Dear Mr. Kirkpatrick:
Thank you for the opportunity to comment on the proposed Regulation Automated Trading by the Commodity Futures Trading Commission (CFTC or Commission). The Mercatus Center at George Mason University is dedicated to bridging the gap between academic ideas and real-world problems and advancing knowledge about the effects of regulation on society. My comments do not reflect the views of any affected party or special interest group, but are designed to assist the Commission in the rulemaking process and reflect our general concerns about the proposed regulation. Specifically, this letter focuses on the following points:
- This regulation is not necessary given ongoing, voluntary industry efforts to address risks surrounding algorithmic trading, other rules, and the Commission’s existing enforcement authority.
- The proposed regulation is overly broad in reach and excessively prescriptive in nature.
- Allowing regulators and others unfettered access to firms’ source code unnecessarily compromises proprietary business information.
I. The Proposed Regulation Is Redundant and Burdensome
The Commission’s proposal does not clearly identify a problem in need of a solution. Without first identifying a problem, the Commission cannot know whether its proposed solutions will be effective. The proposed rule describes a number of market disruptions over the past five years—primarily in the securities markets and foreign markets—in which algorithmic trading played a role. The CFTC does not show that these incidents are representative of a more pervasive issue. More generally, as I noted in my comment letter in response to the concept release, the problems on which the CFTC is focused are not products of the technology being used in today’s markets, but rather are products of “the human interaction with the technology, particularly system programming and oversight.” Many of the market-disrupting events described in the Commission’s proposal are examples of human factor errors, which can be better addressed cooperatively rather than through additional regulatory oversight.
Market participants are keenly aware of the issues that can arise when humans engage with technology and take steps of their own accord to implement safeguards. In a competitive market, where a misstep can destroy a firm, there are strong incentives to develop and maintain effective risk controls. Market participants also have an incentive to monitor one another. As I noted in my prior comment letter, because “no legitimate market participant ultimately has anything to gain in an unstable or chaotic market,” market participants engage in “self-monitoring, self-regulation, and internal controls.”
The Commission does not question the existence or efficacy of these existing private sector mechanisms. Quite the opposite, the notice frequently praises the general adequacy of the industry’s ongoing self-regulatory efforts and best practices. As Commissioner J. Christopher Giancarlo points out in his statement regarding the proposal, “Regulation AT simply codifies a small subset of industry best practices, while adding heavy compliance burdens.”
The CFTC’s conclusion that the rules do not add to existing industry practices is evident in the discussion of benefits and costs, which downplays the significance of both benefits and costs of the proposed rule. The CFTC states, for example, that the proposal merely “standardizes existing industry practices in this area, and does not impose additional requirements beyond existing best practices that most market participants satisfy.” The discussion of costs does not acknowledge that complying with a government mandate is inherently more costly than adhering to best practices, because of the potential that an innocuous misstep could produce an enforcement action.
Why proceed with a proposal that merely affirms what industry is already doing? The Commission explains that the proposal is designed to stop “an outlier firm without sufficient risk controls [from causing] significant market disruption” and speculates that the proposal “may serve to limit a ‘race to the bottom’ in which certain entities sacrifice effective risk controls in order to minimize costs or increase the speed of trading.” The CFTC does not provide evidence that such a race to the bottom is occurring. Discipline of potential outliers is already provided by exchanges or futures commission merchants. Moreover, the outlier firms at which the rule is directed are the firms least likely to worry about violating regulations. Thus, the rule will burden already diligent firms and employees with the fear of an enforcement action based on effectively harmless noncompliance with the rules.
By turning algorithmic trading risk control into a regulation-based exercise, the Commission risks compromising market participants’ ability to quickly respond to disruptive events with well-tailored solutions. In addition, the rules-based approach may dissuade regulated entities from notifying the CFTC of problems as they arise and working collaboratively with the Commission on solutions. As I noted in my response to the concept release: “Implementing formal and highly specific regulation implies the desire to impose sanctions when there is a technological failure or other problem with trading systems. This environment may discourage expeditious self-reporting of events to the public and regulators.”
As the CFTC recognizes, the industry’s self-regulatory efforts are already bolstered through other regulatory efforts. The notice mentions the Commission’s new authority regarding manipulative and deceptive devices, price manipulation, and spoofing. The notice also mentions other regulators’ efforts, including the two Securities and Exchange Commission (SEC) initiatives, Regulation Systems Compliance and Integrity (Reg SCI), and Consolidated Audit Trail. The Commission does not explain why existing regulations, and targeted enforcement actions based on these regulations, are not adequate to address its concerns about the potential for algorithmic trading to destabilize markets.
It is also worth noting that while the SEC has made similar efforts to codify best practices through Reg SCI, market participants have expressed little confidence that this additional regulation has reduced or will in the future reduce technology problems, whereas regulators and legislators express nearly four times as much confidence. Instead of imposing additional costs and punitive measures on market participants in an effort to solve political problems, it is better to strive to reestablish consultative relationships between regulators and participants while continuing to enforce existing rules.
II. The Proposed Regulation Is Overly Broad and Prescriptive
The proposal’s definition of algorithmic trading is very broad and makes the rule unnecessarily expansive in reach. Absent “every parameter or attribute” of an order being entered by a natural person, an order for which any determination is made by a computer algorithm or system will be deemed algorithmic trading. The Commission is contemplating further broadening the definition to include any order “generated using algorithmic methods,” even if the order is manually entered. With or without this change, the term encompasses most trading.
