On October 16, 2013, Knight Capital Americas LLC (Knight Capital) agreed to pay $12 million to settle charges brought by the Securities and Exchange Commission (SEC) alleging that the firm violated Rule 15c3-5 (the Market Access Rule or Rule) under the Securities Exchange Act of 1934.1The Market Access Rule, which was adopted by the SEC in 2010 and became effective in 2011, requires broker-dealers with market access to establish, document and maintain risk management controls and supervisory procedures that are reasonably designed to manage the financial, regulatory and other risks of market access.2 Among other things, such controls must address the entry of erroneous and duplicative orders, and orders that exceed pre-set aggregate credit and capital thresholds.3 All broker-dealers providing market access should review the Order, which represents the SEC’s first enforcement action alleging violations of the Market Access Rule, to consider whether any of the deficiencies identified by the SEC are applicable to their respective businesses.4
The enforcement action against Knight Capital stems from technology errors revealed on August 1, 2012, that led to the entry of millions of erroneous orders by the firm. Specifically, according to the Order, during the first 45 minutes of trading on August 1, 2012, a router that contained discontinued and therefore incorrect code sent over 4 million orders to the market in an effort to fill 212 small retail orders. The error resulted in Knight Capital trading more than 397 million shares, acquiring several billion dollars in unwanted positions, and suffering a trading loss of over $460 million. The Order also states that Knight Capital’s trading system sent 97 automated emails to certain employees that identified an error in the system prior to the market open on August 1, 2012, but no action was taken because those emails were not designed as system alerts, so they were generally not reviewed upon receipt. The Order emphasizes the SEC’s view that these alerts, despite their design, provided an opportunity for Knight Capital to identify and fix the problem before markets opened.5
Because the SEC has not issued formal guidance on the Market Access Rule, the Order is informative as it reflects the scope of activities that the SEC views as falling within the parameters of the Rule. Notably, the SEC charged Knight Capital with violating the Market Access Rule by:
- failing to have controls reasonably designed to prevent the entry of erroneous orders at a point immediately prior to the submission of orders to the market (such as by maintaining a control to compare orders leaving the router with those that entered it);
- failing to have controls reasonably designed to prevent the entry of orders for equity securities that exceeded pre-set aggregate capital thresholds for the firm and to link accounts to firm-wide capital thresholds, and instead relying on financial risk controls that were not capable of preventing the entry of orders (Knight Capital had an account, with a position limit that was exceeded as a result of the aforementioned activity, but this account was not linked to an automated control to prevent the entry of orders that exceeded firm-wide pre-set capital thresholds);
- failing to generate automated alerts, and instead relying on human monitoring of the firm’s financial exposure;
- failing to have controls and supervisory procedures to guide employees’ responses to significant technological and compliance incidents; and
- failing to satisfy the annual CEO certification requirement, because the certification stated that the firm had in place “processes” to comply with the Market Access Rule, rather than stating that the firm’s controls and procedures complied with the rule. The Order noted that “[c]ertifying to the existence of processes is not equivalent to certifying that controls and procedures are reasonably designed and comply with the rule.”6
Importantly, while this action was brought under the Market Access Rule, certain of the findings in the Order seem to evoke the requirements of recently proposed Regulation SCI. Regulation SCI, which was proposed on March 7, 2013 but has not yet been adopted, is intended to require certain market participants to establish and maintain comprehensive policies and procedures related to the design, development, testing, maintenance, and surveillance of systems critical to their operations.7 For instance, the SEC charged Knight Capital with violating the Market Access Rule by failing to:
- have technology controls and supervisory procedures in place to ensure the orderly deployment of new code or to prevent the activation of code no longer intended for use but left on its servers, or to guide employees’ responses to “significant” technological and compliance incidents;
- retest code not intended for use but left on servers to determine whether it would still operate correctly if called upon;
- require a second technician to review new code deployment or maintain written procedures that require such a review; and
- have controls to halt a system’s operations in response to its own aberrant behavior.
As noted by Andrew Ceresney, co-director of the SEC’s Division of Enforcement, “Given the rapid pace of trading in today’s markets and the potential massive impact of control breakdowns, broker-dealers must be held to the high standards of compliance necessary for the safe and orderly operation of the markets.”8 Accordingly, while the Order is specific to the facts at issue, other broker-dealers providing market access should be mindful of the allegations and should consider carefully whether their controls are reasonable, robust and appropriately address the requirements of the Market Access Rule, and whether their certifications comply with Rule 15c3-5(e)(2).
1See In the Matter of Knight Capital Americas, LLC, Exchange Act Release No. 70,694 (Oct. 16, 2013) (order instituting administrative and cease-and-desist proceedings) (the Order).
2 The Market Access Rule was intended to require broker-dealers to “control the risks associated with market access, so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets, and the stability of the financial system.” Risk Management Controls for Brokers or Dealers with Market Access, Exchange Act Release No. 63,241 at 3 (Nov.3, 2010) (adopting release). See also Rule 15c3-5(b).
3See Rule 15c3-5(c)(1).
4 Although the Order marks the SEC’s first enforcement action alleging violations of the Market Access Rule, self-regulatory organizations have brought actions under the Rule. See Woodmere Trading, LLC, Chicago Board Options Exchange, Inc. Decision Accepting Offer of Settlement, 12-0031 and 12-0050 (Sept. 24, 2012); Jefferies & Company, Inc., NASDAQ Stock Market LLC Letter of Acceptance, Waiver and Consent, 20110286830-01 (Dec. 21, 2011).
5 Order at 6-7.
6 Order at 13.
7Proposed Regulation SCI would not apply to all broker-dealers as a general matter; rather, it would apply to those operating alternative trading systems that meet the thresholds of the rule. See generally, Regulation Systems Compliance and Integrity, Securities Exchange Act Release No. 69,077 (Mar. 8, 2013) (proposing release). See also SEC Gets SCI-entific About Trading Systems with Proposed Regulation SCI, WilmerHale Securities Alert (Mar. 27, 2013), available here.
8See SEC Charges Knight Capital with Violations of Market Access Rule, Press Release, available atwww.sec.gov.