Consultation paper on the regulation of electronic trading. 24 July 2012

Transcription

1 Consultation paper on the regulation of electronic trading 24 July 2012

2 Table of contents Foreword 1 Personal Information Collection Statement 2 Introduction 4 Scope of the proposals 6 Overview of the proposals 9 International comparison 20 Appendix A - Draft paragraph 18 of the Code of Conduct 23 Appendix B - Draft Schedule 7 to the Code of Conduct 26 Appendix C - Draft amendments to Schedule 6 to the Code of Conduct 36 Appendix D - Draft Part IV of the Fund Manager Code of Conduct 37

3 Foreword The Securities and Futures Commission (SFC) invites market participants and interested parties to submit written comments on the proposals discussed in this consultation paper or to comment on related matters that might have a significant impact upon the proposals by no later than 24 September Any person wishing to comment on the proposals should provide details of any organisation whose views they represent. Please note that the names of the commentators and the contents of their submissions may be published, in whole or in part, on the SFC s website and in other documents to be published by the SFC. In this connection, please read the Personal Information Collection Statement attached to this consultation document. You may not wish your name and/or submission to be published by the SFC. If this is the case, please state that you wish your name and/or submission to be withheld from publication when you make your submission. Written comments may be submitted as follows: By mail to: The Securities and Futures Commission 8/F Chater House 8 Connaught Road Central Hong Kong By fax to: (852) Re: Consultation paper on the regulation of electronic trading By online submission: By to: electronic_trading@sfc.hk All submissions received before expiry of the consultation period will be taken into account before the proposals are finalised and a consultation conclusions paper will be published in due course. Securities and Futures Commission Hong Kong 24 July

4 Personal information collection statement 1. This Personal Information Collection Statement (PICS) is made in accordance with the guidelines issued by the Privacy Commissioner for Personal Data. The PICS sets out the purposes for which your Personal Data 1 will be used following collection, what you are agreeing to with respect to the SFC s use of your Personal Data and your rights under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). Purpose of collection 2. The Personal Data provided in your submission to the SFC in response to this consultation paper may be used by the SFC for one or more of the following purposes: (c) (d) to administer the relevant provisions 2 and codes and guidelines published pursuant to the powers vested in the SFC; in performing the SFC s statutory functions under the relevant provisions; for research and statistical purposes; or for other purposes permitted by law. Transfer of personal data 3. Personal Data may be disclosed by the SFC to members of the public in Hong Kong and elsewhere as part of the public consultation on this consultation paper. The names of persons who submit comments on this consultation paper, together with the whole or any part of their submissions, may be disclosed to members of the public. This will be done by publishing this information on the SFC s website and in documents to be published by the SFC during the consultation period or at its conclusion. Access to data 4. You have the right to request access to and correction of your Personal Data in accordance with the provisions of the PDPO. Your right of access includes the right to obtain a copy of your Personal Data provided in your submission on this consultation paper. The SFC has the right to charge a reasonable fee for processing any data access request. Retention 5. Personal Data provided to the SFC in response to this consultation paper will be retained for such period as may be necessary for the proper discharge of the SFC s functions. 1 Personal Data means personal data as defined in the Personal Data (Privacy) Ordinance (Cap. 486). 2 Defined in Schedule 1 of the Securities and Futures Ordinance (Cap. 571) (SFO) to mean provisions of the SFO and subsidiary legislation made under it; and provisions of Parts II and XII of the Companies Ordinance (Cap. 32) so far as those Parts relate directly or indirectly, to the performance of functions relating to prospectuses; the purchase by a corporation of its own shares; a corporation giving financial assistance for the acquisition of its own shares etc. 2

5 Enquiries 6. Any enquiries regarding the Personal Data provided in your submission on this consultation paper, or requests for access to Personal Data or correction of Personal Data, should be addressed in writing to: The Data Privacy Officer The Securities and Futures Commission 8/F Chater House 8 Connaught Road Central Hong Kong 7. A copy of the Privacy Policy Statement adopted by the SFC is available upon request. 3

