FCA Multi-Firm Review of Algorithmic Trading Controls: What is says, why it matters, and what firms should do now

Introduction

On 21 August 2025, the Financial Conduct Authority (FCA) published the results of its Multi-Firm Review of Algorithmic Trading Controls, setting out observations on how principal trading firms (PTFs) are complying with the UK’s regulatory framework for algorithmic trading. Although the FCA emphasised that this publication does not introduce new rules, the review sends a strong supervisory message: firms should expect continued scrutiny of their algorithmic trading frameworks and must be ready to demonstrate that they meet the standards in MiFID II RTS 6 (onshored in the UK) and related FCA Handbook provisions, notably MAR 7A.

The review builds on the FCA’s earlier 2018 work in this area and forms part of its ongoing supervisory strategy for PTFs. It reflects the regulator’s concerns that weaknesses in algorithmic trading systems could pose significant risks to market integrity, investor protection, and operational resilience - particularly in light of rapid technological innovation and the increasing adoption of artificial intelligence techniques within trading strategies.

Who should be aware of this?

• PTFs and other firms that develop and/or use algorithmic trading strategies (including users of third-party/vendor algos).  
• Senior Managers with Senior Managers and Certification Regime accountability for trading, risk, technology, and compliance, given the FCA’s portfolio letter framing and emphasis on board-level oversight. 

The Regulatory framework

Firms engaging in algorithmic trading are subject to detailed requirements under the UK onshored version of RTS 6, originally Commission Delegated Regulation (EU) 2017/589. RTS 6 requires firms to establish robust governance arrangements, testing and deployment protocols, risk controls, and ongoing monitoring.

Key provisions include:

• Annual self-assessments and validation of compliance (Article 9), which must be reviewed by senior management;
• Conformance testing of algorithms with trading venues and brokers providing direct electronic access (DEA) (Article 6);
• Simulation and stress testing of algorithms under extreme but plausible market conditions (Article 10); and
• The requirement to maintain an effective kill switch to withdraw unexecuted orders immediately (Article 12).

These obligations are supplemented by the FCA’s MAR 7A Handbook rules, which set conduct standards for algorithmic trading, DEA, and market-making, including surveillance expectations aligned with the UK’s Market Abuse Regulation.

What the FCA looked at - and found

Governance and oversight

The FCA found that governance arrangements had generally improved since its 2018 review, but quality remained uneven. Some firms had comprehensive, up-to-date self-assessments and validations covering all RTS 6 areas, while others relied on outdated documents or assessments that failed to cover crucial areas such as IT outsourcing and staff training. The regulator highlighted as good practice the use of external audit or independent reviews to validate self-assessments.

A recurring theme was the limited technical understanding within some compliance teams. In stronger firms, compliance officers were able to explain the basic design and operation of algorithms and provide meaningful challenge during development and deployment. In weaker firms, compliance involvement was superficial, reducing their ability to hold the business to account.

The FCA also emphasised the importance of maintaining a comprehensive algorithm inventory. Leading firms had inventories that went beyond a simple list of algorithms, incorporating details such as objectives, owners, operators, venues, and risk parameters. Some even integrated inventories into management information dashboards. Others, however, maintained sparse or incomplete records that failed to identify responsible operators or update changes promptly.

Development and testing

On development and testing, the FCA found that conformance testing was generally undertaken, but the formality and rigour of procedures varied by venue. Good practice involved clearly defined triggers for testing, documentation of results, and going beyond the minimum venue requirements. In weaker firms, procedures were poorly defined, inconsistently applied, or not fully documented.

Simulation and stress testing were common but varied in nature. Firms that performed best used robust, frequently refreshed stress scenarios (including scenarios based on recent episodes of market volatility) and integrated them into deployment decision-making. Others applied narrower stress parameters or lacked documentation on how scenarios were selected.

