Font Size: AAA // Print // Bookmark

2016-27250

  • Federal Register, Volume 81 Issue 227 (Friday, November 25, 2016)

    [Federal Register Volume 81, Number 227 (Friday, November 25, 2016)]

    [Proposed Rules]

    [Pages 85334-85399]

    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]

    [FR Doc No: 2016-27250]

    [[Page 85333]]

    Vol. 81

    Friday,

    No. 227

    November 25, 2016

    Part II

    Commodity Futures Trading Commission

    -----------------------------------------------------------------------

    17 CFR Parts 1, 38, 40, et al.

    Regulation Automated Trading; Proposed Rule

    Federal Register / Vol. 81 , No. 227 / Friday, November 25, 2016 /

    Proposed Rules

    [[Page 85334]]

    -----------------------------------------------------------------------

    COMMODITY FUTURES TRADING COMMISSION

    17 CFR Parts 1, 38, 40, and 170

    RIN 3038-AD52

    Regulation Automated Trading

    AGENCY: Commodity Futures Trading Commission.

    ACTION: Supplemental notice of proposed rulemaking.

    -----------------------------------------------------------------------

    SUMMARY: On December 17, 2015, the Commodity Futures Trading Commission

    (``CFTC'' or ``Commission'') published in the Federal Register a notice

    of proposed rulemaking (``NPRM'') proposing a series of risk controls,

    transparency measures, and other safeguards to enhance the safety and

    soundness of automated trading on all designated contract markets

    (``DCMs'') (collectively, ``Regulation Automated Trading'' or

    ``Regulation AT''). Through this supplemental notice of proposed

    rulemaking for Regulation AT (``Supplemental NPRM''), the Commission is

    proposing to modify certain rules set forth in the NPRM. Any new or

    amended rules proposed in this Supplemental NPRM reflect only those

    areas where the Commission believes that additional notice and comment

    may be appropriate before enacting final rules. Procedurally, this

    Supplemental NPRM is not a replacement or withdrawal of rules proposed

    in the NPRM. Unless specifically amended herein, all regulatory text

    proposed in the NPRM remains under active consideration for adoption as

    final rules. The Commission welcomes public comment on all aspects of

    the Supplemental NPRM.

    DATES: Comments must be received on or before January 24, 2017.

    ADDRESSES: You may submit comments, identified by RIN 3038-AD52, by any

    of the following methods:

    CFTC Web site: http://comments.cftc.gov. Follow the

    instructions for submitting comments through the Comments Online

    process on the Web site.

    Mail: Send to Christopher Kirkpatrick, Secretary of the

    Commission, Commodity Futures Trading Commission, Three Lafayette

    Centre, 1155 21st Street NW., Washington, DC 20581.

    Hand Delivery/Courier: Same as Mail, above.

    Federal eRulemaking Portal: http://www.regulations.gov.

    Follow the instructions for submitting comments.

    Please submit comments by only one method. All comments should be

    submitted in English or accompanied by an English translation. Comments

    will be posted as received to http://www.cftc.gov. You should submit

    only information that you wish to make available publicly. If you wish

    the Commission to consider information that may be exempt from

    disclosure under the Freedom of Information Act (``FOIA''), a petition

    for confidential treatment of the exempt information may be submitted

    according to the procedures established in 17 CFR 145.9. The Commission

    reserves the right, but shall have no obligation, to review, prescreen,

    filter, redact, refuse, or remove any or all of your submission from

    http://www.cftc.gov that it may deem to be inappropriate for

    publication, such as obscene language. All submissions that have been

    so treated that contain comments on the merits of the rulemaking will

    be retained in the public comment file and will be considered as

    required under the Administrative Procedure Act and other applicable

    laws, and may be accessible under FOIA.

    FOR FURTHER INFORMATION CONTACT: Sebastian Pujol Schott, Associate

    Director, Division of Market Oversight, sps@cftc.gov or 202-418-5641;

    Marilee Dahlman, Special Counsel, Division of Market Oversight,

    mdahlman@cftc.gov or 202-418-5264; Joseph Otchin, Special Counsel,

    Division of Market Oversight, jotchin@cftc.gov or 202-418-5623; Andrew

    Ridenour, Special Counsel, Division of Market Oversight,

    aridenour@cftc.gov or 202-418-5438; Brian Robinson, Special Counsel,

    Division of Market Oversight, CFTC.gov">brobinson@CFTC.gov or 202-418-5385;

    Michael Penick, Economist, Office of the Chief Economist,

    mpenick@cftc.gov or 202-418-5279; Richard Haynes, Economist, Office of

    the Chief Economist, rhaynes@cftc.gov or 202-418-5063; Carlin Metzger,

    Trial Attorney, Division of Enforcement, cmetzger@cftc.gov or 312-596-

    0536; or John Dunfee, Assistant General Counsel, Office of General

    Counsel, jdunfee@cftc.gov or 202-418-5396.

    SUPPLEMENTARY INFORMATION:

    Table of Contents

    I. Introduction: The NPRM and Supplemental NPRM for Regulation AT

    A. Basic Structure of Regulation AT: The NPRM and the

    Supplemental NPRM

    B. Opportunities for Public Comment on NPRM Proposals During Two

    Public Comment Periods and Public Staff Roundtable

    C. Overview of Comments Received

    II. AT Person Status and Requirements for AT Persons

    A. Overview and Policy Rationale for New Proposal

    B. NPRM Proposal and Comments

    C. Substance of New Proposal

    1. Volume Threshold Test for AT Persons

    2. Registration as a Floor Trader

    3. Anti-Evasion

    4. Registration for Membership With a Registered Futures

    Association

    D. Commission Questions

    III. Proposed Definition of DEA

    A. Overview and Policy Rationale for New Proposal

    B. NPRM Proposal and Comments

    C. Substance of New Proposal

    D. Commission Questions

    IV. Algorithmic Trading Source Code Retention and Inspection

    Requirements

    A. Overview and Policy Rationale for New Proposal

    B. NPRM Proposal and Comments

    C. Substance of New Proposal

    D. Commission Questions

    V. Testing, Monitoring and Recordkeeping Requirements in the Context

    of Third-Party Providers

    A. Overview and Policy Rationale for New Proposal

    B. NPRM Proposal and Comments

    C. Substance of New Proposal

    D. Commission Questions

    VI. Changes to Overall Risk Control Framework

    A. Change From Three Level to Two Level Risk Control Framework

    1. Overview and Policy Rationale for Proposal

    2. NPRM Proposal and Comments

    3. Substance of New Proposal

    4. Commission Questions

    B. Electronic Trading at the AT Person, FCM, and DCM Levels

    1. Overview and Policy Rationale for New Proposal

    2. NPRM Proposal and Comments

    3. Substance of New Proposal

    4. Commission Questions

    C. New and Revised Definitions; Change from ``Clearing Member''

    to ``Executing'' FCMs

    1. Overview and Policy Rationale for New Proposal

    2. NPRM Proposal and Comments

    3. Substance of New Proposal

    4. Commission Questions

    D. AT Person Delegation to FCM

    1. Overview and Policy Rationale for New Proposal

    2. NPRM Proposal and Comments

    3. Substance of New Proposal

    4. Commission Questions

    VII. Reporting and Recordkeeping Obligations

    A. Overview and Policy Rationale for New Proposal

    B. NPRM Proposal and Comments

    C. Substance of New Proposal

    D. Commission Questions

    VIII. Additional Changes to NPRM Proposed Rules Under Consideration

    A. Commission Questions

    IX. Related Matters

    A. Cost-Benefit Considerations

    1. The Statutory Requirement for the Commission To Consider the

    Costs and Benefits of Its Actions

    2. Comments Regarding Costs and Benefits of Regulation AT

    [[Page 85335]]

    3. The Commission's Cost-Benefit Consideration of Regulation

    AT--Baseline Point

    4. The Commission's Cost-Benefit Consideration of Regulation

    AT--Cross-Border Effects

    5. Introduction: The NPRM and Supplemental NPRM for Regulation

    AT

    6. Proposed New Definitions and Changes to NPRM Proposed

    Definitions

    7. Requirements for AT Persons

    8. Source Code Retention and Inspection Requirements

    9. Testing, Monitoring and Recordkeeping Requirements in the

    Context of Third-Party Providers

    10. Changes to Overall Risk Control Framework

    11. Reporting, Testing and Recordkeeping Requirements

    12. Section 15(a) Factors

    B. Regulatory Flexibility Act

    1. A Description, and, Where Feasible, an Estimate of the Number

    of Small Entities to Which the Proposed Rules Will Apply.

    2. A Description of the Projected Reporting, Recordkeeping, and

    Other Compliance Requirements of the Rules, Including an Estimate of

    the Classes of Small Entities Which Will Be Subject to the

    Requirements and the Type of Professional Skills Necessary for

    Preparation of the Report or Record.

    C. Paperwork Reduction Act

    1. Sec. 1.3(x)(1)(iii)--Submissions by Newly Registered Floor

    Traders

    2. Sec. 1.80(d) Pre-Trade Risk Controls for AT Persons--

    Delegation

    3. Sec. 1.83(a)--AT Person Retention and Production of Books

    and Records

    4. Sec. 1.83(b)--Executing FCM Retention and Production of

    Books and Records

    5. Sec. 1.84--Retention, Production and Confidentiality of

    Algorithmic Trading Records

    6. Sec. 1.85--Third-Party Algorithmic Trading Systems or

    Components

    7. Sec. 38.255(c) Risk Controls for Trading--FCM Certification

    to DCM

    8. Sec. 40.22(a)-(c)--Compliance With DCM Reviews

    9. Sec. 40.22(d) Certification Requirement

    10. Commission Questions

    I. Introduction: The NPRM and Supplemental NPRM for Regulation AT

    Regulation Automated Trading is a comprehensive Commission effort

    to reduce risk and increase transparency in algorithmic order

    origination and electronic trade execution on all U.S. futures

    exchanges. The proposed rules, both in the NPRM and the Supplemental

    NPRM, modernize the Commission's regulatory regime, promote the safety

    and soundness of trading on all contract markets, and seek to keep pace

    with evolving technologies. This Supplemental NPRM builds on the

    Commission's December 2015 NPRM for Regulation AT,\1\ and is a

    continuation of the underlying policies and objectives reflected

    therein. The Supplemental NPRM responds to persuasive public comments

    to help ensure appropriate final rules for Regulation AT.\2\

    ---------------------------------------------------------------------------

    \1\ Regulation Automated Trading, Proposed Rule, 80 FR 78824

    (Dec. 17, 2015) (hereinafter ``NPRM'').

    \2\ Sections I-III of the NPRM provided a fulsome discussion of

    the policy considerations, market events, existing best practices,

    and procedural history that informed the Commission's development of

    Regulation AT. The Commission explained that ``the basic structure

    of [open-outcry trading] remained constant for decades, and produced

    a parallel regulatory framework also premised on natural persons and

    human decision-making speeds.'' See NPRM at 78825. It contrasted

    now-obsolete manual processes against the ``wide array of electronic

    systems for the generation, transmission, management, and execution

    of orders'' used today by DCMs and DCM market participants,

    including high-speed communication networks to confirm transactions,

    communicate market data, and link markets and market participants.

    See id.

    The Commission provided information indicating that over 95% of

    all on-exchange futures trading was electronic by 2014, with many

    exchanges having closed their open-outcry trading pits well before

    then. It also indicated that by 2014, ATSs were present on at least

    one side of almost 80% of trading volume in some asset classes. The

    Commission noted that ``[t]he largely complete transition of DCMs to

    electronic trade matching platforms has occurred alongside an

    equally important shift in the technologies used by market

    participants to place and manage orders.'' These include ATSs, high-

    speed communication networks, and the use of direct access and

    colocation services to ``minimize latencies between ATS, market data

    systems, and DCMs' electronic trading platform[s].'' See NPRM at

    78826.

    The Commission explained that ``an overarching goal'' of

    Regulation AT is to update its rules in response to the evolution

    from pit to electronic trading, including by focusing on

    ``algorithmic order origination or routing by market participants,

    and electronic trade execution by DCMs.'' It also observed that

    ``[m]arket participants using automated trading include an important

    population of proprietary traders that, while responsible for

    significant volume and liquidity in key futures products, are not

    registered with the Commission.'' The Commission emphasized that

    Regulation AT is focused on the ``automation of order generation,

    transmission, and execution, and the risks that may arise from such

    activity.'' It identified ``appropriate pre-trade and other risk

    controls'' as an important element in ``ensur[ing] the integrity of

    Commission-regulated markets'' and fostering market participants'

    confidence in the transactions being executed. See NPRM at 78827-

    78828.

    The Commission also summarized the broad array of resources that

    it consulted in preparing the NPRM for Regulation AT, including

    ``industry practices, measures taken by other U.S. and foreign

    regulators, and best practices or guidance set forth by other

    informed parties.'' It noted the ``emerging consensus around pre-

    trade risk controls for automated trading and supervision standards

    for ATSs.'' Finally, the Commission emphasized that ``Regulation AT

    attempts to balance flexibility in a rapidly changing technological

    landscape with the need for a regulatory baseline that provides a

    robust and sufficiently clear standard for pre-trade risk controls,

    supervision standards, and other safeguards for automated trading

    environments.'' See NPRM at 78828. This Supplemental NPRM continues

    to build on the policy determinations and regulatory objectives set

    forth in the NPRM for Regulation AT.

    ---------------------------------------------------------------------------

    Procedurally, the Supplemental NPRM is a continuation of the NPRM.

    All rules in the NPRM remain under consideration as originally proposed

    unless specifically modified in the proposed rule text in this

    Supplemental NPRM.\3\ Accordingly, this Supplemental NPRM begins with

    an overview of Regulation AT across the NPRM and the Supplemental NPRM

    (Section I(A)). It continues with a summary of the opportunities for

    public comment provided by the Commission (Section I(B)), and an

    overview of the comments received (Section I(C)). Sections II through

    VII discuss specific proposed rules in the Supplemental NPRM that add

    to, remove, or otherwise amend the Commission's original proposals in

    the NPRM. Sections II through VII also provide a summary of the

    comments and policy considerations that led to the Commission's new or

    amended proposals. Section VIII provides preamble discussion and seeks

    comment regarding additional areas where the Commission's final rules

    for Regulation AT may amend the NPRM. However, such potential

    amendments are not included as proposed regulatory text in this

    Supplemental NPRM. The Commission believes that the further amendments

    under consideration do not impact new parties, create new obligations,

    or otherwise increase burdens. Section IX includes the Commission's

    Paperwork Reduction Act, Regulatory Flexibility Act, and Cost-Benefit

    discussions for the regulatory text proposed herein. Finally, the

    Commission presents the proposed new or modified regulatory text

    following the end of the preamble. Any sections or paragraphs marked as

    ``Reserved'' are not addressed in this Supplemental NPRM. The

    provisions proposed for such sections or paragraphs in the NPRM are

    unchanged from that document and remain under active consideration by

    the Commission. (Note, however, that proposed reserved Sec. 1.3(aaaaa)

    is not the subject of either this Supplemental NPRM or the NPRM. That

    definitions paragraph is the subject of another pending unrelated

    Commission rulemaking proposal.) Please note also that the provisions

    proposed in the NPRM for Sec. Sec. 38.401 and 40.1(i), and for

    Appendix B to part 38, are not shown as reserved in this Supplemental

    NPRM for technical reasons. Nonetheless, the provisions proposed in the

    NPRM for those two sections and that appendix are unchanged and remain

    under active consideration by the Commission.

    ---------------------------------------------------------------------------

    \3\ The Commission's new proposed regulatory text is presented

    in this document following the end of the preamble.

    ---------------------------------------------------------------------------

    [[Page 85336]]

    A. Basic Structure of Regulation AT: The NPRM and the Supplemental NPRM

    The basic structure of Regulation Automated Trading is set forth in

    the NPRM, and remains largely intact. However, through this

    Supplemental NPRM, the Commission is proposing certain changes to

    Regulation AT to address comments received in response to the NPRM and

    during a day-long staff roundtable on Regulation AT held in June 2016.

    This Section I(A) provides an overview of Regulation AT by summarizing

    several of the principal changes that the Supplemental NPRM proposes to

    make to the NPRM.

    First, Regulation AT would require pre-trade risk controls and

    other measures for the Algorithmic Trading of AT Person customers in

    order to promote the continued safety and soundness of Commission-

    regulated markets. In the NPRM, the Commission proposed placing such

    risk controls at three levels: The AT Person, the FCM and the DCM. Many

    commenters asserted that a three-layer structure could be redundant and

    costly, and some indicated that a two-level structure would be

    preferable. After careful consideration, the Commission is proposing to

    move Regulation AT from a three-level risk control structure to a

    modified two-level structure, with risk controls set at the levels of

    (1) the AT Person \4\ or its FCM; and (2) the DCM. Under the two-level

    structure proposed in the Supplemental NPRM, an AT Person would have

    the option of delegating its pre-trade risk control requirements to an

    FCM rather than implementing its own controls.

    ---------------------------------------------------------------------------

    \4\ ``AT Person'' is defined in proposed Sec. 1.3(xxxx) of the

    NPRM, and includes existing Commission registrants engaged in

    ``Algorithmic Trading'' on a DCM, as well as market participants

    required to register as floor traders pursuant to proposed Sec.

    1.3(x)(3) of the NPRM. Algorithmic Trading is defined in proposed

    Sec. 1.3(zzzz) of the NPRM. Electronic Trading is defined in

    Supplemental NPRM in proposed Sec. 1.3(ddddd).

    ---------------------------------------------------------------------------

    Second, the NPRM proposed requiring risk controls only with respect

    to the Algorithmic Trading of AT Persons. In contrast, the Supplemental

    NPRM addresses not only Algorithmic Trading, but also Electronic

    Trading at the AT Person, FCM, and DCM levels. The Commission's amended

    proposal is consistent with comments stating that all electronic

    trading--not just the narrower set of Algorithmic Trading--should pass

    through pre-trade risk controls.

    Third, in the NPRM, the Commission proposed requiring that pre-

    trade risk controls be set at the level of each AT Person or market

    participant, or other more granular levels as the AT Person, FCM or DCM

    determined appropriate. The Supplemental NPRM responds to comments that

    it may not be efficient or possible for DCMs and FCMs to set controls

    at the level of individual market participants. Accordingly, in the

    Supplemental NPRM, the Commission revises the risk control provisions

    to provide AT Persons, FCMs and DCMs greater flexibility regarding the

    level at which pre-trade controls must be set.

    Fourth, Regulation AT would require the registration of certain

    market participants who are not already registered with the Commission.

    Such market participants would be required to register as ``floor

    traders,'' as defined in the Supplemental NPRM in proposed Sec.

    1.3(x)(1)(iii) (``New Floor Traders''), and would also be required to

    become members of a registered futures association (``RFA''). Together

    with certain existing registrants, New Floor Traders would be

    considered AT Persons and be subject to all relevant requirements of

    Regulation AT. Pursuant to the NPRM, the proposed registration criteria

    for New Floor Traders \5\ were that such persons be engaged in (1)

    proprietary, (2) Algorithmic Trading (3) through Direct Electronic

    Access (``DEA'') on a DCM. The Supplemental NPRM retains these

    requirements but also incorporates a volume-based quantitative test for

    registration as a New Floor Trader. This amendment responds to concerns

    that the NPRM would have imposed registration and its consequent

    obligations on too large a population of market participants. The

    Commission also proposes to apply this same volume-based quantitative

    test to existing registrants and persons otherwise required to register

    with the Commission to determine whether they are AT Persons.\6\

    ---------------------------------------------------------------------------

    \5\ For purposes of this Supplemental NPRM, registrants under

    Supplemental proposed Sec. 1.3(x)(1)(iii) are deemed ``New Floor

    Traders.''

    \6\ To be considered AT Persons, existing registrants and

    persons otherwise required to register with the Commission must be

    engaged in Algorithmic Trading on our subject to the rules of a DCM.

    Unlike for New Floor Traders, however, direct electronic access is

    not a relevant consideration for existing registrants and persons

    otherwise required to register with the Commission (e.g., FCMs,

    floor brokers, swap dealers, major swap participants, commodity pool

    operators, commodity trading advisors, and introducing brokers).

    ---------------------------------------------------------------------------

    The Commission estimates that its proposed volume-based criteria

    would result in approximately 120 AT Persons, including some of who are

    already registered with the Commission in some capacity. This stands in

    contrast to some commenters' estimates that the NPRM could have

    required thousands of persons to register. While any volume-based

    metric has limitations, the Commission believes that this is the best

    way to focus the registration-related obligations on the appropriate

    class of persons. This approach, coupled with other changes in the

    Supplemental NPRM regarding the obligations of AT Persons as discussed

    below, also addresses many of the concerns expressed about the NPRM

    registration requirement.

    Fifth, in the NPRM, the Commission proposed requiring that AT

    Persons provide the DCMs on which they operate with annual reports

    containing information on the AT Persons' compliance with requirements

    concerning risk controls. The NPRM further would have required DCMs to

    establish a program for effective review and evaluation of the reports.

    The Commission received comments that the proposed reporting

    requirements were overly burdensome and would provide little benefit in

    mitigating the risks of Algorithmic Trading. In the Supplemental NPRM,

    the Commission proposes replacing the annual compliance report

    requirement for AT Persons with a streamlined annual certification

    requirement. The Commission also proposes to retain certain

    recordkeeping requirements, as well as the requirement that DCMs

    establish a program for effective periodic review and evaluation of AT

    Persons' compliance with elements of Regulation AT. Similarly, the NPRM

    imposed annual reporting requirements on FCMs and required DCMs to

    review these reports. The Supplemental NPRM also replaces the annual

    reporting obligations for FCMs with a certification requirement, and

    also retains the requirement that FCMs maintain certain records. As

    with AT Persons, the Supplemental NPRM requires DCMs to establish a

    program for effective periodic review and evaluation of FCMs'

    compliance with Regulation AT.

    Sixth, Regulation AT requires that algorithmic trading source code

    be preserved and made available to the Commission when necessary.\7\

    The NPRM required that AT Persons maintain a ``source code repository''

    and make it available for inspection in accordance with the

    Commission's general recordkeeping requirements. These provisions

    provoked extensive

    [[Page 85337]]

    comments. Notably, commenters may have misunderstood the Commission's

    intent, which was never to require that all source code to be provided

    routinely to a Commission or third-party repository. The Supplemental

    NPRM acknowledges the concerns regarding the confidentiality and

    proprietary value of Algorithmic Trading Source Code and revises these

    provisions extensively. While Algorithmic Trading Source Code and

    related records are still required to be preserved, they are not

    subject to the Commission's general recordkeeping provisions. Instead,

    preservation and access obligations are set forth in new provisions in

    the Supplemental NPRM that reflect market participants' concerns. The

    Supplemental NPRM provides that the Commission would have access to

    Algorithmic Trading Source Code and related records only via a subpoena

    or a special call approved by the Commission itself, not by staff, and

    that any such access would be subject to policies and procedures to

    protect confidentiality.

    ---------------------------------------------------------------------------

    \7\ ``Algorithmic Trading Source Code'' is defined in

    Supplemental proposed Sec. 1.3(ccccc). The Commission notes that

    source code was not defined in the NPRM. In this Supplemental NPRM,

    the Commission uses ``source code'' in connection with its proposal

    in the NPRM, and uses the term ``Algorithmic Trading Source Code''

    when referring to Supplemental proposed Sec. 1.3(ccccc).

    ---------------------------------------------------------------------------

    Seventh, the Supplemental NPRM discusses a number of changes to

    certain defined terms proposed in the NPRM, as well as other provisions

    that the Commission is considering in response to comments from market

    participants. These include limiting the scope of ``Algorithmic Trading

    Compliance Issue,'' ``Algorithmic Trading Disruption,'' and

    ``Algorithmic Trading Event.''

    Eighth, Regulation AT includes a number of additional rules focused

    specifically on DCMs. As reflected in the NPRM, these proposals

    include: (1) Greater transparency around DCMs' electronic trade

    matching platforms and (2) promoting the use of self-trade prevention

    tools.\8\ The Commission is contemplating deferring further

    consideration of such provisions to a second phase of rules to be

    finalized at a later date. The Commission seeks comments regarding

    deferral of these two provisions to a later date.

    ---------------------------------------------------------------------------

    \8\ The NPRM proposed amendments to existing Sec. 38.255, to

    require DCMs to have in place systems reasonably designed to

    facilitate the FCM's management of the risks that may arise from

    their customers' Algorithmic Trading using DEA. Regulation AT would

    also amend existing Sec. 38.401(a) to require DCMs to provide

    additional public disclosure regarding their electronic matching

    platforms. In part 40, the NPRM proposed the following new

    regulations: Sec. 40.20--requiring DCMs to implement pre-trade risk

    controls and other related measures; Sec. 40.21--requiring DCMs to

    provide a test environment to AT Persons; Sec. 40.22--requiring

    DCMs to implement a review program for compliance reports regarding

    Algorithmic Trading submitted by AT Persons and clearing member

    FCMs, require that certain books and records be maintained by such

    persons, and review such books and records as necessary; Sec.

    40.23--requiring DCMs to implement self-trade prevention tools,

    mandate their use, and publish statistics concerning self-trading;

    and Sec. Sec. 40.25-40.28--requiring DCMs to provide disclosure and

    implement other controls regarding their market maker and trading

    incentive programs. Regulation AT would amend the definition of

    ``rule'' in Sec. 40.1(i) in response to certain of the changes

    proposed above.

    ---------------------------------------------------------------------------

    Finally, specific regulatory provisions addressed in the

    Supplemental NPRM include a number of new or revised defined terms,

    such as revised Sec. 1.3(x)--Floor trader; revised Sec. 1.3(wwww)--AT

    Order Message; revised Sec. 1.3(xxxx)--AT Person; revised Sec.

    1.3(yyyy)--Direct Electronic Access; new Sec. 1.3(ddddd)--Electronic

    Trading; new Sec. 1.3(bbbbb)--Electronic Trading Order Message; and

    new Sec. 1.3(ccccc)--Algorithmic Trading Source Code. Other new or

    revised regulatory provisions include: (1) New Sec. 1.80(d)--

    Delegation of pre-trade risk controls by AT Persons; (2) new Sec.

    1.80(g) --AT Persons' pre-trade risk controls for Electronic Trading;

    (3) revised Sec. 1.81--Standards for the development, monitoring, and

    compliance of Algorithmic Trading systems; (4) revised Sec. 1.82--FCM

    pre-trade risk controls and other related measures for orders from

    their AT Person customers; (5) revised Sec. 1.83--AT Person and

    executing FCM recordkeeping; (6) new Sec. 1.84--Maintenance of

    Algorithmic Trading Source Code and related records; (7) new Sec.

    1.85--Use of third-party Algorithmic Trading systems or components; \9\

    (8) revised Sec. Sec. 38.255 and 40.20--Risk controls for trading; (9)

    revised Sec. 40.22--DCM requirements for AT Persons and executing

    FCMs, and DCM review program; and (10) revised Sec. 170.18--AT Person

    registration for membership in at least one ``RFA''.

    ---------------------------------------------------------------------------

    \9\ Including, for example, options for complying with elements

    of NPRM Sec. 1.81--``Standards for the development, monitoring, and

    compliance of Algorithmic Trading systems.'' See Section V below.

    ---------------------------------------------------------------------------

    This Supplemental NPRM modifies some, but not all, of the NPRM.

    Where this Supplemental NPRM proposes rule text in full, such text

    replaces what was proposed in the NPRM. With the exceptions noted in

    this paragraph, where this Supplemental NPRM reserves a section or

    paragraph for which provisions were proposed in the NPRM, the

    previously proposed provisions of such section or paragraph remain

    unchanged from the NPRM and continue to be under active consideration

    by the Commission. For technical reasons, Sec. Sec. 38.401 and

    40.1(i), and Appendix B to part 38, are not shown as reserved in this

    Supplemental NPRM; however, the amended provisions proposed for those

    sections and that appendix in the NPRM also remain unchanged and under

    active consideration. (Please note that proposed reserved Sec.

    1.3(aaaaa) is not the subject of either this Supplemental NPRM or the

    NPRM. That definitions paragraph is the subject of another pending

    unrelated Commission rulemaking proposal.)

    B. Opportunities for Public Comment on NPRM Proposals During Two Public

    Comment Periods and Public Staff Roundtable

    In response to the NPRM, the Commission received 54 comment letters

    from an array of market participants, exchanges, industry trade

    associations, public interest organizations, and others.\10\ During the

    initial comment period, Commission staff also met in person and via

    telephone with interested parties who requested meetings. Market

    participants and other interested parties were also provided extensive

    opportunities to comment on the Commission's 2013 Concept Release on

    Risk Controls and

    [[Page 85338]]

    System Safeguards for Automated Trading Environments (``Concept

    Release''), which included an initial 90-day comment period and a

    subsequent three-week comment period in conjunction with a public

    meeting of the Commission's Technology Advisory Committee.\11\ The

    Concept Release and comments thereto helped inform a number of the

    proposals reflected in Regulation AT.

    ---------------------------------------------------------------------------

    \10\ During the 90-day comment period following the Commission's

    issuance of the NPRM, the Commission received comment letters from:

    Aesthetic Integration Ltd. (``AI''); Allen, Theo (``Allen'');

    Alternative Investment Management Association (``AIMA''); American

    Gas Association (``AGA''); Americans for Financial Reform (``AFR'');

    Anonymous (non-responsive comment); Asset Management Group of the

    Securities Industry and Financial Markets Association (``SIFMA'');

    National Introducing Broker Association (``NIBA''); Barnard, Chris

    (``Barnard''); Better Markets Inc. (``Better Markets''); Bloomberg

    Tradebook LLC (``Bloomberg''); CBOE Futures Exchange, LLC

    (``CBOE''); Citadel LLC (``Citadel''); CME Group Inc. (``CME'');

    Commercial Energy Working Group and Commodity Markets Council

    (collectively, the ``Commercial Alliance''); Committee on Capital

    Markets Regulation (``CCMR''); Cordova, Alex (``Cordova''); CTC

    Trading Group, L.L.C. (``CTC''); Futures Industry Association

    (``FIA''); Hudson River Trading LLC (``Hudson Trading'');

    Information Technology Industry Council and U.S. Chamber of Commerce

    (``ITI and Commerce''); Institute for Agriculture and Trade Policy

    (``IATP''); Intercontinental Exchange, Inc. (``ICE''); International

    Energy Credit Association (``IECA''); International Swaps and

    Derivatives Association, Inc. (``ISDA''); Investment Adviser

    Association (``IAA''); LCHF Capital Management, Inc. (``LCHF'');

    Lelli, Carmen (``Lelli''); Leuchtkafer, RT (``Leuchtkafer'');

    Managed Funds Association (``MFA''); Mercatus Center at George Mason

    University (``Mercatus''); Minneapolis Grain Exchange, Inc.

    (``MGEX''); Modern Markets Initiative (``MMI''); NASDAQ Futures,

    Inc. (``NASDAQ''); National Grain and Feed Association (``NGFA'');

    Nodal Exchange, LLC (``Nodal''); North American Derivatives

    Exchange, Inc. (``Nadex''); Olam International Limited (``Olam'');

    OneChicago, LLC (``OneChicago''); Quantitative Investment

    Management, LLC (``QIM''); Schwartz, Peter (``Schwartz''); Shatto,

    Suzanne (``Shatto''); Summers, Neil (``Summers''); TraderServe

    Limited (``TraderServe''); Trading Technologies International, Inc.

    (``TT''); trueEX LLC (``trueEX''); Two Sigma Investments, LP (``Two

    Sigma''); Virtu Financial, Inc. (``Virtu''); Weaver, Jack

    (``Weaver''); and XTX Markets Limited (``XTX'').

    \11\ Concept Release on Risk Controls and System Safeguards for

    Automated Trading Environments, 78 FR 56542 (Sept. 12, 2013);

    Reopening of Comment Period, 79 FR 4104 (Jan. 24, 2014).

    ---------------------------------------------------------------------------

    Comments received during the initial comment period described above

    helped to identify areas that warranted further consideration by staff.

    Accordingly, on June 10, 2016, Commission staff held a public

    roundtable (``Roundtable'') to discuss certain elements of the NPRM.

    The topics discussed at the Roundtable included (1) the definition of

    DEA; (2) quantitative measures to establish the population of AT

    Persons; (3) alternatives to imposing pre-trade risk controls and

    development, testing, and monitoring standards on AT Persons; (4) AT

    Persons' compliance with elements of the proposed rules when using

    third-party algorithms or systems; and (5) Algorithmic Trading Source

    Code access and retention. The Roundtable included representatives from

    a broad cross-section of entities potentially impacted by Regulation

    AT.\12\ A transcript of the Roundtable proceedings is available on the

    Commission's Web site at CFTC.gov.\13\ In connection with the staff

    Roundtable, the Commission reopened the comment period for elements of

    Regulation AT for an additional two weeks. The Commission received an

    additional 19 comment letters during the reopened comment period.\14\

    ---------------------------------------------------------------------------

    \12\ The participants at the Roundtable included CME; Deutsche

    Bank; ICE; QIM; Tethys Technology (``Tethys''); Virtu; OneChicago;

    European Securities and Markets Authority (``ESMA''); ABN AMRO

    Clearing Chicago LLC (``ABN AMRO''); AFR; Shell Energy North America

    (U.S.), L.P. (``Shell''); Hartree Partners (``Hartree''); J.P.

    Morgan; KCG Holdings (``KCG''); AQR Capital Management (``AQR'');

    TT; Optiver US LLC (``Optiver''); and Hudson Trading.

    \13\ See http://www.cftc.gov/PressRoom/Events/opaevent_cftcstaff061016.

    \14\ In response to the NPRM, the Commission received: (i)

    Written comments submitted during the initial 90 day comment period

    (``Initial Comment Period''); comments by Roundtable participants;

    and (iii) written comments submitted during the reopened comment

    period (``Second Comment Period''). Some commenters submitted

    multiple comments. Accordingly, this Supplemental NPRM identifies

    Roundtable comments with a Roman numeral ``II'' and Second Comment

    Period comments with a Roman numeral ``III.'' For example, CME's

    comments are identified as CME (its Initial Comment Period comment

    letter); CME II (its Roundtable comments); and CME III (its Second

    Comment Period comment letter). During the Second Comment Period,

    the Commission received comment letters from: AIMA; Chilton, Bart;

    Better Markets; the Chamber of Commerce (together with ISDA, FIA and

    others); CME; Commercial Alliance; an industry group consisting of

    FIA, FIA Principal Traders Group, MFA, ISDA, and SIFMA Asset

    Management Group (collectively, the ``Industry Group''); Hartree;

    Hudson Trading; ICE; KCG; MFA; MGEX; Milliman Financial Risk

    Management LLC (``Milliman''); MMI; Nadex; QIM, Schwartz; and TT.

    ---------------------------------------------------------------------------

    C. Overview of Comments Received

    The comments that the Commission received in written letters and at

    the Roundtable addressed a range of matters in Regulation AT. For

    purposes of this Supplemental NPRM, the Commission is focusing solely

    on comments related to new or amended rules proposed herein.\15\ For

    example, several commenters suggested that the proposed rules could

    impact a larger number of market participants (including new and

    existing Commission registrants) than would be appropriate or than the

    Commission estimated in the NPRM.\16\ The Commission found these

    comments persuasive, as a result of which it developed the volume-based

    quantitative test for AT Persons described in Section II below and

    reflected in Supplemental proposed Sec. 1.3(x)(2) (the ``volume

    threshold test''). Some commenters also expressed concern regarding the

    NPRM's proposal to require risk controls for Algorithmic Trading at

    three levels (i.e., at the DCM, FCM and AT Person levels).\17\ Although

    most saw value in pre-trade risk controls administered by DCMs, some

    commenters encouraged the Commission to limit any further risk control

    requirements to either AT Persons or FCMs, but not both. After careful

    consideration, the Commission is proposing the hybrid two-level risk

    control structure in which the first level would be at the level of the

    AT Person or FCM, as reflected in Supplemental proposed Sec. Sec.

    1.80(d) and (g), 1.82, and 1.3(xxxx)(2).\18\

    ---------------------------------------------------------------------------

    \15\ The preamble to any final rules that the Commission may

    adopt for Regulation AT would provide a more complete summary of all

    comments received, including in response to the NPRM.

    \16\ E.g., CME A-7; ICE 6; MFA 34; Nadex 1-2.

    \17\ FIA 5; CME 6, A-14; ICE 5; MFA 4-5; Nadex 3; SIFMA 20; NIBA

    1-2.

    \18\ As explained in Sections II and VI below, these provisions

    would establish a framework where FCMs act as one of two pre-trade

    risk control layers for all electronic trading not originating with

    an AT Person (see Supplemental proposed Sec. 1.82). AT Persons

    would remain responsible for their own pre-trade risk controls in

    lieu of any FCM (see NPRM proposed Sec. 1.80). However, the

    Supplemental NPRM provides additional flexibility by permitting AT

    Persons to delegate their pre-trade risk control functions to an

    FCM, while retaining legal responsibility for such controls (see

    Supplemental proposed Sec. 1.80(d) and (g)). The Supplemental NPRM

    would also permit a non-AT Person to administer its own pre-trade

    risk controls if it so desired by voluntarily assuming AT Person

    status pursuant to Supplemental proposed Sec. 1.3(xxxx)(2).

    ---------------------------------------------------------------------------

    A significant source of discussion in response to the NPRM focused

    on the source code provisions in NPRM proposed Sec. 1.81(a)(vi).

    Commenters raised confidentiality, intellectual property, and

    information security as primary concerns. Many recommended that

    registrants' source code should be available to the Commission only

    through subpoena.\19\ Some commenters also noted that source code by

    itself may be of limited value to the Commission, and noted the

    importance of records such as log files in understanding the market

    behavior of an ATS.

    ---------------------------------------------------------------------------

    \19\ E.g., AIMA 10-11; Barnard 2; Citadel 2; FIA 48; Hudson

    Trading 3; ICE 7; ISDA 6; MFA 23; MGEX 24-25; MMI 5; Commercial

    Alliance 12; QIM 5; TraderServe 1; TT 7; Two Sigma 4-5.

    ---------------------------------------------------------------------------

    The Commission is sensitive to commenters' confidentiality and

    information security concerns as summarized above and in Section IV of

    this Supplemental NPRM. As explained above, the Commission believes

    that its intent with respect to source code was misunderstood.

    Specifically, the Commission did not intend for a source code

    repository be maintained at the Commission or with third-parties.

    However, the Commission also emphasizes that preservation of source

    code, and Commission access to such source code, is vital.

    Recordkeeping and access to records are and have always been central to

    the Commodity Exchange Act's (``Act'' or ``CEA'') statutory framework

    for regulated derivatives markets. Further, as a civil law enforcement

    agency, the Commission already handles sensitive, proprietary and trade

    secret information on a daily basis under strict retention and use

    requirements. Cybersecurity and the protection of confidential

    information are a top priority for the Commission, and all current and

    former CFTC employees are prohibited by 17 CFR 140.735-5 from

    disclosing confidential or non-public commercial, economic or official

    information.

    Through this Supplemental NPRM, the Commission seeks to balance

    commenters' concerns against its legitimate regulatory interest in

    ensuring that the Algorithmic Trading Source Code that is often

    essential for transacting in modern electronic markets is preserved and

    is available to the Commission when necessary. Source code related

    provisions are now reflected in a new Supplemental proposed Sec. 1.84,

    which provides that any CFTC access to Algorithmic Trading Source Code

    must be authorized by the Commission itself through either the part 11

    subpoena process or through a

    [[Page 85339]]

    new ``special call'' process set forth in the proposal. Supplemental

    proposed Sec. 1.84 also addresses records required to be maintained,

    confidentiality protections, and the time period for which records must

    be maintained. Supplemental proposed Sec. 1.84 would replace NPRM

    proposed Sec. 1.81(a)(vi) in its entirety.

    Other amendments in the Supplemental NPRM address commenters'

    concerns regarding the proposed definition of DEA, AT Persons'

    compliance with rules when using third-party providers for their

    Algorithmic Trading technology, and other areas. With respect to third-

    party providers, for example, the Commission is adding Supplemental

    proposed Sec. 1.85, which would permit AT Persons to rely on

    certifications from their third-party providers to meet certain

    requirements in Regulation AT. Such certifications would be permitted

    primarily with respect to NPRM proposed Sec. 1.81(a), which requires

    AT Persons to follow certain standards in the development and testing

    of their ATSs.

    Comments received in response to specific proposals in the NPRM are

    discussed in greater detail below.

    II. AT Person Status and Requirements for AT Persons

    A. Overview and Policy Rationale for New Proposal

    The proposed rules in Regulation AT apply in large part to market

    participants who meet the requirements to be an ``AT Person'' as

    defined in NPRM proposed Sec. 1.3(xxxx).\20\ AT Persons include

    existing Commission registrants engaged in Algorithmic Trading,\21\ as

    well as certain unregistered market participants who would be required

    to register as New Floor Traders pursuant to NPRM proposed Sec.

    1.3(x)(1)(iii). Registration criteria proposed in NPRM Sec.

    1.3(x)(1)(iii) for currently unregistered market participants include

    that such market participant be engaged in: (1) Proprietary (2)

    Algorithmic Trading (3) through DEA on a DCM. In the NPRM, the

    Commission preliminarily determined that these criteria could function

    as ``filters'' on the population of AT Persons, and therefore on the

    overall scope of the proposed rules. The Commission estimated that this

    definition would result in a total of 420 potential AT Persons, and

    believed that this would represent the top end of the range of AT

    Persons. The Commission based its proposal, in part, on the view that

    proprietary trading, DEA, and Algorithmic Trading together could

    appropriately identify those market participants, including new and

    existing registrants, that any rulemaking should encompass to

    effectively address risks associated with Algorithmic Trading.

    ---------------------------------------------------------------------------

    \20\ In addition to AT Persons, Regulation AT also includes

    requirements for FCMs, DCMs, and RFAs.

    \21\ Algorithmic Trading is defined in NPRM proposed Sec.

    1.3(zzzz) to mean trading in any commodity interest as defined in

    paragraph (yy) of this section on or subject to the rules of a

    designated contract market, where: (1) One or more computer

    algorithms or systems determines whether to initiate, modify, or

    cancel an order, or otherwise makes determinations with respect to

    an order, including but not limited to: The product to be traded;

    the venue where the order will be placed; the type of order to be

    placed; the timing of the order; whether to place the order; the

    sequencing of the order in relation to other orders; the price of

    the order; the quantity of the order; the partition of the order

    into smaller components for submission; the number of orders to be

    placed; or how to manage the order after submission; and (2) Such

    order, modification or order cancellation is electronically

    submitted for processing on or subject to the rules of a designated

    contract market; provided, however, that Algorithmic Trading does

    not include an order, modification, or order cancellation whose

    every parameter or attribute is manually entered into a front-end

    system by a natural person, with no further discretion by any

    computer system or algorithm, prior to its electronic submission for

    processing on or subject to the rules of a designated contract

    market.

    ---------------------------------------------------------------------------

    The Commission's estimates notwithstanding, a number of commenters

    have opined that the NPRM would capture substantially more than 420 AT

    Persons. Commenters indicated that DEA is a widespread practice,

    including potentially among proprietary retail market participants.

    Some commenters also suggested that the Commission's proposed

    definition of Algorithmic Trading may be of limited value in filtering

    the number of AT Persons because, for example, it incorporates certain

    automated order routing systems (``AORSs''). At one end of the comment

    spectrum, several commenters stated that AT Persons could number in the

    thousands.\22\

    ---------------------------------------------------------------------------

    \22\ See, e.g., MFA 6, 12-13 (indicating that potentially

    thousands of market participants would be subject to Regulation AT);

    Nadex 1-2 (indicating that estimated number of affected participants

    would be significantly higher than 100, potentially in the

    thousands); FIA 91 (stating that ``DCMs will be flooded by hundreds,

    if not thousands, of annual reports'' pursuant to NPRM proposed

    Sec. Sec. 1.83 and 40.22); CME A-7 (indicating that the DEA

    definition would capture trading activity of thousands of firms).

    ---------------------------------------------------------------------------

    The Commission has carefully considered all comments regarding the

    number of potential AT Persons pursuant to the proposed rules,

    particularly those comments indicating that the NPRM's defined terms

    and other elements may not successfully filter the scope of the rules.

    The Commission is therefore proposing in this Supplemental NPRM the

    addition of a volume threshold test to the definition of AT Person. In

    doing so, the Commission has also considered comments that any volume

    of trading potentially could pose risks. However, status as an AT

    Person involves compliance costs due to Regulation AT risk control,

    testing, recordkeeping and other requirements, and accordingly the

    Commission has determined that, at this time, it is appropriate to

    limit the population of AT Persons to larger market participants,

    including those responsible for significant trading volumes and

    liquidity in CFTC-regulated markets. The Commission emphasizes that its

    proposed framework requires FCMs to act as one of two pre-trade risk

    control layers for all Electronic Trading not originating with an AT

    Person (see Supplemental proposed Sec. 1.82). Accordingly, the

    proposed risk control framework is not limited to the trading of AT

    Persons who satisfy a quantitative threshold (i.e., the volume

    threshold test described in Section II below).

    The Commission emphasizes, as stated above, that Regulation AT is

    not intended to capture large swaths of new or existing registrants.

    The focus on Algorithmic Trading and DEA, among other criteria,

    reflects the Commission's interest in sophisticated market participants

    that can bring significant human capital, information technology, or

    other resources to bear on trading in modern markets. The definition of

    AT Person in Regulation AT is centered on larger market participants,

    including, those ``responsible for significant trading volumes and

    liquidity.'' \23\ Such market participants include existing Commission

    registrants, and an important population of proprietary traders who

    heretofore have remained outside of the Commission's registration

    regime. The Commission has determined to address both sets of market

    participants through a straightforward test for potential AT Persons

    that measures all market participants' presence on DCMs: Total trading

    volume for all products across all DCMs, as described below.

    ---------------------------------------------------------------------------

    \23\ See NPRM at 78827.

    ---------------------------------------------------------------------------

    Taking these considerations into account, the Commission has

    determined that a quantitative volume threshold test is best suited to

    identifying larger market participants who should be brought within the

    Commission's regulatory purview. To that end, the Commission is

    proposing a new approach that includes quantitative metrics based on a

    market participant's average daily trading volume across all products.

    Specifically,

    [[Page 85340]]

    the Commission is proposing a volume threshold of 20,000 contracts

    traded on average per day, including for a firm's own account, the

    accounts of customers, or both, over a six month period. The Commission

    believes that this approach will facilitate the identification of AT

    Persons through the use of clear, numerical standards that can be

    calculated easily by market participants and are verifiable in the

    Commission's data. The Commission further believes that the proposed

    volume threshold test is an appropriate vehicle to define the scope of

    AT Persons, in combination with the proposed definition of Algorithmic

    Trading and the proposed amended definition of DEA.\24\ As discussed

    below, the Commission also considered a variety of quantitative

    thresholds in formulating the Supplemental NPRM proposal, including

    order related measurements and frequency metrics.

    ---------------------------------------------------------------------------

    \24\ The Commission also considered alternatives based on

    defined terms such as ``DEA'' and ``Algorithmic Trading'' that also

    serve to define the scope of AT Persons. The Supplemental NPRM

    proposes revisions to the definition of DEA based on public comments

    that the NPRM proposed definition was ambiguous, but does not

    propose amendments to the definition of Algorithmic Trading. The

    Commission believes the volume-based approach proposed herein is a

    better option as it is based on verifiable and easily observed data

    regarding the trading volumes of all market participants on DCMs.

    ---------------------------------------------------------------------------

    B. NPRM Proposal and Comments

    The term ``AT Person,'' as defined in the NPRM, involves several

    interrelated terms, including AT Person, floor trader, DEA, and

    Algorithmic Trading. The definitions proposed in the NPRM for each of

    those terms are discussed below, and changes thereto are noted where

    applicable.

    AT Person. The NPRM proposed to define AT Person as an existing

    Commission registrant that engages in Algorithmic Trading on or subject

    to the rules of a DCM, or a New Floor Trader. In this Supplemental

    NPRM, the Commission is proposing an additional requirement for AT

    Person status: A volume threshold test, as described in Section II(C)

    below. In addition, as discussed below in Section VI(D)(3)(c), the

    Commission is also proposing to permit market participants to

    voluntarily elect AT Person status.\25\

    ---------------------------------------------------------------------------

    \25\ See Supplemental proposed Sec. 1.3(xxxx)(2). The

    Commission is providing flexibility so that non-AT Person market

    participants can administer their own pre-trade risk controls in

    lieu of controls that its FCM must otherwise impose. Such market

    participants must register as New Floor Traders and comply with

    obligations imposed on AT Persons.

    ---------------------------------------------------------------------------

    The defined term ``AT Person'' remains central to the structure of

    the proposed rules. Regulation AT defines the term ``AT Person'' in

    order to identify which entities are subject to the proposed

    regulations addressing trading firms' management of the risks

    associated with automated trading. These regulations include, for

    example, pre-trade and other risk controls on the orders initiated by

    the trading firm, and standards for the development, testing and

    supervision of ATSs. The definition of AT Person under NPRM proposed

    Sec. 1.3(xxxx) lists those persons or entities that may be considered

    an AT Person, namely (1) persons registered or required to be

    registered as FCMs, floor brokers, swap dealers (``SDs''), major swap

    participants (``MSPs''), commodity pool operators (``CPOs''), commodity

    trading advisors (``CTAs''), or introducing brokers (``IBs'') that

    engage in Algorithmic Trading on or subject to the rules of a DCM; or

    (2) persons registered or required to be registered as floor traders as

    defined in Sec. 1.3(1)(iii).\26\

    ---------------------------------------------------------------------------

    \26\ In the NPRM, the Commission proposed amending the

    definition of ``floor trader'' in existing Sec. 1.3(x) to

    facilitate the registration of proprietary traders using DEA for

    Algorithmic Trading on a DCM. The NPRM proposed requiring such

    persons (i.e., New Floor Traders) to register as floor traders,

    assuming they were not already registered or required to register

    with the Commission in another capacity.

    ---------------------------------------------------------------------------

    Direct Electronic Access. Through this Supplemental NPRM, the

    Commission is proposing to amend the definition of DEA originally

    proposed in the NPRM. In the NPRM, the Commission proposed a new Sec.

    1.3(yyyy) that defined DEA as an arrangement where a person

    electronically transmits an order to a DCM, without the order first

    being routed through a separate person who is a member of a DCO to

    which the DCM submits transactions for clearing. By using the word

    ``routed,'' the Commission indicated that it means the process by which

    an order physically goes from a customer to a DCM. Section III below

    discusses the Commission's revisions to the proposed definition of DEA

    as part of this Supplemental.

    Algorithmic Trading. The Commission is not proposing to amend the

    definition of Algorithmic Trading originally proposed in the NPRM.\27\

    ---------------------------------------------------------------------------

    \27\ In the NPRM, the Commission proposed a new Sec. 1.3(zzzz)

    that defines Algorithmic Trading as trading in any commodity

    interest as defined in Regulation 1.3(yy) on or subject to the rules

    of a DCM, where: (1) One or more computer algorithms or systems

    determines whether to initiate, modify, or cancel an order, or

    otherwise makes determinations with respect to an order, including

    but not limited to: the product to be traded; the venue where the

    order will be placed; the type of order to be placed; the timing of

    the order; whether to place the order; the sequencing of the order

    in relation to other orders; the price of the order; the quantity of

    the order; the partition of the order into smaller components for

    submission; the number of orders to be placed; or how to manage the

    order after submission; and (2) such order, modification or order

    cancellation is electronically submitted for processing on or

    subject to the rules of a DCM; provided, however, that Algorithmic

    Trading does not include an order, modification, or order

    cancellation whose every parameter or attribute is manually entered

    into a front-end system by a natural person, with no further

    discretion by any computer system or algorithm, prior to its

    electronic submission for processing on or subject to the rules of a

    DCM.

    ---------------------------------------------------------------------------

    As the Commission explained in the NPRM, ``[t]he term `Algorithmic

    Trading' is a critical underpinning'' of Regulation AT.\28\ It noted

    that the proposed definition of Algorithmic Trading is similar to that

    which was adopted by the European Commission under MiFID II, except

    that it also includes AORSs.\29\ It observed that ``automated order

    routers have the potential to disrupt the market to a similar extent as

    other types of automated systems, and therefore should not be treated

    differently'' under Regulation AT. It also explained that ``given the

    interconnectedness of trading firm systems, carving out a particular

    subset of automated systems from the definition of Algorithmic Trading,

    e.g., order routing systems, would introduce unnecessary complexity and

    reduce the effectiveness of the safeguards provided in its proposed

    regulations.'' \30\ The Commission is cognizant of comments indicating

    some commenters' belief that the proposed definition of Algorithmic

    Trading should be revised to exclude certain systems such as AORSs.

    However, the Commission has thus far been presented with no persuasive

    evidence establishing that the operation of AORSs presents less risk to

    the market than other types of automated or algorithmic systems.

    ---------------------------------------------------------------------------

    \28\ See NPRM at 78840.

    \29\ See id.

    \30\ See id.

    ---------------------------------------------------------------------------

    Comments Received. As discussed above, the NPRM proposed to define

    AT Person as an existing Commission registrant that engages in

    Algorithmic Trading on or subject to the rules of a DCM, or a New Floor

    Trader (i.e., a market participant that engages in (1) proprietary (2)

    Algorithmic Trading (3) through DEA on a DCM). In addition to receiving

    comments on the substance of NPRM proposed terms such as ``Algorithmic

    Trading'' and ``DEA,'' \31\ the Commission also received comments

    concerning the number of market participants that would qualify as AT

    Persons under the proposed rules, particularly as a function of the

    defined terms discussed above. Several

    [[Page 85341]]

    commenters asserted that the number of persons or entities that would

    come within the NPRM proposed definition of AT Person is higher than

    the Commission's estimate of 420 AT Persons. ICE commented that ``[i]f

    read broadly (i.e. orders routed through an FCM's risk management

    controls located at the exchange but not physically routed . . .

    through the FCM are considered DEA), the Commission's estimated 100

    market participants that would be impacted by Regulation AT would

    increase to include the vast majority of all market participants.''

    \32\ The Commercial Alliance stated that Regulation AT could apply to

    ``a large segment of commercial energy and agricultural firms,''

    contrary to the Commission's intent to limit its scope to one hundred

    new registrants.\33\ MFA commented that ``the breadth of the Regulation

    AT definitions are [sic] likely to capture many more market

    participants as AT Persons than the 420 persons that the Commission

    estimates.'' \34\ MFA estimated that if even half of the CTAs and CPOs

    registered with the Commission used an algorithmic trading execution

    system, there would be at least 1,270 CTAs and CPOs that would be AT

    Persons, exclusive of other registrant categories.\35\

    ---------------------------------------------------------------------------

    \31\ The comments received regarding the NPRM proposed

    definition of DEA are discussed in Section III(B) below. The

    Commission is proposing a revised definition of DEA, as set forth in

    Section III(C) below. The Commission is not proposing to amend the

    NPRM proposed definition of Algorithmic Trading.

    \32\ ICE 6.

    \33\ Commercial Alliance 2; see also IECA 6 (asserting that

    Regulation AT could affect ``vastly more'' than 100 proprietary

    trading firms).

    \34\ MFA 34.

    \35\ See id.

    ---------------------------------------------------------------------------

    Several commenters estimated the total number of AT Persons could

    number in the thousands. Specifically, MFA asserted that if a commodity

    pool or managed account could be considered an AT Person, ``there could

    be tens of thousands of AT Persons.'' \36\ CME commented that ``the

    CFTC should recognize that orders can pass through software that is

    calibrated by clearing members but maintained and owned by a clearing

    member's IT provider (e.g., TT or Bloomberg). If these orders are

    viewed as DEA orders because they are mischaracterized as bypassing

    clearing FCM controls, then the DEA definition will capture trading

    activity from significantly more firms (1000s) than the 100 firms

    mentioned in the rulemaking.'' \37\

    ---------------------------------------------------------------------------

    \36\ MFA 12 n.23.

    \37\ CME A-7. See also TT 3 (commenting that ``the definition of

    DEA will likely capture within the definition of `floor trader' many

    single traders, small trading groups and even larger companies like

    energy firms who hedge on futures exchanges, all of whom trade

    through FCMs and are often substantial liquidity providers.'').

    ---------------------------------------------------------------------------

    During the Roundtable and the Second Comment Period, the Commission

    received several comments regarding potential quantitative measures to

    establish the population of AT Persons. Better Markets commented that

    ``[r]egarding a quantitative threshold, the CFTC must adopt a threshold

    using a metric that sets limits on volume and frequency.'' \38\ Better

    Markets further commented that ``[f]or registration purposes, FCMs

    should be tasked with monitoring proposed metrics and communicating

    these metrics to the CFTC because their `know your customer' rules make

    them the most fit.'' \39\ AIMA expressed concerns regarding

    quantitative measures, commenting that it ``considers that additional

    metrics on top of the current proposed definition of AT Person may not

    be the optimal solution to avoid the disproportionately broad scope

    capturing excessive numbers of registered firms. The fundamental

    problem causing a large population of potential AT Persons is the

    inappropriately broad definition of [Algorithmic Trading].'' \40\ The

    Commercial Alliance also took the position that the Commission should

    not adopt a quantitative approach to establish the population of AT

    Persons.\41\

    ---------------------------------------------------------------------------

    \38\ Better Markets III 2.

