FIA’s Guide to the Development and Operation of Automated Trading Systems

1.11 Kill Switches

A kill switch is a control that when activated immediately disables all trading activity for a particular participant or group of participants, typically preventing the ability to enter new orders and cancelling all working orders. It may also allow for risk-reducing orders while preventing risk-increasing orders. This can be considered an effective safeguard against situations such as an automated trader breaching
limits defined by a broker, or erroneous trading activity that may be caused by an automated trading system malfunction or the generation of unintended orders released into the market.

Activation of a kill switch is based on a decision that such action protects market integrity or the financial integrity of the counterparties involved. Such a control may provide exchanges, brokers and automated traders with an immediate and effective way to remove or reduce risk. The conditions under which a kill switch may be used by an exchange or a broker should be clearly communicated to their counterparties.

However, kill switches should be considered just one of many different types of risk controls that comprise an effective suite of risk controls, and only invoked based on a qualitative decision taken as a last resort when other actions have failed or may not be feasible. In an environment that has adequate pre-trade risk controls at all appropriate focal points for the automated trader, broker and exchange, a kill switch may ultimately be considered redundant.

Automated traders are encouraged to build their own kill switch functionality into their trading applications where it is possible to implement it on a sufficiently granular level to identify individual trading systems. Such functionality may be separate from the trading application itself and can be operated both by the trader and by the person responsible for risk. When made available, this functionality should be in addition to and as a final backstop for the pre-trade risk functionality outlined above.

A broker may want to implement kill switch functionality for both its direct and indirect automated trader customers, although typically the revocation of customer trading access takes place through the broker’s pre-trade risk controls whether implemented within its own infrastructure or using exchange provided tools for direct access customers. Such a control should be granular enough to identify individual customers and/or trading systems as appropriate.

Where a broker has to rely on an exchange-provided risk management control—for example for a kill switch for a direct access participant—the exchange control should operate at a suitable level to control only that customer’s order flow and should not be shared across customers. It is important to note that exchange risk management tools vary in how they are implemented based on how the exchange identifies trading sessions or operator IDs. Where an automated trader also has access to the exchange-provided control, the automated trader should not be able to override a kill switch invoked by the broker.

Where an exchange provides such a control, there should be a registration process and entitlement system that requires automated traders and brokers to specify which staff are authorized to use the functionality. The system itself should provide explicit warnings informing the authorized users of the consequences of activating the kill switch.


source: Futures Industry Association Guide to the Development and Operation of Automated Trading Systems