6 Introduction 1. In recent years, technological developments have led to the proliferation of automated electronic trading. Similar to other major markets, we have observed an increased use of arrangements that are commonly described as direct market access, as well as the use of complex trading algorithms in the conduct of trades and the implementation of trading strategies. These developments are welcomed as they increase the efficiency of our markets and provide options for investors who participate in our markets. 2. As trading becomes an almost instantaneous process without significant human intervention, corresponding effort is required to ensure the integrity of the market and that trading via direct market access or by the use of trading algorithms are conducted in a fair and orderly manner. 3. At present, among other regulatory requirements, the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct) and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission (Internal Control Guidelines) form the basic regulatory framework for the conduct of persons licensed or registered under the Securities and Futures Ordinance (SFO). Under the Code of Conduct and Internal Control Guidelines, regulated activities are uniformly regulated irrespective of whether such activities are conducted via paper-based media or electronic media. In conducting business activities, a licensed or registered person should act with due skill, care and diligence, in the best interests of its clients and the integrity of the market. A licensed or registered person is responsible for establishing and maintaining effective policies and procedures to ensure the proper management of risks to which the intermediary and its clients are exposed. 4. This consultation paper sets out our proposals on the regulatory requirements for intermediaries to manage and mitigate the risks that arise from trading in an automated environment. We propose to build on the existing regulatory requirements by providing a more coherent and comprehensive set of regulatory framework for electronic trading. 5. In developing the proposals, we have considered the regulatory developments of major jurisdictions, the principles for direct electronic access published by the International Organization of Securities Commissions (IOSCO) 3 and the market landscape in Hong Kong, with the aim to reach a balance between facilitating market developments and maintaining Hong Kong s competitiveness on the one hand, and ensuring market integrity and protecting investors on the other. It is our hope that the proposals would provide clarity to intermediaries on the standards that they are expected to meet in terms of internal controls and risk management when they engage in electronic trading. 3 IOSCO Final Report on Principles for Direct Electronic Access to Markets (August 2010). 4

7 6. We also propose to take this opportunity to review the Guidance Note on Internet Regulation (Internet Guidance Note) which was issued in March References were made in the Internet Guidance Note to statutes, codes and guidelines which have been replaced by the SFO and revised codes and guidelines issued on the enactment of the SFO in One of the areas covered in the Internet Guidance Note was internet trading. Over the last decade, internet trading in the retail end of the market has become increasingly popular. 5 In considering appropriate regulatory requirements on electronic trading, we have identified the minimum standards that are applicable to intermediaries who provide internet trading services with respect to the trading of securities, futures contracts and leveraged foreign exchange contracts, and propose to replace the requirements on internet trading set out in the Internet Guidance Note with these updated requirements. 8. It is proposed that the requirements be set out in the Code of Conduct by adding a new paragraph 18 and Schedule 7. Amendments will also be made to Schedule 6 to the Code of Conduct and the Fund Manager Code of Conduct. Details of the proposals are discussed in this paper. The draft amendments can be found at the Appendices to this paper. 4 The Internet Guidance Note clarified the Commission's regulatory approach with respect to internet activities, drew to the attention of intermediaries to specific areas which might trigger regulatory concerns; and addressed issues which were frequently raised with the Commission with respect to securities dealing, commodity futures trading and leveraged foreign exchange trading activities conducted over the Internet. 5 In the stock market, according to the annual survey conducted by HKEx, 209 Exchange Participants reported themselves as online brokers in 2010/11. Retail online trading accounted for 26% of total retail investor trading in 2010/11, compared to 13% in 2005/06. 5

8 Scope of the proposals 9. We propose that the requirements apply to licensed or registered persons which conduct electronic trading of securities and futures contracts that are listed or traded on an exchange. The proposed requirements on internet trading also apply to licensed persons which conduct leveraged foreign exchange trading where appropriate. The proposed requirements supplement existing applicable regulatory requirements and do not supersede them. 10. The proposed requirements can be divided into three groups as follows, and are set out in Appendices A and B to this paper: general requirements on electronic trading specific requirements on internet trading and direct market access specific requirements on algorithmic trading 11. Electronic trading, for the purpose of the proposed requirements, means the trading of securities and futures contracts electronically and includes internet trading, direct market access and algorithmic trading. It is considered that an intermediary who conducts electronic trading should meet certain minimum standards, for instance, with respect to management and supervision, system integrity and record keeping. As electronic trading is defined broadly and covers a spectrum of business models, measures that are put in place for compliance with the proposed requirements are expected to be commensurate with the nature, size and complexity of an intermediary s electronic trading business. 12. Internet trading is defined as an arrangement where order instructions are sent to a licensed or registered person through its internet-based trading facility. Internet trading includes retail internet trading whereby clients access a licensed or registered person s broking services over the internet. As discussed in the Introduction, we propose to review the regulation of internet trading as previous guidance was provided in We understand that most licensed or registered persons who provide internet trading services to clients already have in place some risk control measures governing internet trading. 13. Direct Market Access (DMA), for the purpose of the proposed requirements, means the access to a market provided to a client by a licensed or registered person through which the client transmits orders, directly or indirectly, to the market s trade matching system for execution under the licensed or registered person s identifier other than those initiated by way of internet trading. 14. In considering the scope of the regulation of DMA in Hong Kong, we have taken into account the DMA services offered by intermediaries in Hong Kong, the approaches adopted in major markets, and the principles published by IOSCO It is proposed that DMA services can be offered to clients to the extent that client orders are transmitted to the market through the intermediary s infrastructure and such orders are subject to the intermediary s automated pre-trade controls and post-trade monitoring. 6 See IOSCO (Note 3 above). 6