    \39\ Id.

    \40\ AIMA III 3.

    \41\ Commercial Alliance III 2-4.

    ---------------------------------------------------------------------------

    Commenters raised a number of concerns regarding potential

    quantitative measures, including that all algorithmic or electronic

    trading should be subject to appropriate risk controls; \42\ that even

    a small volume of trading could pose risks to the marketplace; \43\

    that any quantitative measure would necessarily be arbitrary; \44\ and

    that market participants could seek to modify their trading to ``game''

    any quantitative measure.\45\ The Commission has carefully considered

    all comments received, and believes that the proposals set forth in

    this Supplemental NPRM address the comments regarding quantitative

    measures raised during the Roundtable and in written comments.

    ---------------------------------------------------------------------------

    \42\ ICE, transcript of June 10, 2016 Roundtable (``Roundtable

    Tr.''), available at http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/transcript061016.pdf, 110:14-114:5;

    Optiver, Roundtable Tr. 119:11-120:17; see also FIA 6, 13, 21; ICE

    4; and MGEX 20-21 (commenting that all market participants trading

    electronically should use pre-trade and other risk controls

    appropriate to their trading).

    \43\ Hudson Trading, Roundtable Tr. 95:10-97:8, 135:12-136:19;

    Optiver, Roundtable Tr. 119:11-19; KCG, Roundtable Tr. 120:21-121:8.

    \44\ Hartree, Roundtable Tr. 100:7-101:7; AQR, Roundtable Tr.

    106:5-107:17, 109:9-110:13.

    \45\ Milliman III 3; Hudson Trading, Roundtable Tr. 97:15-98:4;

    AQR, Roundtable Tr. 107:18-108:7; QIM, Roundtable Tr. 117:13-114:10.

    ---------------------------------------------------------------------------

    Specifically, the Commission is proposing to establish a framework

    where FCMs act as one of two pre-trade risk control layers for all

    Electronic Trading not originating with an AT Person (see Supplemental

    proposed Sec. 1.82). The volume threshold test would identify those

    market participants with the most significant presence in CFTC-

    regulated markets. The Commission is also proposing an anti-evasion

    provision in Supplemental proposed Sec. 1.3(xxxx)(4) to address

    commenters' concerns that a quantitative measure could be ``gamed'' by

    market participants.\46\ As discussed in Section II(C) below, the

    proposed anti-evasion provision states that no person shall trade

    contracts or cause contracts to be traded through multiple entities for

    the purpose of evading the floor trader registration requirements under

    Supplemental proposed Sec. 1.3(x)(3), or to avoid meeting the

    definition of AT Person under Supplemental proposed Sec. 1.3(xxxx).

    ---------------------------------------------------------------------------

    \46\ See AQR, Roundtable Tr. 107:18-108:7; Hudson River Trading,

    Roundtable Tr. 97:19-21.

    ---------------------------------------------------------------------------

    C. Substance of New Proposal

    In light of comments received, the Commission is proposing an

    additional requirement for AT Person status: A volume threshold test.

    Pursuant to Supplemental proposed Sec. 1.3(xxxx), a market participant

    may fall under the definition of AT Person in one of three ways. First,

    the category of AT Persons includes persons registered or required to

    be registered as an FCM, floor broker, SD, MSP, CPO, CTA, or IB that

    (1) engages in Algorithmic Trading and (2) satisfies the volume

    threshold test under Supplemental proposed Sec. 1.3(x)(2) (as

    discussed in greater detail below).\47\ Second, AT Persons include New

    Floor Traders under Supplemental proposed Sec. 1.3(x)(1)(iii).\48\

    Such New Floor Traders must engage in Algorithmic Trading, utilize DEA,

    and satisfy the volume threshold test under Supplemental proposed Sec.

    1.3(x)(2). Third, a person who does not satisfy either of the other two

    prongs of the AT Person definition may nevertheless elect to become an

    AT Person, provided that such person registers as a floor trader and

    complies with all requirements of AT Persons pursuant to Commission

    regulations.\49\ In addition, each AT Person who is not already a

    member of an RFA must submit an application for

    [[Page 85342]]

    membership to at least one RFA, as discussed below.

    ---------------------------------------------------------------------------

    \47\ See Supplemental proposed Sec. 1.3(xxxx)(1)(i).

    \48\ See Supplemental proposed Sec. 1.3(xxxx)(1)(ii).

    \49\ See Supplemental proposed Sec. 1.3(xxxx)(2).

    ---------------------------------------------------------------------------

    1. Volume Threshold Test for AT Persons

    In light of commenter views that the Commission has underestimated

    the number of AT Persons that would fall within the scope of Regulation

    AT, the Commission proposes modifying the proposed definition of AT

    Person to incorporate a volume threshold test. Specifically,

    Supplemental proposed Sec. 1.3(x)(2) would require potential AT

    Persons to determine whether they trade an aggregate average daily

    volume of at least 20,000 contracts for their own account, the accounts

    of customers, or both. The Commission notes that while many Commission

    registration categories (e.g., FCM, CPO, floor broker, etc.) may trade

    both their proprietary and customer accounts, New Floor Traders are

    likely to trade solely for themselves. Accordingly currently

    unregistered market participants would likely look to their proprietary

    trading volume when determining whether they satisfy the volume

    threshold test.\50\ For purposes of the volume threshold test,

    potential AT Persons would be required to calculate their aggregate

    average daily volume across all products on the electronic trading

    facilities \51\ of all DCMs on which they trade.\52\ Aggregate average

    daily volume would be calculated in six-month periods, from each

    January 1 through June 30 and each July 1 through December 31, based on

    all trading days in the respective period.\53\ For purposes of

    calculating the aggregate average daily volume, AT Persons would also

    be required to aggregate their own trading volume and that of any other

    persons controlling, controlled by or under common control with the

    potential AT Person.\54\

    ---------------------------------------------------------------------------

    \50\ However, if a currently unregistered market participant is

    in fact trading the accounts of customers consistent with the Act

    and Commission regulations, such market participant should include

    their customer trading volume, in addition to their proprietary

    volume, when determining whether it satisfies the volume threshold

    test.

    \51\ ``Electronic trading facility'' is defined in section

    1a(16) of the CEA. The aggregate average daily volume would not

    include block trades, exchange for related positions, pit trades, or

    other transactions outside a DCM's electronic trading platform.

    \52\ See Supplemental proposed Sec. 1.3(x)(2)(i).

    \53\ See Supplemental proposed Sec. 1.3(x)(2)(ii).

    \54\ See Supplemental proposed Sec. 1.3(x)(2)(iii).

    ---------------------------------------------------------------------------

    The Commission believes that a volume threshold test based on total

    trading volume across the electronic trading facilities of all DCMs

    best matches the goals of AT Person regulation, including risk

    controls, recordkeeping and testing and monitoring of automated systems

    requirements that will prevent and reduce the potential risk of market

    disruption caused by technological malfunction or other error. This

    volume threshold test would apply to both current and new Commission

    registrants to help define whether they are AT Persons.

    In making this determination, the Commission reviewed other

    quantitative thresholds proposed, or finalized, for regulatory purposes

    similar to those in Regulation AT. These other quantitative thresholds

    include, for example, tests proposed by ESMA for identifying high-

    frequency traders in European markets, i.e., average resting order

    times and daily number of messages sent by a trading entity. The

    Commission's purpose in creating the new AT Person category is to

    ensure that risk management, testing and monitoring standards are

    sufficiently high for larger market participants in futures markets,

    regardless of strategy or firm type. The Commission believes that, out

    of all actions taking place on an electronic platform, consummated

    transactions are the key element of market processes such as price

    discovery and risk transfer. For this reason, larger entities, across

    products taken as a whole, should be held to standards sufficient to

    mitigate the risks of general market disruptions or degradations in the

    quality of trading.

    The Commission proposes setting a six-month window for calculating

    average daily trading volume. The Commission's intent is that a longer

    window will smooth out episodic volume fluctuations experienced by a

    firm through the year for a variety of reasons, including, for example,

    hedging practices, roll activity, or other seasonal reasons. By doing

    this, the set of AT Persons should be restricted to entities that are

    larger, sufficiently high-volume traders. The averaging window also

    should moderate the effect of market events where there is unusually

    high volume relative to historical levels.

    The volume threshold test definition does not make a distinction

    between futures products or between futures and options contracts for

    the purposes of aggregation. The Commission believes this is

    appropriate to help facilitate the volume calculation for potential AT

    Persons. Accordingly, the proposed volume threshold test instead

    results in an averaging across markets and products.

    Using the proposed definition, and a trading volume threshold of

    20,000 contracts traded per day on DCM electronic trading facilities--

    including for a firm's own account, the accounts of customers, or both,

    over a six month period--the Commission estimates that there would be

    approximately 120 AT Persons, a portion of which would be newly

    registered under the amended definition of floor trader.\55\ In order

    to derive this estimate, the Commission made use of daily trading audit

    trail data, for futures and options on futures, received from a number

    of DCMs. This audit trail data included information about the trading

    activity of market participants on the electronic trading facility of

    each DCM, coinciding with the order and trade activity associated with

    electronic trading, the focus of many other elements of this

    Supplemental NPRM. Because the volume threshold test is based on

    activity within a semi-annual period, the Commission calculated the

    average activity of individual firms during the first half of 2016 and

    used these aggregate numbers as an activity benchmark. Aggregating this

    activity across the DCMs for which the Commission had firm

    identification provided a basis for estimating the number of potential

    AT Persons. The Commission notes that its data provides a significantly

    comprehensive, but not a full, identification of the firms associated

    with each trade; in other cases, the firm associated with a trade may

    be the broker rather than the principal. For these reasons, the

    Commission estimates for the number of AT Persons may omit some firms

    that would meet the volume threshold requirements.

    ---------------------------------------------------------------------------

    \55\ The Commission notes that over time it may amend the volume

    threshold it adopts in any final rules for Regulation AT. Such

    amendments would be an outgrowth of the Commission's experience with

    the volume threshold it adopts in final rules. As the Commission is

    proposing to codify the volume threshold in its rules, any future

    changes would necessarily be pursued through further notice and

    comment rulemaking.

    ---------------------------------------------------------------------------

    Because trading patterns for a given entity or firm may change over

    time, the Commission acknowledges that traders who are active enough to

    fall above the AT Person volume threshold test during a given semi-

    annual period may, over time, reduce their activity levels. To

    accommodate changes in strategy and in the use of futures markets, the

    AT Person definition allows for current AT Persons to drop their

    designation as an AT Person if they fall below the volume threshold for

    two consecutive six-month periods.\56\

    ---------------------------------------------------------------------------

    \56\ The Commission's proposed volume threshold test helps

    determine, together with other factors, a market participant's

    obligation to register as a New Floor Trader. As described above,

    any Commission registrant who is also an AT Person, including a

    floor trader, may cease to be bound by the requirements applicable

    to AT Persons if such registrant falls below the volume threshold

    test for two consecutive six-month periods. The Commission notes,

    however, that a floor trader who ceases to be an AT Person shall

    still be registered as a floor trader unless it formally applies for

    withdrawal from registration as described in Commission Sec. 3.33.

    ---------------------------------------------------------------------------

    [[Page 85343]]

    2. Registration as a Floor Trader

    Supplemental proposed Sec. 1.3(x) modifies the new definition of

    floor trader, which also make up the group of AT Persons under

    Supplemental proposed Sec. 1.3(xxxx)(1)(ii). Under the Supplemental

    proposed definition, a floor trader must, in addition to using DEA to

    conduct Algorithmic Trading (as proposed in the NPRM), also satisfy the

    volume threshold test set forth in Supplemental proposed Sec.

    1.3(x)(2). This proposal will help to address concerns that too many

    market participants would be captured by the new definition of floor

    trader proposed in the NPRM.

    Supplemental proposed Sec. 1.3(x)(3) specifies the period of time

    provided to an entity meeting these conditions to register as a floor

    trader and come into compliance with the requirements for AT Persons.

    Specifically, Supplemental proposed Sec. 1.3(x)(3) provides that an

    unregistered person who satisfies Supplemental proposed Sec. Sec.

    1.3(x)(1)(iii)(A), (x)(1)(iii)(B) and (x)(1)(iii)(C), and who meets the

    volume threshold test in Supplemental Sec. 1.3(x)(2) in any January 1

    through June 30 or July 1 through December 31 period, shall register as

    a floor trader within 30 days after the end of such period and shall

    comply with all requirements of AT Persons pursuant to Commission

    regulations within 90 days after the end of such period.

    Supplemental proposed Sec. 1.3(x)(3)(ii) describes which person or

    persons must register if there is an ``affiliate group,'' under common

    control, that meets the volume threshold test in the aggregate.

    Supplemental proposed Sec. 1.3(x)(3)(ii) states that for any group

    consisting of a person and any other persons controlling, controlled by

    or under common control of such person, if such group of persons in the

    aggregate satisfies the volume threshold test set forth in Supplemental

    proposed Sec. 1.3(x)(2), then one or more persons in such group must

    register as floor traders. These registrations would need to continue

    across affiliated entities until the aggregate average daily volume of

    the unregistered persons in the group trade an aggregate average daily

    volume below the volume threshold test set forth in Sec.

    1.3(x)(2).\57\

    ---------------------------------------------------------------------------

    \57\ The Commission's proposal for aggregating the trading

    volume of affiliated entities under common control is modeled on

    analogous provisions in the Commission's swap dealer registration

    requirements. See existing Sec. 1.3(ggg)(4) and Interpretative

    Guidance and Policy Statement Regarding Compliance With Certain Swap

    Regulations, 78 FR 45292 (July 26, 2013).

    ---------------------------------------------------------------------------

    3. Anti-Evasion

    Supplemental proposed Sec. 1.3(x)(4) provides that no person shall

    trade contracts or cause contracts to be traded through multiple

    entities for the purpose of evading the registration requirements

    imposed on New Floor Traders under Sec. 1.3(x)(3), or to avoid meeting

    the definition of AT Person under Sec. 1.3(xxxx). The purpose of this

    provision is to prevent market participants whose trading volume would

    otherwise cause them to fall within the definition of New Floor Trader

    (and, therefore, AT Person), but who trade through multiple entities

    for the purpose of falling below the volume threshold test, from

    avoiding registration. By including such anti-evasion provision, the

    Commission seeks to prevent market participants from structuring

    transactions and legal entities in order to avoid the requirements of

    Regulation AT. Examples of these structures might include trading

    through multiple ``shell'' companies that individually trade below the

    threshold, or trading through one entity for part of the year, then

    ceasing all trading activity for that entity and trading instead

    through a newly formed entity, similarly leaving average daily volume

    under the threshold.

    4. Registration for Membership With a Registered Futures Association

    In addition to being registered with the Commission in some

    capacity, AT Persons must also submit applications for membership in at

    least one RFA.\58\ In particular, Supplemental proposed Sec. 170.18

    requires that an AT Person not yet a member of an RFA must submit an

    application for membership in at least one RFA within 30 days of such

    AT Person satisfying the volume threshold test set forth in

    Supplemental proposed Sec. 1.3(x)(2).\59\ In addition, Supplemental

    proposed Sec. 1.3(xxxx) provides that any person that elects to become

    an AT Person must submit an application for membership to at least one

    RFA pursuant to Supplemental proposed Sec. 170.18 within 30 days of

    such person choosing to become an AT Person.\60\

    ---------------------------------------------------------------------------

    \58\ The Commission is cognizant that upon the adoption of final

    rules for Regulation AT, an RFA may need additional time to prepare

    its governance structure, membership categories, application

    materials, and other internal processes to accommodate New Floor

    Traders. Accordingly, the Commission may determine to delay the

    compliance date for Supplemental proposed Sec. 170.18 for a short

    period of time so that an RFA may complete such processes prior to

    receiving its first application for membership from a New Floor

    Trader.

    \59\ Any unregistered person who meets the requirements to

    register as a New Floor Trader would have identical 30-day periods

    in which to both register with the Commission and apply for

    membership in an RFA.

    \60\ The Commission does not require such membership to be in a

    specific membership category. An RFA may register such AT Persons as

    ``floor traders,'' or choose to create a subset or other category of

    Regulation AT floor traders for membership purposes.

    ---------------------------------------------------------------------------

    D. Commission Questions

    1. The Commission invites comment on the proposed volume threshold

    test set forth in Supplemental proposed Sec. 1.3(x)(2). In particular,

    the Commission specifically invites comment on whether the volume

    threshold test is an appropriate means of identifying those market

    participants who should qualify as AT Persons and therefore be subject

    to the proposed risk control, recordkeeping testing and monitoring and

    other requirements in Regulation AT.

    2. If you believe that AT Persons should be identified by a

    quantitative measure other than the proposed volume threshold test,

    please identify and describe such alternative measure, including the

    number and types of market participants that would qualify as AT

    Persons.

    3. The proposed volume threshold test would require a potential AT

    Person to determine whether it trades an aggregate average daily volume

    of at least 20,000 contracts over a six month period. Do you believe

    that a potential AT Person's average daily volume for purposes of the

    volume threshold test should instead be calculated only over the days

    in which the potential AT Person trades during the six month period?

    Would such alternative better address potential AT Persons who may

    trade infrequently over the course of a six month period, but in large

    quantities when they do trade?

    4. The Commission estimates that its proposed volume threshold of

    20,000 contracts traded per day, including for a firm's own account,

    the accounts of customers, or both, across all products and DCMs, would

    capture approximately 120 market participants, including new and

    existing registrants. Please comment on the Commission's estimate. Do

    you believe that the number of market participants captured by this

    volume threshold test would be greater or fewer than 120? Please

    indicate how many of these market participants are currently registered

    with the Commission and how many are not.

    [[Page 85344]]

    5. With the addition of the proposed volume threshold test, do you

    believe that any AT Person will be a natural person or a sole

    proprietorship with no employees other than the sole proprietor?

    6. For the proposed volume threshold test, please explain any

    challenges that could arise with respect to implementation. For

    example, what difficulties might an entity potentially subject to

    Regulation AT encounter in calculating whether it meets the volume

    threshold? Will the entity be able to readily distinguish between

    trades executed on a DCM's electronic trading facility and other trades

    executed on or pursuant to the rules of the DCM? Does the volume

    threshold test potentially capture a set of entities that should not be

    subject to Regulation AT?

    7. For the proposed volume threshold test, please explain whether

    the proposed rule should specify a different aggregation level for

    purposes of deciding who is an AT Person (e.g., individual DCMs,

    individual products), or whether the aggregation should be done over a

    time period different than the proposed semi-annual window.

    8. For the proposed volume threshold test, please explain whether

    certain trades should be weighted differently in calculating the volume

    aggregation, or whether certain trades such as spread trades should be

    excluded from the aggregation.

    9. For the proposed volume threshold test, the Commission proposes

    to set a single threshold incorporating trading in all products and on

    all DCMs in order to facilitate calculations for potential AT Persons.

    Please explain whether the Commission should instead set different

    thresholds for groups of related products, or on a per-DCM basis, or

    other more granular measures than the aggregation of a potential AT

    Person's trading across all products and DCMs. Please also discuss the

    added complexity of any such alternate system, and explain why such

    system is preferable despite such complexity.

    10. Supplemental proposed Sec. 1.3(x)(2)(ii) calls for aggregate

    average daily volume to be calculated in six-month periods, from each

    January 1 through June 30 and each July 1 through December 31. The

    Commission requests comment regarding when to begin the first six-month

    measurement period for any final rules that the Commission adopts. For

    example, the Commission anticipates that for any final rules with an

    effective date prior to July 1, 2017, the first measurement period will

    be July 1 through December 31, 2016. Alternatively, the Commission

    could delay the effective date for certain elements of the final rules

    to a date from July 1, 2017 onwards. In such case, the first

    measurement period could be January 1 to June 30, 2017.

    11. The Commission invites comment on whether any future changes to

    the volume threshold deemed appropriate by the Commission (subsequent

    to a final rulemaking on Regulation AT) should be made by notice and

    comment rulemaking. Commenters are particularly invited to address

    potential alternatives to updating the volume threshold, if any.

    12. The Commission invites comment as to how the proposed volume

    threshold test should be applied to members of an affiliated group.

    Commenters are particularly invited to address how the Commission

    should interpret common control for these purposes, and whether this

    interpretation should be limited to wholly-owned affiliates.

    13. The Commission requests comment regarding the appropriate

    amount of time for an entity to register as a New Floor Trader and come

    into compliance with all requirements applicable to AT Persons, once

    such entity has triggered the criteria for registration and AT Persons

    status.

    III. Proposed Definition of DEA

    A. Overview and Policy Rationale for New Proposal

    The Commission proposed in NPRM Sec. 1.3(yyyy) to define DEA for

    purposes of Regulation AT as an arrangement where a person

    electronically transmits an order to a DCM, without the order first

    being routed through a separate person who is a member of a DCO to

    which the DCM submits transactions for clearing.\61\ The NPRM explained

    that the term ``routed'' was intended to mean the process by which an

    order physically goes from a customer to a DCM. The Commission proposed

    this definition of DEA in the NPRM as a filter, along with Algorithmic

    Trading, to help define the category of proprietary traders that would

    be required to register as floor traders under Regulation AT. The

    Commission anticipated that the proposed definition of DEA could help

    to define the number of entities required to register as New Floor

    Traders, and to focus registration on larger market participants not

    otherwise registered with the Commission. In light of comments received

    on the NPRM, and in light of the proposed addition of a volume

    threshold test to filter out smaller market participants from floor

    trader registration and its attendant obligations, the Commission is

    proposing an amended definition of DEA, as described below.

    ---------------------------------------------------------------------------

    \61\ See NPRM at 78844.

    ---------------------------------------------------------------------------

    The Supplemental proposed defined term DEA means the electronic

    transmission of an order for processing on or subject to the rules of a

    contract market, including the electronic transmission of any

    modification of such order. DEA would not include orders, or

    modifications or cancellations thereof, (i) electronically transmitted

    to a DCM (ii) by an FCM (iii) that such FCM received from an

    unaffiliated natural person \62\ (iv) by means of oral or written

    communications.\63\ The amended definition differs from the NPRM

    definition in four key areas: (a) Eliminating the term ``routed

    through''; (b) clarifying that DEA does not include orders submitted to

    a DCM by an FCM where such FCM received the order from an unaffiliated

    natural person by means of written or oral communication; \64\ (c)

    changing the proposed rule's reference to ``clearing members'' of DCOs

    to any FCM; and (d) expanding the term ``order'' to include the

    cancellation or modifications of such order.

    ---------------------------------------------------------------------------

    \62\ The Commission notes that an ``unaffiliated natural

    person'' is one who has no affiliation with, and whose employer has

    no affiliation with, the FCM receiving the order. Such natural

    person may be communicating the order for another (unaffiliated)

    Commission registrant, an (unaffiliated) unregistered market

    participant, an (unaffiliated) end customer, etc. Examples of

    scenarios that are not DEA include: (1) An employee of a Commission

    registrant communicates an order to an unaffiliated FCM, verbally or

    in writing, for onward transmission by such FCM to a DCM; (2) A

    natural person customer communicates an order to an unaffiliated

    FCM, verbally or in writing, for onward transmission by such FCM to

    a DCM; and (3) An employee of customer that is a legal entity not

    registered with the Commission communicates an order to an

    unaffiliated FCM, verbally or in writing, for onward transmission by

    such FCM to a DCM. The Commission emphasizes that an unaffiliated

    natural person has no relationship, and their employer has no

    relationship, with the FCM receiving the order for submission to a

    DCM.

    \63\ The Commission notes that ``written communications'' may

    include email, text messages, or instant messaging ``chat'' tools,

    in addition to communications on paper. The common denominator is

    that such communications are in each instance specifically written

    by a natural person.

    \64\ The Commission notes that this exclusion addresses the

    ``how'' and ``by whom'' of an order's communication to the FCM. Such

    communication must be made by a (1) unaffiliated (2) natural person

    (3) verbally or in writing.

    ---------------------------------------------------------------------------

    B. NPRM Proposal and Comments

    In the NPRM, DEA was relevant to several of the proposed

    regulations. It was used as a filter to define the category of market

    participants required to register as floor traders and be subject to

    the requirements of Regulation AT

    [[Page 85345]]

    (see proposed Sec. 1.3(x)(3)). In addition, DEA was relevant to

    revised Sec. 38.255, which requires DCMs to have in place systems and

    controls reasonably designed to facilitate an FCM's management of the

    risks that may arise from Algorithmic Trading, and proposed Sec. 1.82,

    which requires FCMs to implement such DCM-provided controls for DEA

    orders. This approach of enabling clearing FCMs to implement DCM-based

    controls is similar to how the Commission addresses financial risk

    management by FCMs, as reflected in existing DCM regulation Sec.

    38.607. Existing Sec. 38.607 describes DEA as allowing customers of

    futures commission merchants to enter orders directly into a designated

    contract market's trade matching system for execution.\65\ As discussed

    below, the Commission proposes to amend the definition of DEA to

    address various commenter concerns, and the term continues to be

    relevant to Supplemental proposed Sec. Sec. 1.3(x)(1)(iii), 1.82 and

    38.255.

    ---------------------------------------------------------------------------

    \65\ In addition, in the context of foreign boards of trade,

    section 4(b)(1)(A) of the CEA defines ``direct access'' as an

    explicit grant of authority by a foreign board of trade to an

    identified member or other participant located in the United States

    to enter trades directly into the trade matching system of the

    foreign board of trade.

    ---------------------------------------------------------------------------

    Comments Received. The Commission received a range of comments

    concerning the scope and clarity of the definition of DEA proposed in

    the NPRM. Better Markets commented that the NPRM's definition of DEA

    encompassed all types of access commonly understood in Commission-

    regulated markets as ``direct market access.'' \66\ Other commenters

    raised a number of concerns over the NPRM proposed definition of DEA

    and its application to various types of market participants. One

    commenter cautioned that the NPRM proposed definition of DEA would not

    capture any market participants because clearing members are required

    to have risk controls over automated customer orders under existing

    Sec. 1.73.\67\ Some commenters found the NPRM definition too broad,

    and argued that it would capture individual traders and small trading

    groups, as well as large corporations using futures markets to hedge

    risks.\68\ CME stated that this broader reading of DEA would capture

    thousands of firms if the term includes orders that pass through

    software calibrated by clearing members but maintained and owned by a

    clearing member's IT provider (e.g., TT or Bloomberg).\69\ Two

    commenters suggested that the definition of DEA is unnecessary because

    any market participant trading electronically must utilize pre-trade

    and other risk controls appropriate to the nature of their trading.\70\

    ---------------------------------------------------------------------------

    \66\ Better Markets 3; Better Markets III 3-4.

    \67\ CME, 12.

    \68\ TT 3.

    \69\ CME A-7.

    \70\ FIA 6; ICE 4-5.

    ---------------------------------------------------------------------------

    Several commenters asserted that the NPRM proposed definition of

    DEA lacks clarity,\71\ and that the definition does not provide

    sufficient guidance as to what ``being routed through a separate

    person'' that is a member of a DCO means.\72\ Many commenters argued

    that DEA should not include DCM-offered connectivity platforms such as

    WebICE or CME Direct.\73\ Commenters also argued that DEA should not

    include platforms provided by third-party ISVs; \74\ one commenter

    considered such ISVs to be an extension of the FCM's infrastructure

    where the FCM was able to control a risk control module on the

    platform.\75\

    ---------------------------------------------------------------------------

    \71\ TT 2; MFA 15; CME 11-12; ICE 4; IECA 7.

    \72\ TT 2; CME 11-12; ICE 4.

    \73\ FIA A-17; MFA 15; AGA 3; Commercial Alliance III 4; ICE 5;

    CME A-7.

    \74\ FIA A-6; MFA 15; TT 3; Commercial Alliance 4.

    \75\ FIA A-6.

    ---------------------------------------------------------------------------

    Some commenters also suggested that the NPRM definition was too

    narrowly focused on the role of clearing FCMs, as opposed to executing

    FCMs. Several commenters argued that executing FCMs could better act as

    gatekeepers over customer order flow than clearing FCMs.\76\ For

    example, Milliman commented that NPRM proposed Sec. 1.3(yyyy) should

    be modified to refer to an order being routed through a separate person

    who is an ``executing agent'' (rather than a clearing member).\77\ QIM

    raised the issue of FCM ``gateways'' through which customers could

    submit orders, and commented that only the person or agent directly

    placing trades on a DCM should be considered to possess DEA \78\

    ---------------------------------------------------------------------------

    \76\ Milliman III 2. One commenter also noted that there may be

    non-FCM clearing members of a DCM, which could create situations

    under the NPRM proposed rules where there would be ``no second line

    of pre-trade risk control administered by an FCM.'' Industry Group

    III 15 n.12. One commenter also suggested that limiting the

    exclusion to instances where a clearing member had risk controls in

    place would incentivize market participants to move away from the

    use of executing FCMs and give-up arrangements. See Bloomberg 7.

    \77\ Milliman III 2.

    \78\ QIM III 1.

    ---------------------------------------------------------------------------

    Commenters offered a variety of alternate definitions of DEA, with

    the intent that DEA not capture certain types of market participants.

    Bloomberg and TT offered alternate definitions that would exclude

    market participants using third-party software platforms provided by

    FCMs.\79\ CME offered an alternative definition that would exclude

    orders passing through risk controls administered by a clearing

    member.\80\ FIA and the Commercial Alliance offered an alternative

    definition that would exclude orders that are first routed through an

    order routing system under the control of an FCM.\81\ Better Markets

    proposed a definition that would take into consideration colocation and

    the use of FCM-provided software.\82\ Nadex supported defining DEA,

    consistent with existing Commission Sec. 38.607, as ``allowing

    customers of FCMs to enter orders directly into a DCM's trade matching

    system for execution.'' \83\ Similarly, Nodal commented that the

    definition of DEA in Sec. 38.607 ``is an accurate definition of Direct

    Electronic Access that does not need revision.'' \84\

    ---------------------------------------------------------------------------

    \79\ Bloomberg 8-9; TT 3.

    \80\ CME 12.

    \81\ FIA 6; Commercial Alliance 6.

    \82\ Better Markets III 4.

    \83\ Nadex III 2.

    \84\ Nodal 2.

    ---------------------------------------------------------------------------

    C. Substance of New Proposal

    The Commission proposes to amend the definition of DEA in Sec.

    1.3(yyyy) of the NPRM to address the comments summarized above,

    including with respect to potential ambiguities in the NPRM's

    definition of DEA. At the same time, the Supplemental NPRM retains DEA

    as one of the criteria for defining who must register as a New Floor

    Trader. The addition of the volume threshold test pursuant to

    Supplemental proposed Sec. 1.3(x)(2) will act as a further filter for

    New Floor Traders, limiting registration to large market participants.

    This will limit AT Person status and its attendant obligations to only

    those market participants who meet the volume threshold test.

    The Commission intends for the amended proposed definition of DEA

    to cover any arrangement where a market participant electronically

    transmits an order, modification or cancellation to a DCM. However, the

    amended proposed definition excludes from the definition of DEA any

    orders submitted by an FCM where the FCM receives such order from an

    unaffiliated natural person by means of written or oral communication.

    As noted in Section III(A) above, an ``unaffiliated'' natural person is

    one who has no affiliation with the FCM receiving the order for

    submission to a DCM. Similarly, the natural person's employer can have

    no affiliation with such FCM.

    [[Page 85346]]

    The NPRM definition of DEA exempted orders that were ``routed

    through'' a clearing FCM. After receiving comments requesting

    clarification on this phrase, the Commission proposes changing the

    definition of DEA so that it does not include orders electronically

    submitted to a DCM by an FCM that such FCM first receives from an

    unaffiliated natural person by means of oral or written communications.

    The Commission believes that this revision clarifies which order

    submission methods are DEA, and which are not, for purposes of

    Regulation AT. The Commission expects that the language in which an FCM

    electronically submitting orders first received from an unaffiliated

    natural person by means of oral or written communications will only

    encompass situations where the FCM is acting in a true intermediating

    role: i.e., where the FCM receives an order from a third-party (who may

    or may not be a Commission registrant) and the FCM then submits such

    order to a DCM for or on behalf of the third party. Each element of

    Supplemental proposed Sec. 1.3(yyyy) is intended to emphasize an FCM's

    active, involved intermediation as a necessary condition for non-DEA

    order submission, modification, or cancellation. Accordingly, non-DEA

    orders must be received by an FCM orally or in writing, from a natural

    person, who is unaffiliated and whose employer is unaffiliated with the

    FCM.

    Because technological innovations have created, and may continue to

    create, new methods for market participants to connect to DCMs, the

    Commission has determined not to differentiate between currently

    existing connection types. Instead, the amended proposed definition

    would capture all electronic order submissions to a DCM as DEA, unless

    the order is first received by an FCM from an unaffiliated natural

    person by means of written or oral communication prior to being

    submitted to the DCM by the FCM.\85\ To identify specific connection

    types in this definition--such as connection through a DCM's

    application program interface (``API'')--risks having the definition

    become outdated with changes in technology while simultaneously

    creating uncertainty over the regulatory standing of such new

    technology.

    ---------------------------------------------------------------------------

    \85\ The Commission understands that written or oral

    communications are not computer-generated, and therefore such

    communications would come from a natural person. The Commission

    notes that ``written communications'' may include email, text

    messages, or instant messaging ``chat'' tools, in addition to

    communications on paper. The common denominator is that such

    communications are in each instance specifically written by a

    natural person.

    ---------------------------------------------------------------------------

    Second, the exclusion would apply only where an FCM receives an

    oral or written communication from a natural person for a particular

    order or series of orders. The exclusion would not apply to orders

    received through electronic systems or automated means, such as through

    any API or graphical user interfaces (``GUIs'') provided by an FCM. The

    exclusion also would not apply to any third-party ISV platforms, such

    as those provided by Bloomberg or TT, even if the FCM were able to

    calibrate or implement risk controls over customer order flow submitted

    through those platforms. Further, the exclusion would not apply to any

    orders submitted through DCM-provided APIs, such as WebICE or CME

    Direct. In each case, current and potential technological practices may

    serve to reduce or eliminate the role of an FCM or other Commission

    registrant as a true intermediary to the transaction.

    Third, the Commission's amended proposed definition also would

    change the entity that must be involved in an order's transmittal to

    the DCM for such order not to be considered DEA. The NPRM proposal

    would exclude orders routed through a clearing member of a DCO to which

    the DCM submits trades for clearing, thus applying to clearing FCMs.

    The amended proposal would expand the exclusion from DEA to certain

    types of orders submitted by any FCM, including those FCMs that a

    market participant may use only to execute trades as well as those used

    to clear trades. This change is in response to various comments

    suggesting that executing FCMs could better act as gatekeepers on

    customer order flow than clearing FCMs.

    Fourth, the amended proposal differs from the NPRM proposal in that

    the definition of DEA proposed in this Supplemental NPRM applies

    explicitly to modifications and cancellations of orders, not only

    initial order submissions. The Commission considers this a non-

    substantial clarification intended to align the DEA definition with the

    proposed definition of Algorithmic Trading (NPRM proposed Sec.

    1.3(zzzz)).

    D. Commission Questions

    14. Does the amended proposed definition of DEA appropriately

    capture all order submission methods to which the additional filters

    for New Floor Trader status (i.e., Algorithmic Trading and the volume

    threshold test) should be applied?

    IV. Algorithmic Trading Source Code Retention and Inspection

    Requirements

    A. Overview and Policy Rationale for New Proposal

    The Commission proposed NPRM Sec. 1.81(a)(vi) to ensure that

    source code is preserved and available to the Commission when

    necessary. The NPRM required that AT Persons maintain a ``source code

    repository'' and make it available for inspection in accordance with

    existing Sec. 1.31. The requirements proposed in the NPRM were

    intended to be consistent with the Commission's traditional statutory

    and regulatory authorities governing recordkeeping and access to

    records; however, as explained below, some commenters misconstrued the

    proposal as requiring more than the Commission intended. Specifically,

    NPRM proposed Sec. 1.81(a)(vi) did not require the transfer of all

    source code to the Commission or other third party for centralized

    storage. It also did not require that AT Persons provide their

    Algorithmic Trading Source Code to the Commission on a regular basis.

    Comments received in response to NPRM proposed Sec. 1.81(a)(vi)

    expressed intellectual property and information security concerns among

    numerous market participants and other observers. The Commission

    appreciates these concerns, including the commercial and enterprise

    value of market participants' Algorithmic Trading Source Code. The

    Commission is proposing to revise NPRM proposed Sec. Sec.

    1.81(a)(1)(v) and (vi) as reflected in Supplemental proposed Sec.

    1.84. This new proposal directly addresses commenters' concerns

    regarding Commission access to source code in several respects. Most

    importantly, access to Algorithmic Trading Source Code would not be

    governed by Sec. 1.31. Instead, access to Algorithmic Trading Source

    Code and related records described in the proposed rule would require a

    subpoena approved by the Commission pursuant to part 11 or a ``special

    call'' which must also be approved by the Commission itself, a

    heightened procedural step that responds to concerns raised by market

    participants.

    Through Supplemental proposed Sec. 1.84, the Commission is

    endeavoring to balance its responsibility to oversee markets and market

    participants--including the operation of ATSs which have become highly

    pervasive in modern electronic markets--with market participants'

    strongly-held privacy and confidentiality concerns. Ultimately, it is

    imperative that the Commission have access to all information necessary

    for effective

    [[Page 85347]]

    regulatory oversight, including market surveillance and maintaining the

    safety and soundness of markets. The Commission believes that

    Supplemental proposed Sec. 1.84 strikes an appropriate balance between

    regulatory needs and privacy concerns.

    The Commission emphasizes that recordkeeping and Commission access

    to books and records are central to the Act's statutory framework for

    the oversight of regulated derivatives markets. Sections 4g, 4n(3)(A),

    4r(c), and 4s(f)(1)(C) of the Act require all registrants and

    registered entities to maintain books and records, and provide for

    prompt access by the Commission and its staff. They include nearly

    identical language stating that registrants and registered entities

    shall keep books and records in such form and manner and for such

    period as may be required by the Commission; and shall keep such books

    and records open to inspection by any representative of the

    Commission.\86\ These core statutory provisions recognize that the

    Commission must have adequate information to oversee markets and market

    participants subject to its jurisdiction.\87\ Required books and

    records include not only those that must be reported to the Commission

    on a routine basis, but also books and records that registrants must

    maintain in their own possession and make available upon request by the

    Commission or its staff. The Act and Commission rules contemplate a

    range of mechanisms to obtain books and records, from prompt production

    to Commission staff through on-site inspection,\88\ to subpoenas in

    investigative proceedings pursuant to part 11 of the Commission's

    regulations.

    ---------------------------------------------------------------------------

    \86\ 17 CFR 1.31. See Section 4g(a) of the Act, 7 U.S.C. 6g(a);

    Section 4n(3)(A) of the Act, 7 U.S.C. 6n(3)(A); Section 4r(c) of the

    Act, 7 U.S.C. 4r(c); and Section 4s(f)(1)(C) of the Act, 7 U.S.C.

    6s(f)(1)(C). Sections 1.31 and 1.35 of the Commission's rules build

    on these statutory provisions by requiring registrants to keep full,

    complete, and systematic records, and to produce such records as

    required by any representative of the Commission. See 17 CFR 1.35;

    17 CFR 1.31. Records must be kept for at least five years, and must

    be ``readily accessible'' during the first two years. See 17 CFR

    1.31(a)(1). Records must be produced to the Commission in a form

    specified by any representative of the Commission, and production

    shall be made, at the expense of the person required to keep the

    book or record. See 17 CFR 1.31(a)(2).

    \87\ In addition to the statutory authority cited above under

    Sections 4g, 4n(3)(A), 4r(c), and 4s(f)(1)(C) of the Act, the

    Commission notes that Section 8a(5) of the Act provides additional

    authority for the proposed recordkeeping and inspection rules.

    Section 8a(5) authorizes the Commission to make and promulgate such

    rules and regulations as, in the judgment of the Commission, are

    reasonably necessary to effectuate any of the provisions or to

    accomplish any of the purposes of this Act. 7 U.S.C. 12a(5).

    \88\ See 17 CFR 1.31(a)(2).

    ---------------------------------------------------------------------------

    As a civil law enforcement agency, the Commission handles

    sensitive, proprietary and trade secret information under strict

    retention and use requirements.\89\ Further, cybersecurity and the

    protection of confidential information are a top priority for the

    Commission.\90\ The Commission receives confidential information on a

    daily basis in a variety of contexts, and takes its legal obligation to

    protect such information seriously. The Commission has significant data

    security measures in place to protect sensitive information from

    internal or external threats. In addition, all current and former CFTC

    employees are prohibited by 17 CFR 140.735-5 from disclosing

    confidential or non-public commercial, economic or official information

    to any unauthorized person, or releasing such information in advance of

    authorization for its release.

    ---------------------------------------------------------------------------

    \89\ See Section 8(a) of the Act, 7 U.S.C. 12(a) (providing that

    except as otherwise specifically authorized in the Act, the

    Commission may not publish data and information that would

    separately disclose the business transactions or market positions of

    any person and trade secrets or names of customers); Section 8(e) of

    the Act, 7 U.S.C. 12(e) (providing that the Commission shall not

    furnish any information to a foreign futures authority or to a

    department, central bank and ministries, or agency of a foreign

    government or political subdivision thereof unless the Commission is

    satisfied that the information will not be disclosed by such foreign

    futures authority, department, central bank and ministries, or

    agency except in connection with an adjudicatory action or

    proceeding brought under the laws of such foreign government or

    political subdivision to which such foreign government or political

    subdivision or any department, central bank and ministries, or

    agency thereof, or foreign futures authority, is a party); 17 CFR

    145.5 (providing that the Commission may decline to publish or make

    available to the public certain nonpublic records, including records

    specifically exempted from disclosure by statute, including data and

    information which would separately disclose the business

    transactions or market positions of any person and trade secrets or

    names of customers); see also 5 U.S.C. 552(b)(4) (providing

    exemption from FOIA for trade secrets and commercial or financial

    information obtained from a person and privileged or confidential).

    \90\ See System Safeguards Testing Requirements, Final Rule, 81

    FR 64272 (Sept. 19, 2016); System Safeguards Testing Requirements

    for Derivatives Clearing Organizations, Final Rule, 81 FR 64322

    (Sept. 19, 2016).

    ---------------------------------------------------------------------------

    In sum, this Supplemental NPRM and the Algorithmic Trading Source

    Code amendments proposed herein achieve four important goals. First,

    the Commission is clarifying its intent regarding Algorithmic Trading

    Source Code. The Commission's interest is in ensuring that Algorithmic

    Trading Source Code is preserved by AT Persons and that it be available

    for inspection by the Commission when needed to investigate,

    understand, and respond, for example, to significant market events,

    including market disruptions and failures of the price discovery

    process. The Commission does not seek routine access to Algorithmic

    Trading Source Code, nor is it requiring that Algorithmic Trading

    Source Code be provided to repositories maintained by the CFTC or a

    third party.

    Second, the Commission is proposing to codify in Supplemental

    proposed Sec. 1.84(b) that any access to Algorithmic Trading Source

    Code must be authorized by the Commission itself. Such access could be

    authorized via subpoena, in an investigatory proceeding pursuant to

    part 11 of the Commission's regulations, or via special call authorized

    by the Commission and executed by the Director of the Division of

    Market Oversight (``DMO'' or ``Division'') pursuant to Supplemental

    proposed Sec. 1.84(b). The Commission notes that the different methods

    of access to source code--subpoena or special call--depend on whether

    Commission staff is: (1) Formally investigating potential violations of

    law; or (2) carrying out its market oversight responsibilities.

    Subpoenas are typically issued in connection with enforcement

    investigations. The proposed special call authority and process is

    intended to require similar Commission approval, but to recognize, for

    example, the potential need for DMO to review source code, such as in

    association with unusual trading events or market disruptions. While

    some commenters recommended that the Commission rely on subpoenas for

    access to source code in all circumstances, the Commission believes it

    is important to distinguish investigatory proceedings from access to

    records by DMO in connection with market surveillance and related

    work.\91\ However, both the subpoena and the special call would require

    approval by the Commission itself.

    ---------------------------------------------------------------------------

    \91\ The Commission notes that it would continue to possess

    subpoena authority with respect to source code, as it does today.

    ---------------------------------------------------------------------------

    The Commission notes Supplemental proposed Sec. 1.84's emphasis on

    access to Algorithmic Trading Source Code and related files in support

    of the Commission's market and trade practice surveillance functions.

    In executing the special call, communications from DMO to the AT Person

    could specify further procedures undertaken by the Division to help

    ensure the security of records provided. For example, the Division

    could specify the means by which it will access Algorithmic Trading

    Source Code or other records required by the special call, including

    on-site inspection at the facilities of the AT Person; the provision of

    records to the Commission on secure storage media or on

    [[Page 85348]]

    computers lacking network connectivity; or the transfer of records to

    secure Commission systems with controlled access.

    Third, and building on public comments regarding additional

    information necessary for the Commission to understand the operation of

    Algorithmic Trading in regulated markets, the Commission is proposing

    in Supplemental proposed Sec. 1.84(a)(3) that AT Persons be required

    to keep records of log files generated in the ordinary course by their

    ATSs. Absent subpoena, access to such log files would also be limited

    to special call by the Commission. As with other regulatory records,

    both Algorithmic Trading Source Code and log files would be required to

    be maintained for a period of five years.\92\ Pursuant to Supplemental

    proposed Sec. 1.84(b)(2), AT Persons would be required to maintain

    records ``in a form and manner that ensures the authenticity and

    reliability of the information in such records,'' and would also be

    required to have available ``systems to promptly retrieve and display''

    records required to be maintained under Supplemental proposed Sec.

    1.84.\93\

    ---------------------------------------------------------------------------

    \92\ See Supplemental proposed Sec. 1.84(a).

    \93\ In this regard, Supplemental proposed Sec. 1.84(b)(2) is

    modeled on existing Commission recordkeeping rules in Sec. 1.31,

    which also call for persons subject to recordkeeping to maintain

    capabilities by which the Commission can view required records.

    ---------------------------------------------------------------------------

    Finally, consistent with section 8(a) of the CEA, the Commission is

    emphasizing in Supplemental proposed Sec. 1.84(b)(3) that key

    confidentiality protections would apply to any records provided to the

    Commission pursuant to Sec. 1.84. The Commission notes that section 8

    of the Act and other Commission rules governing confidential

    information would apply to Algorithmic Trading Source Code and related

    files even in the absence of Supplemental proposed Sec.

    1.84(b)(3).\94\

    ---------------------------------------------------------------------------

    \94\ In this regard, Supplemental proposed Sec. 1.84(b)(3) is

    intended to emphasize the confidential nature of any Algorithmic

    Trading Source Code provided to the Commission. The protections of

    section 8 would apply even absent codification by the Commission in

    Supplemental proposed Sec. 1.84(b)(3). Section 8 provides, among

    other things, that except as otherwise specifically authorized the

    Commission may not publish data and information that would

    separately disclose the business transactions or market positions of

    any person and trade secrets or names of customers. See 7 U.S.C.

    8(a)(1).

    ---------------------------------------------------------------------------

    B. NPRM Proposal and Comments

    The NPRM proposed that each AT Person maintain a ``source code

    repository'' to manage source code access, persistence, copies of all

    code used in the production environment, and changes to such code. The

    NPRM further required that such source code repository would include an

    audit trail of material changes to source code that would allow AT

    Persons to determine, for each such material change: Who made it; when

    they made it; and the coding purpose of the change. The NPRM also

    required that AT Persons maintain source code in accordance with Sec.

    1.31.

    Several commenters expressed support for the proposal that source

    code should be a required record under Commission rules.\95\ Better

    Markets called the source code provisions ``the most important and

    effective provision in the proposed rule'' and noted ``the clear and

    many benefits arising from the Commission's ability to perform post-

    mortems after disruptive market events.'' \96\ Better Markets pointed

    out that ``it is crucial that regulators have access to HFT algorithm

    source code, rather than facing the impossible task of reconstructing

    manipulative algorithms from market data alone.'' \97\ Another

    commenter stated that if an algorithm or source code has caused, or has

    the potential to cause, damage to the U.S. financial markets,

    regulators have not only a right, but a duty to inspect source

    code.\98\ MFA supported a source code and audit trail record retention

    requirement, but objected to a source code ``repository.'' \99\ MFA

    stated that it understands the Commission's need ``to be able to obtain

    and review confidential, proprietary material that trading firms and

    other businesses maintain. We also understand the need for a

    preservation requirement that will ensure that the source code and any

    audit trails that are relevant to a given investigation be preserved

    and be made available to the Commission . . . when appropriate.'' \100\

    MFA recommended that the Commission adopt a principles-based rule

    requiring that market participants adopt a mechanism to preserve source

    code, produce current and prior versions of such source code, and track

    material change to the source code.\101\ AIMA commented that it is

    ``supportive of an obligation for AT Persons to maintain internal

    source code repositories.'' \102\

    ---------------------------------------------------------------------------

    \95\ AFR 3; Better Markets 2; Better Markets III 2-3; Shatto 1;

    Summers 1.

    \96\ Better Markets 2.

    \97\ Better Markets 2-3.

    \98\ Summers 1.

    \99\ MFA 3, 21.

    \100\ MFA 21.

    \101\ MFA III 3.

    \102\ AIMA III 4.

    ---------------------------------------------------------------------------

    Many commenters expressed concerns about the confidentiality of

    source code, and in particular making source code subject to Sec.

    1.31.\103\ Several stated that source code should only be available

    pursuant to a subpoena,\104\ which some described as a procedural

    safeguard.\105\ Others, such as FIA and Mercatus, noted the potential

    impracticality of certain requirements of Sec. 1.31 in the context of

    source code, such as duplicate storage, indexes of stored records, and

    the potential retention of a third-party technical consultant with

    access to the records.\106\

    ---------------------------------------------------------------------------

    \103\ MFA 29; ISDA 6; NASDAQ 2; Two Sigma 4; CCMR 5; FIA A-49,

    54; Mercatus 6.

    \104\ AIMA 10-11; AIMA III 5; Barnard 2; Citadel 2; FIA A-48;

    Hudson Trading 3; KCG III 4-5; ICE 7; ICE III 4; ISDA 6; MFA 23; MFA

    III 3; MGEX 24-25; MMI 5; Commercial Alliance 12; QIM 5; TraderServe

    1; TT 7; Two Sigma 4-5.

    \105\ Industry Group 6.

    \106\ FIA A-54; Mercatus 6.

    ---------------------------------------------------------------------------

    Numerous commenters described source code as valuable intellectual

    property and raised concerns about information security if source code

    were to be provided to regulators.\107\ Some raised the possibility

    that source code stored on government servers or government-mandated

    repositories could be vulnerable to cyberattack and other system

    breaches or misappropriation.\108\ Some commenters took the position

    that making source code subject to Sec. 1.31 would violate

    Constitutional protections.\109\

    ---------------------------------------------------------------------------

    \107\ Hudson Trading 1-2; IAA 10; ICE 7; ISDA 6; ITI 2, 4; MMI

    3; Commercial Alliance 12; Nadex 7; Two Sigma 2; Virtu 3; TT 4, 3

    n.2; QIM 2.

    \108\ LCHF 3; Mercatus 6; MFA 22, 24, 25; CTC 9-10; IAA 10; CCMR

    4-5; MMI 3-4; MMI III 2; Commercial Alliance 12; Chamber of Commerce

    III 2, 4-5; NIBA 2; QIM 5; TT 4; Two Sigma 2, 3, 6; Mercatus 6; AIMA

    10; FIA A-52; Bloomberg 2-3; Citadel 2; SIFMA 16.

    \109\ ITI 2; FIA A-46; MMI 4; MMI III 1-2; TT 4.

    ---------------------------------------------------------------------------

    Several commenters questioned the scope of the records to be

    retained as source code.\110\ MMI stated that ``source code'' should be

    defined to avoid confusion.\111\ FIA stated that ``it is not clear

    under Sec. 1.81(a)(vi) whether the referenced source code refers to

    Algorithmic Trading code only, or includes the code of `related

    systems' or separate `software' as well.'' \112\ One commenter even

    speculated that the rule might be broad enough to require Microsoft to

    permit inspection of the code underlying its Excel program if a trader

    developed an algorithm using an Excel spreadsheet.\113\

    ---------------------------------------------------------------------------

    \110\ FIA A-47; MMI 2; TT 3-4.

    \111\ MMI 2.

    \112\ FIA A-47.

    \113\ TT 4.

    ---------------------------------------------------------------------------

    Several commenters and Roundtable participants noted that a review

    of source code alone without additional context would be insufficient

    to identify the cause of a trading discrepancy.\114\

    [[Page 85349]]

    Several commenters also posited that source code would be

    unintelligible to regulators,\115\ or that the CFTC lacked the

    resources to understand it.\116\ Several participants at the Roundtable

    suggested that it may be necessary to review log files in order to gain

    further context regarding trading activity under review.\117\

    Participants indicated that a review of log files might assist in

    identifying a trigger for specific trading behavior such as market

    data, a change in parameters, or a component of source code.\118\

    ---------------------------------------------------------------------------

    \114\ ITI 6; MMI 2; TT 5.

    \115\ Hudson Trading 1-2; MMI 2; TraderServe 2; ITI 6; MMI 2; TT

    5-6.

    \116\ ITI 5; Weaver 2.

    \117\ KCG Holdings II, Roundtable Tr. 263:2-13 (one of the first

    items to look at when addressing a trading discrepancy would be

    ``log files to see was it a data issue, incoming data issue, was it

    something that was part of the algorithm, was it a control that

    misfired. You'd look at the log data to see if there's anything in

    there that would start to point you in a direction of where the

    issue might become. At that point in time you might bring in a

    developer to help walk through the code.''); TT II, Roundtable Tr.

    264:9-11 (noting that a developer would ``probably comb through log

    files'' to narrow down where a discrepancy occurred).

    \118\ Optiver II, Roundtable Tr. 267:18-268:21 (describing

    ``looking in the log file . . . to figure out . . . the trigger for

    . . . [an] order,'' including whether it was ``human interaction, .

    . . market data, a ``change in parameters,'' or ``source code.'').

    ---------------------------------------------------------------------------

    C. Substance of New Proposal

    Through this Supplemental NPRM, the Commission is proposing to

    replace NPRM Sec. 1.81(a)(1)(vi) with Supplemental proposed Sec.

    1.84, entitled ``Maintenance of records of Algorithmic Trading Source

    Code and related records.'' \119\ Supplemental proposed Sec. 1.84

    requires AT Persons to retain three categories of records for a period

    of five years: (1) Algorithmic Trading Source Code; (2) records that

    track changes to Algorithmic Trading Source Code; and (3) log files

    that record the activity of the AT Person's Algorithmic Trading

    system.\120\ These records would be required to be maintained in their

    native format. Supplemental proposed Sec. 1.84 does not require that

    records be generated; rather, it only requires the retention of such

    records to the extent they are generated by an AT Person (or by a

    third-party on behalf of the AT Person) in the ordinary course of their

    business. It also requires that these records be kept in a form and

    manner that ensures the authenticity and reliability of the information

    contained in the records, and that AT Persons have systems available to

    promptly retrieve and display the records.\121\

    ---------------------------------------------------------------------------

    \119\ The Commission notes that in addition to proposing new

    Sec. 1.84 (addressing Algorithmic Trading Source Code) and Sec.

    1.85 (addressing use of third party systems or components), it has

    made several changes to proposed Sec. 1.81. The Supplemental NPRM

    withdraws Sec. Sec. 1.81(a)(1)(v) and (vi). Provisions relating to

    documenting the strategy and design of Algorithmic Trading software

    and maintenance of Algorithmic Trading Source Code are now contained

    in Supplemental proposed Sec. Sec. 1.84 and 1.85.

    In addition, NPRM proposed Sec. 1.81(a)(1)(ii) required testing

    of all Algorithmic Trading code and any changes to such systems.

    This language has been modified so that it is consistent with the

    Commission's intent that the AT Person be required to test systems,

    not merely the source code related to such systems. The changes to

    the second sentence, resulting in the language in Supplemental

    proposed Sec. 1.81(a)(1)(ii) that such testing shall be reasonably

    designed to effectively identify circumstances that may contribute

    to future Algorithmic Trading Events, are intended to improve

    clarity. The Commission deleted the provision's final sentence,

    ``Such testing must be conducted both internally within the AT

    Person and on each designated contract market on which Algorithmic

    Trading will occur.'' The Commission has also withdrawn

    corresponding NPRM proposed Sec. 40.21, which had required DCMs to

    provide test environments to AT Persons. Supplemental proposed Sec.

    1.81(a)(1)(ii) now provides discretion to the AT Person as to where

    testing should occur.

    \120\ Commenters at the Roundtable recognized that in order to

    assess a trading discrepancy they would need to review their own log

    files and potentially the source code for their trading algorithms.

