Algorithm approval process


The PRA expects a firm to embed an algorithm approval process as part of its systems and controls, which captures:
(a) new algorithms; and
(b) customisation of, or amendment to, existing algorithms.


A firm may choose to have different approval requirements depending on the algorithm’s use, and where relevant the customisation or amendment being made. The PRA expects the:
(a) approval process to be commensurate with the risks the firm could be exposed to via the algorithm;
(b) firm to set out its approval requirements, clearly indicating the conditions under which different approval requirements apply, if appropriate; and
(c) firm to ensure that the approval process does not incentivise approvals to be made in a manner that could result in a lower rigour of review. For example, the PRA would not expect a significant change to an algorithm to be broken into a number of smaller changes, each of which would be subject to testing less rigorous than would be applied to the significant change itself.

Conditions to be met prior to granting approval


Prior to approval, the PRA expects, at a minimum:
(a) each algorithm to have assigned owners, who are accountable for the algorithm’s use and performance. Such accountability includes ensuring that the algorithm is appropriately developed, implemented, used as intended and has undergone appropriate testing and deployment;
(b) testing to be successfully completed; and
(c) all relevant functions (eg Front Office, Risk Management,7 Other Systems and Controls functions) to have considered and to have signed-off on the risks relevant to that function that the algorithm could expose the firm to. This should be assessed under both normal, and severe but plausible conditions.


  • 7. Which are independent from the Front Office.


The PRA expects the firm’s approval process to include the risk controls that must be in place prior to granting approval to use an algorithm. The PRA expects the risk controls to align with the firm’s risk appetite. At a minimum, the PRA expects there to be risk controls that limit exposure to a counterparty, order attribution, message rate, frequency of orders, stale data, and order and position size (including in relation to market liquidity).


The PRA expects a firm to have manual and automated controls that stop trading or prevent user access, and with manual intervention required to restart trading (referred to as ‘kill-switch’ controls). A firm, at a minimum, is expected to:
(a) have a governance process around the use of kill-switch controls;
(b) detail the action to be taken in respect of outstanding and placed orders when kill-switch controls are activated; and
(c) periodically assess kill-switch controls to ensure that they operate as intended. This includes an assessment of the speed at which the procedure can be affected.