Field Report · Forge Tier · Proprietary Trading

Amsterdam Multi-Asset Quant Liquidity Provider

Amsterdam · Dozens of Global VenuesActive since February 2025

Listed derivatives. ETPs. Equities. FX. Digital assets. Dozens of venues, four overlapping partial definitions of what each instrument was. The trading core was untouched.

Executive Summary

An Amsterdam-headquartered multi-asset liquidity provider active across dozens of trading venues in listed derivatives, ETPs, cash equities, FX, and digital assets. Three converging operational gaps surfaced from the same underlying cause: trade surveillance alerts triaged at the per-venue level missed patterns that only resolved across venues; middle-office reconciliation between prime broker, clearing broker, and internal book aged breaks for days at a time; and risk aggregation across venues lagged the trading desk’s intraday view of true exposure. The first deployed work was not analytics. It was a unified instrument identifier graph that resolved ISIN, FIGI, OCC option symbology, Eurex product codes, ICE codes, and exchange-native symbols against a single internal entity for every contract the firm trades. Two capabilities are in production: cross-venue alert scoring for layering and spoofing patterns under MAR, and event-driven re-evaluation of three-way reconciliation breaks. STOR filing decisions remain with human compliance analysts.

Layering / spoofing FP−~1/390-day production window

Scoped break agingT+5+ → Within-dayTwo break categories

Middle-office capacity400–560 hrs/moRedirected, not eliminated

Cross-venue alert latency<5 secMedian, second-leg to queue

01 · The Environment

Adjacent, not integrated.

The firm operates as a continuous liquidity provider across listed derivatives, ETPs, equities, FX, and a defined set of digital assets. The trading platform is built almost entirely in-house — a structural feature of the larger Amsterdam prop trading cohort, where the boundary between trading strategy and execution infrastructure has historically been deliberately collapsed. FPGA-accelerated order entry, in-house FIX gateways and binary-protocol feed handlers, Aeron and Chronicle Queue for internal messaging, and a proprietary risk engine form the operational core.

Around this core, surveillance, reconciliation, and risk aggregation had grown as adjacent rather than integrated functions. Trade surveillance ran on a vendor platform of the NICE Actimize / Nasdaq SMARTS / Eventus Validus / Solidus Labs archetype. Reconciliation between prime broker, clearing broker, and internal book ran on a rule-based engine of the Duco / Gresham Clareti archetype. Risk aggregation across venues was performed by an in-house engine consuming per-venue feeds at differing latencies before aggregating to firm-level exposure.

Each component was, on its own terms, well-engineered. The systems did not fail individually. They failed at their seams. ISIN was adequate for cash equities but limited for derivatives; OCC option symbology covers US-listed options at the contract level, but Eurex, ICE Futures Europe, and CBOE Europe each maintain separate product code trees, and digital asset venues have no consistent identifier discipline at all. The firm did not have a definitional layer that committed, system-wide, to what each contract was, on which venue, under which corporate-action treatment, mapped to which internal position.

Operational systems at engagement start

In-house trading coreFPGA gateways · in-house FIX · binary-protocol feed handlers · Aeron · Chronicle Queue

Trade SurveillanceVendor platform (NICE Actimize / Nasdaq SMARTS / Eventus / Solidus archetype)

Reconciliation EngineRule-based (Duco / Gresham Clareti archetype) — per asset class

Risk AggregationProprietary in-house cross-venue engine — end-of-day cadence

Time SynchronizationPTP grandmaster + GPS/PPS · RTS 25 100µs UTC traceability

Drop-Copy SourcesEurex T7 EDCI · CME Globex (CG + MSGW) · ICE POF v3.4 · CBOE Europe · OCC clearing

Internal CaptureAeron-bridged from in-house FIX gateways via fingerprinted ingestion adapter

Identifier SurfacesISIN · FIGI · CFI · MIC · OCC · Eurex / ICE product codes · RIC · Bloomberg · internal IDs

Each component well-engineered on its own terms. The systems did not fail individually. They failed at their seams.

02 · The Challenge

Caught by attention, not by system.