9 16. It is further proposed that arrangements that allow clients to place orders to the market directly using an intermediary s identifier without going through the intermediary s infrastructure be prohibited. We consider the banning of such arrangements necessary given the ability of an intermediary to monitor orders and to implement risk control measures, including effective pre-trade controls, for such arrangements is limited. To allow such arrangements may expose the markets and intermediaries to excessive risks. 17. Algorithmic trading, for the purpose of the proposals, is defined as computer generated trading activities created by a pre-determined set of rules aimed at delivering specific execution outcomes. 18. In line with other major international markets, we have observed that market players in Hong Kong are also using complex trading algorithms for the execution of sophisticated trading strategies. At present, the Commission relies on the general principles in existing codes and guidelines to regulate algorithmic trading. The Commission has also informed the market of its concerns as to algorithmic trading in 2008 and We consider the introduction of specific requirements to regulate the conduct of algorithmic trading to be beneficial to both the markets and intermediaries. We hope that the introduction of the proposed requirements in areas such as testing and risk management will protect the integrity of the market and allow algorithmic trading to continue to play a legitimate role in the execution of orders. Products to which the proposals apply 20. We propose that the requirements on electronic trading cover all exchange-traded securities, futures contracts and products because trades conducted via DMA are by nature exchange-traded securities, futures contracts and products. Furthermore, our regulatory concerns in relation to electronic trading are primarily market abuse, market manipulation, irregular price movements and unusual market behaviour, which typically involves trading conducted through an exchange. Persons to whom the proposals apply 21. We propose that the requirements be incorporated in the Code of Conduct and the Fund Manager Code of Conduct. The requirements will therefore apply to licensed or registered persons under the SFO who conduct electronic trading as defined in the proposed paragraph 18 of the Code of Conduct. 22. We believe that the application of the proposed requirements is largely self-explanatory. For instance, the obligations that concern DMA are imposed on the licensed or registered persons who provide DMA services to a client who may or may not be regulated under the SFO. 7 SFC Enforcement Reporter Issue No. 60 (October 2008) and Issue No. 65 (April 2010). 7

10 23. For algorithmic trading, the proposed requirements will impose obligations on a licensed or registered person which uses an algorithmic trading system or a trading algorithm, or provides a system or an algorithm to a client for use. The licensed or registered person can be a broker who offers to a client the use of its system or algorithm for trading, or who places orders with another broker using its own system or algorithm. The requirements apply whether the system or algorithm is designed and developed in-house or by a third party service provider for the licensed or registered person. Leveraged Foreign Exchange Trading 24. As explained in the Introduction, we propose to take the opportunity to review the Internet Guidance Note. We propose to amend Schedule 6 to the Code of Conduct (Additional requirements for licensed persons engaging in leveraged foreign exchange trading) by making reference to the updated minimum standards on internet trading that are relevant to leveraged foreign exchange trading. Q1. Do you agree that the proposed scope of the regulation of electronic trading is appropriate in terms of (i) (ii) (iii) the types of electronic trading, which include internet trading, DMA and algorithmic trading? the types of products primarily covered by these proposals namely securities and futures contracts that are listed or traded on an exchange? the persons to whom the proposals apply? 8

11 Overview of the Proposals General requirements on electronic trading Responsibility for orders (paragraph 18.3 of the Code of Conduct) 25. We propose that an intermediary is ultimately responsible for the orders sent to the market through its electronic trading system and for the compliance of the orders with applicable regulatory requirements. 26. This proposal makes clear that an intermediary is ultimately responsible for the orders sent through its electronic trading system irrespective of the party that initiates the orders. This is similar to one of IOSCO s principles for direct electronic access. 8 We also propose that this principle be expanded to cover other forms of electronic trading. 27. Intermediaries should therefore ensure that appropriate policies, procedures and controls are in place when they conduct electronic trading, for instance, with respect to system integrity, pre-trade risk management controls and post-trade monitoring. 28. It is not our intention to hold an intermediary liable for all market misconduct or other transgressions that involve orders that go through its electronic trading system. For instance, in order to establish the market misconduct of insider dealing, knowledge that the information is relevant information on the part of the insider is required. Consequently, an intermediary would not be held responsible for its client s insider dealing if the intermediary was not aware of the client s knowledge when the trade was conducted through its electronic trading system. Q2. Do you agree that an intermediary should be ultimately responsible for the orders sent to the market through its electronic trading system and for the compliance of the orders with applicable regulatory requirements? If not, why not? Management and Supervision (paragraph 18.4 of the Code of Conduct; paragraph 1.1 of Schedule 7) 29. We propose that an intermediary should effectively manage and adequately supervise the design, development, deployment and operation of the electronic trading system it uses or provides to clients for use. Specifically, an intermediary is expected to establish and implement written internal policies and procedures on the design, development, deployment and operation of the electronic trading system, to ensure that there: is at least one responsible officer or executive officer responsible for the overall management and supervision of the electronic trading system; is a formalised governance process with input from the dealing, risk and compliance functions; 8 See IOSCO (Note 3 above). 9

