The Death Knell Sounds for Reg AT's Source-Code Provision

On Tuesday, Commodity Futures Trading Commission (CFTC) chairman Timothy Massad announced he would step down from his post later this month. On Wednesday, President-Elect Donald Trump announced that he would appoint attorney Jay Clayton to head the Securities and Exchange Commission (SEC). Even though we're still 15 days away from Inauguration Day, the regulatory pieces are starting to take shape.

Reading the tea leaves, it appears that we're about to head into a period of—if not deregulation—then at least a freeze on new regulations coming out of the US. This is important, because as Regulation Automated Trading (AT) weaves its way through the final approval process, the controversial "source-code provision" may not make it to the finish line. (For more on Reg AT, why it was created, and some of its controversial aspects, you can read my feature from April.)

Here's the way I see it: With Massad departing, it would not be surprising at all to see his colleague, J. Christopher Giancarlo, a Republican, take over as chairman, or at least interim chair. The only other commissioner currently serving, Sharon Bowen, is a Democrat. With Trump as president, she will not get the head seat.

Massad was keen to advance the source-code provision of Reg AT. In November, the CFTC pushed forward with the source code rule, with Massad and Bowen in favor, and Giancarlo in strong dissent. From that meeting:

As it stands today, a firm is protected by the Fourth Amendment against unreasonable searches and seizures of their property without a subpoena. The process itself allows firms to go to a judge and seek to have the request limited in scope, in duration or have other controls put in place around the data being turned over. These new proposals, Giancarlo contended, would remove those rights.

"Under this proposal, while it may remain the same procedurally for the CFTC, we take away the procedural rights of the property owner. They have no choice—if this rule is passed—but to hand over their source code and basically shut up. How is that fair?" Giancarlo asked. "Any public good achieved by the rule is, in my mind, undone by this provision that proprietary source code used in trading algorithms be accessible at anytime, anywhere, to the CFTC and the Justice Department without a subpoena."

The special call provision, which is designed to gain additional information about a firm's traders and/or about a participant's trading and delivery activity, including information on persons who control or have a financial interest in the account, allows the CFTC's enforcement division to circumvent having to acquire a subpoena to look at the source code.

How Safe Is Safe?

At the time, Giancarlo gave what has turned out to be prescient declaration:

"Absent specific measures, I have to say it's absurd to suggest that source code will be kept secure," he said. "The CFTC itself has an imperfect record as a guardian of confidential proprietary information. If this rule proposal goes forward, it will make itself a target for a broader group of cyber criminals, including those engaged in cyber espionage."

Well, it turns out that SEC is in the same boat. The regulatory body's Office of Inspector General (OIC) put out a report and in it, the group found that an SEC quantitative analyst had downloaded confidential code to his personal computer. From ValueWalk:

The report revealed that an SEC quantitative analyst, empowered to inspect the algorithms behind many of the top fund managers, was charged with improperly requesting and downloading confidential computer code to his personal computer (along with defrauding the SEC regarding hours worked, an issue first reported in The Wall Street Journal). While the OIG did not affirm the allegation, according to OIG spokesperson Raphael Kozolchyk, the issue was nonetheless raised in the OIG's semi-annual report to Congress.

Looking Ahead

One source told me that there's a "very small chance that Massad and Bowen could officially get together before Massad officially leaves and out-vote Giancarlo to pass it. The timing on this would have to be very, very short, because the comment period doesn't end until January 24, and then staff has to read/analyze and make recommendations to the Commissioners. It's a long shot and would be a terrible breach of protocol, which is why it probably won't happen."

Giancarlo gave an impassioned speech during that November CFTC meeting, invoking English common law, the US Bill of Rights and Ben Franklin to drive home his distaste for the source-code provision. If he gets his way, that piece will be scrapped.

Consider, too, that Trump's pick to head the SEC, Jay Clayton, has been working to help Wall Street firms fight "regulatory scrutiny." From the Washington Post: "Clayton is a partner at Sullivan & Cromwell, a well-known law firm, and has represented some of the biggest names on Wall Street, including Goldman Sachs, and helped them weather regulatory scrutiny."

With Republicans in the majority of both the House and Senate, and with Trump's appointment of cabinet members who have worked at large Wall Street firms—most notably, from Goldman Sachs—the CFTC will be stocked with two more Republicans that would probably fall in line with Giancarlo. As is the rule, a Dem will have to be selected to fill the fifth seat, but that's still a likely 3-2 deficit for those in favor of the source-code provision.

The rest of Reg AT, though, may still be safe. Most industry participants, in comment letters, have said that there's a need for greater oversight of automated trading systems. Even Giancarlo has been in favor of the idea behind the rule.

But the source-code piece (and, perhaps also, the definition of what makes for an "AT Person") is in trouble. And that's not a bad thing, in my humble opinion. Until there is a sure way forward with a detailed, definitive plan as to how the Commission would protect those vital trading strategies, they need to find other ways to police algorithmic trading firms. Move forward with Reg AT, strip out and dual track the source code provision where it can die on the vine until there's a better option to secure those strategies.