The Convergence We've Been Anticipating
In September 2025, something remarkable happened in the world of financial regulation. The Malta Financial Services Authority (MFSA), through its newly launched Journal of Financial Supervisors Academy (JFSA), published what may become one of the most consequential academic papers on AI-driven trading since the EU AI Act was adopted.
Professor Filippo Annunziata of Bocconi University—one of Europe's foremost authorities on financial market regulation and a member of the Board of Appeal for EBA, ESMA, and EIOPA—delivered a comprehensive analysis titled "Artificial Intelligence and Market Abuse Regulation." His findings confirm what we at VeritasChain Standards Organization have been building toward: the current regulatory framework lacks the technical infrastructure to actually verify AI trading system compliance.
This isn't just an academic observation. It's a clarion call for the industry to move from trust-based compliance to verification-based compliance. And it happens to describe, with remarkable precision, exactly what the VeritasChain Protocol (VCP) v1.1 was designed to solve.
Who Is Professor Annunziata, and Why Does His Opinion Matter?
Before diving into the substance, let's establish why this paper carries unusual weight in regulatory circles.
Professor Filippo Annunziata is not merely an academic observer of financial regulation—he is deeply embedded in its institutional fabric:
Academic Credentials
- Full Professor of Financial Market Law at Bocconi University, Milan (since 2017)
- Professor of International Financial Market Regulation at Ca' Foscari University, Venice
- Co-Director of the BAFFI-CAREFIN RULES Unit, one of Europe's premier financial regulation research centers
Regulatory Authority
- Member (Alternate) of the Joint Board of Appeal for EBA, ESMA, and EIOPA — the independent body that reviews decisions by the three European Supervisory Authorities
- Regular contributor to MFSA's Market Abuse Regulation review initiatives
- Member of the Academic Committee of the European Banking Institute (EBI)
Relevant Publications
- "Artificial Intelligence and Market Abuse Legislation: A European Perspective" (Edward Elgar, 2023)
- "Markets in Crypto-Assets Regulation (MiCA) and the EU Digital Finance Strategy" (Capital Markets Law Journal, 2021)
When Professor Annunziata identifies a gap in EU financial regulation, policymakers pay attention. His JFSA paper is not speculative—it's a carefully documented analysis from someone who reviews regulatory decisions at the highest European level.
The Core Argument: AI Creates Risks That Current Frameworks Cannot Address
Professor Annunziata's paper examines the intersection of AI with the Market Abuse Regulation (MAR) through two critical lenses:
Lens 1: Insider Information and Disclosure
AI systems are increasingly involved in processing and acting on potentially price-sensitive information. But here's the problem: when an AI system "decides" whether information is material and when to trigger disclosure obligations, what happens if it fails? What constitutes "insider information" when the "insider" is an algorithm processing data at superhuman speeds?
The current disclosure framework under MAR Article 17 assumes human judgment at critical decision points. AI disrupts this assumption fundamentally.
Lens 2: Market Manipulation and Algorithmic Trading
This is where the paper's implications become particularly relevant to VCP. Professor Annunziata documents how AI-driven trading creates new manipulation risks that existing surveillance frameworks struggle to detect:
Quote Stuffing — Flooding order books with messages faster than competitors can process them
Layering/Spoofing — Placing orders with no intention of execution to move prices
Momentum Ignition — Triggering trend-following algorithms through strategic order placement
The critical insight: these behaviors often cannot be identified post-hoc without complete, tamper-evident, and verifiable audit trails that capture not just what happened, but the AI's decision-making context at microsecond resolution.
The Regulatory Landscape in 2026: Three Frameworks, One Compliance Challenge
To understand why VCP matters, we need to examine the regulatory requirements that algorithmic trading firms now face simultaneously.
Framework 1: EU AI Act (Regulation 2024/1689)
The EU AI Act becomes fully applicable to high-risk AI systems on August 2, 2026. While algorithmic trading systems aren't explicitly listed in Annex III, credit scoring and insurance risk assessment AI are classified as high-risk, and ESMA's guidance suggests similar treatment for trading AI.
| Article | Requirement | Technical Implication |
|---|---|---|
| Article 12 | Automatic event logging throughout the AI lifecycle | Complete audit trail of inputs, outputs, and decisions |
| Article 13 | Transparency and explainability | Documentation of decision factors and model states |
| Article 14 | Human oversight | Records of human approvals and interventions |
| Article 15 | Accuracy, robustness, cybersecurity | Protection against data poisoning and adversarial attacks |
"High-risk AI systems shall technically allow for the automatic recording of events ('logs') over the lifetime of the system."