12 are clearly identified reporting lines with supervisory and reporting responsibilities assigned to appropriate staff members; and are managerial and supervisory controls to manage the risks associated with the use of the electronic trading system by itself or by its clients. 30. For resources devoted to the business, we propose that an intermediary should assign adequately qualified staff, expertise, technology and financial resources to the design, development, deployment and operation of the electronic trading system. Q3. Do you agree that an intermediary should effectively manage and adequately supervise the design, development, deployment and operation of the electronic trading system it uses or provides to clients for use? If yes, are the proposed requirements sufficient? If not, why not? Adequacy of System (paragraph 18.5 of the Code of Conduct; paragraph 1.2 of Schedule 7) 31. In an automated trading environment where human intervention in order processing is limited, it is important that the electronic trading system in place is adequate and fit for its purpose. Accordingly, we propose that an intermediary should ensure the integrity of the electronic trading system it uses or provides to clients for use, including the system s reliability, security and capacity, and have appropriate contingency measures in place. System Controls 32. We propose that an intermediary should put in place control measures to enable it to prevent the system from generating and sending orders to the market that may be erroneous or not compliant with the applicable regulatory requirements. 33. We also propose that an intermediary should have effective controls to enable it to cancel unexecuted orders in the market, so that it can intervene or halt outstanding trades when necessary. System Reliability 34. Given that reliability of the service is vital for investors, we believe that it is necessary for an intermediary to take appropriate steps to ensure that the electronic trading system it uses or provides to clients for use operates properly. We consider regular testing is a critical part of evaluating the system s reliability. We therefore propose that an intermediary should ensure that the electronic trading system and all modifications to the system are adequately tested before deployment and are regularly reviewed to ensure that the system and modifications are reliable. We further propose that an intermediary should promptly report to the Commission any material service interruption or other significant issues related to the system. 10

13 System Security 35. We propose that an intermediary should employ adequate and appropriate security controls to protect the electronic trading system it uses or provides to clients for use from being abused. At a minimum, the security controls should include: reliable techniques to authenticate or validate the identity and authority of the system users to ensure that the access or the use of the system is restricted to persons approved to use the system on a need-to-have basis; effective techniques to protect the confidentiality and integrity of information stored in the system and passed between internal and external networks; appropriate operating controls to prevent and detect unauthorised intrusion, security breach and security attack; and appropriate steps to raise the awareness of system users on the importance of security precautions they need to take in using the system. 36. Where an electronic trading system is provided by a third party service provider, the intermediary should make arrangements with the service provider to ensure that the proposed requirements on system security are met, for instance, with respect to the protection of the confidentiality and integrity of information, and the prevention and detection of unauthorised intrusion, security breach and security attack. System Capacity 37. Insufficient capacity is often a cause of system delay or failure. To prevent this, we propose that an intermediary who provides an electronic trading system for use by its clients should ensure that: the capacity usage of the electronic trading system is regularly monitored and appropriate capacity planning is developed. As part of the capacity planning, a licensed or registered person should determine and keep a record of the required level of spare capacity; the capacity of the electronic trading system is regularly stress tested to establish the system s behavior under different simulated market conditions, and the results of the stress tests and any actions taken to address the findings of the stress tests are documented; the electronic trading system has sufficient capacity to handle any foreseeable increase in the business volume and market turnover; and the electronic trading system has contingency arrangements to handle client order instructions exceeding the capacity of which the system can handle and inform clients about the arrangements and ensure alternative means of order execution are available and offered to them. 11