    KCG II, Roundtable Tr. 262:17-263:10; 267:18-268:21; TT II,

    Roundtable Tr. 264:3-20.

    \121\ The Commission notes that Supplemental proposed Sec.

    1.84's requirement that records be maintained in their ``native

    format'' is distinct from the proposed requirement that such records

    be maintained in a manner that ensures the ``authenticity and

    reliability'' of information contained in such records. The

    retention of a record in ``native format'' equates to a requirement

    that such record be retained in the same format as it was originally

    created. Authenticity and reliability, in contrast, address the

    accuracy of a record as genuine, unchanged iteration of the

    original.

    ---------------------------------------------------------------------------

    Algorithmic Trading Source Code is defined broadly in Supplemental

    proposed Sec. 1.3(ccccc), and is intended to capture the various types

    of code and related components used in connection with Algorithmic

    Trading. It includes computer code, hardware description language,

    scripts and formulas, as well as the configuration files and parameters

    used to carry out the trading.\122\ The term Algorithmic Trading Source

    Code should be construed broadly to encompass field-programmable gate

    array (``FPGA'') technology including the logic built onto chips or

    embedded in electronic circuits. Logic embedded in electronic circuits

    is sometimes referred to as ``hardware description language (``HDL'').

    On the other hand, Algorithmic Trading Source Code does not include the

    underlying code to a program used to develop a formula or algorithm

    (i.e., Microsoft Excel).

    ---------------------------------------------------------------------------

    \122\ Parameters include settings or variables that are relied

    on by an algorithm to make determinations in a system's Algorithmic

    Trading. For example, parameters may include settings or variables

    impacting order type, order quantity, order price, order side,

    position size, number of orders, and duration of orders.

    ---------------------------------------------------------------------------

    The Commission recognizes the confidentiality and value of

    Algorithmic Trading Source Code. Accordingly, the Commission has

    endeavored in this Supplemental NPRM to enhance the procedural

    protections afforded to Algorithmic Trading Source Code in the rule

    text and to expressly reference the statutory and regulatory provisions

    that protect all confidential information to which the Commission has

    access. As a threshold matter, the Commission emphasizes that

    Supplemental proposed Sec. 1.84 makes Algorithmic Trading Source Code,

    change logs, and log files subject to recordkeeping requirements that

    are separate from the general recordkeeping provisions under Sec. 1.31

    of the Commission's rules. Supplemental proposed Sec. 1.84 also makes

    clear that these records are subject to section 8(a) of the Act.\123\

    Section 8(a) prohibits the release of data or information that would

    disclose business transactions or market positions of any person and

    trade secrets or names of customers, and any data or information

    concerning or obtained in connection with any pending investigation of

    any person. Separately, confidential information received by Commission

    employees is also subject to Sec. 140.735-5 of the Commission's rules,

    which prohibits a Commission employee or former employee from

    disclosing, or causing or allowing to be disclosed, confidential or

    non-public commercial, economic or official information to any

    unauthorized person.\124\ The Commission also notes that Section 1905

    of Title 18 specifically prohibits the disclosure of confidential

    information, including trade secrets, by all officers or employees of

    the United States and any department or agency thereof, including the

    CFTC. Violations of this statutory provision carry significant

    penalties, including fines, loss of employment, and imprisonment.\125\

    Commission staff are

    [[Page 85350]]

    annually trained on the prohibitions against disclosing confidential or

    non-public commercial, economic or official information, and

    specifically are provided with post-employment guidance regarding these

    prohibitions, in addition to other applicable ethics restrictions,

    prior to their departure from the Commission.

    ---------------------------------------------------------------------------

    \123\ Section 8(a) of the Act, 7 U.S.C. 12(a).

    \124\ 17 CFR 140.735-5.

    \125\ See 18 U.S.C. 1905, which provides that whoever, being an

    officer or employee of the United States or of any department or

    agency thereof, publishes, divulges, discloses, or makes known in

    any manner or to any extent not authorized by law any information

    coming to him in the course of his employment or official duties or

    by reason of any examination or investigation made by, or return,

    report or record made to or filed with, such department or agency or

    officer or employee thereof, which information concerns or relates

    to the trade secrets, processes, operations, style of work, or

    apparatus, or to the identity, confidential statistical data, amount

    or source of any income, profits, losses, or expenditures of any

    person, firm, partnership, corporation, or association; or permits

    any income return or copy thereof or any book containing any

    abstract or particulars thereof to be seen or examined by any person

    except as provided by law; shall be fined under Title 18 of the

    United States Code, or imprisoned not more than one year, or both;

    and shall be removed from office or employment.

    ---------------------------------------------------------------------------

    Supplemental proposed Sec. 1.84 sets out a procedure for requests

    for production or inspection of these records that requires Commission

    approval by means of a special call for the records. The Commission

    would also retain its existing authority to seek access to such records

    through a subpoena, which would typically be used in an enforcement

    matter. If the Commission approves a special call, it may authorize the

    Director of the Division of Market Oversight to execute the special

    call, and may also authorize the Director to specify the form and

    manner in which the required records must be produced. The Commission

    notes that Supplemental proposed Sec. 1.84 does not alter any aspect

    of part 11 of the Commission's rules relating to investigations. For

    clarity, Supplemental proposed Sec. 1.84 provides that the records

    required by the section must also be available by subpoena issued

    pursuant to part 11 of the Commission's regulations.

    Supplemental proposed Sec. 1.84(a)(2) requires that AT Persons

    retain records tracking material changes to Algorithmic Trading Source

    Code, including a record of when and by whom such changes were made,

    when such records are generated in the ordinary course of business. The

    Commission notes that this new proposed rule does not require that such

    records be generated, but does require that they be maintained if they

    are generated in the ordinary course of business.

    Supplemental proposed Sec. 1.84(a)(3) requires that AT Persons

    retain any logs or log files generated by the AT Person in the ordinary

    course of business that record the activity of the AT Person's ATS,

    including a chronological record of such system's actions. As noted

    above, this provision was added to address the concerns of some

    commenters that source code alone is insufficient to review trading

    activity of an AT Person, and the suggestion that log files may provide

    important context to a review of source code. The new proposal does not

    mandate the retention of specific log files or even the form or

    specific content of log files. The new proposal simply requires that

    log files be retained to the extent such files are generated in the

    ordinary course of business. The Commission recognizes that various

    exchanges require persons with direct access to maintain audit trails

    with detailed information about trading activity.\126\ The Commission

    expects that log files will contain a similar level of detail and in

    some cases a greater level of detail than the electronic audit trails

    required by these exchanges. To the extent log files are generated,

    they must be maintained in a form and manner that ensures the

    authenticity and reliability of the information contained in the

    records. In addition, AT Persons must have systems available to

    promptly retrieve and display these records to the Commission in the

    event of a special call.

    ---------------------------------------------------------------------------

    \126\ For example, ICE Futures U.S. Rule 27.12A requires certain

    clearing members and direct access members to maintain electronic

    audit trials of electronic orders submitted through direct access

    connections. CME Rule 536.B.2. also requires an electronic audit

    trail for systems accessing the CME Globex platform through the CME

    iLink gateway. Both CME and ICE require the retention of these

    electronic audit trails for five years.

    ---------------------------------------------------------------------------

    D. Commission Questions

    15. Please comment on whether, through Supplemental proposed Sec.

    1.84, the Commission has appropriately balanced its responsibility to

    oversee markets and market participants with the privacy and

    confidentiality concerns that market participants have raised with

    respect to access to Algorithmic Trading Source Code.

    16. Please comment on the Commission's determination to obtain

    access to Algorithmic Trading Source Code via special call, rather than

    have such access be governed by Sec. 1.31.

    17. Is the definition of ``Algorithmic Trading Source Code''

    sufficiently clear to allow AT Persons to comply with the recordkeeping

    requirements in Supplemental proposed Sec. 1.84? Which, if any,

    components of Algorithmic Trading systems should be added to the

    definition of Algorithmic Trading Source Code? Which, if any, should be

    excluded?

    18. Are log files described in sufficient detail in the

    Supplemental NPRM? Please explain why or why not.

    19. The NPRM's Question 131 (NPRM at 78913) sought comment on NPRM

    proposed Sec. 1.81(a)'s standards for the development and testing of

    Algorithmic Trading systems and procedures, including requirements for

    AT Persons to test all Algorithmic Trading code and related systems and

    any changes to such code and systems prior to their implementation. The

    Commission renews that question here as to Supplemental proposed Sec.

    1.84(a). Are any of the requirements of Supplemental proposed Sec.

    1.84(a) not already followed by the majority of market participants

    that would be subject to Sec. 1.84(a) (or some particular segment of

    market participants), and if so, how much will it cost for a market

    participant to comply with such requirement(s).

    20. If a firm uses FPGA or a similar technology, how would it

    record the design of the programming?

    21. How do firms store or record configurations and parameters that

    impact their trading system? For example, are these components stored

    or recorded in their Algorithmic Trading Source Code or log files?

    22. If a firm uses a chip or FPGA as a part of its ATS, how does it

    describe the records?

    V. Testing, Monitoring and Recordkeeping Requirements in the Context of

    Third-Party Providers

    A. Overview and Policy Rationale for New Proposal

    Regulation AT, as proposed in the NPRM, required AT Persons to

    comply with a number of standards regarding pre-trade risk controls and

    other measures; the development, testing and supervision of ATSs; and

    the retention and potential production of source code. In order to be

    effective, Regulation AT should be uniformly applied across the breadth

    of business arrangements that AT Persons may elect to pursue. As

    detailed below, commenters to the NPRM's proposed rules noted that AT

    Persons whose ATSs are sourced in whole or in part from third parties

    face challenges in complying with certain elements of NPRM proposed

    Sec. Sec. 1.80 and 1.81. The Commission has considered these comments

    and is sensitive to the concerns raised. However, the use of third-

    party systems should not exempt market participants from compliance

    with regulatory standards designed to increase the safety and soundness

    of Algorithmic Trading. The rules set forth in Supplemental proposed

    Sec. 1.85 seek to strike an appropriate balance by permitting AT

    Persons to comply with certain elements of Sec. Sec. 1.81 and 1.84

    through a combination of certifications from their service providers,

    due diligence by the AT Persons and, in most cases,\127\ a retention of

    legal

    [[Page 85351]]

    responsibility for compliance with the rules by the AT Person.\128\

    ---------------------------------------------------------------------------

    \127\ As discussed below, Supplemental proposed Sec. 1.85(d)

    requires that an AT Person is responsible for ensuring that records

    are retained and produced as required pursuant to Supplemental

    proposed Sec. 1.84. A certification and due diligence alone will

    not satisfy an AT Person's obligation to ensure that Algorithmic

    Trading Source Code is retained as required by Supplemental proposed

    Sec. 1.84.

    \128\ In the context of the Securities and Exchange Commission's

    (``SEC'') Market Access Rule, 75 FR 69792 (Nov. 15, 2010), the SEC

    allows a broker-dealer relying on third-party technology or software

    to perform appropriate due diligence to assure that its controls and

    procedures are consistent with the rule. See SEC, Responses to

    Frequently Asked Questions Concerning Risk Management Controls for

    Brokers and Dealers with Market Access (Apr. 15, 2014) (Question

    14), available at https://www.sec.gov/divisions/marketreg/faq-15c-5-risk-management-controls-bd.htm.

    ---------------------------------------------------------------------------

    B. NPRM Proposal and Comments

    NPRM proposed Sec. 1.81(a) required AT Persons to implement

    written policies and procedures for the development and testing of

    ATSs. Among other things, such policies and procedures must at a

    minimum include documenting the strategy and design of proprietary

    Algorithmic Trading software, as well as any changes to software that

    are implemented in a production environment, pursuant to NPRM proposed

    Sec. 1.81(a)(v). NPRM proposed Sec. 1.81(a)(vi) required an AT Person

    to maintain a source code repository, which included an audit trail of

    material changes to source code that would allow AT Persons to

    determine, for each such material change: Who made it; when they made

    it; and the coding purpose of the change. The source code was also

    required to be maintained in accordance with Sec. 1.31.

    Comments received. Several commenters noted that AT Persons using

    third-party systems licensed or purchased from vendors or DCMs do not

    have access to the systems' algorithmic code, and therefore would be

    unable to comply with the source code provisions.\129\ IAA identified

    this as an issue for registered CPOs and CTAs using an ISV's or other

    third-party's system,\130\ SIFMA identified it as an issue for asset

    managers,\131\ and AIMA identified it as an issue for buy-side

    participants. AIMA stated that requiring access and disclosure of

    third-party code, particularly best-execution algorithms, as provided

    in the NPRM, would cause third parties to stop providing software

    services to AT Persons.\132\ The Commercial Alliance also confirmed

    that the vast majority of its members use third-party source code

    provided by ISVs or DCMs.\133\ TT commented that the testing

    requirements under NPRM proposed Sec. 1.81(a) should focus on the

    output of an ATS or software, rather than the underlying source

    code.\134\

    ---------------------------------------------------------------------------

    \129\ FIA A-53; ISDA 5; CME 38; AIMA 11; AIMA III 5-6; IAA 11;

    Commercial Alliance 12; SIFMA 15; TT III 2.

    \130\ IAA 11.

    \131\ SIFMA 15.

    \132\ AIMA 11.

    \133\ Commercial Alliance 12.

    \134\ TT III 1.

    ---------------------------------------------------------------------------

    At the Roundtable, Commission staff asked for industry comment

    regarding how such issues involving third-party providers should be

    addressed. Generally, industry participants stated that AT Persons

    lacked access to source code of third parties.\135\ Tethys commented

    that AT Persons exhibit a range of control over source code; \136\

    while some AT Persons may write their own code, others use off-the-

    shelf third-party software, and others may add additional controls to

    third-party software as necessary.\137\ TT stated that as a third-party

    provider, it did not provide its customers with access to its source

    code.\138\

    ---------------------------------------------------------------------------

    \135\ Tethys II, Roundtable Tr. 236:2-14; TT II, Roundtable Tr.

    216:22-217:1-3, 250:9-13; ABN AMRO, Roundtable Tr. 249:4-10.

    \136\ Tethys II, Roundtable Tr. 236:2-14.

    \137\ Tethys II, Roundtable Tr. 236:2-14.

    \138\ TT II, Roundtable Tr. 216:22-217:1-3.

    ---------------------------------------------------------------------------

    Commission staff also asked for comment at the Roundtable on a

    potential approach where AT Persons would obtain certifications from

    third parties regarding development requirements and would conduct due

    diligence. TT said that because it provides customers with the

    opportunities to test algorithms built using its software,\139\ it

    would be unnecessary and burdensome to require AT Persons to obtain

    certifications from third-party providers.\140\ AQR, Tethys, and TT

    argued that it would be difficult to fairly impose a certification

    requirement.\141\ ABN AMRO and Tethys commented that AT Persons may not

    have the necessary expertise to perform extensive due diligence

    regarding software code.\142\ ABN AMRO said that customers would not

    want to have access to source code.\143\ In addition, TT stated that

    the Commission can understand how technology functions without seeing

    source code.\144\

    ---------------------------------------------------------------------------

    \139\ TT II, Roundtable Tr. 237:17-238:6.

    \140\ TT II, Roundtable Tr. 238:7-239:3.

    \141\ AQR, Roundtable Tr. 240: 15-2, 242:17-243:19; Tethys II,

    Roundtable Tr. 240:4-14; TT II, Roundtable Tr. 239:4-15.

    \142\ ABN AMRO, Roundtable Tr. 245:12-246:14; Tethys II,

    Roundtable Tr. 247:18-249:3.

    \143\ ABN AMRO, Roundtable Tr. 249:4-10.

    \144\ See TT II, Roundtable Tr. 250:14-252:7; TT III 2-3.

    ---------------------------------------------------------------------------

    C. Substance of New Proposal

    The NPRM comments discussed above cite potential compliance

    challenges when AT Persons obtain their ATSs, in whole or in part, from

    third-party providers. Accordingly, this Supplemental NPRM proposes an

    alternative framework for AT Persons to comply with their obligations

    related to the development and testing of ATSs, and for the retention

    and production of Algorithmic Trading Source Code and related records.

    Specifically, Supplemental proposed Sec. 1.85 allows AT Persons

    who, due solely to their use of third-party system or components, are

    unable to comply with a particular development or testing requirement

    (NPRM proposed Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(iii),

    1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.

    1.81(a)(1)(ii) or 1.84) \145\ or a particular maintenance or production

    requirement related to Algorithmic Trading Source Code and related

    records (Supplemental proposed Sec. 1.84), to comply with such

    proposed regulatory obligations by satisfying two requirements: (i)

    Obtaining a certification that the third party is complying with the

    obligation; and (ii) conducting due diligence regarding the accuracy of

    the certification.\146\ While obtaining such certifications and

    conducting due diligence as to their accuracy may still be challenging

    for some AT Persons, the Commission has determined that such

    requirements, at this stage, appear more practical compared to the

    NPRM's proposal that AT Persons themselves comply with all NPRM Sec.

    1.81 requirements. The Commission believes that the certification and

    due diligence requirements present a workable alternative that will

    ensure that all AT Persons--regardless of whether they develop their

    own ATSs, or use the systems of a third party--are subject to the same

    standards.

    ---------------------------------------------------------------------------

    \145\ These subsections were also proposed in the NPRM, although

    this Supplemental NPRM proposes several changes to the text of Sec.

    1.81(a)(1)(ii).

    \146\ The Supplemental NPRM provides flexibility and does not

    set forth the means by which due diligence must be conducted. The

    Commission expects that due diligence may take a variety of forms,

    all of which can potentially be effective in helping AT Persons

    fulfill their regulatory obligations pursuant to Supplemental

    proposed Sec. 1.85. Due diligence may include, for example, a

    combination of (1) information gathering, including with respect to

    prevailing best practices and a third party's own practices; (2) on-

    site inspection; (3) communications between the AT Person and its

    third-party provider, including in writing, in person, via email,

    and telephone or video; and (4) review and evaluation of files,

    documents, and other information gathered. The Commission offers

    this list by way of example only, and notes that each AT Person

    should arrive at its own determination regarding an appropriate due

    diligence process. The Commission encourages each AT Person making

    use of Supplemental proposed Sec. 1.85 to perform such diligence as

    is necessary for the AT Person to have comfort that the underlying

    substantive regulatory requirements are being met.

    ---------------------------------------------------------------------------

    [[Page 85352]]

    Supplemental proposed Sec. 1.85(d) requires that, in all cases, an

    AT Person is responsible for ensuring that records are retained and

    produced as required pursuant to Supplemental proposed Sec. 1.84.\147\

    In other words, an AT Person's certification and due diligence will

    establish that it has complied with testing obligations pursuant to

    NPRM proposed Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(iii),

    1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec.

    1.81(a)(1)(ii), but certification and due diligence alone will not

    satisfy an AT Person's obligation to ensure that Algorithmic Trading

    Source Code is retained and produced as required by Supplemental

    proposed Sec. 1.84. Even where an AT Person obtains a certification

    and conducts due diligence with respect to a third party's obligations,

    the AT Person will remain responsible for ensuring that Algorithmic

    Trading Source Code retention and production requirements are met. For

    example, if the Commission were to issue a special call or a subpoena

    to an AT Person for the production of Algorithmic Trading Source Code

    maintained by a third party, the AT Person would be responsible for

    complying with the Commission request, regardless of the certification

    or the due diligence performed by the AT Person. Such compliance could

    be achieved by making sure that the third party produced the required

    records, but a failure by the third party to produce such records would

    not relieve the AT Person of its own obligations.

    ---------------------------------------------------------------------------

    \147\ The proposed rules do not require that the certifications

    be filed with the Commission. However, the certifications would be

    subject to Sec. 1.31 recordkeeping requirements.

    ---------------------------------------------------------------------------

    Pursuant to the Commission's Supplemental proposal, AT Persons may

    not rely on Sec. 1.85 for any element of Sec. Sec. 1.81(a)(1) and

    1.84 with which they have the ability to comply. For example, an AT

    Person who uses a combination of third-party and internally developed

    ATS components would be expected to comply with NPRM proposed

    Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2),

    and Supplemental proposed Sec. Sec. 1.81(a)(1)(ii) and 1.84 for all

    such components that the AT Person itself develops or modifies. The

    Commission also notes that Supplemental proposed Sec. 1.85 provides an

    alternative means of compliance in circumstances where the use of a

    third-party system or component is the sole reason why an AT Person

    cannot otherwise comply with its obligations. Although an AT Person may

    be motivated to make use of Supplemental proposed Sec. 1.85 for

    reasons of potential costs or administrative ease, such considerations

    are not permissible rationales for use of Supplemental proposed Sec.

    1.85.

    In many cases, the Commission expects that AT Persons and third

    parties will each have developed different portions of an ATS. If an AT

    Person develops an algorithm using third-party software, the AT Person

    would remain responsible for development and testing requirements with

    respect to the algorithm, and for the retention and production of

    Algorithmic Trading Source Code and related records requirements for

    that algorithm. Further, whether a third-party certification is

    appropriate under Supplemental proposed Sec. 1.85 may depend on the

    amount of control the AT Person has over the development of algorithms

    it employs. If the AT Person, for example, has a limited ability to

    affect or modify an algorithm, then the Commission expects that the AT

    Person would comply with NPRM proposed Sec. Sec. 1.81(a)(1)(i),

    1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), and Supplemental proposed

    Sec. Sec. 1.81(a)(1)(ii) and 1.84 by obtaining a certification and

    conducting due diligence pursuant to Supplemental proposed Sec. 1.85.

    However, the Commission notes that as to Supplemental proposed Sec.

    1.84 requirements, the AT Person remains responsible for compliance

    with Algorithmic Trading Source Code retention and production

    requirements are met.

    The Commission expects that the certifications required by

    Supplemental proposed Sec. 1.85 would, at a minimum, list the specific

    regulatory obligations that the third party is certifying compliance

    with, describe the component of the ATS at issue (or the whole system,

    if applicable), and explain how such component or system complies with

    the regulatory obligation. The Commission recognizes that some system

    components may be standard products offered to multiple customer

    trading firms, and others may be custom-designed for one customer

    trading firm. With respect to standard products, the third party's

    certification may take the same form for multiple customers.

    Supplemental proposed Sec. 1.85(b) requires that the AT Person

    must obtain a certification each time there has been a material change

    to such third-party provided systems or components. Accordingly, there

    is no specific periodic deadline for certification; rather, the third

    party must only re-certify when there has been a material change. The

    Commission intends that the due diligence requirement imposed by

    Supplemental proposed Sec. 1.85(c) includes an obligation on AT

    Persons to determine whether a material change to third-party provided

    systems or components has occurred.

    The Commission understands that AT Persons who use third-party

    system components or Algorithmic Trading Source Code may not have the

    same level of development and testing expertise as third-party

    providers who routinely develop such systems or code. Accordingly, the

    due diligence required to be performed by the AT Person under

    Supplemental proposed Sec. 1.85(c) is limited to the accuracy of the

    certification. Due diligence may require the involvement of technology

    support staff from the AT Person, but detailed technical audits are not

    required on behalf of the AT Person with respect to Supplemental

    proposed Sec. 1.85(c).

    D. Commission Questions

    23. The Commission invites comment on all aspects of Supplemental

    proposed Sec. 1.85.

    24. Should the requirements for AT Persons who develop their own

    systems and code differ from requirements imposed on AT Persons that

    use systems or components provided by a third party? If so, how should

    the requirements be different, while continuing to ensure a consistent

    baseline of effectiveness in the development and testing of ATSs?

    25. What specific steps should AT Persons take when conducting due

    diligence of the accuracy of a certification from a third party, as

    required by Supplemental proposed Sec. 1.85? Should proposed Sec.

    1.85(c) provide greater detail with respect to such due diligence? For

    example, should due diligence be required to specifically include

    review of technical design information, testing protocols and test

    results, documented dialogue between staff of the AT Person and the

    third party, or other measures?

    26. Supplemental proposed Sec. 1.85(b) requires that the AT Person

    must obtain a certification each time there has been a material change

    to third-party provided systems or components. What is a reasonable

    estimate as to the average frequency of such material changes? Should

    the Commission base the certification requirement on another timing

    metric?

    [[Page 85353]]

    VI. Changes to Overall Risk Control Framework

    A. Change From Three Level to Two Level Risk Control Framework

    1. Overview and Policy Rationale for Proposal

    In the NPRM, the Commission sought to take a principles-based

    approach to addressing the potential risks associated with Algorithmic

    Trading.\148\ NPRM proposed Sec. Sec. 1.80, 1.82, 38.255 and 40.20

    imposed pre-trade risk control and other requirements, such as order

    cancellation systems, at three points in the order submission and

    execution chain: AT Persons, FCMs and DCMs. The NPRM approach proposed

    to allow the relevant entity--AT Person, FCM, or DCM--discretion in the

    design and parameters of such controls. In general, while some

    commenters supported the multi-layered approach described above,

    numerous commenters viewed the framework as unnecessarily redundant and

    prescriptive. Accordingly, the Commission in this Supplemental NPRM

    proposes a risk control framework with controls at two, rather than

    three, levels: (i) AT Person or FCM; and (ii) DCM. The Commission

    believes that this structure still achieves the goal of protecting

    market integrity, while simultaneously reducing the complexity of the

    risk controls and overall costs of compliance.

    ---------------------------------------------------------------------------

    \148\ See NPRM at 78837-78839.

    ---------------------------------------------------------------------------

    By requiring two levels of risk controls, mistakes or omissions

    made at one level will have a backstop, potentially mitigating the

    possibility of a trading disruption. Because the unexpected or

    disruptive behavior of an algorithm would affect other market

    participants at the DCM level, thus leading to potential system risk,

    the Commission is requiring DCM controls for all electronic orders,

    regardless of source. The second set of controls may be implemented at

    either the AT Person or the FCM level, depending on whether an order is

    originated by AT Person or non-AT Person market participant. In

    addition, under specific circumstances, AT Persons will have discretion

    to delegate certain of their pre-trade risk control functions to an

    FCM, if they so choose. The Supplemental proposed rules continue to

    provide discretion in how entities design and calibrate the controls.

    Further, as discussed below, the Commission has revised the rules to

    allow greater flexibility for AT Persons, FCMs and DCMs to determine

    the level of granularity at which controls are set.

    2. NPRM Proposal and Comments

    As discussed above, NPRM proposed Sec. Sec. 1.80, 1.82, 38.255 and

    40.20 imposed risk control and similar requirements, such as order

    cancellation systems, at three levels: the AT Person, FCM and DCM.

    Comments Received. The Commission received numerous comments on the

    proposed risk control structure during the Initial Comment Period, the

    Second Comment Period, and at the Roundtable. As discussed in more

    detail below, some commenters during the Second Comment Period and at

    the Roundtable suggested a two-level structure instead of the three

    level structure proposed in the NPRM. For example, the Industry Group

    suggested a framework in which responsibility for implementing

    appropriate pre-trade risk controls lies either (i) with the FCM

    registrant that is facilitating access to the DCM, or (ii) in the case

    of a market participant that is not trading through the risk controls

    of an FCM, with that participant. Industry Group further stated that in

    both cases, the pre-trade risk controls must be supplemented by DCM-

    provided risk controls configured by the member of the DCO that grants

    access to the DCM.\149\ CME suggested a similar approach, commenting

    that: ``Two layers of market risk controls would apply to all

    Algorithmic Trading orders. The first layer would be administered by

    either an AT Person or the gatekeeper clearing member, and could be

    developed internally or obtained from an independent third-party source

    (such as the DCM or a software provider). The second layer would be

    developed and administered by the DCM.'' \150\ The framework proposed

    in this Supplemental NPRM involves a similar two-level approach, which

    is intended to address the complexity and cost concerns expressed by

    Industry Group, CME and other commenters.

    ---------------------------------------------------------------------------

    \149\ Industry Group 8.

    \150\ CME III 9-10.

    ---------------------------------------------------------------------------

    Further, some commenters supported expanding risk controls

    requirements to all electronic orders, rather than applying controls to

    only algorithmic trading orders. For example, the Industry Group stated

    that ``all electronic trading must be subject to pre-trade and other

    risk controls administered by a CFTC registrant that are appropriate to

    the nature of the activity.'' \151\ ICE stated that ``all market

    participants that engage in electronic trading on a DCM should maintain

    . . . risk controls, regardless of how market participants access a DCM

    or whether the market participants engage in algorithmic trading.''

    \152\ The Commission has addressed such comments by expanding the scope

    of the risk control requirements to include Electronic Trading. Further

    detail on the addition of Electronic Trading to Regulation AT's risk

    control framework is discussed below in Section VI(B), and discussion

    of the relevant new definitions related to such changes is provided in

    Section VI(C).

    ---------------------------------------------------------------------------

    \151\ Industry Group 8.

    \152\ ICE III 2.

    ---------------------------------------------------------------------------

    Numerous commenters opposed the NPRM's proposed three-level

    approach to risk controls or otherwise characterized it as a ``one size

    fits all'' model. Specifically, FIA, CME, ICE, MFA, Nadex, NIBA, SIFMA

    and Mercatus indicated that the multiple layers of risk controls across

    the market--at the AT Person, clearing member FCM, and DCM levels--are

    too prescriptive, duplicative, costly and inefficient.\153\ FIA, CME,

    OneChicago, LCHF and QIM commented that Regulation AT's required

    duplication of risk controls across the lifecycle of a trade actually

    introduces risk.\154\ CME, MFA, SIFMA and NIBA characterized the

    proposed rules as a ``one size fits all'' model that doesn't

    appropriately take into account the different types of automated

    systems, business, or operational size of market participants.\155\ FIA

    did not support requiring every market participant to implement its own

    risk controls; rather, such controls could be provided by FCMs or

    DCMs.\156\

    ---------------------------------------------------------------------------

    \153\ FIA 5; CME 6, A-14; ICE 8; Mercatus 4-5; MFA 4-5; Nadex 3;

    SIFMA 20; NIBA 1.

    \154\ FIA 7, A-25; CME A-11; OneChicago 3; LCHF 2-3; QIM 2.

    \155\ CME A-11; MFA 2, 4; SIFMA 20; NIBA 1.

    \156\ FIA 4, A-24.

    ---------------------------------------------------------------------------

    In contrast, other commenters supported the multi-layered approach

    (either fully or with reservations that the approach could create some

    risks), or supported more centralized controls at the FCM and DCM

    levels. Specifically, IATP supported a multi-layered approach to risk

    controls and believed it will mitigate the risks of algorithmic

    trading.\157\ In addition, AIMA supported the principle that risk

    controls are to be maintained at three levels--the exchange, the

    clearing member and the trading firm.\158\ LCHF also recommended a

    three-level structure for risk controls.\159\ Virtu generally

    [[Page 85354]]

    supported a multi-layered approach to risk controls as well, but warned

    of potential risks if the multiple controls are applied or calibrated

    independently, since market participants may not be able to predict

    which orders will reach the order book and which may be screened by a

    ``downstream'' risk layer.\160\ Similarly, MFA and LCHF acknowledged

    that multiple risk filters across different entities may reduce the

    probability that a wrong message reaches the market, but stated that

    such redundancy may be inefficient or increase complexity and possible

    errors if the risk parameters are not coordinated properly.\161\

    ---------------------------------------------------------------------------

    \157\ IATP 7.

    \158\ AIMA 7.

    \159\ LCHF 2-3. LCHF recommended a structure with risk controls

    at (1) the trading participant level, requiring all the proposed

    Sec. 1.80 controls, which should be adopted at the most granular

    level and tailored to the particular trading technology used by the

    market participant; (2) the FCM/broker level, requiring order size,

    position and margin controls; and (3) the DCM level, continuing the

    adoption of existing controls, such as kill switch or self-trade

    prevention, with no further risk filter imposed on market

    participants.

    \160\ Virtu 2.

    \161\ MFA 5-6; LCHF 2-3.

    ---------------------------------------------------------------------------

    Several commenters supported centralizing controls at the DCM and

    FCM levels. AIMA stated that DCMs should play a central role in

    maintaining risk controls internally and through mandates upon their

    FCMs, and believed that DCMs and FCMs should have the principal

    obligations to protect the stability of DCM markets.\162\ Similarly,

    MFA commented that the Commission should require centralized pre-trade

    risk controls at DCMs and clearing member FCMs, and that the proposed

    Sec. 1.80 risk controls should be applied at the DCM level and the

    clearing member FCM level.\163\ MFA indicated that this would ensure

    that all orders go through the same set of controls.\164\ MFA further

    commented that the general infrastructure for such a centralized

    approach already exists, given that DCMs provide clearing FCMs with

    controls to manage risk with respect to clients, and that this

    structure would be more transparent and easier for regulators to

    oversee and enforce.\165\

    ---------------------------------------------------------------------------

    \162\ AIMA 2, 7, 12.

    \163\ MFA 2, 5-6, 10.

    \164\ MFA 2, 5-6, 10.

    \165\ MFA 2, 5-6, 10.

    ---------------------------------------------------------------------------

    During the Second Comment Period, the Commission received

    additional comments on the proposed risk control structure. The

    Industry Group proposed the following two-level structure. Rather than

    defining ``AT Person,'' the Commission should require pre-trade risk

    controls on all electronic orders. Orders from market participants

    leveraging FCM-administered systems, including those provided by third

    parties, may use pre-trade risk controls administered by the FCM.\166\

    Market participants not using FCM-administered risk controls must apply

    risk controls to their own orders.\167\ In both cases, the pre-trade

    risk controls must be supplemented by DCM-provided risk controls

    configured by the member of the DCO that grants access to the DCM.\168\

    ---------------------------------------------------------------------------

    \166\ Industry Group 4-5.

    \167\ Industry Group 5.

    \168\ Industry Group 8.

    ---------------------------------------------------------------------------

    CME suggested a similar two-layer approach for all Algorithmic

    Trading orders, commenting that the first layer ``would be administered

    by either an AT Person or the gatekeeper clearing member'' and the

    second layer ``would be developed and administered by the DCM.'' \169\

    MFA also commented that it supports risk controls at both the DCM and

    the FCM providing trading access.\170\ MFA also supported ``a

    regulatory framework where a market participant could choose to

    implement the Commission's required marketplace risk controls in lieu

    of going through an FCM's risk controls, and be subject to Commission

    oversight.'' \171\

    ---------------------------------------------------------------------------

    \169\ CME III 9-10.

    \170\ MFA III 2.

    \171\ MFA III 2.

    ---------------------------------------------------------------------------

    AIMA commented that the principal role in application of risk

    controls should be played by the DCMs--as the owners of the relevant

    markets--and FCMs--as the gatekeepers to the relevant markets.\172\

    AIMA stated that ``both parties are best placed to understand and

    enforce the relevant controls and testing obligations.'' \173\

    Sutherland commented that as an alternative to the NPRM's proposed

    framework, DCMs under Part 38 core principles should establish and

    oversee pre-trade risk and other control requirements applicable to AT

    Persons. Sutherland stated that DCMs have the expertise and are best

    positioned to implement and enforce the use of controls to mitigate

    risks on their markets.\174\ Hartree also emphasized the importance of

    DCMs in implementing risk controls, stating that ``DCMs are very well

    suited to not only police these markets, but also to . . . administer

    CFTC's rules and regulations as SROs.'' \175\ Hartree suggested a

    framework in which AT Persons are divided into three categories based

    on the risk they pose to the market: Category 1 Risk (very little risk,

    including persons who do not use DEA or who use FCMs to access the

    DCM); Category 2 Risk (some increased risk, including persons who use

    DEA and algorithmic trading); and Category 3 Risk (enhanced risk,

    including persons who can cause significant market disruption, e.g., a

    flash crash).\176\ Third parties such as the FCM and DCM would

    administer risk controls for Category 1. The trading firm itself and

    DCM would administer risk controls for Category 2. Enhanced risk

    controls would apply to Category 3.\177\

    ---------------------------------------------------------------------------

    \172\ AIMA III 4.

    \173\ Id.

    \174\ Sutherland 7.

    \175\ Hartree 8.

    \176\ Id. at 6.

    \177\ Hartree 6-7.

    ---------------------------------------------------------------------------

    ICE commented that ``all market participants that engage in

    electronic trading on a DCM should maintain . . . risk controls,

    regardless of how market participants access a DCM or whether the

    market participants engage in algorithmic trading.'' \178\ ICE further

    stated that the Commission ``should not mandate the same risk control

    requirements across DCMs, FCMs and AT Persons.'' \179\ Similarly,

    another exchange, MGEX, commented that ``DCMs, FCMs, and market

    participants should all have some level of responsibility over the

    development, deployment, and use of pre-trade risk controls. Each

    market participant needs to have pre-trade risk controls applied to

    electronically submitted orders, but how that is accomplished should

    depend on the circumstances.'' \180\ MGEX stated that the Commission

    should take a principles-based approach to risk controls at the DCM,

    FCM, and market participant level.\181\

    ---------------------------------------------------------------------------

    \178\ ICE III 2.

    \179\ Id.

    \180\ MGEX III 2.

    \181\ Id. at 5.

    ---------------------------------------------------------------------------

    At the Roundtable, Commission staff asked for industry comment on a

    potential approach where three levels of risk controls remain but

    FCMs--not the Commission--impose pre-trade risk control and other

    requirements on their AT Person customers. Generally, industry

    participants disagreed with this approach. For example, industry

    participants expressed concern over cost and burden to FCMs.\182\ In

    addition, Virtu and Hartree indicated that certain trading firms prefer

    to implement their own controls, rather than allow FCMs to continuously

    oversee whether trading firms have adequate controls on their order

    flow.\183\ CME expressed the view that each and every market

    participant should be responsible for its order flow.\184\ Hudson

    Trading suggested that such an approach had potential for an un-level

    playing field, with different FCMs applying different standards.\185\

    ---------------------------------------------------------------------------

    \182\ JPMorgan, Roundtable Tr. 171:11-172:17; ABN AMRO,

    Roundtable Tr. 175:16-176:176:17; Deutsche Bank, Roundtable Tr.

    193:10-14.

    \183\ Virtu II, Roundtable Tr. 177:1-13; Hartree, Roundtable Tr.

    185:4-15.

    \184\ CME II, Roundtable Tr. 177:18-178:7.

    \185\ Hudson Trading, Roundtable Tr. 187:10-188:1.

    ---------------------------------------------------------------------------

    [[Page 85355]]

    Instead, industry participants were more supportive of a two-level

    approach to risk controls. Tethys described a ``two factor'' model with

    the first layer at the DCM and the second layer at the level of who has

    control of the order being submitted to the DCM.\186\ At the second

    layer, the entity with control of the order would be the clearing

    broker, the executing FCM, or a firm that connects directly to the DCM.

    Tethys indicated that this approach would reduce costs and the number

    of entities subject to the regulation.\187\ Hudson Trading also

    expressed support for a potential two layer approach, with the DCM as

    one layer.\188\ JPMorgan stated that ``the two layers of control can be

    easily crystalized as the matching engine, and the wall around the

    matching engine that's run by the DCM, and those who implement the

    interface that's provided by the DCM.'' \189\

    ---------------------------------------------------------------------------

    \186\ Tethys, Roundtable Tr. 37:11-38:8.

    \187\ Tethys, id. at 38:1-40:7.

    \188\ Hudson Trading, id. at 189:8-190:5.

    \189\ JPMorgan, Roundtable Tr. 47:22:48:5.

    ---------------------------------------------------------------------------

    With respect to the risk control framework, commenters also

    addressed the levels at which the NPRM proposed rules required the

    controls to be set, and expressed particular concern that FCMs and DCMs

    would be unable to comply with NPRM proposed Sec. Sec. 1.82, 38.255

    and 40.20 at the levels of granularity required by those rules. As to

    NPRM proposed Sec. 1.82, FIA indicated that the level of granularity

    which controls are set should be left to FCM discretion and that

    compliance with NPRM Sec. 1.82, as proposed, would require FCMs to

    develop additional technology.\190\

    ---------------------------------------------------------------------------

    \190\ FIA A-36.

    ---------------------------------------------------------------------------

    As to NPRM proposed Sec. 38.255, FIA, CBOE, CME, OneChicago and

    ICE disagreed with the proposal as to the levels at which DCMs must

    offer the controls to FCMs.\191\ FIA indicated that DCMs do not have

    sufficient information to set controls at the market participant

    level.\192\ In addition, FIA stated that DCM order size limits are set

    at the highest level of access and not by market participant or account

    number, and the higher level is meant as a ``last back stop'' to

    prevent unintentionally blocking orders already controlled at the

    market participant or FCM level.\193\ CBOE believed that a DCM should

    set maximum controls at the clearing firm level and at the level of AT

    Person with DEA, rather than aggregating risk controls for AT Persons

    with DEA across multiple clearing firms.\194\ CBOE indicated that its

    system allows clearing firms to set controls for customers, and that

    clearing firms are not responsible for an order for which another

    clearing firm is designated for that customer.\195\ CBOE further

    indicated that requiring DCMs to build controls at a more granular

    level than clearing firm level and AT Person with DEA level would be

    difficult and cumbersome, because the DCM does not have a direct

    relationship with participants that do not have DEA.\196\ CME stated

    that DCMs generally do not have the ability to provide risk controls to

    clearing FCMs that can be set at the AT Person, product, account number

    or designations, and one or more identifiers of natural persons

    associated with an AT Order Message.\197\ OneChicago indicated that

    requiring risk controls for each different product would be a

    substantial burden and may increase the possibility of a disruption

    event.\198\ ICE opposed NPRM proposed Sec. 38.255 mandating the

    specific levels at which a DCM is required to offer risk controls.\199\

    ---------------------------------------------------------------------------

    \191\ Id. at A-38, 40; CBOE 3; OneChicago 4; ICE 9.

    \192\ FIA A-38.

    \193\ FIA A-40.

    \194\ CBOE 3.

    \195\ Id.

    \196\ Id.

    \197\ CME 19, A-32.

    \198\ OneChicago 4.

    \199\ ICE 9.

    ---------------------------------------------------------------------------

    As to NPRM proposed Sec. 40.20, FIA, CME, MGEX, CBOE and

    OneChicago opposed requiring DCM controls to be set at the AT Person or

    market participant level.\200\ FIA stated that DCMs should not

    implement the NPRM proposed Sec. Sec. 1.80 and 1.82 risk controls at

    the same level of granularity that is expected of market participants

    and FCMs.\201\ Rather, FIA asserted that DCMs should implement controls

    that apply across all orders and that protect the overall quality of

    the market.\202\ CME stated that the DCM's controls should be set at

    the ``direct connect'' or the particular market level.\203\ CBOE

    indicated that requiring DCMs to build controls at levels more granular

    level than clearing firm and AT Person with DEA would be difficult and

    cumbersome, because the DCM does not have a direct relationship with

    participants that do not have DEA.\204\ Similarly, OneChicago believed

    that DCMs should be able to establish controls at the FCM level, but

    also believed that DCMs must have discretion in terms of the level at

    which controls should be applied.\205\

    ---------------------------------------------------------------------------

    \200\ FIA A-38; CME 18-19, A-32.; MGEX 7; CBOE 3; OneChicago 5.

    \201\ FIA A-43.

    \202\ Id.

    \203\ CME A-14.

    \204\ CBOE 3.

    \205\ OneChicago 5.

    ---------------------------------------------------------------------------

    3. Substance of New Proposal

    In light of comments received during the comment periods, including

    at the Roundtable, the Commission has revised the overall framework for

    risk controls and other measures required pursuant to NPRM proposed

    Sec. Sec. 1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM

    proposes a framework with two, rather than three, levels of risk

    controls: (1) At the AT Person or FCM level, and (2) at the DCM level.

    With respect to algorithmic orders originating with AT Persons (i.e.,

    AT Order Messages), the NPRM required all AT Persons to implement the

    risk controls and other measures required pursuant to Sec. 1.80. By

    contrast, the Supplemental NPRM requires AT Persons to implement those

    risk controls, but would also permit AT Persons to delegate compliance

    with Sec. 1.80(a) to FCMs, as discussed below. The Supplemental NPRM

    also requires that AT Persons implement pre-trade risk controls on

    their Electronic Trading Order Messages similar to those required by

    Sec. 1.80(a).\206\ In addition, pursuant to the Supplemental NPRM,

    FCMs are not required to implement risk controls on AT Order Messages

    that are subject to AT Person-administered controls. AT Order Messages

    and Electronic Trading Order Messages originating from AT Persons would

    instead be subject to a second level of risk controls at the DCM level

    pursuant to Supplemental proposed Sec. 40.20.

    ---------------------------------------------------------------------------

    \206\ See Supplemental proposed Sec. 1.80(g)(2) and (g)(3). AT

    Persons would also be permitted to delegate compliance with Sec.

    1.80(g) risk controls to their FCMs.

    ---------------------------------------------------------------------------

    Electronic orders originating with a non-AT Person are subject to

    risk controls implemented by executing FCMs pursuant to Supplemental

    proposed Sec. 1.82. Those orders are subject to the second level of

    risk controls at the DCM level pursuant to Supplemental proposed Sec.

    40.20.

    Prompted by some commenters' concern that a three-layer structure

    may be redundant, the Commission has determined to propose this two-

    layer structure. The Commission particularly took into account

    commenters' opinion that multiple controls, if applied or calibrated

    independently, may cause market participants to be unable to predict

    which orders will reach the order book, increasing rather than

    mitigating market risk. The Commission also carefully considered the

    Roundtable comments indicating support for a two-level approach.

    The Commission believes that two levels of risk control are

    beneficial, both to provide a backstop to a malfunction

    [[Page 85356]]

    or other failure at one level, and because different levels of the

    order submission chain often monitor different characteristics of the

    risk associated with an order. For instance, an FCM may be more capable

    of determining whether an individual order would breach the risk limits

    of the AT Person or the clearing firm guaranteeing a potential trade;

    in contrast, a DCM may be more likely to identify orders that could

    lead to price dislocations in a given product, or that would lead to

    market instabilities affecting all market participants. The Commission

    also recognizes that trading firms are in the best position to

    understand their own systems, technology, and trading strategies, and

    that they are best positioned to prevent and reduce the potential risk

    of certain types of risk. Accordingly, the Commission proposes that

    certain trading firms--i.e., AT Persons--implement their own pre-trade

    risk controls and other measures pursuant to Supplemental proposed

    Sec. 1.80.\207\

    ---------------------------------------------------------------------------

    \207\ Supplemental proposed Sec. 1.80(d) and (g) permit AT

    Persons to delegate compliance with Sec. 1.80(a) to FCMs.

    ---------------------------------------------------------------------------

    The Commission has also revised the proposed risk control rules to

    provide greater flexibility regarding the level of granularity at which

    risk controls must be set. Previously, the controls proposed in NPRM

    Sec. Sec. 1.80, 1.82, 38.255 and 40.20 were required to be set at the

    AT Person level, or other more granular levels the AT Person, FCM or

    DCM determined appropriate, including by product, account number or

    designation, or one or more identifiers of natural persons associated

    with an AT Order Message. In this Supplemental NPRM, the Commission

    intends to increase the flexibility and decrease the burden on AT

    Persons, FCMs and DCMs in terms of the level of granularity at which

    controls must be set. Specifically, Supplemental proposed Sec. Sec.

    1.80(a)(2) 1.82(a)(2), 38.255(b)(1)(ii) and (2), and 40.20(a)(2) now

    require controls to be set at a level or levels of granularity which

    shall include, as appropriate, the level of each firm, product, account

    number or designation, or one or more identifiers of the natural

    persons or the order strategy or ATS associated with an AT Order

    Message or Electronic Trading Order Message (new terms related to

    Electronic Trading are discussed in Section VI(C) below).\208\ By ``as

    appropriate,'' the Commission means such level or levels of granularity

    as are technologically feasible and reasonably effective at preventing

    and reducing the potential risk of an Electronic Trading disruption.

    The proposed rules do not require AT Persons, FCMs or DCMs reorganize

    their trading infrastructure or develop new technologies solely to

    ensure that controls are implemented at each of the potential levels

    enumerated in Supplemental proposed Sec. Sec. 1.80(a)(2) 1.82(a)(2),

    38.255(b)(1)(ii) and (2), and 40.20(a)(2). Rather, as implementation of

    controls at each such level becomes technologically feasible, AT

    Persons, FCMs and DCMs should update their practices to optimize the

    placement of their risk controls at the most effective level.

    ---------------------------------------------------------------------------

    \208\ Supplemental proposed Sec. Sec. 1.80(a)(2) 1.82(a)(2),

    38.255(b)(1)(ii) and (2), and 40.20(a)(2) are amended from the NPRM

    proposal to incorporate ``order strategy'' or ``ATS'' as potential

    levels of granularity where risk controls may appropriately be set.

    ---------------------------------------------------------------------------

    4. Commission Questions

    27. Will two levels of risk controls sufficiently prevent and

    reduce the potential risks of algorithmic and electronic trading? If

    there is any element of the revised proposed risk control framework

    that is not feasible or will not sufficiently address the risks of

    algorithmic and electronic trading, please explain.

    B. Electronic Trading at the AT Person, FCM, and DCM Levels

    1. Overview and Policy Rationale for New Proposal

    The Commission proposes to amend NPRM proposed Sec. Sec. 1.80,

    1.82, 38.255 and 40.20 so that the risk control and order cancellation

    provisions applicable to AT Persons, FCMs, and DCMs now apply to

    Electronic Trading,\209\ rather than only to Algorithmic Trading. As a

    result, a larger number of orders would be subjected to two levels of

    risk controls, a change that addresses comments that all electronic

    trading, not only Algorithmic Trading, has the potential to cause

    market disruption.

    ---------------------------------------------------------------------------

    \209\ The proposed new defined term ``Electronic Trading'' is

    discussed in Section VI(C) below.

    ---------------------------------------------------------------------------

    2. NPRM Proposal and Comments

    The NPRM proposed that AT Persons and FCMs must apply risk controls

    to AT Order Messages (see NPRM proposed Sec. Sec. 1.80, 1.82, and

    38.255). In addition, NPRM proposed Sec. 40.20 required that DCMs

    ``implement pre-trade and other risk controls reasonably designed to

    prevent an Algorithmic Trading Disruption'' or similar disruption that

    results from manual or other non-algorithmic order entry, though the

    general focus of the risk controls was on AT Order Messages.

    Comments Received. Several commenters suggested requiring that all

    electronic trading (not just Algorithmic Trading) be subject to risk

    controls. FIA, ICE, and MGEX all supported applying risk controls to

    all electronic trading, and indicated that DCMs are best suited to

    implement certain controls.\210\ FIA stated that all electronic trading

    has the potential to disrupt markets and should be subject to pre-trade

    and other risk controls reasonably designed to mitigate market

    disruption, regardless of the registration status of the person or

    entity trading.\211\ Similarly, ICE commented that there is potential

    for all persons trading electronically to impact a market, and all

    market participants have a responsibility to implement risk

    controls.\212\ ICE commented that some algorithmic traders submit

    orders across multiple clearing firms throughout a trading

    session.\213\ Therefore, DCMs are better suited to administer certain

    risk controls--including order throttling and price collars--than

    trading firms and the FCM.\214\

    ---------------------------------------------------------------------------

    \210\ FIA 4, 7, A-24; ICE 2, 5; MGEX 2, 6-7.

    \211\ FIA 4, 7, A-24.

    \212\ ICE 5.

    \213\ Id.

    \214\ Id.

    ---------------------------------------------------------------------------

    Another exchange, MGEX, commented that all orders submitted

    electronically should be subject to pre-trade risk controls, regardless

    of how the order accesses the matching engine.\215\ MGEX recommended

    that any order that is electronically submitted must go through pre-

    trade risk controls at some stage before it reaches the matching

    engine, and that some controls must, at a minimum, reside at the

    matching engine.\216\ MGEX suggested that this would avoid the need for

    defined terms, better achieve the Commission's objective, and would

    provide the public with enhanced clarity.\217\ MGEX further stated that

    market participants should develop their own controls where they use

    trading technology that has direct market access and the DCM-provided

    controls would not prevent or mitigate market disruption risk.\218\

    ---------------------------------------------------------------------------

    \215\ MGEX 2, 6.

    \216\ Id. at 6.

    \217\ Id. at 2, 6-7.

    \218\ Id. at 12.

    ---------------------------------------------------------------------------

    Commenters further addressed this issue during the Second Comment

    Period. The Industry Group commented that ``all electronic trading must

    be subject to pre-trade and other risk controls administered by a CFTC

    registrant that are appropriate to the nature of the activity.'' \219\

    The Industry Group suggested a framework in which the responsibility

    for implementing risk controls lies either with the FCM facilitating

    electronic access to the DCM, or with the market participant, if

    [[Page 85357]]

    it is not trading through the risk controls of an FCM.\220\ Similarly,

    ICE reiterated its position that all market participants that engage in

    electronic trading should maintain appropriate pre-trade and other risk

    controls, regardless of how they access the market or whether they

    engage in algorithmic trading. ICE further stated that limiting

    mandatory risk controls to AT Persons complicates the proposal and does

    not enhance oversight of algorithmic trading activity.\221\ MGEX stated

    that ``each market participant needs to have pre-trade risk controls

    applied to electronically submitted orders, but how that is

    accomplished should depend on the circumstances.'' \222\

    ---------------------------------------------------------------------------

    \219\ Industry Group 8.

    \220\ Id.

    \221\ ICE 2 III.

    \222\ MGEX 2 III.

    ---------------------------------------------------------------------------

    Finally, CME commented on the NPRM's proposed standards regarding

    whether AT Persons, FCMs and DCMs must ``prevent'' or must ``mitigate''

    an Algorithmic Trading Disruption or similar disruption are

    inconsistent. CME stated that the preamble indicates that risk controls

    only need to ``mitigate'' risk, while the rule text requires that AT

    Persons and DCMs both mitigate and ``prevent'' risk.\223\ Further,

    proposed Sec. 1.82 provides that clearing member FCM controls must

    ``prevent or mitigate'' an Algorithmic Trading Disruption.\224\ CME

    stated that Regulation AT should only require AT Persons, clearing FCMs

    and DCMs to mitigate, not prevent, disruptions arising from algorithmic

    trading.\225\ CME further stated that it is impossible to prevent every

    possible disruption caused by algorithmic trading, and therefore the

    standard should be mitigation, not prevention.\226\

    ---------------------------------------------------------------------------

    \223\ CME 4-5, 22-26.

    \224\ Id. at 24-25.

    \225\ Id. at 23, 26.

    \226\ Id. at 23; CME III 3.

    ---------------------------------------------------------------------------

    3. Substance of New Proposal

    In light of the above comments supporting the implementation of

    risk controls on all electronic orders, the Commission has amended the

    requirements of NPRM proposed Sec. Sec. 1.80, 1.82, 38.255 and 40.20.

    Pursuant to the Supplemental proposed rules, AT Persons' risk control

    obligations would be expanded to include not only Algorithmic Trading,

    but also Electronic Trading (in Supplemental proposed Sec. 1.80(g)).

    In the case of FCMs and DCMs, however, the Supplemental proposed rules

    shift the focal point of risk control from Algorithmic Trading to

    Electronic Trading.\227\ More specifically, Supplemental proposed

    Sec. Sec. 1.82 and 38.255 requires FCMs to implement risk controls and

    other measures on all Electronic Trading Order Messages not originating

    with an AT Person. Supplemental proposed Sec. 40.20 requires that DCMs

    implement risk controls on all Electronic Trading Order Messages,

    regardless of their source. As a whole, the Commission's revised risk

    control framework addresses concerns regarding market disruptions

    arising from Electronic Trading, while also preserving an important

    focus on the unique risks of Algorithmic Trading in modern markets. In

    addition, the Commission's revised framework streamlines risk controls

    from three levels to two, and provides AT Persons with the flexibility

    to delegate certain risk control functions to their FCM(s).

    ---------------------------------------------------------------------------

    \227\ In this regard, the Commission notes that Algorithmic

    Trading is a subset of Electronic Trading. Risk control mechanisms

    to address Electronic Trading would necessarily also address

    Algorithmic Trading.

    ---------------------------------------------------------------------------

    The risk control requirements for AT Persons in Supplemental

    proposed Sec. 1.80 apply primarily to AT Order Messages. However, the

    Commission is proposing in new Supplemental proposed Sec. 1.80(g) that

    AT Persons also apply pre-trade risk controls to their Electronic

    Trading Order Messages. The NPRM's original approach, which required AT

    Persons to implement risk controls only to their AT Order Messages,

    left a potentially significant gap in Regulation AT's overall framework

    for reducing risk in modern markets. Specifically, non-algorithmic

    Electronic Trading Order Messages originating with AT Persons would

    have been left with only one level of required risk controls (i.e., at

    the DCM). To ensure two levels of risk controls on all Electronic

    Trading Order Messages, the Commission is proposing Supplemental

    proposed Sec. 1.80(g)(1), which provides that AT Persons must apply

    the risk controls required by Supplemental proposed Sec. 1.80(a), (b)

    and (c) to their Electronic Trading Order Messages that do not arise

    from Algorithmic Trading. AT Persons may make appropriate adjustments

    in their Sec. 1.80(g)(1) risk controls mechanisms to accommodate the

    application of such mechanisms to Electronic Trading Order

    Messages.\228\ Supplemental proposed Sec. 1.80(g)(2) and (3) provides

    a delegation provision similar to Supplemental proposed Sec. 1.80(d),

    in which an AT Person may delegate to an executing FCM compliance with

    Sec. 1.80(a) risk control requirements as to Electronic Trading Order

    Messages.

