While discussions about the final contents of MiFID 2 seem set to continue for some while yet, the European Securities and Markets Authority has anticipated some important MiFID 2 issues in a set of Guidelines issued (rather quietly!) in February: Guidelines on systems and controls in an automated trading environment for trading platforms, investment firms and competent authorities.

These Guidelines are precise in a number of areas, and essentially have the force of regulation: the competent authorities in each EU country are expected to incorporate the Guidelines into their supervisory practices and “unless otherwise informed, market participants should be able to comply with the Guidelines” by May 1, 2012. So, while various national regulators may move at different speeds, the direction from ESMA is clear and urgent.

Most of the ESMA requirements refer to overall management practices: governance, staffing and so on. The Guidelines seek to influence the construction of automated trading engines via these means, but they don't place specific demands on the functionality of underlying software solutions. Definitions of what a trading engine can do are confined to a general prohibition of market abuse/manipulation, with examples such as ping orders, quote stuffing, momentum ignition and layering/spoofing.

The limited number of Guidelines that impose software functionality requirements give some useful indication about the direction of ESMA’s thinking. These Guidelines center on required risk management controls for the orders emanating from automated trading engines, and here the demands on the software used to apply these controls are very specific:

• There must be no “naked access” by sponsored access traders (as already proscribed in MiFID).
• Orders must be checked for trader authorization, price, size and capital/credit thresholds.
• There must be clear and tight control of authorization to manage the risk filters.
• There should be override procedures, again with tight control of authorization.
• Order traffic to individual trading platforms (markets) should be controlled.
• All order flows must be controlled.
• It must be possible to immediately halt trading by any individual DMA/sponsored access client.

There is little here that seems controversial: it's a fair summary of best practice for trading risk management in electronic markets, and should largely reflect practices already in place. But where gaps exist, market participants are now clearly "on notice" to fill them rapidly. Compliance with most of the Guidelines should be relatively straightforward on any individual trading architecture: the main area of complication arises where multiple architectures are in place, and controls of capital and credit need to span across them.

One Guideline that may need clarification is the requirement for control of order traffic to individual trading platforms. In a fragmented market such as European equities, where both execution algorithms (dividing parent orders into multiple child orders) and smart routers (potentially further dividing the child orders) may be in use, the orders finally sent to individual markets are somewhat removed from the original parent orders, but they are by definition only parts of those originals and are normally considered "safe". (One of course assumes that the parent orders have passed through the normal checks.) Additional risk filters could be placed on each market gateway to control flows to individual trading platforms, but this is not widespread market practice, and arguably would add little value.

As national regulators move into action in this area, it will be critical for market participants to understand the ESMA Guidelines in detail, and to ensure their firms are well positioned to comply.