14 Contingencies 38. To ensure adequate contingency measures are in place for electronic trading systems, we propose that an intermediary who provides an electronic trading system for use by its clients should establish a written contingency plan to cope with emergencies and disruptions. At a minimum, the contingency plan should include: a suitable backup facility which will enable the licensed or registered person to provide electronic trading services or alternative arrangements for order execution in the event of an emergency; arrangements to ensure business records, client and transaction databases, servers and supporting documentation are backed up in an off-line medium. Offsite storage is generally expected to be subject to proper security measures; and a plan for dealing with client and regulatory enquiries by trained staff. Q4. Do you agree that an intermediary should ensure the integrity of the electronic trading system it uses or provides to clients for use, including the system s reliability, security and capacity, and have appropriate contingency measures in place? If yes, are the proposed requirements sufficient? If not, why not? Record Keeping (paragraph 18.6 of the Code of Conduct; paragraph 1.3 of Schedule 7) 39. General requirements on the keeping of records are set out in the Securities and Futures (Keeping of Records) Rules. We propose to build on the general requirements by making clear the types of records that should be kept with respect to an intermediary s electronic trading system. 40. The objectives of the proposals on record keeping are to ensure that: all electronic trading and system activities are traceable for risk management and compliance purposes if necessary; all system incidents are recorded so that all recommended incident corrective actions are appropriately implemented and reviewed to prevent recurrence; and there is readily available information to explain the design, development and risk management controls of the system should there be regulatory concerns. 41. We propose that an intermediary should keep, or cause to be kept, proper records on the design, development, deployment and operation of its electronic trading system. The records in question are as follows: audit logs on the activities of the electronic trading system; incident reports for all system delays or failures of the electronic trading system; 12

15 comprehensive documentation of the design and development, including any testings, reviews, modifications, upgrades or rectifications of the electronic trading system; and comprehensive documentation of the risk management controls of the electronic trading system. 42. In terms of the periods for record keeping, we propose that audit logs and incident reports be retained for no less than 2 years, and documentation on system design, development and risk management controls be retained for a period of no less than 2 years after the electronic trading system ceased to be used. Q5. Do you agree that an intermediary should keep, or cause to be kept, proper records on the design, development, deployment and operation of its electronic trading system? If not, why not? Q6. Do you agree with the proposed periods of record keeping? If not, why not? Specific requirements on internet trading and DMA Risk Management (paragraph 18.7 of the Code of Conduct; paragraph 2.1 of Schedule 7) 43. As discussed at paragraphs 13 to 16, we propose to allow DMA services to the extent that client orders are transmitted to the intermediary s infrastructure and are subject to automated pre-trade controls and regular post-trade monitoring. Our proposals for pretrade controls and post-trade monitoring for intermediaries which conduct internet trading are similar to the proposals for DMA services. As explained at paragraph 11, measures put in place for compliance with the proposed requirements are expected to be commensurate with the nature, size and complexity of an intermediary s business. Pre-Trade Controls 44. We propose that an intermediary should establish and implement automated pre-trade controls that are reasonably designed to: prevent the entry of any orders that would result in exceeding appropriate trading and credit thresholds prescribed for each client or proprietary account; limit the financial exposure of the intermediary; alert the user to the entry of potential erroneous orders and prevent the entry of erroneous orders; and prevent the entry of orders that are not in compliance with the regulatory requirements. 13

16 45. The proposed requirements build on the measures set out in the Internal Control Guidelines, which provide that an intermediary should define its risk policies and establish and maintain risk measurements commensurate with its business strategies, size and complexity of its operations and risk profile. An intermediary should therefore already have in place policies to prevent the sending of order instructions to the market that are erroneous or disruptive, or are in breach of trading or credit limits. The proposed requirements merely set out in greater detail the controls that we expect intermediaries to have in place for internet trading and trading conducted via DMA. Further, it is our view that only controls that are automated and applied on a pre-trade basis are effective in mitigating the risks that may arise from trading via DMA. Pre-trade credit controls which can be altered by the client or the user with or without notice to the intermediary will not be considered sufficient controls as this could potentially impact the financial position or the liabilities of the intermediary. Post-Trade Monitoring 46. We propose that an intermediary should regularly conduct post-trade monitoring with the aim to reasonably identify any order instructions and transactions which may be manipulative or abusive in nature. 47. We further propose that, upon the identification of any suspected manipulative or abusive trading activities, an intermediary should take immediate steps to prevent them from continuing. We consider this proposal to be in the intermediary s interests as the continuous business relationship with a client suspected of manipulative or abusive trading activities might implicate the intermediary and expose it to unnecessary reputational, compliance and operational risks. Q7. Do you agree that, in providing internet trading or DMA services, the proposed pre-trade controls should be put in place by an intermediary? If yes, are the proposed requirements appropriate? If not, why not? Q8. Do you agree that, in providing internet trading or DMA services, an intermediary should conduct post-trade monitoring to reasonably identify any order instructions and transactions which may be manipulative or abusive in nature? If not, why not? Minimum client requirements for DMA services (paragraph 18.8 of the Code of Conduct; paragraph 2.2 of Schedule 7) 48. We consider it necessary for intermediaries to conduct due diligence on their clients before providing DMA services to them. This process is important as the intermediary bears the ultimate responsibility for the orders sent to the market using its identifier. 49. We propose that an intermediary establishes minimum client requirements for its DMA services and assesses whether each client meets the requirements before granting DMA services to a client. At a minimum, the requirements should include: 14

