Sources from the industry have confirmed to FortuneZ that some brokers have been urged by the CySEC to undertake technology audits. Stemming from the introduction of the MiFID II regulatory framework, the issue is an obstacle to some companies as the criteria for reviews are not clear.
The move is also resulting in a reinforcement of a trend to outsource technology instead of developing software solutions internally. Smaller and low-mid-sized brokers are the main companies that are suffering from these MiFID II requirements.
Third Party Audits
Since the CySEC and broader European regulators typically lack the necessary expertise to audit software, the audits of technology are conducted by third parties.
The additional burden has been confirmed by a source with intimate knowledge of the industry: “The CySEC doesn’t know how to review our technology and there are no standards for firms to follow.”
“The vague definitions a broker with generic MT4 and a bridge is getting less scrutiny than those with their own tech built to handle things like latency and risk management automatically,” the source elaborated.
Strict Definitions and Standards Missing
Definitions used by EU bureaucrats have been too general for firms to be able to affirm with certainty that their technology is on par. The CySEC is merely definitions are mandated from the supranational EU regulator.
Cybersecurity and IT standards have been in place for quite some time, and some companies have taken the steps to get audited and receive ISO certification.
This process, however, has proven to be lengthy and might not be cost-effective for every brokerage size.
Some rather big companies from the trading industry have been increasingly more interested in obtaining ISO certificates. Major companies in the industry have announced recent certification with the international standardization organization.
Connectivity provider PrimeXM has ISO/IEC certifications 27001 and 27002. Spotware Systems have been actively engaged in the space too, and have been supporting ISO 27001 since 2012. The brokerage company ActivTrades sought the same standard, which certifies that the company is adhering to the best practices for an ISMS (information security management system).
To date, brokers are not required or mandated to adhere to ISO standards. Having such a document, however, can be key in securing institutional business. In the meantime, smaller firms are finding it hard to address the process of certification due to the vague guidance issued by European regulators.