Securities Regulation Daily
Friday, June 10, 2016

Trading firms fight back on proposed Regulation AT source code requirements

By Lene Powell, J.D.

Members of proprietary trading firms remain strongly opposed to a controversial provision in proposed CFTC automated trading rules that would require firms to keep records of the source code for their algorithmic trading software in a repository and make it available to the CFTC upon request. In a public roundtable discussing various aspects of proposed Regulation AT, many participants said it would be dangerous to provide this information because it contains their proprietary trading strategies, and might be of limited use to the CFTC in any case.

Under the proposed rule, market participants covered by the rule would have to maintain algorithmic source code in a repository and make it available to the CFTC upon request. According to Sebastian Pujol Schott, associate director of the Division of Market Oversight, staff views the provision as a recordkeeping rule to ensure that records are maintained and are provided to the Commission when necessary. He noted that commenters have said source code is a unique kind of record, and the CFTC respects that it has unique characteristics and is balancing that against the policy aims of the regulation.

Due process concerns. In a written statement, Commissioner J. Christopher Giancarlo criticized the provision, saying subpoenas have served the CFTC and market participants well for over 40 years. He does not see any practical reason the existing process should be abridged, nor any legal foundation for doing so.

"Of all the components of the Commission’s proposal, the extraordinary requirement that proprietary source code be accessible to the government without a subpoena is the most unsettling," Giancarlo wrote.

Giancarlo explained that the CFTC’s existing subpoena authority allows the Commission to gather information "reasonably relevant" to an inquiry within its purview, but only upon a Commission vote. Further, parties subject to a subpoena can seek judicial review to determine whether the request for information is within the Commission’s power. Giancarlo does not believe this process is burdensome for the CFTC. As for time needed to gather information, if the CFTC is envisioning looking at millions of lines of source code during a crisis, then it has bigger problems, he said.

Confidentiality and security. Giancarlo is also concerned that source code provided to the CFTC may not be kept confidential. He pointed out that in just the six months since Regulation AT was proposed, hackers have breached computer networks at some of the country’s most prestigious law firms, the FDIC, the IRS, and the Federal Reserve. The Office of Personnel Management failed a security audit last November—more than six months after a breach of 21 million personnel records was discovered. Federal, state, and local government agencies rank last in cybersecurity compared to 17 major private industries. And, the CFTC itself has an imperfect record as a guardian of confidential proprietary information, he said.

Roundtable participants echoed these concerns, observing that their source code is their firms’ "secret sauce." One participant described a series of "ring fences" of restrictions at each level of access, from the all-firm level, to having access to some code portions, to being able to access the most sensitive parts of the code. Asking to see a firm’s source code would be like demanding to see Google’s search algorithm or Coca-Cola’s recipe for Coke, he said.

Another participant acknowledged a possible need for regulators to view code, but said code should not leave the firm. Perhaps regulators could look at code on-site, he suggested. That way, the firm could log exactly which regulatory personnel viewed exactly which code portions, and firm members could show regulators how the code worked.

Limited usefulness. Some participants said it was not clear what would need to be provided: machine-readable code or the human-readable text? Others said that without knowing how a given section of code functions, having access to source code might not be very useful to regulators. They said that without context, it’s very difficult to know what a piece of code does, and you really need the developer sitting next to you and saying "This is what this section does. This is what that section does." And, the whole dataset is needed. One asked what good it would be to have the source code from three years ago—but not the market data or inputs.

Support for proposal. A representative of Americans for Financial Reform supported the source code proposal. He said that although often complex, source code is not unique, but really just a type of trading instructions. He added that it’s routine for trading instructions to be included in recordkeeping rules, including algorithmic instructions like limit orders. As such, source code should not be exempt from recordkeeping regulations. Moreover, keeping a record of changes to the source code is a good business practice so that an audit trail is available, he said.

Regarding the confidentiality issue, he said that banking regulators get access to a lot of highly confidential information and are able to keep it safe.