2.1 The Visible Problem

Near-miss STOR escalationWedge — caught by analyst, not by system

A layering pattern stacked across two venues in the same Dutch blue-chip — bids at the three best book prices on Euronext Amsterdam while genuine sell flow executed on CBOE Europe — was caught by a senior compliance analyst cross-referencing manually. The vendor surveillance platform, configured per-venue, had scored both venues as in-range noise. The pattern was reportable. It was reported. The structural concern was that it had been caught by attention, not by system.

Hardened EU regulatory environmentFCA Market Watch 79 · AFM · AMF

FCA Market Watch 79 (May 2024) catalogued cases where surveillance gaps had gone undetected for two years or more. The AFM's December 2024 fine of VDVI BV for cross-day equity manipulation, the AMF's Nyenburgh layering settlement, and the AFM's April 2026 supervisory note on algorithmic trading — sharpening RTS 6, AI/ML explainability, algorithm definitions, and DEA controls — meant 'the alert engine flagged it correctly' was no longer adequate defence if upstream ingestion or cross-venue correlation was structurally incapable of seeing the pattern.

Aged reconciliation breaksT+5+ aging carrying capital cost

The rule-based reconciliation engine could match cleanly when fields aligned, but breaks driven by corporate-action handling differences between prime broker and internal book — different ex-dates, fractional handling, dividend accrual timing — were systematically aged into T+5+. Each carried a small capital cost under IFR Class 2 K-CMG and K-CON weighting; in aggregate, the carry was material.

Risk aggregation lagEnd-of-day cadence vs. intraday reality

Risk aggregation across venues lagged the trading desk's intraday mental model. The aggregation engine refreshed firm-level Greeks at intervals acceptable for end-of-day reporting but slow for intraday risk decisions on multi-venue underlyings. Traders maintained their own aggregated view in practice — exactly the kind of dependency on individual judgment the firm had been working to reduce.

Two prior partners, neither deployedPer-component extension proposals

A tier-1 risk-vendor consultant and a specialist surveillance house had been engaged separately on subsets of the problem. Both returned with proposals that extended the existing per-component logic rather than addressing the underlying definitional gap. Neither reached deployment.

Definitional drift at the seamsFour overlapping partial definitions

No system in the firm — not surveillance, not reconciliation, not risk aggregation — operated against a single committed definition of what each instrument was, across every venue and every counterparty. Reconciliation breaks, surveillance gaps, and risk aggregation drift surfaced in different operational queues but shared a single underlying cause.

2.2 The Structural Gap

No unified order book to score against

Vendor surveillance platforms were not failing at scoring — they were failing at the prior question. What is the unified order book this pattern is forming inside? The firm did not have an answer that survived a cross-venue audit. Per-venue configuration, by architectural standard, scored each venue as in-range noise on patterns that only resolved across venues.

Three definitions of post-corporate-action instruments

Two prior internal projects had tried to extend the rule-based engine to handle corporate-action breaks. Both concluded the matching logic was not the problem. Prime broker, clearing broker, and internal book held three different definitions of what the post-corporate-action instrument was. Without a definitional layer that resolved pre- and post-action identifier states simultaneously, the reconciliation could not converge.

Identifier proliferation without commitment

ISIN, FIGI, CFI, MIC, OCC, Eurex and ICE product codes, RIC, Bloomberg ticker, internal IDs — all referenced by different systems against different scopes. No system held the firm's commitment to which instrument each identifier referred to, in which venue, under which corporate-action treatment. The cross-mapping lived in adapters between systems, not in a system of truth.

Definitional gap, not analytics gap

The firm was not querying a representation of trading reality — it was producing one, on demand, with each query, by stitching adapter outputs. The structural problem behind the surveillance near-miss, the aged breaks, and the risk aggregation lag was the same: no committed definitional layer. This was not a missing report. It was a missing structural commitment to interoperability at the instrument level.

Per-component extension was unavailable

Two prior partners had returned with extension proposals. That work was not architecturally available, because the per-component logic was downstream of a definitional gap that no extension could close. The work was not engineering capability — it was the prior commitment that engineering had been built without.

