MiFID2/MiFIR: What, when, who and how? Direct electronic access

This article sets out a summary of the obligations relating to trading venues and investment firms which provide direct electronic access under MiFID2.

Download PDF version

What does MiFID currently do?

Are these provisions currently in MiFID?


What are the key differences between the current regime and MiFID2?

MiFID2 introduces a new regulatory regime for firms which provide direct electronic access (DEA) to trading venues. Firms providing DEA must notify their competent authorities as well as the competent authorities of the trading venues to which they provide DEA. Firms offering DEA services are fully responsible for compliance of their clients with the requirements of MiFID2 and the rules of the trading venue. Written agreements will have to be in place between the firm providing DEA and its client which meet the applicable requirements of MiFID2. Firms are required to carry out a thorough due diligence in relation to their clients and will also have to constantly monitor their activities.

In addition to the general requirements under MiFID2, regulated markets permitting DEA will have to have in place effective systems, procedures and arrangements to ensure that only duly authorised firms may provide DEA and that such firms meet applicable suitability criteria. Such regulated markets will also have to ensure that responsibility for orders and trades executed via DEA remain with the provider of the DEA services used to execute those orders and trades. In addition, they will need to have in place arrangements which enable the suspension or termination of DEA services provided by a firm in the case of non-compliance by that firm.

What is MiFID2 going to do?

What does Level 1 say?

Directive 2014/65/EU Art 4(1)(41); Art 17(5); Art 48(7)

“direct electronic access” (DEA) means an arrangement where a member or participant or client of a trading venue permits a person to use its trading code so the person can electronically transmit orders relating to a financial instrument directly to the trading venue and includes arrangements which involve the use by a person of the infrastructure of the member or participant or client, or any connecting system provided by the member or participant or client, to transmit the orders (direct market access) and arrangements where such an infrastructure is not used by a person (sponsored access).

The new regime requires a firm which provides DEA:

  • to have in place effective systems and controls which ensure: 
    • proper assessment and review of the suitability of clients using the service
    • that clients using the service are prevented from exceeding appropriate pre-set trading and credit thresholds
    • that trading by clients using the service is properly monitored, and
    • that appropriate risk controls prevent trading that may create risks to the investment firm itself or that could create or contribute to a disorderly market or could be contrary to market abuse laws or to the rules of the trading venue.
  • to be responsible for ensuring that clients using the service comply with the requirements of MiFID2 and the rules of the trading venue
  • to monitor the transactions in order to identify infringements of those rules, disorderly trading conditions or conduct that may involve market abuse
  • to report such conduct to the competent authority
  • to ensure that there is a binding written agreement between the investment firm and the client regarding the essential rights and obligations arising from the provision of the service and that under the agreement the investment firm retains responsibility under MiFID2
  • to notify its competent authority and that of the trading venue at which it provides DEA accordingly
  • at the request of its competent authority, which may be on a regular or ad hoc basis, provide a description of the systems and controls referred to above and evidence that these have been applied, and 
  • to arrange for records to be kept in relation to the matters set out above and to ensure that such records are sufficient to enable its competent authority to monitor the investment firm’s compliance with the same.

A regulated market that permits DEA shall be required to:

  • have in place effective systems, procedures and arrangements to ensure that members or participants are only permitted to provide DEA if duly authorised under MiFID2 or are credit institutions
  • ensure that appropriate criteria are set and applied regarding the suitability of persons to whom such access may be provided and that the member or participant retains responsibility for orders and trades executed using that service

  • set appropriate standards regarding risk controls and thresholds on trading through such access and is able to distinguish and, if necessary, stop orders or trading by a person that is using DEA separately from other orders or trading by the member or participant, and

  • have in place arrangements to suspend or terminate the provision of DEA by a member or participant in the case of non-compliance with MiFID2.

What does Level 2 say?

