The CME, earlier this month, issued a number of disciplinary orders about the same issues we have covered multiple times in this blog - wash trades, spoofing, and failure to supervise. We will look at these cases but a note about how DCM choses what to cover on this blog.
There have been a number of very large cases - nine or ten digit fines (without the decimal point) - in the last couple months. They have not, for the most part, been covered here. The reason for this is the majority of our clients (yes, we have worked with and continue to work with some of the largest trading entities in the world) are shops that are entering markets or entering US markets in a smaller manner. Those multi-year, global expanse cases tend to be met with "that isn't us and we never intend to be that" response. The "it can't happen here" is a very valid response for these strategies.
But the $30K or $100K fines for small companies - these resonate. And the purpose of this blog is to give the smaller firms - even those that seem themselves solely as hedgers and not "traders" - examples of behavior or practices that are on their scale. If that scale translates into more effective supervision and appropriately scaled compliance and risk operations, that has achieved the purpose of this blog. So, climbing down off the soapbox and back into compliance review, the notices of interest are:
1. A firm was fined $25K for "failure to supervise" in reagrds to staff entering trades "executed opposing buy and sell orders in December 2019 Silver Options for which there was common beneficial ownership on both sides of the transactions." The intent? Executing " buy and sell orders with the knowledge and intent that the orders would trade opposite one another, for the purpose of closing positions." The finding was the firm "failed to properly advise and train its employees as to relevant Exchange rules and Market Regulation Advisory Notices (“MRANs”) regarding wash trading." Traders may be tempted to use wash trades to shift positions between books - especially using an affiliate book to stash the trades - to manage risk limits. There is no better way to point out the limits of your risk analysis (and put the CRO in jeopardy) than to get a fine for shifting positions. This scenario has happened enough times to be on every compliance officers radar - and yet still we see this issue. There can be fairly simple ways to detect this - it just takes allocating resources and effort to detect this. The notice is here.
2. A prop trading company was fined $200K (split 50/50 by NYMEX and COMEX) for failure to supervise the actions of its traders. The traders hit the trifecta - they shared TAG50 IDs (trader log in IDs) which is a significant issue for exchanges, they spoofed markets over a one year period, and they failed to answer the charges of the disciplinary committee. That last is a common item we see from non-US based clients - we are in country X, they don't have jurisdiction over us. As this blog has harped on multiple times - they have jurisdiction the second you sign your brokerage agreement. You cannot trade US futures markets on US exchanges without accepting US jurisdiction in your brokerage agreement. Accept that the exchange and CFTC jurisdiction is global (and when we have space stations with people trading there it will be interplanetary). The fine ,as noted was $200K and the firm was barred from trading any CME market for five years. The COMEX notice is here.
Again, these aren't the big splashy cases but the do represent what the average participant in the market can be facing in their activities if they don't manage their compliance risk.
A number of disruptive trading fines from CME last week and a couple wash trade fines today (one of note). The disruptive trading fines are illustrative because they all point to two things that all traders (and firms) should keep in mind:
1. Any order placed on the market has to be reasonably executed within the standing liquidity in the market. If the trade is really big (doesn't even have to be flash crash big, that can be disruptive trading); and
2. There is a reason the exchanges have made block trades available - they are a mechanism to allow large trades to be executed without disrupting the market.
In the first case, Interactive Brokers was fined $275K across CBOT, NYMEX, and COMEX with $100K going to CME (the CME notice is here). The exchange response was based on:
"IB implemented customer order routing functionality that bypassed CME Group market integrity controls. Specifically, in several cases, this functionality enabled its customer orders to avoid protection points applied to all market orders by CME Group’s Globex platform in reckless disregard for the adverse impact on the market. These protection points are designed to prevent extreme price movements and other market disruptions"
"IB caused various Equity and Agricultural markets, including the E-mini Nasdaq-100, E-mini S&P 500, Nikkei/Yen, Live Cattle and Cash-settled Butter futures markets, to experience price, liquidity and trade volume aberrations and Velocity Logic events."
You can't just find a way to get trades executed any way you want - that is not how the exchanges work.
