In light of the increased automation of trading on securities exchanges and alternative trading systems ("ATS") today, and the growing popularity of sponsored and direct market access arrangements, the Securities and Exchange Commission ("SEC" or "Commission") has grown concerned that the various financial and regulatory risks that arise in connection with such access may not be appropriately and effectively controlled by all broker-dealers. As a result, on January 26, 2010, the Commission published Proposed Rule 15c3-5 under the Securities Exchange Act of 1934 ("Exchange Act") for public comment.1 As proposed, Rule 15c3-5 would require brokers or dealers with access to trading directly on an exchange or ATS, including those providing sponsored or direct market access to customers or other persons, to implement risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity. After reviewing the 47 comment letters submitted in response to the proposal, on November 3, 2010, the Commission determined to adopt Rule 15c3-5 substantially as proposed ("the Rule"), but with certain narrow modifications in response to concerns expressed by commenters, including the following:
- A broker-dealer operator of an ATS is subject to the Rule if it provides non-broker-dealer subscribers access to its ATS;
- Broker-dealers that provide outbound routing services to an exchange or ATS for the sole purpose of accessing other trading centers with protected quotations on behalf of the exchange or ATS in order to comply with Rule 611 of Regulation NMS, or a national market system plan for listed options, need not comply with the risk management requirements of paragraph (b) of the Rule;
- Subject to certain conditions, broker-dealers providing market access may reasonably allocate control over certain regulatory risk management controls and supervisory procedures to customers that are registered broker-dealers; and
- In appropriate cases, reasonable risk management models may be used to discount the credit or capital exposure generated by outstanding but unexecuted orders.2
The Rule will be effective 60 days from the date that it is published in the Federal Register. Once effective, broker-dealers subject to the Rule will have six months to comply with its requirements.
II. Issues Related to Direct Market Access and Sponsored Access
An increasing number of sophisticated institutional customers and broker-dealers have begun using technological tools to place orders and trade on markets, in many instances, with little or no substantive intermediation by the broker-dealer providing access to trading markets. Under "direct market access" or "sponsored access" arrangements, a broker-dealer allows its customer to use the broker-dealer's market participant identifiers ("MPID") or other mechanism or mnemonic to identify a market participant for the purpose of electronically accessing an exchange or ATS. Generally, direct market access refers to an arrangement in which a broker-dealer permits customers to enter orders on an exchange or ATS but such orders flow through the broker-dealer's trading systems prior to reaching the exchange or ATS. In contrast, sponsored access generally refers to an arrangement whereby a broker-dealer permits customers to bypass the broker-dealer's trading system and route orders directly to an exchange or ATS. "Unfiltered" or "naked" access generally is understood to be a subset of sponsored access, where pre-trade filters or controls are not applied to orders before the orders are submitted to an exchange or ATS. In all cases, however, the broker-dealer with market access is legally responsible for all trading activity that occurs under its MPID.
After acknowledging the benefits that may be associated with market access arrangements, the Commission notes that such arrangements have given rise to increased concerns about the quality of broker-dealer risk controls. With sponsored access arrangements, especially "naked" access arrangements, the Commission believes that there is a greater potential that financial, regulatory and other risks associated with the placement of orders are not being appropriately managed. In particular, the SEC is concerned that there is an increased likelihood that customers and broker-dealers, among other things, will enter erroneous orders as a result of computer malfunction or human error, fail to comply with trading rules and other regulatory requirements, and breach applicable credit or capital limits. In light of the speed and interconnectedness of today's securities trading, any such errors can quickly spread across the financial markets, potentially with systemic implications.
III. Rule 15c3-5 Under the Exchange Act
A. Applicability of Rule 15c3-5
1. Definition of "Market Access"
The definition of "market access," as set forth in paragraph (a)(1) of the Rule, is central to the Rule; it determines which broker-dealers are subject to the Rule. Under the first prong of the definition, "market access" includes access to trading in securities3 on an exchange or ATS as a result of being a member or subscriber of the exchange or ATS, respectively. The SEC intentionally defined "market access" broadly to include not only direct market access or sponsored access services offered to customers of broker-dealers, but also access to trading for the proprietary account of the broker-dealer and for more traditional agency activities.4 In addition, in response to commenters' concerns that similar regulatory and financial risks are present when a non-broker-dealer subscriber directly accesses an ATS as when a broker-dealer accesses an exchange or ATS, the SEC added a second prong to the definition of market access in the final rule. Under this new second prong, "market access" also is defined to include access to trading in securities on an ATS provided by a broker-dealer operator of an ATS to a non-broker-dealer. A broker-dealer operator of an ATS, therefore, is subject to the Rule if it provides non-broker-dealer subscribers access to its ATS.