    ---------------------------------------------------------------------------

    \228\ Certain provisions of Sec. 1.80(a), (b) and (c) reference

    ``Algorithmic Trading'' and ``AT Order Message.'' The language ``to

    accommodate the application of such mechanisms to Electronic Trading

    Order Messages'' means that the risk control mechanisms implemented

    pursuant to Supplemental proposed Sec. 1.80(g) should be designed

    and calibrated to apply to Electronic Trading and Electronic Trading

    Order Messages, rather than to Algorithmic Trading and AT Order

    Messages.

    ---------------------------------------------------------------------------

    The Commission has also revised NPRM proposed Sec. Sec. 1.80, 1.82

    and 40.20 to address the inconsistency noted by CME as to whether risk

    controls must ``prevent'' or ``prevent and mitigate'' risk.

    Supplemental proposed Sec. Sec. 1.80, 1.82 and 40.20 all now provide

    for the standard of ``reasonably designed'' to ``prevent and reduce the

    potential risk of . . . .'' As to the concern raised by CME that

    ``prevent'' is a difficult standard to meet, the Commission notes that

    existing Sec. 38.255 imposes on DCMs an obligation to ``prevent and

    reduce the potential risk of price distortions and market disruptions .

    . .'' which is not modified by ``reasonably designed.'' \229\ The

    statutory text of the related core principle also requires that DCMs

    have the capacity and responsibility to prevent manipulation, price

    distortion, and disruptions of the delivery or cash settlement process

    (also without the ``reasonably designed'' modification).\230\ The

    Commission believes that ``reasonably designed'' to ``prevent'' means

    that the relevant entity--AT Person, FCM or DCM--does those things that

    are under its control, at its level in the lifecycle of an order, to

    prevent a disruption from reaching the next level closer to the DCM or

    at the DCM.

    ---------------------------------------------------------------------------

    \229\ See existing Sec. 38.255, 17 CFR 38.255.

    \230\ DCM Core Principle 4, Section 5(d)(4) of the Act, 7 U.S.C.

    7(d)(4) (2012).

    ---------------------------------------------------------------------------

    Discussed below are changes to rule text addressing the change in

    focus to Electronic Trading in Supplemental proposed Sec. Sec. 1.82,

    38.255 and 40.20.

    Proposed Sec. 1.82. In the NPRM, proposed Sec. 1.82 required risk

    controls and other measures to be reasonably designed to prevent or

    mitigate an ``Algorithmic Trading Disruption.'' Supplemental proposed

    Sec. 1.82 now requires that FCM risk controls and other measures be

    reasonably designed to prevent and reduce the potential risk of a

    disruption associated with Electronic Trading (including an Algorithmic

    Trading Disruption). The Commission discusses the newly defined terms

    Electronic Trading and Electronic Trading Order Message in Section

    VI(C) below.

    The Commission considers a disruption associated with Electronic

    Trading to mean an event that disrupts, or materially degrades, the

    Electronic Trading of a market participant, the

    [[Page 85358]]

    operation of the DCM on which the market participant is trading, or the

    ability of other market participants to trade on the DCM on which the

    market participant is trading. An Algorithmic Trading Disruption, as

    defined under Regulation AT, is a subset of the types of Electronic

    Trading disruptions that could occur.

    Supplemental proposed Sec. 1.82 also includes several changes to

    the enumerated risk controls and order cancellation system requirements

    based on the addition of Electronic Trading to Regulation AT's risk

    control framework. In the NPRM, proposed Sec. 1.82(a)(1) required risk

    controls by reference to the controls listed in Sec. 1.80(a)(1). The

    Supplemental NPRM now explicitly lists those controls within the

    regulation text of Supplemental proposed Sec. 1.82(a)(1). In addition,

    Supplemental proposed Sec. 1.82(a)(1)(i) changes the words ``Maximum

    AT Order Message frequency'' to ``maximum Electronic Trading Order

    Message frequency.'' Similarly, the Supplemental proposed rule now

    explicitly lists required order cancellation systems within the

    regulation text of Sec. 1.82(a)(1) and makes such systems applicable

    to Electronic Trading Order Messages and Electronic Trading, rather

    than AT Order Messages and Algorithmic Trading. Supplemental proposed

    Sec. 1.82(a), (b) and (c) include similar conforming changes in light

    of the proposed shift in focal point of FCM risk controls from

    Algorithmic Trading to Electronic Trading.

    The Supplemental NPRM's proposed FCM rules do not specify the exact

    stage at which the FCM needs to implement its controls on an Electronic

    Trading Order Message. In cases where an order is transmitted

    electronically to, or through, the FCM, the FCM may have significant

    flexibility in when and how the risk controls are applied prior to

    dissemination to the DCM. In cases where an order is communicated

    manually to the FCM, who would then submit the order in the electronic

    system, risk controls may need to be applied later in the submission

    process.

    In the NPRM, the location of the FCM's controls varied according to

    whether an AT Person's orders were placed through DEA or intermediated

    by the FCM. The Supplemental NPRM's proposed FCM rule retains that

    basic structure. However, with respect to those orders that are

    submitted through DEA, Supplemental proposed Sec. 1.82(b) and (c) now

    provide greater discretion to the FCM regarding how to comply with its

    Sec. 1.82 obligations. FIA's comment letter indicated that pre-trade

    risk controls can be administered by the FCM facilitating electronic

    access to the market, ``and implemented within the appropriate system

    that the FCM has administrative control over, including third-party

    vendor systems and exchange provided graphical user interfaces.'' \231\

    The revised proposed rule now provides discretion to executing FCMs to

    comply with Sec. 1.82(b) in the DEA context using the FCM's own

    controls, or controls provided by a DCM or other third party, as long

    as these controls satisfy the requirements of Sec. 1.82(b). Further,

    NPRM proposed Sec. 1.82(c) had provided that for non-DEA orders, the

    FCM must itself establish and maintain pre-trade risk controls and

    order cancellation systems. Supplemental proposed Sec. 1.82(c) now

    provides that the FCM may also comply with Sec. 1.82(c) by using the

    pre-trade risk controls and order cancellation systems provided by DCMs

    pursuant to Sec. 38.255. The Commission intends that this change will

    provide increased flexibility and decreased costs on FCMs, and allows

    the FCM to choose what it judges to be the most appropriate, and

    robust, risk control system from a broader set of options.

    ---------------------------------------------------------------------------

    \231\ FIA 3, 5. An industry participant during the Roundtable

    also indicated that some FCMs may use third party tools to perform

    certain services to clients. See Roundtable Tr. 166:17-167:5.

    ---------------------------------------------------------------------------

    Proposed Sec. 38.255. The Commission made conforming changes to

    NPRM proposed Sec. 38.255 consistent with its decision to shift the

    focal point of FCM risk control obligations from Algorithmic Trading

    orders to Electronic Trading orders. These include use of the newly

    defined terms ``Electronic Trading'' and ``Electronic Trading Order

    Message.'' The Commission has also adjusted several regulation cross-

    references in light of changes made to NPRM proposed Sec. 1.82 (see

    Sec. Sec. 38.255(b)(1)(i) and 38.255(b)(2)).

    Finally, as noted above with respect to Sec. 1.82, an FCM now has

    discretion in the DEA context as to whether it will use DCM-provided

    controls to comply with Sec. 1.82 requirements. Consistent with that

    change, Supplemental proposed Sec. 38.255(c) now allows a DCM that

    permits DEA to require that an FCM use the DCM-provided controls, or

    substantially equivalent controls developed by the FCM itself or a

    third party. Prior to an FCM's use of its own or a third party's

    systems and controls, the FCM must certify to the DCM that such systems

    and controls are in fact substantially equivalent to the systems and

    controls that the DCM makes available pursuant to Supplemental proposed

    Sec. 38.255(b).

    Proposed Sec. 40.20. The Commission made conforming changes to

    proposed Sec. 40.20 consistent with its decision to require DCMs to

    apply risk controls and other measures to electronic trading orders,

    rather than only to Algorithmic Trading orders. These include changes

    to use the terms ``Electronic Trading'' and ``Electronic Trading Order

    Message.'' In addition, the regulatory text of Supplemental proposed

    Sec. 40.20 now explicitly lists risk controls and order cancellation

    systems within the regulation text of Sec. Sec. 40.20(a)(1) and

    40.20(b)(1)(i).

    Like Supplemental proposed Sec. 1.82, Supplemental proposed Sec.

    40.20 now requires DCMs to implement pre-trade and other risk controls

    reasonably designed to prevent a disruption associated with Electronic

    Trading (including an Algorithmic Trading Disruption). As discussed

    above, the Commission considers a disruption associated with Electronic

    Trading to mean an event that disrupts, or materially degrades, the

    Electronic Trading of a market participant, the operation of the DCM on

    which the market participant is trading, or the ability of other market

    participants to trade on the DCM on which the market participant is

    trading.

    Finally, NPRM proposed Sec. 40.20(d) had required that DCMs

    implement risk control mechanisms for manual order entry and other non-

    Algorithmic Trading. Given the change in overall applicability of Sec.

    40.20 to Electronic Trading, the Commission has determined to withdraw

    Sec. 40.20(d).

    4. Commission Questions

    28. Supplemental proposed Sec. Sec. 1.82(b) and 38.255(c) provide

    discretion to the FCM to comply with Sec. 1.82(b) in the DEA context

    using its controls, or controls provided by a DCM or other third party,

    as long as those controls are substantially similar to the controls

    provided by the DCM. Do you agree with this level of discretion, or do

    you believe that FCMs should be required to use DCM-provided controls

    in the DEA context to comply with Sec. 1.82?

    29. Supplemental proposed Sec. 1.82(c) provides that the FCM may

    also comply with Sec. 1.82(c) by using the pre-trade risk controls and

    order cancellation systems provided by DCMs pursuant to Sec. 38.255.

    Do you agree with this discretion? Given the revised definition of DEA,

    should proposed Sec. Sec. 1.82 and 38.255 make any distinction between

    DEA and non-DEA orders?

    30. The Commission assumes that, given the definition of DEA

    provided in Supplemental proposed Sec. 1.3(yyyy), risk controls

    implemented by an FCM for non-DEA orders might function similarly to a

    DCM-provided controls

    [[Page 85359]]

    implemented by an FCM for DEA orders. Should Regulation AT therefore

    require that DCMs provide Sec. 1.82 risk controls for both DEA and

    non-DEA orders?

    C. New and Revised Definitions; Change From ``Clearing Member'' to

    ``Executing'' FCMs

    1. Overview and Policy Rationale for New Proposal

    As discussed above, the Commission has decided to modify its

    framework such that risk controls would be required at two, rather than

    three, levels of the order submission process. The DCM will always be

    one level of risk controls. The second level will be either an AT

    Person or an executing FCM.\232\ In addition, the Supplemental proposed

    rules require DCMs (and FCMs, when such firms implement risk controls)

    to implement risk controls on all electronic orders. Paired with those

    rule changes, the Commission is proposing new defined terms

    ``Electronic Trading'' and ``Electronic Trading Order Message.'' The

    Commission has also changed terminology in Regulation AT relating to

    FCMs. In the NPRM, proposed Sec. Sec. 1.82, 1.83, 38.255, and 40.22

    applied to or referred to ``clearing member'' FCMs. Now such rules

    apply or refer to ``executing'' FCMs. These additional changes are

    responses to commenter concerns with the prior proposed risk control

    framework, particularly comments that even non-algorithmic electronic

    orders have the potential to cause disruption and that ``clearing

    member'' FCMs may not have the ability to implement certain controls on

    a pre-trade basis.

    ---------------------------------------------------------------------------

    \232\ Whether the second level of risk controls is implemented

    by the AT Person or an executing FCM depends on whether the order

    originated with an AT Person and whether the AT Person has delegated

    risk control implementation to the executing FCM.

    ---------------------------------------------------------------------------

    2. NPRM Proposal and Comments

    The NPRM proposed to define the terms ``Algorithmic Trading'' and

    ``AT Order Message'' (see NPRM proposed Sec. Sec. 1.3(zzzz) and

    1.3(wwww), respectively), but not the terms ``Electronic Trading'' and

    ``Electronic Trading Order Message.'' Pursuant to the NPRM, the

    proposed term AT Order Message was defined as each new order or quote

    submitted through Algorithmic Trading to a designated contract market

    by an AT Person and each change or deletion submitted through

    Algorithmic Trading by an AT Person with respect to such an order or

    quote. This term was used in the proposed regulations requiring AT

    Persons, clearing member FCMs and DCMs to implement pre-trade risk

    controls and other measures with respect to AT Order Messages.

    Comments Received. Commenters generally supported the NPRM proposed

    definition of AT Order Message. CME commented that the term should not

    include any ``non-actionable'' messages, such as requests for quotes,

    requests for cross, heartbeat messages, and mass quotes.\233\ CME

    further indicated that DCMs should be able to determine what activity

    may be disruptive in the context of non-actionable messages.\234\ FIA

    commented that message throttles should not reject cancellation

    messages because such messages may be risk-minimizing.\235\ FIA further

    stated that it should be in the discretion of the person supervising

    order messages to take action if excessive cancellation messages are

    disruptive.\236\

    ---------------------------------------------------------------------------

    \233\ CME A-5. On its Web site, CME states that ``mass quotes''

    allow authorized CME Globex customers to create and maintain a

    market on a large number of instruments simultaneously. See http://www.cmegroup.com/confluence/display/EPICSANDBOX/Mass+Quotes.

    \234\ CME A-5.

    \235\ FIA A-13.

    \236\ Id. at 13.

    ---------------------------------------------------------------------------

    The NPRM proposed several rules that impose risk control and

    reporting requirements on clearing member FCMs (i.e., Sec. Sec. 1.82

    and 1.83) or that otherwise refer to FCMs (i.e., Sec. Sec. 38.255 and

    40.22). The principal risk control rule applicable to FCMs is NPRM

    proposed Sec. 1.82. AIMA commented that the pre-trade risk controls

    proposed in the NPRM ``represent a strong foundation for ensuring the

    most obvious safeguards are in place to protect markets from the risks

    of automated execution.'' \237\ AIMA further commented on the type of

    entity that should be subject to NPRM proposed Sec. 1.82, stating that

    the rule should apply to any AT Person providing market access services

    in the Algorithmic Trading transaction chain, not only to clearing

    member FCMs.\238\ Similarly, other commenters took the position that

    NPRM proposed Sec. 1.82 did not apply to the correct set of FCMs. For

    example, FIA stated that the Sec. 1.82 requirements should be on the

    FCM ``facilitating access to the DCM.'' \239\ In support of its

    position, FIA noted that market participants ``can choose to route

    orders through an FCM that is not their clearer and give up the trades

    after execution on the DCM.'' \240\ FIA stated that non-clearing FCMs

    should provide the same standard of pre-trade risk management as an FCM

    that executes and clears for a market participant.\241\ Accordingly,

    FIA asserted that any clearing member of a DCM that provides electronic

    access for its customers or its own trading on a DCM should implement

    appropriate risk controls.\242\ FIA further stated that if a clearing

    FCM delegates facilitation of electronic access to another entity, the

    delegated entity should implement the appropriate controls and the

    delegating FCM should help ensure that such controls are in place.\243\

    ---------------------------------------------------------------------------

    \237\ AIMA III 2.

    \238\ AIMA 14; see also AIMA III 3.

    \239\ FIA A-29.

    \240\ Id.

    \241\ Id.

    \242\ Id.

    \243\ Id. at A-30 n.28.

    ---------------------------------------------------------------------------

    The Industry Group expanded on this point in their comment letter

    submitted during the Second Comment Period. The Industry Group

    indicated that a customer may use the same FCM to provide both

    execution and clearing services, or may use one FCM for execution and

    choose to clear trades through another FCM.\244\ In that instance, the

    executing FCM acts as the ``gatekeeper'' to the DCM matching engine,

    and is the only FCM that can administer pre-trade risk controls.\245\

    Any other FCMs that may subsequently clear trades can only provide

    controls on a post-trade basis.\246\

    ---------------------------------------------------------------------------

    \244\ Industry Group 4-5 n.4.

    \245\ Id.

    \246\ Id.

    ---------------------------------------------------------------------------

    3. Substance of New Proposal

    a. Defined Terms Electronic Trading and Electronic Trading Order

    Message

    The NPRM did not propose definitions of ``Electronic Trading'' or

    ``Electronic Trading Order Message.'' Because the Commission has

    decided to expand some AT Person, FCM and DCM requirements to

    electronic orders, these new defined terms are necessary.

    Supplemental proposed Sec. 1.3(ddddd) defines ``Electronic

    Trading,'' for purposes of Sec. Sec. 1.80, 1.82, 1.83, 38.255, 40.20

    and 40.22, as trading in any commodity interest (as defined in

    paragraph (yy) of Sec. 1.3) on an electronic trading facility (as such

    term is defined by section 1a(16) of the Act), where the order, order

    modification or order cancellation is electronically submitted for

    processing on or subject to the rules of a DCM. The scope of the

    defined term is intended to be expansive, covering, for example, all

    order activity on CME Globex.

    Supplemental proposed Sec. 1.3(bbbbb) defines ``Electronic Trading

    Order Message'' as each new order submitted using Electronic Trading

    and each modification or cancellation submitted using Electronic

    Trading with respect to

    [[Page 85360]]

    such an order. This defined term largely tracks the term ``AT Order

    Message'' as proposed in the NPRM and as revised in this Supplemental

    NPRM.

    b. Revisions to Defined Term ``AT Order Message''

    In this Supplemental NPRM, the Commission makes several changes to

    the definition of AT Order Message (Sec. 1.3(wwww)), mainly for the

    purposes of simplification. The words ``modification or cancellation''

    have replaced the words ``change or deletion'' because it is the

    Commission's understanding that ``modification'' and ``cancellation''

    are more commonly used terms in the industry. The words ``to a

    designated contract market'' were deleted as unnecessary, because the

    concept of an order being submitted specifically to a DCM, as opposed

    to any other type of exchange, is embedded in the definition of

    Algorithmic Trading (see NPRM proposed Sec. 1.3(zzzz)).

    Finally, in this Supplemental NPRM, the Commission has deleted the

    word ``quote'' from the definition of AT Order Message. The word

    ``quote'' is also not contained in the Electronic Trading Order

    Message, Algorithmic Trading, or Electronic Trading definitions. The

    Commission intends that the term ``order'' means any firm, actionable

    messages to the DCM. Accordingly, the term ``order'' includes quotes or

    mass quotes as long as such quotes are firm and actionable. In response

    to the NPRM, CME commented that the term AT Order Message should not

    include any ``non-actionable'' messages, such as requests for quotes,

    requests for cross, heartbeat messages, and mass quotes.\247\ To the

    extent that certain types of messages, such as requests for quote,

    requests for cross, and heartbeat messages, are not actionable, then

    such messages would not fall within the definition of AT Order Message

    or Electronic Trading Order Message. However, the Commission

    understands from CME's Web site that mass quotes can be

    actionable.\248\ In cases where the use of quotes (such as mass quotes)

    is similar to the submission of other order types in that they are

    actionable, such quotes would have the potential to cause market

    disruption and, therefore, should be included within the meaning of the

    terms AT Order Message and Electronic Trading Order Message.

    ---------------------------------------------------------------------------

    \247\ CME A-5.

    \248\ For example, CME Group's Web page on mass quotes indicates

    that successfully accepted quotes act as limit orders. See http://www.cmegroup.com/confluence/display/EPICSANDBOX/Mass+Quotes.

    ---------------------------------------------------------------------------

    c. Change in Terminology From ``Clearing Member'' to ``Executing'' FCMs

    In light of the comments received, the Commission determined that

    applying NPRM proposed Sec. 1.82 to clearing member FCMs would be too

    limiting. Depending on the order submission process, executing FCMs,

    rather than clearing member FCMs, may be in the best position to apply

    risk controls on a pre-trade basis; in many cases, the clearing FCM and

    the executing FCM will be the same firm, so the wording change will not

    result in a requirement change. Accordingly, the Commission has revised

    NPRM proposed Sec. 1.82 (and made conforming changes in Supplemental

    proposed Sec. Sec. 1.80, 1.83, 38.255, 40.20 and 40.22) so that the

    risk control and recordkeeping requirements previously applicable to

    clearing member FCMs now apply to executing FCMs.

    The Commission is seeking comment on whether the change from

    ``clearing member'' FCMs to ``executing'' FCMs is appropriate. If

    commenters raise concerns with this change, and prefer an alternate

    description, including a return to the prior language, the Commission

    may adjust the final rules in light of such comments. With respect to

    Regulation AT, the Commission seeks to ensure that electronic order

    messages are subject to risk controls by an FCM who provides access to

    a DCM and can monitor that order message flow prior to its arrival at

    the DCM.\249\ Accordingly, all FCMs facilitating such access should be

    aware that they may be subject to final rules under Regulation AT

    including, without limitation, Supplemental proposed Sec. 1.82

    required controls and Sec. 1.83 required recordkeeping. FCMs are

    encouraged to submit comments concerning such rules and whether certain

    FCMs should, or should not, be subject to Regulation AT.

    ---------------------------------------------------------------------------

    \249\ In some instances, an order may flow through multiple

    FCMs. The Commission expects that in such a scenario, each executing

    FCM must comply with Sec. 1.82 with respect to such order.

    ---------------------------------------------------------------------------

    4. Commission Questions

    31. With respect to the term ``Electronic Trading,'' should the

    definition exclude trading on a hybrid trade execution model, i.e., one

    that includes non-electronic components? \250\

    ---------------------------------------------------------------------------

    \250\ With respect to hybrid trade execution models, the

    Commission means the unlikely event of a DCM employing a trade

    execution model that has a voice component, as opposed to an

    entirely electronic model.

    ---------------------------------------------------------------------------

    32. The Commission considers the term ``order'' to include all

    firm, actionable messages, and understands mass quotes to be actionable

    messages. Are there other types of firm, actionable messages that

    constitute orders--and therefore fall within the scope of the terms AT

    Order Message and Electronic Trading Order Message--that the Commission

    should clarify in the final rules? If mass quotes are not firm,

    actionable messages, please explain.

    33. The Commission has changed Regulation AT references to

    ``clearing member'' FCMs to ``executing'' FCMs. Do you agree or

    disagree with this change? Is the term ``executing'' FCMs sufficiently

    clear? Does the term ``executing'' FCMs more appropriately capture the

    type of FCMs that can apply pre-trade risk controls and order

    cancellation systems to electronic trading orders? Does the term

    ``executing'' FCMs inappropriately exclude certain FCMs that should

    otherwise comply with Sec. 1.82 obligations?

    D. AT Person Delegation to FCM

    1. Overview and Policy Rationale for New Proposal

    As explained above, the Commission proposes streamlining risk

    controls from three levels to two and shifting the focal point of risk

    control from Algorithmic Trading to Electronic Trading. The number of

    AT Persons may be reduced as a result of the proposed volume threshold

    test, but the obligations of AT Persons pursuant to NPRM proposed Sec.

    1.80 will remain largely the same, with several exceptions. As

    discussed below, the changes to NPRM proposed Sec. 1.80 are: (1) AT

    Persons would be required to implement certain risk controls to their

    Electronic Trading Order Messages, in addition to their AT Order

    Messages; (2) AT Persons would be permitted to delegate certain pre-

    trade risk control obligations to their executing FCMs; (3) AT Persons

    would no longer be required to notify their clearing member and DCM of

    their intended use of Algorithmic Trading; and (4) the provisions

    proposed in NPRM Sec. 1.80(e) regarding self-trade prevention tools

    are reserved, as the Commission anticipates postponing consideration of

    self-trade prevention to a second phase of Regulation AT rulemaking in

    the future. The Commission proposes the delegation option in order to

    provide increased flexibility and decreased burden on AT Persons, and

    eliminates the notification requirement in response to commenter

    concerns that such provision is unnecessary.

    [[Page 85361]]

    2. NPRM Proposal and Comments

    The NPRM proposed Sec. 1.80, which required that AT Persons

    implement pre-trade risk controls and other measures for all AT Order

    Messages that are reasonably designed to prevent an Algorithmic Trading

    Event.\251\ Relevant controls and measures required by NPRM proposed

    Sec. 1.80 included maximum AT Order Message frequency and maximum

    execution frequency per unit time; order price parameters and maximum

    order size limits; order cancellation and ATS disconnect systems; and

    connectivity monitoring systems. They also included several other

    specific requirements, such as notification by AT Persons to applicable

    DCMs and clearing member FCMs that they will engage in Algorithmic

    Trading; calibrating or otherwise implementing DCM-provided self-trade

    prevention tools; and periodic review of the sufficiency and

    effectiveness of the controls implemented by the AT Person.

    ---------------------------------------------------------------------------

    \251\ See NPRM at 78849-78855.

    ---------------------------------------------------------------------------

    Comments Received. Commenters addressed various aspects of the

    proposed rule, including the enumerated risk control requirements and

    order cancellation requirements. The Commission is continuing to review

    such comments, and may make additional changes to such provisions as

    part of the final rules. This Supplemental NPRM eliminates the

    notification requirement and reserves for later consideration the self-

    trade tool implementation requirements, proposed in the NPRM,

    respectively, as Sec. Sec. 1.80(d) and 1.80(e). As stated in the NPRM,

    the purpose of the Sec. 1.80(d) notification provision was to ensure

    that clearing member FCMs and exchanges have sufficient advance notice

    to implement and calibrate pre-trade and other risk controls to manage

    risks arising from the AT Person's trading.\252\

    ---------------------------------------------------------------------------

    \252\ Id. at 78854.

    ---------------------------------------------------------------------------

    In response to the NPRM, FIA and CME opposed proposed Sec.

    1.80(d).\253\ FIA commented that pre-notification of a market

    participant's initial use of Algorithmic Trading is unnecessary and

    overly burdensome.\254\ FIA stated that when an FCM accepts a client,

    the client informs the FCM if they will be conducting Algorithmic

    Trading, and that most exchanges require operator IDs for algorithmic

    traders.\255\ FIA further stated that the breadth of the term

    Algorithmic Trading would require almost every FCM and DCM client to

    notify the FCM and DCM of their use of Algorithmic Trading

    technology.\256\ Finally, FIA commented that identifying each change to

    a system would be counterproductive and burdensome, as it would require

    thousands of notices per year by each participant.\257\ CME agreed that

    FCMs already obtain a significant amount of information from clients

    about the type of trading they anticipate engaging in so that the FCM

    can comply with existing Sec. Sec. 1.11 and 1.73, and that the

    Commission should not prescribe that additional information must be

    communicated.\258\ The Industry Group recommended that market

    participants trading electronically, without passing through FCM-

    administered risk controls, should self-identify to applicable DCMs

    prior to trading, or may be identified via tags on order messages.\259\

    Nadex requested a change to Sec. 1.80(d), stating that compliance

    rests entirely on the AT Person providing the notification, and

    therefore the regulation should specify that in the absence of such

    notification, the FCM and DCM are absolved of any liability for non-

    compliance with Regulation AT.\260\ In contrast, AIMA supported the

    proposed Sec. 1.80(d) notification requirement.\261\

    ---------------------------------------------------------------------------

    \253\ FIA A-26; CME A-12.

    \254\ FIA A-26.

    \255\ Id.

    \256\ Id.

    \257\ Id.

    \258\ CME A-12.

    \259\ Industry Group 8.

    \260\ Nadex 5.

    \261\ AIMA 14.

    ---------------------------------------------------------------------------

    3. Substance of New Proposal

    a. Delegation to Executing FCMs

    The Commission proposes a change to NPRM proposed Sec. 1.80 so

    that AT Persons may delegate compliance with Sec. 1.80(a) pre-trade

    risk control requirements to their executing FCMs. Supplemental

    proposed Sec. 1.80(d)(1) provides that an AT Person may choose to

    comply with Sec. 1.80(a) by implementing required pre-trade risk

    controls, or it may instead delegate compliance with such obligations

    to its executing futures commission merchant(s). As noted above,

    commenters generally found the NPRM's risk control framework as too

    ``one size fits all,'' and recommended a more principles-based rule.

    The Commission believes that the delegation provision provides AT

    Persons with increased flexibility and decreased burden and compliance

    costs with respect to Sec. 1.80 compliance. The Supplemental proposed

    rules do not require the FCM to accept the delegation. If the executing

    FCM declines to comply with Sec. 1.80(a), the AT Person must implement

    the risk controls itself.

    Supplemental proposed Sec. 1.80(d)(2) provides that an AT Person

    may only delegate such functions when (i) it is technologically

    feasible for each relevant futures commission merchant to comply with

    Sec. 1.80(a) with a level of effectiveness reasonably designed to

    prevent and reduce the potential risk of an Algorithmic Trading Event;

    and (ii) each relevant futures commission merchant notifies the AT

    Person in writing that the futures commission merchant has accepted the

    AT Person's delegation and that it will comply with Sec. 1.80(a) on

    behalf of the AT Person.'' The purpose of Sec. 1.80(d)(2)(i) is to

    ensure that the FCM is actually able to effectively implement pre-trade

    risk controls, order cancellation systems and order connectivity

    systems on behalf of the AT Person. The Commission believes that

    generally, use of DEA or some other trading technology that is outside

    the control of the executing FCM may prevent the FCM from effectively

    implementing controls on a pre-trade basis. Such delegation would be

    improper under Supplemental proposed Sec. 1.80(d). The purpose of

    Sec. 1.80(d)(2)(ii) is to ensure that it is clear, as between the AT

    Person and the FCM, who is responsible for complying with Sec.

    1.80(a).

    Finally, Supplemental proposed Sec. 1.80(f) continues to require

    an AT Person to periodically review its compliance with Sec. 1.80 to

    determine whether it has effectively implemented sufficient measures.

    The Commission has revised this section so that its standard is

    consistent with the ``reasonably designed to prevent and reduce the

    potential risk of'' an Algorithmic Trading Event standard discussed

    above. In addition, the Commission has revised this section to account

    for the possibility that an AT Person has delegated Sec. 1.80(a)

    compliance to an FCM, and requires the AT Person to periodically review

    such FCM's compliance with Sec. 1.80(a).

    b. Proposed Use of Algorithmic Trading Notification Requirement

    Based on the addition of Electronic Trading to Regulation AT's risk

    control framework, the Commission has determined that mandatory

    notification from an AT Person to an FCM or DCM is no longer warranted.

    Accordingly, the Commission proposes to withdraw the notification

    requirements provided in NPRM Sec. 1.80(d). The Commission emphasizes,

    however, that DCMs must have an appropriate awareness of its market

    participants engaged in Algorithmic Trading, as well as the systems and

    strategies used by market participants. Such understanding is

    [[Page 85362]]

    necessary not only for DCMs' role as self-regulatory organizations with

    plenary responsibility for the oversight of their markets, but also to

    comply with the requirements of Supplemental proposed Sec. 40.22. This

    provision, explained in detail below, requires each DCM to establish an

    effective program for periodic review and evaluation of AT Persons'

    compliance with Sec. Sec. 1.80 and 1.81. The Commission expects that

    DCMs will establish their own rules and procedures to ensure that they

    are aware of the AT Persons trading on their markets, and to

    successfully comply with Supplemental proposed Sec. 40.22.

    c. Voluntary Election of AT Person Status

    Finally, the Commission, as part of its changes to the definition

    of ``AT Person,'' proposes Sec. 1.3(xxxx)(2), which allows a person

    that does not satisfy the conditions of Sec. 1.3(xxxx)(1) to

    nevertheless elect to become an AT Person. Prior to becoming an AT

    Person, such person must register as a floor trader as defined in Sec.

    1.3(x)(1)(ii) and submit an application for membership in at least one

    RFA pursuant to Sec. 170.18. A person that elects to become an AT

    Person pursuant to Supplemental proposed Sec. 1.3(xxxx)(2)(i) must

    comply with all requirements of AT Persons pursuant to Commission

    regulations.\262\ The Commission proposes Sec. 1.3(xxxx)(2) in order

    to provide increased flexibility to persons that prefer to implement

    their own pre-trade risk controls, rather than leaving implementation

    of such measures to executing FCMs.

    ---------------------------------------------------------------------------

    \262\ See Supplemental proposed Sec. 1.3(xxxx)(2)(ii).

    ---------------------------------------------------------------------------

    4. Commission Questions

    34. Please explain whether you support or oppose the ability of AT

    Persons to delegate certain Sec. 1.80 obligations to FCMs, including

    implementation of pre-trade risk controls, order cancellation systems

    and system connectivity requirements.

    a. Does the language of Supplemental proposed Sec. Sec. 1.80(d)(2)

    and (g)(3) providing that an AT Person may only delegate such functions

    when (i) it is technologically feasible adequately ensure that

    delegation only occurs when the FCM can implement controls on a pre-

    trade basis?

    b. Should the Commission require the AT Person to conduct due

    diligence or obtain a certification to ensure that the FCM is

    implementing sufficient controls?

    c. Should the Commission allow AT Persons to delegate to FCMs

    compliance with other Sec. 1.80 obligations, such as Sec. 1.80(b)

    order cancellation requirements? For which obligations would FCM

    delegation be technologically feasible?

    35. Do you agree with the Commission's determination to eliminate

    the notification of the use of Algorithmic Trading requirement that had

    been required in NPRM proposed Sec. 1.80(d)? If you believe that the

    Commission should retain such a requirement, please explain why.

    36. Will DCMs be able to comply with Supplemental proposed Sec.

    40.20(c)'s system connectivity requirements as to AT Persons without an

    explicit requirement that AT Persons or FCMs notify DCMs that the AT

    Persons will be conducting Algorithmic Trading?

    VII. Reporting and Recordkeeping Obligations

    A. Overview and Policy Rationale for New Proposal

    NPRM proposed Sec. Sec. 1.83 and 40.22 required that AT Persons

    and clearing member FCMs provide the DCMs on which they operate annual

    reports containing information on their compliance with Sec. Sec.

    1.80(a) and 1.82(a)(1), and that DCMs establish a program for effective

    review and evaluation of such reports. The proposed rules also provided

    recordkeeping requirements regarding NPRM proposed Sec. Sec. 1.80,

    1.81 and 1.82 compliance. The reports, recordkeeping requirements, and

    review program were intended to enable DCMs to understand the pre-trade

    risk controls and compliance procedures of AT Persons and FCMs with

    respect to Algorithmic Trading and to identify and take remedial action

    to address potential risks and compliance concerns.

    In response to the NPRM, the Commission received comments

    indicating that the reporting requirements were overly burdensome and

    would provide little benefit with respect to mitigating the risks of

    Algorithmic Trading. Accordingly, as described below, the Commission

    has eliminated the annual compliance reports requirement; retained the

    recordkeeping requirements; and changed the DCM annual compliance

    report review program to a more general program for review of AT Person

    and FCM compliance with Sec. Sec. 1.80, 1.81 and 1.82. The Commission

    further proposes requiring DCMs to mandate that AT Persons and

    executing FCMs provide DCMs with an annual certification attesting that

    the AT Person or FCM complies with the requirements of Sec. Sec. 1.80,

    1.81, and 1.82, as applicable. The Commission believes that these

    changes will significantly decrease the cost of compliance by AT

    Persons and FCMs with Regulation AT, while at the same time providing

    enhanced flexibility and discretion to DCMs in terms of designing and

    implementing an effective program for review of AT Person and FCM

    controls and procedures related to Algorithmic Trading.

    B. NPRM Proposal and Comments

    NPRM proposed Sec. 1.83(a) and (b) required that AT Persons and

    clearing member FCMs provide the DCMs on which they operate with

    information regarding their compliance with Sec. Sec. 1.80(a) and

    1.82(a)(1). NPRM proposed Sec. 40.22 required that each DCM that

    receives a report described in Sec. 1.83 establish a program for

    effective review and evaluation of the reports. The reports proposed by

    Sec. 1.83 and the review program proposed by Sec. 40.22 were intended

    to ensure that AT Persons and clearing FCMs implement effective risk

    controls and regularly review these risk controls. NPRM Sec. 1.83(c)

    and (d) complimented the compliance report review program by requiring

    that AT Persons and clearing member FCMs keep and provide upon request

    to DCMs books and records regarding their compliance with proposed

    Sec. Sec. 1.80 and 1.81 (for AT Persons) and Sec. 1.82 (for clearing

    member FCMs). NPRM proposed Sec. 40.22(d) required DCMs to implement

    rules that require AT Persons and FCMs to keep and provide to the DCM

    books and records regarding compliance with Sec. Sec. 1.80, 1.81 and

    1.82. Finally, NPRM proposed Sec. 40.22(e) required DCMs to review and

    evaluate, as necessary, such books and records maintained by AT Persons

    and clearing member FCMs regarding their Regulation AT compliance.

    Comments Received. Numerous commenters opposed the NPRM requirement

    that AT Persons file an annual report.\263\ AIMA expressed concern

    about the burden that reviewing the filings would have on DCMs,\264\

    and CME, FIA, MGEX, Commercial Alliance and Nadex suggested that the

    cost of requiring participants to prepare and submit compliance reports

    to DCMs outweighs any benefit.\265\ Furthermore, CME, FIA and ICE all

    indicated that information in the reports would be

    [[Page 85363]]

    outdated and no longer useful by the time a report is reviewed.\266\

    ---------------------------------------------------------------------------

    \263\ AIMA 17; CME 20, A-20-A-21; FIA 10, A-90; MGEX 15, 16, 25-

    26; Commercial Alliance 12; Nadex 5; OneChicago 6; ISDA 71; MFA 29;

    ICE 10, A-30, A-31; NIBA 2; NASDAQ 4.

    \264\ AIMA 17.

    \265\ CME 20; FIA 10; MGEX 15, 25-26; Commercial Alliance 12;

    Nadex 5.

    \266\ CME 20, A-21; FIA 10; ICE A-30.

    ---------------------------------------------------------------------------

    In addition, commenters questioned the technical capability of DCMs

    to perform a meaningful review of AT Persons' reports or to assess

    whether the quantitative settings or calibrations of any AT Person's

    controls are sufficient.\267\ MGEX stated that ``it is impracticable to

    expect DCMs to understand all unconventional or proprietary trading

    strategies or the varied technological systems that market participants

    employ.'' \268\ Nadex and OneChicago were concerned that DCMs would be

    responsible for the manner an AT Persons sets or calibrates risk

    controls.\269\ MGEX was skeptical that reviewing compliance reports

    would ensure that AT Persons are actually following these measures in

    practice.\270\ MGEX believed that clear rules and robust surveillance

    are a better way to ensure market integrity.\271\ CME and FIA further

    commented that compliance reports would be duplicative for clearing

    FCMs, which already undergo review by their Designated Self-Regulatory

    Organization (``DSRO'') and clearing organizations.\272\

    ---------------------------------------------------------------------------

    \267\ CME 20, A-20; FIA 10; ICE 10, A-30.

    \268\ MGEX 16.

    \269\ Nadex 5-6; OneChicago 6. Nadex also asserted in its

    comment letter that ``the proposed regulations would essentially

    place the DCM in the role of an advisor or consultant to the AT

    Person. The AT Person could hold the DCM responsible for any errors

    or malfunctions that occur as the result of the DCM's `remediation',

    or shift blame to the DCM in the event those changes are found

    inappropriate or insufficient by the CFTC or RFA.'' Nadex 6.

    \270\ MGEX 16.

    \271\ Id.

    \272\ CME 20; FIA 10, A-90.

    ---------------------------------------------------------------------------

    Several commenters were concerned about the cost of

    compliance.\273\ For example, ICE believed that DCMs would have to hire

    additional staff to conduct a comprehensive review of reports and

    expressed concern regarding the potential additional cost.\274\ LCHF

    and NIBA commented that only large market participants should be

    required to submit compliance reports, noting concerns as to the costs

    for small firms or IBs.\275\ MGEX and NASDAQ commented that small DCMs

    will be particularly burdened because they will need to hire additional

    staff.\276\ NASDAQ believed that the proposed requirements ``could

    potentially cause some DCMs to cease or scale back operation, and

    impact the entry of new DCMs.'' \277\

    ---------------------------------------------------------------------------

    \273\ ISDA 7l; MFA 29.

    \274\ ICE A-31.

    \275\ LCHF 3; NIBA 2.

    \276\ MGEX 16.

    \277\ NASDAQ 4.

    ---------------------------------------------------------------------------

    As an alternative process to mandatory filing of annual reports a

    number of commenters suggested certification processes and outlined

    different processes that could be required.\278\ For example, LCHF

    suggested that compliance reports be reviewed in situations limited to

    those involving an ``open investigation'' or ``complaint filed on a

    market participant.'' \279\ MGEX similarly suggested that if compliance

    report reviews were included, they should only occur as a part of an

    investigation of a market disruption, or alternatively that the FCM or

    DSRO would have the responsibility for conducting such a review.\280\

    ---------------------------------------------------------------------------

    \278\ CME 20, A-21, 22; FIA 10, FIA A-90; ICE 9-10; MFA 29;

    NASDAQ 4; OneChicago 6.

    \279\ LCHF 3.

    \280\ MGEX 17.

    ---------------------------------------------------------------------------

    Commenters also expressed concern over the confidentiality of

    information required to be provided to DCMs in compliance reports.\281\

    AIMA suggested that language be added to the proposed rule to require

    that DCMs maintain compliance reports in confidence, and that the

    Commission treat these as non-public reports for FOIA purposes.\282\

    ---------------------------------------------------------------------------

    \281\ AIMA 18; FIA A-91, A-92.

    \282\ AIMA 18.

    ---------------------------------------------------------------------------

    With respect to the DCM's role in the reporting and recordkeeping

    framework, OneChicago, CME, FIA and ICE commented that the compliance

    reports provided to DCMs would be overly burdensome and ineffective in

    reducing risk.\283\ FIA and ICE commented that DCMs already follow

    procedures that effectively reduce the risk from Algorithmic

    Trading.\284\ ICE further commented that the compliance reports are

    unnecessary, because ``DCMs have implemented comprehensive market

    surveillance and regulation programs that include automated reports and

    alerts designed to identify instances of aberrant or abnormal order or

    trade activity. These programs are already effective at identifying

    specific events of concern that involve Algorithmic Trading.'' \285\

    CME, FIA and ICE also commented that the reports would include stale

    and irrelevant data, which would not be helpful to DCMs in preventing

    future market risk or disruptive practices.\286\ FIA commented that

    ``DCMs are likely not to know the trading strategies or risk tolerances

    of any particular AT Person and thus are unable to assess the adequacy

    of their development and testing protocols, their procedures to help

    detect Algorithmic Trading Compliance Issues, or their pre-trade risk

    and other controls.'' `` \287\

    ---------------------------------------------------------------------------

    \283\ OneChicago 6; CME 20; FIA A-90-91; ICE 33.

    \284\ FIA A-94; ICE 33.

    \285\ ICE 33.

    \286\ CME A-21; FIA A-91; ICE 30-31.

    \287\ FIA A-91.

    ---------------------------------------------------------------------------

    CBOE commented on the preamble language, stating that a DCM may

    want to review an AT Person's books and records, pursuant to Sec.

    40.22(d)-(e), if the AT Person represents significant volume in a

    particular product.\288\ CBOE stated that ``the trigger for a review of

    risk control books and records should be potential or actual

    problematic behavior by the AT Person that suggests the need for

    heightened scrutiny of the AT Person in relation to its risk

    controls,'' but that high volume should not be a trigger for

    review.\289\ In addition, OneChicago found the text of Sec. 40.22

    vague and questioned what would be considered appropriate remediation

    of any deficiency found in an AT Person or FCM report.\290\

    ---------------------------------------------------------------------------

    \288\ NPRM 78876.

    \289\ CBOE 7-8.

    \290\ OneChicago 6.

    ---------------------------------------------------------------------------

    Some commenters also asserted that the Commission's estimated cost

    for DCMs to comply with Sec. 40.22 is too low.\291\ CME stated that

    the annual cost for each of its four exchanges would be closer to

    $525,000, stating that ``this figure assumes that across all four

    Exchanges, approximately 650 entities would come within the scope of

    the proposed compliance report requirements and each entity would be

    reviewed once every four years (across all four Exchanges). If CME

    Group Exchanges were required to review each entity's annual report

    once every two years, the cost would double as CME Group would need to

    hire twice as many full-time employees. CME Group estimates that it

    would take approximately one month for a full-time employee to complete

    each review.'' \292\ MGEX estimated that it would need to hire at least

    two additional full time employees to review the reports, and that

    reviewing each report would take significantly longer than the 15 hours

    estimated in the NPRM.\293\

    ---------------------------------------------------------------------------

    \291\ CME 22; MGEX 26.

    \292\ CME 22.

    \293\ MGEX 26.

    ---------------------------------------------------------------------------

    Commenters further discussed the reporting structure during the

    Second Comment Period. The Industry Group commented that the annual

    reports requirement was ``ineffective, unnecessary, and redundant with

    other requirements to which registrants are subject. Additionally, the

    proposed reports will inundate DCMs with voluminous policies and

    procedures related to the development and compliance of algorithmic

    trading systems, as well as mountainous

    [[Page 85364]]

    snapshots of stale qualitative risk parameter settings particularized

    to a given market participant that will be virtually impossible for a

    DCM to meaningfully assess.'' \294\ The Industry Group stated that as

    an alternative, the Commission should require a certification process

    that affected parties materially comply with relevant aspects of the

    rule.\295\ In addition, consistent with its recommendation of a two-

    level risk control structure with AT Persons/FCMs at one level, and

    DCMs as the second level, the Industry Group suggested a due diligence

    requirement in which FCMs must perform due diligence on customers that

    transmit orders without such orders going through FCM-administered risk

    controls.\296\

    ---------------------------------------------------------------------------

    \294\ Industry Group 7.

    \295\ Id.

    \296\ Id. at 9.

    ---------------------------------------------------------------------------

    In its Second Comment Period letter, CME reiterated its opposition

    to the reporting structure as creating an unnecessary administrative

    burden without a corresponding benefit to market integrity.\297\ Among

    other things, CME noted that DCMs would not have sufficient information

    about AT Persons' systems to meaningfully assess Regulation AT

    compliance, and DCMs would appear to be endorsing the policies and

    procedures of AT Persons if they receive compliance reports but remain

    silent.\298\ CME also commented on the substantial costs of the report

    review program.\299\ Finally, CME suggested a similar due diligence

    process where the clearing member who granted DEA to an AT Person (a

    ``gatekeeper clearing member'') should obtain certifications of

    compliance from their customers.\300\

    ---------------------------------------------------------------------------

    \297\ CME III 4.

    \298\ Id. at 4.

    \299\ Id.

    \300\ Id. at 5.

    ---------------------------------------------------------------------------

    C. Substance of New Proposal

    In light of the concerns raised by commenters to NPRM proposed

    Sec. Sec. 1.83 and 40.22, the Commission has determined to make

    several changes to the proposed rules. First, and most significantly,

    the Commission has eliminated the requirement that AT Persons and FCMs

    prepare compliance reports. The requirements proposed as NPRM

    Sec. Sec. 1.83(a) (AT Person reports) and 1.83(b) (FCM reports) are

    withdrawn in Supplemental proposed Sec. 1.83. However, the Commission

    has determined to retain the AT Person and FCM recordkeeping

    requirements, and such requirements proposed in the NPRM as Sec. Sec.

    1.83(c) and 1.83(d) are now re-numbered as Sec. Sec. 1.83(a) and

    1.83(b).

    The Commission in this Supplemental NPRM has made conforming

    changes to Sec. 40.22. Specifically, the NPRM required that DCMs

    review AT Person and FCM annual reports, identify deficiencies in AT

    Persons' and FCMs' compliance programs, and take remedial action as

    needed. The Commission has eliminated DCMs' obligation to review annual

    compliance reports. In place of that obligation, Supplemental proposed

    Sec. 40.22(a) now requires DCMs to periodically review AT Persons' and

    FCMs' programs for compliance with Sec. Sec. 1.80, 1.81 and 1.82. The

    Commission expects that DCMs' periodic review programs would be similar

    to their existing programs for periodically reviewing members' and

    market participants' compliance with audit trail recordkeeping

    requirements.

    Supplemental proposed Sec. 40.22(b) (formerly Sec. 40.22(d))

    continues to require DCMs to implement rules requiring AT Persons and

    FCMs (now executing FCMs) to keep and provide to the DCM books and

    records regarding compliance with Sec. Sec. 1.80, 1.81 and 1.82.

    Proposed Sec. 40.22(c) replaces the previous requirement that DCMs

    review and evaluate such books and records with a more general

    requirement that DCMs require such periodic reporting from AT Persons

    and executing futures commission merchants as is necessary to fulfill

    the designated contract market's obligations pursuant to paragraph (a)

    of Sec. 40.22.

    Supplemental proposed Sec. 40.22(d) provides that DCMs must

    require by rule that AT Persons and executing FCMs provide DCMs with an

    annual certification attesting that the AT Person or FCM complies with

    the requirements of Sec. Sec. 1.80, 1.81, and 1.82, as applicable.

    Such annual certification shall be made by the chief compliance officer

    or chief executive officer of the AT Person or FCM and must state that,

    to the best of his or her knowledge and reasonable belief, the

    information contained in the certification is accurate and complete.

    The Commission believes that the annual certification requirement

    proposed in Supplemental proposed Sec. 40.22(d) will be substantially

    less burdensome than the review of compliance reports proposed under

    NPRM proposed Sec. 40.22. The Commission also believes that the

    periodic review program required by Supplemental proposed Sec.

    40.22(a), and the annual certifications required by Supplemental

    proposed Sec. 40.22(d), will together impose an important discipline

    on actors in the Algorithmic and Electronic Trading space to help

    ensure compliance with Regulation AT's key risk control and algorithm

    development provisions, including Sec. Sec. 1.80, 1.81 and 1.82.

    The Commission acknowledges the comments from Industry Group and

    CME suggesting an FCM-based due diligence program. The Commission will

    continue to consider such comments and whether such a structure should

    be incorporated into a final rule. However, at this time the Commission

    believes that the DCM is the appropriate entity to review the

    compliance programs of AT Persons. The DCM will have a broader

    perspective of the entire market compared to an FCM, and is better

    situated to ensure that there is a consistent baseline of sufficient

    controls across all AT Persons and executing FCMs.

    D. Commission Questions

    37. Do you agree with the elimination of the annual compliance

    report requirement? Do you believe that the current AT Person/executing

    FCM recordkeeping and DCM review program proposed rules will

    sufficiently ensure that AT Persons and executing FCMs have effective

    risk controls? Is there any aspect of Supplemental proposed Sec. Sec.

    1.83 and 40.22 that should be changed to better ensure that AT Persons

    and executing FCMs are implementing effective risk controls?

    VIII. Additional Changes to NPRM Proposed Rules Under Consideration

    The Commission is considering certain additional changes to the

    rules proposed in the NPRM, apart from the proposed rule text

    provisions set forth in this Supplemental NPRM. The Commission

    preliminarily believes that such additional changes could be adopted

    without further notice and comment, since they do not impact new

    parties, create new obligations, or otherwise increase burdens. The

    following is a summary of certain discrete areas that are under

    consideration. The Commission emphasizes that it has yet to make final

    determinations with respect to the items below, and that their final

    disposition may depend in part on how the Commission proceeds with

    other proposals in the NPRM and Supplemental NPRM.

    NPRM proposed Sec. 1.3(tttt) defines the term Algorithmic Trading

    Compliance Issue.\301\ The term is relevant to the pre-

    [[Page 85365]]

    trade risk and other control requirements for AT Persons under NPRM

    proposed Sec. 1.80, the testing requirements on AT Persons under

    proposed Sec. 1.81(c), and the pre-trade and other risk controls for

    DCMs under NPRM proposed Sec. 40.20. Several commenters noted that the

    scope of an Algorithmic Trading Compliance Issue should not include

    breaches of an AT Person's own internal requirements.\302\ For example,

    SIFMA recommended that the definition be revised to remove references

    to an AT Person's internal policies to prevent unduly burdening DCMs

    and AT Persons with notifications of internal events that do not impact

    the market.\303\ MFA commented that including violations of the AT

    Person's own internal requirements, or the requirements of the AT

    Person's clearing member, is too general and broad.\304\ Citadel

    commented that the Commission should ``focus on trading activity that

    can impact the proper functioning of the market, instead of purely

    internal events within a firm that do not impact other market

    participants, such as an inadvertent violation of an internal trading-

    related process.'' \305\ CME indicated that applying a causation

    standard to internal policies may cause uncertainty.\306\ In response

    to the concerns expressed by commenters, the Commission is considering

    limiting the scope of the term to violations of applicable law,

    including the Act and CFTC regulations. To that end, the Commission is

    considering whether to eliminate from NPRM proposed Sec. 1.3(tttt)

    references to an AT Person's own internal rules, those of its clearing

    member, any DCM on which it trades, or an RFA.\307\

    ---------------------------------------------------------------------------

    \301\ NPRM proposed Sec. 1.3(tttt) defines ``Algorithmic

    Trading Compliance Issue'' to mean an event at an AT Person that has

    caused any Algorithmic Trading of such entity to operate in a manner

    that does not comply with the CEA or the rules and regulations

    thereunder, the rules of any designated contract market to which

    such AT Person submits orders through Algorithmic Trading, the rules

    of any registered futures association of which such AT Person is a

    member, the AT Person's own internal requirements, or the

    requirements of the AT Person's clearing member, in each case as

    applicable.

    \302\ See AIMA 8; Citadel 3; CME A-3; CTC 14; IAA 9; ICE 10; FIA

    Appendix A 5, 11; ISDA 4; MFA 13; SIFMA 3.

    \303\ SIFMA 3, 1; see also Citadel 3.

    \304\ MFA 13.

    \305\ Citadel 3.

    \306\ CME A-3-4.

    \307\ The Commission notes, however, that its regulation 166.3

    requires each Commission registrant (except certain associated

    persons) to ``diligently supervise'' the handling by its partners,

    officers, employees, agents, and persons occupying a similar status

    or performing a similar function, of all commodity interest accounts

    carried, operated, advised, or introduced by the registrant, and all

    other activities of its partners, officers, employees, agents, etc.

    AT Persons would be included among the Commission registrants

    subject to Sec. 166.3

    ---------------------------------------------------------------------------

    NPRM proposed Sec. 1.3(uuuu) defines the term Algorithmic Trading

    Disruption.\308\ The term is relevant to Regulation AT's pre-trade risk

    and other control requirements for AT Persons and FCMs that are

    clearing members for a DCO, as provided in NPRM proposed Sec. Sec.

    1.80 and 1.82(a), respectively. Several commenters asserted that the

    proposed definition is too broad \309\ or lacks clarity.\310\

    Commenters also recommended excluding events originating within an AT

    Person from the scope of an Algorithmic Trading Disruption.\311\ The

    Commission is considering potentially eliminating references in the

    definition to a disruption of an AT Person's own ability to trade, and

    limiting the scope of the term to disruptions of the market and others'

    ability to trade on it.

    ---------------------------------------------------------------------------

    \308\ NPRM proposed Sec. 1.3(uuuu) provides that the term

    ``Algorithmic Trading Disruption'' means an event originating with

    an AT Person that disrupts, or materially degrades, (1) the

    Algorithmic Trading of such AT Person, (2) the operation of the

    designated contract market on which such AT Person is trading or (3)

    the ability of other market participants to trade on the designated

    contract market on which such AT Person is trading.

    \309\ AIMA 9; CME A-4; MMI 2; SIFMA 3, 19; CME A-4; FIA Appendix

    A-5, A-6.

    \310\ CME A-4; FIA Appendix A-5, A-6.

    \311\ SIFMA 3, 19; CME A-4; AIMA 2, 9; MMI 2.

    ---------------------------------------------------------------------------

    The Commission is also considering whether to make analogous

    changes to the defined term Algorithmic Trading Event. NPRM proposed

    Sec. 1.3(vvvv) defined the term Algorithmic Trading Event to mean

    either an Algorithmic Trading Compliance Issue or an Algorithmic

    Trading Disruption. The term is used in NPRM proposed Sec. 1.80, which

    required AT Persons to implement risk controls that are reasonably

    designed to prevent or mitigate an Algorithmic Trading Event.\312\ The

    term is also used in NPRM proposed Sec. 1.81(a) (requiring AT Persons

    to conduct regular back-testing using historical data to identify

    circumstances that may contribute to Algorithmic Trading Events), NPRM

    proposed Sec. 1.81(b) (requiring AT Persons to conduct real-time

    monitoring of Algorithmic Trading to identify potential Algorithmic

    Trading Events), and NPRM proposed Sec. 1.81(d) (requiring AT Persons

    to establish training procedures for communicating and escalating to

    appropriate personnel instances of Algorithmic Trading Events). Several

    commenters stated that the proposed definition of Algorithmic Trading

    Event is unnecessary \313\ or overly broad.\314\ Consistent with the

    proposed changes to NPRM proposed Sec. Sec. 1.3(tttt) and 1.3(uuuu)

    described above, the Commission is considering clarifying in the final

    rules for Regulation AT that an AT Person's internal policies, or the

    disruption of its own Algorithmic Trading, are outside the scope of an

    Algorithmic Trading Event.