The second case is a smaller incidents that still resulted in a $40K fine - notice here. The CME did point out one specific case:
"For example, on April 18, 2016, (the company) entered a 100-lot sell market order into a Live Cattle market that displayed 33 contracts in aggregate at the top five book levels on the opposite side of the market. R&B’s order was filled across 19 unique prices. Within one second, R&B continued to enter multiple market orders that caused additional significant and disruptive price breaks in the market in a short period of time."
Here is a case where a block trade size order was 3 times the top five resting orders on the other side of the book. The CME found that to be "disruptive"
The final disruptive trading case was an $85K fine - the notice is here. It has the combination of disruptive trading with that all too present "failure to supervise" kicker. In this case, it was failure to supervise an automated trading system.
"Specifically, during this time period, an (company) automated trading system (“ATS”) engaged in a pattern of activity wherein it entered multiple opposing orders at various price levels near the start of the pre-open, provided significant liquidity to the order book in these markets, and then subsequently cancelled all or a majority of the orders near the end of the pre-open just prior to the no-cancel period, causing impacts to the Indicative Opening Price (“IOP”) and/or fluctuations in the bid-offer spread."
The company was notified by Market Regulation of the issue, made changes and redeployed the system with the same continuing flaw. The CMA followed up with:
"The Panel also found that (the company) failed to diligently supervise its ATS in the conduct of its business relating to the Exchange."
The last settlement to note is a pair of wash trade notices. The point I wish to note is the fines were $25K for the trader for the wash trade and $85 for the company for the trade and for failure to supervise - the company notice is here. Two takeaways here:
1. This was a single 9,762 options wash trade between two affiliates accounts - trades of this size might show up on someone's alerts; and
2. The trade was done to "alleviate margin pressure" which should have been likely to flag a risk alert.
Both of these point to potential breakdowns in oversight on the compliance and risk side. This is just one more opportunity to point out the interconnection between risk and compliance as complementary, not competing, functions.
Revisiting a set of principles that we have discussed here in the past, DCM looks at the revisions to the Three Lines of Defense model being put forward by the Institute of Internal Auditors. The new revisions are described as changes to "modernize and strengthen application of the model". The justification is "the responsibility for managing risk remains a part of first line roles". While that is correct, the changes make a fundamental assumption that DCM believes is incorrect. The implicit assumption is that the responsibility for management of the risk is roughly equivalent to the former role of assuring the management is done correctly. And that is the point in which this new role falls down.
Because the second leg of this change is the assumption that internal audit will perform controls testing and oversight that is adequate to the task. And, unfortunately, internal audit has consistently had neither the expertise nor the focus on trading operations and trading strategies to perform appropriate oversight. In addition, in major firms, the internal audit of trading - as opposed to financial - controls has been co-sourced with external groups. IN bigger firms, this has been directed towards bigger consulting firms which, while very good in digital and information areas, have reduced their focus on purely compliance area skill sets.
This creates a dangerous combination of potential for front office co-opting the compliance roles with the concomitant risk of reduction or even suppression of compliance oversight with reliance on a company function that is not completely focused on trade compliance oversight and skills. The news continues to point out instances where it appears compliance has been seen as a fig leaf for, rather than a control over, the front office. The end result can be fines in the 8 or nine digit range. That also has impact on senior management and staff careers.
DCM would caution companies to seriously consider what the appropriate measures are for the adoption of the new blended "three lines of defense model should be. DCM has often been critical that the three lines of defense can be too rigid and result in less effective controls. At the same time, the statement that "front line owns the risk" is too simplistic - the reality is the entire company owns the risk, front line just has the keys to the car.
For another analogy, some front line groups can be like a teenager driving the car while other trading teams can behave like reasonable adults. Just like the new insurance products offer, effective compliance is the plug in monitor that reads speed, direction, rate of acceleration, and all the other components that let you know how the car is being driven. Does it make sense to let the driver look at the data and show you what they want to show you? And if that is the case, the oversight (internal audit) better be experienced mechanics who know how to go back and look at the raw data and tell you what has been omitted or changed or, in good cases, to confirm that the appropriate data came to you in the correct form.