2. Definition of "Regulatory Requirements"
The definition of "regulatory requirements," as set forth in paragraph (a)(2) of the Rule, defines the scope of the regulatory risk management controls and supervisory procedures. "Regulatory requirements" are defined to mean "all federal securities laws, rules, regulations, and rules of self-regulatory organizations, that are applicable in connection with market access." Thus, the term "regulatory requirements" references existing regulatory requirements applicable to broker-dealers in connection with market access, and is not intended to substantively expand upon them. These regulatory requirements would include, for example, pre-trade requirements such as exchange trading rules relating to special order types, trading halts, odd-lot orders, and SEC rules under Regulation SHO (order marking and locate requirements) and Regulation NMS (order marking), as well as post-trade obligations to monitor for manipulation and other illegal activity. The specific content of the "regulatory requirements" would, of course, adjust over time as laws, rules and regulations are modified.5
B. Requirement to Maintain Risk Management Controls and Supervisory Procedures
1. General Requirements
Paragraph (b) of the Rule sets for the general requirement that any broker-dealer with access to trading on an exchange or ATS must establish risk management controls and supervisory procedures reasonably designed to manage the associated risks. Specifically, paragraph (b) provides that a broker-dealer with market access, or that provides a customer or any other person with access to an exchange or ATS through use of its MPID or otherwise, shall establish, document and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity. The Rule requires that the controls and procedures be documented in writing, and requires the broker-dealer to preserve a copy of its supervisory procedures and a written description of its risk management controls as part of its books and records.
As the SEC noted, the Rule does not employ a "one-size-fits-all" approach; it is drafted to allow the controls and procedures to vary from broker-dealer to broker-dealer, depending on the nature of the business and customer base, so long as they are reasonably designed to achieve the goals articulated in the proposed rule. For example, a broker-dealer that only handles order flow from retail clients may very well develop different risk management controls and supervisory procedures than a broker-dealer that mostly services order flow from sophisticated high-frequency traders.
2. Outbound Routing Exception
In the final rule, the SEC added an exception to the risk management control requirements of paragraph (b) of the Rule for routing brokers that was not included in the original proposal. Specifically, broker-dealers that provide outbound routing services to an exchange or ATS for the sole purpose of accessing other trading centers with protected quotations on behalf of the exchange or ATS in order to comply with Rule 611 of Regulation NMS, or a national market system plan for listed options, need not comply with paragraph (b) of the Rule.6 Under the Rule, orders sent to an exchange or ATS for execution on that exchange or ATS are required to be subject to broker-dealer risk management controls immediately before submission to the exchange or ATS. Therefore, brokers routing orders for an exchange or ATS pursuant to Rule 611 of Regulation NMS or the NMS plan for listed options necessarily would only handle orders that have just passed through broker-dealer risk management controls subject to the Rule, making further application of the Rule's mandated risk controls unnecessary. The Commission notes, however, that routing brokers will not be exempt from the requirement in the Rule to prevent the entry of erroneous orders by rejecting orders that exceed appropriate price and size parameters, on an order-by-order basis or over a short period of time, or that indicate duplicative orders. The Commission believes that requiring routing brokers to comply with this provision should help ensure that order handling by an exchange or ATS routing broker would not increase risk.
C. Financial Risk Management Controls and Supervisory Procedures
1. Credit and Capital Controls Generally
Paragraph (c)(1) of the Rule, which is adopted as proposed, states that a broker-dealer's risk management controls and supervisory procedures must be reasonably designed to systematically limit the financial exposure of the broker-dealer that could arise as a result of market access. Specifically, under paragraph (c)(1)(i) of the Rule, the broker-dealer's controls and procedures must be reasonably designed to prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds in the aggregate7 for each customer and the broker-dealer, and where appropriate more finely tuned by sector, security, or otherwise, by rejecting orders if such orders exceed the applicable credit or capital thresholds. Under this provision, a broker-dealer must set appropriate credit thresholds for each customer for which it provides market access, including broker-dealer customers,8 and appropriate capital thresholds for proprietary trading by the broker-dealer itself. The Commission expects broker-dealers will make such determinations based on appropriate due diligence as to the customer's business, financial condition, trading patterns, and other matters, and document that decision.
