ARTICLE
17 April 2025

The Trouble With Trading App Outages

PwC Legal Germany


RegCORE – Client Alert | Capital Markets Union | Digital Single Market

QuickTake

Not being able to access one's own brokerage account via an app or by other electronic means can be frustrating, even more so when speed may be of the essence, especially when wanting to take action during dynamic market conditions. With ongoing market turbulence caused by tariffs and geopolitical risk, (retail) investors may want to access their accounts, including via apps, more frequently than under more normal trading conditions. While brokerage apps and accounts can be (and have repeatedly been) subject to outages, the widespread lack of accessibility and lack of order execution afflicting users around the globe during April 2025 means that the EU's supervisory spotlight is now very much back on this topic.

This Client Alert assesses some of the EU-relevant legal, regulatory and supervisory issues that those offering trading apps will want to consider in terms of their compliance obligations. While these issues apply to all brokerage firms, they may be of particular relevance to neobrokers, who remain (rightly or wrongly) subject to stricter supervisory focus of EU authorities (see footnote 1) and whose business model is based, in part, on enabling (retail) investors to respond rapidly to market movements. When firms (not just neobrokers) let their customers down at crucial moments, this can, in addition to compliance and contractual breaches, cause reputational risk.

Given the EU-level authorities' heightened focus in 2025 on improving orderly markets and order execution (even during times of heightened volatility), such outages have occurred at perhaps a somewhat inopportune moment for a number of firms, who may now become subject to greater supervisory scrutiny as well as be at risk of receiving a range of regulated complaints from customers adversely affected by the most recent outages.

Outages and regulatory outcomes

Trading app outages come in different forms and durations. Some arise due to (i) technical failures in the software, servers and/or information and communication technology resources of the brokerage firm or those of its own providers – such issues in the EU are supposed to be mitigated by the EU's digital operational resilience legislative, regulatory and supervisory framework (including beyond DORA). Others come from (ii) a mass interest of users, whose activity in looking to access or otherwise engage with the trading app over a period of time causes the app to become inaccessible or otherwise disrupted (whether in whole or in part).

Whatever the cause of an outage, it will typically limit both (1) a user's ability to access the trading app and (2) the means to effect transactions in financial instruments and/or deposits and/or withdrawals via such trading app and/or by other electronic means.

Just like market outages, trading app outages can disrupt market integrity by creating an uneven playing field. While international, EU and national authorities have some rules and principles that apply to brokerage firms and their apps, the bulk of policy and rulemaking action in this area has largely focused on (a) order execution policies (when markets and trading systems function) and (b) market outages and/or trading venue shutdowns (see dedicated thought analysis on both topics from our EU RegCORE).

Importantly, in the eyes of EU legislators, regulators and supervisors, some outages are (rightly or wrongly) assessed as reasonably foreseeable and preventable whereas others may not be. The burden of proof, however, falls on the trading app provider to evidence that its measures in place comply with legislative, regulatory and supervisory requirements and could not have identified, mitigated and managed the adverse impacts of an outage on its clients and the market as a whole.

In the EU, the legislative, regulatory and supervisory requirements set out in MiFID II and MiFIR (each as supplemented and amended) mandate that trading venues and investment firms ensure fair and orderly trading. This includes having mechanisms in place to prevent market abuse and to ensure that all market participants have equal access to trading opportunities.

Firms must have robust systems and controls in place to prevent outages, effective business continuity plans to manage them, and clear communication strategies to keep clients informed. In the event of an outage, firms must take steps to minimise market disruption and to restore normal trading conditions as quickly as possible. This may involve coordinating with other market participants and regulatory authorities to manage the impact of the outage. It may also mean having robust fallbacks – such as telephone/voice-based or other order execution channels.

However, with the rise of trading apps and electronic access to accounts, a number of firms (in particular certain neobrokers) have done away with staffed telephone lines to take orders from customers who are unable to execute orders, deposits and/or withdrawals, including during outages. While such telephone/voice-based or other offline modes may involve slower execution, with potential delays and without the guarantee of the execution price available in an online (i.e. app-based) setting, they still cater for continuity of service during a trading app outage. Except for some very basic principles set out below, the EU's rules (currently) fail to address situations when the bulk of non-telephone-based systems that retail investors use to trade and/or fund or withdraw from their accounts are subject to an outage (including over a period of time).

Under the current rules, firms are required to report significant operational incidents, including trading app outages, to their national competent authorities (NCAs). These reports must include detailed information about the nature of the outage, its impact on clients and the market, and the measures taken to resolve it. Failure to report such incidents can result in regulatory sanctions. Additionally, firms must maintain detailed records of their trading activities and system performance, which can be reviewed by regulators to ensure compliance with the respective requirements. Some firms also engage in regular (reverse) stress-testing of their trading app so as to improve its accessibility and functionality during periods of market stress.

