Lessons learned

A succession of failures at the Tokyo Stock Exchange has put exchange trading systems under the spotlight and has in turn prompted traders and brokers to look closely at their own internal controls


Aspate of incidents at the Tokyo Stock Exchange (TSE) in the past four months has highlighted fundamental flaws in its trading system - flaws that have sparked regulatory ire, fury among traders and the resignations of three top exchange officials (see box). The events have also emphasised how easily trading errors can occur and shown that operational failures can have a knock-on effect on market prices and lead to significant losses for trading and brokerage firms. More importantly, whereas the automatic reaction from rival exchanges and financial institutions might once have been 'it can't happen here', firms are now more willing to analyse events such as those at the TSE and ensure they are not similarly vulnerable.

"The TSE had experienced flat volumes for 10 years, so did not invest for a period in the future when it would experience greater trading volume and volatility," says Penny Cagan, managing director and head of research at Algo OpVantage, the operational risk management division of Toronto-based risk management systems supplier Algorithmics. Nor did the exchange have a chief technology officer - a serious omission for an organisation so technology-dependent, although it has now remedied that state of affairs (see box). And it did not appear to undertake stress testing. "An exchange like Tokyo is similar to a bank trading floor," says Cagan. "It should have done tests to see whether it could handle large spikes in trading."

Yet such system glitches are not confined to Japan. In August last year, Euronext.liffe was forced to suspend trading in commodities because of a systems outage, while the Chicago Mercantile Exchange's Globex platform had a technical hitch in June that halted trading in foreign exchange products.

The technology underlying modern exchanges is highly complex, so problems are, to some extent, inevitable. Nevertheless, some exchanges are better than others at managing their technology risk. Execution capacity is a case in point. The New York Stock Exchange, for example, operates on a principle of having 10 times the capacity of average daily trading - now 6 million trades a day, up from 1 million in 2000. And the London Stock Exchange (LSE) increased its capacity by 80% last October in response to the growth in algorithmic trading - it says around 40% of trades are now algorithmic. Algorithmic trading is trading in which buy or sell orders of a defined quantity are determined by a quantitative model that automatically generates the timing of orders and the size of orders based on goals specified by the parameters and constraints of the algorithm.

Capacity issues, technology glitches and trader errors that disrupt the market mean banks and brokers face risks when trading on exchanges. "Exchange risk is something we watch very carefully," says Jonathan Howitt, operational risk manager at London-based alternative investment manager and futures broker Man Group. "Every exchange is different, and the risks differ with each location, technology and so on." Howitt would not discuss how his company manages exchange risk, but one way is to build checks and controls into the trading process, and to make use of limits and monitoring functions now available in most major trading systems. These functions allow companies to specify limits and thresholds on the number of shares per trade, the value of a trade or the total value of trades per day an individual or trading team can undertake. Alternatively, the system can check the price of a trade against a benchmark, such as the previous day's closing price, before allowing the trade through.

Fidessa, a trading, market data and global connectivity system from London-based RoyalBlue, is widely used in the global securities markets, with Mizuho Securities among its users. The system offers a host of controls, says Simon Barnby, director of Fidessa strategy at RoyalBlue. "If a trader gets close to a limit set in the system, a warning appears, and if they exceed the limit, the system registers an error and it stops the action being completed."

However, the controls are optional tools provided by the system and are not preset. When a company installs Fidessa, it can set the controls as it configures the system to its trading processes and compliance rules, specifying who has permission to override warnings and who is to be notified of warnings and errors. "Fidessa is a toolkit - how firms choose to use the tools, and the controls and limits they put in, is up to them," says Barnby.

Paris-based GL Trade Group, whose GL Stream is widely used in the securities markets, also offers several controls in its system. On the trader workstation component of its system, users can set alerts for orders based on minimum or maximum quantities and/or prices. A breach of a threshold triggers a pop-up window, where the trader must validate or correct the numbers. The system can also be set so that it requires a second mouse click to confirm orders. At the server level, a company can configure automated pre-trade risk management monitoring by volume, price or other criteria, including risk models. In addition, a supervision function allows the heads of trading desks to monitor all the order book activities of their pool of traders and intervene when necessary; an especially useful tool for new and inexperienced traders, says Christine Rolland, head of marketing at GL Trade.

Striking a balance

Setting such controls should be part of any basic operational risk management practice, says Algo OpVantage's Cagan. The rules governing who can trade what, when and how should be clear and built into the trading process. But the rules must be adhered to. If the controls and thresholds are not set carefully, they can lead to excessive warnings that traders will tend to ignore. The trader at Daiwa who sold the wrong stock overrode a warning issued by the firm's trading system because he was used to overriding such messages. "This is a classic operational risk mistake," says Cagan.

However, it is also possible to be too rigid when establishing controls, thereby constraining traders. An illiquid stock with a wide spread, or an equity trading in unusual market conditions can cause alarm bells to ring, but can offer significant opportunities for profits. For these reasons, a company may want to set thresholds so that its traders are alerted when they are doing something that breaches a specific condition, but gives them the option to override the controls under certain circumstances. "You have to be pragmatic," says Barnby. "You can't put so many controls and blocks in place that it slows the business down and stops people from being effective. It's always a balance between putting enough protection in place, but allowing traders the freedom to move quickly to take advantage of market conditions and make money."

Systems such as Fidessa and GL Stream can also help companies manage the risks of trading on exchanges. By enabling users to mirror an exchange's trading rules, the systems can pre-empt trades failing when they are sent to the exchange.