2. Reasonable Use of Risk Management Models
Under the Rule, the broker-dealer's controls must be applied on an automated, pre-trade basis. Furthermore, the broker-dealer must assess compliance with the applicable threshold on the basis of exposure from orders entered on an exchange or ATS, rather than relying on a post-execution, after-the-fact determination. However, in appropriate cases, reasonable risk management models may be used to discount the credit or capital exposure generated by outstanding but unexecuted orders. Broker-dealers relying on such models should monitor them for accuracy and make adjustments as warranted.
3. Preventing Erroneous/Duplicative Orders
Paragraph (c)(1)(ii) of the Rule provides that the broker-dealer's controls and procedures must be reasonably designed to prevent the entry of erroneous orders, by rejecting orders that exceed appropriate price or size parameters, on an order-by-order basis or over a short period of time, or that indicate duplicative orders. For example, such controls should be reasonably designed to prevent orders from being entered erroneously as a result of manual errors (e.g., erroneously entering a buy order of 2,000 shares at $2.00 as a buy order of 2 shares at $2,000.00). According to the Adopting Release, a systematic, pre-trade control reasonably designed to reject orders that are not reasonably related to the quoted price of the security is one way to help prevent erroneously entered orders from reaching the market.
D. Regulatory Risk Management Controls and Supervisory Procedures
Paragraph (c)(2) of the Rule requires a broker-dealer's risk management controls and supervisory procedures be reasonably designed to ensure compliance with all regulatory requirements9 that are applicable in connection with market access, including four specific circumstances enumerated in the Rule.
1. Pre-Order Entry Controls
First, under paragraph (c)(2)(i) of the Rule, the broker-dealer's controls and procedures must be reasonably designed to prevent the entry of orders unless there has been compliance with all regulatory requirements that must be satisfied on a pre-order entry basis. To comply with this provision, the broker-dealer's controls must be applied on an automated, pre-trade basis. The pre-trade controls must, for example, be reasonably designed to assure compliance with exchange trading rules relating to special order types, trading halts, odd-lot orders, and SEC rules under Regulation SHO and Regulation NMS.
2. Restricted Trading Controls
Second, paragraph (c)(2)(ii) of the Rule requires the broker-dealer's controls and procedures to prevent the entry of orders for securities that the broker-dealer, customer, or other person, as applicable, is restricted from trading. For example, if the broker-dealer is restricted from trading options because it is not qualified to trade options, its regulatory risk management controls must be reasonably designed to automatically prevent it from entering orders in options, either for its own account or as agent for a customer or broker-dealer. In addition, if a broker-dealer is obligated to restrict a customer from trading in a particular security, then the broker-dealer's controls and procedures must be reasonably designed to prevent orders in such security from being submitted to an exchange or ATS for the account of that customer.
3. Limiting Access to Trading Systems and Technology
Third, under paragraph (c)(2)(iii) of the Rule, the broker-dealer's controls and procedures must be reasonably designed to restrict access to trading systems and technology that provide market access to persons and accounts pre-approved and authorized by the broker-dealer. The Commission expects that elements of these controls and procedures would include: (1) an effective process for vetting and approving persons at the broker-dealer or customer, as applicable, who will be permitted to use the trading systems or other technology; (2) maintaining such trading systems or technology in a physically secure manner; and (3) restricting access to such trading systems or technology through effective mechanisms that validate identity.
4. Post-Trade Execution Reports
Fourth, paragraph (c)(2)(iv) of the Rule will require the broker-dealer's controls and procedures to assure that appropriate surveillance personnel receive immediate post-trade execution reports that result from market access.10 Among other things, the Commission expects that broker-dealers will be able to identify the applicable customer associated with each such execution report. The SEC has clarified, however, that this provision does not require that post-trade surveillance for manipulation, fraud, and other matters occur immediately.
E. Direct and Exclusive Broker-Dealer Control Over Financial and Regulatory Risk Management Controls and Supervisory Procedures
Paragraph (d) of the Rule requires the financial and regulatory risk management controls and supervisory procedures described above to be under the direct and exclusive control of the broker or dealer with market access, subject to the limited exception discussed below. This provision is designed to eliminate the current practice in which some broker-dealers providing market access rely on their customers, third-party service providers, or others, to establish and maintain the applicable risk controls. The Commission believes the potential risks presented by market access are too great to permit a broker-dealer to delegate control of these critical risk management systems to the customer or another third party.