— EU AI Act, Article 12
Framework 2: MiFID II and RTS 25 (Timestamp Precision)
MiFID II Article 17 mandates comprehensive record-keeping for algorithmic trading, but RTS 25 gets specific about precision:
| Trading Activity Type | Maximum UTC Divergence | Timestamp Granularity |
|---|---|---|
| High-Frequency Trading (HFT) | 100 microseconds | 1 microsecond or better |
| Standard Algorithmic Trading | 1 millisecond | 1 millisecond or better |
| Voice Trading Systems | 1 second | 1 second or better |
This isn't just about accurate clocks—it's about proving that your timestamps were accurate at the time of recording. Current approaches rely on attestations and periodic audits. They don't provide cryptographic proof.
Framework 3: MAR (Regulation 596/2014) and Surveillance Obligations
MAR Article 12 defines market manipulation to include algorithmic behaviors that:
- Disrupt or delay trading system functioning
- Make identification of genuine orders difficult
- Create false or misleading signals about supply, demand, or price
The surveillance requirements demand continuous monitoring, alert generation, and minimum annual audits.
The Gap That No Existing Solution Fills
Here's the uncomfortable truth that Professor Annunziata's analysis illuminates: no currently deployed solution provides verifiable compliance across all three frameworks simultaneously.
FIX Protocol
- Standardized trading messages
- No cryptographic integrity
- No tamper detection
- No AI governance metadata
ISO 20022
- Open standard for financial messaging
- Designed for payments, not trading
- No audit trail mechanisms
- No AI-specific extensions
Blockchain/DLT Solutions
- Cryptographic integrity
- External verifiability
- Not designed for trading events
- Latency inappropriate for HFT
- No AI governance integration
RegTech Platforms
- Trading surveillance
- Some AI integration
- No cryptographic proof
- Proprietary, vendor-locked
- Trust-based, not verification-based
The Missing Requirement: Completeness Guarantees
All existing solutions share a critical limitation: they can only prove that recorded data hasn't been altered—they cannot prove that all data was recorded. Under MAR surveillance requirements, how does an auditor verify that a firm didn't simply omit incriminating order flow?
How VCP v1.1 Addresses Every Requirement
The VeritasChain Protocol v1.1 was designed from first principles to provide cryptographically verifiable compliance across the EU regulatory framework.
Three-Layer Architecture
| Layer | Name | Function | Technical Implementation |
|---|---|---|---|
| L1 | Event Generation | Per-event integrity | RFC 8785 canonical JSON, SHA-256 hash, Ed25519 signature |
| L2 | Local Integrity | Per-batch integrity | RFC 6962 Merkle Tree, prev_hash chaining |
| L3 | External Verifiability | Third-party verification | Mandatory external anchoring |
VCP-CORE: Foundation Logging
| VCP Component | Technical Specification | Regulatory Mapping |
|---|---|---|
| EventID | UUIDv7 (RFC 9562) time-sortable | MiFID II RTS 25 traceability |
| TraceID | Cross-event correlation | EU AI Act Article 12 lifecycle |
| Timestamp | ISO 8601 with precision tier | RTS 25 100µs/1ms/1s requirements |
| ClockSyncStatus | PTP_LOCKED / NTP_SYNCED / FREE_RUNNING | RTS 25 Article 4 UTC traceability proof |
| Hash Chain | SHA-256 prev_hash linking | MAR surveillance tamper detection |
| Merkle Tree | RFC 6962 compliant | Selective disclosure, inclusion proofs |
VCP-GOV: AI Governance (EU AI Act Compliance)
| VCP Component | Function | Regulatory Mapping |
|---|---|---|
| ModelHash | SHA-256 of model parameters | Article 11 technical documentation |
| DecisionFactors | Input features, internal state | Article 13 explainability |
| OperatorID | Responsible human identifier | Article 14 human oversight |
| LastApprovalBy | Final approver + timestamp | RTS 6 Article 11 material change approval |
| ConfidenceScore | AI decision confidence | Article 86 right to explanation |
VCP-PRIVACY: GDPR Compliance Through Crypto-Shredding
Reconciling GDPR Article 17 with Permanent Audit Trails
VCP-PRIVACY implements crypto-shredding:
- Personal data is encrypted with keys stored in a separate Key Management System
- When erasure is required, keys are destroyed
- Audit trail integrity is preserved (hashes remain valid)
- Personal data becomes cryptographically unrecoverable
The Completeness Guarantees: VCP's Decisive Advantage
VCP v1.1's most significant innovation is completeness guarantees—the ability to prove not just that data wasn't altered, but that all data was recorded.