17 the client has appropriate arrangements in place to ensure that its users are proficient and competent in using the system for the DMA services; the client understands and has the ability to comply with applicable regulatory requirements; and the client has adequate arrangements to monitor the orders entered through the DMA services. 50. We further propose that, where an intermediary allows its clients to sub-delegate the DMA services to another person, the client should be a licensed or registered person or an overseas securities or futures dealer. In this situation, the intermediary and its client should have in place an arrangement to ensure that: the orders of such person will flow through the systems of the client and will be subject to appropriate risk management and supervisory controls; and such person meets the minimum client requirements established by the intermediary and a written agreement is in place between the client and such person that sets out the terms of the DMA services being sub-delegated. With respect to the reference to overseas securities or futures dealer, we propose to adopt a definition similar to the definitions of securities dealer and futures dealer in the Securities and Futures (Financial Resources) Rules, i.e. a person licensed, registered or authorised by an authority or regulatory organization outside Hong Kong for an activity which, if carried on in Hong Kong, would constitute Type 1 or Type 2 regulated activity. Q9. Do you agree that an intermediary should establish minimum client requirements for its DMA services and assess whether each client meets the requirements before granting DMA services to a client? If not, why not? Q10. Do you agree that an intermediary should not allow its client to subdelegate the DMA services to another person unless the client is a licensed or registered person or an overseas securities or futures dealer? Do you agree with the proposed definition of overseas securities or futures dealer? If not, why not? Specific requirements on algorithmic trading 51. This section discusses our proposed requirements that apply to algorithmic trading. Qualification (paragraph 18.9 of the Code of Conduct, paragraph 3.1 of Schedule 7) 52. We propose that an intermediary should establish and implement effective policies and procedures to ensure that persons involved in the design and development of or approved to use its algorithmic trading system and trading algorithms are suitably 15

18 qualified. A system user who fails to adequately understand the manner in which an algorithm trades or who sets improper parameters for trade execution may conduct trades that distort the market or affect market integrity. 53. Specifically, we propose that an intermediary should ensure that: the design and development of its algorithmic trading system and trading algorithms are supported by persons adequately qualified and trained to understand the compliance and regulatory issues which may arise from the use of the system and algorithms; and a person who is approved to use its algorithmic trading system has a good understanding of the operation of the system and trading algorithms, and the compliance and regulatory issues which may arise from the use of its system and trading algorithms. 54. To meet the proposed requirements, an intermediary should assess the level of knowledge of the system user and determine what, if any, training is required. Where necessary, an intermediary should provide training to the user on: the use and operation of the algorithmic trading system; and each of the trading algorithms contained in the algorithmic trading system including its trading characteristics and execution behavior, the potential market impact and risks to market integrity, and whether it is appropriate to use a particular algorithm under certain market conditions in the execution of certain orders in light of the regulatory requirements. Q11. Do you agree that an intermediary should establish and implement effective policies and procedures to reasonably ensure that persons involved in the design and development of, or approved to use its algorithmic trading system and trading algorithms are suitably qualified? If not, why not? Testing (paragraph of the Code of Conduct; paragraph 3.2 of Schedule 7) 55. We propose that an intermediary should ensure that the algorithmic trading system and trading algorithms it uses or provides to clients for use, and any subsequent developments and modifications, are adequately tested before deployment in such a way so as to be satisfied that: the algorithmic trading system and trading algorithms will operate as designed; the design and development of the algorithmic trading system and trading algorithms have taken into account foreseeable extreme circumstances and the characteristics of different trading sessions, such as auction sessions and continuous trading sessions; and the deployment of the algorithmic trading system and trading algorithms would not interfere with the operation of a fair and orderly market. 16