1. Risk Management Tools of Third-Party Independent of Customer
Under this provision, a broker-dealer providing market access may use risk management tools or technology provided by a third party that is independent of the customer, so long as the broker-dealer has direct and exclusive control over those tools or technology and performs appropriate due diligence. Specifically, the broker-dealer could outsource to any independent third party the design and building of the risk management tools or technology for the broker-dealer, and the performance of routine maintenance, so long as the broker-dealer performs appropriate due diligence as to their effectiveness. In addition, the risk management tools or technology could be located at the facilities of the independent third party, so long as the broker-dealer can directly monitor their operation and has the exclusive ability to adjust the controls. Further, the independent third party could, in response to specific direction from the broker-dealer, on a case-by-case basis, make an adjustment to the controls as agent for the broker-dealer.11
The independent third party could be another broker-dealer, an exchange or ATS, a service bureau, or other entity that is not an affiliate, and is otherwise independent, of the market access customer. When evaluating whether a technology provider is independent of the customer, the Commission will look at the substance rather than the form of the relationship. For example, the Commission would not consider a third party independent from a customer just because it technically is not an affiliate, if it has a material business or other relationship with the customer which could interfere with the provision of effective risk management technology to the broker-dealer. Moreover, simple reliance on a customer representation of independence is insufficient; instead, any broker-dealer providing market access must conduct an appropriate level of due diligence regarding the question of independence.
2. Allocation of Control
The Commission has modified the original proposal to permit, subject to certain conditions, broker-dealers providing market access to reasonably allocate control over certain regulatory risk management controls and supervisory procedures to customers that are registered broker-dealers. Specifically, revised paragraph (d)(1) of the Rule permits a broker-dealer providing market access to reasonably allocate, by written contract, control over specific regulatory risk management controls and supervisory procedures to a customer that is a registered broker-dealer, so long as the broker-dealer providing market access has a reasonable basis for determining that such customer, based on its position in the transaction and relationship with an ultimate customer, has better access to that ultimate customer and its trading information such that it can more effectively implement the specified controls and procedures.12 The ability of a broker-dealer to allocate responsibility under paragraph (d)(1) is limited to specific regulatory risk management controls and procedures, and does not extend to the financial risk management controls and procedures mandated under the Rule.
To allocate control pursuant to this provision, the broker-dealer that provides market access must conduct a thorough due diligence review to establish a reasonable basis for determining that the broker-dealer customer to which control will be allocated has the capability and, based on its position in the transaction and relationship with an ultimate customer, better access than the broker-dealer with market access to the ultimate customer and its trading information such that it can more effectively implement the reasonably designed risk management controls and supervisory procedures specifically allocated to it. The broker-dealer with market access must enter into a written contract with the broker-dealer customer that clearly articulates the scope of the arrangement and the specific responsibilities of each party, and, in accordance with paragraph (e) of the Rule (as discussed below), establish, document, and maintain a system to regularly review the performance of the broker-dealer customer under such contract, and the effectiveness of the allocated controls and procedures. Moreover, the broker-dealer with market access must promptly address any performance weaknesses, including termination of the allocation arrangement if warranted.
Paragraph (d)(2) of the Rule makes clear that any such allocation of control does not relieve the broker-dealer providing market access from any obligation under the Rule, including the overall responsibility to establish, document and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of market access. Thus, the broker-dealer providing market access remains ultimately responsible for the performance of any regulatory risk management control or supervisory procedure for which control is allocated to a broker-dealer customer.
F. Regular Review of Risk Management Controls and Supervisory Procedures
Paragraph (e) of the Rule requires a broker-dealer with or providing market access to establish, document, and maintain a system for regularly reviewing the effectiveness of its reasonably designed risk management controls and supervisory procedures and promptly addressing any issues. The broker-dealer, among other things, must review, no less frequently than annually, its business activity in connection with market access to assure the overall effectiveness of its risk management controls and supervisory procedures; conduct that review in accordance with written procedures; and document each such review. The broker-dealer also must preserve a copy of its written procedures, and documentation of each such review, as part of its books and records. In addition, the Chief Executive Officer (or equivalent officer) of the broker-dealer, on an annual basis, must certify that its risk management controls and supervisory procedures comply with the Rule and that the broker-dealer conducted the regular review.13 The broker-dealer must preserve the CEO certification as part of its books and records.