How a trading app provider engages with its customers before, during and after an unplanned outage (particularly if it continues over a period of time) is crucial in how financial markets supervisors and investor protection authorities might act with respect to a specific trading app provider or large sectors of the market. Some (but not all) firms have dashboards setting out the systems and/or operational status of their app and/or online account infrastructure whereas others also have dedicated fallbacks in the form of technical FAQ relating to the app and/or telephone numbers for telephone/voice-based order execution. Some firms may also want to ensure their client facing disclosures are clearer and more proactive than may be currently the case as well as to clarify their contractual terms and conditions, including when it comes to liability or technical disruptions, in particular where failsafes are available, activated and accessed.

Despite the above, in the event of a trading app outage, firms may face legal claims from clients who have suffered financial losses in particular where technical disruptions were (reasonably) foreseeable and no suitable failsafes are in place. Under EU law, firms have a duty of care to their retail investor clients, and failure to maintain reliable trading systems might, depending on a number of fact-specific considerations, be considered a breach of this duty. Affected clients may seek compensation for losses incurred due to the inability to execute trades or due to unfavourable market conditions resulting from the outage. Firms must have clear policies in place for handling such claims and for compensating clients where appropriate.

For those affected by an outage, even where a firm does have policies and procedures in place and has translated these from paper into technological practice, problems may then arise in affected retail investors being able to prove that damage has occurred and evidencing that to the trading app provider. Aside from taking and sending screenshots, clearly evidencing (1) when an order (not just spot but also limit and other scheduled orders) would have been placed or should have been actioned and (2) whether this constitutes a realised or unrealised loss (and over what time period) is subject to a lot of fact-specific considerations.

Retail investors are unfortunately likely to bear the burden of proof in any regulated complaint and/or legal proceedings brought against the trading app provider. Furthermore, it may take (considerable) time for any such regulated complaint and/or contentious proceedings to run its course, often with no positive outcome – at least from the perspective of the retail investor.

Such further complaints handling and/or dispute resolution considerations may, even after an outage has occurred, contribute to further reputational risk for the trading app provider and loss of retail clients. To prevent such (further) risks from materialising, a number of trading app providers may consider what other forms of goodwill gestures they may offer to retail clients outside the scope of complaints handling and/or dispute resolution. Equally, however, such decisions are often client-specific and, if not carried out with due consideration along a carefully crafted policy that is applied consistently and fairly, may actually further complicate matters.

Examples of further corrective measures that regulators may require following an outage

When a trading app outage occurs, regulators may require firms to implement a variety of corrective measures to address the root causes of the outage and to prevent future incidents. In addition to the considerations highlighted above, these measures (a number of which are also baseline requirements, certainly in the EU under MiFIR/MiFID II, as amended by the IFR/IFD) are designed to enhance the firm's operational resilience, ensure compliance with regulatory requirements and protect investors during the outage and ahead of the return to normal operating conditions.

Some examples of corrective measures that EU regulators might mandate individual firms or specific market segments as a whole to undertake are set out below. Some firms may want to frontload such improvement measures ahead of a regulator requesting that they do so or evidence how they can satisfy supervisory expectations:

1. System upgrades and enhancements

  • Technology upgrades: Firms may be required to upgrade their trading platforms and underlying technology infrastructure to ensure they are robust and capable of handling high volumes of transactions without failure. This can include updating software, hardware, and network components.
  • Scalability improvements: Regulators may mandate improvements to the scalability of the trading system to handle peak trading volumes and prevent overloads. This can involve optimising system architecture and increasing server capacity.
  • Redundancy and failover mechanisms: Firms might be required to implement increased redundancy and failover mechanisms to ensure continuous operation in the event of a system failure. This can include setting up backup servers, data centres, and alternative communication channels such as but not limited to telephone/voice-based order execution.

2. Enhanced risk management and monitoring

  • Real-time monitoring: Firms may need to implement real-time monitoring systems to detect and respond to potential issues before they lead to outages. This can involve deploying advanced analytics and monitoring tools to track system performance and identify anomalies.
  • Risk assessments: Regulators might require firms to conduct comprehensive risk assessments to identify vulnerabilities in their trading systems. These assessments should be performed regularly and should cover all aspects of the firm's operations, including technology, processes, and personnel.
  • Stress testing: Firms may be mandated to conduct regular stress testing of their trading systems to evaluate their ability to withstand extreme market conditions and high transaction volumes. Stress tests can help identify potential weaknesses and areas for improvement.

