The following publication has been lightly reedited for spelling, grammar, and style to provide better searchability and an improved reading experience. No substantive changes impacting the data, analysis, or conclusions have been made. A PDF of the originally published version is available here.
A number of recent technology-related snafus have focused attention on high-speed trading and affected investor confidence in the markets. These incidents and the resulting losses highlight the need for risk controls at every step of the trading process.
On Wednesday, August 1, 2012, a $440 million loss in 45 minutes brought market maker Knight Capital to the brink of bankruptcy. The loss was caused by a software malfunction that resulted in Knight sending a large number of orders to the New York Stock Exchange.1 For a time following the mishap, three of its online retail brokerage clients—TD Ameritrade, Scottrade, and E*Trade—stopped routing trades to Knight.2
In May 2012, just three months before the Knight Capital debacle, a technical error at NASDAQ delayed the start of trading for Facebook’s initial public offering (IPO) and prevented some investors from learning whether they had successfully purchased or sold shares. This prompted some of them to enter orders numerous times and led to uncertainty about their overall positions in the market. As a result of the error, the Swiss bank UBS is said to have suffered a loss of more than $350 million. Knight Capital reportedly lost $35.4 million in the Facebook incident as well.3
The nation’s third-largest stock exchange, BATS, withdrew its IPO in March of this year, following a software glitch that also caused a 9% decline in the price of Apple shares and paused the buying and selling of Apple for five minutes.4
The extent of these losses and the frequency with which these incidents are occurring in seemingly well-managed firms is focusing attention on the need for risk controls at every level of the trade life cycle, i.e., at trading firms, broker–dealers (BDs), futures commission merchants (FCMs), exchanges, and clearinghouses.
Industry and regulatory groups have articulated best practices related to risk controls, but many firms fail to implement all the recommendations or rely on other firms in the trade cycle to catch an out-of-control algorithm or erroneous trade. In part, this is because applying risk controls before the start of a trade can slow down an order, and high-speed trading firms are often under enormous pressure to route their orders to the exchange quickly so as to capture a trade at the desired price.
The competition for speed also affects BDs/FCMs. Some tout how quickly they can check customer orders before sending them to the exchange. The risk is that some BDs/FCMs may establish less stringent pre-trade risk controls to accelerate order submission. Other BDs/FCMs rely solely on the pre-trade risk checks at exchanges rather than implementing their own risk controls. The problem with this approach is that some exchanges’ risk controls might be structured in a way that does not stop erroneous orders before they are filled.
Once orders are matched in the matching engine, exchanges send drop copies (information on filled trades) to trading firms and clearing BDs/FCMs to help them manage their exposures. Some exchanges also provide information on orders that are still working in the market in their drop copies. Of critical importance in the management of risk is the time frame in which trading firms and BDs/FCMs receive these post-trade data. While some exchanges send drop copy in near real time (microseconds), others provide it within hours, or at the end of the trading day. Delays in receiving post-trade data hinder optimal risk management at trading firms and BDs/FCMs.
Another potential risk management issue relates to how some high-speed trading firms have equity ownership stakes in certain exchanges. An open question is whether these ownership stakes allow them to influence the structure of the exchanges’ systems to the advantage of high-speed trading firms but to the detriment of optimal risk management. An alternative possibility is whether these firms’ familiarity with the risks of high-speed trading causes them to influence the adoption of more stringent risk controls at the exchange level.
It is a given that technological advances are here to stay, that high-speed trading is increasing in most markets (see figure 1), and that reverting to traditional, open outcry trading is not an option. The question then is how to keep markets safe in a highly technological environment. Until about a decade ago, most exchange-traded instruments in the U.S. were traded in a physical, paper-based environment. Orders were called in by telephone, transcribed by humans and passed on to others for execution, confirmation, and settlement. During each step, a person would look at the order and, knowing where the market was trading, make a value judgment as to whether a clerical error might have been made. Certainly, errors still occurred, but ample opportunities existed to detect and correct them. High-speed trading requires a similar level of monitoring, but it needs to happen a lot faster—ideally, there should be automated risk controls at every step in the life cycle of a trade with human beings overseeing the process.
1. High-speed trading by asset class

Source: Aite Group, also featured in Financial Stability Oversight Council, 2012 Annual Report, available at www.treasury.gov/initiatives/fsoc/Documents/ 2012%20Annual%20Report.pdf.