How It Works
- Continuous Merkle Root Computation: At regular intervals, VCP computes a Merkle root over all events in the batch
- External Anchoring: This root is committed to an external, independently verifiable timestamp service
- Consistency Proofs: Between consecutive batches, VCP generates Merkle consistency proofs per RFC 6962
- Split-View Attack Detection: Any attempt to present different logs to different parties is cryptographically detectable
Regulatory Significance
For EU AI Act Article 12: Post-market monitoring requires confidence that logs are complete. VCP's external anchoring provides mathematical proof that no events were omitted.
For MAR Surveillance: When investigating potential manipulation, regulators need assurance that the audit trail is comprehensive. VCP's completeness guarantees eliminate the possibility of selective evidence destruction.
For MiFID II RTS 6 Annual Self-Assessment: Firms must certify their algorithmic trading governance annually. VCP's verifiable completeness transforms this from an attestation-based process to a cryptographically provable one.
Tier-Based Implementation: From HFT to Retail
VCP v1.1 recognizes that different market participants have different precision requirements.
| Tier | Anchoring Mechanism | Precision | Target Use Case |
|---|---|---|---|
| Platinum | PTPv2 (IEEE 1588) + Blockchain | <1µs | HFT, exchanges, dark pools |
| Gold | Stratum-1 NTP + Distributed TSA | <1ms | Institutional investors, brokers |
| Silver | OpenTimestamps (Bitcoin) | Best effort | Retail, MT5/cTrader users |
The Strategic Imperative: 2026 and Beyond
The August 2026 Deadline
When EU AI Act high-risk requirements take full effect on August 2, 2026, firms operating AI-driven trading systems will face a stark choice:
- Trust-based compliance: Attestations, policies, manual audits—and hope regulators accept them
- Verification-based compliance: Cryptographic proof that satisfies regulatory requirements mathematically
The Enforcement Landscape
Recent Enforcement Actions
- CONSOB (Italy): Actions against Optiver and Flow Traders for algorithmic manipulation
- Energy Trading Enforcement Forum (November 2025): ESMA and ACER discussing algorithmic manipulation trends
EU AI Act penalties: Up to €15 million or 3% of global annual turnover for non-compliance with high-risk requirements. For prohibited practices: €35 million or 7%.
Conclusion: From Trust to Verification
The regulatory landscape facing algorithmic trading firms is unprecedented in its complexity and consequence. EU AI Act, MiFID II, and MAR create overlapping but distinct requirements that no existing solution fully addresses.
Professor Annunziata's MFSA/JFSA paper articulates what we've been building toward since VSO's founding: the financial industry needs cryptographic proof, not institutional trust.
VCP v1.1 Provides
- The only open standard combining RFC 6962 cryptographic techniques with trading-specific requirements
- The only protocol designed for both MiFID II RTS 25 timing and EU AI Act governance
- The only solution providing mathematical proof rather than institutional trust
- The only implementation with production-proven integration across FIX, NASDAQ, MT5, cTrader, and IBKR
- The only framework reconciling GDPR deletion rights with permanent audit trail obligations
The August 2026 deadline is approaching. Harmonized standards are delayed. Enforcement is intensifying.
The firms that adopt verification-based compliance now won't just meet regulatory requirements—they'll demonstrate a level of transparency that becomes a competitive advantage in a market where trust has been repeatedly violated.
Verify, don't trust. That's not just our philosophy. It's increasingly what regulators demand.
Get Started with VCP
Implement verification-based compliance before the August 2026 deadline.
Read VCP v1.1 Specification View on GitHubResources
- VCP v1.1 Specification: github.com/veritaschain/vcp-spec
- IETF Internet-Draft: draft-kamimura-scitt-vcp
- Technical Inquiries: technical@veritaschain.org
- Partnership Inquiries: partners@veritaschain.org
VeritasChain Standards Organization (VSO) is a non-profit, vendor-neutral standards body dedicated to developing cryptographic audit trail standards for AI-driven and algorithmic trading systems. VSO has submitted VCP documentation to 67 regulatory authorities across 50 jurisdictions.