The Commission’s proposal would require proprietary trading firms that use algorithmic trading and access the market directly to register as floor traders, be subject to the CFTC’s associated risk control and recordkeeping requirements, and register with the National Futures Association. Requiring firms engaged in trading for their own account to register and be subject to a host of new requirements creates an unnecessary barrier to participating in the markets. The CFTC explains that this expansion is necessary because “a technological malfunction in a single trading firm’s systems can significantly impact other markets and market participants.” Even before using the technologies they use today, proprietary traders had the potential to impact markets. The designated contract markets (DCMs) to which these traders have direct access are already able to monitor these firms and ensure that they are not posing problems to the rest of the market.
The Commission is to be commended for allowing some flexibility in its proposal, but the proposal remains more prescriptive than it needs to be. The Commission describes its approach in the proposed rule as “balanced” and “principles-based” because the rule allows some tailoring by firms. Nevertheless, the proposal imposes a number of specific requirements.
For example, the notice specifies that “staff persons who are responsible for monitoring the trading of other AT Person staff should typically not be actively engaged in trading at the same time, because it would be difficult to adequately and consistently monitor trading of other AT Person staff while engaged in trading activities.” The required separation of trading and monitoring functions is akin to requiring that every firm engaged in algorithmic trading have a dedicated compliance person. Further burdening small firms, the Commission requires “staff of the AT Person to review Algorithmic Trading systems in order to detect potential Algorithmic Trading Compliance Issues” and specifies that “such staff must include staff of the AT Person familiar with” the relevant laws, regulations, and rules. This language would seem to preclude the use of outside consultants, which could be a more affordable method of compliance for small firms.
The proposal also sets out a prescriptive training regimen for trading staff. More generally, the proposal takes a self-described “multi-layered approach” to controlling algorithmic trading risk, which means that trading firms, Futures Commission Merchants (FCMs), and DCMs may perform overlapping and duplicative work. A less prescriptive approach would allow market participants to divide the risk control work among themselves in whatever way they deem to be most effective.
Another portion of the rule requires firms using algorithmic trading to meticulously document all changes to their code. This bureaucratization of the process for updating and refining code may harm markets by making it more difficult for market participants to respond to problems as they arise. The source code requirement is the subject of the next section.
III. The Proposal Places Firms’ Source Code at Unnecessary Risk
The proposal’s requirement that algorithmic traders maintain a source code repository is burdensome and unnecessarily places confidential business information at risk—a cost the Commission does not recognize in its consideration of benefits and costs. The Commission proposes specifically to require each person covered by the rule to have policies and procedures in place that include:
Maintaining a source code repository to manage source code access, persistence, copies of all code used in the production environment, and changes to such code. Such source code repository must include an audit trail of material changes to source code that would allow the AT Person to determine, for each such material change: who made it; when they made it; and the coding purpose of the change. Each AT Person shall keep such source code repository, and make it available for inspection, in accordance with § 1.31.
Under section 1.31, records are “open to inspection by any representative of the Commission, or the United States Department of Justice.” Commissioner Giancarlo correctly captured the magnitude of this brief piece of the new rule: “I am unaware of any other industry where the federal government has such easy access to a firm's intellectual property and future business strategies. . . . Any data breach of this information would be devastating for such entities and, potentially, for the safety and orderly operation of U.S. markets.” Allowing government employees, many of whom may move to the private sector or trade on their own personal accounts, to comb through source code exposes a key asset of algorithmic traders to theft.
Firms’ proprietary data could also be inadvertently exposed to unauthorized persons through poor federal information security practices. In 2012 an investigation into the computer security lab within a program called Automation Review Policy in the SEC’s Division of Trading and Markets found that laptops were not properly encrypted, lacked virus protection, and were being taken off-site and left unsecured in hotel rooms and offices outside the SEC. These same laptop computers were also at times hooked up to public wireless connections or the lab’s “unfiltered, unmonitored . . . Internet connection” to access personal email and download freeware. More recently, an audit of CFPB information security practices found that the agency secures remote access to its IT infrastructure with outdated cryptographic technologies that NIST has identified as having known security vulnerabilities.
Under the proposal, the source code may also be accessible to nongovernmental employees. Under the CFTC’s general books and records rules, “any person who uses only electronic storage media to preserve some or all of its required records” must contract with “at least one third party technical consultant” who can facilitate government access to the records. These existing rules could further compound hacking and theft liabilities for firms subject to the new rules.
Further, under the proposed rules, DCMs must monitor compliance by algorithmic traders with the proposed rule and, as part of their monitoring, may “require each AT Person to keep and provide to the designated contract market books and records regarding” the AT Person’s compliance with the proposed rules. Arguably, the DCM could use its inspection authority under these rules to look at source code repositories.
In requiring such broad access to source code, the Commission does not take into account the potential for confidential business information to be compromised. By contrast, the notice of proposed rulemaking took steps to ensure that the rule did not “require the disclosure of trade secrets by any DCM.” Source code is a target not only for competitors, but also for people intent on disrupting markets. The CFTC should reconsider whether requiring the retention of detailed information about code changes will stymie market participants’ legitimate efforts to fine-tune algorithms—while simultaneously opening the door to illegitimate efforts to steal or manipulate algorithms.
Ill-considered regulation regarding algorithmic trading will adversely affect the ability of legitimate market participants to contribute to liquidity, price discovery, narrow spreads, and low trading costs. The CFTC shares with market participants a growing interest in algorithmic trading and its potential effects on the markets. Rather than working with market participants cooperatively, the Commission proposes a prescriptive regime applicable to virtually any firm that trades in the futures (and swaps) markets. If finalized, this proposal will establish an approach dominated by enforcement that will chill firms’ willingness to work with the Commission to address emerging problems in the area. In addition, by opening firms’ source code to unlimited inspection by the Commission and others, the proposal creates dangerous vulnerabilities for an asset of utmost importance to trading firms.