19 56. We further propose that after an algorithmic trading system or a trading algorithm is in operation, an intermediary should ensure that they are regularly, and no less than annually, reviewed and tested for the system s ability to handle sizable trading volume and for the trading algorithm s ability to execute orders without interfering with the operation of a fair and orderly market. Q12. Do you agree that an intermediary should ensure that the algorithmic trading system and trading algorithms it uses or provides to clients for use are adequately tested to ensure that they operate as designed at all times? If not, why not? Risk Management (paragraph of the Code of Conduct; paragraph 3.3 of Schedule 7) 57. Our proposals on risk management for algorithmic trading take into account the characteristics of algorithmic trading and are similar in nature to the proposals for internet trading and DMA services. 58. We propose that an intermediary should have effective controls to ensure: the integrity of its algorithmic trading system and trading algorithms; and its algorithmic trading system and trading algorithms operate in the interest of the integrity of the market. 59. Specifically, we propose that an intermediary should ensure that it has effective controls to: monitor and prevent the generation of or passing to the market for execution order instructions from its algorithmic trading system which may be erroneous, manipulative or abusive, or interfere with the operation of a fair and orderly market; and protect the intermediary and its clients from being exposed to excessive financial risk. 60. It is proposed that an intermediary should conduct regular post-trade reviews of trading activities to identify any suspicious market manipulative or abusive activities, and any market events or system deficiencies such as unintended impact on the market which call for further risk control measures. 61. With respect to suspected market manipulative or abusive trading activities, it is proposed that an intermediary should take immediate steps to prevent these activities from continuing. 17

20 Q13. Do you agree that an intermediary should have effective controls to ensure the integrity of its algorithmic trading system and trading algorithms and that they operate in the interest of the integrity of the market? If yes, are the proposed requirements for risk management sufficient? If not, why not? Record Keeping (paragraph 18.6 of the Code of Conduct; paragraph 3.4 of Schedule 7) 62. We propose that an intermediary should keep or cause to be kept the following documents with respect to its algorithmic trading system and trading algorithms: a complete audit trail of the design and development, including any modifications, of its algorithmic trading system and trading algorithms. The audit trail should show the rationale for the design, development and modification, as well as their intended outcome; records of all the parameters which its algorithmic trading system and trading algorithms take into account for each order; and records of the reviews and tests conducted on its algorithmic trading system and trading algorithms setting out the scope of findings of the tests. 63. We propose that an intermediary should retain these records for a period of no less than 2 years except for the documentation of the audit trail which should be retained for no less than 2 years after the system and the algorithm ceased to be used. Q14. Do you agree that an intermediary should keep, or cause to be kept, proper records on the design, development, deployment and operation of its algorithmic trading system and trading algorithms? If not, why not? Q15. Do you agree with the proposed periods of record keeping and details of the records to be kept? If not, why not? Electronic trading system not developed by the licensed or registered person (Introduction and notes to paragraphs 1.3, 3.2 and 3.4 of Schedule 7) 64. We understand from discussions with market players that intermediaries may use electronic trading systems and/or trading algorithms designed and developed by third party service providers. We take the view that the same standards apply to electronic trading systems and/or trading algorithms, whether they are developed in-house or by service providers. An intermediary remains responsible for the electronic trading system 18

21 and/or trading algorithms provided to it by a service provider. It is therefore proposed that an intermediary should exercise due care, skill and diligence in the selection of service providers and perform appropriate due diligence to ensure that the intermediary meets the proposed requirements set out in paragraph 18 of and Schedule 7 to the Code of Conduct in its use of the system or algorithms. 65. Similarly, we expect that the same records are kept in compliance with the proposed record keeping requirements irrespective of whether the electronic trading system and/or trading algorithms used by an intermediary is developed in-house or provided by a third party service provider. Where the records are not provided to an intermediary, e.g. information that is proprietary in nature to the service provider, we propose that the intermediary makes arrangements with the service provider to ensure that the records are kept in accordance with the proposed requirements. In response to a request for information made by the SFC, proprietary information in the possession of a third party service provider may be provided to the SFC directly from the service provider. Q16. Do you agree that where an electronic trading system is provided by third party service provider, an intermediary should perform appropriate due diligence to ensure that the intermediary meets the proposed requirements set out in paragraph 18 of and Schedule 7 to the Code of Conduct in its use of the system? If not, why not? Q17. What is your view on requiring an intermediary to make arrangements with a service provide for the purpose of meeting the proposed requirements on record keeping? 19

