Insights

Blogs

A Template for the MiFID II RTS 6 Algo Self-Assessment Validation Report

MiFID II RTS 6 Article 9 details the requirement for all investment firms that provide Direct Electronic Access for clients and/or perform algorithmic trading to undertake annual self-assessments to ensure continued compliance with RTS 6. This is because RTS 6 has no other outward measurement of a firm’s compliance. However, the article is non-specific about the format and content of the report.

Stay current on your favourite topics

Subscribe

In a previous blog, Citihub Consulting suggested a three-step assessment approach.  The blog discussed a pragmatic and objective mechanism to assess the firm’s nature and business scope, scale and complexity. Under Article 9, this first step in the assessment forms the basis of determination in respect of the level of detail and evidence required to support the self-assessment and validation report.

This blog attempts to highlight some suggested contents of a self-assessment validation report and provide a simple checklist of in-scope assessment criteria.

Self-Assessment Validation Report Template

The following parts are recommended as the basis of the self-assessment validation report. This is based on the assumption that this document will be the only one that senior management will read prior to approving the assessment:

Part I – Management Summary of Overall Requirement and Statement of Compliance

1.1 Executive Summary

Answer the question: Why am I reading this?

  • Structure the answer by describing the requirement of RTS 6, Article 9 – i.e. that as a provider of algo services, you must also perform an annual self-assessment
  • Make a high-level statement of compliance

1.2 Approach

Answer the question: How did you produce the report?

  • Describe the high-level approach: was it policy mapping based; a first principle evidence review; was it performed algo-by-algo or by MiFID II legal entity and what regions were included
  • Try to demonstrate how or if all relevant articles have been covered and what the overall RAG status of compliance is
  • Mark references to Annex I: how was it assessed and a statement of your firm’s view of your nature, scale and complexity

1.3 Assessment of Compliance

Answer the question: At a high-level, what were the obligations and how did we comply to them?

  • Write a summary or tabulate the main requirements and the top-level compliance statements. The summary could be by RTS 6 chapter; by the thematic grouping of articles or even by internal policy groupings
  • Focus on the main items that senior management will recognise and be concerned with
  • This is probably as detailed as some senior management will ever read

1.4 Declaration of Known Deficiencies

Answer the question: What didn’t we do?

  • List items that are known gaps even before the review by internal audit
  • Few organisations are so perfect such that there are no known deficiencies

Part II – Detailed Compliance

Answer the question: For each article, what should I be complying with and how am I doing this?

  • This should be more detailed than in Part I
  • Take an article by article view
  • Summarise the requirement but do not paste in the raw regulatory text. This may still be read by a diligent senior manager and some of the raw text is confusing
  • Indicate how the firm is compliant (e.g. policy / procedure / technology etc.)
  • Provide links to policies
  • Provide links to suitable evidence

Part III – RTS 6 Annex I Assessment

Answer the question: What were your answers to Annex I that determined the nature, scale and complexity of the firm? Detail the answers against each part of Annex I.

An algo inventory is an important input. It should document all algos that are in use and why the firm believes that they are either in or out of RTS6 scope.

Special caution should be applied by buy-side firms that might be using algos (either directly or through outsourced relationships) that fall within the in scope for MiFID II because the amount of human intervention is low. A well-constructed and maintained algo inventory is crucial to mitigating scope creep.

Part IV – Evidence

Answer the question: What evidence do we have that supports our statement of compliance? Use the checklist below to help build this list.

Part V – Sign Offs

Provide dates for sign offs. If necessary, include electronic email sign offs as attachments to the main report. This should include:

  • Risk management
  • Senior management
  • Internal audit review output

Stay current on your favourite topics

Subscribe

Checklist

Below is an entry-level checklist for an algo self-assessment. This is not an exhaustive list and excludes items relating to continuous improvement of the self-assessment validation report in future years. The depth to which the report must extend to any one aspect of the checklist will vary between firms.

  • Self-assessment validation report
  • Sign off emails
  • Internal audit review
  • Stress testing results
  • Venue conformance testing statements
  • Algo governance policy
  • Training guides
  • Vendor management policies
  • SLDC documentation
  • HFT algo identification
  • Review of algo governance framework
  • Release and deployment documentation
  • Testing environment separation proof
  • Kill functionality procedures
  • Market surveillance policy
  • BCP policies
  • Pre & post-trade controls inventory
  • Algo inventory extract
  • Infosec policies
  • DEA due diligence questionnaires
  • Order record keeping evidence

Conclusion

Firms that have not conducted an annual self-assessment still have time. There is an active debate on whether a self-assessment should be:

  1. Written, approved and audited within a single year;
  2. Written within a year with final approval and auditing the following year.

Developing a report based on this template and covering the checklist items will help to mitigate the risk of non-compliance.

All firms will be performing this activity for the first time and for most, they will find it to be a manual task. This is especially true where key data points are not captured systematically. Citihub Consulting recommends a remediation project to define the target operating model for the creation of the self-assessment validation report. This will ensure that any required data capture is automated thereby reducing the manual effort in producing future annual reports.


Would you like to know more about our work?


The author

David McMahon

David McMahon

Associate Partner, London

David is a hands-on professional with over 20 years’ experience across the development lifecycle – from systems design and architecture to business process reengineering. His most recent experience is in solution design and implementation relating to MiFID II microstructural issues.

david.mcmahon@citihub.com