To understand better the controls currently used by market participants, researchers at the Federal Reserve Bank of Chicago interviewed more than 30 technology vendors, clearing BDs/FCMs,5 representatives of proprietary trading firms, futures commission merchants, and exchange and clearinghouse professionals.6 In the remainder of this Chicago Fed Letter, I provide an overview of this research on the current risk-control landscape and identify potential improvements in risk-control practices.
In today’s environment, how are risks managed before a trade is executed? There are multiple points in the life cycle of a trade where orders may be checked against preset limits before they reach the exchange matching engine. These checks may occur at the trading firm, clearing BD/FCM, and/ or exchange.7
Risk controls at clearing BDs/FCMs
Clearing BDs/FCMs are financially responsible for their own trades and for the trades of their customers. Some of these customers send orders to an exchange using trading systems that the clearing BD/FCM provides or that are offered by a vendor the clearing BD/FCM approves. BDs/FCMs also build or buy trading platforms to route their own proprietary orders to exchanges. In order to control the amount of possible losses that may arise from its own trading activity as well as that of its customers, the clearing BD/FCM typically establishes risk limits on these trading systems. Some exchanges also provide functionality to clearing BDs/FCMs to set risk limits on the exchange server. This functionality may be mandatory or optional or may not be offered at all, depending on the exchange.
Other customers of clearing BDs/FCMs may send their orders directly to the exchange through trading systems they build themselves. Clearing BDs/FCMs manage the risks of customers that access the markets directly in one or more of the following ways:
- By remotely accessing the customer’s server(s) at the co-location facility and checking whether the customer has established risk limits on the server(s).
- By setting risk limits on the clearing BD/FCM’s server(s) at the co-location facility and requiring customers to connect to its server(s).
- By using functionality provided by the exchange that enables them to set risk limits on the exchange server.
- By relying on risk checks set by exchange staff on the exchange server.
Risk controls at trading firms that access the markets directly
Risk managers at trading firms that access the markets directly may set their own risk limits by:
- Establishing risk limits on their own trading servers; and/or
- Using functionality provided by the exchange(s) that enables them to set risk limits on the exchange server. Again, this functionality may be mandatory or optional or may not be offered at all, depending on the exchange.
Individual traders and/or trading groups at trading firms may set risk limits, under the levels established by the trading firm’s risk manager, on their client systems, or on the graphical user interfaces.
Over the past several years, reports have circulated that some BDs/FCMs may not have been properly controlling the risks associated with their customers’ direct access to the markets. In particular, concerns were raised that some BDs/FCMs were allowing these customers to send their orders to an exchange without establishing adequate pre-trade limits on their trading platforms, thereby exposing the BDs/FCMs to financial risk. To ensure that BDs/FCMs are appropriately managing the risks of customers that access the markets directly, the Securities and Exchange Commission (SEC) implemented Rule 15c3-5 in July 2011, which, among other things, requires BDs to maintain a system of controls and supervisory procedures reasonably designed to limit the financial exposures arising from customers that access the markets directly.8 The U.S. Commodity Futures Trading Commission (CFTC) also adopted rules in April 2012 to bolster risk management at the FCM level.9
Risk controls at exchanges
Exchanges, too, may establish pre-trade risk checks on their own servers. Automated systems compare all orders/quotes against these pre-established limits before they reach the matching engine. Exchanges that impose pre-trade risk checks increase latency—the time it takes to send an order to an exchange and receive an acknowledgment of the order from the exchange—equitably and uniformly for all market participants on that exchange. Nevertheless, the number of pre-trade risk checks individual exchanges employ and the time it takes to execute them vary by exchange.
Study findings
To summarize, when an order is originated, it may get checked against risk limits set at the trading firm, clearing BD/FCM, and exchange before it reaches the exchange matching engine. With the chance of an order passing though controls at so many levels, how can things go wrong? One possibility Chicago Fed researchers found is that most of the trading firms interviewed that build their own trading systems apply fewer pre-trade checks to some trading strategies than others. Trading firms explained that they do this in order to reduce latency.
Another area of concern is that some firms do not have stringent processes for the development, testing, and deployment of code used in their trading algorithms. For example, a few trading firms interviewed said they deploy new trading strategies quickly by tweaking old code and placing it into production in a matter of minutes. In fact, one firm interviewed had two incidents of out-of-control algorithms. To address the first occurrence, the firm added additional pre-trade risk checks. The second out-of-control algorithm was caused by a software bug that was introduced as a result of someone fixing the error code that caused the first situation.
The study also found that erroneous orders may not be stopped by some clearing BDs/FCMs because they are relying solely on risk controls set by the exchange. As noted earlier, however, risk controls at the exchange may be structured in such a way that they do not stop all erroneous orders.