22 International comparison 66. In developing the proposals, we have considered the regulatory approaches adopted by other major jurisdictions. Our proposed requirements on DMA and algorithmic trading are generally in line with international standards. A summary of the regulatory approaches of other jurisdictions in respect of internet trading, DMA and algorithmic trading is set out below. Internet Trading 67. Major jurisdictions, such as the US, UK and Australia, apply general conduct rules in the regulation of internet trading. For instance, in Australia, the requirements on maintaining necessary organisational and technical resources are taken to relate to matters such as the need to maintain adequate system controls, reliability and capability for online brokers, and the requirement to maintain an orderly market is taken to mean that online brokers are expected to filter trades/orders received via an internet facility. In the UK, the FSA s rules relating to systems and controls, which apply to all firms, are applied to entities engaged in electronic trading. 68. In deciding to include internet trading as a type of electronic trading in our proposals, we have taken into account the popularity of internet trading for retail investors in Hong Kong and that the last guidance was issued in We believe that the issue of specific requirements setting out the minimum regulatory standards for internet trading will be beneficial to the intermediaries who provide internet trading services, to investors and to the markets in Hong Kong. We believe that the proposed standards are comparable to the standards expected of overseas intermediaries who conduct internet trading. DMA 69. Our proposals on DMA are in line with relevant IOSCO principles. IOSCO issued its report on principles for direct electronic access (DEA) to markets, which provides guidance to the jurisdictions that allow the use of DEA. 9 The principles cover, among other things, adequate systems and controls which are reasonably designed to enable the management of risk with regard to fair and orderly trading and the establishment of minimum client standards. 70. Our proposals are also similar to the requirements or proposed requirements in other major jurisdictions: In the US, Rule 15c published by the SEC requires broker-dealers with access to trading securities directly on an exchange, including those providing DMA, to maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory and other risks of their business activities. It requires those controls to be implemented on a pre-trade basis, which would effectively prohibit broker-dealers providing unfiltered access to any exchange. 9 See IOSCO (note 3 above). 10 US-SEC Final Rule 15c3-5 Risk Management Controls for Brokers or Dealers with Market Access (November 2010). 20

23 In Australia, the Australian Securities and Investments Commission (ASIC) is currently consulting the market on the requirements of minimum standards for DEA. 11 It proposes new rules to require, among other things, a market participant providing DEA to ensure that its client has the required financial resources, knowledge of the order management system and procedures to monitor all trading through its order management system. In addition, ASIC proposes that a market participant should have direct and immediate control over all trading messages submitted through a market participant s system and subject to pre-trade controls, real-time and post-trade monitoring. The European Securities and Markets Authority (ESMA) has published its guidelines on systems and controls in an automated trading environment for trading platforms, investment firms and competent authorities (ESMA Guidelines). 12 The ESMA Guidelines stipulate, among other things, that investment firms must have pre-trade controls on the orders of DMA/Sponsored Access (SA) 13 clients to promote fair and orderly trading, including in-built and automatic rejection of orders outside of certain parameters. In addition, investment firms must conduct due diligence on prospective DMA/SA clients, which is appropriate to the risks posed by the nature of the clients, the scale and complexity of their prospective trading activities and the service being provided. Algorithmic Trading 71. In relation to algorithmic trading, our proposals share the same objectives as other jurisdictions, namely, to minimise the inherent risks that algorithmic trading pose to market integrity: In the US, the Financial Industry Regulatory Authority expects firms generating orders by the use of trading algorithms to have written policies and procedures in place that are reasonably design to ensure that such trading complies with applicable rules, regulations and laws, including anti-manipulation provisions. 14 In Australia, ASIC proposes that market participants test an algorithm to ensure that it would function in compliance with regulatory requirements before using it for the first time or before a material change to the algorithm is implemented. 15 The ESMA Guidelines 16 require, among other things, that investment firms should: test the trading algorithm prior to its deployment and conduct periodic review after implementation; monitor in real time their trading algorithms; 11 ASIC Consultation Paper on Australian Equity Market Structure: Further Proposals (October 2011). 12 ESMA Final Report on Guidelines on Systems and Controls in an Automated Trading Environment for Trading Platforms, Investment Firms and Competent Authorities (December 2011). 13 ESMA defines SA as an arrangement through which an investment firm that is a member/participant or user of a trading platform permits specified clients (including eligible counterparties) to transmit orders electronically and directly to a specified trading platform under the investment firm s trading ID without the orders being routed through the investment firm s internal electronic trading systems. 14 Financial Industry Regulatory Authority NASD Notice to Members (September 2004). 15 See ASIC (note 11 above). 16 See ESMA (note 12 above). 21

24 establish procedures and arrangements, including trading and recruitment, to determine their staffing requirements and to employ sufficient number of staff with the necessary skills and expertise to manage their trading algorithms; retain for at least five years, records of their trading algorithms including information about key decisions, the trading strategy or strategies that each algorithm is deployed to execute, system properties, testing methodologies, test results and periodic reviews; and have policies and procedures in place to minimise the risk that their automated trading activity gives rise to market abuse. 22