Market anomaly: Layering

• MEXC (March–May 2025): The exchange publicly stated that it had stopped a coordinated network; among the named behaviours were spoofing and layering. Additionally, MEXC published risk-control guidelines that explicitly list layering as a practice to be prevented. Status: exchange statement / policy documentation.
• Note: In supervisory practice, layering has been classified for years as a variant of spoofing – several US enforcement cases define layering precisely; I use those references in the comparison with regulated exchanges below.

In one sentence: With layering, an actor places several large, visibly staggered limit orders on one book side (e.g. three to five price levels below the best bid) without true execution intent, to signal pseudo-depth and steer price flow.

How it works in practice

1. The actor builds a "ladder" of limit orders (e.g. at −5, −10, −15 basis points) on one side of the order book.
2. Other participants see the apparently broad demand/supply and adjust their quotes or trades (e.g. market-makers pull bids closer).
3. As soon as the price moves toward the ladder, large portions of the visible layers are cancelled synchronously or shifted as a block; the ladder is therefore deception rather than real liquidity.
4. The initiator exploits the induced price movement and trades on the opposite side (e.g. sells into the briefly pulled-up bid).

Core idea: Not a single "wall" but several staged fake levels create a convincing depth image that temporarily influences order flow and micro price path. This structure – multiple non-bona-fide orders across levels – is precisely what regulators in supervised markets categorise as "layering".

• Staggered depth: 3–5 large limit orders on one side with 10–25 bp spacing that appear, move or disappear together.
• Short lifetime & synchrony: Markedly increased cancel rate and synchronous removal of large parts of the ladder exactly when the price approaches.
• Imbalance flip + contra-trade: After ladder cancel the book balance flips and fills occur on the opposite side shortly thereafter.
• Disproportionate price reaction relative to actual executions (sign of deceptive depth rather than genuine liquidity).

These signatures align with established supervisory and research literature on layering/spoofing.

• High API cadence: Large CEXs permit very high order/cancel rates – enough to build and remove ladders with millisecond precision.
• Single-venue view: Unlike equity markets there is no CAT-like cross-venue audit trail; external parties only see the respective order book. That makes reconstruction of intent and multi-account networks across venues harder.

• Explicit prohibition: US supervisors and exchanges explicitly define layering as placing multiple non-bona-fide limit orders on one side to create artificial impression of supply/demand, followed by a trade on the opposite side and cancelling the staged orders. (SEC cases such as Avalon/LEK; Nasdaq rule material cites the definition verbatim.)
• Surveillance & tooling: FINRA cross-market reports explicitly address layering/spoofing; exchanges and SROs monitor across venues. EU-MAR (Art. 12) prohibits "false or misleading signals" - order-based deception like layering is subsumed.

• Market quality: Layering distorts spread, depth, price path and can trigger momentum/arb cascades – especially in thin books.
• EU-MiCA & ESMA: With applicability since 30 Dec 2024 and the transitional framework, the EU increasingly demands data-driven surveillance of order signals vs. execution; providers will be measured against clear, documentable controls.

Adaptive, quantile-based, measured per symbol/venue against a 30-day baseline at the same time of day. Required: L2/L3 events Add/Modify/Cancel at ms resolution + trades.

E3 (high) – "classic ladder" with spoof signature

• ≥3 price levels @ ≤ 25 bp show simultaneous notional ≥ p99, and
• ≥ 70 % of this notional is synchronously deleted/moved within ≤ 800 ms on price approach, and
• Cancel-to-Trade (C2T) > p99 on the ladder side plus contra-fill (small/medium) within ≤ 2 s after the cancel.

E2 (medium)

• Ladder with 2–3 levels, partial-synchronous cancel/shift, C2T > p97 and short imbalance flip.

E1 (low)

• Recurrent mini-ladders (2 levels) @ ≤ 15 bp, without clear opposite-side fills → watchlist.

• Differentiate legitimate market-making: Short quote updates are normal. Therefore examine lifetime, C2T and price reaction together – not isolated metrics.
• Distance binning to the touch: Layering signals sit close to the touch; analyse 0–10 bp / 10–25 bp / 25–50 bp separately (granularity improves precision).
• Exclude technical artefacts: Deploys, gateway outages, rate-limit brakes can create cancel clusters; consult logs.
• Check account coherence: Synchronized cancels across multiple accounts (shared KYC/IP/key families) are stronger evidence than signals from a single account.

• For traders: Early recognition of layering prevents fills against false depth, reduces slippage and protects against false breakouts.
• For operators / compliance: Clean evidentiary chains (timestamps, C2T, lifetime, distance bins, contra-fills) ease internal reviews, customer communication and – if needed – cooperation with supervisors in the sense of MiCA/MAR.

• MEXC – Blog post "MEXC Detects and Eliminates Coordinated Market Manipulation Scheme", March 25, 2025. Exchange statement; names spoofing/layering among addressed behaviours.
• MEXC – "Risk Control Guideline", May 1, 2025. Policy document; lists wash trading, spoofing, layering, front-running as prohibited activities.
• Nasdaq – Federal Register notice re SR-NASDAQ-2016-092 (rule material), July 7, 2016. Defines "layering" explicitly as multiple non-bona-fide limit orders on one market side whose cancel/shift creates an artificial price position.
• SEC – press release "SEC Charges Firms Involved in Layering… (Avalon/LEK)", March 10, 2017; and "SEC Obtains Final Judgments Against Lek Securities…", October 2, 2019. Enforcement cases; layering definition and practice context.
• FINRA – "Cross-Market Equities Supervision: Potential Manipulation Report", May 26, 2016. Surveillance report incl. layering/spoofing alerts.
• Regulation (EU) No 596/2014 (MAR), Art. 12. Prohibition of "false or misleading signals"; order-based deception (like layering) is subsumed.
• Vega Economics (2021): "Spoofing Enforcement in an Increasingly Complex World" – describes layering as a spoofing variant with multi-level orders.