    ---------------------------------------------------------------------------

    \312\ This provision now requires AT Persons to implement

    controls reasonably designed to prevent and reduce the potential

    risk of an Algorithmic Trading Event.

    \313\ MFA 15; MMI 2.

    \314\ SIFMA 3, 19.

    ---------------------------------------------------------------------------

    Additionally, the Commission is considering whether to modify

    certain requirements regarding the development, monitoring, and

    compliance of ATSs under NPRM proposed Sec. 1.81. CME, MFA, AIMA and

    FIA commented that the requirement under NPRM proposed Sec.

    1.81(a)(1)(ii) \315\ to test all changes to Algorithmic Trading code

    prior to implementation is too broad.\316\ CME also raised concerns

    that this requirement would impose significant costs for AT Persons and

    DCMs.\317\ MFA and AIMA recommended that this requirement be limited by

    a materiality standard.\318\ FIA commented that ```any changes' should

    be clarified to be limited to any change that directly impacts source

    code associated with determining when and how to send an order or

    otherwise impact an order on a DCM.'' \319\ FIA also commented that

    ```related systems' should be clarified to pertain only to those

    systems that have the ability to determine when and how to send an

    order or otherwise affect an order on a DCM.'' \320\ The Commission has

    withdrawn the requirement under NPRM proposed Sec. 1.81(a)(1)(ii) that

    AT Persons must test all Algorithmic Trading code and related systems

    on each DCM on which Algorithmic Trading will occur. The Commission is

    also considering whether to modify the requirement that AT Persons must

    test all changes to code by adding a materiality standard.

    ---------------------------------------------------------------------------

    \315\ NPRM proposed Sec. Sec. 1.81(a)(1)(ii) (requiring AT

    Persons to implement written policies and procedures for the testing

    of all Algorithmic Trading code and related systems and any changes

    to such code and systems prior to their implementation and that such

    testing must be conducted both internally within the AT Person and

    on each designated contract market on which Algorithmic Trading will

    occur.).

    \316\ CME A-16; MFA 19; AIMA 16; FIA 61.

    \317\ CME A-16.

    \318\ MFA 19; AIMA 16.

    \319\ FIA 61.

    \320\ Id.

    ---------------------------------------------------------------------------

    The Commission is considering whether to modify the algorithm

    monitoring requirements under NPRM proposed Sec. 1.81(b), which

    requires continuous real-time monitoring of

    [[Page 85366]]

    ATSs.\321\ Several commenters recommended changes to the proposed

    requirements for real-time monitoring. CME stated that ``any final

    regulation should be flexible enough to allow the most reasonable

    approach for real-time monitoring that is proportional to the AT

    Person's size and risk profile.'' \322\ FIA recommended that the

    Commission ``only mandate that: (1) One or more specifically

    identifiable persons at an AT Person must have the authority to address

    system breakdowns that might cause an Algorithmic Trading Disruption;

    and (2) systems must be in place to help such persons monitor for

    potential problems and interact with each Algorithmic Trading system.''

    \323\ IAA commented that the monitoring and compliance requirements of

    Sec. 1.81 should be replaced with a more general requirement for AT

    Persons to design a compliance program that is reasonably designed to

    meet the requirements of the rule. The Commission is considering

    whether to eliminate certain language in the NPRM preamble regarding

    CFTC expectations that the person monitoring an algorithm should

    simultaneously be engaged in trading.

    ---------------------------------------------------------------------------

    \321\ NPRM proposed Sec. 1.81(b) provides, inter alia, that

    each AT Person shall implement written policies and procedures

    reasonably designed to ensure that each of its Algorithmic Trading

    systems is subject to continuous real-time monitoring by

    knowledgeable and qualified staff while such Algorithmic Trading

    system is engaged in trading.

    \322\ CME A-18.

    \323\ FIA 66.

    ---------------------------------------------------------------------------

    The Commission is also considering whether to eliminate in its

    entirety NPRM proposed Sec. 1.81(c)(2)(ii). The provision provided

    that each AT Person must implement written policies and procedures

    requiring a plan of internal coordination and communication between

    compliance staff of the AT Person and staff of the AT Person

    responsible for Algorithmic Trading regarding Algorithmic Trading

    design, changes, testing, and controls, which plan should be designed

    to detect and prevent Algorithmic Trading Compliance Issues.

    In addition, the Commission is continuing to evaluate comments

    regarding certain of the enumerated risk control mechanisms in the NPRM

    (and retained in this Supplemental). For example, the Commission is

    considering the appropriateness of a maximum execution frequency

    control at the DCM level. The Commission is also considering clarifying

    in any final rules it may adopt for Regulation AT that the requirements

    for market maker and trading incentive programs under NPRM proposed

    Sec. 40.25 do not apply retroactively, i.e., to programs established

    prior to the Regulation AT effective date. In addition to proposing the

    changes to NPRM proposed rules set forth above, the Commission notes

    that it has determined to defer to a later date the final rules

    regarding self-trading \324\ and disclosure and transparency of DCM

    trade matching systems.\325\ The Commission anticipates finalizing

    those rules after finalizing the other rules proposed in the NPRM and

    this Supplemental NPRM.

    ---------------------------------------------------------------------------

    \324\ See NPRM proposed Sec. 40.23.

    \325\ See NPRM proposed Sec. 38.401(a).

    ---------------------------------------------------------------------------

    D. Commission Questions

    38. The Commission welcomes all comments regarding its

    consideration of potential amendments, deferral, or elimination of

    provisions proposed in the NPRM as discussed in this Section VIII of

    the Supplemental NPRM.

    IX. Related Matters

    A. Cost-Benefit Considerations

    1. The Statutory Requirement for the Commission To Consider the Costs

    and Benefits of Its Actions

    Section 15(a) of the CEA requires the Commission to ``consider the

    costs and benefits'' of its actions before promulgating a regulation

    under the CEA or issuing certain orders.\326\ Section 15(a) further

    specifies that the costs and benefits must be evaluated in light of the

    following five broad areas of market and public concern: (1) Protection

    of market participants and the public; (2) efficiency, competitiveness,

    and financial integrity of futures markets; (3) price discovery; (4)

    sound risk management practices; and (5) other public interest

    considerations. The Commission considers the costs and benefits

    resulting from its discretionary determinations with respect to the

    section 15(a) factors below. As a general matter, the Commission

    considers the incremental costs and benefits of the new and amended

    rules proposed in this supplemental notice of proposed rulemaking for

    Regulation Automated Trading,\327\ taking into account what it believes

    is industry practice given the Commission's existing regulations and

    industry best practices, as described below. Where reasonably feasible,

    the Commission has endeavored to estimate quantifiable costs and

    benefits. The Commission also identifies and describes costs and

    benefits qualitatively.

    ---------------------------------------------------------------------------

    \326\ 7 U.S.C. 19(a).

    \327\ As explained, infra, on December 17, 2015, the Commission

    published in the Federal Register a notice of proposed rulemaking

    (``NPRM'') proposing a series of risk controls, transparency

    measures, and other safeguards to enhance the safety and soundness

    of automated trading on all designated contract markets (``DCMs'')

    (collectively, ``Regulation Automated Trading'' or ``Regulation

    AT''). Regulation Automated Trading, Proposed Rule, 80 FR 78824

    (Dec. 17, 2015) (hereinafter ``NPRM'').

    Through this supplemental notice of proposed rulemaking for

    Regulation AT (``Supplemental NPRM''), the Commission is proposing

    certain modifications and additions to rules set forth in the NPRM.

    This discussion refers to rules originally proposed in the NPRM as

    ``NPRM proposed'' and rules proposed in the Supplemental NPRM as

    ``Supplemental proposed.''

    ---------------------------------------------------------------------------

    2. Comments Regarding Costs and Benefits of Regulation AT \328\

    ---------------------------------------------------------------------------

    \328\ This summary of comments is limited to those relevant to

    the costs and benefits of the Supplemental proposed rules that are

    the subject of this Supplemental NPRM. Comments addressing the costs

    and benefits of NPRM proposed rules not modified by this

    Supplemental NPRM will be included in the final rulemaking release

    for Regulation AT.

    ---------------------------------------------------------------------------

    a. Pre-Trade Risk Controls and Other Measures

    Some commenters addressing Regulation AT requirements generally

    (including pre-trade risk controls, recordkeeping, and compliance

    report costs) indicated that costs are substantially higher than

    estimated in the proposed rule and the articulated benefits do not

    justify the costs.\329\ As to DCMs, FIA commented that certain of the

    Commission's proposed pre-trade and other risk controls for DCMs are

    overly prescriptive and would result in costly investment in controls

    that would not be sufficiently flexible to adapt to further market

    evolution.\330\

    ---------------------------------------------------------------------------

    \329\ See, e.g., FIA 1-3; 10-11; A-78; MFA 34-25; QIM 3; SIFMA

    20.

    \330\ FIA A-41.

    ---------------------------------------------------------------------------

    b. Testing and Supervision of Automated Systems

    Rules applicable to DCMs: CBOE recommended that any requirements

    for testing environments be principles-based and not prescriptive in

    order to accommodate the current best practices of the industry and to

    avoid requiring the development of costly new systems that are not

    currently in existence at DCMs.\331\

    ---------------------------------------------------------------------------

    \331\ CBOE 6-7.

    ---------------------------------------------------------------------------

    ICE, CME, and FIA each stated that the requirement to have DCM test

    environments offer simulation of production trading, contained in NPRM

    proposed Sec. 40.21, was impractical. ICE stated that requiring DCM

    test environments to support the simulation of real market conditions

    or historical transaction, order or message data in its test

    environment is not practical, and that any benefits that this type of

    simulation may produce would not be commensurate with the substantial

    cost

    [[Page 85367]]

    associated with developing it. Without the actual interaction of real

    trades and the wide range of market conditions that can occur in a live

    trading environment, ICE stated that it is unclear what benefits would

    arise from this type of simulation. ICE also commented that the

    implementation would require significant financial investment to

    develop and maintain.\332\

    ---------------------------------------------------------------------------

    \332\ ICE A-10.

    ---------------------------------------------------------------------------

    CME commented that the Commission fails to clearly define the term

    ``simulate'' in NPRM proposed Sec. 40.21. In addition, CME stated if

    the Commission interprets Regulation AT to require DCMs to maintain and

    provide a test environment that includes a production parallel facility

    that utilizes real-time or near real-time market and transaction data

    for testing of a market participant's algorithm, the Commission's cost

    analysis of NPRM proposed Sec. 40.21 is incorrect.\333\

    ---------------------------------------------------------------------------

    \333\ CME 35.

    ---------------------------------------------------------------------------

    FIA commented that although it is possible to include historical

    data in test environments that can be replayed to simulate stress

    conditions in DCM stress environments, such environments would not be

    able to interact with the market. As a result, FIA asserted that a true

    simulation is not possible. Requiring historical data would add costs

    without producing the intended improvement in the DCM test environment.

    FIA also indicated that a test environment as prescribed in NPRM

    proposed Sec. 40.21 would not be possible within the bounds of

    reasonable investment, and that any costs would far outweigh the

    purported benefits.\334\

    ---------------------------------------------------------------------------

    \334\ FIA A-44-A-45.

    ---------------------------------------------------------------------------

    FIA and CME both stated that the costs of NPRM proposed Sec. 1.81

    exceed the benefits. CME stated that the prescriptive nature of the

    requirements set forth in NPRM Proposed Sec. 1.81 will introduce

    significant cost and inefficiencies without the benefit of reduced risk

    to DCMs and market participants. Moreover, FIA and CME commented that

    the Commission has significantly underestimated the cost to both market

    participants and DCMs to support performance level production

    testing.\335\ FIA also stated that the proposed prescriptive

    requirements with respect to DCM test environments are cost prohibitive

    with no justifiable benefit.\336\

    ---------------------------------------------------------------------------

    \335\ CME A-16.

    \336\ FIA A-38, A-39 and A-44.

    ---------------------------------------------------------------------------

    CME further commented that back testing is a complex and costly

    exercise with a limited scope for mitigating risk; therefore, NPRM

    proposed Sec. 1.81 should not be adopted.\337\ CME asserted that the

    costs to AT Persons and DCMs to establish the extensive infrastructure

    needed for back testing far exceed the benefits. CME also stated that

    requiring AT Persons to test ``any'' change with DCMs, as set forth in

    NPRM proposed Sec. 1.81(a)(1)(ii), is too vague. Moreover, CME

    commented that the requirement was too expansive in that it would

    encompass testing for changes to systems which would not reduce risk to

    the AT Person or the overall markets, but would instead be a

    significant cost burden for AT Persons and the DCM.\338\ CME further

    indicated that requiring DCMs to provide test environments that

    simulate production performance levels would be costly and less

    effective than the current market practice, whereby AT Persons design

    and develop their own scaled environment with the support of DCMs.\339\

    ---------------------------------------------------------------------------

    \337\ CME A-15.

    \338\ CME A-16.

    \339\ Id.

    ---------------------------------------------------------------------------

    TT commented that the testing requirements under NPRM proposed

    Sec. 1.81(a) ``should focus on the output of an Algorithmic Trading

    system or software rather than the source code underlying such systems

    or software, which would yield no material benefit.'' \340\

    ---------------------------------------------------------------------------

    \340\ TT III 1.

    ---------------------------------------------------------------------------

    Rules applicable to AT Persons: A Roundtable participant stated

    that Regulation AT is ``a very, very heavy burden'' and ``an extreme

    cost to be an AT person.'' \341\ CTC commented that NPRM proposed Sec.

    1.81(a) would require CTC to draft, implement, and test a whole new

    series of policies. Altering its procedures to conform to the

    regulation, CTC explained, would be costly and would not provide

    sufficient benefit to justify the costs. CTC further indicated that the

    cost-benefit analysis contained in the NPRM fails to adequately explain

    the benefits, only citing an event involving Knight Capital. According

    to CTC, the event ``is a threadbare justification for imposing

    prescriptive requirements on AT Persons.'' CTC further stated that

    proposed Sec. 1.81(b), which requires AT Persons to provide for

    continuous, real-time monitoring of ATSs, entails significant staffing

    and other resource costs. CTC commented that real-time monitoring is a

    standard that is impossible to meet.\342\ CTC proposed ``near real

    time'' as an alternative standard.\343\

    ---------------------------------------------------------------------------

    \341\ See CME, Roundtable Tr. 28:12-18.

    \342\ CTC 14.

    \343\ Id. at 12-13.

    ---------------------------------------------------------------------------

    FIA, SIFMA, and Mercatus objected to the rule requiring monitoring

    of algorithmic trading by a natural person separate from the trader.

    FIA stated that hiring an activity monitor that is independent of the

    trader would not be operationally efficient or reasonable from a cost

    perspective.\344\ SIFMA also noted that requiring separate monitors to

    those implementing a training strategy is overly burdensome and

    inconsistent with typical CPO/CTA trading behavior. SIFMA argued that

    the requirement to ``oversee a trader's actions continuously and in

    real time is a burdensome measure that is not common practice in the

    industry and may not be capable of being accomplished fully.'' Instead,

    SIFMA stated that traders would have the appropriate monitoring

    knowledge and can respond best in real time.\345\

    ---------------------------------------------------------------------------

    \344\ FIA A-77.

    \345\ SIFMA 16.

    ---------------------------------------------------------------------------

    Mercatus argued that requiring the separation of algorithmic

    monitoring and trading would create undue burdens on small firms.

    Specifically, Mercatus stated that ``the required separation of trading

    and monitoring functions is akin to requiring that every firm engaged

    in algorithmic trading have a dedicated compliance person. Further

    burdening small firms, the Commission requires `staff of the AT Person

    to review ATSs in order to detect potential Algorithmic Trading

    Compliance Issues' and specifies that `such staff must include staff of

    the AT Person familiar with' the relevant laws, regulations, and rules.

    This language would seem to preclude the use of outside consultants,

    which could be a more affordable method of compliance for small

    firms.'' \346\

    ---------------------------------------------------------------------------

    \346\ Mercatus 4.

    ---------------------------------------------------------------------------

    MFA argued that a separate physical structure for algorithm testing

    would be unnecessarily burdensome to smaller AT Persons. In contrast to

    physical separation, MFA commented that virtual separation (ensuring

    that testing software does not connect to active markets) rather than

    physical separation, would reduce costs and more easily allow for the

    sharing of components between test and production environments such as

    ``market data infrastructure or reference data files.'' MFA also noted

    concerns with code testing, stating that the requirement is broad. MFA

    pointed out that only material changes should be required to be tested.

    MFA stated that it is not uncommon for CTAs and CPOs to make minor

    adjustments to certain parameters embedded in their investment trading

    software on a daily

    [[Page 85368]]

    basis, including administrative changes, or enhancements.\347\

    ---------------------------------------------------------------------------

    \347\ MFA 18-19.

    ---------------------------------------------------------------------------

    SIFMA commented that the definition of AT Person extends to systems

    in which trades are communicated to the FCM/other trader for execution.

    SIFMA indicated that such execution management systems are often not

    under the development or control of the CPO/CTA and therefore cannot be

    fully monitored by them. In addition, SIFMA stated that CPO/CTAs may

    make use of routing software (AORSs) provided by the FCM that often

    have risk controls built in.\348\

    ---------------------------------------------------------------------------

    \348\ SIFMA 4-5, 16.

    ---------------------------------------------------------------------------

    FIA commented that the CFTC needs a better understanding of, among

    other things, the anticipated benefits and actual costs of the proposed

    requirements for policies and procedures for the development, testing,

    deployment, and monitoring of ATSs.\349\ FIA further asserted that

    several of the requirements in NPRM proposed Sec. 1.81(a)-(d) are not

    standard industry practice and would impose costs on AT Persons,

    including costs stemming from the hiring of additional staff. In

    addition, FIA commented that the rules would require extensive

    narrative documentation, testing of every change to an ATS at every

    DCM, historical back-testing of all changes to source code, separation

    of the trading function and the monitoring function associated with

    Algorithmic Trading, and documentation of system strategy and design

    independently of the software responsible for executing the

    strategy.\350\

    ---------------------------------------------------------------------------

    \349\ FIA 3-4.

    \350\ FIA A-72.

    ---------------------------------------------------------------------------

    c. Requirements To Maintain and Make Available Source Code Records

    In support of the NPRM proposed rules regarding source code, Better

    Markets commented that ``the clear and many benefits arising from the

    Commission's ability to perform post-mortems after disruptive market

    events far outweigh any legitimate concerns, which haven't been

    proffered.'' \351\ In contrast, other commenters expressed concerns

    regarding potential costs regarding source code recordkeeping. CME

    commented that maintaining a source code repository would impose

    significant burdens and costs on any entity that does not currently do

    so.\352\ CME further commented that the CFTC has not demonstrated any

    need for AT Persons to make source code available, ``let alone a need

    that outweighs the cost and confidentiality concerns attendant to such

    a requirement.'' \353\

    ---------------------------------------------------------------------------

    \351\ Better Markets III 3.

    \352\ CME 38.

    \353\ CME III 9.

    ---------------------------------------------------------------------------

    The Industry Group commented that the proposed source code

    requirement ``puts highly proprietary information at risk without

    measurable benefits.'' \354\ FIA stated that the requirement in NPRM

    proposed Sec. 1.81(a)(v) for AT Persons to maintain a source code

    repository in accordance with Sec. 1.31 is impractical and unduly

    burdensome.\355\ FIA noted that the proposed rule captures Algorithmic

    Trading source code as well as the source code of ``related systems''

    in its retention and access requirements.\356\ FIA asserted that

    ``related systems'' is vague and could encompass all, or nearly all,

    source code utilized by an AT Person, including, but not be limited to,

    source code associated with back-office, portfolio risk management,

    monitoring, and user interfaces. FIA indicated that such a broad

    interpretation would dramatically increase the cost of complying with

    the proposed rules. Relatedly, a Roundtable participant noted that

    storage of source code is not free.\357\

    ---------------------------------------------------------------------------

    \354\ Industry Group 6 (emphasis omitted).

    \355\ FIA A-54.

    \356\ Id. at A-55.

    \357\ AQR, Roundtable Tr. at 281:9-10.

    ---------------------------------------------------------------------------

    AIMA commented that source code ``provides very little supervisory

    or investigative utility to anyone seeking to `read' it'' and that

    accessing source code ``without a specific court-upheld reason would

    simply risk the commercially sensitive IP of AT Persons without

    providing any additional benefit.'' \358\ The Chamber of Commerce

    asserted that ``the CFTC has not provided an estimate of the costs for

    hiring qualified developers that could actually analyze the proprietary

    source code, meaning that the CFTC currently does not know how much it

    would even cost to review information within its possession.'' \359\

    The Chamber of Commerce further asserted that the proposed source code

    requirements would ``not provid[e] any tangible benefit to the CFTC.''

    \360\

    ---------------------------------------------------------------------------

    \358\ AIMA III 5.

    \359\ Chamber of Commerce III 4.

    \360\ Chamber of Commerce III 6.

    ---------------------------------------------------------------------------

    KCG commented that ``it seems clear that the risks (and costs) of

    allowing on-demand access to proprietary source code outweigh any

    potential benefit.'' \361\ Similarly, MGEX also expressed concern that

    the costs of the proposed source code requirement outweigh the

    benefits.\362\ MMI commented that ``the costs associated with creating

    a new regulatory requirement and the risks associated to the disclosure

    of such information [i.e., source code] to regulators (and perhaps

    inadvertently to the public) defy an acceptable cost-benefit analysis

    of the proposed Sec. 1.81(a).'' \363\ Finally, QIM asserted that the

    proposed source code requirement ``would not provide the benefits

    envisioned by the Commission.'' \364\

    ---------------------------------------------------------------------------

    \361\ KCG III 5.

    \362\ MGEX III 7.

    \363\ MMI III 2-3.

    \364\ QIM III 2.

    ---------------------------------------------------------------------------

    d. Requirement To Submit Compliance Reports and Other Related

    Algorithmic Trading Requirements

    Costs and Benefits to DCMs: ICE commented that the burden on DCMs

    to collect and review the proposed annual reports is significant. ICE

    indicated that undertaking the type of review necessary to verify and

    evaluate the information contained in the proposed annual reports would

    be both costly and resource intensive. The number of AT Persons and

    clearing FCMs that would be required to file annual reports with DCMs

    would far exceed the number of clearing FCMs that are currently

    reviewed under DSRO audit today. Further, ICE stated that DCMs do not

    have the resources or qualified expertise that would be required to

    conduct a comprehensive review of the proposed annual reports and the

    algorithms developed and operated by AT Persons. ICE recommended that

    the annual report requirement set forth in NPRM proposed Sec. 1.83 be

    replaced with a certification process.\365\

    ---------------------------------------------------------------------------

    \365\ ICE A-31.

    ---------------------------------------------------------------------------

    CME commented that the annual compliance report requirement creates

    an unnecessary administrative burden on all parties involved without

    generating a significant benefit.\366\ CME asserted that the

    information in the reports would be stale and that CME would need to

    hire additional staff with the expertise to evaluate the reports.

    Moreover, CME indicated that compliance reports would be onerous and

    duplicative for clearing FCMs, as they already undergo significant

    review by their DSRO and clearing organizations. CME argued that

    further unnecessary duplication would result from AT Persons submitting

    reports to multiple DCMs.

    ---------------------------------------------------------------------------

    \366\ CME 20; CME III 4.

    ---------------------------------------------------------------------------

    With regard to specific cost estimates, CME stated that the

    Commission has significantly underestimated the ongoing costs to DCMs

    of complying with the NPRM's requirement to periodically review AT

    Person and clearing FCM compliance reports and books and records, and

    to identify and

    [[Page 85369]]

    remediate any insufficient mechanisms, policies and procedures

    discovered. In the NPRM, the Commission estimated that it would cost

    each DCM approximately $244,080 per year to comply with NPRM proposed

    Sec. 40.22. CME believes this estimate is deficient by approximately

    50% and estimated the annual cost for each of its four DCMs to be

    closer to $525,000, assuming that across all four DCMs, approximately

    650 entities would come within the scope of the proposed compliance

    report requirements and that each entity would be reviewed once every

    four years (across all four DCMs). CME estimated that it would take

    approximately one month for a full-time employee to complete each

    review. According to CME, the biggest flaw in the CFTC's analysis is

    its assumption that new full-time employees dedicated to compliance

    with Sec. 40.22 would not be required. Moreover, for the compliance

    report to provide any meaningful benefit to market integrity, DCM

    personnel would need to spend far more than 15 hours reviewing each

    report and related books and records.\367\

    ---------------------------------------------------------------------------

    \367\ CME at 22.

    ---------------------------------------------------------------------------

    MGEX commented that costs are likely to be higher for DCMs than

    those calculated by the Commission, especially for the requirement that

    DCMs review, analyze and remediate compliance programs of AT

    Persons.\368\ In extremis, elevated costs could leave the marketplace

    in a situation of reduced competition between DCMs. MGEX provided

    estimates for the costs associated with DCM compliance, and stated that

    the per-form review time would exceed the Commission's 15 hour estimate

    because such forms would not be standardized. MGEX indicated that the

    review process would require the hiring of at least two additional full

    time employees. Finally, MGEX argued that these costs are especially

    burdensome for smaller DCMs, stating: ``[T]he costs associated with new

    compliance obligations disproportionally impacts existing DCMs. With

    every new compliance obligation, there are new costs. For smaller DCMs,

    the cost are often more severe. This is because smaller DCMs do not

    have the benefit of large staffs and resources to leverage. Put

    differently, it is more likely smaller DCMs will have to hire

    additional staff to meet new compliance obligations, and therefore

    their cost assessment is fundamentally different than larger DCM.''

    \369\

    ---------------------------------------------------------------------------

    \368\ MGEX 25-26.

    \369\ Id. at 27.

    ---------------------------------------------------------------------------

    Costs and Benefits to Market Participants and FCMs: MFA commented

    that Regulation AT reporting, compliance and recordkeeping costs far

    outweigh the benefits, and proposed that reporting/compliance could be

    incorporated in the NFA review program which is already CPO/CTA common

    practice.\370\

    ---------------------------------------------------------------------------

    \370\ MFA 9

    ---------------------------------------------------------------------------

    FIA recommended that each AT Person periodically review and test

    the effectiveness of its policies and procedures related to Algorithmic

    Trading and take prompt action to remedy any deficiencies.\371\

    However, because there is no materiality threshold associated with the

    remediated deficiencies in the proposed rule, FIA does not support

    documenting each incident of remediation. FIA indicated that many

    deficiencies are immaterial and the costs associated with their

    documentation would outweigh the marginal benefit, if any. In addition,

    FIA asserted that extensive documentation of policies and procedures

    associated with trading system design, development, testing,

    operations, and compliance does little to reduce any perceived risks

    associated with Algorithmic Trading. FIA stated that the application of

    sound policies and procedures, rather than the documentation of those

    policies and procedures, has a material impact on reducing risk.\372\

    ---------------------------------------------------------------------------

    \371\ FIA A-63.

    \372\ Id. at A-73.

    ---------------------------------------------------------------------------

    FIA opposes requiring AT Persons or clearing member FCMs to prepare

    annual reports because, among other things, the burden of preparing and

    filing an annual report may be extensive, especially if Regulation AT

    applies to AT Persons of different sizes and complexities.\373\ FIA

    noted that IBs, CTAs, CPOs who are small entities may be

    disproportionately adversely impacted by Regulation AT. FIA also argued

    that since FCMs are already required to prepare CCO Annual Reports

    under Sec. 3.3 and subject to risk management requirements under

    Sec. Sec. 1.11 and 1.73, there is no marginal benefit in requiring

    FCMs to produce an additional annual report. FIA expects that such a

    report would cost substantially higher than the Commission's estimates.

    ---------------------------------------------------------------------------

    \373\ Id. at A-91-A-92.

    ---------------------------------------------------------------------------

    CME commented that the ``proposed requirement that AT Persons and

    clearing FCMs prepare and submit extensive annual compliance reports to

    DCMs creates an unnecessary administrative burden on all parties

    involved without providing significant benefit to market integrity.''

    \374\ In addition, a Roundtable participant representing an FCM

    estimated that the compliance costs for Regulation AT would be $1

    million annually for the participant's firm.\375\ Another Roundtable

    participant questioned whether all FCMs could afford that cost and

    suggested that ``we could potentially lose'' some FCMs.\376\

    ---------------------------------------------------------------------------

    \374\ CME III 4.

    \375\ ABN AMRO, Roundtable Tr. 176: 13-17.

    \376\ OneChicago, Roundtable Tr. 197: 11-15.

    ---------------------------------------------------------------------------

    e. Requirements for Certain Entities to Register as New Floor Traders

    MFA commented that, as currently proposed, Regulation AT would

    apply to the majority of futures market participants, significantly

    increasing compliance costs relative to a framework where risk controls

    are applied at the DCM and clearing-FCM level. Specifically, MFA stated

    that it ``is concerned that the Regulation AT framework is overly broad

    and elaborate, which would make implementation expensive and burdensome

    for market participants and regulators. Regulation AT, as proposed,

    would regulate--in the same manner--virtually any market participant

    that uses any automation with respect to trading, without taking into

    consideration the type of automation or the different category,

    business or operational size of the market participant. Based on the

    Commission's own cost-benefit and regulatory flexibility analyses, we

    believe this is not the Commission's intent.'' MFA acknowledged that

    risk controls are appropriate for all entities, but requiring the same

    risk controls at all levels of trading is unreasonably costly.\377\

    ---------------------------------------------------------------------------

    \377\ MFA 5-6.

    ---------------------------------------------------------------------------

    The Commercial Alliance commented that a quantitative measure to

    identify the population of AT Persons ``would require the CFTC to

    revise the metric frequently'' and such revisions would ``increase

    costs for market participants to update their IT systems and monitoring

    practices accordingly, which could cause a lag in the markets and

    reduce liquidity.'' \378\ The Commercial Alliance further commented

    that a registration framework for AT Persons would ``impose significant

    cost burdens to market participants'' but would not provide any

    ``additional regulatory benefit.'' \379\

    ---------------------------------------------------------------------------

    \378\ Commercial Alliance III 3.

    \379\ Id. at III 6.

    ---------------------------------------------------------------------------

    3. The Commission's Cost-Benefit Consideration of Regulation AT--

    Baseline Point

    In the NPRM, the Commission took account of the incremental costs

    and

    [[Page 85370]]

    benefits of the proposed rules relative to what it understood as the

    general industry status quo conditions (reflective of the Commission's

    existing regulations and industry best practices). As noted in the

    NPRM, elements of Regulation AT sought to codify existing norms and

    best practices of trading firms, FCMs, and DCMs, meaning that the costs

    and benefits to firms already satisfying these norms and employing the

    proposed codified practices would be minimal. The Commission, however,

    also recognized in the NPRM that some individual firms currently may

    not be operating at industry best practice levels; for such firms,

    costs and benefits attributable to the proposed regulations will be

    incremental to a lower status quo baseline.

    To assist the Commission and the public in assessing and

    understanding the economic costs and benefits of the Supplemental

    proposed rules as revised in this Supplemental NPRM, the Commission

    has, in general, analyzed the costs of the proposed regulations as

    compared to the analogous regulations as proposed in the original

    NPRM.\380\ In doing so, the Commission notes how the Supplemental

    proposed rules alter the previous NPRM assessment relative to the

    status quo baseline. As noted in the NPRM, in many instances, full

    quantification of the costs is not reasonably feasible because costs

    depend on the size, structure, and practices of trading firms, FCMs and

    DCMs. Within each category of entity, the size, structure and practices

    of such entities will vary markedly. In addition, the quantification

    may require information or data, some of which may be proprietary, that

    the Commission lacks means to access. Further, with exceptions noted in

    the IX.A.2 discussion of cost-benefit comments, interested parties have

    not provided information in response to the Concept Release and NPRM to

    assist the Commission in quantifying costs. The Commission notes that

    to the extent that the regulations proposed in this rulemaking result

    in additional costs, those costs will be realized by trading firms,

    FCMs and exchanges in order to protect market participants and the

    public. Finally, in general, full quantification of the benefits of the

    proposed rule is also not reasonably feasible, due to the difficulty in

    quantifying the benefits of a reduction in market disruptions and other

    significant market events due to the risk controls and other measures

    proposed in Regulation AT.

    ---------------------------------------------------------------------------

    \380\ The Commission notes that the costs and benefits of NPRM

    Sec. 1.81(vi), regarding the source code and log file retention,

    were not explicitly discussed in the NPRM. Therefore, as discussed

    below, for Supplemental proposed Sec. 1.84, the Commission is using

    current industry practice as the baseline.

    ---------------------------------------------------------------------------

    4. The Commission's Cost-Benefit Consideration of Regulation AT--Cross-

    Border Effects

    The Commission notes that the consideration of costs and benefits

    below is based on the understanding that the markets function

    internationally, with many transactions involving U.S. firms taking

    place across international boundaries; with some Commission registrants

    being organized outside of the United States; with leading industry

    members typically conducting operations both within and outside the

    United States; and with industry members commonly following

    substantially similar business practices wherever located. Where the

    Commission does not specifically refer to matters of location, the

    below discussion of costs and benefits refers to the effects of the

    proposed rules on all activity subject to the proposed and amended

    regulations, whether by virtue of the activity's physical location in

    the United States or by virtue of the activity's connection with or

    effect on U.S. commerce under CEA section 2(i).\381\ In particular, the

    Commission notes that some AT Persons are located outside of the United

    States.

    ---------------------------------------------------------------------------

    \381\ 7 U.S.C. 2(i).

    ---------------------------------------------------------------------------

    5. Introduction: The NPRM and Supplemental NPRM for Regulation AT

    The consideration of costs and benefits for this Supplemental NPRM

    for Regulation AT builds on the cost-benefit considerations contained

    in the NPRM. Regulation AT reflects a comprehensive effort to reduce

    risk and increase transparency across algorithmic order origination and

    electronic trade execution on all U.S. futures exchanges. The proposed

    rules, both in the NPRM and the Supplemental NPRM, seek to modernize

    the Commission's regulatory regime, keep pace with evolving markets and

    technologies, and to promote the continued safety and soundness of

    trading on all contract markets. The Commission is endeavoring, through

    this Supplemental NPRM, to incorporate persuasive comments received

    during numerous opportunities for public comment, and to address

    concerns raised by market participants including concerns related to

    the costs and benefits of Regulation AT as proposed in the NPRM. Many

    of the changes in the Supplemental NPRM are designed to mitigate cost

    concerns while retaining the important benefits of Regulation AT. For

    example, as discussed below, the Commission is proposing to reduce the

    number of levels at which risk controls are typically applied to two

    (the DCM and either the FCM or AT Person) from three (the DCM, FCM, and

    AT Person) and proposing a volume threshold to limit the number of AT

    Persons under the Supplemental NPRM relative to the number of AT

    Persons under the NPRM. Both of these changes are designed to reduce

    costs while retaining the essential benefits associated with the risk

    controls and the rules applicable to AT Persons.

    6. Proposed New Definitions and Changes to NPRM Proposed Definitions

    The Commission proposes in this Supplemental NPRM new defined terms

    ``Electronic Trading'' and ``Electronic Trading Order Message'' as well

    as ``Algorithmic Trading Source Code.'' The Commission also proposes to

    modify certain definitions proposed in the NPRM, including ``Direct

    Electronic Access'' (``DEA'') and ``AT Order Message.'' Finally, the

    Commission in this Supplemental NPRM changes various references in

    Regulation AT from ``clearing member'' to ``executing'' FCM. The

    Commission believes that these definitions and changes in terminology

    do not impose costs or confer benefits in and of themselves. However,

    as discussed below, changes in definition or new definitions may affect

    the costs and benefits of rules where defined terms are used.

    7. Requirements for AT Persons

    a. Summary of Proposal

    The Commission proposes changes to modify the definition of AT

    Person. Pursuant to Supplemental proposed Sec. 1.3(xxxx), a market

    participant may fall under the definition of AT Person in one of three

    ways. First, the category of AT Persons includes persons registered or

    required to be registered as an FCM, floor broker, swap dealer, major

    swap participant, commodity pool operator, commodity trading advisor,

    or introducing broker that (1) engages in Algorithmic Trading and (2)

    satisfies the volume threshold of 20,000 contracts traded per day over

    a six month period under Supplemental proposed Sec. 1.3(x)(2).\382\

    Second, AT Persons include New Floor Traders under Supplemental

    proposed Sec. 1.3(x)(1)(iii).\383\ Such New Floor Traders must engage

    in Algorithmic Trading, utilize DEA under the revised

    [[Page 85371]]

    definition,\384\ and satisfy the volume threshold under Supplemental

    proposed Sec. 1.3(x)(2). Third, a person who does not satisfy either

    of the other two prongs of the AT Person definition may nevertheless

    elect to become an AT Person, provided that such person registers as a

    floor trader and complies with all requirements of AT Persons pursuant

    to Commission regulations.\385\ Further, Supplemental proposed Sec.

    1.3(x)(4) contains an anti-evasion provision prohibiting the trading of

    contracts through multiple entities for the purpose of evading the

    registration requirements imposed on New Floor Traders under Sec.

    1.3(x)(3), or to avoid meeting the definition of AT Person under Sec.

    1.3(xxxx).

    ---------------------------------------------------------------------------

    \382\ See Supplemental proposed Sec. 1.3(xxxx)(1)(i).

    \383\ See Supplemental proposed Sec. 1.3(xxxx)(1)(ii).

    \384\ Under the revised definition in Sec. 1.3(yyyy), DEA

    includes any electronic order submissions to a DCM, unless the order

    is first received by an FCM from a separate natural person by means

    of written or oral communication prior to being submitted to the DCM

    by the FCM.

    \385\ See Supplemental proposed Sec. 1.3(xxxx)(2).

    ---------------------------------------------------------------------------

    Under the volume threshold, if a floor trader or other registrant

    who is a potential AT Person (including other entities under common

    control) trades an aggregate average daily volume on electronic trading

    facilities across all products and all DCMs of at least 20,000

    contracts, including for a firm's own account, the accounts of

    customers, or both,\386\ over a six-month period (either January-June

    or July-December), that registrant will be an AT Person.

    ---------------------------------------------------------------------------

    \386\ As discussed above in Section II(C), New Floor Traders who

    are not otherwise registered with the Commission would be expected

    to trade only for their own accounts, not on behalf of customers.

    Absent any trading for a customer account consistent with the Act

    and Commission regulations, New Floor Traders would therefore be

    expected to apply the volume threshold test solely to their

    proprietary trading volume.

    ---------------------------------------------------------------------------

    Further, under NPRM proposed Sec. 170.18, AT Persons also must

    register for membership in at least one RFA. Supplemental proposed

    Sec. 170.18 clarifies that an AT Person not yet a member of an RFA

    must submit an application for membership in at least one RFA within 30

    days of such registrant satisfying the volume test set forth in

    Supplemental proposed Sec. 1.3(x)(2).

    Finally, under Supplemental proposed Sec. 1.3(xxxx)(2), an entity

    may voluntarily choose to become an AT Person even if it does not

    otherwise meet the definition of AT Person by choosing to register as a

    floor trader and applying for membership with an RFA.

    b. Costs

    The NPRM's cost-benefit considerations for rules applicable to AT

    Persons, and for rules on other market participants that depend on the

    number of AT Persons (i.e., Sec. 40.22 DCM compliance report review

    program), were based on an estimate of 420 AT Persons. That estimate

    was based on a sample of order messages sent to DCMs and was based on

    the NPRM proposed definition of DEA.\387\ This data included new

    orders, modifications to orders, and cancellations, and the methodology

    for estimating that number was specified in the NPRM.\388\

    ---------------------------------------------------------------------------

    \387\ Under NPRM proposed Sec. 1.3(yyyy), DEA was defined as an

    arrangement where a person electronically transmits an order to a

    DCM, without the order first being routed through a separate person

    who is a member of a DCO to which the DCM submits transactions for

    clearing.

    \388\ NPRM at 78884.

    ---------------------------------------------------------------------------

    In response to comments asserting that the actual number of AT

    Persons under the proposed rule would be much larger than the 420

    entities estimated the Commission, the Commission is proposing a volume

    threshold to limit the number of AT Persons. The volume threshold would

    be set at 20,000 contracts aggregated across a market participant's own

    account, the accounts of customers, or both, over a six-month period.

    The Commission estimates that the proposed volume threshold will reduce

    the number of AT Persons to approximately 120.

    In order to derive this estimate, the Commission made use of daily

    trading audit trail data, for futures and options on futures, received

    from each DCM. Because the volume threshold is based on activity within

    a semi-annual period, the Commission calculated the average activity of

    individual firms during the first half of 2016 and used these aggregate

    numbers as an activity benchmark. Aggregating this activity across the

    DCMs for which the Commission had firm identification provided a basis

    for estimating the number of potential AT Persons. The Commission notes

    that its data provides a significantly comprehensive, but not a full,

    identification of the firms associated with each trade; in other cases,

    the firm associated with a trade may be the broker rather than the

    principal. For these reasons, the Commission estimate for the number of

    AT Persons may omit some firms that would meet the volume threshold

    requirements.

    The Commission notes that the definition of ``Direct Electronic

    Access'' is an element of the definition of ``floor trader'' and, thus,

    AT Person. The Commission is modifying the definition of DEA. Under

    Supplemental proposed Sec. 1.3(yyyy), DEA includes any electronic

    order submissions to a DCM, unless the order is first received by an

    FCM from an unaffiliated natural person by means of written or oral

    communication prior to being submitted to the DCM by the FCM. This

    definition, in and of itself, is broad enough to potentially include

    most participants on DCMs. However, merely meeting the definition of

    DEA will not impose costs on market participants trading for their own

    account who are not AT Persons; that is, to incur costs, they must also

    engage in Automated Trading and meet the volume threshold.

    The clarifying changes to Supplemental proposed Sec. 170.18 should

    not materially affect the costs associated with the RFA membership

    requirement for AT Persons. Supplemental proposed Sec. 1.3(xxxx)(2),

    which permits an entity to voluntarily become an AT Person, does not

    impose any mandatory costs since it does not require anyone who

    otherwise does not meet the definition of AT Person to become an AT

    Person. An entity that does voluntarily become an AT Person presumably

    has determined that the benefits of doing so warrant accepting the

    costs imposed on AT Persons.

    c. Benefits

    The volume threshold and changes to the definition of AT Person

    will limit the number of firms subject to Regulation AT while

    preserving the benefits of Regulation AT for the larger firms trading

    on DCMs. The Commission believes that the benefits associated with

    requirements such as risk controls, testing and monitoring,

    recordkeeping, and other provisions applicable to AT Persons are

    greatest for this subset of market participants because errors related

    to malfunctions at the firms with highest activity will likely have the

    largest impact on other market participants and the market as a whole.

    As evidence for this, FIA indicated in its December 2013 response to

    the Concept Release that most, if not all, large automated firms have

    extensive risk controls across all of their algorithmic activity, often

    calibrated at multiple levels, along with other quality control schemes

    to minimize the chance of error.\389\ Such firms, understanding the

    effect they may have on the marketplace due to unanticipated behavior,

    have voluntarily chosen to incorporate measures similar to those

    required in Regulation AT to mitigate these risks. The anti-evasion

    provisions will help ensure that entities that should be AT Persons are

    not able to readily avoid AT Person status by trading through multiple

    entities.

    ---------------------------------------------------------------------------

    \389\ FIA, Comment in Response to Concept Release (Dec. 11,

    2013).

    ---------------------------------------------------------------------------

    [[Page 85372]]

    The clarifying changes to Supplemental proposed Sec. 170.18 should

    not materially affect the benefits associated with the RFA membership

    requirement for AT Persons. Supplemental proposed Sec. 1.3(xxxx)(2),

    which permits an entity to voluntarily become an AT Person, provides an

    entity that does not otherwise meet the definition of AT Person with

    the flexibility to become an AT Person so that it can realize the

    benefits of implementing its own risk controls, rather than accepting

    an FCM's risk controls.

    d. Consideration of Alternatives

    The Commission considered not adopting a registration requirement

    for AT Persons in response to comments. This would have made the

    definition of DEA and the volumetric threshold unnecessary. However,

    the Commission continues to believe that there are certain larger

    market participants whose automated trading represents an elevated risk

    to market integrity and who, for the protection of market participants

    and the public, should therefore be subject to enhanced oversight

    relative to other market participants. The Commission also considered

    not using a volume threshold or other quantitative threshold (as

    suggested by some commenters) and instead responding to commenter

    concerns that the NPRM would capture substantially more than 420 AT

    Persons by revising the definition of DEA so that the term captures a

    narrower scope of trading activity. The Commission was unable to

    identify a definition of DEA that would reduce the number of AT Persons

    and provide a low-cost way for entities to determine whether they are

    AT Persons as defined under Regulation AT. The Commission thus

    determined to propose a quantitative threshold (i.e., the volume

    threshold test), while at the same time defining DEA broadly.

    The Commission considered other quantitative metrics including

    tests proposed by ESMA for identifying high-frequency traders in

    European markets, i.e., average resting order times and daily number of

    messages sent by a trading entity. However, the new AT Person category

    is intended to ensure that risk management, testing and monitoring

    standards are sufficiently high for the class of market participants

    who are largest, regardless of strategy or firm type. The Commission

    believes that volume is a key element of market processes such as price

    discovery and risk transfer, is simpler than other potential metrics,

    and can be calculated at lower cost than metrics such as average order

    resting times and message frequency.

    The Commission also considered volume thresholds at other levels

    higher and lower than 20,000 contracts. However, the Commission has

    preliminarily determined that 20,000 contracts will result in the

    registration of those firms for whom Regulation AT proposed rules

    applicable to AT Persons are needed most and will provide the greatest

    benefit.

    e. Commission Questions

    39. Beyond specific questions concerning specific Supplemental

    proposed rules interspersed throughout its discussion, the Commission

    generally requests comment on all aspects of its consideration of costs

    and benefits of this Supplemental NPRM, including: (a) Identification,

    quantification, and assessment of any costs and benefits not discussed

    therein; (b) whether any of the proposed regulations may cause FCMs or

    DCMs to raise their fees for their customers, or otherwise result in

    increased costs for market participants and, if so, to what extent; (c)

    whether any category of Commission registrants will be

    disproportionately impacted by the proposed regulations, and if so

    whether the burden of any regulations should be appropriately shifted

    to other Commission registrants; (d) what costs, if any, would likely

    arise from market participants engaging in regulatory arbitrage by

    restructuring their trading activities to trade on platforms not

    subject to the proposed regulations, or taking other steps to avoid

    costs associated with the proposed regulations; (e) quantitative

    estimates of the impact on transaction costs and liquidity of the

    proposals contained herein; (f) the potential costs and benefits of the

    alternatives that the Commission discussed in this release, and any

    other alternatives appropriate under the CEA that commenters believe

    would provide superior benefits relative to costs; (g) data and any

    other information to assist or otherwise inform the Commission's

    ability to quantify or qualitatively describe the benefits and costs of

    the proposed rules; and (h) substantiating data, statistics, and any

    other information to support positions posited by commenters with

    respect to the Commission's consideration of costs and benefits.

    40. As noted above, some commenters opined that the NPRM would

    capture substantially more than 420 AT Persons. Is there a definition

    of DEA that should be adopted that would appropriately limit the scope

    of the definition of AT Person, without use of a quantitative

    threshold? Further, is there a definition of DEA that would serve as a

    low-cost method of enabling entities to determine if they are AT

    Persons?

    41. Are there quantitative thresholds other than volume that would

    provide a superior cost-benefit profile to the Commission's proposal?

    42. Would a volume threshold at levels higher or lower than 20,000

    contracts provide a superior cost-benefit profile to the Commission's

    proposal?

    43. Should volume threshold calculations exclude or weigh

    differently spread trades or any other types of trades, and if so,

    should the volume threshold level be adjusted? What are the costs and

    benefits of excluding or weighing differently certain types of trades?

    8. Source Code Retention and Inspection Requirements

    a. Summary of New Proposal

    Under the NPRM proposal, each AT Person was required to maintain a

    ``source code repository'' to manage source code access, persistence,

    copies of all code used in the production environment, and changes to

    such code. Such source code repository was required to include an audit

    trail of material changes to source code that would allow AT Persons to

    determine, for each such material change: Who made it; when they made

    it; and the coding purpose of the change. The NPRM also required that

    AT Persons maintain source code in accordance with Sec. 1.31 and make

    source code available for inspection by Commission staff and the

    Department of Justice pursuant to Sec. 1.31.

    Under Supplemental proposed Sec. 1.84, AT Persons are required to

    retain (to the extent that they are generated by an AT Person) three

    categories of records for a period of five years: (1) Algorithmic

    Trading Source Code; (2) records that track changes to Algorithmic

    Trading Source Code; and (3) log files that record the activity of the

    AT Person's Algorithmic Trading system. Instead of making Algorithmic

    Trading Source Code available for inspection by Commission staff and

    the Department of Justice pursuant to Sec. 1.31, under Supplemental

    proposed Sec. 1.84, action by the Commission itself would be required,

    either in the form of a special call for these records or pursuant to a

    subpoena. The Commission may authorize the Director of the Division of

    Market Oversight to execute the special call, and to specify the form

    and manner in which the required records must be produced. This

    procedure is similar to the procedure for the Commission to

    [[Page 85373]]

    grant subpoena power to staff. The Commission will retain the authority

    to grant subpoena power with respect to Algorithmic Trading Source

    Code, change logs, and log files.

    b. Costs

    The Commission estimates that a typical AT Person without the

    hardware and software in place to maintain the records required by

    Supplemental proposed Sec. 1.84(a) would incur a cost of $41,840 to

    purchase and set up the required hardware and software, migrate

    existing Algorithmic Trading Source Code and logs into the software,

    draft appropriate recordkeeping policies and procedures and make

    technology improvements to recordkeeping infrastructure. This cost is

    broken down as follows: Hardware costing $12,000,\390\ software costing

    $2,000,\391\ 1 Project Manager for the Algorithmic Trading Source Code

    and log migration effort, working for 60 hours (60 x $70 = $4,200); 1

    Developer for the Algorithmic Trading Source Code and log migration

    effort, working for 60 hours (60 x $75 = $4,500), 1 Project Manager to

    develop the related policies and procedures, working for 120 hours (120

    x $70 = $8,400), 1 Business Analyst to develop the related policies and

    procedures, working for 120 hours (120 x $52 = $6,240), and 1 Developer

    to develop the related policies and procedures, working for 60 hours

    (60 x $75 = $4,500). The 120 AT Persons therefore would incur a total

    initial cost of $5,020,800 (120 x $41,840).

    ---------------------------------------------------------------------------

    \390\ The Commission estimates that the hardware could cost from

    $1,000 to $25,000 depending on factors including which hardware

    vendor an AT Person chooses, the amount of business the AT Person

    does with the hardware vendor and the pricing the hardware vendor

    provides the AT Person as a result.

    \391\ The Commission estimates that the software could cost from

    $0 to $5,000 depending on factors including which hardware vendor an

    AT Person chooses, the amount of business the AT Person does with

    the hardware vendor and the pricing the hardware vendor provides the

    AT Person as a result.

    ---------------------------------------------------------------------------

    The Commission estimates that, on an initial basis, an AT Person

    with the hardware and software in place to maintain the records

    required by Supplemental proposed Sec. 1.84(a) would incur a cost of

    $12,160 to purchase and set up the required hardware and software,

    migrate existing Algorithmic Trading Source Code and logs into the

    software, draft appropriate recordkeeping policies and procedures and

    make technology improvements to recordkeeping infrastructure. This cost

    is broken down as follows: Hardware costing $4,000, 1 Project Manager

    to develop the related policies and procedures, working for 30 hours

    (30 x $70 = $2,100), 1 Business Analyst to develop the related policies

    and procedures, working for 30 hours (30 x $52 = $1,560), and 1

    Developer to develop the related policies and procedures, working for

    60 hours (60 x $75 = $4,500). The 120 AT Persons therefore would incur

    a total initial cost of $1,459,200 (120 x $12,160).

    The Commission also has estimated the cost of complying with

    Supplemental proposed Sec. 1.84(b), which require AT Persons to

    produce records of Algorithmic Trading in response to a special call.

    The Commission estimates that, on an annual basis, an AT Person will

    incur a cost of $51,840 to draft and update recordkeeping policies and

    procedures and make technology improvements to recordkeeping

    infrastructure. This cost is broken down as follows: 1 Project Manager,

    working for 36 hours per month x 12 months = 432 hours per year (432 x

    $70 = $30,240); and 1 Developer, working for 24 hours per month x 12

    months = 288 hours per year (288 x $75 = $21,600). The 120 AT Persons

    would therefore incur a total initial cost of $2,894,400 (120 x

    $51,840).

    The Commission does not estimate a specific number of special calls

    per year that AT Persons will receive. Rather, such special calls would

    occur on an intermittent basis and the Commission estimates the cost

    for one response. The Commission estimates that, on an intermittent

    basis, an AT Person will incur a cost of $5,844 to ensure compliance

    with those aspects of Supplemental proposed Sec. 1.84(b) requiring AT

    Persons to produce records of Algorithmic Trading in response to a

    special call. This cost is broken down as follows: 1 Project Manager,

    working for 12 hours (12 x $70 = $840); 1 Developer, working for 36

    hours (36 x $75 = $2,700); and 1 Compliance Attorney, working for 24

    hours (24 x $96 = $2,304). The 120 AT Persons would therefore incur a

    total annual cost of $701,280 (120 x $5,844).

    The Commission expects that AT Persons already retain Algorithmic

    Trading Source Code and log files and to some extent are incurring such

    costs under current practice. The Commission believes that with the

    numerous protections to Algorithmic Trading Source Code confidentiality

    provided in Supplemental proposed Sec. 1.84, including removal of the

    applicability of Sec. 1.31, the various costs attributed to the NPRM

    source code rule by commenters generally do not apply to Supplemental

    proposed Sec. 1.84.

    For more detail on the estimated costs of Sec. 1.84, see Sections

    IX(B)(2)(d) and (e) below.

    c. Benefits

    As noted, Supplemental proposed Sec. 1.84 is first and foremost a

    recordkeeping rule. Requiring AT Persons to retain Algorithmic Trading

    Source Code and log files will ensure that the Commission is able to

    access this information (through a special call or subpoena) on the,

    presumably infrequent, occasions when it is needed to investigate or

    inquire into an Algorithmic Trading Compliance Issue or disruption.

    Supplemental proposed Sec. 1.84(b), which would require the Commission

    to issue a special call in order to enable Commission staff to review

    Algorithmic Trading Source Code and log files as part of its market

    oversight responsibilities. The Commission could also access source

    code by issuing subpoenas that are typically used in enforcement

    investigations. For example, the Commission might issue a special call

    to inquire into a market disruption without launching a formal

    enforcement investigation or implying that the disruption was caused by

    a violation of the CEA or Commission regulations. Further, Commission

    access to Algorithmic Trading Source Code and log files should not

    compromise their integrity as trade secrets or other confidential

    information; the confidentiality provisions of Supplemental proposed

    Sec. 1.84(b)(3) are designed to preserve their confidential status.

    The Commission notes that Supplemental proposed Sec. 1.84(b)(3) is in

    addition to existing confidentiality protections provided in section

    8(a) of the Act.

    d. Consideration of Alternatives

    The Commission considered the alternative of maintaining the NPRM

    proposal that Algorithmic Trading Source Code would be subject to the

    inspection and production provisions of Sec. 1.31, but the Commission

    acknowledges the concerns of commenters regarding Algorithmic Trading

    Source Code confidentiality and trade secret preservation and

    determined to provide Algorithmic Trading Source Code and log files

    with the greater protection provided by Supplemental proposed Sec.

    1.84 as compared to Sec. 1.31.

    The Commission also considered not promulgating an Algorithmic

    Trading Source Code rule, but determined that it is essential for the

    protection of market participants and the public to ensure that

    Algorithmic Trading Source Code

    [[Page 85374]]

    and log file records be retained and, when necessary, made available to

    the Commission.

    e. Commission Questions

    44. The Commission requests comment on the costs and benefits of

    Supplemental proposed Sec. 1.84 including the accuracy of its cost

    estimates.

    45. To what extent do AT Persons currently retain Algorithmic

    Trading Source Code and log files and for what period of time?

    46. To what extent do the protections to Algorithmic Trading Source

    Code confidentiality in Supplemental proposed Sec. 1.84 address the

    concerns of commenters regarding the NPRM proposed Sec. 1.81(a)(1)(vi)

    Algorithmic Trading Source Code rule, particularly with respect to

    costs and benefits?

    9. Testing, Monitoring and Recordkeeping Requirements in the Context of

    Third-Party Providers

    a. Summary of New Proposal

    NPRM proposed Sec. 1.81(a) required AT Persons to implement

    written policies and procedures for the development and testing of

    ATSs. Among other things, such policies and procedures must at a

    minimum include documenting the strategy and design of proprietary

    Algorithmic Trading software, as well as any changes to software that

    are implemented in a production environment, pursuant to NPRM proposed

    Sec. 1.81(a)(v). Under NPRM proposed Sec. 1.81(a)(vi), a source code

    repository was required to be maintained, as discussed above.