And that is where risk management comes in as another resource. Much of what risk management does looks at risk of future losses. But it has information and skills that can easily adapt to supporting the examination of whether how returns are being generated is within the market rules. As DCM has talked about in prior blog entries, compliance is just a mirror of risk management - risk management works to assure there is no mis-perception of the company's risk from front office activities while compliance works to assure there is no mis-perception of other market participant's risk of trading caused by your company's front office. In addition, companies are frequently much more focused on assuring risk management remains an independent and trusted source of information to management than they are on compliance. Early development of compliance often had compliance within the Risk officer's purview. It may be appropriate in the changing three lines of defense model to consider having the Risk Officer act as the guarantor of compliance's independence as well.
DCM worries some companies may see the new model as an opportunity to cut costs and increase profits without consideration of what those changes may mean for risk of loss, risk of fines, or risk to reputation. The change offers an opportunity to consider how risk and compliance may work as complimentary and efficient roles.
Supply chain and procurement for commodity products - market price risks don't just come from the unhedged supply
When the principals at DCM have worked with supply chain and procurement teams (not just at DCM but in other lives too), we have found that there is often a misconception of how market price is created, transformed, and mitigated. COVID has brought some of those issues to light for some companies but we thought it would be appropriate to revisit a couple scenarios as examples.
One that became abundantly evident to some firms is that market price risk can be caused by failure of demand or collapse of your sales price. All too often we see management talk about hedging in the accounting framework - transacting to stabilize a cash flow. However, stabilizing your supply cost cash flow while allowing the sale cash flow to fluctuate is not price risk hedging. Instead, it actually creates a price risk for the unhedged sales price.
In COVID, the price risk was created when the sales volume evaporated. Think of hotels where demand for rooms may have dropped 90%. If you had fixed price supply of energy for the hotel you were faced with the need to sell the energy before you used it or, if you have cogen, sell the generated power into the grid. But in this instance (which DCM calls event driven hypervolatility), it is likely everyone else is having to do the same thing and the market price will drop just as you are trying to sell your hedges. Now, you are losing revenue while simultaneously losing money on unwinding your hedges. There are some strategies that can help lessen these impacts but only if:
Both of these scenarios point out what DCM has referred to before as the First Law of Hedging (I know, others have asked for the others and I will get to them - but not in this post) - risk is never destroyed, it is only converted from the risk being hedged to a different risk to be managed.
In the first instance above, the hedging of price risk converts the risk of market price movement into operational and contract risk. As long as your operation continues to work as planned and your sales (whether sales contracts or FP&A projections) occur as planned, you are hedged. But once either of the two assumptions fail to perform as managed, the risk may convert back to market price risk on the supply chain. In the second instance, the market price risk has been converted into credit risk - if the credit risk blows up, you again may find the risk converted back into market price risk.
COVID has illustrated that the assumption that hedging is a "trade and forget" strategy can fall apart rapidly. That is why DCM feels the underlying assumptions always need to be a part of your risk management stress testing. One thing this stress testing does is inform management of the other company actors that can create risks (and potential losses) for the supply chain and hedging activities. Informed management can be a very valuable thing when you are explaining a loss by starting "as we noted in last month's stress tests, if...".
Prohibition against traders trading the same products you (or your customer) trade - please do something about it
There was another fine this week by the CME (the notice is here) where an employee was trading their own account to the detriment of a customer. In this instance, it was a brokerage firm employee trading against customer accounts orders in Treasury options for their own personal account. The notice does indicate the company "failed to adequately monitor the employee’s personal trading account despite permitting the employee to trade the personal account while working customer orders. Although (the company) conducted an internal investigation, (The company) failed to detect the employee trading opposite customer orders for one year, both before and after the internal investigation."
This has several points to it:
Trade compliance is only one thing we cover, supply chain risk for commodities is something different we do
In the post-COVID world, supply chain "resilience" is something that everyone is talking about. But supply chain resilience - shortening supply chain lines, increasing transport options, and diversifying suppliers comes with an increasing need to look at what DCM calls the "static/variable supply chain distinction". It is something we have developed after a number of years working with energy buyers, food products and feed suppliers, agricultural products traders, and even major manufacturing companies.