Exchanges have market rules that cannot necessarily be programmed into a trading system, but an awareness of such rules must be built into a company's trading procedures and risk management. The LSE, for example, has a rule to prevent distortions of the market, which says any trade that shifts a share price by 5% or more will be automatically suspended for a certain time period. The company that sent the trade has an opportunity to review the order, and if it stands by the price, the order goes into an auction. "Other exchanges don't have any such protections in place, so if an instruction gets to the exchange they carry it out no matter what it is," says Barnby.

The sophistication of the business logic and rules inherent in some of these platforms is one of the reasons emerging markets often look to established exchanges for their technology. The Johannesburg Stock Exchange (JSE), for instance, uses the LSE system (on an application services provision basis, whereby the LSE hosts the system in London for the JSE). Among the key reasons cited for its choice is the reliability of the LSE platform, and the ease with which its capacity can be scaled up to cope with growing volumes. Furthermore, the JSE is able to use the LSE platform infrastructure to implement its own rules and controls.

The TSE has in some ways been unlucky that a series of unrelated operational errors within four months comprehensively exposed the weaknesses in its trading platform. The Mizuho, Daiwa and Livedoor incidents turned the spotlight on the exchange's lack of capacity and inadequate rules and functionality - which it has admitted were the result of a lack of leadership and investment. But where trading companies might once have simply dismissed the events as someone else's problems, they are now more willing to analyse failures at rival firms and assess their own vulnerability to similar events.

"In the days of incidents like Barings (the UK investment bank that collapsed because of the losses of a rogue trader), there tended to be a knee-jerk reaction, with people saying, 'oh, that was down to poor controls, and it couldn't happen to us'," says Cagan. "Now the response is more likely to be, 'Let's look at the event and why it happened and make sure it can't happen to us'."

Investment banks and brokers often run their own trading platforms and so face many of the same issues as exchanges. Cagan says: "A bank is now more likely to say, 'OK, so we are not an exchange in Tokyo, but if that series of events happened to us, what would the consequences be and what would have been the losses? What controls do we have in place to try to avoid the events?'"

This post-mortem approach to industry loss events is becoming increasingly important for operational risk management. Banks are realising that 'external loss' events - if there is sufficient detail on how they unfolded - can offer useful pointers as to where they might have vulnerabilities, where they should review controls and processes, the scale of losses they might experience, the full extent of consequences that might follow, and how they can expect regulators to respond.

The First external loss event database from OpVantage not only provides the details of losses - amounts, regulatory actions and so on - but also tells the story of the event, analysing it in terms of the controls and other breakdowns that led to the event, the management's response and the lessons learned. Howitt at Man Group, which uses the First database, says: "The storyline style of writing up losses means that although people (at other companies reading about the event) don't see themselves exactly in the situation of another company, they may be able to see elements they recognise - areas where there are potential problems they need to be aware of."


Problems began for the Tokyo Stock Exchange (TSE) in November last year, when it was forced to suspend trading for more than four hours because of a problem with price information distribution following a systems upgrade - it was the TSE's worst-ever crash.

That was followed in December, when a trader at Japan's Mizuho Securities mistakenly placed an order to sell 610,000 shares in newly listed recruitment company J-Com at Yen1 ($0.008) each, rather than one share at Yen610,000. Despite several attempts by Mizuho to cancel the order, a fault with the TSE's system meant the trade went through, leaving the firm with hundreds of millions of dollars in losses.

Then, in January, a trader at Daiwa Securities confused the names of two companies listed on the TSE and entered a sell order for 25,000 shares in the wrong firm - Sumitomo Mitsui Financial Group, rather than Mitsui Sumitomo Insurance. The price plunged and investors snapped up 13,000 shares before Daiwa could issue a buyback order. That was quickly followed by another mistaken order - this time, by a trader at Nikko Citigroup. The culprit placed a buy order on the TSE for 2,000 shares in Nippon Paper instead of two.

To cap it all, TSE was forced to close 20 minutes early on January 18 to prevent a meltdown of its system, as trading volumes shot up on news that listed internet company Livedoor, a favourite of retail investors, was in trouble with regulators. To prevent further problems, the exchange delayed the opening of subsequent afternoon sessions by 30 minutes.

The causes of these incidents differ, and can be traced to failures in technology, design, management supervision and human error, or a combination of these. TSE said the system crash in November was because its developer, Fujitsu, failed to issue certain instructions to its subsidiary, Tosho Computer Systems, when it undertook the systems upgrade.

While the Mizuho order was down to a human error not being picked up by the firm's own internal controls, the TSE's system failed to cancel the trade because of a malfunction in the mechanism used to cancel orders already deemed to be processed - something the exchange says was because the developers failed to take this type of situation into account when designing the system.

Daiwa admitted its internal controls had picked up the suspect Sumitomo Mitsui trade - orders of more than 1,000 units trigger an alert in the company's trading system - but the trader had overridden the warning. The order had arrived at Daiwa shortly before market opening and the trader was in a hurry to place it in the market. The incident cost the company almost Yen500 million.

The Nikko Citigroup event was the result of a trader misreading a price, but could just as easily have resulted from a classic 'fat finger' error, where a trader presses a key too many times when inputting a trade. Either way, the company lost around Yen1 billion.

In the case of the Livedoor incident, TSE was simply unprepared for the surge in trading volumes after Japanese authorities revealed they were investigating fraud allegations at the internet start-up. At the time, the exchange had an execution capacity of 4 million trades a day - a level that was breached in the wake of the Livedoor revelations.

TSE subsequently rushed through an upgrade that expanded its execution capacity to 4.5 million trades a day. It also announced the appointment of a chief technology officer, Yoshinori Suzuki, and said it would spend Yen3.2 billion on a system to boost order-handling to 12 million trades a day. But the damage to its reputation had already been done.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here