Prudential Regulation Authority Rulebook

6.1

The functions responsible for Risk Management and Other Systems and Controls are expected to:
(a) understand algorithmic trading being undertaken at the firm, the risks that such trading exposes the firm to, and how it affects their oversight responsibilities; and
(b) have authority to challenge and ultimately restrict or impose additional controls or limits on algorithmic trading.

6.2

In addition to these general expectations, the PRA has the following specific expectations in relation to these units and/or functions.

6.3

The PRA expects the firm’s Risk Management function to ensure that algorithmic trading is consistent with the firm’s risk appetite and governance framework, as approved by the governing body.

6.4

The Risk Management function is responsible for ensuring that all risk controls that it owns, including those located in Front Office infrastructure, are updated in line with its expectations.

6.5

Where risk controls are located in the Front Office infrastructure but the Risk Management function does not have direct access to that infrastructure, the PRA expects there to be a policy in place that:
(a) sets out how changes are made to the risk controls; and
(b) details on who has authority following instruction from the Risk Management function for altering the risk controls.

6.6

The PRA expects the Risk Management function to manage potential concentration of risk arising from counterparties using similar algorithmic trading strategies.

6.7

For direct electronic access counterparties, the PRA expects the Risk Management function to incorporate in its frameworks the oversight and management of these counterparties. Specifically, the Credit Risk Management function should assess the suitability of counterparties with direct electronic access and, if necessary, deny access.

6.8

The Risk Management function should identify, assess and report the risks that arise from algorithmic trading if the system architecture:
(a) (including algorithms) operates as intended; and
(b) does not operate as intended.

6.9

If the system architecture operates as intended, the Risk Management function is expected to assess intra-day exposure stemming from algorithmic trading, and to design and implement, if necessary, measures to ensure that risk exposure at all times is within the firm’s risk appetite.

6.10

In addition, the PRA expects a firm’s Risk Management function to identify, assess, and report the risks that would arise were parts of the system architecture do not to operate as intended (for example, if an algorithm or its associated controls were to malfunction, causing trading to stop or to continue but in an uncontrolled way). Such risks could include:
(a) risk exposures rising beyond their limits and the firm’s risk appetite; and/or
(b) the firm failing to meet contractual or other obligations.

6.11

In respect of each of these risks, the Risk Management function should formulate and execute mitigation plans.

6.12

The PRA expects that algorithmic trading and its associated risks should be included in the design of a firm’s stress tests, and in the design of market resilience testing. Where appropriate, a firm should undertake standalone algorithmic trading stress tests.

6.13

Algorithmic trading can result in a high volume of trades over a short period of time. The PRA expects those responsible for operations and settlements to be aware of the algorithmic trading system capacity and ensure that this aligns with post-trade processing capacity. Where post-trade controls are required, such as throttling controls to handle high capacity utilisation incidents, these should be clearly documented and relevant functions, including Front Office, should be aware of them.

6.14

A firm’s Compliance Function should ensure that its algorithmic trading activities comply with the PRA Rulebook and meet the expectations set out in this SS.

6.15

A firm’s Internal Audit function should ensure that reviews of algorithmic trading activities are included in its audit plans.