Key findings

Governance and oversight

Self-assessment and validation have improved, especially at larger firms since the last review in 2018; some engaged external authorisers to review their self-assessments, which resulted in action-tracked recommendations. However, quality varied widely and some firms omitted RTS 6 elements such as IT outsourcing and compliance training. Policies were sometimes out of date or not properly linked to the assessment.

The role of compliance is uneven. Stronger firms demonstrated technical knowledge in challenging compliance issues and ran RTS-6-mapped monitoring plans; weaker ones showed limited technical knowledge and less involvement in key processes.

Algorithm inventories were found to be generally comprehensive, capturing objectives, owners, venues, and risk parameters. However, in some cases the algorithmic inventory did not list approved operators of the algorithm.

It was found that algorithm deployment and material change governance were usually formalised. Good practice included multi-disciplinary approvals, elevated scrutiny for first-time markets, timely communications, continuous training on material-change policies, and in some cases senior management function (SMF) approval for all changes. Poor practice included unclear ownership and out-of-date procedures for testing and deploying algorithms.

In certain cases, firms that had used third-party algorithms found that internal users did not have a good technical understanding of how the algorithms were actually developed.

Development, conformance, and simulation testing

Most firms complied with Article 6 of RTS 6 and completed the required conformance testing, and some exceeded venue minimum requirements with clearly defined triggers; others had ill-defined procedures and weak record-keeping.

Simulation and stress testing approaches varied. Better programmes combined theoretical scenarios and historical stress periods and considered conduct risks pre-deployment; weaker ones lacked breadth and documentation, or relied solely on vendor testing for third-party algorithms. The FCA encourages cross-asset testing where relevant.

Controlled deployment typically used slow phased go-lives with small pilot trades. However, documentary gaps arose where deployment ownership and procedures were unclear.

Trade risk controls

All firms maintained pre-trade controls; strong programmes calibrated limits by algorithm type and asset class and implemented internal stops at internal server/gateways so orders cannot leave if a control is breached. Weaknesses included uncertain ownership and limited compliance oversight.

Market abuse surveillance

Many firms used custom, in-house surveillance aligned to a market abuse risk assessment (MARA), with regular calibration discussions at committees, clear escalation, and even random sampling of closed alerts.

Areas to improve included under-investment in surveillance systems, lack of formal procedures, slow alert handling, and resourcing pressure on small teams.

What should firms be thinking about now?

1. Firms should review their RTS self-assessment and governance procedures: Firms should ensure the assessment covers every RTS 6 element, including outsourcing and training, is linked to live policy repositories, and has clear remediation owners and timelines. Consider external validation to harden challenge and produce action-tracked findings.
2. Clarify ownership and SMF touchpoints across the algorithm lifecycle: Firms should map and evidence who owns deployment decisions, who can operate specific algorithms, and which SMF approvals are triggered by material and non-material changes. Ensure teams are trained to detect false negatives, particularly where changes may have been misclassified.
3. Codify conformance testing and improve records: Define when conformance testing is required, what scenarios must be covered, and how results are recorded. Where firms rely on vendor testing, they should document their own procedures.
4. Broaden simulation and stress testing: Include recent stress periods and theoretical tests, test for intended behaviour and random trading risks, and document conduct risk considerations before deployment. Where relevant, use cross-asset testing.
5. Tighten trade control governance: Calibrate by strategy and asset class, enforce at the internal gateway, and ensure compliance visibility over thresholds, overrides, and breaches. Review control suites and documentation on a rolling cycle.
6. Strengthen market abuse surveillance: Align systems to MARA, document alert and logic calibration, formalise investigation and escalation playbooks, and institute quality sampling of closures.
7. Be deliberate about third-party algorithms: Where firms deploy vendor algorithms, maintain a technical understanding of design, testing, and controls rather than relying solely on the vendor, and integrate them into the firms’ inventory, testing, and surveillance frameworks.

What happens next?

The FCA will continue to assess firms’ algorithmic trading controls as part of its supervisory role and has already used attestation to ensure progress. Firms should close any gaps against the FCA’s observed good practices and maintain board-level visibility over remediation efforts.

Client Alert 2025 -232