DEA provider must have access to information on its DEA clients, irrespective of DEA clients’ jurisdiction or their authorisation status - ESMA underlined this once more in an interpretation of 28 March 2018.

On 28 March 2018 ESMA updated the answer to the Question 23 in Questions and Answers on MiFID II and MiFIR market structures topics (ESMA70-872942901-38), which relates to the MiFID II legal requirements resting upon providers of the direct electronic access to the trading venue (DEA).

The earlier version of the said answer to the Question 23 (dated 3 October 2017) had the following wording:

“Are the suitability checks and controls a DEA provider should perform on clients using the service also applicable in case of clients that are not investment firms authorised in the EU?

Yes, the obligations that fall on a DEA provider as per Article 17(5) of MiFID II and as specified in RTS 6 apply regardless whether the client is an authorised EU investment firms or not. In particular, all clients accessing an EU trading venue through the sub-delegated DEA should be subject to the controls and suitability checks of Article 17(5) of MiFID II as well as provisions of Articles 19 to 23 of RTS 6.”

In the edition of 28 March 2018 ESMA has retained all existing text, which is supplemented now with an answer to the additional question:

“Where a DEA client extends its access to its own clients, is the DEA provider responsible for the conduct of these sub-delegated clients?”.

The ESMA‘s stance as regards this issue is as follows:

- Ii order to fulfil its responsibility, the DEA provider must have access to information on its DEA clients, irrespective of DEA clients’ jurisdiction or their authorisation status;

- a DEA provider may not provide services to its clients, including sub-delegated clients, unless all information can be made available to the competent authority of the trading venue for its supervisory and enforcement purposes;

- the DEA provider should also clarify in the binding written agreement that the DEA service will be suspended or withdrawn from the client if the provider is not satisfied that continued access would be consistent with its rules and procedures for fair and orderly trading and market integrity - this includes a situation where the client fails to supply a reasonable explanation for a suspicious trading pattern or inappropriate trading behaviour that may involve market abuse;

- where a DEA sub-delegation is allowed, the DEA provider should require its DEA clients to have a provision to enable the DEA provider to have access to information on their sub- delegated clients’ trading activities for the express purpose of enabling the DEA provider to provide information to the competent authority of the trading venue;

- trading venues must observe Article 22(3) of RTS 7 (Commission Delegated Regulation (EU) 2017/584 of 14 July 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying organisational requirements of trading venues) when permitting sponsored access, and where appropriate direct market access (DMA), to their members and participants (the said provision stipulates that trading venues must be able to suspend or withdraw the provision of sponsored access to clients having infringed MiFIDII/MiFIR, Market Abuse Regulation (MAR) or the trading venue's internal rules);

- trading venues should clearly state in their rules the circumstance in which the trading venue suspends or terminates the provision of DEA, for example, where the conduct of a DEA client is reasonably suspected to be abusive.

It my be useful to recall that according to the aforementioned Article 17(5) MiFID II:

”An investment firm that provides direct electronic access to a trading venue shall have in place effective systems and controls which ensure a proper assessment and review of the suitability of clients using the service, that clients using the service are prevented from exceeding appropriate pre-set trading and credit thresholds, that trading by clients using the service is properly monitored and that appropriate risk controls prevent trading that may create risks to the investment firm itself or that could create or contribute to a disorderly market or could be contrary to Regulation (EU) No 596/2014 or the rules of the trading venue. Direct electronic access without such controls is prohibited.”

The provisions referred to by ESMA in the above interpretation i.e. Articles 19 - 23 of the RTS 6 (Commission Delegated Regulation (EU) 2017/589 of 19 July 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading are quoted below: 

“Article 19

General provisions for DEA

(Article 17(5) of Directive 2014/65/EU)

A DEA provider shall establish policies and procedures to ensure that trading of its DEA clients complies with the trading venue's rules so as to ensure that the DEA provider meets the requirements in accordance with Article 17(5) of Directive 2014/65/EU.

Article 20

Controls of DEA providers

(Article 17(5) of Directive 2014/65/EU)

1. A DEA provider shall apply the controls laid down in Articles 13, 15 and 17 and the real-time monitoring laid down in Article 16 to the order flow of each of its DEA clients. Those controls and that monitoring shall be separate and distinct from the controls and monitoring applied by DEA clients. In particular, the orders of a DEA client shall always pass through the pre-trade controls that are set and controlled by the DEA provider.