Chicago Fed staff also found that out-of-control algorithms were more common than anticipated prior to the study and that there were no clear patterns as to their cause. Two of the four clearing BDs/FCMs, two-thirds of proprietary trading firms, and every exchange interviewed had experienced one or more errant algorithms. The frequency with which they occur varies by exchange. One exchange said it could detect an out-of-control algorithm if it had a significant price impact, but not if an algorithm slowly added up positions over time, although exchange staff had heard of such occurrences.
The study also revealed that there may be times when no single entity in the trade life cycle—trading firm, clearing BD/FCM, exchange, or clearinghouse—has a complete picture of a firm’s exposures across markets. For example, some trading firms and BDs/FCMs are unable to calculate their enterprise-wide portfolio risk. Trading firms and BDs/ FCMs need to aggregate trade information from multiple exchanges in a central repository and calculate their overall exposures in the markets in a timely manner. However, the speed at which this calculation can be made depends on how quickly trading firms and BDs/ FCMs receive drop copy information from exchanges. Some trading firms also use multiple BDs/FCMs to clear trades, which results in no single BD/FCM being able to see the trading firms’ exposures across markets. Many trading firms also trade at multiple exchanges, and trades are settled at multiple clearinghouses. This prevents any single exchange or clearinghouse from seeing the total positions amassed by the firm.
Interestingly, market participants at every level of the trade life cycle reported they are looking to regulators to establish best practices in risk management and to monitor compliance with those practices.
Mitigating risks
What are some controls that might have helped to mitigate the recent losses related to high-speed trading? In the case of Knight Capital, the following are some examples of controls at the trading firm and clearing BD level that might have aided in containing the financial loss:
- Limits on the number of orders that can be sent to an exchange within a specified period of time;
- A “kill switch” that could stop trading at one or more levels;
- Intraday position limits that set the maximum position a firm can take during one day;
- Profit-and-loss limits that restrict the dollar value that can be lost.
In addition, trading firms should have access controls defining who can develop, test, modify, and place an algorithm into production, as well as quality assurance procedures for the code and development processes. Clearing BDs/FCMs should periodically audit these access controls and quality assurance procedures.
The BATS and Facebook IPOs would also likely have benefited from more stringent development and testing controls at the exchange level. The manner in which exchange policies were invoked during the two IPOs and in the Knight Capital incident also added to uncertainty in the marketplace. Specifically, market participants need to know whether their trades are being adjusted or busted (invalidated) in the shortest possible time.
These are only a few of the practices that could potentially help to control erroneous trades in a high-speed trading environment. Each level of the trade life cycle should also have a risk manager who can respond quickly if exposures exceed pre-set limits. More generally, regulators should work with the industry to define best practices and to audit firms’ compliance with them. At the very minimum, it is critically important that each firm involved in the life cycle of a high-speed trade has its own risk controls and does not rely solely on another firm in the cycle to manage its risk. To that end, the Financial Stability Oversight Council (FSOC), a council of regulators established under the Dodd–Frank Act, recommended in July 2012 that the SEC and the CFTC consider establishing error control and standards for exchanges, clearinghouses, and other market participants that are relevant to high-speed trading.10
Notes
1 See http://dealbook.nytimes.com/2012/08/02/knight-capital-says-trading-mishap-cost-it-440-million/; and http://dealbook.nytimes.com/2012/08/02/trying-to-be-nimble-knight-capital-stumbles.
2 See www.advancedtrading.com/managingthedesk/240004887.
3 See http://newsandinsight.thomsonreuters.com/Securities/News/2012/08_-_August/Citadel_urges_SEC_to_approve_Nasdaq_s_Facebook_compensation_plan/.
4 See www.bloomberg.com/news/2012-03-25/bats-ceo-scuttled-ipo-on-potential-for-erratic-trading.html.
5 Clearing BDs/FCMs are members of an exchange clearinghouse, where trades are settled.
6 For detailed findings of the study, see www.chicagofed.org/webpages/publications/publications_listing.cfm?filter_series=16.
7 A visual representation of the trade life cycle and risk controls is available at http://chicagofed.org//digital_assets/others/ markets/trading_infrastructure_graphic.pdf.
8 See www.sec.gov/rules/final/2010/34-63241.pdf.
9 See www.cftc.gov/ucm/groups/public/@lrfederalregister/documents/file/ 2012-7477a.pdf.
10 See www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20 Report%20Recommendations.pdf.