The FCA also looked at deployment and material change processes. Most firms operated formal sign-off procedures and cautious rollouts of new algorithms, often using pilot trades before full deployment. However, in some firms, governance was undermined by out-of-date policies, unclear ownership of processes, or insufficient escalation of new market entries to senior management.

Risk Controls

The review confirmed that most firms had implemented pre-trade risk controls, typically calibrated by asset class or strategy. In some cases, firms implemented controls at the server gateway level so that orders could not leave internal systems if thresholds were breached - a practice the FCA viewed positively. However, responsibility for risk controls was not always clearly documented, and compliance oversight was sometimes limited.

Market Abuse Surveillance

Perhaps the most striking divergence across firms was in the area of market abuse surveillance. Some firms invested in customised surveillance systems, grounded in a well-defined Market Abuse Risk Assessment (MARA). These firms regularly reviewed their MARA, calibrated alert logic to trading activity, and employed strong escalation and quality assurance processes, such as random sampling of closed alerts.

Others fell short, operating generic or under-resourced systems that did not keep pace with business growth. The FCA noted that in several firms, only a handful of staff were tasked with processing very large volumes of alerts, raising concerns about effectiveness and sustainability.

Why this matters

The FCA’s findings are significant for three reasons. First, they underscore that algorithmic trading remains a supervisory priority. Although the review does not impose new rules, the FCA has already required individual firms to provide attestations confirming remedial action, and it is clear that supervisory follow-up will continue.

Second, the review highlights the FCA’s expectation that boards and senior managers take ownership of algo governance. Under  SMCR, responsibility for algo oversight typically sits with the Senior Manager Function  responsible for trading or operations, but accountability extends to the board collectively.

Finally, the review ties into broader FCA themes: operational resilience, technological innovation (including AI), and market abuse detection.  Failures in algo controls are not only regulatory breaches - they can quickly become resilience and reputational issues.

What firms should do now

The FCA has been clear: while it is not creating new obligations, it expects firms to act on the lessons from this review. In our view, firms should consider a structured response over a defined period (such as the next 90 days).

In the immediate term, firms should present this FCA publication, together with their latest RTS 6 self-assessment, to the board or relevant risk committee. Boards should be asked to confirm whether the firm’s controls are up to standard and, where there is room for improvement, to agree on an action plan. Particular attention should be paid to whether self-assessments are up-to-date, whether they cover all areas of RTS 6 (including training and outsourcing), and whether validation has been independently reviewed.

Over the next two months, firms should take a deeper look at their development and testing frameworks. Conformance testing procedures should be documented, repeatable, and capable of withstanding supervisory challenge.  Simulation and stress testing should be checked to ensure that they include recent episodes of market disruption as well as theoretical scenarios, and firms should ensure that deployment processes are supported by clear governance, ownership, and escalation paths.

By the end of a 90-day cycle, firms should look beyond technical compliance to embedding good practice. This includes running and documenting kill-switch drills, ensuring surveillance systems are properly resourced and quality-assured, and investing in compliance training to build sufficient technical understanding. Contracts with third-party algo providers should be reviewed to confirm that firms have sufficient insight into the design and testing of the algorithms they deploy, and sufficient rights to test and challenge them.

Our View

The FCA’s August 2025 review is best understood not as a rule-change moment or a checklist, but as a benchmark of supervisory expectations. The regulator has already acted on the findings with attestations, and further supervisory engagement is inevitable. For firms engaged in algorithmic trading (whether developing their own strategies or deploying third-party tools) the message is clear: be ready to demonstrate robust controls, up-to-date documentation, and active governance from the board down.

Firms should not treat this as a compliance exercise for their risk or compliance functions alone. Senior managers and boards should take ownership, ensure their RTS 6 self-assessments are comprehensive and validated, and prioritise investment in surveillance, stress testing, and compliance expertise. In doing so, firms will not only reduce regulatory risk but also strengthen their operational resilience and protect market integrity.