Risk & Compliance Framework | OpenClaw Trading

🚨 Non-Negotiable Rules

NEVER give an agent withdrawal permissions on day one (or ever, if possible)
ALWAYS start with read-only API keys, graduate to trading permissions only after extensive paper trading
ALWAYS paper trade for at least 3 months before live deployment
NEVER run automated trading without a kill switch
ALWAYS rotate API keys regularly and use IP allowlists
NEVER store API keys, wallet addresses, or credentials in workspace files

💥 Common Failure Modes (With Real Examples)

1. Hallucinated Financial Data

AI agents can confidently state incorrect prices, earnings figures, or analyst ratings. This is the #1 risk.

Real example: Agent reported AAPL earnings beat by $0.50 when actual miss was $0.30. User nearly traded on false info.

Mitigation: Always verify critical data against primary sources before trading. Build cross-checks into your agent.

2. Latency Issues (Not HFT)

OpenClaw is NOT suitable for high-frequency trading. Browser automation, API calls, and model inference add seconds to minutes of latency.

Real example: User's breakout strategy failed because by the time agent detected and executed, price had already moved 2%.

Mitigation: Use for swing trading (hours/days), not intraday. Understand your latency budget.

3. API Rate Limits

Free tier APIs have strict rate limits. Exceeding them causes missed signals or failed orders.

Real example: Alpha Vantage free tier (5/min) hit limit during volatile market, missed 3 entry points.

Mitigation: Monitor API usage. Implement exponential backoff. Upgrade to paid tier for production.

4. Backtest ≠ Live Performance

Strategies that look great in backtest often fail live due to slippage, fees, and market impact.

Real example: Mean reversion strategy showed 40% annual return in backtest, lost 15% in first month live.

Mitigation: Paper trade extensively. Include realistic slippage and fees in backtests.

5. Agent Runaway

Bugs in logic can cause repeated unwanted trades (e.g., buy signal triggers 10x in one minute).

Real example: User's DCA bot bought $10k of BTC instead of $1k due to loop bug.

Mitigation: Implement per-trade and daily limits. Use idempotency keys. Monitor actively.

🔒 Security Checklist

API Key Security: Store keys in environment variables, never in workspace files or SOUL.md

Key Permissions: Use trade-only keys, disable withdrawal permissions

IP Allowlisting: Enable IP allowlist on all broker/exchange accounts

2FA: Enable two-factor authentication on all trading accounts

Key Rotation: Rotate API keys every 30-90 days

Sandboxing: Run trading agents in isolated sessions with limited permissions

Audit Logging: Log all agent decisions and executions for review

Network Security: Use firewall rules, don't expose Gateway publicly without auth

📊 Position Limits & Risk Management

Encode these rules in your SOUL.md or agent configuration:

Rule	Beginner	Intermediate	Advanced
Max position size	2% of portfolio	5% of portfolio	10% of portfolio
Max daily loss	1% of portfolio	2% of portfolio	3% of portfolio
Max concurrent positions	3 positions	10 positions	20 positions
Stop-loss requirement	Mandatory	Mandatory	Strategy-dependent
Leverage allowed	None (1x)	2x max	Strategy-dependent

🔴 Kill Switch Patterns

Every automated trading agent MUST have an emergency stop mechanism.

Pattern 1: Telegram Command Kill Switch

# In your trading agent's SOUL.md or config:

## Kill Switch Commands
- /killswitch HALT - Immediately stop all trading, cancel open orders
- /killswitch STATUS - Show current kill switch status
- /killswitch RESUME - Resume trading (requires manual confirmation)

## Implementation
When /killswitch HALT is received:
1. Cancel all open orders via broker API
2. Set trading_enabled = false in state file
3. Send confirmation to Telegram
4. Log the event with timestamp and reason
5. Require manual /killswitch RESUME to restart

Pattern 2: Time-Based Auto-Shutoff

# Agent automatically stops trading:
- After 3 consecutive losing trades
- After hitting daily loss limit
- Outside of defined trading hours
- When volatility exceeds threshold (e.g., VIX > 40)

Pattern 3: Human Approval Gate

# For high-risk actions, require human approval:
- Any trade > 5% of portfolio
- Any options trade
- First trade of the day
- Trades during earnings announcements

Agent sends: "🚨 Approval Required: Buy 50 NVDA @ $450 ($22,500, 5% of portfolio). Reply YES to confirm, NO to cancel."

⚖️ Regulatory Overview (High-Level, Not Legal Advice)

⚠️ This is NOT legal advice. Consult a qualified attorney in your jurisdiction.

Jurisdiction	Regulator	Key Considerations
United States	SEC, FINRA, CFTC	Pattern Day Trader rule (25k min for 4+ day trades/week). Advisers Act may apply if managing others' money. Tax: wash sale rules.
Singapore	MAS	Personal trading generally unregulated. Crypto trading legal but unregulated (MAS warnings apply). No PDT rule. Tax: no capital gains tax.
United Kingdom	FCA	Personal trading unregulated. Crypto regulated for AML. Tax: capital gains tax applies, annual allowance £6,000 (2024).
European Union	ESMA, national regulators	MiFID II applies to firms, not personal trading. Crypto: MiCA regulation coming. Leverage restrictions on retail CFDs.

Key Regulatory Questions to Ask:

Are you trading your own money or others'? (Advisers Act, fund registration)
Does your strategy constitute a "security" or "derivative"? (Product regulation)
Are you crossing borders? (Jurisdictional issues)
What are the tax implications? (Capital gains, income, reporting)
Does your broker have restrictions on automated trading? (Terms of service)

🚩 Red Flags: Signs Your Agent is Malfunctioning

CRITICAL Executing trades outside defined trading hours

CRITICAL Position sizes exceeding limits

CRITICAL Repeated identical trades (loop bug)

WARNING Unusual increase in trade frequency

WARNING Consistent losses on a previously profitable strategy

WARNING API errors or rate limit warnings

WARNING Agent making "confident" statements about uncertain data

🚨 Emergency Procedures

If Your Agent Goes Rogue:

Immediately send kill switch command (/killswitch HALT)
If that fails: Log into broker/exchange directly and cancel all open orders
Revoke API keys in your broker/exchange account settings
Stop the OpenClaw Gateway: openclaw gateway stop
Review logs to understand what went wrong
Do NOT restart until you've identified and fixed the root cause

Emergency Contacts to Have Ready:

Broker/exchange support phone number (not just email)
API kill switch command (memorized or in secure location)
Backup internet connection (in case primary fails during emergency)

📋 Insurance & Liability Considerations

Hard truth: If your agent loses money due to a bug, you have no recourse. This is your responsibility.

Broker SIPC insurance (US) covers broker failure, NOT trading losses
Exchange insurance (crypto) varies widely, often limited
Personal insurance typically does NOT cover algorithmic trading losses
Legal liability if your agent affects market prices or trades on material non-public information

💡 Bottom Line

Only risk money you can afford to lose
Start small, scale gradually
Paper trade extensively
Monitor actively, especially in early days
Accept that bugs WILL happen

Last updated: 2026-03-29 | ← Back to Home | This is NOT legal or financial advice