The Gateway to Algorithmic and Automated Trading

The difficulty of identifying multi-broker spoofing

Published in Automated Trader Magazine Issue 42 Q1 2017

Trading through multiple brokers has been used by spoofers to help avoid detection. New regulations for cash equity markets in the EU and US are designed to curtail the practice.

Michael Friedman


Michael Friedman is General Counsel and Chief Compliance Officer at Trillium, a proprietary trading and technology firm based in New York. Michael is also the lead designer of Trillium's trade surveillance platform Surveyor. Prior to joining Trillium, he was a securities litigation partner at a large multinational law firm.

Two New Jersey day traders were charged with spoofing and layering in parallel civil and criminal actions brought in federal court in Newark in December. The complaints identify three sample trading patterns. The symbols traded are not named, but enough detail is provided to enable us to back out what the symbols were. Figures 01-03 show what the patterns look like.

Figure 01: Kite Pharma Inc ($KITE), 08 January 2015

Figure 01: Kite Pharma Inc ($KITE), 08 January 2015

Figure 02: Esperion Therapeutics Inc ($ESPR), 18 June 2015

Figure 02: Esperion Therapeutics Inc ($ESPR), 18 June 2015

Figure 03: Natural Gas Services Group Inc ($NGS), 25 September 2015

Figure 03: Natural Gas Services Group Inc ($NGS), 25 September 2015

The basic pattern is nothing new: The traders entered multiple visible orders on one side of the market that pushed market prices towards orders waiting on the opposite side which in turn were filled at improved prices. Classic spoofing and layering.
What is new is that the traders used 35 different accounts at six different (unnamed) brokerage firms to attempt to conceal a pattern that would have been obvious had it all been sent through one broker. Almost all brokers today have systems in place to detect patterns like this when the entire pattern occurs under their roof. Those systems have enabled brokers to identify and terminate problematic accounts. The response of some illicit traders has been to slice their tell-tale patterns into multiple pieces and then send each piece through a different broker. In this scenario, none of the brokers used sees enough of the pattern to be able to identify it as suspicious.

How then can multi-broker spoofing be detected?

For US equities, the long term solution is the Consolidated Audit Trail (CAT). CAT will enable a central processor to see all order messages across all brokers and venues, identified with customer ID tags. With that rich data set, it will be relatively easy to paste the pieces of a scheme like this back together and see the entire pattern as if it were sent through one broker. But most brokers will not be reporting data to CAT until late 2019, and even then CAT will only cover US equities and equity options. Until CAT is ready, and in other jurisdictions and asset classes, multi-broker spoofing can only be detected from the other end of the broker-to-exchange pipes.

In monopoly product asset classes like futures - and equities in certain unfragmented jurisdictions - this process is easy. The exchange sees the full universe of order messages and can effectively identify spoofing patterns even if their component parts originate at different brokers.

But in fragmented markets, each venue only sees a fraction of the orders quoted in a symbol. To find multi-broker spoofing in these markets, the venues must cooperate to reassemble their collective order flow into a cohesive and reviewable whole.
For US equities, until CAT is ready, this task is performed by the Financial Industry Regulatory Authority (FINRA), which is paid by the exchanges to surveil their order data. FINRA's process is imperfect because the order messages it receives from the exchanges do not contain customer ID tags. As a result, FINRA cannot tell whether a batch of orders from a large broker came from one account or from many unrelated accounts without making a manual follow-up request for customer-ID-tagged data from the broker.

FINRA has recently worked to streamline that process through its Cross-Market Report Cards program, through which FINRA alerts brokers that they may have received a piece of a sliced-up spoofing pattern. FINRA has also asked brokers to look for instances where a customer receives a favorable print at the end of a temporary price move (the large buys or large sells in the samples above) without having first seen a collection of opposite side bids or offers from the same customer leading up to that print. (The check is also implemented in proprietary trade surveillance platforms. For example, Trillium's Surveyor platform has a feature called 'Away Account Spoofing'.)

For Canadian equities, each venue forwards its order message data to the Investment Industry Regulatory Organization of Canada (IIROC) for centralized surveillance. Canadian order messages already contain customer ID tags, so IIROC's process is more like the future CAT process than the current FINRA process.

For European equities, the recently enacted Market Abuse Regulation requires brokers to look for multi-venue spoofing (EU Reg 2016/522, Annex II, 2(d)), but it does not solve the riddle of multi-broker spoofing. If a trader uses Broker A to place some bids on Euronext and Broker B to place more bids on BATS, and then sells at the resulting artificially-increased price using Broker C on Turquoise, none of Euronext, BATS, or Turquoise will have adequate data to detect this scheme, nor will any of Brokers A, B or C.

MiFID 2, specifically ESMA RTS 24, requires each trading venue to store all relevant order data (which is the large depth-of-book quote feed, not merely the executed trades required under transaction reporting rules). But it falls on each sovereign member state to design and implement a way to weave these data sets back into a complete picture that can be effectively surveilled. In France, the recently announced "ICY" platform by the Autorité des Marchés Financiers appears to be what will collect and surveil the required RTS 24 data, although details are sketchy at the time of writing. Presumably, other state regulators will follow suit.