3. Business continuity and disaster recovery planning

  • Business Continuity Plans (BCPs): Firms may be required to develop or enhance their business continuity plans to ensure they can maintain critical functions during disruptions. BCPs should include detailed procedures for responding to outages, maintaining operations, and communicating with clients and stakeholders.
  • Disaster Recovery Plans (DRPs): Regulators might mandate the implementation of disaster recovery plans that outline the steps to be taken to restore normal operations following an outage. DRPs should include data backup and recovery procedures, as well as plans for restoring system functionality.
  • Regular testing and drills: Firms may need to conduct regular testing and drills of their BCPs and DRPs to ensure they are effective, and that staff are familiar with their roles and responsibilities during an outage. These tests should simulate various outage scenarios and evaluate the firm's response capabilities.

4. Improved client communication, transparency and documentation

  • Communication protocols: Firms may be required to establish clear communication protocols for informing clients about outages and the steps being taken to resolve them. This can include setting up dedicated communication channels, such as hotlines, email notifications, and website updates. It also means providing, through an appropriate communication channel, initial notice (as soon as practicable) of the outage to clients and the general public, regulators and, thereafter, regular updates on the status of the outage and the recovery pathway. Once a return to normal operating conditions has occurred, firms will want to ensure they clearly communicate information relevant to the reopening of trading app/electronic systems in a timely and simultaneous manner to all clients, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading on respective trading venues.
  • Client support services: Firms may need to enhance their client support services to assist clients affected by the outage. This can include providing additional resources, such as customer service representatives and online support tools, to address client concerns and inquiries.
  • Client compensation policies: Regulators may mandate the establishment of clear policies for compensating clients who suffer financial losses due to outages. These policies should outline the process for filing claims, the criteria for compensation, and the timelines for resolution.
  • Enhanced client agreements: Firms may need to review and update their client agreements to ensure they clearly outline the firm's responsibilities and the procedures for handling outages. This can help manage client expectations and reduce the risk of disputes.
  • Client Education: Regulators may encourage firms to educate their clients about the potential risks of trading app outages and the steps that the firm is taking to mitigate these risks. This aims to build client trust and confidence in the firm's services.

5. Governance and accountability

  • Management oversight: Regulators may require firms to strengthen management oversight of their trading systems' resilience and operations. This can involve appointing dedicated personnel or committees to oversee system reliability, risk management and compliance with service continuity standards.
  • Reporting and documentation: Regulators may require firms to maintain detailed records of their corrective measures, including documentation of system upgrades, risk assessments, and testing results. Firms should also be prepared to provide regular reports to regulators on the status of their corrective actions.
  • Internal audits: Firms might be mandated to conduct targeted internal audits to evaluate the effectiveness of their corrective measures and to ensure compliance with regulatory requirements on ensuring service continuity.

Implementing preventive measures, swiftly managing outages and activating corrective measures following a trading app outage are essential to address the root causes of the disruption, to prevent future occurrences and to minimise legal, regulatory, litigation and reputational risk before, during and after an outage.

Outlook

The increasing scrutiny from EU authorities on trading app outages underscores the critical need for brokerage firms, particularly neobrokers, to enhance their digital operational resilience with a focus on ensuring service continuity of their trading apps, and electronic and offline order execution channels. A number of firms may want to revisit how they conduct and evidence robust system upgrades, implement effective business continuity plans and ensure transparent communication with clients to mitigate the risks associated with outages and potential detriment to retail investors.

The EU's current regulatory landscape and pending reforms mandate that firms maintain fair and orderly trading conditions, even during periods of heightened market volatility. As such, in light of recurring outages, a number of established as well as nascent firms may want to (even more so than may currently be the case) proactively engage in regular stress testing, real-time monitoring and comprehensive risk assessments to identify and address potential vulnerabilities in their trading systems as well as to improve their client-facing contractual documentation and communication channels.

Looking ahead, the regulatory and supervisory focus is expected to intensify, with EU authorities likely to mandate more stringent corrective measures following the occurrence of what are preventable outages. This includes periodic technology upgrades notably to facilitate scalability improvements and the implementation of redundancy and failover mechanisms.

Moreover, EU authorities are likely to emphasise enhanced client communication protocols and clear compensation policies as crucial in maintaining client trust and managing legal risks. Firms that fail to comply with these evolving requirements may face significant regulatory sanctions and reputational damage from supervisory action and/or litigation.

Footnote

1 See series of Client Alerts from our EU RegCORE on this topic as well as our analysis here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