    Supplemental proposed Sec. 1.85 allows AT Persons who are unable

    to comply with a particular development and testing requirement \392\

    or a particular maintenance or production requirement related to

    Algorithmic Trading strategy (including Algorithmic Trading Source Code

    and log files),\393\ due solely to their use of third-party system

    components, to obtain a certification that the third party is complying

    with the obligation. AT Persons would need to obtain a new

    certification whenever there is a material change to the third-party

    system or system components. The proposed rule also would require AT

    Persons to conduct due diligence regarding the accuracy of the

    certification. In addition, in all cases, under the Supplemental NPRM,

    an AT Person is responsible for ensuring that records are retained and

    produced as required pursuant to Supplemental proposed Sec. 1.84 from

    third-party providers.

    ---------------------------------------------------------------------------

    \392\ See NPRM proposed Sec. Sec. 1.81(a)(1)(i),

    1.81(a)(1)(iii), and 1.81(a)(1)(iv), and Supplemental NPRM proposed

    Sec. 1.81(a)(1)(ii).

    \393\ See Supplemental proposed Sec. 1.84.

    ---------------------------------------------------------------------------

    b. Costs

    Costs to AT Persons: As discussed in further detail in the PRA

    section, the Commission estimates that each AT Person will incur a one-

    time cost of $4,884 to establish the process for initially obtaining

    the third-party certifications permitted by Supplemental proposed Sec.

    1.85, conduct the related due diligence and obtain the initial

    certifications. This cost is broken down as follows: 1 Project Manager,

    working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney,

    working for 24 hours (24 x $96 = $2,304); and 1 Developer working for

    12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely

    on Sec. 1.85 would therefore incur a total one-time cost of $586,080

    (120 x $4,884).

    The Commission expects that the approximately 120 AT Persons, on

    average, will need to review approximately one certification each,

    assuming that some AT Persons use more than one third-party system or

    system component, while others use only their own systems. For purposes

    of this cost analysis, the Commission estimates that an AT Person will

    need to acquire a new certification approximately once per year due to

    a material change in the third-party system or component. The

    Commission estimates that, on an annual basis, an AT Person will incur

    a cost of $2,892 to obtain the third-party certifications permitted by

    Supplemental proposed Sec. 1.85 and conduct the related due

    diligence.\394\ This cost is broken down as follows: 1 Project Manager,

    working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working

    for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours

    (12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.

    1.85 would therefore incur a total annual cost of $347,040 (120 x

    $2,892).

    ---------------------------------------------------------------------------

    \394\ The Supplemental NPRM does not set forth the means by

    which due diligence must be conducted. The Commission expects that

    due diligence may take a variety of forms, including but not limited

    to, email exchanges, teleconferences, reviews of files, and in-

    person meetings.

    ---------------------------------------------------------------------------

    The provision making an AT Person responsible for ensuring that

    records are retained and produced as required pursuant to Supplemental

    proposed Sec. 1.84, should not impose direct costs on AT Persons

    unless there is an instance the third party is found to have failed to

    retain and produce records. The costs, in such an event, would depend

    on the nature and extent of the violation, and it is not reasonably

    feasible for the Commission to quantify such costs at this time.

    The Commission also anticipates that an AT Person will incur a one-

    time cost of $2,304 to re-write its contracts with third parties, so

    that the AT Persons can comply with the recordkeeping and production

    provisions of Supplemental proposed Sec. 1.84. This cost is broken

    down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96

    per hour = $2,304).

    AT Persons may incur additional costs as a result of Supplemental

    proposed Sec. 1.85, depending on the response of third-party providers

    to implementation of the rule. It is possible that third-party

    providers may pass on the costs that they incur as a result of

    Supplemental proposed Sec. 1.85 to their AT Person customers (or all

    of their customers) in the form of higher prices or an AT Person

    surcharge.

    Costs to Third-Party Providers: The Commission expects that all

    third-party providers combined will need to provide approximately 120

    certifications to the 120 AT Persons, assuming that some AT Persons use

    more than one third-party system or system component, while others use

    only their own systems. For purposes of this cost-benefit analysis, the

    Commission estimates that a third-party provider will need to provide a

    new certification to its AT Person customers approximately once per

    year due to a material change in the third-party system or component.

    The Commission also expects third-party providers to cooperate with AT

    Person due diligence for each certification provided, for a total of

    120 due diligence occurrences.

    The Commission estimates that each third-party provider will incur

    a one-time cost of $4,884 to establish the process for initially

    providing the third-party certifications permitted by Supplemental

    proposed Sec. 1.85 and cooperating with AT Persons conducting the

    related due diligence. The Commission estimates that there will be a

    total of 50 third-party service providers to AT Persons for their ATSs

    or components, and seeks comment on this estimate. The one-time $4,884

    cost for each third-party provider is broken down as follows: 1 Project

    Manager, working for 24 hours (24 x $70 = $1,680); 1 Compliance

    Attorney, working for 24 hours (24 x $96 = $2,304); and 1 Developer

    working for 12 hours (12 x $75 = $900). The estimated 50 third parties

    that provide certifications pursuant to Supplemental proposed Sec.

    1.85 would therefore incur a total annual cost of $244,200 (50 x

    $4,884).

    [[Page 85375]]

    The Commission estimates that, on an annual basis, an average third

    party will incur a cost of $2,892 to provide AT Persons the third-party

    certifications permitted by Supplemental proposed Sec. 1.85 and

    cooperate with AT Persons conducting the related due diligence. This

    cost is broken down as follows: 1 Project Manager, working for 12 hours

    (12 x $70 = $840); 1 Compliance Attorney, working for 12 hours (12 x

    $96 = $1,152); and 1 Developer working for 12 hours (12 x $75 = $900).

    The estimated 50 third parties that will rely on Sec. 1.85 would

    therefore incur a total annual cost of $146,600 (50 x $2,892).

    In addition to the costs of providing certifications, the

    Commission anticipates that third-party providers will incur additional

    costs relating to Supplemental proposed Sec. 1.85(a), which

    contemplates that third parties will provide to AT Persons systems or

    components that comply with NPRM proposed Sec. Sec. 1.81(a)(1)(i),

    1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed

    Sec. Sec. 1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an

    annual basis, a third party will incur costs to comply with the

    proposed rules listed above that are comparable to the costs that an AT

    Person would incur to comply with such rules. The estimated costs for

    an AT Person to comply with Supplemental proposed Sec. 1.84 are

    discussed in Section IX(A)(8) above. The estimated costs for an AT

    Person to comply with proposed Sec. 1.81(a) were discussed in detail

    in the NPRM.\395\

    ---------------------------------------------------------------------------

    \395\ See NPRM at 78900. In the NPRM, the Commission estimated

    that an AT Person that has not implemented any of the requirements

    of proposed Sec. 1.81(a) (development and testing of ATSs) would

    incur a total cost of $349,865 to implement those requirements. This

    cost was broken down as follows: 1 Project Manager, working for

    1,707 hours (1,707 x $70 = $119,490); 2 Business Analysts, working

    for a combined 853 hours (853 x $52 = $44,356); 3 Testers, working

    for a combined 2,347 hours (2,347 x $52 = $122,044); and 2

    Developers, working for a combined 853 hours (853 x $75 = $63,975).

    The Commission notes that this calculation would apply only to third

    parties that have not implemented any of the requirements of

    proposed Sec. 1.81(a). However, the Commission anticipates that

    many third-party providers--e.g., software development firms--

    already develop and test systems or components in the ordinary

    course of their business. Indeed, the Commission anticipates that

    third-party providers would generally be as sophisticated, if not

    more sophisticated, than AT Persons with respect to the development

    and testing of ATSs. Therefore, the Commission believes that the

    cost of compliance for third parties would be lower than the

    estimate calculated above. In addition, the Commission anticipates

    that compliance costs under Supplemental proposed Sec.

    1.81(a)(1)(ii) will be lower than the costs estimated in the NPRM,

    since the Commission is proposing to eliminate the requirement under

    NPRM proposed Sec. 1.81(a)(1)(ii) that AT Persons must test all

    Algorithmic Trading code and related systems on each DCM on which

    Algorithmic Trading will occur (while retaining a more general

    requirement that AT Persons must test all ATSs).

    ---------------------------------------------------------------------------

    The Commission also anticipates that a third-party will incur a

    one-time cost of $2,304 to re-write its contracts with AT Persons, so

    that the AT Persons can comply with the recordkeeping and production

    provisions of Supplemental proposed Sec. 1.84. This cost is broken

    down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96

    per hour = $2,304).

    These cost estimates represent an average across all of the

    estimated 50 firms offering ATS systems or components of systems for

    use on DCMs. However, the costs to particular firms will vary depending

    on how many products they offer and how many AT Person customers they

    do business with. For example, the Commission understands that a small

    number of firms have a predominant share in the market for third-party

    provided ATS. Accordingly, the largest providers may have several dozen

    AT Person customers (as well as a much larger number of non-AT Person

    customers) while other firms among these 50 currently may have no or

    few AT Person customers.

    The Commission anticipates that much of the cost of providing

    certifications will result from the initial costs of researching the

    requirements for certifications and creating the first certification.

    The Commission expects that a third-party provider can create a single

    certification for a particular ATS product or component and provide the

    same certification to all AT Person customers using that product.

    Certifications for other software products offered by a third-party

    vendor are likely to be similar to the certification for the initial

    product. Thus, the cost of creating a certification for an additional

    software product is likely to be substantially lower than the cost of

    creating the initial certification. For the same reason, the cost of

    modifying a certification to reflect material changes to a product is

    also likely to be much lower than the cost of creating the initial

    certification. Accordingly, the Commission expects that there will be

    economies of scale associated with providing certifications to AT

    Persons, and costs for firms with many AT Person customers may not be

    substantially greater than such costs for firms with only one AT Person

    customer.

    However, a firm with many AT Person customers is likely to incur

    much higher costs associated with cooperating with AT Person due

    diligence than a firm with only one or a few AT Person customers. This

    is because a third-party provider will have to cooperate with due

    diligence separately for each AT Person customer. If a firm has several

    dozen AT Person customers, it may be necessary for the project manager,

    compliance attorney, and developer noted above to devote an extended

    period of time to cooperating with AT Person due diligence, especially

    following issuance of the initial certification. On subsequent

    occasions when the software changes materially, the provider will again

    have to cooperate with AT Person due diligence, but this is likely to

    be less costly (albeit still significant) than cooperating with the

    initial due diligence. As noted, AT Persons would likely perform some

    due diligence even absent the proposed rule. However, they might

    perceive less need to perform extensive due diligence on firms with

    many AT Person customers and strong reputations than on firms new to

    the market or with few AT Person customers. Moreover, AT Persons may

    tend to perform less due diligence over time, if there are no problems

    and they come to trust their providers. Thus, Supplemental proposed

    Sec. 1.85 may result in more extensive due diligence being performed

    on established firms with many AT Person customers than would occur

    absent the Supplemental proposed rule.

    It is highly likely, especially given the small number of third

    party providers, that these third-party providers will pass on these

    costs to their AT Person customers or to all of their customers. It is

    also possible that third-party providers will elect to avoid these

    costs by no longer providing their systems to AT Persons, especially if

    (as is likely given the small number of AT Persons) AT Persons

    represent a relatively small percentage of their customers.

    For more detail on the estimated costs of Sec. 1.85, see Section

    IX(B)(2)(f).

    c. Benefits

    The certification requirements of Supplemental proposed Sec. 1.85

    will improve the safety of ATSs by ensuring that ATSs and components

    provided by third parties to AT Persons are compliant with the

    development and testing requirements of Regulation AT even when the AT

    Persons themselves otherwise are unable to comply with those

    requirements. The due diligence requirements will further ensure that

    third-party systems are compliant with Regulation AT. Moreover, the

    recordkeeping and production requirements of Sec. 1.85(d) (by

    reference to Sec. 1.84(a) and (b)) will ensure the

    [[Page 85376]]

    Commission is able to access the Algorithmic Trading Source Code and

    log files of third parties via special call to an AT Person or via

    subpoena in the event they are needed to investigate or inquire into a

    disruption. Finally, placing ultimate responsibility for compliance

    with the recordkeeping and production requirements of Supplemental

    proposed Sec. 1.84 with the AT Person will further ensure that the

    benefits of these requirements are fully realized.

    d. Consideration of Alternatives

    The Commission considered not requiring AT Persons to conduct due

    diligence of third-party certifications in order to reduce costs, but

    determined that requiring due diligence is essential to market

    integrity and protection of market participants and the public. The

    Commission preliminarily believes that certification alone is not

    sufficient to ensure that third-party systems and components are

    compliant with Regulation AT.

    The Commission also considered making an AT Person ultimately

    responsible for ensuring that third-party systems are compliant with

    the development and testing requirements of Supplemental proposed Sec.

    1.81, but was concerned that this might deter AT Persons from utilizing

    third-party systems for which they are ultimately responsible but lack

    control. Moreover, the Commission preliminarily believes that

    certification and due diligence are sufficient to ensure that the

    benefits of Supplemental proposed Sec. 1.81 are realized with regard

    to third-party systems.

    e. Commission Questions

    47. The Commission requests comment on its cost-benefit

    considerations related to Supplemental proposed Sec. 1.85, including

    the accuracy of its cost estimates.

    48. The Commission requests comment on the costs of Sec. 1.85 to

    third-party providers with few AT Person customers as compared to the

    costs to third-party providers with many AT Person customers.

    49. To what extent does requiring due diligence of third-party

    certifications provide additional benefits beyond those of

    certification requirement itself?

    50. To what extent would AT Persons perform due diligence of third-

    party certifications absent the proposed rule requiring such due

    diligence?

    51. Would placing ultimate responsibility for third-party

    compliance with Supplemental proposed Sec. 1.81 with the AT Person

    provide benefits beyond those of certification and due diligence?

    52. For purposes of this cost analysis, the Commission estimated

    that an AT Person will need to acquire a new certification

    approximately once per year due to a material change in the third-party

    system or component. Please comment on whether the estimate of a

    material change occurring approximately once per year is an appropriate

    assumption.

    53. The Commission requests any additional quantitative information

    that commenters can provide regarding the costs and benefits of Sec.

    1.85.

    54. How many third parties are actively providing Algorithmic

    Trading software in the futures and option markets on DCMs?

    55. To what extent will third-party providers pass on the costs

    that they incur as a result of Sec. 1.85 to their AT Person customers

    or to all of their customers?

    10. Changes to Overall Risk Control Framework

    a. Summary of New Proposal

    NPRM proposed Sec. Sec. 1.80, 1.82, 38.255 and 40.20 imposed risk

    control and similar requirements, such as order cancellation systems,

    at three levels: the AT Person, FCM and DCM. The NPRM also contained

    definitions for various terms, including ``Algorithmic Trading'' and

    ``AT Order Message.'' Under the NPRM, risk controls applied to AT Order

    Messages, but not to order messages entered onto an exchange's matching

    engine manually.

    In the Supplemental NPRM, the Commission proposes a risk control

    framework with controls at two, rather than three, levels: (i) AT

    Person or FCM; and (ii) DCM. With respect to algorithmic orders

    originating with AT Persons (AT Order Messages), the proposed rules

    require all AT Persons to implement the risk controls and other

    measures required pursuant to Sec. 1.80 (although AT Persons may

    delegate compliance with Sec. 1.80(a) to FCMs). The Supplemental NPRM

    also adds new Sec. 1.80(g), which requires AT Persons to apply the

    risk control mechanisms described in Sec. 1.80(a), (b) and (c) on its

    Electronic Trading Order Messages that do not arise from Algorithmic

    Trading, after making any adjustments in the risk control mechanisms to

    accommodate the application of such mechanisms to Electronic Trading

    Order Messages. FCMs are not required to implement risk controls on AT

    Order Messages that are subject to AT Person-administered controls.

    Those AT Order Messages originating from AT Persons will be subject to

    a second level of risk controls at the DCM level pursuant to proposed

    Sec. 40.20.

    AT Order Messages originating with a non-AT Person are subject to

    risk controls implemented by executing FCMs pursuant to proposed Sec.

    1.82. Those orders will be subject to the second level of risk controls

    at the DCM level pursuant to proposed Sec. 40.20.

    The Commission is proposing two additional definitions in the

    Supplemental NPRM for the terms Electronic Trading and Electronic

    Trading Order Message, since many of the risk controls will also apply

    to manually-entered electronic trades. Pursuant to these definitions,

    Electronic Trading Order Messages are subject to risk controls

    implemented by executing FCMs pursuant to proposed Sec. 1.82 or by AT

    Persons pursuant to supplemental proposed Sec. 1.80(g). Those orders

    will be subject to the second level of risk controls at the DCM level

    pursuant to proposed Sec. 40.20. The Supplemental NPRM eliminates NPRM

    proposed Sec. 1.80(d) which required notification by AT Persons to

    applicable DCMs and clearing member FCMs that they will engage in

    Algorithmic Trading.

    Finally, Supplemental proposed Sec. 38.255(c) requires a DCM that

    permits DEA to require that an FCM use DCM-provided risk controls, or

    substantially equivalent controls developed by the FCM itself or a

    third party. Prior to an FCM's use of its own or a third party's

    systems and controls, the FCM must certify to the DCM that such systems

    and controls are substantially equivalent to the systems and controls

    that the DCM makes available pursuant to Supplemental proposed Sec.

    38.255(b).

    b. Costs

    Requiring risk controls at two levels rather than three will reduce

    the costs to FCMs and AT Persons associated with these risk controls

    (relative to those in the NPRM) by requiring either the AT Person or

    the FCM to implement risk controls, but not both. As discussed in the

    NPRM, the Commission estimated those costs as: each AT Person--$79,680;

    and each clearing member FCM--$49,800 (as to DEA orders) and $159,360

    (as to non-DEA orders).\396\ FCMs generally will be required to

    implement risk controls only for non-AT Person accounts. AT Persons

    will be permitted to delegate their risk control responsibilities to

    FCMs under Supplemental proposed Sec. Sec. 1.80(d) and 1.80(g)(2) and

    the Commission expects

    [[Page 85377]]

    that AT Persons may do so if it reduces their costs.\397\

    ---------------------------------------------------------------------------

    \396\ See NPRM at 78898 and 78903.

    \397\ FCMs would be permitted to charge AT Person customers to

    implement risk controls on their behalf.

    ---------------------------------------------------------------------------

    Imposing risk controls on all electronic order messages will cause

    a modest increase in costs on AT Persons and DCMs, but the Commission

    expects this increase in costs to be minimal since the marginal cost of

    imposing existing risk controls on additional orders is low once the

    risk controls have been created and are up and running and AT Persons

    can make appropriate adjustments to the risk controls set out in

    Sec. Sec. 1.80(a), (b), and (c) since some of these controls need not

    be applied to manual orders. Similarly, imposing FCM-level risk

    controls on all Electronic Trading Order Messages not originating with

    an AT Person will only increase costs modestly. Moreover, the

    Commission estimates that at least 95% of all order messages on DCM

    matching engines are generated by ATSs, so that relatively few order

    messages are affected by this Supplemental proposed rule. This estimate

    was based on order activity for one week in 2016, as reported in the

    audit trail for all futures products on the CME Globex platform.

    The withdrawal of the notification requirement of NPRM proposed

    Sec. 1.80(d) eliminates the costs associated with that NPRM proposal.

    The Commission expects that the written notifications pursuant to

    Supplemental proposed Sec. 38.255(c) from an FCM to a DCM that the

    FCM's risk controls are substantially equivalent to the risk controls

    available from the DCM will, as discussed in the PRA section below,

    cost approximately $235 per certification. The Commission is unable to

    estimate the exact number of FCMs that will choose to use its own or a

    third party's systems and controls. Assuming that all 70 executing FCMs

    were to do so for four DCMs each, the Commission estimates that the 70

    executing FCMs would incur a total one-time cost of $65,800 (70 x $235

    x 4).\398\

    ---------------------------------------------------------------------------

    \398\ DCMs will incur some costs with respect to preparing an

    exchange rule requiring FCMs to provide Sec. 38.255(c)

    certifications. Exchange rule-writing costs were generally covered

    in the cost-benefit considerations for the Part 40 final rule (76 FR

    44776, July 27, 2011).

    ---------------------------------------------------------------------------

    c. Benefits

    The Commission preliminarily believes that the benefits of risk

    controls will not be materially impacted by reducing the number of

    levels at which risk controls are imposed to two from three. As

    described in the NPRM, these benefits include, among other things,

    mitigating credit, market, and operational risks by ensuring that each

    order accurately reflects the intentions of market participants.\399\

    ---------------------------------------------------------------------------

    \399\ NPRM at 78899-78900.

    ---------------------------------------------------------------------------

    Requiring risk controls for all Electronic Trading Order Messages

    will, as discussed by commenters, ensure that the benefits of the risk

    controls are realized for all manually entered Electronic Trading Order

    Messages as well as AT Order Messages.

    d. Consideration of Alternatives

    In determining the appropriate risk control framework for AT

    Persons, FCMs and DCMs, the Commission considered a few alternatives.

    First, the Commission considered whether it should require AT Persons

    to implement their own controls to comply with Supplemental proposed

    Sec. 1.80(a), rather than allow AT Persons the choice to delegate

    their risk control duties to FCMs. However, in order to further

    mitigate costs, the Commission chose to allow this flexibility when it

    is technologically feasible for the FCM to implement such controls with

    the same level of effectiveness reasonably designed to prevent and

    reduce the risk of an Algorithmic Trading Event.

    The Commission also considered the alternative of not requiring AT

    Persons to apply risk controls to all Electronic Trading Order

    Messages, but rather applying such controls only to AT Order Messages

    as a way of reducing costs, but determined that two levels of risk

    controls should be applied to all Electronic Trading Order Messages,

    including those originating with an AT Person.

    e. Commission Questions

    56. The Commission requests comment on its cost-benefit

    considerations related to the revisions to Sec. Sec. 1.80, 1.82,

    38.255 and 40.20, including the accuracy of the Commission's cost

    estimates or assumptions concerning decreased cost.

    57. Does requiring risk controls at two levels rather than three

    materially alter the costs or benefits of the risk control framework?

    58. Does imposing risk controls on all Electronic Trading Order

    Messages materially increase costs? Please quantify any increase in

    costs if possible. What are the benefits of imposing risk controls on

    all Electronic Trading Order Messages, rather than just AT Order

    Messages?

    59. Does permitting AT Persons to delegate risk controls to an FCM

    reduce costs or materially alter the benefits of the risk controls?

    60. Should the Commission require AT Persons to apply risk controls

    to their manual Electronic Trading Order Messages? Would a single, DCM-

    level control applicable to such orders provide sufficient protection

    for markets and market participants?

    11. Reporting, Testing and Recordkeeping Requirements

    a. Summary of New Proposal

    NPRM proposed Sec. Sec. 1.83 and 40.22 required that AT Persons

    and clearing member FCMs provide the DCMs on which they operate with

    annual reports providing information on their compliance with

    Sec. Sec. 1.80(a) and 1.82(a)(1), and that DCMs establish a program

    for effective review and evaluation of the reports. NPRM proposed

    Sec. Sec. 1.83 and 40.22 also provided recordkeeping requirements

    regarding Sec. Sec. 1.80, 1.81 and 1.82 compliance. Further, NPRM

    proposed Sec. 1.81(a)(1)(ii) required AT Persons to test all

    Algorithmic Trading code and related systems both internally within the

    AT Person and on each DCM on which Algorithmic Trading will occur. NPRM

    proposed Sec. 40.21 had required DCMs to provide testing environments.

    In light of the concerns raised by commenters to proposed

    Sec. Sec. 1.83 and 40.22, the Commission has replaced the requirement

    that AT Persons and FCMs prepare compliance reports with a requirement

    that DCMs mandate that AT Persons and executing FCMs provide DCMs with

    an annual certification attesting that the AT Person or FCM complies

    with the requirements of Sec. Sec. 1.80, 1.81, and 1.82, as

    applicable, while maintaining the recordkeeping requirements. Also in

    lieu of requiring compliance reports, Supplemental proposed Sec.

    40.22(a) requires DCMs to periodically review AT Persons' and FCMs'

    programs for compliance with Sec. Sec. 1.80, 1.81 and 1.82.

    Additionally, the Commission is proposing to modify certain

    requirements regarding the development, monitoring, and compliance of

    ATSs under NPRM proposed Sec. 1.81. The Commission has withdrawn the

    requirement under NPRM proposed Sec. 1.81(a)(1)(ii) that AT Persons

    must test all Algorithmic Trading code and related systems on each DCM

    on which Algorithmic Trading will occur (while retaining a more general

    requirement in Supplemental proposed Sec. 1.81(a)(1)(ii) that AT

    Persons must test all ATSs, including Algorithmic Trading Source Code,

    any changes to such systems or code, prior to implementation, and such

    testing shall be reasonably designed to

    [[Page 85378]]

    effectively identify circumstances that may contribute to future

    Algorithmic Trading Events). The Commission has also withdrawn NPRM

    proposed Sec. 40.21, which had required DCMs to provide test

    environments that enable AT Persons to simulate production trading.

    b. Costs

    The Commission preliminarily believes that the costs associated

    with Supplemental proposed Sec. 40.22(a) (DCMs to periodically review

    AT Persons' and FCMs' programs for compliance with Sec. Sec. 1.80,

    1.81 and 1.82) are similar on a per-event basis to the costs associated

    with the NPRM requirements that DCMs review annual compliance reports

    from AT Persons and FCMs. However, the Commission expects that DCMs can

    appropriately perform these periodic reviews for most AT Persons and

    FCMs at a frequency less often than annually, generally reducing costs.

    The Commission notes that it may be necessary for DCMs to perform

    reviews more frequently for entities whose trading activities appear to

    impose greater potential risks to the marketplace. In the NPRM, the

    Commission estimated that the compliance reports would cost each

    clearing member FCM $7,090 annually and each AT Person $4,240

    annually.\400\ However, some commenters indicated that the Commission

    had underestimated such costs.

    ---------------------------------------------------------------------------

    \400\ See NPRM at 78904.

    ---------------------------------------------------------------------------

    The Commission estimated in the NPRM that it would cost each DCM

    approximately $244,080 per year to comply with NPRM proposed Sec.

    40.22, of which $133,200 is associated with review and remediation of

    compliance reports.\401\ CME believes the Commission's estimate for

    complying with Sec. 40.22's requirements that DCMs periodically review

    AT Person and clearing member FCM compliance reports and books and

    records, and identify and remediate any insufficient mechanisms,

    policies and procedures discovered, is too low. Instead, CME estimated

    the annual cost for each of its four DCMs \402\ to be closer to

    $525,000, assuming that across all four DCMs, approximately 650

    entities would come within the scope of the proposed compliance report

    requirements and each entity would be reviewed once every four years

    (across all four DCMs).\403\ CME estimated that it would take

    approximately one month for a full-time employee to complete each

    review.\404\ The Commission preliminarily adopts the CME cost estimate

    regarding the cost of each individual compliance review ($3,230), but

    at this time believes that it would be appropriate for a DCM to review

    AT Persons and FCMs on average every two years rather than every four

    years.\405\ As noted, the Commission expects the costs of Supplemental

    proposed Sec. 40.22(a) to be similar to the compliance review costs of

    NPRM Proposed Regulation 40.22. However, the Commission expects that

    the number of entities that would come within the scope of Supplemental

    proposed Sec. 40.22(a) would be approximately 180 (120 AT Persons and

    an additional 60 FCMs) \406\ and that the high-end cost to a large DCM

    (such as those operated by the CME) would thus be approximately

    $290,000 rather than $525,000. This cost is broken down as follows:

    $3,230 per review multiplied by 90 (180 AT Persons and FCMs half of

    which are reviewed each year for 90 reviews) is approximately $290,000.

    The costs would be lower for smaller DCMs with fewer AT Person market

    participants and fewer FCMs since they would need to conduct reviews

    for fewer entities.

    ---------------------------------------------------------------------------

    \401\ See NPRM at 78908. The remainder is associated with the

    costs of reviewing books and records (Sec. 40.22(e)) and self-

    trading requests (Sec. 40.22(c)). These provisions are not

    addressed in the Supplemental NPRM.

    \402\ CME Group is the parent company of the Chicago Mercantile

    Exchange, Chicago Board of Trade, New York Mercantile Exchange, and

    Commodity Exchange DCMs. Following the merger of the four exchanges,

    CME Group has a single Market Regulation Department which provides

    compliance, enforcement, and other self-regulatory services to all

    four of the CME Group DCMs. With respect to the four DCMs, CME

    Group's Market Regulation Department effectively functions as a

    single entity, sharing management, staff, information technology and

    other resources.

    \403\ CME 22.

    \404\ See id.

    \405\ As noted, more frequent reviews may be needed for firms

    that appear to present more risk.

    \406\ The Commission is using 60, as opposed to 70, FCMs for

    purposes of this calculation because every FCM does not operate on

    all DCMs. Accordingly, a single DCM would not necessarily have to

    review every FCM.

    ---------------------------------------------------------------------------

    FCMs and AT Persons will not incur costs associated with annual

    compliance reports since those reports will not be required under the

    Supplemental NPRM, but the Commission estimates that it will cost

    $2,480 for an FCM or an AT Person to cooperate with a DCM's periodic

    review. The Commission expects that on average, an FCM or AT Person

    will be subject to a periodic review every two years for each DCM on

    which it trades or once every year in total (with entities whose

    trading activities appear to impose greater potential risks to the

    marketplace needing more frequent reviews).

    Supplemental proposed Sec. 40.22(d) provides that DCMs must

    require by rule \407\ that AT Persons and executing FCMs provide DCMs

    with an annual certification attesting that the AT Person or FCM

    complies with the requirements of Sec. Sec. 1.80, 1.81, and 1.82, as

    applicable. Such annual certification shall be made by the chief

    compliance officer or chief executive officer of the AT Person or FCM

    and must state that, to the best of his or her knowledge and reasonable

    belief, the information contained in the certification is accurate and

    complete. The Commission estimates that each DCM's chief compliance

    officer will spend approximately one hour receiving and reviewing the

    certification from approximately 120 AT Persons and 60 executing FCMs,

    for a total of 180 hours and a cost of $28,620 per DCM. This cost is

    broken down as follows: 1 Chief Compliance Officer, working for 1 hour

    (1 x $159 per hour x 180 certifications = $28,620). The Commission

    notes that this cost is significantly lower than the $111,000 per-DCM

    cost estimated in the NPRM for review of compliance reports.\408\ As to

    AT Person and executing FCM costs, the Commission expects that the

    annual certification requirement will involve preparation and

    transmittal of a document that makes the required certification, and

    that most of the hours associated with this requirement would involve

    review and analysis by compliance personnel of the entity's compliance

    with Sec. Sec. 1.80, 1.81, and 1.82, as necessary to enable the CCO or

    CEO to sign the certification. The Commission expects that each AT

    Person or FCM will transmit the essentially same certifications to each

    DCM that it is trading or operating on, without the need to prepare a

    unique certification for each DCM. The Commission also expects that to

    the extent that an AT Person's or FCM's interaction with the various

    DCMs' electronic trading facilities are similar, the review and

    analysis of the entity's compliance with Sec. Sec. 1.80, 1.81, and

    1.82 will also be similar. Therefore, the Commission preliminarily

    believes that the marginal cost of submitting certifications to

    additional DCMs will be much less than the cost of submitting a

    certification to the first DCM.

    ---------------------------------------------------------------------------

    \407\ DCMs will incur some costs with respect to preparing an

    exchange rule requiring FCMs and AT Persons to provide Sec.

    40.22(d) certifications. Exchange rule-writing costs were generally

    covered in the cost-benefit considerations for the Part 40 final

    rule (76 FR 44776, July 27, 2011).

    \408\ See NPRM at 78907.

    ---------------------------------------------------------------------------

    The Commission estimates that, on an annual basis, an AT Person and

    an FCM will each incur a cost of $1,176 to submit the compliance

    certification to

    [[Page 85379]]

    four DCMs. This cost is broken down as follows: 1 Senior Compliance

    Specialist, working for 6 hours (6 x $57 = $342); and 1 Chief

    Compliance Officer, working for 6 hours (6 x $139 = $834), for each

    certification.\409\ The 120 AT Persons that will be subject to DCM

    rules implemented pursuant to Sec. 40.22(d) would therefore incur a

    total annual cost of $141,120 (120 x $1,176). Similarly, the 70

    executing FCMs that will be subject to DCM rules implemented pursuant

    to Sec. 40.22(d) would therefore incur a total annual cost of $82,320

    (70 x $1,176). The Commission notes that the $1,176 per-entity cost of

    submitting certifications is substantially lower than the $4,240 per-AT

    Person cost and the $7,090 per-FCM cost estimated in the NPRM for

    submission to DCMs of annual compliance reports.\410\ Finally,

    withdrawing the requirement under NPRM proposed Sec. 1.81(a)(1)(ii)

    that AT Persons must test Algorithmic Trading code and related systems

    on each DCM on which Algorithmic Trading will occur, and withdrawing

    NPRM proposed Sec. 40.21, which had required DCMs to provide test

    environments that enable AT Persons to simulate production trading,

    will eliminate the costs associated with those NPRM proposed rules.

    ---------------------------------------------------------------------------

    \409\ The six hours of work for each employee consists of five

    hours for the initial certification and one hour to prepare

    additional certifications for three other DCMs.

    \410\ See NPRM at 78904.

    ---------------------------------------------------------------------------

    c. Benefits

    The Commission expects that the benefits of proposed Sec. 40.22(a)

    will be similar to the benefits of the compliance report requirements

    of NPRM proposed Sec. Sec. 1.83(a) and (b) and 40.22(c). As stated in

    the NPRM, those benefits were to enable ``DCMs to have a clearer

    understanding of the pre-trade risk controls of all AT Persons that are

    engaged in Algorithmic Trading on such DCM'' and to ``improve the

    standardization of market participants' pre-trade risk controls.''

    \411\ In those years in which entities are not reviewed, DCMs will at

    least receive notifications pursuant to supplemental proposed Sec.

    40.22(d) confirming that such entities are in compliance with

    Sec. Sec. 1.80, 1.81 and 1.82, as applicable. An AT Person's or FCM's

    failure to provide the required certification would indicate a basis

    for the DCM to engage in a review of such entity's risk controls and

    testing program.

    ---------------------------------------------------------------------------

    \411\ NPRM at 78905.

    ---------------------------------------------------------------------------

    The withdrawal of the requirement under NPRM proposed Sec.

    1.81(a)(1)(ii) that AT Persons must test Algorithmic Trading code and

    related systems on each DCM on which Algorithmic Trading will occur,

    and the withdrawal of NPRM proposed Sec. 40.21, which had required

    DCMs to provide test environments that enable AT Persons to simulate

    production trading, will eliminate any benefits directly associated

    with those particular NPRM proposed rules. The Commission is revising

    or withdrawing those NPRM proposed rules in response to comments

    discussed above indicating that they were costly and impracticable. The

    Commission expects that the remaining testing requirements in

    Supplemental proposed Sec. 1.81 generally will continue to provide the

    benefits described in the NPRM, including the potential to reduce

    market disruptions.\412\

    ---------------------------------------------------------------------------

    \412\ Id. at 78901 and 78907.

    ---------------------------------------------------------------------------

    d. Consideration of Alternatives

    The Commission considered the alternative of eliminating the

    compliance requirements of NPRM proposed Sec. 40.22(c) without

    proposing either Sec. 40.22(a) or Sec. 40.22(d) in its place. The

    Commission determined to propose Sec. 40.22(a) and Sec. 40.22(d)

    because it preliminarily determined that these supplemental proposed

    rules are necessary to ensure that the benefits of Regulation AT are

    fully realized, including the goal of ensuring that risk controls are

    effectively implemented across AT Persons and FCMs, and that

    insufficient controls at such entities are identified and remediated.

    Specifically, the Commission preliminarily believes that it is

    necessary for DCMs to periodically review compliance by AT Persons and

    FCMs and for AT Persons and FCMs to review their own compliance in

    order to make certifications.

    e. Commission Questions

    61. The Commission requests comment on its cost-benefit

    considerations related to Supplemental proposed Sec. Sec.

    1.81(a)(1)(ii), 1.83, 40.22, and NPRM proposed Sec. 40.21, including

    the accuracy of its cost estimates or assumptions regarding decreased

    costs and the accuracy of its assumptions regarding the amount of work

    that would be required of AT Persons and FCMs to comply with the

    certification requirements of Regulation AT.

    62. How do the costs and benefits of Supplemental proposed Sec.

    40.22(a) compare to the compliance costs and benefits associated with

    NPRM proposed Sec. 40.22(c)?

    12. Section 15(a) Factors

    This section discusses the CEA section 15(a) factors for the

    proposals in this Supplemental NPRM.

    a. Protection of Market Participants and the Public

    The Commission preliminarily believes that, as modified by the

    Supplemental NPRM, Regulation AT would continue to, as stated in the

    NPRM, protect market participants and the public by limiting a ``race

    to the bottom,'' in which certain entities sacrifice effective risk

    controls in order to minimize costs or increase the speed of trading.

    The Supplemental proposal to set risk controls at two levels rather

    than three will reduce costs while maintaining Regulation AT's

    protection of market participants and the public. The proposal to apply

    risk controls to Electronic Trading Order Messages as well as AT Order

    Messages will protect market participants and the public by providing

    the benefits of risk controls to all order submissions to a DCM's

    electronic trading facility. The requirements of Supplemental proposed

    Sec. 40.22(a), which requires DCMs to periodically review AT Persons'

    and FCMs' programs for compliance with Sec. Sec. 1.80, 1.81 and 1.82,

    and the certification requirements of Sec. 40.22(d), will promote

    protection of market participants and the public by helping to ensure

    that the risk control rules are followed in a consistent manner and may

    further reduce the likelihood of Algorithmic Trading Events and

    Algorithmic Trading Disruptions.

    Supplemental proposed Sec. 1.84 will protect market participants

    and the public by ensuring that the Commission has access to the

    Algorithmic Trading Source Code and log files of AT Persons in the

    event they are needed to investigate or inquire into an Algorithmic

    Trading Event or Algorithmic Trading Disruption.

    Supplemental proposed Sec. 1.85 will protect market participants

    and the public by ensuring that ATSs and components provided by third

    parties to AT Persons are compliant with the development and testing

    requirements of Regulation AT, even when the AT Persons themselves are

    otherwise unable to comply with those requirements. Moreover, the

    recordkeeping requirements of Sec. 1.85(d) (by reference to Sec.

    1.84(a) and (b)) will protect market participants and the public by

    ensuring that the Commission has access to the Algorithmic Trading

    Source Code and log files of third parties in the event they are needed

    to investigate or inquire into a an

    [[Page 85380]]

    Algorithmic Trading Event or Algorithmic Trading Disruption.

    b. Efficiency, Competitiveness, and Financial Integrity of Futures

    Markets

    The Commission preliminarily believes that by addressing pre-trade

    risk controls, testing, and order management controls at two market

    levels--the exchange and either the trading firm or the executing FCM--

    Regulation AT, as modified by this Supplemental NPRM, will continue to

    provide standards that can be interpreted and enforced in a uniform

    manner. Implementation of Regulation AT to electronic order messages

    will help mitigate instabilities in the markets and ensure market

    efficiency and financial integrity, as discussed in the NPRM.\413\

    Supplemental proposed Sec. 1.85 will further these goals as well by

    ensuring that third-party systems used by AT Persons are compliant with

    Regulation AT.

    ---------------------------------------------------------------------------

    \413\ NPRM at 78909-78910.

    ---------------------------------------------------------------------------

    Supplemental proposed Sec. 1.84 will further market efficiency and

    financial integrity by ensuring that the Commission has access to the

    Algorithmic Trading Source Code and log files of AT Persons in the

    event they are needed to investigate or inquire into an Algorithmic

    Trading Event or Algorithmic Trading Disruption.

    c. Price Discovery

    Requiring both exchanges and either trading firms or executing FCMs

    to implement pre-trade risk controls, testing, and order management

    control requirements in order to mitigate the risk of a malfunctioning

    trading algorithm or automated trading disruption promotes the price

    discovery process by reducing the likelihood of transactions at prices

    that do not accurately reflect market forces.

    d. Sound Risk Management Practices

    The Commission believes that the pre-trade risk and order

    management control requirements contained in Regulation AT, as modified

    by this Supplemental NPRM, will contribute to a system-wide reduction

    in operational risk, and will help standardize risk management

    practices across similar entities within the marketplace. The reduction

    in operational risk may simplify the tasks associated with sound risk

    management practices. These enhanced risk management practices should

    help reduce unintended market volatility, which will aid in efficient

    market making, and reduce overall transaction costs as they relate to

    price movements, which should encourage market participants to trade in

    Commission-regulated markets. Market participants and those who rely on

    prices as determined within regulated markets should benefit from

    markets that behave in an orderly and expected fashion.

    e. Other Public Interest Considerations

    The Commission has not identified any effects that these proposed

    rules would have on other public interest considerations other than

    those addressed above.

    f. Commission Questions

    63. The Commission requests comment on its consideration of the CEA

    section 15(a) factors.

    B. Regulatory Flexibility Act

    The Regulatory Flexibility Act requires that agencies consider

    whether the rules they propose will have a significant economic impact

    on a substantial number of small entities and, if so, provide a

    regulatory flexibility analysis regarding the impact.\414\ A regulatory

    flexibility analysis or certification is typically required for any

    rule for which the agency publishes a general notice of proposed

    rulemaking pursuant to the notice-and-comment provisions of the

    Administrative Procedure Act, 5 U.S.C. 553(b).\415\

    ---------------------------------------------------------------------------

    \414\ 5 U.S.C. 601 et. seq.

    \415\ 5 U.S.C. 601(2), 603, 604, and 605.

    ---------------------------------------------------------------------------

    In the NPRM, the Commission provided a regulatory flexibility

    analysis pursuant to the Regulatory Flexibility Act.\416\ Regulation AT

    impacts three broad types of market participants: DCMs, FCMs, and AT

    Persons.\417\ In the NPRM, the Chairman, on behalf of the Commission,

    certified pursuant to 5 U.S.C. 605(b) that the rules proposed in

    Regulation AT imposing requirements on FCMs and DCMs would not have a

    significant economic impact on a substantial number of small

    entities.\418\

    ---------------------------------------------------------------------------

    \416\ NPRM at 78885.

    \417\ Supplemental proposed Sec. 1.85 will impact another type

    of market participant, third-party service providers providing

    software or systems to AT Persons for Algorithmic Trading.

    \418\ NPRM at 78885.

    ---------------------------------------------------------------------------

    With respect to AT Persons, the NRPM provided a regulatory

    flexibility analysis addressing whether Regulation AT would have a

    significant economic impact on a substantial number of AT Persons that

    were small entities. As defined in the NPRM, the term AT Persons

    included various entities that engaged in Algorithmic Trading,

    including New Floor Traders under NPRM proposed Sec. 1.3(x)(3), FCMs,

    floor brokers, SDs, MSPs, CPOs, CTAs and IBs.\419\ The NPRM noted that

    the Commission previously determined that FCMs, foreign brokers, SDs,

    MSPs, CPOs, and natural persons are not small entities for purposes of

    the Regulatory Flexibility Act.\420\ The NPRM stated that the

    Commission believes it is likely that no natural persons will be AT

    Persons, given the technological and personnel costs associated with

    Algorithmic Trading.\421\ The Commission then considered whether, in

    the context of Regulation AT, floor brokers, floor traders, CTAs, and

    IBs that engage in Algorithmic Trading should be considered small

    entities for purposes of the Regulatory Flexibility Act.\422\ The

    Commission concluded that it did not believe that a substantial number

    of small entities will be impacted by Regulation AT.\423\

    ---------------------------------------------------------------------------

    \419\ Id. at 78885-6.

    \420\ Id. at 78885.

    \421\ Id. at 78885-6.

    \422\ Id. at 78885.

    \423\ Id. at 78886.

    ---------------------------------------------------------------------------

    The Commission has made a number of substantive additions and

    changes to Regulation AT in this Supplemental NPRM, some of which may

    impact small entities. Significantly, while the Commission estimated

    that there would be 420 AT Persons under the NPRM proposed rules for

    Regulation AT, the Commission has revised its estimate to 120 AT

    Persons under the modified rules proposed in this Supplemental NPRM. As

    discussed below, the Commission believes that the Supplemental proposed

    rules will have a significant economic impact on fewer (if any) small

    entities than the NPRM proposed rules.

    Pursuant to 5 U.S.C. 603, the Commission offers for public comment

    the following supplemental analysis to its initial regulatory

    flexibility analysis addressing the impact of Regulation AT on small

    entities. The Commission's analysis in the NPRM consisted of six parts,

    as generally set forth in section 603(b) of the Regulatory Flexibility

    Act. The Supplemental NPRM does not alter the Commission's analysis of

    four of the areas: (1) A description of the reasons why action is being

    considered; (2) a succinct statement of the objectives of, and legal

    basis for, the proposals; (3) an identification of all relevant federal

    rules that may duplicate, overlap, or conflict with the proposed rule;

    and (4) a description of significant alternatives. The Commission

    offers the following supplemental analysis for two areas: (1) A

    description of and, where feasible, an estimate of the number of small

    entities to which the proposed rules will apply; and (2) a description

    of the projected

    [[Page 85381]]

    reporting, recordkeeping, and other compliance requirements of the

    rules, including an estimate of the classes of small entities which

    will be subject to the requirements and the type of professional skills

    necessary for preparation of the report or record.

    1. A Description, and, Where Feasible, an Estimate of the Number of

    Small Entities to Which the Proposed Rules Will Apply

    The Commission noted in the NPRM that the definition of AT Person

    is limited to entities that conduct Algorithmic Trading and the

    definition of New Floor Traders under NPRM proposed Sec.

    1.3(x)(1)(iii) is further limited to those entities with DEA. The

    Commission believes that entities with such capabilities are generally

    not small entities.

    Supplemental proposed Sec. 1.3(xxxx)(1)(i)(B) adds a volume

    threshold test to the definition of AT Person, which measure is also

    set forth in definition of New Floor Trader pursuant to Supplemental

    proposed Sec. Sec. 1.3(x)(1)(iii)(D) and 1.3(x)(2). The Commission

    believes that adding this volume threshold to further reduce the scope

    of Regulation AT will ensure that a substantial number of small

    entities will not be impacted by the information collection. In the

    NPRM, the Commission estimated that approximately 420 persons will be

    AT Persons. The regulatory flexibility analysis contained in the NPRM

    concluded that Regulation AT would not impact a substantial number of

    small entities.\424\ In this supplemental NPRM, the Commission

    estimates that approximately 120 persons will be AT Persons, and a

    smaller number would be New Floor Traders under 1.3(x)(1)(iii).

    Accordingly, the Commission believes that under the modified definition

    of AT Person set forth in Supplemental proposed Sec. 1.3(xxxx), the

    Supplemental proposed rules will impact significantly fewer small

    entities than the NPRM proposed rules and, in particular, that there

    will not be a substantial number of small entities impacted by the

    information collection.

    ---------------------------------------------------------------------------

    \424\ Id. at 78886.

    ---------------------------------------------------------------------------

    2. A Description of the Projected Reporting, Recordkeeping, and Other

    Compliance Requirements of the Rules, Including an Estimate of the

    Classes of Small Entities Which Will Be Subject to the Requirements and

    the Type of Professional Skills Necessary for Preparation of the Report

    or Record

    The following section discusses the projected reporting,

    recordkeeping, and other compliance requirements that will be imposed

    upon AT Persons \425\ under the proposed rules.

    ---------------------------------------------------------------------------

    \425\ This analysis discusses estimated costs for AT Persons,

    irrespective of whether they are small entities. However, the

    Commission believes that the associated costs for small entity AT

    Persons would be no more than the costs for any other AT Persons.

    ---------------------------------------------------------------------------

    a. Sec. 1.3(x)(1)(iii)--Registration of New Floor Traders

    Regulation AT would impose new registration requirements on certain

    entities with Direct Electronic Access who meet a volumetric test as a

    result of the proposed amendment to the definition of ``floor trader''

    in Supplemental proposed Sec. 1.3(x)(1)(iii). The Commission provided

    detailed estimates of the costs associated with registration as a New

    Floor Trader in the NPRM.\426\ The Commission estimated that new

    registrants would incur a one-time cost of approximately $2,106 per

    registrant ($1,050 in application fees plus $1,056 in preparation

    costs). In the NPRM, the Commission estimated that there would be

    approximately 100 new Floor trader registrants. The Commission believes

    that the volume threshold test will likely result in fewer than 100 new

    Floor trader registrants. The Commission further believes that the

    volume threshold test proposed in the Supplemental NPRM will reduce the

    impact on small entities as compared with the NPRM, since the

    registration requirements of Regulation AT will only apply to entities

    with high trading volumes when measured across all products and DCMs.

    ---------------------------------------------------------------------------

    \426\ NPRM at 78925.

    ---------------------------------------------------------------------------

    b. Sec. 1.80--Pre-Trade Risk Controls

    NPRM proposed regulations Sec. Sec. 1.80, 1.82, 38.255 and 40.20

    imposed risk control and similar requirements, such as order

    cancellation systems, on three levels: AT Person, FCM and DCM. As

    discussed above, this Supplemental NPRM changes the overall framework

    for risk controls and other measures required pursuant to NPRM proposed

    Sec. Sec. 1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM

    proposes a revised framework with two levels of risk controls: (1) At

    the AT Person or FCM level, and (2) the DCM level. With respect to

    orders originating with AT Persons (AT Order Messages), the rules would

    require all AT Persons to implement the risk controls and other

    measures required pursuant to Sec. 1.80 (although AT Persons may

    delegate compliance with Sec. 1.80(a) to FCMs, as discussed above). In

    the NPRM, the Commission estimated that it would cost an AT Person

    approximately $79,680 to upgrade its controls to comply with Sec.

    1.80. In the NPRM, the Commission estimated that there would be 420 AT

    Persons. However, under this Supplemental NPRM, the Commission

    estimates that there will be approximately 120 AT Persons. Assuming

    that there are 120 AT Persons, the Commission estimates that the total

    industry cost to implement Sec. 1.80 would be approximately

    $9,561,600.

    The Commission also proposes a change to NPRM proposed Sec. 1.80

    in which AT Persons may delegate compliance with pre-trade risk control

    requirements (Sec. 1.80(a)) to their executing FCMs. Supplemental

    proposed Sec. 1.80(d) provides that an AT Person may choose to comply

    with paragraph (a) of Sec. 1.80 by itself implementing such pre-trade

    risk controls, or may instead delegate compliance with such obligations

    to its executing futures commission merchant. Supplemental proposed

    Sec. 1.80(f) continues to require an AT Person to periodically review

    its compliance with Sec. 1.80 to determine whether it has effectively

    implemented sufficient measures reasonably designed to prevent an

    Algorithmic Trading Event.\427\ The Commission has revised this section

    to account for the possibility that an AT Person has delegated Sec.

    1.80(a) compliance to an FCM, and requires the AT Person to

    periodically review such FCM's compliance with Sec. 1.80(a). The

    Commission assumes that some AT Persons will delegate compliance with

    Sec. 1.80 to its executing FCM under Sec. 1.80(d), and thus review

    such FCM's compliance with Sec. 1.80(a) pursuant to Supplemental

    proposed Sec. 1.80(f). While the Commission cannot estimate how many

    AT Persons will delegate compliance, the Commission believes that the

    costs associated with review are the same as those associated with

    compliance with Sec. 1.80 generally.

    ---------------------------------------------------------------------------

    \427\ The Commission notes that the Supplemental proposes a

    reasonably designed to prevent and reduce the potential risk of

    standard under Sec. 1.80.

    ---------------------------------------------------------------------------

    c. Sec. 1.83(a)--AT Person Recordkeeping Requirements

    As discussed above, the Commission estimated in the NPRM that 420

    entities would qualify as AT Persons under Regulation AT. Pursuant to

    Supplemental proposed Sec. 1.3(xxxx), the Commission now estimates

    that 120 entities will be AT Persons. The Commission's new, lower

    estimate for the number of AT Persons is a function of the volume

    threshold test that market participants would have to satisfy to fall

    within the definition of AT Person

    [[Page 85382]]

    under Supplemental proposed Sec. 1.3(xxxx).

    The Commission has updated its Regulatory Flexibility Act analysis

    from the NPRM for proposed Sec. 1.83, based on its updated estimate of

    120 AT Persons in the Supplemental NPRM (as opposed to the 420 AT

    Persons estimated in the NPRM). The Commission's Regulatory Flexibility

    Act analysis for Supplemental proposed Sec. 1.83 assumes the same cost

    on a per AT Person basis as was used in the NPRM analysis.

    Specifically, the Commission estimated in the NPRM that proposed Sec.

    1.83 requirements that AT Persons keep and provide books and records

    relating to NPRM proposed Sec. Sec. 1.80 and 1.81 compliance would

    result in initial outlay of 60 hours of burden per AT Person. Under

    Supplemental proposed Sec. 1.83(a), the 120 AT Persons would therefore

    initially incur 7,200 burden hours in total. In the NPRM, the

    Commission estimated that, on an initial basis, an AT Person would

    incur a cost of $5,130 to draft and update recordkeeping policies and

    procedures and make technology improvements to recordkeeping

    infrastructure. Under Supplemental proposed Sec. 1.83(a), the 120 AT

    Persons would therefore incur a total initial cost of $615,600.

    The Commission estimated in the NPRM that proposed Sec. 1.83

    requirements that AT Persons keep and provide books and records

    relating to NPRM proposed Sec. Sec. 1.80 and 1.81 compliance would

    result in annual costs of 30 hours of burden per AT Person. Under

    Supplemental proposed Sec. 1.83(a), the 120 AT Persons would therefore

    incur 3,600 burden hours in total. In the NPRM, the Commission

    estimated that, on an annual basis, an AT Person would incur a cost of

    $2,670 to ensure compliance with the NPRM proposed Sec. 1.83(a)

    recordkeeping rules relating to NPRM proposed Sec. 1.82 compliance.

    Under Supplemental proposed Sec. 1.83(a), the 120 AT Persons would

    therefore incur a total annual cost of $320,400.

    d. Sec. 1.84--Maintenance of Algorithmic Trading Source Code and

    Related Records

    Supplemental proposed Sec. 1.84 would require AT Persons to retain

    three categories of records for a period of five years: (1) Algorithmic

    Trading Source Code; (2) records that track changes to Algorithmic

    Trading Source Code; and (3) log files that record the activity of the

    AT Person's ATS. For purposes of Supplemental proposed Sec. 1.84,

    Algorithmic Trading Source Code includes computer code, hardware

    description language, scripts and formulas as well as the configuration

    files and parameters used to carry out the trading. These records are

    required to be maintained in their native format. Supplemental proposed

    Sec. 1.84 also requires that these records be kept in a form and

    manner that ensures the authenticity and reliability of the information

    contained in the records, and that AT Persons have systems available to

    promptly retrieve and display the records.

    Supplemental proposed Sec. 1.84 applies to AT Persons, including

    any AT Persons that are floor brokers, floor traders, CTAs, or IBs. The

    Commission's best understanding is that at this time, all floor brokers

    are natural persons. Given the technological and personnel costs

    associated with Algorithmic Trading, the Commission's expectation is

    that only entities, not natural persons, would meet the definition of

    ``AT Person.'' Accordingly, the Commission does not believe that any

    floor brokers would be AT Persons impacted by Supplemental proposed

    Sec. 1.84.

    With respect to New Floor Traders, CTAs, and IBs that would meet

    the definition of AT Person, the Commission does not believe it is

    feasible to estimate the total number of such entities that would be

    small entities. However, under this Supplemental NPRM, the Commission

    estimates that there will be a total of 120 AT Persons, a subset of the

    estimated 420 AT Persons described in the NPRM. The Commission noted in

    the NPRM that the proposed definition of AT Person was limited to

    entities that conduct Algorithmic Trading, and the NPRM proposed

    definition of New Floor Traders was further limited to those entities

    with DEA.\428\ The Commission stated that it believed entities with

    such capabilities are generally not small entities.\429\ Thus, the

    population of AT Persons under the Supplemental NPRM is even less

    likely to include small entities, since they must meet the additional

    volume threshold measures discussed above. Consequently, the Commission

    does not believe that Supplemental proposed Sec. 1.84 will impact a

    substantial number of small entities.

    ---------------------------------------------------------------------------

    \428\ NPRM at 78886.

    \429\ Id.

    ---------------------------------------------------------------------------

    In order to comply with the requirements set out in Supplemental

    proposed Sec. 1.84(a), an AT Person must have a version control system

    and an application log management system in place. The Commission

    expects that most AT Persons have version control software to manage

    each change made to their software and identify who made the change and

    why. The Commission also expects that most AT Persons manage their

    application logs through some form of application log management

    system.