The static side of the equation is that portion of direct (and indirect) spend dollars that can be easily forecasted on a unit cost for one, two or even three years. This is things like staff labor costs per person - you won't be changing their pay during the budget year by an impactful amount outside budgeted numbers. Similarly, your some of your external supplier costs - cost of paper supplies or computers is not likely to drastically change. These products are very amenable to standard strategic sourcing and resilience normative models.
The other side, the variable side, is much more problematic. This would supplies of items like natural gas, diesel fuel, aluminum, interest rate products or corn or wheat. These product may fluctuate dramatically on a daily - even hourly - basis. The measure of that risk of fluctuation is the volatility of prices. Procurement departments that don't look forward to at least observe the markets' expectation of potential fluctuations can be caught in an noncompetitive position by a sudden increase in supply (or decrease in output) prices that were not managed.
So, when you begin to restructure or even reexamine your procurement function in the post-COVID world, first identify the static and variable components. Determine how much impact the potential movement that the market is expecting and gauge the EPS impact of a change that decreases your margin (supply cost up or output side down). If you want to get deeper into the issue, look at the correlation between the supply and output variations and see how likely a negative impact from both sides is to occur.
Redesigning your supply chain just to unknowingly increase the potential negative impacts of procurement of variable components of your supply chain can just install a new set of problems to replace those uncovered by COVID.
If you have questions about how to looks at these issues, feel free to send us an email or call us. The information is on our Contact page.We are happy to chat and see if we can help.
There is a difference between the US and Europe futures markets' disciplinary actions - you should take that into account
When DCM does trade compliance training for non-US firms trading US markets there is often that moment when the client realizes that thinking trading US futures has the same risk as trading EU futures may be very, very wrong. This doesn't have to do with the basic understanding that markets trade differently or that liquidity pools my differ but rather the understanding that the traders - and their supervisors - may have much more direct contact with and risk from US exchange and regulatory enforcement staff.
Let's just take one small example. Since June 1, 2020, ICE Futures Europe has issued 3 disciplinary circulars. All three dealt with brokers ("Members" in ICE Europe parlance) and failures of their procedures for handling customer business. CME, on the other hand, has issued 30 disciplinary or summary action notices in the same period. Of those, 13 were summary action notices - minor infractions by brokers that were even less impactful than the ICE Europe circulars. The other 17, however, only four were for brokers - for fines from $35K to $60K. Of the other 13, eight were actions against individuals four individuals with eight notices total). In three cases, they were individuals being disciplined for actions within their employment (either as brokers or traders) and the fines ranged from $15K to $200K with associated suspension from privileges to act on customers behalf or to trade the market ranging from 32 years to a permanent bar from ever entering a customer order to the exchange. The other individual trading their own account had a $20K fine and a 30 bar from the exchange.
This is a significant departure between operating environments. One has a more collaborative regulatory structure with a rule book oriented toward the Member (broker) being the entity with responsibility. The other environment is one where the individual logging into the trading screen had personal responsibility for trading activity and violations with the firm having strict liability for any action of their employee when trading the screen.
DCM suggests you take that into account when considering how different your oversight and training should be when trading global markets.
The US Department of Justice has issued guidance to prosecutors regarding compliance programs and their connection to the decision to file charges or recommendations for sentencing. Trade surveillance is one of the tools in the quiver but it isn't the only one. DCM published a whitepaper on the prior April 2019 compliance guidance (int eh May 2019 archive of the blog) that laid out the salient points of consideration. There has been a further update in June 2020 that stressed a couple points:
1. Compliance has to be an evolving practice - if reviews aren't undertaken or or no changes result from reviews, it is likely the program is no really effective;
2. Compliance is not considered effective if it is not adequately resourced - the resource needs are dependent on company scope of activities, level of activities, and size. An under resourced compliance program can be just as much a red flag of lack of corporate importance as having none;
3. If compliance activities (surveillance, training, disciplinary actions) has no impact on staff behavior, it probably isn't working effectively. And if compliance isn't tracking the impacts, the company's commitment to compliance is suspect.