Final Report 2014/1569 (FR) and Consultation Paper 2014/1570 (CP2)

In relation to the definition of “direct electronic access”, ESMA in the FR has clarified the following: 

  • The critical element to qualify an activity as DEA, regardless of the technology used for those purposes, is the ability to exercise discretion regarding the exact fraction of a second of order entry and the lifetime of orders within that timeframe. 
  • Where a client order is effectively intermediated by the member or participant of the trading venue (and therefore the submitter of the order does not have control over those parameters), the arrangement would be out of the scope of DEA. 
  • Systems which allow clients transmitting orders to an investment firm in an electronic format (on-line brokerage) would be outside the scope of DEA as long as the client does not have the ability to determine the fraction of a second where the order should enter the order book or react to incoming market data within those timeframes. Nevertheless, the client would conduct algorithmic trading if when transmitting those client orders it uses smart order routers (SORs). 
  • SORs are algorithms used for the optimisation of order execution processes and may determine the parameters of the order other than the venue(s). In particular, SORs are able to “slice” the original order into “child orders” eg, trigger contingent or delayed start time for an order; a trailing stop-loss order; orders contingent upon entry based on other instrument data and iceberg functionalities. If orders are routed via a SOR of the market place member/participant, this arrangement does not constitute DEA. SORs used by a client should be considered as DEA if the client has a permission to use the trading code of the market member/participant to directly access the market and the SOR is embedded in its systems, not into the DEA provider’s. 
  • Automatic order routers (AORs), which are systems which encompass the functionalities that determine the trading venue(s) where the order should be submitted without changing any other parameter, do not by themselves qualify or disqualify from the provision of DEA where they are embedded in the DEA systems. AORs in isolation without the rest of the elements of DEA (permission for the use the DEA provider’s trading code for submitting orders directly) should not be considered DEA.

The proposed RTS 13 in CP2 provides for the detailed requirements in relation to firms providing DEA. Under RTS 13, firms providing DEA shall: 

  • Be responsible for the trading of those clients.
  • Establish policies and procedures to ensure clients’ trading complies with the rules and procedures of the relevant venue and to enable the firm to meet its regulatory obligations.
  • Conduct due diligence on prospective DEA clients, including an assessment of expected trading and order volume and the connectivity to the relevant trading venues and, at a minimum, cover the eleven requirements set out in the RTS.
  • Review their due diligence assessment at least annually and carry out annual risk-based reassessment of the adequacy of their clients’ systems and controls.
  • Monitor intraday on a real-time basis the credit and market risk to which they are exposed as a result of their clients trading activity so that they can adjust pre-trade controls accordingly.
  • Apply pre-trade controls on entry and post-trade controls on the order flow of their clients, such controls not to be those of their clients, but which may be proprietary to the firm providing DEA, third party controls purchased from or provided by a third party or controls offered by a trading venue. The firm providing DEA shall remain responsible for the effectiveness of these controls and ensure that at all times it is solely entitled to set or modify any parameters or limits.
  • Set initial controls based on initial due diligence and periodic review of the client.
  • Have the ability to:
    • monitor any orders sent to their systems
    • automatically block or cancel orders in financial instruments which a client is not permitted to trade, and have an internal flagging system to do the same
    • automatically block or cancel orders which breach the firm’s risk management thresholds
    • stop order flow, and
    • suspend or withdraw services from a client where the firm is not satisfied that continued access would be consistent with the firm’s rules and procedures.
  • Have procedures to monitor the trading systems and support staff in the event of a trading system error, such procedures to be aimed at evaluating, managing and mitigating market disruption and firm-wide risk and which shall identify the persons to be notified in the event of an error resulting in violations of the risk profile, or potential violations of a trading venue’s rules.
  • At all times have the ability to identify different clients that submit orders by assigning unique IDs, and
  • Keep at the disposal of the competent authority the relevant data relating to order submitted by clients.

