Broker-dealers: Direct Market Access compliance continues to be a focus for regulators
If you review recent FINRA and SEC exam priorities, guidance, enforcement actions, and similar regulatory communications, you’ll notice continued emphasis on a major obligation for broker-dealers that is often overlooked: Direct Market Access.
Broker-dealers’ Direct Market Access (DMA) obligations are outlined under the Exchange Act 17 CFR § 240.15c3-5, which sets forth a number of requirements for broker-dealers with market access. Market access generally includes access to trading securities on an exchange or alternative trading system (ATS) as a member/subscriber (with a few exemptions and caveats).
These obligations fall into one of three categories:
- Financial Risk Management Controls
- Regulatory Risk Management Controls
- Compliance Procedures (including testing and CEO certification obligations)
If you have not taken a close look at your direct market access compliance recently, you may want to review this area of your firm’s compliance program – before regulators do.
Financial Risk Management Controls
The Financial Risk Management Controls category includes two distinct obligations. One is the establishment of appropriate credit and capital thresholds, and the other is an obligation to prevent the entry of erroneous orders.
Credit/Capital: Broker-dealers are often confident that their customer credit/capital limits are “reasonable,” but that is only one component of a much larger framework for which the firm must be prepared to demonstrate compliance. Specifically, compliance professionals should be asking: Has the firm properly documented the methodology for arriving at these limits? Does this methodology include the factors considered, the parties consulted, and the basis for why such limits are appropriate? And when a temporary or permanent change to a limit is requested, is the process for approving it equally reasonable and memorialized the same way?
Remember, a one-size-fits-all approach here will likely be scrutinized, so make sure these limits are appropriate for the various types of customers you serve and the business lines you engage in.
FINRA has also highlighted a number of control failures where the actual limits are simply not enforced or are easily circumvented. This is perhaps why the testing component under 15c3-5 is so important and can be valuable to the firm.
Erroneous or duplicative orders: What is an erroneous order? Any order that a user (a customer or a firm registered representative) enters but did not intend, including one with the wrong price, number of shares, or even the wrong security. In these cases, the firm is expected to identify the potentially erroneous or duplicative order (within reason) and confirm its legitimacy (and its compliance with other obligations) before routing or executing it.
This is not to be confused with erroneous “executions” and the associated obligations of exchanges. Those can arise from two legitimate orders and are often the result of third-party factors such as stock splits, system failures (at an exchange, market maker, etc.), trading halts, or other conditions that cause discrepancies in price, number of shares, or similar terms; such an execution will likely be reversed.
There are a number of controls that try to ensure an order entered is legitimate, including size controls (number of shares and price), potential market impact (average daily volume), price (limit orders), duplicative orders, and more.
FINRA does recognize that it can be a challenge to balance customer needs with fulfilling this obligation, as it pointed out in prior guidance. After all, it can be frustrating when a customer wants to enter a specific order and is paused for verification given the “possibility” the order is erroneous. The time lost conducting this verification may result in significant losses for a customer. Nevertheless, firms must be prepared to demonstrate they have the correct controls in place and that the parameters set are “reasonable” given their customers and their business.
Regulatory Risk Management Controls
The Regulatory Risk Management Controls category includes four distinct obligations:
- Prevent orders that do not comply with regulatory requirements pre-order entry;
- Prevent orders that the customer is restricted from trading;
- Ensure the firm has access controls on all trading systems and technology; and
- Assure supervisors receive immediate post-trade execution reports.
Pre-order prevention: This may seem straightforward, and indeed most order management systems (OMS) are designed to confirm that required regulatory obligations are met before allowing an order to be routed or executed. However, other regulatory obligations can be overlooked, such as ensuring the firm doesn’t accept a market order in an IPO prior to the commencement of trading in the secondary market (FINRA Rule 5131(d)(4)), or various exchange rules and obligations.
Customer restrictions: These can also be a challenge, as this control must be tailored to individual accounts. Particularly for firms using paper applications or multiple OMSs, a customer may disclose information that requires restrictions to be placed on certain securities, and the firm must confirm this control exists across the enterprise as well as within the firm’s own restricted trading list.
Access control: These obligations are not just a hot topic for DMA compliance but also for regulatory cybersecurity expectations as a whole. Generally, the greater the access, the greater the risk, and this is an area that is easy to miss. For example, it’s not uncommon for firms with multiple systems to find terminated or reassigned employees whose access rights still have not been revoked months or even years later.
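The following is an added example, not from the post or from any vendor's OMS, of how the pre-trade controls named in the erroneous-order and customer-restriction discussions above (credit limit, order size, ADV impact, price collar, duplicate detection, restricted securities) can be expressed as a single gate that either rejects an order with reasons or lets it route; the account, limits, reference prices and ADV figures are constructed.

```python
# Added example, not from the post or any firm: a pre-trade risk gate that applies the
# controls named above (credit limit, order size, ADV impact, price collar, duplicate
# detection, restricted securities). All limits and reference data are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-account limits: credit limit in notional, max shares per order,
# max fraction of ADV per order, and max deviation of a limit price from reference.
LIMITS = {"ACC1": dict(credit=500_000.0, max_qty=25_000, adv_pct=0.05, collar=0.10)}
REF_PRICE = {"XYZ": 50.0, "ABC": 20.0}         # assumed last-sale reference prices
ADV = {"XYZ": 1_000_000, "ABC": 40_000}          # assumed average daily volumes
RESTRICTED = {"ACC1": {"ABC"}}                   # customer-specific restricted symbols

@dataclass
class Order:
    account: str
    symbol: str
    side: str                 # "BUY" or "SELL"
    qty: int
    price: Optional[float]    # None means a market order

@dataclass
class RiskGate:
    exposure: dict = field(default_factory=dict)   # account -> accepted notional
    seen: set = field(default_factory=set)         # keys of accepted orders

    def check(self, o: Order) -> list:
        """Return control violations; an empty list means the order may be routed."""
        lim, ref = LIMITS[o.account], REF_PRICE[o.symbol]
        notional = o.qty * (o.price if o.price is not None else ref)
        key = (o.account, o.symbol, o.side, o.qty, o.price)
        reasons = []
        if key in self.seen:
            reasons.append("duplicate order")
        if o.symbol in RESTRICTED.get(o.account, set()):
            reasons.append("restricted security for this account")
        if o.qty > lim["max_qty"]:
            reasons.append("order size exceeds maximum quantity")
        if o.qty > lim["adv_pct"] * ADV[o.symbol]:
            reasons.append("order exceeds ADV participation limit")
        if o.price is not None and abs(o.price - ref) / ref > lim["collar"]:
            reasons.append("limit price outside price collar")
        if self.exposure.get(o.account, 0.0) + notional > lim["credit"]:
            reasons.append("credit limit exceeded")
        if not reasons:        # only accepted orders consume credit and count as seen
            self.seen.add(key)
            self.exposure[o.account] = self.exposure.get(o.account, 0.0) + notional
        return reasons
```

Every rejection reason is recorded rather than stopping at the first, which is what a supervisor needs when reviewing why an order was held for verification.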
In addition, access control is not just about who has access, but also what level of access each person has. For example, providing a trader with administrative privileges to an ATS that would allow them to change control parameters, add new users, etc., may be subject to intense regulatory scrutiny and create additional risks, including fraud. Access must be appropriate for each employee’s role and responsibilities.
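As an added example (not from the post), the following reconciles a constructed entitlement export from a trading system against an HR roster and a role-to-privilege policy, flagging the two failure modes just described: departed or reassigned users whose access is still live, and users such as a trader holding administrative privileges beyond their role. The systems, users, roles and policy are all assumptions.

```python
# Added example, not from the post: an entitlement review that reconciles a trading
# system's user export against the HR roster and a role-to-privilege policy, flagging
# the two failure modes described above. All users, roles and systems are constructed.
from datetime import date

# Privileges each role may hold (constructed policy). Traders get order entry only;
# changing risk parameters or adding users is reserved for risk-control administrators.
ROLE_POLICY = {
    "trader": {"order_entry"},
    "risk_admin": {"order_entry", "edit_risk_params", "manage_users"},
    "compliance": {"view_reports"},
}

# Constructed HR roster: status, current role and date of last status/role change.
HR = {
    "e100": {"status": "active", "role": "trader", "changed": date(2023, 1, 5)},
    "e101": {"status": "terminated", "role": "trader", "changed": date(2023, 6, 30)},
    "e102": {"status": "active", "role": "compliance", "changed": date(2024, 2, 1)},
    "e103": {"status": "active", "role": "risk_admin", "changed": date(2022, 9, 1)},
}

# Constructed entitlement export from an ATS / OMS: (user, system, privileges held).
ENTITLEMENTS = [
    ("e100", "ATS-A", {"order_entry", "manage_users"}),
    ("e101", "ATS-A", {"order_entry"}),
    ("e102", "OMS-1", {"view_reports"}),
    ("e103", "ATS-A", {"order_entry", "edit_risk_params", "manage_users"}),
    ("e999", "OMS-1", {"order_entry"}),
]


def review(entitlements, hr, policy, as_of):
    """Return findings as (user, system, issue); each is an exception to resolve."""
    findings = []
    for user, system, privs in entitlements:
        rec = hr.get(user)
        if rec is None:
            findings.append((user, system, "no HR record for account holder"))
            continue
        if rec["status"] != "active":
            days = (as_of - rec["changed"]).days
            findings.append((user, system, f"{rec['status']} {days} days ago, access still active"))
            continue
        excess = privs - policy.get(rec["role"], set())
        if excess:
            findings.append((user, system, "privileges beyond role: " + ", ".join(sorted(excess))))
    return findings
```

Running the same review on each system's export before the annual 15c3-5 testing gives the firm documented evidence that access rights were reconciled, not just asserted.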
Immediate post-trade review: This last obligation may be common practice in established OMS environments; however, in proprietary systems or at firms with multiple venues, systems, and controls, the firm may struggle to make this data “immediately” available as required.
Important considerations for both financial and regulatory risk management controls
Many of the controls discussed above are often not in the exclusive control of the broker-dealer, but may be maintained in a third-party system, such as the order management system of an ATS. In these situations, FINRA reminds broker-dealers that the ultimate responsibility for these DMA obligations rests with the firm, and the firm may not assign this responsibility to third parties. That does not mean firms cannot rely on these controls, but rather that firms must remember they have to retain control over these alerts and parameters and be prepared to demonstrate adequate due diligence showing that such reliance was reasonable.
Broker-dealer firms have an obligation under the Direct Market Access rule to ensure they are testing their supervisory controls and procedures regarding DMA at least annually to prepare for the CEO certification, which is also due annually. In prior examinations, FINRA has found that inadequate testing means the CEO had no reasonable basis to certify that their risk management controls and procedures complied with the rule. Accordingly, broker-dealers need to ensure their testing is timely, thorough, accurate, and complete.
Direct Market Access obligations may seem overwhelming, but taking a proactive, methodical approach to compliance will go a long way in mitigating associated risks. Kaufman Rossin has extensive expertise with FINRA and SEC compliance and can assist broker-dealers with meeting their DMA obligations. Contact me or another member of our Risk Advisory Services team to learn how we can help your firm with this and other regulatory requirements.