    For firms that do not have version control systems and application

    log management systems in place, the effort involved in setting one up

    includes the acquisition of the hardware to run the system, the

    application software itself, the migration of the existing Algorithmic

    Trading Source Code and logs into the software, and the creation of

    policy and procedures related to the use of the system by the firm. For

    appropriate hardware to accomplish this task, a machine with sufficient

    storage space and sufficient redundancy will be needed. The Commission

    expects that ten terabytes of data would constitute sufficient storage

    capacity. A number of software options are available, from open-source

    products to industry-standard tools.

    i. Firms Without Sufficient Hardware and Software in Place

    The Commission estimates that Supplemental proposed Sec. 1.84(a),

    which requires AT Persons to maintain specified records related to

    their Algorithmic Trading Source Code and their Algorithmic Trading

    systems' activity, will result in initial outlay of 420 hours of burden

    per AT Person without sufficient hardware and software in place to

    comply with proposed Sec. 1.84(a), and 33,600 burden hours in total.

    The estimated burden was calculated as follows:

    Burden: Supplemental proposed Sec. 1.84(a), which would require AT

    Persons to maintain certain records.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each AT Person or executing FCM: 420

    hours.

    Burden statement-all AT Persons and executing FCMs: 120 respondents

    x 420 hours = 50,400 Burden Hours initial year.

    The Commission estimates that an AT Person without the hardware and

    software in place to maintain the records required by Supplemental

    proposed Sec. 1.84(a) would incur a cost of $41,840 to purchase and

    set up the required hardware and software, migrate existing Algorithmic

    Trading Source Code and logs into the software and draft appropriate

    recordkeeping policies and procedures and make technology improvements

    to recordkeeping infrastructure. This cost is broken down as follows:

    Hardware costing $12,000,\430\

    [[Page 85383]]

    software costing $2,000,\431\ 1 Project Manager for the Algorithmic

    Trading Source Code and log migration effort, working for 60 hours (60

    x $70 = $4,200); 1 Developer for the Algorithmic Trading Source Code

    and log migration effort, working for 60 hours (60 x $75 = $4,500), 1

    Project Manager to develop the related policies and procedures, working

    for 120 hours (120 x $70 = $8,400), 1 Business Analyst to develop the

    related policies and procedures, working for 120 hours (120 x $52 =

    $6,240), and 1 Developer to develop the related policies and

    procedures, working for 60 hours (60 x $75 = $4,500). The 120 AT

    Persons would therefore incur a total initial cost of $5,020,800 (120 x

    $41,840).

    ---------------------------------------------------------------------------

    \430\ The Commission estimates that the hardware could cost from

    $1,000 to $25,000 depending on factors including which hardware

    vendor an AT Person chooses, the amount of business the AT Person

    does with the hardware vendor and the pricing the hardware vendor

    provides the AT Person as a result.

    \431\ The Commission estimates that the software could cost from

    $0 to $5,000 depending on factors including which hardware vendor an

    AT Person chooses, the amount of business the AT Person does with

    the hardware vendor and the pricing the hardware vendor provides the

    AT Person as a result.

    ---------------------------------------------------------------------------

    ii. Firms With Sufficient Hardware and Software in Place

    Firms that have the necessary systems in place may nevertheless

    need to make changes to their policies and procedures and enhance their

    hardware to provide more storage capacity, in each case to address the

    requirements of Supplemental proposed Sec. 1.84(a). The discussion

    below addresses both the effort it takes to determine what upgrades

    need to be made, and to implement those upgrades.

    The Commission estimates that Supplemental proposed Sec. 1.84(a)

    requiring AT Persons to maintain specified records related to their

    Algorithmic Trading Source Code and their Algorithmic Trading systems'

    activity will result in initial outlay of 90 hours of burden per AT

    Person with sufficient hardware and software to comply with

    Supplemental proposed Sec. 1.84(a), and 10,800 burden hours in total.

    The estimated burden was calculated as follows:

    Burden: Supplemental proposed Sec. 1.84(a), which would require AT

    Persons to maintain certain records.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each respondent: 90 hours.

    Burden statement--all respondents: 120 respondents x 90 hours =

    10,800 Burden Hours initial year.

    The Commission estimates that, on an initial basis, an AT Person

    with the hardware and software in place to maintain the records

    required by Supplemental proposed Sec. 1.84(a) would incur a cost of

    $12,160 to purchase and set up the required hardware and software,

    migrate existing Algorithmic Trading Source Code and logs into the

    software and draft appropriate recordkeeping policies and procedures

    and make technology improvements to recordkeeping infrastructure. This

    cost is broken down as follows: Hardware costing $4,000,\432\ 1 Project

    Manager to develop the related policies and procedures, working for 30

    hours (30 x $70 = $2,100), 1 Business Analyst to develop the related

    policies and procedures, working for 30 hours (30 x $52 = $1,560), and

    1 Developer to develop the related policies and procedures, working for

    60 hours (60 x $75 = $4,500). The 120 AT Persons would therefore incur

    a total initial cost of $1,459,200 (120 x $12,160).

    ---------------------------------------------------------------------------

    \432\ The Commission estimates that the hardware could cost from

    $1,000 to $10,000 depending on factors including which hardware

    vendor an AT Person chooses, the amount of business the AT Person

    does with the hardware vendor and the pricing the hardware vendor

    provides the AT Person as a result.

    ---------------------------------------------------------------------------

    e. Supplemental Proposed Sec. Sec. 1.84(b) and (c)

    In order to comply with the requirements set out in Supplemental

    proposed Sec. Sec. 1.84(b) and 1.84(c), AT Persons will have to use

    their version control software to manage their software's version

    history. This will require a standard monthly effort to maintain the

    environment so that each AT Person is able to respond to special calls

    and/or subpoenas.

    Monthly Maintenance: The Commission estimates that Supplemental

    proposed Sec. Sec. 1.84(b) and 1.84(c), which require AT Persons to

    produce records of Algorithmic Trading in response to a special call or

    subpoena, will result in ongoing costs of 324 hours of burden per AT

    Person per year, and 38,880 annual burden hours in total. The estimated

    burden was calculated as follows:

    Burden: Rule requiring AT Persons to produce Algorithmic Trading

    records in response to a Special Call or Subpoena.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each respondent: 324 hours.\433\

    ---------------------------------------------------------------------------

    \433\ The Commission estimates 27 burden hours per respondent/

    affected entity per month. Annualizing this monthly figure by

    multiplying by 12 results in the 324 total burden hour estimate.

    ---------------------------------------------------------------------------

    Burden statement-all respondents: 120 respondents x 324 hours =

    38,880 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $25,380 to draft and update recordkeeping policies

    and procedures and make technology improvements to recordkeeping

    infrastructure. This cost is broken down as follows: 1 Project Manager,

    working for 3 hours per month x 18 months = 54 hours per year (54 x $70

    = $3,780); and 1 Developer, working for 24 hours per month x 12 months

    = 288 hours per year (288 x $75 = $21,600). The 120 AT Persons would

    therefore incur a total initial cost of $3,045,600 (120 x $25,380).

    Costs Per Response to a Special Call or Subpoena. The Commission

    estimates that Supplemental proposed Sec. Sec. 1.84(b) and 1.84(c),

    which require AT Persons to produce records of Algorithmic Trading in

    response to a special call or subpoena, will result in costs per

    response of 48 hours of burden per AT Person, and 12,960 burden hours

    in total. The estimated burden was calculated as follows:

    Burden: Rule requiring AT Persons to produce Algorithmic Trading

    records in response to a Special Call or Subpoena.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 108 hours.

    Frequency of collection: Intermittent.

    Burden statement-all respondents: 120 respondents x 108 hours =

    12,960 Burden Hours per year.

    The Commission estimates that, on an intermittent basis, an AT

    Person will incur a cost of $5,844 to ensure compliance with those

    aspects of Supplemental proposed Sec. Sec. 1.84(b) and 1.84(c)

    requiring AT Persons to produce records of Algorithmic Trading in

    response to a special call or subpoena. This cost is broken down as

    follows: 1 Project Manager, working for 12 hours (12 x $70 = $840); 1

    Developer, working for 36 hours (36 x $75 = $2,700); and 1 Compliance

    Attorney, working for 24 hours (24 x $96 = $2,304). The 120 AT Persons

    would therefore incur a total annual cost of $701,280 (120 x $5,844).

    f. Sec. 1.85--Use of Third-Party Algorithmic Trading Systems or

    Components

    Supplemental proposed Sec. 1.85 would allow AT Persons who are

    unable to comply with a particular development and testing requirement

    or a particular maintenance or production requirement related to

    Algorithmic Trading strategy, due solely to their use of third-party

    system components, to obtain a certification that the third party is

    complying with the obligation. Pursuant to Supplemental proposed Sec.

    1.84, AT Persons must also conduct due diligence regarding the accuracy

    of the

    [[Page 85384]]

    certification.\434\ In addition, in all cases, under the Supplemental

    NPRM, an AT Person is responsible for ensuring that records are

    retained and produced as required pursuant to Supplemental proposed

    Sec. 1.84.

    ---------------------------------------------------------------------------

    \434\ The Supplemental NPRM does not set forth the means by

    which due diligence must be conducted. The Commission expects that

    due diligence may take a variety of forms, including but not limited

    to, email exchanges, teleconferences, reviews of files, and in-

    person meetings.

    ---------------------------------------------------------------------------

    Supplemental proposed Sec. 1.85 would have the effect of reducing

    the burdens on AT Persons under Supplemental proposed Sec. 1.84

    because an AT Person could effectively shift its burden to comply with

    certain obligations onto a third party, provided that the third party

    provides a certification to the AT Person. Since Supplemental proposed

    Sec. 1.85 is burden reducing with respect to AT Persons, the

    Commission does not believe that the proposed rule would have a

    ``significant economic impact'' on AT Persons for purposes of the

    Regulatory Flexibility Act.

    Additionally, the Commission assumes that the third parties that

    would provide certifications under Supplemental proposed Sec. 1.85

    would not be small entities, given the levels of complexity and

    sophistication required to provide third-party system components to AT

    Persons in connection with such AT Person's Algorithmic Trading

    strategy. The Commission invites comment on the accuracy of its

    assumption.

    The Commission estimates that the requirement under Supplemental

    proposed Sec. 1.85 that an AT Person may comply with an obligation

    under NPRM proposed Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(iii),

    1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.

    1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party

    that the third party is fulfilling the obligation, will result in: (1)

    60 one-time hours of burden per AT Person, and 7,200 burden hours in

    total; (2) 36 hours (on a recurring annual basis) of burden per AT

    Person, and 4,320 burden hours in total; (3) 60 one-time hours of

    burden per third party, and 3,000 burden hours in total; and (4) 36

    hours (on a recurring annual basis) of burden per third party, and

    1,800 burden hours in total. The estimated burden was calculated as

    follows:

    Burden: AT Person establishing the process for obtaining third-

    party certifications, obtaining the initial certifications and

    conducting due diligence on the accuracy thereof.

    Respondents/Affected Entities: 120.\435\

    Estimated number of responses: 120.\436\

    Estimated total burden on each respondent: 60 hours.\437\

    Frequency of collection: One-time.

    Burden statement-all respondents: 120 respondents x 60 hours =

    7,200 Burden Hours per year.

    ---------------------------------------------------------------------------

    \435\ The Commission estimates 120 AT Persons will rely on third

    party certifications pursuant to Supplemental proposed Sec. 1.85.

    This estimate is based on an assumption that each AT Person will

    rely on one third party service providers for such AT Person's ATS

    or components. In fact, the Commission anticipates that some AT

    Persons will not rely on any third party service providers for their

    ATSs or components, while other AT Persons will rely on two third

    party service providers. For purposes of this PRA analysis, the

    Commission believes that the best available estimate is that there

    will be a total of 120 Respondents/Affected Entities. The Commission

    seeks comment on this estimate.

    \436\ This is calculated as the product of 120 estimated

    Respondents/Affected Entities and one initial response (i.e.,

    establishing the process for obtaining third party certifications,

    obtaining the initial certifications and conducting due diligence on

    the accuracy thereof).

    \437\ The Commission estimates that the initial response will

    take a Project Manager 24 hours, a Compliance Attorney 24 hours and

    a Developer 12 hours. The sum of those hours is 60 hours.

    ---------------------------------------------------------------------------

    The Commission estimates that an AT Person will incur a one-time

    cost of $3,506 to establish the process for initially obtaining the

    third-party certifications permitted by Supplemental proposed Sec.

    1.85, conduct the related due diligence and obtain the initial

    certifications. This cost is broken down as follows: 1 Project Manager,

    working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney,

    working for 24 hours (24 x $96 = $2,304); and 1 Developer working for

    12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely

    on Sec. 1.85 would therefore incur a total one-time cost of $586,080

    (120 x $4,884).

    Burden: AT Person updating its certifications from third parties

    and conducting updated due diligence on the accuracy thereof.

    Respondents/Affected Entities: 120.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 54 hours.

    Frequency of response: Annual.

    Burden statement-all respondents: 120 respondents x 54 hours =

    6,480 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $2,892 to obtain the third-party certifications

    permitted by Supplemental proposed Sec. 1.85 and conduct the related

    due diligence. This cost is broken down as follows: 1 Project Manager,

    working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working

    for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours

    (12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.

    1.85 would therefore incur a total annual cost of $347,040 (120 x

    $2,892).

    The Commission also anticipates that an AT Person will incur a one-

    time cost of $2,304 to re-write its contracts with third parties, so

    that the AT Persons can comply with the recordkeeping and production

    provisions of Supplemental proposed Sec. 1.84. This cost is broken

    down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96

    per hour = $2,304).

    Burden: Third party establishing the process for providing

    certifications to AT Persons, providing the initial certifications and

    cooperating with AT Persons conducting due diligence on the accuracy

    thereof.

    Respondents/Affected Entities: 50.\438\

    Estimated number of responses: 50.\439\

    Estimated total burden on each respondent: 60 hours.\440\

    Frequency of response: One-time.

    Burden statement-all respondents: 50 responses x 60 hours = 3,000

    Burden Hours per year.

    ---------------------------------------------------------------------------

    \438\ The Commission estimates that there will be a total of 50

    third party service providers to AT Persons for their ATSs or

    components. The Commission seeks comment on this estimate.

    \439\ This is calculated as the product of 50 third parties and

    one initial response (i.e., establishing the process for providing

    third party certifications, providing the initial certifications and

    cooperating with AT Persons conducting due diligence on the accuracy

    thereof). The Commission assumes that each third party will provide

    a single certification to all AT Persons using a product or service

    from the third party. The Commission seeks comment on this estimate.

    \440\ The Commission estimates that, as with the initial

    collection burden on AT Persons, the initial response will take a

    third party Project Manager 24 hours, a third party Compliance

    Attorney 24 hours and a third party Developer 12 hours. The sum of

    those hours is 60 hours.

    ---------------------------------------------------------------------------

    The Commission estimates that a third party will incur a one-time

    cost of $4,884 to establish the process for initially providing the

    third-party certifications permitted by Supplemental proposed Sec.

    1.85 and cooperate with AT Persons conducting the related due

    diligence. This cost is broken down as follows: 1 Project Manager,

    working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney,

    working for 24 hours (24 x $96 = $2,304); and 1 Developer working for

    12 hours (12 x $75 = $900). The Commission estimates that third-party

    ATS providers will issue 120 certifications per year, either as initial

    or annual certifications. This reflects the Commission's estimate of

    120 AT Persons, and the fact that some AT Persons will rely on multiple

    third-party providers, while others will develop their systems entirely

    in-house. The estimated 50 third parties that provide certifications

    pursuant to Supplemental

    [[Page 85385]]

    proposed Sec. 1.85 would therefore incur a total annual cost of

    $244,200 (50 x $4,884).

    Burden: Third parties annually updating their certifications to AT

    Persons and cooperating with AT Persons conducting due diligence on the

    accuracy thereof.

    Respondents/Affected Entities: 50.\441\

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 36 hours.\442\

    Frequency of response: Annual.

    Burden statement-all respondents: 120 responses x 36 hours = 4,320

    Burden Hours per year.

    ---------------------------------------------------------------------------

    \441\ The Commission estimates that there will be a total of 50

    third party service providers to AT Persons for their ATSs or

    components.

    \442\ The Commission estimates that, as with the recurring

    annual collection for AT Persons, the annual collection will take a

    third party Project Manager 12 hours, a third party Compliance

    Attorney 12 hours and a third party Developer 12 hours. The sum of

    those hours is 36 hours. However, the Commission believes that in a

    typical year, the actual number of burden hours would be lower,

    provided that the product or service the AT Person receives from the

    third party provider has not changed substantially.

    ---------------------------------------------------------------------------

    The Commission estimates that, on an annual basis, a third party

    will incur a cost of $2,892 to provide AT Persons the third-party

    certifications permitted by Supplemental proposed Sec. 1.85 and

    cooperate with AT Persons conducting the related due diligence. The

    Commission estimates that third-party ATS providers will issue 120

    certifications per year, either as initial or annual certifications.

    This reflects the Commission's estimate of 120 AT Persons, and the fact

    that some AT Persons will rely on multiple third-party providers, while

    others will develop their systems entirely in-house. This cost is

    broken down as follows: 1 Project Manager, working for 12 hours (12 x

    $70 = $840); 1 Compliance Attorney, working for 12 hours (12 x $96 =

    $1,152); and 1 Developer working for 12 hours (12 x $75 = $900). The

    estimated 50 third parties that will rely on Sec. 1.85 would therefore

    incur a total annual cost of $144,600 (50 x $2,892).

    In addition to the costs of providing certifications, the

    Commission anticipates that third-party providers will incur additional

    costs relating to Supplemental proposed Sec. 1.85(a), which

    contemplates that third parties will provide to AT Persons systems or

    components that comply with NPRM proposed Sec. Sec. 1.81(a)(1)(i),

    1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed

    Sec. Sec. 1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an

    annual basis, a third party will incur costs to comply with the

    proposed rules listed above that are comparable to the costs that an AT

    Person would incur to comply with such rules. The estimated costs for

    an AT Person to comply with Supplemental proposed Sec. 1.84 are

    discussed in Section IX(B)(2)(e) above. The estimated costs for an AT

    Person to comply with proposed Sec. 1.81(a) were discussed in detail

    in the NPRM.\443\

    ---------------------------------------------------------------------------

    \443\ See NPRM at 78888, 78900. In the NPRM, the Commission

    estimated that an AT Person that has not implemented any of the

    requirements of proposed Sec. 1.81(a) (development and testing of

    ATSs) would incur a total cost of $349,865 to implement those

    requirements. This cost was broken down as follows: 1 Project

    Manager, working for 1,707 hours (1,707 x $70 = $119,490); 2

    Business Analysts, working for a combined 853 hours (853 x $52 =

    $44,356); 3 Testers, working for a combined 2,347 hours (2,347 x $52

    = $122,044); and 2 Developers, working for a combined 853 hours (853

    x $75 = $63,975). The Commission notes that this calculation would

    apply only to third parties that have not implemented any of the

    requirements of proposed Sec. 1.81(a). However, the Commission

    anticipates that many third-party providers--e.g., software

    development firms--already develop and test systems or components in

    the ordinary course of their business. Indeed, the Commission

    anticipates that third-party providers would generally be as

    sophisticated, if not more sophisticated, than AT Persons with

    respect to the development and testing of ATSs. Therefore, the

    Commission believes that the cost of compliance for third parties

    would be lower than the estimate calculated above. In addition, the

    Commission anticipates that compliance costs under Supplemental

    proposed Sec. 1.81(a)(1)(ii) will be lower than the costs estimated

    in the NPRM, since the Commission is proposing to eliminate the

    requirement under NPRM proposed Sec. 1.81(a)(1)(ii) that AT Persons

    must test all Algorithmic Trading code and related systems on each

    DCM on which Algorithmic Trading will occur (while retaining a more

    general requirement that AT Persons must test all ATSs).

    ---------------------------------------------------------------------------

    The Commission also anticipates that a third-party will incur a

    one-time cost of $2,304 to re-write its contracts with AT Persons, so

    that the AT Persons can comply with the recordkeeping and production

    provisions of Supplemental proposed Sec. 1.84. This cost is broken

    down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96

    per hour = $2,304).

    g. Sec. 40.22--Compliance With DCM Reviews

    The Commission expects that Supplemental proposed Sec. 40.22,

    which requires DCMs to periodically review AT Persons' compliance with

    Sec. Sec. 1.80 and 1.81 executing FCMs' compliance with Sec. 1.82,

    will also impose burdens on the AT Persons that will be subject to such

    reviews. The Commission believes that an adequate review program will

    typically require DCMs to evaluate AT Persons' compliance every two

    years. Low-risk parties may require less frequent review, while high-

    risk parties could require more frequent evaluation. The Commission

    estimates (on an annual basis) 48 hours of burden per AT Person, and

    2,880 burden hours in total per year. The estimated burden was

    calculated as follows:

    Burden: Compliance by AT Persons with DCM Reviews.

    Respondents/Affected Entities: 120.

    Estimated number of responses: 60 per year (120/2, or half of the

    total population per year).

    Estimated total burden on each AT Person or executing FCM: 48

    hours.

    Frequency of response: Once every two years.

    Burden statement-all AT Persons and executing FCMs: 60 respondents

    x 48 hours = 2,880 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $3,720 to facilitate a DCM's compliance with

    Supplemental proposed Sec. 40.22. Such costs reflect to the burden to

    an AT Person of providing written information, responding to questions,

    and otherwise furnishing such information as the DCM may need to

    discharge its responsibilities. This cost is broken down as follows: 1

    Senior Compliance Specialist, working for 36 hours (36 x $57 = $2,052);

    and 1 Chief Compliance Officer, working for 12 hours (12 x $139 =

    $1,668). The 120 AT Persons that will be subject to Sec. 1.83(a) would

    therefore incur a total annual cost of $446,400 (120 x $3,720).

    h. Sec. 40.22(d)--Certification Requirement

    The Commission estimates that Supplemental proposed Sec. 40.22(d),

    which states that DCMs must require each AT Person to provide the DCM

    an annual certification attesting that the AT Person complies with the

    requirements of Sec. Sec. 1.80 and 1.81, will result in (on an annual

    basis) 12 hours of burden per AT Person and 1,440 burden hours total.

    The Commission expects that the annual certification requirement will

    involve preparation and transmittal of a document that makes the

    required certification, and that most of the burden hours associated

    with this requirement would involve review and analysis by compliance

    personnel of the entity's compliance with Sec. Sec. 1.80 and 1.81

    necessary to enable the CCO or CEO to sign the certification. The

    estimated burden was calculated as follows:

    Burden: Compliance certifications submitted by AT Persons to DCMs.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 12 hours.

    Frequency of collection: Annual.

    Burden statement-all respondents: 120 respondents x 12 hours =

    1,440 Burden Hours per year.

    [[Page 85386]]

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $1,176 to submit the compliance certification that

    will be required by proposed Sec. 40.22(d). This cost is broken down

    as follows: 1 Senior Compliance Specialist, working for 6 hours (6 x

    $57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 x

    $139 = $834), for each certification to one DCM. The 120 AT Persons

    that will be subject to DCM rules implemented pursuant to Sec.

    40.22(d) would therefore incur a total annual cost of $141,120 (120 x

    $1,176).\444\

    ---------------------------------------------------------------------------

    \444\ The six hours of work for each employee consists of five

    hours for the initial certification and one hour to prepare

    additional certifications for three other DCMs.

    ---------------------------------------------------------------------------

    64. The Commission invites comment on its Regulatory Flexibility

    Act analysis. In particular, the Commission specifically invites

    comment on the accuracy of its assumption that the third parties

    referenced in Supplemental proposed Sec. 1.85 would not be ``small

    entities'' for Regulatory Flexibility Act purposes.

    65. Do you agree that revising the definition of AT Person to

    include one of the proposed volume threshold will mean that no natural

    persons will be AT Persons?

    66. Do you agree that revising the definition of AT Person to

    include one of the proposed quantitative measures will mean that there

    will not be a substantial number of small entities impacted by the

    information collection?

    C. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA'') \445\ imposes certain

    requirements on federal agencies in connection with their conducting or

    sponsoring any collection of information as defined by the PRA. As

    discussed in the NPRM, Regulation AT would result in new collection of

    information requirements within the meaning of the PRA. As explained

    above, the Commission believes that the proposed volume threshold will

    reduce the number of AT Persons, which would accordingly reduce the PRA

    estimates provided in the NPRM. The Commission invites the public to

    comment on any aspect of how the proposed volume threshold would impact

    the paperwork burdens discussed in the NPRM.

    ---------------------------------------------------------------------------

    \445\ 44 U.S.C. 3501 et seq.

    ---------------------------------------------------------------------------

    1. Sec. 1.3(x)(1)(iii)--Submissions by Newly Registered Floor Traders

    \446\

    ---------------------------------------------------------------------------

    \446\ 78 FR 78891.

    ---------------------------------------------------------------------------

    In the NPRM, the Commission estimated that there would be 100 new

    Floor trader registrants under the proposed definition of floor trader

    in Sec. 1.3(x)(3). The Commission estimated that the NPRM proposed

    rules requiring registration would result in 11 hours of burden per

    affected entity, and 1,100 burden hours total. The Commission estimated

    that new registrants would incur a one-time cost of $1,056. While the

    Commission estimated that there would be 420 AT Persons under the NPRM

    proposed rules for Regulation AT, and approximately 100 would be

    required to register as Floor traders, the Commission has revised its

    estimate to 120 AT Persons under the modified rules proposed in this

    Supplemental NPRM.\447\ While the Commission recognizes that the

    modifications in the Supplemental NPRM may reduce the number of

    entities required to register, the Commission estimates that there will

    be approximately 100 new Floor trader registrants under Supplemental

    proposed Sec. 1.3(x)(1)(iii). The Commission estimates that the 100

    entities subject to the registration requirement would incur a total

    one-time cost of $105,600 (100 x $1,056).

    ---------------------------------------------------------------------------

    \447\ See Section II(C)(1).

    ---------------------------------------------------------------------------

    2. Sec. 1.80(d)--Pre-Trade Risk Controls for AT Persons--Delegation

    Supplemental proposed Sec. 1.80(d) allows an AT Person to delegate

    compliance with Sec. 1.80(a) to its executing FCM. Under Supplemental

    proposed Sec. 1.80(d)(2), an AT Person may only delegate such

    functions when (i) it is technologically feasible for each relevant FCM

    to comply with Sec. 1.80(a) with a level of effectiveness reasonably

    designed to prevent and reduce the potential risk of an Algorithmic

    Trading Event; and (ii) each relevant FCM notifies the AT Person in

    writing that the FCM has accepted the AT Person's delegation and that

    it will comply with Sec. 1.80(a) on behalf of the AT Person. The

    Commission expects that the written notification pursuant to

    Supplemental proposed Sec. 1.80(d)(2)(ii) will involve preparation and

    transmittal of a document that confirms that the FCM accepted the

    delegation and will comply with Sec. 1.80(a). Accordingly, the

    Commission estimates that Supplemental proposed Sec. 1.80(d)(2)(ii)

    will result in two burden hours per affected entity to prepare and send

    the notification: 1 Compliance Attorney, working for 1 hour (1 x $96 =

    $96); and 1 Chief Compliance Officer, working for 1 hour (1 x $139).

    The Commission is unable to estimate the exact number of the 120 AT

    Persons that will choose to delegate Sec. 1.80(d) compliance. Assuming

    that all 70 executing FCMs accept delegation for at least one AT

    Person, the Commission estimates that the 70 executing FCMs would incur

    a total one-time cost of $16,450 (70 x $235).

    3. Sec. 1.83(a)--AT Person Retention and Production of Books and

    Records \448\

    ---------------------------------------------------------------------------

    \448\ Supplemental proposed Sec. 1.83(a) is identical to NPRM

    proposed Sec. 1.83(c). NPRM proposed Sec. Sec. 1.83(a) and (b)

    have been removed in this Supplemental NPRM, and Sec. 1.83 has been

    renumbered accordingly.

    ---------------------------------------------------------------------------

    As discussed above, the Commission estimated in the NPRM that 420

    entities would qualify as AT Persons under Regulation AT. Pursuant to

    Supplemental proposed Sec. 1.3(xxxx), the Commission now estimates

    that 120 entities will be AT Persons. The Commission's new, lower

    estimate for the number of AT Persons is a function of the volume

    threshold test that market participants would have to satisfy to fall

    within the definition of AT Person under Supplemental proposed Sec.

    1.3(xxxx).

    The Commission has updated its PRA analysis from the NPRM for

    proposed Sec. 1.83, based on its updated estimate of 120 AT Persons in

    the Supplemental NPRM (as opposed to the 420 AT Persons estimated in

    the NPRM). The Commission's PRA analysis for Supplemental proposed

    Sec. 1.83 assumes the same cost on a per AT Person basis as was used

    in the NPRM analysis. Specifically, the Commission estimated in the

    NPRM that proposed Sec. 1.83 requirements that AT Persons keep and

    provide books and records relating to NPRM proposed Sec. Sec. 1.80 and

    1.81 compliance would result in initial outlay of 60 hours of burden

    per AT Person. Under Supplemental proposed Sec. 1.83(a), the 120 AT

    Persons would therefore initially incur 7,200 burden hours in total. In

    the NPRM, the Commission estimated that, on an initial basis, an AT

    Person would incur a cost of $5,130 to draft and update recordkeeping

    policies and procedures and make technology improvements to

    recordkeeping infrastructure. Under Supplemental proposed Sec.

    1.83(a), the 120 AT Persons would therefore incur a total initial cost

    of $615,600.

    The Commission estimated in the NPRM that proposed Sec. 1.83

    requirements that AT Persons keep and provide books and records

    relating to NPRM proposed Sec. Sec. 1.80 and 1.81 compliance would

    result in annual costs of 30 hours of burden per AT Person. Under

    Supplemental proposed Sec. 1.83(a), the 120 AT Persons would therefore

    incur 3,600 burden hours in total. In the NPRM, the Commission

    estimated that, on an annual basis, an AT Person would incur a cost of

    $2,670 to ensure

    [[Page 85387]]

    compliance with the NPRM proposed Sec. 1.83(a) recordkeeping rules

    relating to NPRM proposed Sec. 1.82 compliance. Under Supplemental

    proposed Sec. 1.83(a), the 120 AT Persons would therefore incur a

    total annual cost of $320,400.

    4. Sec. 1.83(b)--Executing FCM Retention and Production of Books and

    Records \449\

    ---------------------------------------------------------------------------

    \449\ Supplemental proposed Sec. 1.83(b) amends the provisions

    of NPRM Sec. 1.83(d). NPRM Sec. Sec. 1.83(a) and (b) have been

    removed in this Supplemental NPRM, and Sec. 1.83 has been

    renumbered accordingly.

    ---------------------------------------------------------------------------

    As discussed above, Supplemental proposed Sec. 1.83(b) would

    govern FCM retention and production of books and records relating to

    Sec. 1.82 compliance. NPRM Sec. 1.83(d) applied to ``clearing'' FCMs.

    In contrast, Supplemental proposed Sec. 1.83(b) would apply to

    ``executing'' FCMs. The Commission's PRA analysis for Supplemental

    proposed Sec. 1.83 assumes the same cost on a per AT Person basis as

    was used in the NPRM analysis. In the NPRM, the Commission estimated

    that compliance with Sec. 1.83(d) would result in initial outlay of 60

    hours of burden per FCM, and 3,420 burden hours total. In the NPRM, the

    Commission estimated that, on an initial basis, an FCM would incur a

    cost of $5,130 to draft and update recordkeeping policies and

    procedures and make technology improvements to recordkeeping

    infrastructure. Under Supplemental proposed Sec. 1.83(b), the 70

    executing FCMs would therefore incur a total initial cost of $359,100.

    The Commission estimated in the NPRM that proposed Sec. 1.83

    requirements that clearing FCMs keep and provide books and records

    relating to NPRM proposed Sec. 1.82 compliance would result in annual

    costs of 30 hours of burden per FCM. In the NPRM, the Commission

    estimated that compliance with Sec. 1.83(d) would result in annual

    costs of 30 hours of burden per FCM, and 1,710 burden hours total. In

    the NPRM, the Commission estimated that, on an initial basis, an FCM

    would incur a cost of $2,670 relating to Sec. 1.82 compliance,

    including the updating of policies and procedures and technology

    infrastructure, and to respond to DCM record requests. Under

    Supplemental proposed Sec. 1.83(b), the 70 executing FCMs would

    therefore incur a total annual cost of $186,900.

    5. Sec. 1.84--Retention, Production and Confidentiality of Algorithmic

    Trading Records

    a. Supplemental Proposed Sec. 1.84(a)

    In order to comply with the requirements set out in Supplemental

    proposed Sec. 1.84(a), an AT Person must have a version control system

    and an application log management system in place. The Commission

    expects that most AT Persons have version control software to manage

    each change made to their software and identify who made the change and

    why. The Commission also expects that most AT Persons manage their

    application logs through some form of application log management

    system.

    For firms that do not have version control systems and application

    log management systems in place, the effort involved in setting one up

    includes the acquisition of the hardware to run the system, the

    application software itself, the migration of the existing Algorithmic

    Trading Source Code and logs into the software, and the creation of

    policy and procedures related to the use of the system by the firm. For

    appropriate hardware to accomplish this task, a machine with sufficient

    storage space and sufficient redundancy will be needed. The Commission

    expects that 10 terabytes of data would constitute sufficient storage

    capacity. A number of software options are available, from open-source

    products to industry-standard tools.

    i. Firms Without Sufficient Hardware and Software in Place

    The Commission estimates that Supplemental proposed Sec. 1.84(a),

    which requires AT Persons to maintain specified records related to

    their Algorithmic Trading Source Code and their Algorithmic Trading

    systems' activity, will result in initial outlay of 420 hours of burden

    per AT Person without sufficient hardware and software in place to

    comply with proposed Sec. 1.84(a), and 50,400 burden hours in total.

    The estimated burden was calculated as follows:

    Burden: Supplemental proposed Sec. 1.84(a), which would require AT

    Persons to maintain certain records.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each respondent: 420 hours.

    Burden statement-all respondents: 120 respondents x 420 hours =

    50,400 Burden Hours initial year.

    The Commission estimates that an AT Person without the hardware and

    software in place to maintain the records required by Supplemental

    proposed Sec. 1.84(a) would incur a cost of $41,840 to purchase and

    set up the required hardware and software, migrate existing Algorithmic

    Trading Source Code and logs into the software and draft appropriate

    recordkeeping policies and procedures and make technology improvements

    to recordkeeping infrastructure. This cost is broken down as follows:

    Hardware costing $12,000,\450\ software costing $2,000,\451\ 1 Project

    Manager for the Algorithmic Trading Source Code and log migration

    effort, working for 60 hours (60 x $70 = $4,200); 1 Developer for the

    Algorithmic Trading Source Code and log migration effort, working for

    60 hours (60 x $75 = $4,500), 1 Project Manager to develop the related

    policies and procedures, working for 120 hours (120 x $70 = $8,400), 1

    Business Analyst to develop the related policies and procedures,

    working for 120 hours (120 x $52 = $6,240), and 1 Developer to develop

    the related policies and procedures, working for 60 hours (60 x $75 =

    $4,500). Therefore, if none of the 120 AT Persons had sufficient

    hardware and software to comply, they would therefore incur a total

    initial cost of $5,020,800 (120 x $41,840).

    ---------------------------------------------------------------------------

    \450\ The Commission estimates that the hardware could cost from

    $1,000 to $25,000 depending on factors including which hardware

    vendor an AT Person chooses, the amount of business the AT Person

    does with the hardware vendor and the pricing the hardware vendor

    provides the AT Person as a result.

    \451\ The Commission estimates that the software could cost from

    $0 to $5,000 depending on factors including which hardware vendor an

    AT Person chooses, the amount of business the AT Person does with

    the hardware vendor and the pricing the hardware vendor provides the

    AT Person as a result.

    ---------------------------------------------------------------------------

    ii. Firms With Sufficient Hardware and Software in Place

    Firms that have the necessary systems in place may nevertheless

    need to make changes to their policies and procedures and enhance their

    hardware to provide more storage capacity, in each case to address the

    requirements of Supplemental proposed Sec. 1.84(a). The discussion

    below addresses both the effort it takes to determine what upgrades

    need to be made, and to implement those upgrades.

    The Commission estimates that Supplemental proposed Sec. 1.84(a)

    requiring AT Persons to maintain specified records related to their

    Algorithmic Trading Source Code and their Algorithmic Trading systems'

    activity will result in initial outlay of 90 hours of burden per AT

    Person with sufficient hardware and software to comply with

    Supplemental proposed Sec. 1.84(a), and 10,800 burden hours in total.

    The estimated burden was calculated as follows:

    Burden: Supplemental proposed Sec. 1.84(a), which would require AT

    Persons to maintain certain records.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each respondent: 90 hours.

    [[Page 85388]]

    Burden statement--all respondents: 120 respondents x 90 hours =

    10,800 Burden Hours initial year.

    The Commission estimates that, on an initial basis, an AT Person

    with the hardware and software in place to maintain the records

    required by Supplemental proposed Sec. 1.84(a) would incur a cost of

    $12,160 to purchase and set up the required hardware and software,

    migrate existing Algorithmic Trading Source Code and logs into the

    software and draft appropriate recordkeeping policies and procedures

    and make technology improvements to recordkeeping infrastructure. This

    cost is broken down as follows: Hardware costing $4,000,\452\ 1 Project

    Manager to develop the related policies and procedures, working for 30

    hours (30 x $70 = $2,100, 1 Business Analyst to develop the related

    policies and procedures, working for 30 hours (30 x $52 = $1,560), and

    1 Developer to develop the related policies and procedures, working for

    60 hours (60 x $75 = $4,500). The 120 AT Persons would therefore incur

    a total initial cost of $1,459,200 (120 x $12,160).

    ---------------------------------------------------------------------------

    \452\ The Commission estimates that the hardware could cost from

    $1,000 to $10,000 depending on factors including which hardware

    vendor an AT Person chooses, the amount of business the AT Person

    does with the hardware vendor and the pricing the hardware vendor

    provides the AT Person as a result.

    ---------------------------------------------------------------------------

    b. Supplemental Proposed Sec. Sec. 1.84(b) and (c)

    In order to comply with the requirements set out in Supplemental

    proposed Sec. Sec. 1.84(b) and 1.84(c), AT Persons will have to use

    their version control software to manage their software's version

    history. This will require a standard monthly effort to maintain the

    environment so that each AT Person is able to respond to special calls

    and/or subpoenas.

    Monthly Maintenance: The Commission estimates that Supplemental

    proposed Sec. Sec. 1.84(b) and 1.84(c), which require AT Persons to

    produce records of Algorithmic Trading in response to a special call or

    subpoena, will result in ongoing costs of 324 hours of burden per AT

    Person per year, and 38,880 annual burden hours in total. The estimated

    burden was calculated as follows:

    Burden: Rule requiring AT Persons to produce Algorithmic Trading

    records in response to a Special Call or Subpoena.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated total burden on each respondent: 324 hours.\453\

    ---------------------------------------------------------------------------

    \453\ The Commission estimates 27 burden hours per respondent/

    affected entity per month. Annualizing this monthly figure by

    multiplying by 12 results in the 324 total burden hour estimate.

    ---------------------------------------------------------------------------

    Burden statement--all respondents: 120 respondents x 324 hours =

    38,880 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $24,120 to draft and update recordkeeping policies

    and procedures and make technology improvements to recordkeeping

    infrastructure. This cost is broken down as follows: 1 Project Manager,

    working for 3 hours per month x 12 months = 36 hours per year (36 x $70

    = $2,520); and 1 Developer, working for 24 hours per month x 12 months

    = 288 hours per year (288 x $75 = $21,600). The 120 AT Persons would

    therefore incur a total annual cost of $2,894,400 (120 x $24,120).

    Costs per Response to a Special Call or Subpoena: The Commission

    estimates that Supplemental proposed Sec. Sec. 1.84(b) and 1.84(c),

    which require AT Persons to produce records of Algorithmic Trading in

    response to a special call or subpoena, will result in costs per

    response of 72 hours of burden per AT Person, and 12,960 burden hours

    in total. The estimated burden was calculated as follows:

    Burden: Rule requiring AT Persons to produce Algorithmic Trading

    records in response to a Special Call or Subpoena.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 108 hours.

    Frequency of collection: Intermittent.

    Burden statement--all respondents: 120 respondents x 108 hours =

    12,960 Burden Hours per year.

    The Commission estimates that, on an intermittent basis, an AT

    Person will incur a cost of $5,844 to ensure compliance with those

    aspects of Supplemental proposed Sec. Sec. 1.84(b) and 1.84(c)

    requiring AT Persons to produce records of Algorithmic Trading in

    response to a special call or subpoena. This cost is broken down as

    follows: 1 Project Manager, working for 12 hours (12 x $70 = $840); 1

    Developer, working for 36 hours (36 x $75 = $2,700); and 1 Compliance

    Attorney, working for 24 hours (24 x $96 = $2,304). The 120 AT Persons

    would therefore incur a total annual cost of $701,280 (120 x $5,844).

    6. Sec. 1.85--Third-Party Algorithmic Trading Systems or Components

    The Commission estimates that the requirement under Supplemental

    proposed Sec. 1.85 that an AT Person may comply with an obligation

    under NPRM proposed Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(iii),

    1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.

    1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party

    that the third party is fulfilling the obligation, will result in: (1)

    60 one-time hours of burden per AT Person, and 7,200 burden hours in

    total; (2) 36 hours (on a recurring annual basis) of burden per AT

    Person, and 4,320 burden hours in total; (3) 60 one-time hours of

    burden per third party, and 3,000 burden hours in total; and (4) 36

    hours (on a recurring annual basis) of burden per third party, and

    1,800 burden hours in total. The estimated burden was calculated as

    follows:

    Burden: AT Person establishing the process for obtaining third-

    party certifications, obtaining the initial certifications and

    conducting due diligence on the accuracy thereof.

    Respondents/Affected Entities: 120.\454\

    ---------------------------------------------------------------------------

    \454\ The Commission estimates 120 AT Persons will rely on third

    party certifications pursuant to Supplemental proposed Sec. 1.85.

    This estimate is based on an assumption that each AT Person will

    rely on one third party service providers for such AT Person's ATS

    or components. In fact, the Commission anticipates that some AT

    Persons will not rely on any third party service providers for their

    ATSs or components, while other AT Persons will rely on two third

    party service providers. For purposes of this PRA analysis, the

    Commission believes that the best available estimate is that there

    will be a total of 120 Respondents/Affected Entities. The Commission

    seeks comment on this estimate.

    ---------------------------------------------------------------------------

    Estimated number of responses: 120.\455\

    ---------------------------------------------------------------------------

    \455\ This is calculated as the product of 120 estimated

    Respondents/Affected Entities and one initial response (i.e.,

    establishing the process for obtaining third party certifications,

    obtaining the initial certifications and conducting due diligence on

    the accuracy thereof).

    ---------------------------------------------------------------------------

    Estimated total burden on each respondent: 60 hours.\456\

    ---------------------------------------------------------------------------

    \456\ The Commission estimates that the initial response will

    take a Project Manager 24 hours, a Compliance Attorney 24 hours and

    a Developer 12 hours. The sum of those hours is 60 hours.

    ---------------------------------------------------------------------------

    Frequency of collection: One-time.

    Burden statement--all respondents: 120 respondents x 60 hours =

    7,200 Burden Hours per year.

    The Commission estimates that an AT Person will incur a one-time

    cost of $4,884 to establish the process for initially obtaining the

    third-party certifications permitted by Supplemental proposed Sec.

    1.85, conduct the related due diligence and obtain the initial

    certifications. This cost is broken down as follows: 1 Project Manager,

    working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney,

    working for 24 hours (24 x $96 = $2,304); and 1 Developer working for

    12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely

    on Sec. 1.85 would therefore incur a total one-time cost of $586,080

    (120 x $4,884).

    Burden: AT Person updating its certifications from third parties

    and

    [[Page 85389]]

    conducting updated due diligence on the accuracy thereof.

    Respondents/Affected Entities: 120.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 36 hours.\457\

    ---------------------------------------------------------------------------

    \457\ The Commission estimates that the annual collection will

    take a Project Manager 12 hours, a Compliance Attorney 12 hours and

    a Developer 12 hours. The sum of those hours is 36 hours. However,

    the Commission believes that in a typical year, the actual number of

    burden hours would be lower, provided that the product or service

    the AT Person receives from the third party provider has not changed

    substantially.

    ---------------------------------------------------------------------------

    Frequency of collection: Annual.

    Burden statement--all respondents: 120 respondents x 36 hours =

    4,320 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $2,892 to obtain the third-party certifications

    permitted by Supplemental proposed Sec. 1.85 and conduct the related

    due diligence. This cost is broken down as follows: 1 Project Manager,

    working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working

    for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours

    (12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.

    1.85 would therefore incur a total annual cost of $347,040 (120 x

    $2,892).

    Burden: Third party establishing the process for providing

    certifications to AT Persons, providing the initial certifications and

    cooperating with AT Persons conducting due diligence on the accuracy

    thereof.

    Respondents/Affected Entities: 50.\458\

    ---------------------------------------------------------------------------

    \458\ The Commission estimates that there will be a total of 50

    third party service providers to AT Persons for their ATSs or

    components. The Commission seeks comment on this estimate.

    ---------------------------------------------------------------------------

    Estimated number of responses: 50.\459\

    ---------------------------------------------------------------------------

    \459\ This is calculated as the product of 50 third parties and

    one initial response (i.e., establishing the process for providing

    third party certifications, providing the initial certifications and

    cooperating with AT Persons conducting due diligence on the accuracy

    thereof). The Commission assumes that each third party will provide

    a single certification to all AT Persons using a product or service

    from the third party. The Commission seeks comment on this estimate.

    ---------------------------------------------------------------------------

    Estimated total burden on each respondent: 60 hours.\460\

    ---------------------------------------------------------------------------

    \460\ The Commission estimates that, as with the initial

    collection burden on AT Persons, the initial response will take a

    third party Project Manager 24 hours, a third party Compliance

    Attorney 24 hours and a third party Developer 12 hours. The sum of

    those hours is 60 hours.

    ---------------------------------------------------------------------------

    Frequency of collection: One-time.

    Burden statement--all respondents: 50 responses x 60 hours = 3,000

    Burden Hours per year.

    The Commission estimates that a third party will incur a one-time

    cost of $4,884 to establish the process for initially providing the

    third-party certifications permitted by Supplemental proposed Sec.

    1.85 and cooperate with AT Persons conducting the related due

    diligence. This cost is broken down as follows: 1 Project Manager,

    working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney,

    working for 24 hours (24 x $96 = $2,304); and 1 Developer working for

    12 hours (12 x $75 = $900). The estimated 50 third parties that provide

    certifications pursuant to Supplemental proposed Sec. 1.85 would

    therefore incur a total initial cost of $244,200 (50 x $4,884).

    Burden: Third parties annually updating their certifications to AT

    Persons and cooperating with AT Persons conducting due diligence on the

    accuracy thereof.

    Respondents/Affected Entities: 50.\461\

    ---------------------------------------------------------------------------

    \461\ The Commission estimates that there will be a total of 50

    third party service providers to AT Persons for their ATSs or

    components.

    ---------------------------------------------------------------------------

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 36 hours.\462\

    ---------------------------------------------------------------------------

    \462\ The Commission estimates that, as with the recurring

    annual collection for AT Persons, the annual collection will take a

    third party Project Manager 12 hours, a third party Compliance

    Attorney 12 hours and a third party Developer 12 hours. The sum of

    those hours is 36 hours. However, the Commission believes that in a

    typical year, the actual number of burden hours would be lower,

    provided that the product or service the AT Person receives from the

    third party provider has not changed substantially.

    ---------------------------------------------------------------------------

    Frequency of collection: Annual.

    Burden statement--all respondents: 120 responses x 36 hours = 4,320

    Burden Hours per year.

    The Commission estimates that, on an annual basis, a third party

    will incur a cost of $2,892 to provide AT Persons the third-party

    certifications permitted by Supplemental proposed Sec. 1.85 and

    cooperate with AT Persons conducting the related due diligence. This

    cost is broken down as follows: 1 Project Manager, working for 12 hours

    (12 x $70 = $840); 1 Compliance Attorney, working for 12 hours (12 x

    $96 = $1,152); and 1 Developer working for 12 hours (12 x $75 = $900).

    The estimated 50 third parties that will rely on Sec. 1.85 would

    therefore incur a total annual cost of $144,600 (50 x $2,892).

    7. Sec. 38.255(c)--Risk Controls for Trading--FCM Certification to DCM

    Supplemental proposed Sec. 38.255(c) requires a DCM that permits

    DEA to require that an FCM use DCM-provided risk controls, or

    substantially equivalent controls developed by the FCM itself or a

    third party. Prior to an FCM's use of its own or a third party's

    systems and controls, the FCM must certify to the DCM that such systems

    and controls are in fact substantially equivalent to the systems and

    controls that the DCM makes available pursuant to Supplemental proposed

    Sec. 38.255(b). The Commission expects that the written notification

    pursuant to Supplemental proposed Sec. 38.255(c) will involve

    preparation and transmittal of a certification document. Accordingly,

    the Commission estimates that Supplemental proposed Sec. 38.255(c)

    will result in two burden hours per affected entity to prepare and send

    the notification: 1 Compliance Attorney, working for 1 hour (1 x $96 =

    $96); and 1 Chief Compliance Officer, working for 1 hour (1 x $139).

    The Commission is unable to estimate the exact number of FCMs that will

    choose to use its own or a third party's systems and controls. Assuming

    that all 70 executing FCMs were to do so for four DCMs, the Commission

    estimates that the 70 executing FCMs would incur a total one-time cost

    of $65,800 (70 x $235 x 4).\463\

    ---------------------------------------------------------------------------

    \463\ DCMs will incur some costs with respect to preparing an

    exchange rule requiring FCMs to provide Sec. 38.255(c)

    certifications. Exchange rule-writing costs are generally covered in

    the existing Part 40 PRA collection.

    ---------------------------------------------------------------------------

    8. Sec. 40.22(a)-(c)--Compliance With DCM Reviews

    The Commission expects that Supplemental proposed Sec. 40.22(a)-

    (c), which requires DCMs to periodically review AT Persons' compliance

    with Sec. Sec. 1.80 and 1.81 executing FCMs' compliance with Sec.

    1.82, will also impose burdens on the AT Persons and executing FCMs

    that will be subject to such reviews. The Commission believes that an

    adequate review program will typically require DCMs to evaluate AT

    Persons' and executing FCMs' compliance every two years. Low-risk

    parties may require less frequent review, while high-risk parties could

    require for frequent evaluation. The Commission estimates (on an annual

    basis) 48 hours of burden per AT Person and executing FCM, and 4,320

    burden hours in total per year. The estimated burden was calculated as

    follows:

    Burden: Compliance by AT Persons and FCMs with DCM Reviews.

    Respondents/Affected Entities: 180 (120 AT Persons + 60 FCMs).\464\

    ---------------------------------------------------------------------------

    \464\ The Commission is using 60, as opposed to 70, FCMs for

    purposes of this calculation because every FCM does not operate on

    all DCMs. Accordingly, a single DCM would not necessarily have to

    review every FCM.

    ---------------------------------------------------------------------------

    Estimated number of responses: 90 per year (180/2, or half of the

    total population per year).

    Estimated total burden on each AT Person or executing FCM: 48

    hours.

    Frequency of response: Once every two years.

    [[Page 85390]]

    Burden statement--all AT Persons and executing FCMs: 90 respondents

    x 48 hours = 4,320 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person or

    an executing FCM will incur a cost of $3,720 to facilitate a DCM's

    compliance with Supplemental proposed Sec. 40.22. Such costs reflect

    to the burden to an AT Person or executing FCM of providing written

    information, responding to questions, and otherwise furnishing such

    information as the DCM may need to discharge its responsibilities. This

    cost is broken down as follows: 1 Senior Compliance Specialist, working

    for 36 hours (36 x $57 = $2,052); and 1 Chief Compliance Officer,

    working for 12 hours (12 x $139 = $1,668). The 180 AT Persons and

    executing FCMs that will be subject to Sec. 40.22 DCM review programs

    would therefore incur a total annual cost of $334,800 (90 x $3,720).

    9. Sec. 40.22(d)--Certification Requirement

    The Commission estimates that Supplemental proposed Sec. 40.22(d),

    which states that DCMs must require each AT Person to provide the DCM

    an annual certification attesting that the AT Person complies with the

    requirements of Sec. Sec. 1.80 and 1.81, will result in (on an annual

    basis) 12 hours of burden per AT Person and 1,440 burden hours total.

    The Commission expects that the annual certification requirement will

    involve preparation and transmittal of a document that makes the

    required certification, and that most of the burden hours associated

    with this requirement would involve review and analysis by compliance

    personnel of the entity's compliance with Sec. Sec. 1.80 and 1.81

    necessary to enable the CCO or CEO to sign the certification. The

    estimated burden was calculated as follows:

    Burden: Compliance certifications submitted by AT Persons to DCMs.

    Respondents/Affected Entities: 120 AT Persons.

    Estimated number of responses: 120.

    Estimated total burden on each respondent: 12 hours.

    Frequency of collection: Annual.

    Burden statement--all respondents: 120 respondents x 12 hours =

    1,440 Burden Hours per year.

    The Commission estimates that, on an annual basis, an AT Person

    will incur a cost of $1,176 to submit the compliance certification that

    will be required by proposed Sec. 40.22(d). This cost is broken down

    as follows: 1 Senior Compliance Specialist, working for 6 hours (6 x

    $57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 x

    $139 = $834), for each certification to one DCM. The 120 AT Persons

    that will be subject to DCM rules implemented pursuant to Sec.

    40.22(d) would therefore incur a total annual cost of $141,120 (120 x

    $1,176).

    Proposed Sec. 40.22(d) also states that DCMs must require that

    each executing FCM provide the DCM with an annual certification

    attesting that the executing FCM complies with the requirements of

    Sec. 1.82. The Commission estimates that this requirement will result

    in (on an annual basis), 10 hours of burden per executing FCM, and

    2,800 burden hours total. The Commission expects that the annual

    certification requirement will involve preparation and transmittal of a

    document that makes the required certification, and that most of the

    burden hours associated with this requirement would involve review and

    analysis by compliance personnel of the entity's compliance with Sec.

    1.82 necessary to enable the CCO or CEO to sign the certification. The

    estimated burden was calculated as follows:

    Burden: Compliance certifications submitted by executing FCMs to

    DCMs.

    Respondents/Affected Entities: 70 executing FCMs.

    Estimated number of responses: 70.

    Estimated total burden on each respondent: 12 hours.

    Frequency of collection: Annual.

    Burden statement--all respondents: 70 respondents x 12 hours = 840

    Burden Hours per year.

    The Commission estimates that, on an annual basis, an executing FCM

    will incur a cost of $1,176 to submit the compliance certification

    required by proposed Sec. 40.22(d). This cost is broken down as

    follows: 1 Senior Compliance Specialist, working for 6 hours (6 x $57 =

    $342); and 1 Chief Compliance Officer, working for 5 hours (5 x $139 =

    $834), for each certification to one DCM. The 70 executing FCMs that

    will be subject to DCM rules implemented pursuant to Sec. 40.22(d)

    would therefore incur a total annual cost of $82,320 (70 x $1,176).

    10. Commission Questions

    67. The Commission welcomes all comments on the PRA analysis set

    forth in this Supplemental NPRM and, in particular, all comments

    regarding the accuracy of its estimate that 120 AT Persons would rely

    on third-party certifications pursuant to Supplemental proposed Sec.

    1.85.

    68. The Commission seeks comment on its estimate that 50 third

    parties would provide certifications to AT Persons pursuant to

    Supplemental proposed Sec. 1.85.

    69. The Commission seeks comment on its estimated costs on AT

    Persons and third parties in connection with Supplemental proposed

    Sec. 1.85.

    70. The Commission is assuming that each third party that provides

    certifications under Supplemental proposed Sec. 1.85 will provide a

    single certification to all AT Persons that use a product or service

    from such third party. The Commission seeks comment on whether it is

    feasible for a third party to provide a single certification to all AT

    Persons using such third party's products or services.

    List of Subjects

    17 CFR Part 1

    Commodity futures, Commodity pool operators, Commodity trading

    advisors, Definitions, Designated contract markets, Floor brokers,

    Futures commission merchants, Introducing brokers, Major swap

    participants, Reporting and recordkeeping requirements, Swap dealers.

    17 CFR Part 38

    Commodity futures, Designated contract markets, Reporting and

    recordkeeping requirements.

    17 CFR Part 40

    Commodity futures, Definitions, Designated contract markets,

    Reporting and recordkeeping requirements.

    17 CFR Part 170

    Commodity futures, Commodity pool operators, Commodity trading

    advisors, Floor brokers, Futures commission merchants, Introducing

    brokers, Major swap participants, Reporting and recordkeeping

    requirements, Swap dealers.