The proposed RTS 14 in CP2 sets out the organisational requirements that apply to trading venues which permit DEA through their systems. In particular, such trading venues shall be required to set out and make public the rules and conditions pursuant to which their members may provide DEA to their own clients, covering at least: 

  • specific requirements that firms should meet to provide DEA to their own clients
  • specific due diligence on prospective clients by firms intending to provide DEA
  • the requirement for a legally binding agreement between the DEA provider and the DEA user
  • the description of the systems and controls to be established and maintained
  • ensuring that firms providing DEA will remain ultimately responsible to the trading venue for all trades using their market member or participant ID
  • whether sub-delegation of DEA is permitted and, if so, provisions to ensure that the DEA provides is able to identify different order flows
  • where “sponsored access” is permitted, that firms who provide “sponsored Access” comply with the requirements for firms providing DEA and, in particular, that they are at all times solely entitled to set or modify the parameters that apply to the pre-trade and post-trade controls over order flow, and
  • that “sponsored access” shall be subject to authorisation.

In addition, such venues shall request firms providing DEA to have the ability to monitor any orders sent by DEA users, stop order flows transmitted by a DEA user, suspend or withdraw services where the firm is not compliant.

Will any Member States be gold-plating?

There is no indication at this stage that Member States will gold-plate.

When will it happen?

When will these provisions apply?

Member States are required to adopt and publish measures transposing MiFID2 and delegated acts into national law by 03 July 2016. MiFID2 and delegated acts under MiFID2 will apply from 03 January 2017.


What happens next?

ESMA delivered its final technical advice for delegated acts on the 19 December 2014 to the European Commission in the FR. The European Commission shall adopt the delegated acts within six months which will then be published in the Official Journal. The European Parliament and Council have the right to object to a delegated act within three months (which can be extended by a further three months).

On 30 June 2015, ESMA published its Final Report on the draft technical standards on authorisation, passporting, registration of third country firms and cooperation between competent authorities. In the report, ESMA stated that the remaining draft technical standards ESMA is mandated to develop will be published by the end of 2015.

How is it going to impact my business?

Who will be affected by these changes and how will it impact their business?

MiFID firms providing DEA will need to ensure their systems meet numerous requirements, the highlights of which include the requirement to have in place arrangements to:

  • ensure proper assessment of suitability of persons using the DEA service
  • ensure pre-set trading/credit thresholds are not exceeded
  • proper monitoring, and
  • ensure robust risk controls and filters are in place to detect errors and attempts to misuse facilities. 

In addition, such firms will be required:

  • to enter into a written agreement with DEA clients setting out the essential rights and obligations and ensuring that the firm providing DEA retains regulatory responsibility
  • to keep detailed records of their trading for a period of five years.

Firms using SORs and/or AORs should also consider whether they are engaging in algorithmic trading for the purposes of MiFID2.

Where the trading venue permits DEA, it will need to ensure that members are only permitted to provide such services if they are an authorised firm under MiFID. A trading venue should also be able to distinguish between, and if necessary stop trading by a person using direct electronic access, separate from trading carried out by a member or participant.

MiFID and non-MiFID firms accessing a trading venue via DEA provided by a MiFID firm will be required to enter into appropriate written agreements with the provider of DEA.

Action for firms?

Q4 2015

  • consider implications of ESMA’s FR and CP2 published December 2014 an ongoing discussions within the industry in the lead up to the publication of final Level 2 measures
  • consider the implications of ESMA’s definition of DEA, and
  • for firms caught by the regime review current practices and procedures and analyse changes required and/or new systems required to meet the organisational, due diligence and monitoring requirements.


  • implement procedural requirements to ensure compliance with due diligence, monitoring and risk controls required
  • prepare required internal documentation and/or amend existing documentation in line with new requirements
  • draw up written agreements to enter into with clients to whom DEA will be provided, and 
  • implement staff/ personnel training to ensure they are aware of new requirements and firms risk strategy and systems with regards to DEA.
For more information please see our MiFID2 Tracker and HFT Tracker or contact a member of our international MiFID2 team.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.