This brings us back to trade surveillance. Let's ask the first question - why are you adopting it? Is it to have coverage for a future issue or is to truly understand and control behavior within a corporate compliance system. This leads to what DCM would recommend as the process for determining the trade surveillance need.
First, look at what the trading activity is - how many trades, what size, what markets, how many orders are entered per trade (right here is a big stumbling block for companies - they don't record order level activity), how many traders, how many products traded, how many offices, what hours of the day? This is a long list of questions but it boils down to one simple fact - do you know the size of the risk you are trying to control?
Second, once you have the question of where do your risks arise (and if you don't have a former trader or compliance officer to help, make sure the consultant you use does have that experience - a fresh MBA will read a list of risks and a checklist, that will give you an answer but will it give you the right one?), you need to determine what your compliance risk tolerance is. I have seen clients say "we never want any trade to be entered that could cause a concern for the regulator" - my answer to that is "do really want to stop all trading"? There are perfectly legitimate trading patterns and activities that can raise caution flags. The ability to answer the regulator's questions quickly, accurately, and effectively is a huge advantage and should be your goal. Therefore, the minimum bar for compliance, in DCM's opinion, is the ability to identify and resolve potentially suspect activity at a time when memory is still fresh reagrding the strategy, tactics, and actions. That is where trade surveillance comes in - managing that identification and resolution process.
So, the final step will be identifying what types of suspect activity will be observed, what machine learning or AI can be applied to automate some resolutions (but recognize - that automated resolution is going to be a focal point of a regulator if it turns out the automated resolution has been hiding issues, not resolving them), and what resources are needed to manage the more complex resolutions. Automated trade surveillance that is not properly calibrated can generate hundreds of alerts that need to be resolved - failing to resolve them indicates a lack of commitment, exacerbating rather than controlling the compliance issues.
Saying "we need a system" without this analysis can end up creating more costs while also creating greater exposure under the DoJ guidance. Trade surveillance is not a silver bullet - it is a serious solution that can be immensely helpful if deployed at appropriate scale and complexity, it can be a millstone around compliance operations if done ineffectively.
Trade surveillance of physical trading - first questions, what are you trading and where in the world are you trading it ?
Last week, the DCM blog as on considerations that could influence choosing an "in house" or vendor solution to trade surveillance needs. That discussion really focused on transparent markets (such as futures) much more than physical markets. The closing note was that this week's discussion would focus on physical markets.
The most important questions on choosing an "in house versus vendor data system for physical commodity market trade surveillance are:
1. What physical products do you trade; and
2. Where do you trade these products?
Fairly simple but crucially important questions that may need some further explanation. The starting point is to understand that all of the first trade surveillance systems were emerging from the securities markets - equities and such. In those markets, every product has its own singular product code. So, from a data analysis point of view, it is very simple to have all similar trades in the same analysis buckets - just put every trade with the same code in the same bucket. Voila, you have the filtering done. Shifting from equities to futures is just a matter of expanding your look up table to include a bunch of new product codes. And that was the basis for the first energy trade surveillance software (that market started to emerge in the late 2000's with CFTC settlements that required companies to install trade surveillance). And that is where the roll out hit a screeching halt.
I was SME on one of the very first roll outs. The data model was agile and flexible - the problem was it expected all trades to have a product code. The fun really hit doing global oil where the refined products desk traded US diesel and hitting oil in varying sulfur contents, Europe traded gasoil and, at that time, Singapore was trading products based on centistokes (viscosity). These were all different terminology for nearly the same product. The end result was the necessity to create concatenations of data fields to assemble a "product code". The negotiations necessary to get agreement across desks extended implementation times by orders of magnitude. There were a number of comments on last week's posting that alluded to exactly these questions from others who were also involved in some of these early projects - they have lived through these problems and seen the issues.
