to the customers.
Once again, the company pays more than the employee for the employee's mistake. But the company should have caught the failure to report a block trade and by " failing to properly instruct employees on applicable Exchange Rules."
It frequently comes down to training in these instances. DCM has provided multiple training sessions to firms located outside the US on nit just the content but the culture and reach of US oversight on futures. It is all to frequent when the staff being trained as things like "US exchanges can do that?". Just because you have a good knowledge of your local or regional exchange and regulatory rules and culture, do not assume the US markets are the same. They are not.
DCM doesn't presume to train people on EU rules, get US training from EU based sources has the same danger.
Friday CME disciplinary notices - 4 notices, $2.465 million in fines - some concerning points in several
.CME issued multiple disciplinary notices Friday - one for $2MM, two in the 100's of thousands, and one for $10,000. The last was for orders placed in the pre-market for spread trades that the CME felt the trader should have known would cross trade based on market size and pricing.
The $2MM dollar fine was for an agricultural firm that reads in a similar fashion to the Kraft case settled in 2019. In this case, the firm of Andersons Inc. registered certificates (i.e., rights to ship physical wheat under a futures contract) in excess of the limited number (600) allowed without "bona fide commercial purpose" and be granted an exemption under from the Market Regulation Department. The notice also points out that The Andersons held over 60% of the open short position in the applicable contract. Finally, the Andersons also sold the product under the contract to local wheat mills for the moth prior to their contracts to suppress demand.
The CME noted that The Andersons, by means of these actions, were able to buy back 1,330 of the 2,000 registered certificates at lower prices than they were originally registered.
Again, the basic format is similar to that described in Kraft - take a position in the futures market and then craft a strategy for disrupting the physical market for delivery of those contracts in a manner that allows the firm to capitalize on the market impacts of caused by their position in the physical market on the futures contract physical delivery mechanisms. So, even though the alleged scheme is not manipulating the trading of the futures contract, it is disrupting the capture of value in the resulting physical delivery mechanism.
For those reasons, the disciplinary comimittee found the actions to violate the following provisions of the "General Offences" Rule (Rule 432) - the notice is here:
"B. 2. to engage in conduct or proceedings inconsistent with just and equitable principles of trade;
Q. to commit an act which is detrimental to the interest or welfare of the Exchange or to engage in any conduct which tends to impair the dignity or good name of the Exchange;
T. to engage in dishonorable or uncommercial conduct."
The second large fine was for actions of Exante Limited - a Malta based fintech firm whose website indicates they are a "Next Generation Investment Company" providing a multi-asset trading platform. Unfortunately, the firm did not do some basic things properly according to the disciplinary committee. The list of problems was extensive:
1. Improper customer set up, resulting in improper account netting - impacting open interest reports from the exchange; and
2. Failure to assign unique Tag50s (a point DCM harps on frequently) to both employees and customers; and\
3. Performing wash trades to transfer positions between clearing firms - another common violation; and
4. Failure to "fully answer regulatory inquiries"
All of this added up to violations warranting a $350K fine for wash trade, Tag50, and failure to supervise violations. The notice is here
The final large fine was imposed on Algolab.com Inc. They operate a proprietary trading shop as well as licensing their software to customers for purposes of entering orders on their behalf. The software allowed orders to exit positions to be entered without regard to market liquidity. The orders "on two occasions" triggered unrelated stop orders, causing additional disruption. These disruptions had the impact of triggering a trading halt on the entire Swiss Franc futures and options trading product group.
More disturbingly, the committee also found, due to "technical reasons", the Algolab product would prioritize Algolab's proprietary trade orders before customer orders - both for entering and existing positions. Algolab also utilized the customer's Tag50 IDs, rather than its own, to enter trades. Algolab was fined $105K - the notice is here