The vendor surveillance platforms were not failing at scoring. They were failing at the prior question — what is the unified order book this pattern is forming inside? The firm did not have an answer that survived a cross-venue audit.
Engagement framing

2.3 Integration Surface

The integration position was deliberately narrow at entry: not to replace the in-house trading platform, the vendor surveillance system, or the rule-based reconciliation engine, but to operate as the definitional and continuity layer beneath them. The firm’s engineering culture is characteristically reluctant to accept third-party integration into the trading-adjacent path; the engagement model became co-design with embedded engineers rather than vendor delivery.

Drop-copy and Private Order Feed sources

Eurex T7 EDCIEnhanced Drop Copy Service / Enhanced Drop Copy Interface — drop-copy capture via member infrastructure. Member-test environment certification ran eight weeks against a planned six.

CME GlobexDrop copy via Convenience Gateway and Market Segment Gateway source sessions, two source groups. AutoCert+ certification with weekly target-session renewals during testing and re-conformance after a CME release.

ICE Futures EuropePrivate Order Feed v3.4 conformance — clean, plus two weeks of firm-internal change review.

CBOE EuropeEquivalent capture via member infrastructure for the cross-venue pattern reconstruction layer.

US option venuesDrop copy via OCC clearing infrastructure for cross-venue order-book reconstruction.

Aeron internal captureIn-house FIX gateway events bridged into the unified event stream via fingerprinted ingestion adapter. No latency change, no behavioural change.

RTS 25 timestamp auditPTP grandmaster + GPS reference met 100µs UTC traceability comfortably; documentation of point-of-timestamp application for cross-venue order-book reconstruction had to be reconstructed end-to-end for evidentiary purposes.

03 · The Engagement

Three phases.

Forge Tier deployment of all four modules. The in-house trading core, the vendor surveillance system, and the rule-based reconciliation engine remain operational. The integration position attached beneath them.

Phase 1

Arché: Definition & Integration Spine

Weeks 1–6 (+4 wk slip)

Definitional model built

Instrument graph: ISIN, FIGI, CFI, MIC, OCC, Eurex/ICE codes, RIC, Bloomberg, internal IDs against single internal entity

Pre- and post-corporate-action identifier states held simultaneously — splits and mergers do not destroy lineage

Event schema: unified order/trade/position/break taxonomy consumed by all modules without further translation

MAR Article 12 manipulation patterns encoded; STOR obligation surface across NCAs the firm reports to

Workflow state model: alert-to-STOR lifecycle, break-to-resolution lifecycle

Core: integration spine live

Eurex T7 EDCI member-test certification — 8 weeks against planned 6

CME Globex AutoCert+ — weekly target-session renewals; re-conformance after CME release

ICE POF v3.4 conformance — clean, +2 weeks firm-internal change review

Aeron-bridged internal event capture — no latency change at the trading edge

Idempotent state transitions, source system fingerprinting per venue and counterparty

RTS 25 timestamp audit-trail documentation reconstructed end-to-end (Article 4)

FPGA, FIX gateways, in-house feed handlers, proprietary risk engine — unmodified

Phase 2

Athena & Aegis: First Live Capabilities

Months 3–5

Cross-venue surveillance scoring — advisory mode

MAR Article 12 patterns (layering, spoofing, momentum ignition, marking the close, wash-trade structure) operating against the unified order book reconstructed from drop-copy and POF. Probabilistic scoring engine attenuated alert volume via cross-venue correlation strength, sub-millisecond time proximity, and historical pattern fingerprint match.

Two tuning cycles over 45 days

Initial false-positive rate on layering detection ran approximately 2× the firm's internal target. One tuning cycle on cross-venue time-window parameters; one on order-cancellation-velocity feature weighting. Brought FP rate within operational range; rule recall against the firm's historical reportable-pattern test set held at pre-deployment level.

Mid-Phase 2 operational moment

Layering pattern flagged within eleven seconds of the second leg: stacked bids at the three best book prices on Euronext Amsterdam in a Dutch index constituent, with genuine sell volume printing on CBOE Europe's same underlying. Single-venue surveillance, still operating in parallel, registered both venues as in-range noise. The pattern matched the AMF Nyenburgh archetype. STOR filed by the firm's compliance analyst — not because Athena recommended it, but because the human analyst, presented with the unified order book reconstruction, could now see what was happening.