Now, fast forward to today. If you trade power and gas in Europe, you likely trade on a Multilateral Trading Facility ("MTF") which has specific requirements under EU regulation. An entity created for regulation of the European energy markets, the Agency for the Cooperation of Energy Regulators - "ACER", published a taxonomy for power and gas markets back in 2015 with the onset of REMIT (Regulation for Energy Market Integrity and Transparency). This led to development of a system for physical energy market product references very similar to futures markets product codes. Voila, the data problem is greatly reduced.
In the US and Asia, however, the natural gas, power, and oil markets have not had the same structure imposed. Therefore, most companies have an idiosyncratic data structure for naming and time bucketing of physical transaction data. Add to that the fact that outside of Europe most regulators do not have access to ongoing reporting of discrete transaction level data as well as any access to order level data for physical natural gas and oil markets (in the US, order level data is available from the Independent System Operators for certain products) and the efficacy of vendor solutions for the physical markets can be severely hampered.
That efficacy issue does not even address the fact that, unlike exchange markets with products codes, a US physical or power market deployment is likely to be a "build from nearly scratch" data problem that is based on your ETRM system data structure, your naming convention for products in your system, and the complexity of transaction structures you trade.
The metals and agricultural markets can have their own complexities. Think about lending precious metals and the start and end date intricacies of those trades. First, how do you create a consistent product code? Second, what regulator has jurisdiction over these trades and how would they have the data to look at them?
In agriculture, think of the variations in moisture, quality, even age of the grain - you may "simplify" those trades into a common grade and quality for risk control but are they really the same trade for trade surveillance? And, just like in metals, what regulator is looking at those specific trades? Wouldn't a more general in house system that looks at the book as a whole and potential physical/financial cross-market influences be a better fit? Is there a vendor system that thinks that way or is a more simplistic in house build more appropriate?
I still get calls today from trade surveillance software vendors in discussion with customers in US physical markets asking why the customer is being very skeptical regarding their claims to handle physical commodity trade surveillance in the US. I go through a very similar discussion as set forth above. The data issue of "building from scratch" the product codes has a real implication in the estimation of installation costs. As noted earlier, the product code issue can add an additional 4 to 6 to 8 month data reconciliation issue in front of any commencement of the implementation - adding significant hard and soft costs to the customer.
For those reasons, DCM believes that trade surveillance development in physical commodity markets - metals, agricultural products, or energies - needs careful consideration of whether a singular vendor solution for physical and financial products is appropriate or whether bifurcation based on underlying data between vendor and in house might be appropriate.
Having run multiple vendor selection "beauty pageants" for customers as well as designing business rules for major trade surveillance software vendors, the answer is not a simple "of course you do". Because there is a simple fact, trade surveillance software automates finding the needle in the haystack. So, the first question is - do you have a haystack that needs to be sorted?
That is not as "well, duh" a statement as it seems. DCM has consulted with clients where they look at our initial data request and say "what does this have to do with anything?"
For example, a primary question is "how many different products do you trade and how many trades do you execute a week or month - both on average and maximum activity"? Let's see why that is important.
Let's assume a buyer is hedging their supply pricing - all of their purchases are index related and they are buying futures to lock in prices. They execute no more than 100 trades per month which many buy side companies may think as a huge number - I have seen a dozen trades per year for some clients. Let's say they are trading Henry Hub natural gas and two power contract locations. That would mean they execute roughly 33 trades per month per contract. Over 20 business days, that is less than 2 executions per day. That level of activity can be handled in Excel spreadsheets. Even developing simple spoofing models could be done in VBA or Python or something simple. It only would require getting your order level data from your exchange activity (you get one free data feed for this). How much time, effort, and cost is this? Not a lot.
The rationale for a trade surveillance solution becomes much more compelling when you start talking about hundreds of trades per day and thousands of orders per day across twenty or thirty or forty products on three or four or five exchanges. Now, to continue the analogy, you have multiple haystacks in multiple fields and trade surveillance cuts down on the number of people you have to have sorting through the haystacks. If you have a backyard garden, you don't need a John Deere tractor and combine to grow your veggies - if you have 100,000 acres under cultivation, you better have a lot more.
Next week we will talk about the utility of trade surveillance software in physical energy markets (hint - the answer will depend on where you trade these products).