A number of disruptive trading fines from CME last week and a couple wash trade fines today (one of note). The disruptive trading fines are illustrative because they all point to two things that all traders (and firms) should keep in mind:
1. Any order placed on the market has to be reasonably executed within the standing liquidity in the market. If the trade is really big (it doesn't even have to be flash crash big), that can be disruptive trading; and
2. There is a reason the exchanges have made block trades available - they are a mechanism to allow large trades to be executed without disrupting the market.
In the first case, Interactive Brokers was fined $275K across CBOT, NYMEX, and COMEX with $100K going to CME (the CME notice is here). The exchange response was based on:
"IB implemented customer order routing functionality that bypassed CME Group market integrity controls. Specifically, in several cases, this functionality enabled its customer orders to avoid protection points applied to all market orders by CME Group’s Globex platform in reckless disregard for the adverse impact on the market. These protection points are designed to prevent extreme price movements and other market disruptions"
"IB caused various Equity and Agricultural markets, including the E-mini Nasdaq-100, E-mini S&P 500, Nikkei/Yen, Live Cattle and Cash-settled Butter futures markets, to experience price, liquidity and trade volume aberrations and Velocity Logic events."
You can't just find a way to get trades executed any way you want - that is not how the exchanges work.
The second case is a smaller incident that still resulted in a $40K fine - notice here. The CME did point out one specific case:
"For example, on April 18, 2016, (the company) entered a 100-lot sell market order into a Live Cattle market that displayed 33 contracts in aggregate at the top five book levels on the opposite side of the market. R&B’s order was filled across 19 unique prices. Within one second, R&B continued to enter multiple market orders that caused additional significant and disruptive price breaks in the market in a short period of time."
Here is a case where a block trade size order was 3 times the top five resting orders on the other side of the book. The CME found that to be "disruptive".
The final disruptive trading case was an $85K fine - the notice is here. It has the combination of disruptive trading with that all too present "failure to supervise" kicker. In this case, it was failure to supervise an automated trading system.
"Specifically, during this time period, an (company) automated trading system (“ATS”) engaged in a pattern of activity wherein it entered multiple opposing orders at various price levels near the start of the pre-open, provided significant liquidity to the order book in these markets, and then subsequently cancelled all or a majority of the orders near the end of the pre-open just prior to the no-cancel period, causing impacts to the Indicative Opening Price (“IOP”) and/or fluctuations in the bid-offer spread."
The company was notified by Market Regulation of the issue, made changes and redeployed the system with the same continuing flaw. The CME followed up with:
"The Panel also found that (the company) failed to diligently supervise its ATS in the conduct of its business relating to the Exchange."
The last settlement to note is a pair of wash trade notices. The point I wish to note is the fines were $25K for the trader for the wash trade and $85 for the company for the trade and for failure to supervise - the company notice is here. Two takeaways here:
1. This was a single 9,762 options wash trade between two affiliate accounts - trades of this size might show up on someone's alerts; and
2. The trade was done to "alleviate margin pressure", which should have been likely to trigger a risk alert.
Both of these point to potential breakdowns in oversight on the compliance and risk side. This is just one more opportunity to point out the interconnection between risk and compliance as complementary, not competing, functions.
Revisiting a set of principles that we have discussed here in the past, DCM looks at the revisions to the Three Lines of Defense model being put forward by the Institute of Internal Auditors. The new revisions are described as changes to "modernize and strengthen application of the model". The justification is "the responsibility for managing risk remains a part of first line roles". While that is correct, the changes make a fundamental assumption that DCM believes is incorrect. The implicit assumption is that the responsibility for management of the risk is roughly equivalent to the former role of assuring the management is done correctly. And that is the point at which this new role falls down.
Because the second leg of this change is the assumption that internal audit will perform controls testing and oversight that is adequate to the task. And, unfortunately, internal audit has consistently had neither the expertise nor the focus on trading operations and trading strategies to perform appropriate oversight. In addition, in major firms, the internal audit of trading - as opposed to financial - controls has been co-sourced with external groups. In bigger firms, this has been directed towards bigger consulting firms which, while very good in digital and information areas, have reduced their focus on purely compliance area skill sets.
This creates a dangerous combination: the potential for the front office co-opting the compliance roles, with the concomitant risk of reduction or even suppression of compliance oversight, together with reliance on a company function that is not completely focused on trade compliance oversight and skills. The news continues to point out instances where it appears compliance has been seen as a fig leaf for, rather than a control over, the front office. The end result can be fines in the eight or nine digit range. That also has an impact on senior management and staff careers.
DCM would caution companies to seriously consider what the appropriate measures for the adoption of the new blended "three lines of defense" model should be. DCM has often been critical that the three lines of defense can be too rigid and result in less effective controls. At the same time, the statement that "front line owns the risk" is too simplistic - the reality is the entire company owns the risk, front line just has the keys to the car.
For another analogy, some front line groups can be like a teenager driving the car while other trading teams can behave like reasonable adults. Just like the new insurance products offer, effective compliance is the plug-in monitor that reads speed, direction, rate of acceleration, and all the other components that let you know how the car is being driven. Does it make sense to let the driver look at the data and show you what they want to show you? And if that is the case, the oversight (internal audit) better be experienced mechanics who know how to go back and look at the raw data and tell you what has been omitted or changed or, in good cases, to confirm that the appropriate data came to you in the correct form.
And that is where risk management comes in as another resource. Much of what risk management does looks at risk of future losses. But it has information and skills that can easily adapt to supporting the examination of whether the way returns are being generated is within the market rules. As DCM has talked about in prior blog entries, compliance is just a mirror of risk management - risk management works to assure there is no mis-perception of the company's risk from front office activities while compliance works to assure there is no mis-perception of other market participants' risk of trading caused by your company's front office. In addition, companies are frequently much more focused on assuring risk management remains an independent and trusted source of information to management than they are on compliance. Early development of compliance often had compliance within the Risk Officer's purview. It may be appropriate in the changing three lines of defense model to consider having the Risk Officer act as the guarantor of compliance's independence as well.
DCM worries some companies may see the new model as an opportunity to cut costs and increase profits without consideration of what those changes may mean for risk of loss, risk of fines, or risk to reputation. The change offers an opportunity to consider how risk and compliance may work as complementary and efficient roles.