2. A DEA provider may use its own pre-trade and post-trade controls, controls provided by a third party or controls offered by the trading venue and real time monitoring. In all circumstances, the DEA provider shall remain responsible for the effectiveness of those controls. The DEA provider shall also ensure that it is solely entitled to set or modify the parameters or limits of those pre-trade and post-trade controls and real time monitoring. The DEA provider shall monitor the performance of the pre-trade and post-trade controls on an on-going basis.

3. The limits of the pre-trade controls on order submission shall be based on the credit and risk limits which the DEA provider applies to the trading activity of its DEA clients. Those limits shall be based on the initial due diligence and periodic review of the DEA client by the DEA provider.

4. The parameters and limits of the controls applied to DEA clients using sponsored access shall be as stringent as those imposed on DEA clients using DMA.

Article 21

Specifications for the systems of DEA providers

(Article 17(5) of Directive 2014/65/EU)

1. A DEA provider shall ensure that its trading systems enable it to:

(a) monitor orders submitted by a DEA client using the trading code of the DEA provider;

(b) automatically block or cancel orders from individuals which operate trading systems that submit orders related to algorithmic trading and which lack authorisation to send orders through DEA,;

(c) automatically block or cancel orders from a DEA client for financial instruments which that client is not authorised to trade, using an internal flagging system to identify and block single DEA clients or a group of DEA clients;

(d) automatically block or cancel orders from a DEA client that breach the risk management thresholds of the DEA provider, applying controls to exposures of individual DEA clients, financial instruments or groups of DEA clients;

(e) stop order flows transmitted by its DEA clients;

(f) suspend or withdraw DEA services to any DEA client where the DEA provider is not satisfied that continued access would be consistent with its rules and procedures for fair and orderly trading and market integrity;

(g) carry out, whenever necessary, a review of the internal risk control systems of DEA clients.

2. A DEA provider shall have procedures to evaluate, manage and mitigate market disruption and firm-specific risks. The DEA provider shall be able to identify the persons to be notified in the event of an error resulting in violations of the risk profile or in potential violations of the trading venue's rules.

3. A DEA provider shall at all times be able to identify its different DEA clients and the trading desks and traders of those DEA clients, who submit orders through the DEA provider's systems, by assigning a unique identification code to them.

4. A DEA provider allowing a DEA client to provide its DEA access to its own clients (‘sub-delegation’) shall be able to identify the different order flows from the beneficiaries of such sub-delegation without being required to know the identity of the beneficiaries of such arrangement.

5. A DEA provider shall record data relating to the orders submitted by its DEA clients, including modifications and cancellations, the alerts generated by its monitoring systems and the modifications made to its filtering process.

Article 22

Due diligence assessment of prospective DEA clients

(Article 17(5) of Directive 2014/65/EU)

1. A DEA provider shall conduct a due diligence assessment of its prospective DEA clients to ensure that they meet the requirements set out in this Regulation and the rules of the trading venue to which it offers access.

2. The due diligence assessment referred to in paragraph 1 shall cover:

(a) the governance and ownership structure of the prospective DEA client;

(b) the types of strategies to be undertaken by the prospective DEA client;

(c) the operational set-up, the systems, the pre-trade and post-trade controls and the real time monitoring of the prospective DEA client. The investment firm offering DEA allowing DEA clients to use third-party trading software for accessing trading venues shall ensure that the software includes pre-trade controls that are equivalent to the pre-trade controls set out in this Regulation.

(d) the responsibilities within the prospective DEA client for dealing with actions and errors;

(e) the historical trading pattern and behaviour of the prospective DEA client;

(f) the level of expected trading and order volume of the prospective DEA client;

(g) the ability of the prospective DEA client to meet its financial obligations to the DEA provider;

(h) the disciplinary history of the prospective DEA client, where available.

3. A DEA provider allowing sub-delegation shall ensure that a prospective DEA client, before granting that client access, has a due diligence framework in place that is at least equivalent to the one described in paragraphs 1 and 2.

Article 23

Periodic review of DEA clients

(Article 17(5) of Directive 2014/65/EU)

1. A DEA provider shall review its due diligence assessment processes annually.

2. A DEA provider shall carry out an annual risk-based reassessment of the adequacy of its clients' systems and controls, in particular taking into account changes to the scale, nature or complexity of their trading activities or strategies, changes to their staffing, ownership structure, trading or bank account, regulatory status, financial position and whether a DEA client has expressed an intention to sub-delegate the access it receives from the DEA provider.”