Event-driven reconciliation — two break categories

Corporate-action-driven breaks between prime broker and internal book, and timing-driven breaks between drop-copy receipt and internal OMS booking. Adjunct to the rule-based engine, not replacement: re-runs matching against pre- and post-corporate-action identifier states held simultaneously by Arché's instrument graph, and against fingerprinted source-system event lineage when timing was the cause.

€1.4M break closed

Aged six days. The rule-based engine had marked it unresolvable — prime had booked a corporate-action adjustment against a different ex-date than internal. Core's event-driven re-evaluation aligned the records against both identifier states. The break was closed. Capital that had been held against the disputed position under IFR K-CMG weighting was released.

Surveillance team adoption — uneven

Two senior analysts adopted within three weeks. The remainder required structured side-by-side review sessions extending operational handover by approximately five weeks. Characteristic of the cohort, not a deployment fault — surveillance teams develop calibrated intuition against the false-positive textures of their existing systems and require recalibration before trust transfers.

Aegis: machine queries at audit parity with humans

Every Athena scoring call against position or order data logged in the same audit stream as a human compliance analyst's lookup. Deliberate architectural commitment, not a compliance afterthought: under the AFM's April 2026 supervisory expectations on AI in algorithmic trading and DORA's ICT incident management, the firm's ability to evidence what its scoring models had access to, when, and under what controls had become a non-negotiable audit surface.

Phase 3

Expansion & Roadmap

Current — Month 15+

Cross-venue Greeks aggregation — advisory

Unified position view computed from the event stream presented to traders alongside the in-house aggregation engine. Not yet wired into pre-trade kill-switch logic; not yet a system-of-record for intraday risk decisions. Validation window scoped into next quarter.

Crypto venue ingestion — pilot

Data quality variance, order-book snapshot reliability, trade-print delays, clock-sync claims being characterized in a separate ingestion track. Explicitly outside the MAR-scoped surveillance event stream until MiCA-equivalent venues can be cleanly included.

Third reconciliation category — development

Give-up and allocation difference breaks between executing and clearing brokers. Extends event-driven re-evaluation against the instrument graph to a third category. Not in the validated outcome set yet.

04 · Outcomes

What changed.

Validated outcomes after the first ten months of live operation, deliberately constrained. Three figures matter in the main narrative; the rest belong to the technical appendix or to ongoing measurement. All figures validated over a 90-day production window against a matched 90-day pre-deployment baseline with the alert taxonomy held constant.

Layering / spoofing FP rate

Per-venue baseline→

−~1/3

90-day production window · rule recall held flat

Scoped break aging

T+5+→

Within-day

Corporate-action and timing-driven categories

Middle-office capacity

Break investigation triage→

400–560 hrs/mo

Redirected to capital-impact case work

Aged break tail (T+5+)

Baseline→

−~3/4

Two scoped categories, 90-day window

Cross-venue alert latency

Manual cross-reference→

<5 sec median

Second-leg event to surveillance review queue

Audit event store

—

~4× volume

Human + machine queries at parity, no perf degradation

Reconciliation — nature of the change

For the scoped break categories, breaks that previously aged through the rule-based matcher’s exhaustion path before being routed to manual investigation now enter event-driven re-evaluation against the instrument graph at the moment of statement receipt. The middle office is no longer reasoning about post-trade reconciliation as a problem of investigation. It is reasoning about it as a problem of definition.

Surveillance — nature of the change

The compliance team is no longer reasoning about cross-venue manipulation as a problem of correlation between separate systems. It is reasoning about it as a problem of pattern recognition over a single unified order book. STOR filing decisions remain entirely with human compliance analysts — this is the operational design, not a transitional state.

05 · Observations

What this case revealed.

Definitional gap, not analytics gap

Two prior partners had returned with proposals that extended the existing per-component logic. Neither reached deployment. The work was not architecturally available, because the per-component logic was downstream of a definitional gap that no extension could close. Once the instrument graph existed, once the event schema reconciled the systems beneath it, the analytics two prior partners had been unable to deploy became routine.

