The Regulation of Automated Trading and the Slippery Slope for FinTech
In November 2015, the CFTC unanimously approved rules governing automated trading that included a new requirement (§ 1.81(a)(1)) that tasks automatic trading (AT) Persons – “those persons or entities subject to the CFTC’s proposed new pre-trade risk control requirements” – with maintaining the firm’s source code “in accordance with Commission regulation § 1.31.”
Included within § 1.31 (Books and records; keeping and inspection) are a few troubling requirements for algorithmic trading firms: storing a duplicate record of the source code “at a location separate from the original for the period of time required for maintenance of the original”; entering into an agreement with at least one third-party technical consultant who “will have access to, and the ability to download” said source code; and providing CFTC and U.S. Department of Justice (DOJ) staff with access to a firm’s source code without the need for a subpoena.
To be fair, federal regulators do not need a subpoena to examine the books and records of a firm under their jurisdiction. However, the inclusion of source code into the mix, as proposed under Regulation AT, marks a deviation from the way the CFTC and DOJ would normally go about examining an algorithmic trader’s source code. Under current practice, the CFTC and the DOJ are required to obtain a subpoena or warrant prior to algorithmic trading firms unveiling said code to government officials, in a controlled environment where the code never leaves the firm’s premises. In the current proposal, however, these due process protections appear to be reduced. In my view, the CFTC has not offered a convincing explanation about why source code should be included in a firm’s books and records and why current practice is insufficient.
So, why is this a significant issue? For algorithmic trading firms, source code is their key intellectual property asset. It drives a firm’s trading decisions and may hold substantial value. More importantly, the proposed rule, if finalized as is, could set a damaging precedent. As previously stated by CFTC Commissioner Christopher Giancarlo, who, despite his reservations, approved the proposed rule, “I am aware of no legal foundation on which to haphazardly set aside long-established, due process protections afforded by agency subpoena practice.” He added: “It is for the people’s representatives in Congress, and not an unelected agency, to decide whether valuable private property may be taken without specific authority arising from a legal proceeding.”
There are also safety and security concerns in holding the source code off-site and providing access to said code to more people than algorithmic trading firms would like. Regulators, wherever they're located, are still prone to leaks — the removal of several confidential living wills by a former U.S. Federal Deposit Insurance Corp. employee is one recent example. Similarly, both the U.S. Government Accountability Office and the CFTC’s Office of the Inspector General have cited the FDIC and the CFTC for information security vulnerabilities. Given the cyberattacks on government institutions in the past year, it is no wonder that algorithmic trading firms are concerned about the security of their intellectual property, despite assurances of protection.
Beyond algorithmic trading, the proposed rule would establish a precedent that could reverberate across the FinTech industry, where a number of firms and platforms rely on proprietary code, whether used for credit underwriting or other transactional purposes. If the CFTC can access proprietary information at a moment’s notice without a subpoena, then what’s to stop other regulators from doing the same? In a recent letter to the CFTC, eight members of Congress shared their concerns, in part, “about the precedential value the rule could have if technology companies are forced to comply with this provision.” In addition to data security risks and potential abuse of sensitive information, the proposed rule “also establishes a United States federal policy that could be copied by other agencies and impact how other countries define best practices,” they said.
We are already beginning to see the proprietary information debate between the CFTC and algorithmic trading firms seep into conversations regarding how to regulate FinTech innovations. For instance, comments to the U.S. Treasury and the Office of the Comptroller of the Currency have pressed regulators to shine additional light on the “secret sauce” or “black boxes” within FinTech firms and practices. These comments have been heard by financial regulators (see U.S. Treasury’s final report on online marketplace lending, pages 20 and 34).
It remains to be seen whether and how regulators will approach such questions as they continue to explore FinTech, but if the results are anything like what the CFTC is proposing, it should concern all who are involved in efforts to reshape the financial services industry.