CFTC Pushes Forward with Reg AT, Source Code Provision as Giancarlo Dissents

You might not expect English common law, the US Bill of Rights, and Ben Franklin to be evoked in a discussion about algorithmic trading, but that's where CFTC commissioner J. Christopher Giancarlo's argument against Regulation AT ended up.

In a 2–1 vote—with Giancarlo voting no, and chairman Timothy Massad and commissioner Sharon Bowen voting in favor—the CFTC approved the "Supplemental Notice of Proposed Rulemaking—Regulation Automated Trading." The body will now publish the Supplemental Notice in the Federal Register, which will be followed by a 60-day period for people to submit comment letters. From there, the CFTC staff will read those letters, incorporate any new thoughts/ideas/changes into the rule, and send it to the commissioners as a "Final Rule." It's unknown, at this point, how long the whole process will take before a final vote is taken.

The proposed new rule, designated as regulation 1.84, which would supplement regulation 1.31, more clearly articulates that staff's access to source code is limited to subpoena or special call. Execution of a special call must be authorized by the Commission itself and execution would be limited to the director of the Division of Market Oversight (DMO). The new proposal also stipulates that an AT person—the definition of which the commission also addressed during the meeting—keep records of the log files of those using the code. Absent a subpoena, access to the log files will also be limited to special call. Firms must maintain both source codes and log files for five years.

Constitutional Issue?

The CFTC's procedural burden for acquiring a firm's source code would remain essentially the same as it is today. Where Giancarlo objected, though, was the potential stripping of a firm's Fourth Amendment rights.

"Under this proposal, while it may remain the same procedurally for the CFTC, we take away the procedural rights of the property owner. They have no choice—if this rule is passed—but to hand over their source code and basically shut up. How is that fair?" J. Christopher Giancarlo, CFTC

As it stands today, a firm is protected by the Fourth Amendment against unreasonable searches and seizures of their property without a subpoena. The process itself allows firms to go to a judge and seek to have the request limited in scope, in duration or have other controls put in place around the data being turned over. These new proposals, Giancarlo contended, would remove those rights.

"Under this proposal, while it may remain the same procedurally for the CFTC, we take away the procedural rights of the property owner. They have no choice—if this rule is passed—but to hand over their source code and basically shut up. How is that fair?" Giancarlo asked. "Any public good achieved by the rule is, in my mind, undone by this provision that proprietary source code used in trading algorithms be accessible at anytime, anywhere, to the CFTC and the Justice Department without a subpoena."

The special call provision, which is designed to gain additional information about a firm's traders and/or about a participant's trading and delivery activity, including information on persons who control or have a financial interest in the account, allows the CFTC's enforcement division to circumvent having to acquire a subpoena to look at the source code.

"Utilizing DMO's special call procedures to seize source code provides [a way of avoiding] the subpoena process; there's nothing in the supplemental notice that I can see to limit DMO's sharing of gathered source code with the staff of the division of enforcement," Giancarlo said. "The proposal would allow enforcement to view source code without having—as they do today—to get a subpoena."

Security Concerns

Giancarlo also worried about security issues. The rule cross-references existing confidentiality requirements and does not create any new rules around security.

Giancarlo asked why they wouldn't create new provisions that would stipulate that the CFTC has to immediately give back the code or destroy it—rather than leave it on the CFTC's premises—after use, or only view the code at the firm's offices. He also questioned why they didn't build protections around who has access to the code or ensure that the code is only used on an air-gap computer that's not connected to the internet.

While algorithmic technology has become exponentially more sophisticated, Giancarlo was concerned that this proposal doesn't incorporate new thought in protecting these new technologies. He then proceeded to tick off several instances of hacks and information leakages at the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the CFTC itself.

"Absent specific measures, I have to say it's absurd to suggest that source code will be kept secure," he said. "The CFTC itself has an imperfect record as a guardian of confidential proprietary information. If this rule proposal goes forward, it will make itself a target for a broader group of cyber criminals, including those engaged in cyber espionage."

For his closing salvo, he called these proposals a "reckless step onto a slippery slope."

In Favor

Still, the measure passed. Massad said that without Reg AT's source code provision, algorithmic traders would have less oversight than those who trade using email and voice.

Today, if there is suspicious activity in the market, the DMO calls up the trading participant and—without needing a vote by the Commission—gets an idea of what their position in the market is and what their intentions are.

But Massad believes that right now the CFTC is giving off the appearance that since the strategy isn't in emails, phone calls or other "old-world" formats, the CFTC isn't allowed to easily get its hands on that information for surveillance purposes (rather than enforcement, which has always required a subpoena).

"If you trade in our markets under the old-world ways, you're subject to surveillance; if you trade in our markets under the new-world ways of algos, that's a violation of the Constitution," he said. "We're not changing our process; we're updating our rules for the fact that the way trading is conducted has changed."