Beneath the trading core, not above it

FPGA gateways, in-house FIX adapters, Aeron messaging, the proprietary risk engine — none modified, none replaced, none re-architected. The vendor surveillance platform, the rule-based reconciliation engine, and the in-house cross-venue aggregation engine all remain in operation. What changed is the layer they now operate against. They process the same events, drawn from a single committed definition rather than from four overlapping partial ones.

Audit logging at machine-human parity

Every Athena scoring call against position or order data logged in the same audit stream as a human compliance analyst's lookup. Under the AFM's April 2026 supervisory expectations on AI in algorithmic trading and DORA's ICT incident management obligations, the firm's ability to evidence what its scoring models had access to, when, and under what controls is no longer a compliance afterthought — it is a non-negotiable audit surface, designed in from Phase 1.

STOR filing remains with humans — by design

Cross-venue surveillance scoring operates in advisory mode for the surveillance team. STOR filing decisions remain with human compliance analysts. This is the operational design, not a transitional state. The unified order book reconstruction surfaces what the analyst could not previously see; the analyst, presented with that reconstruction, makes the regulatory escalation decision.

The firm received structural capacity, not software. What two prior partners had returned as architecturally extending in scope but unsolvable at root was not a technical limitation — it was a question of whether the firm was willing to commit to a single definition of what its instruments were, across every venue and every counterparty, before extending the analytics on top.
Stathon deployment conclusion

06 · What Is Live, What Is Next

Forward roadmap.

In active production

Cross-venue MAR alert scoring (5 patterns)

Unified order book reconstruction

Event-driven recon — 2 break categories

STOR filing remains with human analysts

In pilot / advisory mode

Cross-venue Greeks aggregation

Crypto venue surveillance ingestion

Trading desk advisory view alongside in-house

Validation extending into next quarter

On roadmap

Third recon break category in development

Predictive market-impact scoring

DORA-aligned ICT incident workflow

IFR/IFD ICAAP/ILAAP integration

Next quarter

Cross-venue Greeks aggregation — non-advisory promotion

Validation window for promoting the unified position view from advisory mode to system-of-record for intraday risk decisions, including pre-trade kill-switch wiring. Sequenced under MiFID II RTS 6 self-assessment and DNB-supervised ICAAP/ILAAP documentation refresh under the IFR/IFD prudential regime.

Phase 4

Third reconciliation break category

Give-up and allocation difference breaks between executing and clearing brokers. Currently in development; extends the event-driven re-evaluation engine against the instrument graph to a third category.

Phase 4

Predictive market-impact scoring

Momentum ignition pre-detection — addressing the decision problem of distinguishing aggressive legitimate liquidity provision from manipulation under conditions where intent is structurally unobservable.

Phase 4

DORA-aligned ICT incident workflow

Initial notification clock for major ICT incidents, measured from classification and subject to the wider 24-hour detection backstop. ICT third-party register population aligned with the firm's DORA register submission to the AFM. TLPT cycle support included.

Phase 4

MiCA-equivalent crypto venue inclusion

Digital asset venues with MAR-equivalent treatment promoted into the surveillance event stream once data quality and clock-sync variance are characterized. Currently in pilot ingestion track outside the MAR-scoped surveillance scope.

07 · Engagement Parameters

Deployment record.

Engagement TypeForge Tier · Multi-asset proprietary trading · Single-firm

Engagement StartFebruary 2025

Validation Window90-day production window across surveillance and reconciliation paths

Current PhasePhase 3 — production expansion across asset classes; cross-venue Greeks aggregation in advisory mode

Firm FootprintSeveral hundred to low-thousands global staff · dozens of trading venues across Europe, US, APAC · regulated and non-regulated digital asset venues

Scope HeadcountTrade surveillance, middle office, risk operations, compliance — combined ~30–45 FTE

Client Systems (unchanged)FPGA / FIX gateways · in-house feed handlers · proprietary risk engine · vendor surveillance · rule-based reconciliation

Compliance AnchorsMAR (596/2014) · MiFID II RTS 6 / RTS 25 · IFR / IFD (Class 2) · DORA · GDPR · AFM April 2026 algorithmic trading note

Stathon · Definitional Infrastructure Company. Client identity withheld by agreement. Deployment metrics reflect production conditions as of May 2026.

← Back to Field Reports