G. Exemptive Authority
Under Paragraph (f) of the Rule, the Commission, by order, may exempt any broker-dealer from the provisions of the Rule, either unconditionally or on specified terms and conditions, if the Commission determines that such exemption is necessary or appropriate in the public interest consistent with the protection of investors.
As the SEC notes in the Adopting Release, naked access is estimated to account for 38 percent of the daily volume for equities traded in the U.S. market. Therefore, the Rule's elimination of naked access arrangements–as well as its many requirements for other access arrangements–will have a substantial effect on how equities trading is accomplished. Indeed, broker-dealers will need to evaluate and revise as necessary many aspects of their direct market access and sponsored access arrangements, including the type of risk controls in place, who is providing the risk controls, the due diligence regarding the controls and the providers, the contractual arrangements with their customers, the policies and procedures governing the controls, and their CEO certifications. Moreover, such changes will need to take place quickly given the SEC's short compliance period for this new rule.
1 Risk Management Controls for Brokers or Dealers with Market Access, Exchange Act Release No. 61379, 75 Fed. Reg. 4007 (Jan. 10, 2010) ("Proposing Release"). See also SEC Proposes Broad Changes for Broker-Dealers with Direct Access to ATSs and Exchanges, WilmerHale Client Alert (Feb. 3, 2010), available at www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9392.
2 Risk Management Controls for Brokers or Dealers with Market Access, Exchange Act Release No. 63241 (Nov. 3, 2010) ("Adopting Release").
3 The definition of "market access" would encompass trading in all securities on an exchange or ATS, including equities, options, exchange-traded funds, debt securities, and security-based swaps.
4 Consistent with its understanding of current broker-dealer best practices, the Commission believes that, in many cases, particularly with respect to proprietary trading and more traditional agency brokerage activities, Rule 15c3-5 should be substantially satisfied by existing risk management controls and supervisory procedures already implemented by broker-dealers.
5 "Although a broad range of regulatory requirements may, to varying degrees, be connected to market access, the Commission would not expect broker-dealers, in response to the Rule, to formally reassess their compliance procedures with respect to rules such as those relating to trading in the over-the-counter market (other than on an ATS) or those relating to the delivery of customer account statements." Adopting Release, n. 93.
6 The Commission notes that the exception only applies to the extent a routing broker is providing services to an exchange or ATS for the purpose of fulfilling the compliance obligations of the exchange or ATS under Rule 611 of Regulation NMS, or a national market system plan for listed options. Routing services of an exchange or ATS routing broker that are not limited may include a more complex order routing process involving new decision-making by the routing broker that warrant imposition of the full range of market access risk controls. For example, the exception would not apply to a broker-dealer when it provides other routing services for the exchange or ATS, such as directed routing for exchange or ATS customers.
7 The Commission believes that a broker-dealer that sets a reasonable aggregate credit limit for each customer could satisfy Rule 15c3-5(c)(1)(i) if the broker-dealer imposes that credit limit by setting sub-limits applied at each exchange or ATS to which the broker-dealer provides access that, when added together, equal the aggregate credit limit.
8 The SEC noted that the broker-dealer providing market access also may wish to supplement the overall credit limit it places on the activity of its broker-dealer customers with assurances from those broker-dealer customers that they have implemented controls reasonably designed to assure that trading by their individual customers remains within appropriate pre-set credit thresholds.
9 "Regulatory requirements" are defined as discussed above.
10 The Commission expects that broker-dealers will establish appropriate safeguards to assure that customer trading information is kept confidential and available only to appropriate personnel for regulatory compliance purposes.
11 The Commission also notes that broker-dealers may be able to use market center-provided pre-trade risk controls as part of an overall plan to comply with the Rule. However, broker-dealers with market access should be responsible in the first instance for establishing and maintaining appropriate risk management controls under the Rule.
12 For example, such allocations of control may be made regarding obligations under the suitability and other "know your customer" rules, mechanisms for preventing the ultimate customer from trading securities such customer is restricted from trading, surveillance for manipulation or fraud in the ultimate customer's account (such as wash sales, marking the close, and insider trading), or the locate requirement of Rule 203(b)(1) of Regulation SHO.
13 The Commission notes that a broker-dealer could combine in the same document the CEO certifications required by the Rule with those required under FINRA Rule 3130 or other required certifications, so long as the substance of each of the required certifications is contained in the document.