Exchanges can play a critical role in helping their participants manage and reduce operational risks, according to a recent whitepaper from Citadel Securities in collaboration with NYSE, Nasdaq, MIAX, MEMX and BOX.
According to the paper, there are two major operational risks: a risk of an individual firm, which trades on an exchange, and whose people, systems, or tools act or malfunction in a way that triggers or creates substantial errors; and a risk that arises from technology decisions that may increase the operational burden of firms, which could impact exchange or participant stability.
“Each type of risk has the potential to cause damage not only to the specific market participant affected but also to the wider financial system,” the paper said.
According to the white paper, perhaps the best-known operational risk incident is the 2012 near-failure of Knight Capital Group, after a faulty code change for routing retail customer orders caused the firm to enter a flood of erroneous orders into the market shortly after the trading day began.
This incident caused disruption in the pricing of many stocks and racked up large losses for Knight.
“Firm-wide risk controls can be ineffective in stopping runaway algorithms or other errors restricted to a single strategy or trading desk. A more specific limit at Knight likely would have stopped its algorithm before it erroneously amassed nearly $7bn in positions, but a firm-level one may not have helped.”
Other well-known incidents have included the recent exchange outages experienced by multiple exchanges over the last three years.
Episodes like these have prompted many trading firms and exchanges to improve internal risk controls.
In addition, regulators have stepped up oversight and rule-making around operational risk events, like the SEC’s implementation of Rule 15c3-5 (the Market Access Rule).
The rule requires broker-dealers to have controls to limit exposure and help ensure compliance with regulatory requirements for both their own systems, as well as for systems accessing the market through direct or sponsored access.
“Similarly, many exchanges have made significant improvements and investments to promote exchange stability and risk management, but this has been uneven across the exchange landscape.”
The authors of the white paper believe that exchanges globally should adopt — and many have adopted — a range of best practices, including: implementing exchange-level risk controls that act as a secondary layer of protection beyond firm-level safeguards; ensuring that exchange technology decisions — how gateways, networks and matching engines handle orders and implement risk controls — minimize unnecessary message traffic; and adopting policies and procedures for internal regulations and updates that take into account member feedback, minimize differential treatment, and allow time for preparation and testing by market participants.
According to the white paper, the electronification of markets has brought massive efficiency benefits to investors and issuers.
In addition, electronic markets have generally proven to be very stable and resilient: “For example, trading, clearing and settlement infrastructure proved extraordinarily resilient in the US during the unprecedented volatility and volume that accompanied the onset of the COVID-19 pandemic in early 2020.”
“Nevertheless, electronic markets also bring the risk of technology glitches and outages that can not only damage individual firms but also produce market-wide implications.”
Individual firms, regulators, and exchanges have done much in recent years to improve industry protections against such incidents.
“The lessons learned from the world’s leading exchanges can and should be applied broadly to provide a critical additional layer of safeguards, both by implementing exchange-level risk controls and ensuring that order-entry, execution, networking and communications architecture discourage excessive messaging and put participants on a level playing field,” the paper argued.
“Many exchanges around the world have already adopted some of the best practices for achieving this secondary layer of operational-risk protection. Nevertheless, further efforts are warranted to minimize operational risk incidents and better respond to those that will still occur.”
