Skip to main content
Lantern Home
 
 
Splunk Lantern

Complying with the Markets in Financial Instruments Directive II

  1. Last updated
  2. Save as PDF

 

MiFID and MiFID II are regulations for electronic trading in EMEA. Best execution is a key principle of these directives and states that "take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order." One standard for adhering to best execution requires firms to show that servers all have time settings that vary no more than one MS from UTC. Another standard requires firms to execute trades at the best possible price among exchanges. Financial markets must adhere to the regulations set forth in these directives to protect investors. There are many searches you can run to help ensure compliance and identify any violations so they can be investigated and prevented in the future.

Required data

How to use Splunk software for this use case

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.

MiFID II time drift

The MiFID II best execution principle states that firms must "take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order." Hosts that have a large time drift may effect best execution. You need to monitor for time drift.

Use a script to contact an NTP server on a host every N minutes and capture the results to a file. A script such as echo `sntp time_server` `hostname` might be enough.

|lookup <NTP data by host>
|sort - date
|where drift<-0.1 OR drift>+0.1

MiFID II time drift impact on buy and sell orders

Hosts that have a large time drift may have business impact on buy and sell orders. You want to see any impacted transactions by listing out the volume and monetary amount that was recorded on that host at the time of intolerable time drifting.

Use a script to contact an NTP server on a host every N minutes and capture the results to a file. A script such as echo `sntp time_server` `hostname` might be enough.

|lookup <NTP data by host>
|sort - date
|where drift<-0.1 OR drift>+0.1
|lookup <transaction data lookup file> host, date
|table date, host, drift, amount, volume
|eval amount=tostring(round(amount, 2),"commas")

MiFID II best execution buy and sell violations

The MiFID II best execution principle states that firms must "take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order." You need to correlate trade logs with pricing databases to see if a trade met best execution for a buyer or if a lower price was found. If the exchange price is lower, it is a violation, and violating best execution may result in penalties.

|sourcetype=<buy and sell order data source>
|lookup <commodity reference data> _time, symbol OUTPUT exchangeA exchangeB exchangeC
|where (action="buy") AND (amount>exchangeA OR amount>exchangeB OR amount>exchangeC)

Next steps

The penalties for violating best execution principles of MiFID II can be severe. Schedule these compliance searches to run and report on a regular basis, investigating as needed and taking appropriate action. For example, if the time drift in the log entry is above a tolerance, the host should be fixed as trades may be impacted. You can also correlate the total volume of trades and monetary amount that was involved for buy or sell orders with hosts experiencing intolerable time drifts. Use this information for your KPIs.

The Splunk Essentials for the Financial Services Industry app helps you automate the searches provided in this article. The app also provides more insight on how they can be applied in your environment, how they work, the difficulty level, and what data can be valuable to run them successfully. In addition, the Splunk Essentials for the Financial Services Industry app provides a number of other monitoring and reporting solutions for banking services:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.