    For the reasons stated in the preamble, the Commodity Futures

    Trading Commission proposes to amend 17 CFR chapter I as follows:

    PART 1--GENERAL REGULATIONS UNDER THE COMMODITY EXCHANGE ACT

    0

    1. The authority citation for part 1 continues to read as follows:

    Authority: 7 U.S.C. 1a, 2, 5, 6, 6a, 6b, 6c, 6d, 6e, 6f, 6g,

    6h, 6i, 6k, 6l, 6m, 6n, 6o, 6p, 6r, 6s, 7, 7a-1, 7a-2, 7b, 7b-3, 8,

    9, 10a, 12, 12a, 12c, 13a, 13a-1, 16, 16a, 19, 21, 23, and 24

    (2012).

    0

    2. Amend Sec. 1.3 as follows:

    0

    a. Revise paragraph (x);

    0

    b. Reserve paragraphs (tttt)-(vvvv);

    0

    c. Add paragraphs (wwww), (xxxx), and (yyyy);

    0

    d. Reserve paragraphs (zzzz) and (aaaaa); and

    0

    e. Add paragraphs (bbbbb), (ccccc), and (ddddd).

    [[Page 85391]]

    The revisions and additions to read as follows:

    Sec. 1.3 Definitions.

    * * * * *

    (x) Floor trader--(1) In general. This term means any person:

    (i) Who, in or surrounding any pit, ring, post or other place

    provided by a contract market for the meeting of persons similarly

    engaged, purchases, or sells solely for such person's own account--

    (A) Any commodity for future delivery, security futures product, or

    swap; or

    (B) Any commodity option authorized under section 4c of the Act; or

    (ii) Who is registered with the Commission as a floor trader; or

    (iii)(A) Who, in or surrounding any other place provided by a

    contract market for the meeting of persons similarly engaged, purchases

    or sells solely for such person's own account--

    (1) Any commodity for future delivery, security futures product, or

    swap; or

    (2) Any commodity option authorized under section 4c of the Act;

    (B) Who uses Direct Electronic Access as defined in paragraph

    (yyyy) of this section, in whole or in part, to access such other place

    for Algorithmic Trading;

    (C) Who is not registered with the Commission as a futures

    commission merchant, floor broker, swap dealer, major swap participant,

    commodity pool operator, commodity trading advisor, or introducing

    broker; and

    (D) Who, with respect to purchases or sales on any designated

    contract market of any commodity for future delivery, security futures

    product, or swap, or any commodity option authorized under section 4c

    of the Act, satisfies the volume threshold test set forth in paragraph

    (x)(2) of this section.

    (2) Volume threshold test. A person satisfies the volume threshold

    test for purposes of paragraph (x)(1)(iii)(D) of this section if such

    person trades an aggregate average daily volume of at least 20,000

    contracts for such person's own account, the accounts of customers, or

    both where:

    (i) Such person shall calculate the aggregate average daily volume

    across all products and on the electronic trading facilities of all

    designated contract markets where such person trades;

    (ii) Such person shall calculate the aggregate average daily volume

    for each January 1 through June 30 and July 1 through December 31

    period, based on all trading days in the respective period; and

    (iii) For purposes of calculating the aggregate average daily

    volume, such person shall aggregate its own trading volume and that of

    any other persons controlling, controlled by or under common control

    with such person.

    (3) Registration period. (i) Unregistered persons who satisfy

    paragraphs (x)(1)(iii)(A)-(C) of this section, and who satisfy the

    volume threshold test set forth in paragraph (x)(2) of this section in

    any January 1 through June 30 or July 1 through December 31 period,

    shall register as a floor trader within 30 days after the end of such

    period and shall comply with all requirements of AT Persons pursuant to

    Commission regulations in this chapter within 90 days after the end of

    such period.

    (ii) For any group consisting of a person and any other persons

    controlling, controlled by or under common control with such person, if

    such group of persons in the aggregate satisfies the volume threshold

    test set forth in paragraph (x)(2) of this section, then one or more

    persons in such group shall register as floor traders under paragraph

    (x)(3)(i) of this section, so that the aggregate average daily volume

    of the unregistered persons in the group trade an aggregate average

    daily volume below the volume threshold test set forth in paragraph

    (x)(2) of this section.

    (4) Anti-Evasion. (i) No person shall trade contracts or cause

    contracts to be traded through multiple entities for the purpose of

    evading the registration requirements imposed on floor traders under

    paragraph (x)(3) of this section, or to avoid meeting the definition of

    AT Person under paragraph (xxxx) of this section.

    (ii) Contracts that any person trades or causes to be traded

    through multiple entities for the purpose of evading the registration

    requirements imposed on floor traders under paragraph (x)(3) of this

    section, or to avoid meeting the definition of AT Person under

    paragraph (xxxx) of this section, shall be attributed to such person

    for purposes of the volume threshold test calculation contained in

    paragraph (x)(2) of this section.

    * * * * *

    (tttt)-(vvvv) [Reserved]

    (wwww) AT Order Message. This term means each new order submitted

    through Algorithmic Trading by an AT Person and each modification or

    cancellation submitted through Algorithmic Trading by an AT Person with

    respect to such an order.

    (xxxx) AT Person. (1) This term means any person registered or

    required to be registered as a--

    (i) Futures commission merchant, floor broker, swap dealer, major

    swap participant, commodity pool operator, commodity trading advisor,

    or introducing broker that--

    (A) Engages in Algorithmic Trading on or subject to the rules of a

    designated contract market; and

    (B) With respect to purchases or sales of any commodity for future

    delivery, security futures product, or swap, or any commodity option

    authorized under section 4c of the Act, satisfies, or has satisfied,

    the volume threshold test set forth in paragraph (x)(2) of this

    section; provided, however, that if an AT Person does not satisfy such

    volume threshold test for two consecutive semi-annual periods, as

    outlined in paragraph (x)(2) of this section, then such person shall no

    longer be considered an AT Person; or

    (ii) Floor trader as defined in paragraph (x)(1)(iii) of this

    section.

    (2)(i) A person who does not satisfy the conditions of paragraph

    (xxxx)(1) of this section may elect to become an AT Person, provided

    that such person:

    (A) Registers as a floor trader as defined in paragraph (x)(1)(ii)

    of this section; and

    (B) Submits an application for membership in at least one

    registered futures association pursuant to Sec. 170.18 of this

    chapter.

    (ii) A person that elects to become an AT Person pursuant to

    paragraph (xxxx)(2)(i) of this section shall comply with all

    requirements of AT Persons pursuant to Commission regulations in this

    chapter.

    (yyyy) Direct Electronic Access. For purposes of Sec. Sec. 1.3(x),

    1.3(xxxx), 1.80, 1.81, and 1.82, and Sec. Sec. 38.255 and 40.20 of

    this chapter, this term means the electronic transmission of an order

    for processing on or subject to the rules of a contract market,

    including the electronic transmission of any modification or

    cancellation of such order; provided however that this term does not

    include orders, or modifications or cancellations thereof,

    electronically transmitted to a designated contract market by a futures

    commission merchant that such futures commission merchant first

    received from an unaffiliated natural person by means of oral or

    written communications.

    (zzzz)-(aaaaa) [Reserved]

    (bbbbb) Electronic Trading Order Message. This term means each new

    order submitted by Electronic Trading and each modification or

    cancellation submitted by Electronic Trading with respect to such an

    order.

    (ccccc) Algorithmic Trading Source Code. Algorithmic Trading Source

    Code

    [[Page 85392]]

    generally means computer commands written in a computer programming

    language that is readable by natural persons. For purposes of

    Sec. Sec. 1.81 and 1.84, Algorithmic Trading Source Code shall include

    at minimum computer code, logic embedded in electronic circuits,

    scripts, parameters input into an Algorithmic Trading system, formulas,

    and configuration files.

    (ddddd) Electronic Trading. For purposes of Sec. Sec. 1.80, 1.82,

    and 1.83, and Sec. Sec. 38.255, 40.20, and 40.22 of this chapter, this

    term means trading in any commodity interest as defined in paragraph

    (yy) of this section on an electronic trading facility as such term is

    defined by section 1a(16) of the Act, where the order, order

    modification or order cancellation is electronically submitted for

    processing on or subject to the rules of a designated contract market.

    0

    3. Add subpart A to read as follows:

    Subpart A--Requirements for Algorithmic Trading

    Sec.

    1.80 Pre-trade risk controls for AT Persons.

    1.81 Standards for the development, monitoring, and compliance of

    Algorithmic Trading systems.

    1.82 Executing futures commission merchant risk management.

    1.83 AT Person and executing futures commission merchant

    recordkeeping.

    1.84 Maintenance of Algorithmic Trading Source Code and related

    records.

    1.85 Use of third-party Algorithmic Trading systems or components.

    Subpart A--Requirements for Algorithmic Trading

    Sec. 1.80 Pre-trade risk controls for AT Persons.

    For all AT Order Messages, an AT Person shall implement pre-trade

    risk controls and other measures reasonably designed to prevent and

    reduce the potential risk of an Algorithmic Trading Event, including

    but not limited to:

    (a) [Reserved]

    (1) [Reserved]

    (2) Pre-trade risk controls shall be set at a level or levels of

    granularity that shall include as appropriate the level of each AT

    Person, product, account number or designation, or one or more

    identifiers of the natural persons or the order strategy or Algorithmic

    Trading system associated with an AT Order Message.

    (b) [Reserved]

    (c) [Reserved]

    (d) Delegation. (1) An AT Person may choose to comply with

    paragraph (a) of this section by implementing required pre-trade risk

    controls, or it may instead delegate compliance with such obligations

    to its executing futures commission merchant(s).

    (2) An AT Person may only delegate such functions when--

    (i) It is technologically feasible for each relevant futures

    commission merchant to comply with paragraph (a) of this section with a

    level of effectiveness reasonably designed to prevent and reduce the

    potential risk of an Algorithmic Trading Event; and

    (ii) Each relevant futures commission merchant notifies the AT

    Person in writing that the futures commission merchant has accepted the

    AT Person's delegation and that it will comply with paragraph (a) of

    this section on behalf of the AT Person.

    (e) [Reserved]

    (f) Periodic review for sufficiency and effectiveness. Each AT

    Person shall periodically review its compliance with this section to

    determine whether it has effectively implemented sufficient measures

    reasonably designed to prevent and reduce the potential risk of an

    Algorithmic Trading Event. Each AT Person that has delegated its pre-

    trade risk controls to a futures commission merchant pursuant to

    paragraph (d) or paragraph (g)(2)-(3) of this section shall

    periodically review such futures commission merchant's compliance with

    the requirements of paragraph (a) of this section on behalf of the AT

    Person. Each AT Person shall take prompt action to remedy any

    deficiencies it identifies in its own measures or in those of a futures

    commission merchant to which it has delegated.

    (g) AT Persons' pre-trade risk controls for electronic trading. (1)

    An AT Person shall also apply the risk control mechanisms described in

    paragraphs (a), (b), and (c) of this section to its Electronic Trading

    Order Messages that do not arise from Algorithmic Trading, after making

    appropriate adjustments in the risk control mechanisms to accommodate

    the application of such mechanisms to Electronic Trading Order

    Messages.

    (2) An AT Person may choose to comply with paragraph (g)(1) of this

    section as to the risk controls in paragraph (a) of this section by

    implementing required pre-trade risk controls, or it may instead

    delegate compliance with such obligations to its executing futures

    commission merchant(s).

    (3) An AT Person may only delegate such functions when--

    (i) It is technologically feasible for each relevant futures

    commission merchant to comply with paragraph (g)(1) of this section as

    to risk control mechanisms required by paragraph (a) of this section

    with a level of effectiveness reasonably designed to prevent and reduce

    the potential risk of a disruption associated with Electronic Trading;

    and

    (ii) Each relevant futures commission merchant notifies the AT

    Person in writing that the futures commission merchant has accepted the

    AT Person's delegation and that it will comply with paragraph (a) of

    this section on behalf of the AT Person.

    Sec. 1.81 Standards for the development, monitoring, and compliance

    of Algorithmic Trading systems.

    (a) Development and testing of Algorithmic Trading Systems. (1)

    [Reserved]

    (i) [Reserved]

    (ii) Testing of all Algorithmic Trading systems, including

    Algorithmic Trading Source Code, and any changes to such systems or

    code, prior to their implementation. Such testing shall be reasonably

    designed to effectively identify circumstances that may contribute to

    future Algorithmic Trading Events.

    (iii)-(iv) [Reserved]

    (2) [Reserved]

    (b)-(d) [Reserved]

    Sec. 1.82 Executing futures commission merchant risk management.

    (a) Electronic Trading Order Messages not originating with an AT

    Person. Each executing futures commission merchant shall comply with

    the following requirements for all Electronic Trading Order Messages

    not originating with an AT Person:

    (1) Make use of pre-trade risk controls reasonably designed to

    prevent and reduce the potential risk of a disruption associated with

    Electronic Trading (including an Algorithmic Trading Disruption),

    including at a minimum:

    (i) Maximum Electronic Trading Order Message frequency per unit

    time and maximum execution frequency per unit time; and

    (ii) Order price parameters and maximum order size limits.

    (2) Pre-trade risk controls must be set at a level or levels of

    granularity that will prevent and reduce the potential risk of an

    Electronic Trading disruption, which shall include as appropriate the

    level of each customer, product, account number or designation, or one

    or more identifiers of the natural persons or the order strategy or

    Algorithmic Trading system associated with an Electronic Trading Order

    Message.

    (3) The futures commission merchant shall have policies and

    procedures reasonably designed to ensure that natural person monitors

    at the futures

    [[Page 85393]]

    commission merchant are promptly alerted when pre-trade risk control

    parameters established pursuant to this section are breached.

    (4) Make use of order cancellation systems that have the ability

    to:

    (i) Immediately disengage Electronic Trading;

    (ii) Cancel selected or up to all resting orders when system or

    market conditions require it; and

    (iii) Prevent submission of new Electronic Trading Order Messages.

    (b) Direct Electronic Access orders. For all Electronic Trading

    Order Messages not originating with an AT Person and that are submitted

    to a trading platform through Direct Electronic Access as defined in

    Sec. 1.3(yyyy), the futures commission merchant may comply with the

    requirements of paragraphs (a)(1), (2), and (4) of this section by

    implementing the pre-trade risk controls and order cancellation systems

    provided by designated contract markets pursuant to Sec. 38.255(b) and

    (c) of this chapter.

    (c) Non-Direct Electronic Access orders. For all Electronic Trading

    Order Messages not originating with an AT Person and that are not

    submitted to a trading platform through Direct Electronic Access as

    defined in Sec. 1.3(yyyy), the futures commission merchant shall

    comply with the requirements of paragraphs (a)(1), (2), and (4) of this

    section by--

    (i) Itself establishing and maintaining the pre-trade risk controls

    and order cancellation systems described in paragraphs (a)(1), (2), and

    (4) of this section; or

    (ii) Implementing the pre-trade risk controls and order

    cancellation systems provided by designated contract markets pursuant

    to Sec. 38.255(b) and (c) of this chapter.

    Sec. 1.83 AT Person and executing futures commission merchant

    recordkeeping.

    (a) AT Person recordkeeping. Each AT Person shall keep, and provide

    upon request to each designated contract market on which such AT Person

    engages in Algorithmic Trading, books and records regarding such AT

    Person's compliance with all requirements pursuant to Sec. Sec. 1.80

    and 1.81.

    (b) Executing futures commission merchant recordkeeping. Each

    executing futures commission merchant shall keep, and provide upon

    request to each designated contract market on which its customers

    engage in Electronic Trading, books and records regarding such futures

    commission merchant's compliance with all requirements pursuant to

    Sec. 1.82.

    Sec. 1.84 Maintenance of Algorithmic Trading Source Code and related

    records.

    (a) Records required to be maintained. Each AT Person shall retain

    the following records, in their native format, for a period of five

    years:

    (1) Any Algorithmic Trading Source Code used by the AT Person.

    (2) Any records generated by the AT Person in the ordinary course

    of business that track material changes to the Algorithmic Trading

    Source Code, including, if generated by the AT Person in the ordinary

    course of business, a record of when and by whom such changes were

    made.

    (3) Any logs or log files generated by the AT Person in the

    ordinary course of business that record the activity of the AT Person's

    Algorithmic Trading system, including a chronological record of such

    system's actions.

    (b) Commission access to required records pursuant to special call.

    AT Persons shall produce records required to be maintained pursuant to

    Sec. 1.84(a) as requested pursuant to special call of the Commission.

    (1) Form and manner. Such special call by the Commission may

    authorize the Director of the Division of Market Oversight to execute

    the special call and to specify the form and manner in which records

    shall be produced.

    (2) Accessibility and production of records of Algorithmic Trading

    activity. (i) The records required to be kept pursuant to Sec. 1.84(a)

    shall be maintained in a form and manner that ensures the authenticity

    and reliability of the information contained in such records.

    (ii) AT Persons shall have available at all times systems to

    promptly retrieve and display the records required to be maintained

    pursuant to Sec. 1.84(a) and the information contained in such

    records. Such systems shall, at a minimum, be equivalent to the systems

    used by the AT Persons when accessing records required to be maintained

    pursuant to Sec. 1.84(a) in the ordinary course of its business.

    (iii) Each AT Person must, at its own expense, produce promptly

    upon demand, such records as may be set forth in the Commission's

    special call or as specified by the Director of the Division of Market

    Oversight pursuant to special call by the Commission.

    (3) Confidentiality of records required to be maintained. Records

    required to be maintained pursuant to Sec. 1.84(a) are subject to

    section 8(a) of the Act when produced to the Commission pursuant to

    Sec. 1.84(b). Except as specifically authorized in the Act or the

    Commission's regulations in this chapter, the Commission shall not

    disclose any record provided pursuant to Sec. 1.84(b), including data

    and information that would separately disclose the market positions,

    business transactions, trade secrets, or names of customers of any

    person.

    (c) Subpoenas. The special call procedure set forth in paragraph

    (b) of this section in no way limits the ability of the Commission, any

    member of the Commission, or Commission staff to obtain records

    required to be maintained pursuant to paragraph (a) of this section via

    the subpoena procedure set forth in part 11 of this chapter.

    Sec. 1.85 Use of third-party Algorithmic Trading systems or

    components.

    (a) Use of third-party Algorithmic Trading systems or components.

    With respect to Algorithmic Trading systems or components, AT Persons

    who are otherwise unable to comply with an obligation set forth in the

    following provisions: Sec. Sec. 1.81(a)(1)(i), 1.81(a)(1)(ii),

    1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or 1.84, due solely to

    their use of third-party systems or components may comply with such

    obligation by obtaining a certification from the third party that the

    relevant system or component meets applicable regulatory requirements.

    (b) AT Persons shall obtain a new certification described in

    paragraph (a) of this section each time there is a material change to

    such third-party provided systems or components.

    (c) Each AT Person shall conduct due diligence to reasonably

    determine the accuracy and sufficiency of a certification provided by a

    third party.

    (d) Notwithstanding the provisions of paragraphs (a)-(c) of this

    section, each AT Person shall remain responsible for compliance with

    the obligations set forth in Sec. 1.84. Each AT Person shall retain

    records pursuant to Sec. 1.84(a), or shall cause such records to be

    maintained. Each AT Person shall also produce records pursuant to Sec.

    1.84(b), or cause such records to be produced, when requested by the

    Commission.

    PART 38--DESIGNATED CONTRACT MARKETS

    0

    4. The authority citation for part 38 continues to read as follows:

    Authority: 7 U.S.C. 1a, 2, 6, 6a, 6c, 6d, 6e, 6f, 6g, 6i, 6j,

    6k, 6l, 6m, 6n, 7, 7a-2, 7b, 7b-1, 7b-3, 8, 9, 15, and 21, as

    amended by the Dodd-Frank Wall Street Reform and Consumer Protection

    Act, Pub. L. 111-203, 124 Stat. 1376.

    0

    5. Revise Sec. 38.255 to read as follows:

    Sec. 38.255 Risk controls for trading.

    (a) [Reserved]

    [[Page 85394]]

    (b) For all Electronic Trading Order Messages that are submitted to

    a designated contract market through Direct Electronic Access as

    defined in Sec. 1.3(yyyy) of this chapter, the designated contract

    market shall make available to the executing futures commission

    merchants effective systems and controls, reasonably designed to

    facilitate the items enumerated below:

    (1) The futures commission merchant's management of the risks,

    pursuant to Sec. 1.82(a)(1) and (2) of this chapter, that may arise

    from such Electronic Trading.

    (i) Such systems and controls shall include, at a minimum, the pre-

    trade risk controls described in Sec. 1.82(a)(1) of this chapter.

    (ii) Such systems shall, at a minimum, enable the futures

    commission merchant to set the pre-trade risk controls at a level or

    levels of granularity that will prevent and reduce the potential risk

    of an Electronic Trading disruption, which shall include as appropriate

    the level of each customer, product, account number or designation, and

    one or more identifiers of the natural persons or the order strategy or

    Algorithmic Trading system associated with an Electronic Trading Order

    Message.

    (2) The future commission merchant's ability to make use of the

    order cancellation systems required by Sec. 1.82(a)(4) of this

    chapter. The designated contract market shall enable the future

    commission merchant to apply such order cancellation systems to orders

    at a level or levels of granularity that will prevent and reduce the

    potential risk of an Electronic Trading disruption, which shall include

    as appropriate orders from each customer, product, account number or

    designation, or one or more identifiers of the natural persons or the

    order strategy or Algorithmic Trading system associated with an

    Electronic Trading Order Message.

    (c) A designated contract market that permits Direct Electronic

    Access as defined in Sec. 1.3(yyyy) of this chapter shall also require

    futures commission merchants to use the systems and controls described

    in paragraph (b) of this section, or substantially equivalent systems

    and controls developed by the futures commission merchant itself or

    provided by a third party, with respect to all Electronic Trading Order

    Messages not originating with an AT Person that are submitted through

    Direct Electronic Access. Prior to a futures commission merchants' use

    of its own or a third party's systems and controls, the futures

    commission merchant must certify to the designated contract market that

    such systems and controls are substantially equivalent to the systems

    and controls that the designated contract market makes available

    pursuant to paragraph (b) of this section.

    PART 40--PROVISIONS COMMON TO REGISTERED ENTITIES

    0

    6. The authority citation for part 40 continues to read as follows:

    Authority: 7 U.S.C. 1a, 2, 5, 6, 7, 7a, 8 and 12, as amended by

    Titles VII and VIII of the Dodd-Frank Wall Street Reform and

    Consumer Protection Act, Pub. L. 111-203, 124 Stat. 1376 (2010).

    Sec. Sec. 40.13 through 40.19 [Reserved]

    0

    7. Add reserved Sec. Sec. 40.13 through 40.19.

    0

    8. Add Sec. 40.20 to read as follows:

    Sec. 40.20 Risk controls for trading.

    A designated contract market shall implement pre-trade and other

    risk controls reasonably designed to prevent and reduce the potential

    risk of a disruption associated with Electronic Trading (including an

    Algorithmic Trading Disruption), including at a minimum all of the

    following:

    (a) Pre-trade risk controls. Pre-trade risk controls reasonably

    designed to address the risks from Electronic Trading on a designated

    contract market.

    (1) The pre-trade risk controls to be established and used by a

    designated contract market shall include:

    (i) Maximum Electronic Trading Order Message frequency per unit

    time and maximum execution frequency per unit time; and

    (ii) Order price parameters and maximum order size limits.

    (2) Designated contract markets must set the pre-trade risk

    controls at a level or levels of granularity that will prevent and

    reduce the potential risk of an Electronic Trading disruption, which

    shall include as appropriate the level of each trading firm, by product

    or one or more identifiers of the natural persons or the order strategy

    or Algorithmic Trading system associated with an Electronic Trading

    Order Message.

    (3) [Reserved]

    (b) Order cancellation systems. (1) Order cancellation systems that

    have the ability to:

    (i) Immediately disengage Electronic Trading;

    (ii) Cancel selected or up to all resting orders when system or

    market conditions require it;

    (iii) Prevent submission of new Electronic Trading Order Messages;

    and

    (iv) Cancel or suspend all resting orders from AT Persons in the

    event of disconnect with the trading platform.

    (2) [Reserved]

    (c) [Reserved]

    Sec. 40.21 [Reserved]

    0

    9. Add reserved Sec. 40.21.

    0

    10. Add Sec. 40.22 to read as follows:

    Sec. 40.22 DCM requirements for AT Persons and executing FCMs; DCM

    review program.

    A designated contract market shall comply with the following:

    (a) Compliance program. Establish a program for effective periodic

    review and evaluation of AT Persons' compliance with Sec. Sec. 1.80

    and 1.81 of this chapter and executing futures commission merchant

    compliance with Sec. 1.82 of this chapter. An effective program shall

    include measures by the designated contract market reasonably designed

    to identify and remediate any insufficient mechanisms, policies and

    procedures, including identification and remediation of any inadequate

    quantitative settings or calibrations of pre-trade risk controls

    required of AT Persons pursuant to Sec. 1.80(a) of this chapter;

    (b) Maintenance of books and records. Implement rules that require

    each AT Person to keep and provide to the designated contract market

    books and records regarding such AT Person's compliance with all

    requirements pursuant to Sec. Sec. 1.80 and 1.81 of this chapter, and

    require each executing futures commission merchant to keep and provide

    to the designated contract market books and records regarding such

    executing futures commission merchant's compliance with all

    requirements pursuant to Sec. 1.82 of this chapter; and

    (c) Reporting. Require such periodic reporting from AT Persons and

    executing futures commission merchants as is necessary to fulfill the

    designated contract market's obligations pursuant to paragraph (a) of

    this section.

    (d) Annual Certification. Require by rule that AT Persons and

    executing futures commission merchants provide the designated contract

    market with an annual certification attesting the AT Person or

    executing futures commission merchant complies with the requirements of

    Sec. Sec. 1.80, 1.81, and 1.82 of this chapter, as applicable. Such

    annual certification shall be made by the chief compliance officer or

    chief executive officer of the AT Person or the executing futures

    commission merchant, and shall state that, to the best of his or her

    knowledge and reasonable belief, the information contained in the

    certification is accurate and complete.

    Sec. Sec. 40.23 through 40.28 [Reserved]

    0

    11. Add reserved Sec. Sec. 40.23 through 40.28.

    [[Page 85395]]

    PART 170--REGISTERED FUTURES ASSOCIATIONS

    0

    12. The authority citation for part 170 continues to read as follows:

    Authority: 7 U.S.C. 6d, 6m, 6p, 6s, 12a, and 21.

    0

    13. Add Sec. 170.18 to subpart C to read as follows:

    Sec. 170.18 AT Persons.

    Each registrant, as defined in Sec. 1.3(oooo) of this chapter,

    that is an AT Person, as defined in Sec. 1.3(xxxx) of this chapter,

    that is not otherwise required to be a member of a futures association

    that is registered under section 17 of the Act pursuant to Sec. Sec.

    170.15, 170.16, or 170.17 must submit an application for membership in

    at least one futures association that is registered under section 17 of

    the Act and that provides for the membership therein of such

    registrant, unless no such futures association is so registered, within

    30 days of such registrant satisfying the volume threshold test set

    forth in Sec. 1.3(x)(2) of this chapter.

    Subpart D [Reserved]

    Sec. 170.19 [Reserved]

    0

    14. Add reserved subpart D, consisting of reserved Sec. 170.19.

    Issued in Washington, DC, on November 7, 2016, by the

    Commission.

    Christopher J. Kirkpatrick,

    Secretary of the Commission.

    Note: The following appendices will not appear in the Code of

    Federal Regulations.

    Appendices to Regulation Automated Trading--Commission Voting Summary,

    Chairman's Statement, and Commissioners' Statements

    Appendix 1--Commission Voting Summary

    On this matter, Chairman Massad and Commissioner Bowen voted in

    the affirmative. Commissioner Giancarlo voted in the negative.

    Appendix 2--Statement of Chairman Timothy G. Massad

    I support this supplemental proposal related to ``Regulation

    AT,'' our proposed rule to address the increased use of automated

    trading in our markets.

    Automated trading dominates the markets we oversee. More than 70

    percent of trading in futures is now automated. And this is not just

    in financial futures; we see it in physical commodity futures as

    well.

    Our markets have fundamentally changed as a result. In just a

    few years, we have gone from open-outcry pits where floor traders

    jostled elbow-to-elbow to make trades, to a machine dominated market

    where a millisecond is considered slow. In fact, the new measure is

    a microsecond. In the time it would take a trader to hang up the

    phone and signal a single bid with his hands in the pit, today's

    machines can potentially generate thousands of orders.

    But in another respect, our markets have not changed at all.

    Farmers, ranchers, manufacturers, exporters--businesses of all

    types--still depend on them to hedge routine risk and engage in

    price discovery. Whether it is corn or copper, crude oil or cocoa,

    equities or Treasuries, Japanese yen or British pounds--businesses

    need these markets. They need them to function reliably, fairly, and

    free of manipulation or disruption.

    If anything has changed, it is that those needs are greater

    today. Businesses operate worldwide, commodity markets are global,

    and products are more diverse.

    Market participants look to us to make sure these markets

    operate with integrity. So while the landscape has changed

    dramatically, our mission has stayed the same.

    I meet with market participants of all types, and I find that

    traditional end-users, such as those from the agricultural

    community, are particularly concerned about the effects of automated

    trading on these markets. It is especially important for us to be

    able to respond to the concerns of those who are not so-called

    ``flash boys,'' and are only moving at human speed.

    The fact is that our regulations have not kept up with our

    modern markets. Today's proposal is a part of what we need to do to

    keep our regulatory system up-to-date, just as you need updates for

    your phone's operating system from time to time. There are other

    things we need to do to modernize our regulatory oversight and, in

    particular, to engage in adequate surveillance of modern trading

    methods. For example, we must continue to enhance our ability to

    receive and analyze message and other types of data, and cooperation

    among regulators will become increasingly important given how

    today's global markets are linked.

    This proposal focuses on minimizing the risk of disruption and

    other problems that can be caused by automated trading, and making

    sure we have the tools to deal with those problems should they

    occur. It requires reasonable risk controls, using a principles-

    based approach that would codify many industry best practices. But

    it does not prescribe the parameters or limits of such controls,

    because we know how diverse market participants can be, and we

    believe they are the ones who should determine those specifics. It

    requires testing and monitoring of algorithms. It requires the

    preservation of source code and other records--the equivalent of the

    records that those trading at human speed have preserved for years.

    And it ensures that we would have access to such records when

    necessary, just as for years we have reviewed the records of non-

    automated traders.

    In the last year, we received significant feedback on the

    proposal that the Commission unanimously approved in November of

    2015. And today's supplemental proposal makes a number of changes to

    that initial measure. They reflect the helpful suggestions and

    comments we have received.

    First, while our original proposal called for risk controls at

    three levels--the exchange, the futures commission merchant (FCM)

    and the trading firm--we heard from many respondents that this was

    redundant and costly. Many instead favored a two-tier structure.

    Therefore, today's proposal would require risk controls at the

    exchange level, and either the trader or FCM level. So for example,

    a firm could have its own controls--or opt in to the FCM controls,

    but we would not require both.

    In addition, we heard from many that the controls should pertain

    to all electronic trading, not just algorithmic trading. The

    proposal approved today also makes that change. It also provides

    greater flexibility regarding the level at which pre-trade risk

    controls must be set.

    We also heard that our registration requirement was overly

    broad. Some claimed it would require thousands of firms to register.

    Some even argued that we should not require registration at all; we

    should simply require risk controls.

    We need a registration requirement to make sure that some of the

    biggest traders in our markets are following the basic risk controls

    required by our proposal. But I am willing to have it appropriately

    tailored to those who are most active in our markets. Today, a small

    number of traders can represent a large percentage of total trading

    volume, including during periods of high volatility. For example,

    the evening after the UK's vote to exit the European Union, the ten

    most active firms represented approximately 60 percent of trade

    activity in British pound futures. This is why our supplemental

    proposal adds a volumetric test to our registration requirement, so

    that it pertains to those firms that are doing most of the trading.

    In addition, this proposal reduces Regulation AT's reporting

    requirements, by replacing the annual compliance report with a

    streamlined annual certification report.

    Finally, the proposal revises our original proposal on the issue

    of algorithmic trading source code. I have said many times that I

    support a rule that respects the proprietary value and

    confidentiality of source code. At the same time, this information

    may be critical to understanding what happened in the event of a

    market disruption or whether someone is complying with the law. This

    is why preservation of source code, as well as access, is critical.

    Therefore, this supplemental proposal makes the following changes.

    First, the proposal requires the Commission itself to make the

    decision to seek access to source code. No staff member can do so

    without Commission approval. This is a significant departure from

    our standard practice, which allows staff to seek access to

    information that registrants are required to preserve without a

    subpoena or specific Commission authorization. We have proposed this

    change in recognition of the concerns raised.

    The Commission could authorize the staff to seek such access

    either by means of a subpoena--which is sometimes the means used in

    the context of an enforcement investigation into behavior that may

    be unlawful--or a ``special call.'' The special

    [[Page 85396]]

    call is the means our surveillance division has used for many years

    to obtain and review information in connection with their oversight

    of trading, and it is issued by the staff. But in this case, we are

    proposing a process that will require the same level of Commission

    approval that comes with the issuance of a subpoena, even if it is

    for surveillance purposes.

    Our proposal also describes the steps we can take to preserve

    the confidentiality of source code. Exactly what we would do in any

    particular situation would depend on the facts, but confidentiality

    must always be preserved. It could include precautions like

    reviewing the source code on a computer that is not connected to the

    internet or any network, and housing that computer in a secure room.

    Further, employees of the agency are under statutory obligation to

    keep proprietary information like source code confidential. There

    are criminal penalties associated with violating that requirement. I

    would note that we have protected the confidentiality of source code

    in the past when we have obtained it.

    Finally, I disagree with the characterization that what we are

    doing amounts to a ``slippery slope.'' I would call this an ``uphill

    climb.'' Our markets have evolved much faster than our regulatory

    framework. We are climbing a steep hill to catch up; and to make

    sure we can always see and understand what is going on in our

    markets today.

    We have long engaged in surveillance that involves reviewing

    information that has significant proprietary value. This may consist

    of information on trading strategies, including activities in

    related markets, or information that would go to whether a position

    truly is a bona fide hedge, such as purchase or supply commitments

    of related cash commodities, inventory levels, production

    expectations, and so forth. Much of this information is confidential

    and proprietary, and so we protect it. Our review of it is not a

    denial of due process rights, nor is the proposal we have adopted

    today.

    We should not have a regulatory regime where those who still

    trade at human speed are subject to effective surveillance, but

    those who use machines are not. Our rules should not favor one

    method over another, and nobody should be able to hide behind their

    machines.

    I thank the hardworking CFTC staff for their work on this

    supplemental proposal and I thank my fellow Commissioners for their

    consideration.

    Appendix 3--Concurring Statement of Commissioner Sharon Y. Bowen

    Thank you. I'm glad to be here this morning as the Commission

    considers this supplemental proposal to our rulemaking on Automated

    Trading. I've said several times that I am a firm believer in two

    things: The need to enhance our rules to ensure that they are

    appropriately rigorous and protective and to find a rule that works

    and can be effectively implemented. I am pleased to say that I

    believe today's release does both. I commend our staff for their

    hard work on this proposal.

    Following significant engagement with a variety of stakeholders,

    from exchanges and proprietary traders to advocates of financial

    reform, we are making several important revisions to our proposed

    rule on automated trading. Of these changes, there are two in

    particular that I want to flag. First, we are revising our

    registration regime to better focus our attention and regulations on

    the firms responsible for substantial amounts of automated trading

    in our markets. Under this proposal, firms that make use of Direct

    Electronic Access (DEA) to connect to our markets will not

    automatically have to register. Instead, only those firms which use

    DEA and also have an average of 20,000 or more trades each day over

    a six month period will be required to register.\1\ It only seems

    appropriate that the firms responsible for a substantial portion of

    trades in our markets should have heightened regulatory requirements

    than small firms only entering a handful of trades a day. While a

    one-size-fits-all system may work in some cases, I believe it would

    be unduly burdensome to small firms to require that anyone who uses

    DEA automatically has to register. By offering a specific threshold

    for registration, however, it is critical that we pick the right

    number. I therefore am looking forward to the comments from market

    participants on whether 20,000 trades per day is the right level,

    too high, or too low. Given the interest that our previous proposal

    on registration engendered, I am sure that there will be some

    spirited debates about just what the proper threshold should be.

    ---------------------------------------------------------------------------

    \1\ Supplemental Notice of Proposed Rulemaking on Regulation on

    Automated Trading at II.C.1 and proposed rule Sec. 1.3(x)(2).

    ---------------------------------------------------------------------------

    However, while small firms with small volumes will not be

    required to register, it is not the case that their trades will be

    unregulated. In fact, the second major revision of today's proposal

    will require that all electronic trading, algorithmic as well as

    non-algorithmic, will have two separate layers of pre-trade risk

    controls on it. For those trades originating from an AT Person, both

    the designated contract market (DCM) and the AT Person will be

    obligated to place pre-trade risk controls on their electronic

    trades, with the AT Person having the option of delegating this

    responsibility to the relevant futures commission merchant (FCM).

    Meanwhile, any electronic trading from entities other than AT

    persons will also be subject to two levels of pre-trade risk

    controls: One level set by the DCM and one by the FCM. As a result,

    under this proposal, we will be ensuring that every single

    electronic trade, automated as well as non-automated, in our markets

    is subject to two levels of pre-trade risk controls without

    exception. Given the nearly constant technological innovations and

    redesigns involving algorithmic trading, I believe having two levels

    of risk controls is not only the most prudent course of action for

    our markets, it is also critical protection against a market

    malfunction harming investors or our broader economy. For those of

    you worried that automated trading is occurring free of any

    oversight or regulation, this rule seeks to allay some of those

    fears.

    As I have said before, however, this regulation is merely a

    first cut. Having looked at this issue for nearly a year, I have

    some doubts whether we are doing enough to ensure that all market

    participants, especially end-users in certain markets, are being

    given a level-playing field at present due to the proliferation of

    algorithmic trading. I therefore believe that we should consider

    instituting pilot programs in certain small sections of the market

    that can test the effects of additional, more substantial

    restrictions on algorithmic trading on market operations. Please

    note, I do not believe it is the time to place more rigorous

    restrictions on algorithmic trading on all the markets we regulate.

    Instead, I believe only that we should see whether there are some

    markets where a significant percentage of end-users are interested

    in establishing greater monitoring and regulation of algorithmic

    trading. If one or two such markets do exist, then those markets

    could be candidates for a tailored pilot program to gather data on

    the effects of algorithmic trading on those markets. We could then

    gain important insight on the effects of new market dynamics that

    continue to evolve. If you are an end-user and believe that your

    market would benefit from such a tailored pilot program, I encourage

    you to convey that message to the Commission.

    I had the pleasure of meeting with some members of the National

    Cattlemen's Beef Association earlier this year and more recently,

    who informed me that they believe algorithmic trading is having a

    substantial impact on livestock markets and that they are interested

    in gaining more data on how algorithmic trading is influencing

    livestock prices. I share a desire for more information, both about

    whether this rule is regarded as being a step in the right direction

    and about what, if any, effects algorithmic trading is having on our

    markets. If an observer has an issue with any part of this rule,

    especially if you feel it is too weak, I sincerely hope you will lay

    out that concern in detail and let us know how we can improve it.

    Finally, I want to thank stakeholders, particularly several

    industry groups, for their engagement with the Commission since we

    released our proposal. I was very happy to learn that some aspects

    of this proposal, including the idea of requiring pre-trade risk

    controls on all electronic trades, were suggested by members of the

    industry. We have notice and comment requirements for many reasons:

    Increased transparency, an opportunity for public involvement, and

    of course to set procedural strictures on the government. But one of

    the reasons undergirding our system of notice and comment is the

    idea that regulators do not have all the answers all of the time,

    and there is a role for market participants to play during the

    regulatory process. The fact that industry participants were able to

    devise and endorse a broad regulatory requirement on all automated

    trading is to be commended.

    Appendix 4--Dissenting Statement of Commissioner J. Christopher

    Giancarlo

    Introduction

    I have previously said that proposed Regulation Automated

    Trading (Reg. AT) is a well-meaning attempt by the Commodity Futures

    Trading Commission (CFTC or

    [[Page 85397]]

    Commission) to catch up to the digital revolution in U.S. futures

    markets.\1\ However, I have also raised some concerns ranging from

    the prescriptive compliance burdens to the disproportionate impact

    on small market participants to the regulatory inconsistencies of

    the proposed rule.\2\ I have also warned that any public good

    achieved by the rule is undone by the now notorious source code

    repository requirement.\3\ Not surprisingly, dozens of commenters to

    the proposal echoed my concerns and vehemently opposed the source

    code requirement.

    ---------------------------------------------------------------------------

    \1\ Opening Statement of Commissioner J. Christopher Giancarlo

    before the CFTC Staff Roundtable on Regulation Automated Trading,

    June 10, 2016, http://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement061016.

    \2\ Regulation Automated Trading, 80 FR 78824, 78945-48 (Dec.

    17, 2015).

    \3\ Id. at 78947.

    ---------------------------------------------------------------------------

    So, here we are again almost a year later to consider a

    Supplemental Notice of Proposed Rulemaking on Regulation Automated

    Trading (Supplemental Notice) because proposed Reg. AT missed the

    mark the first time around.\4\

    ---------------------------------------------------------------------------

    \4\ I note that at a time when the CFTC continuously pleads for

    additional resources, this is an example where the Commission could

    have saved a lot of time and effort if it spent a little more time

    up front to craft a sensible proposed Reg. AT.

    ---------------------------------------------------------------------------

    This Supplemental Notice does improve proposed Reg. AT in some

    respects, such as moving from three levels of risk controls to two

    levels in order to simplify the framework and narrowing the scope of

    registration so it may not capture smaller market participants.

    However, the Supplemental Notice does not go far enough. It subjects

    the source code retention and inspection requirements to the special

    call process and provides an unworkable compliance process for AT

    Persons \5\ that use software from third-party providers.

    ---------------------------------------------------------------------------

    \5\ As defined in the Supplemental Notice.

    ---------------------------------------------------------------------------

    I proposed several reasonable changes to the Commission and

    staff in an effort to make the Supplemental Notice workable and less

    burdensome, while still achieving its objectives. It is

    disappointing that those changes were not accepted. On a brighter

    note, the Commission has agreed to extend the comment period from 30

    days to 60 days. While a longer comment period may provide some

    comfort to commenters that they do not have to rush to finish their

    comment letters over the Thanksgiving holiday, it does nothing to

    address my substantive issues. I am certain that many commenters

    will once again echo my concerns.

    While I could focus on a number of issues with proposed Reg. AT

    and the Supplemental Notice, I will first concentrate my statement

    on the source code issue and then the third-party software provider

    requirements. Thereafter, I will discuss a few other topics, such as

    the prescriptive nature of the proposal and burdensome reporting

    requirements. I welcome comments on all these issues and others.

    Source Code Retention and Inspection Requirements

    No Subpoena Means No Due Process of Law

    Let me make clear at the outset that the CFTC can today obtain

    the computer source code of market participants pursuant to a

    subpoena. Therefore, the issue raised by proposed Reg. AT and this

    Supplemental Notice is NOT whether the CFTC can examine source code

    of automated traders where appropriate to investigate suspected

    market misbehavior. The issue raised by this proposal is whether the

    owners of source code have any say in the matter.

    The subpoena process provides property owners with due process

    of law before the government can seize their property. It protects

    owners of property--not the government that already has abundant

    power. It allows property owners an opportunity to challenge the

    scope, timing and manner of discovery and whether any legal

    privileges apply to the process of surrendering property to the

    government.

    The subpoena process therefore provides a fair compromise

    between the rights of property owners and the government's right to

    seize their property. Without the subpoena process, there is no

    balance between the civil liberties of the governed and the

    unlimited power of the government.

    As a foundation of civil liberties, the subpoena process

    precedes the American Republic going back to English common law. As

    a legal principle, it was woven into the Bill of Rights. As a

    bulwark of modern civil society, it protects the liberty of the

    governed from the tyranny of the government.

    The Supplemental Notice before us today, however, would strip

    owners of intellectual property of due process of law. The CFTC

    justifies this abridgement of rights with the condition that before

    the Commission can take source code \6\ it will abide by two

    procedural hurdles--a majority vote of the Commission and the

    special call process operated by the Division of Market Oversight

    (DMO).\7\

    ---------------------------------------------------------------------------

    \6\ I also note my concern with the breadth of the new

    Algorithmic Trading Source Code definition and invite comment on it.

    \7\ The Supplemental Notice allows the Commission to authorize

    the Director of DMO to execute the special call and to specify the

    form and manner in which records shall be produced. DMO's existing

    special call process has not operated without operational error or

    inadvertent disclosure of confidential information. The process

    should be subject to enhanced checks and balances, procedural

    controls and greater objectivity in targeting market behavior.

    ---------------------------------------------------------------------------

    This justification entirely misses the point. Abrogating the

    legal rights of property owners is not assuaged by imposing a few

    additional procedural burdens on the government agency seizing their

    property. Source code owners will have lost any say in the matter.

    The proposal gives unchecked power to the CFTC to decide if, when

    and how property owners must turn over their source code.

    Moreover, the special call process provides the CFTC an end-run-

    around the subpoena process. While the Supplemental Notice states

    that the CFTC will use the special call process to obtain source

    code in carrying out its market oversight responsibilities, there is

    no limit in the proposed rule on DMO staff from sharing source code

    with staff of the Division of Enforcement. The proposal will allow

    the Enforcement Division to view source code without bothering with

    a subpoena. Such sharing of information will likely become routine

    if this proposal is finalized.

    No Specific Source Code Protections

    Commenters have rightly questioned what level of security the

    CFTC will deploy to safeguard seized source code. In an attempt to

    assure market participants that their source code will be kept

    secure, the Supplemental Notice lists the various statutes and

    regulations that require confidentiality of such information. The

    proposed rule text also includes a reference to Commodity Exchange

    Act (CEA) section 8(a), which prohibits the release of trade secrets

    and other information.\8\

    ---------------------------------------------------------------------------

    \8\ 7 U.S.C. 12(a); CEA section 8(a).

    ---------------------------------------------------------------------------

    Yet, these are not new protections. They are in place today.

    Simply citing them in the preamble and rule text of the Supplemental

    Notice gives little assurance that the CFTC will safeguard source

    code. If the agency is determined to protect confidentiality, then

    it should include specific protections in the rule. For example, the

    CFTC could provide that it will only review source code at a

    property owner's premises or on computers not connected to the

    Internet. The CFTC could also state that it will return all source

    code to the property owner once its review is finished. The rule

    text provides no such assurances.

    Absent specific measures, it is absurd to suggest that source

    code will be kept secure. Just look at the area of government

    cybersecurity. In the six months after the CFTC proposed Reg. AT,

    hackers breached the computer networks of the Federal Deposit

    Insurance Corporation and the Federal Reserve.\9\ Incredibly, the

    U.S. Office of Personnel Management (OPM) that gave up 21.5 million

    personnel records in a year-long cyber penetration failed a security

    audit last November--six months after the breach was discovered.\10\

    In fact, federal, state and local government agencies rank last in

    cybersecurity when compared against 17 major private industries,

    including transportation, retail and healthcare.\11\

    ---------------------------------------------------------------------------

    \9\ Katie Bo Williams, Criminal Investigation Underway into

    Banking Regulator Data Breach, The Hill, May 12, 2016, http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach; Dustin Volz and Jason Lange, U.S. Lawmakers

    Probe Fed Cyber Breaches, Cite `Serious Concerns', Reuters, June 3,

    2016, http://t.reuters.com/article/topNews/idUSKCN0YP281.

    \10\ U.S. Office of Pers. Mgmt. Office of the Inspector Gen.

    Office of Audits, 4A-CI-00-15-011, Federal Information Security

    Modernization Act Audit FY 2015, Nov. 10, 2015; See also, Jack

    McCarthy, OIG Finds OPM Still Struggling with Security, Healthcare

    IT News, Nov. 30, 2015, http://www.healthcareitnews.com/blog/oig-finds-opm-still-struggling-security (discussing OIG's findings of

    OPM's security protocols six months after a massive data breach).

    \11\ Dustin Volz, U.S. Government Worse than All Major

    Industries on Cyber Security: Report, Reuters, Apr. 14, 2016, http://mobile.reuters.com/article/idUSKCN0XB27K.

    ---------------------------------------------------------------------------

    [[Page 85398]]

    The CFTC itself has an imperfect record as a guardian of

    confidential proprietary information.\12\ If this rule goes forward,

    the CFTC will make itself a target for a broader group of cyber

    criminals, including those engaged in commercial espionage.

    ---------------------------------------------------------------------------

    \12\ See generally Bart Chilton, The Government Can't be Trusted

    to Collect Source Code and Other Private Property, Business Insider,

    Nov. 1, 2016, http://www.businessinsider.com/bart-chilton-government-cant-be-trusted-to-collect-source-code-2016-11; Gregory

    Meyer and Philip Stafford, US Regulators Propose Powers to

    Scrutinise Algo Traders' Source Code, Financial Times, Dec. 1, 2015,

    https://www.ft.com/content/137f81bc-944f-11e5-b190-291e94b77c8f.

    ---------------------------------------------------------------------------

    Last Friday, we learned that a former employee of the Office of

    the Comptroller of the Currency (OCC) downloaded thousands of files

    from the agency's servers onto two removable thumb drives without

    authorization prior to retiring from the agency.\13\ The OCC said

    that when it contacted the former employee about those files, he was

    ``unable to locate or return the thumb drives to the agency.'' \14\

    ---------------------------------------------------------------------------

    \13\ Ben Lane, OCC Reveals Major Information Security Breach

    Involving Former Employee, HousingWire, Oct. 28, 2016, http://www.housingwire.com/articles/38402-occ-reveals-major-information-security-breach-involving-former-employee.

    \14\ Id.

    ---------------------------------------------------------------------------

    The OCC breach surely sent shivers up the spines of source code

    owners who received notice that same day of the CFTC's intention to

    move forward with the Supplemental Notice. They must have been

    doubly spooked when the CFTC's own servers crashed a few hours later

    due to a denial-of-service attack.

    Establishment of Dangerous Regulatory Precedent

    If the CFTC adopts the source code provisions of the

    Supplemental Notice, the Securities and Exchange Commission (SEC)

    will likely copy it and so will other U.S. and overseas regulators--

    and not just regulators of financial markets.\15\ Regulators like

    the Federal Communications Commission may demand source code for

    Apple's iPhone. The Federal Trade Commission may seek source code

    used in the matching engines of Google, Facebook and Snapchat. The

    National Security Agency may demand to see the source code of

    Cisco's switches and Oracle's servers. The Department of

    Transportation may demand Uber's auction technology and Tesla's

    driverless steering source code. Where does it end?

    ---------------------------------------------------------------------------

    \15\ Congressman Sean P. Duffy Letter to SEC Chair Mary Jo

    White, Aug. 10, 2016, http://modernmarketsinitiative.org/wp-content/uploads/2016/08/16.08.10-Automated-Trading-Letter-to-SEC.pdf.

    ---------------------------------------------------------------------------

    It certainly will not end on American shores. Overseas

    regulators will also mimic the rule. The German chancellor has said

    that she wants her government to examine the source code used in the

    matching engines of Google and Facebook because she does not like

    their political coverage of her administration.\16\ The Chinese

    government has already tried to put in place a rule to obtain the

    source code of U.S. technology firms.\17\ If the CFTC adopts this

    rule, it will make a mockery of the U.S. government's past attempts

    to oppose China's efforts to view proprietary commercial source

    code.\18\ It confirms that the CFTC is not on the same page as its

    own U.S. government counterparts.

    ---------------------------------------------------------------------------

    \16\ Article, Angela Merkel wants Facebook and Google's Secrets

    Revealed, BBC, Oct. 28, 2016, http://www.bbc.com/news/technology-37798762.

    \17\ Eva Dou, U.S., China Discuss Proposed Banking Security

    Rules, The Wall Street Journal, Feb. 13, 2015, http://www.wsj.com/articles/china-banking-regulator-considering-source-code-rules-1423805889; Shannon Tiezzi, US-China Talk Intellectual Property,

    Market Access at Trade Dialogue, The Diplomat, Nov. 25, 2015, http://thediplomat.com/2015/11/us-china-talk-intellectual-property-market-access-at-trade-dialogue/.

    \18\ Id. Congressmen Scott Garrett and Randy Neugebauer Letter

    to CFTC Chairman Timothy Massad, Aug. 3, 2016, http://modernmarketsinitiative.org/wp-content/uploads/2016/08/20160802-ESG-RN-Letter-to-CFTC-re-Reg-AT2.pdf.

    ---------------------------------------------------------------------------

    Undoubtedly, this proposed rule is a reckless step onto a

    slippery slope. Today, the federal government is coming for the

    source code of seemingly faceless algorithmic trading firms.

    Tomorrow, however, governments worldwide may come for the source

    code underlying the organizing and matching of Americans' personal

    information--their snapchats, tweets and instagrams, their online

    purchases, their choice of reading material and their political and

    social preferences. Seriously, where will it end?

    Possible Constitutional Challenge

    Fortunately, our country's founders protected Americans against

    unreasonable searches and seizures and guaranteed them due process

    of law in the U.S. Constitution. The Supreme Court has routinely and

    recently upheld these fundamental civil rights. If the CFTC adopts

    the Supplemental Notice as proposed, its source code seizure

    provisions may be robustly challenged in federal court. The

    litigation will consume the agency's precious, limited resources and

    its credibility in defending such a dubiously constitutional rule.

    That will be a sad waste of American taxpayer money.

    The CFTC justifies its actions based on its need to oversee the

    growing incidence of algorithmic trading and disruption in the

    financial markets. Given the relative ease of obtaining an

    administrative subpoena,\19\ I disagree with the assertion in the

    proposal that the special call process is necessary to review source

    code in association with usual trading events or market disruptions.

    The subpoena and the proposed special call process both require a

    Commission vote. One process is therefore not faster than the other.

    The only difference is that the special call process is an end-run-

    around the subpoena process and deprives source code owners of due

    process of law.

    ---------------------------------------------------------------------------

    \19\ United States v. Morton Salt Company, 338 U.S. 632 (1950).

    ---------------------------------------------------------------------------

    Third-Party Software Providers

    If the source code requirements are not bad enough, AT Persons

    who use third-party algorithmic trading systems and those third-

    parties are in for a real treat. Under the Supplemental Notice, AT

    Persons who use third-party trading systems are liable for turning

    over the source code of the third-party providers. An AT Person has

    no control over a third party's source code. And, third-parties have

    already said that they will not give out their source code.\20\

    ---------------------------------------------------------------------------

    \20\ Trading Technologies, Staff Roundtable, Elements of

    Proposed Regulation Automated Trading, Transcript, at 250-252, June

    10, 2016 (Roundtable Tr.), http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/transcript061016.pdf.

    ---------------------------------------------------------------------------

    In addition, the Supplemental Notice requires an AT Person who

    uses a third-party algorithmic trading system to obtain a

    certification and conduct due diligence to ensure that the third-

    party is complying with the development and testing requirements in

    proposed Reg. AT. The AT Person must obtain a new certification each

    time there is a material change to such third-party's system.

    These requirements are infeasible and could harm innovation and

    intellectual property rights. Participants at the Regulation AT

    roundtable also found the certification and due diligence suggestion

    impractical.\21\ One commenter said it could hurt smaller third-

    party vendors.\22\ Another commenter said that AT Persons may not

    have the necessary expertise to perform due diligence of third-party

    systems.\23\ They are correct. The CFTC must revisit these

    requirements. I invite commenters to propose less burdensome

    solutions.

    ---------------------------------------------------------------------------

    \21\ Id. at 239.

    \22\ Id.

    \23\ Tethys Technology, Roundtable Tr. at 248.

    ---------------------------------------------------------------------------

    Other Issues

    Finally, let me highlight three issues: (1) The prescriptive

    nature of risk controls and development and testing requirements;

    (2) burdensome reporting requirements; and (3) the need for a

    phased-in implementation process. I reassert the issues I raised

    from proposed Reg. AT last year. I thank the many commenters for

    responding to those questions and concerns.

    Prescriptive Nature of Risk Controls and Development and Testing

    Requirements

    When proposed Reg. AT was issued, I noted that the CFTC is

    basically playing catch-up to an industry that has already developed

    and implemented risk controls and related testing standards for

    automated trading.\24\ I supported a principles-based approach to

    risk controls and testing that built upon, rather than hindered

    ongoing industry efforts.\25\

    ---------------------------------------------------------------------------

    \24\ 80 FR at 78945.

    \25\ Id. at 78946.

    ---------------------------------------------------------------------------

    Many commenters to Reg. AT supported such a principles-based

    approach to risk controls and development and testing requirements

    and noted that proposed Reg. AT was too prescriptive.\26\ Commenters

    supported providing participants' flexibility to determine which

    risk controls are needed

    [[Page 85399]]

    and how those controls are applied and administered based on each

    participant's unique risk profile and business situation.\27\

    Commenters also noted that many of the proposed development and

    testing requirements are not practical and do not reflect how

    software is customarily developed, tested, deployed and

    monitored.\28\

    ---------------------------------------------------------------------------

    \26\ See, e.g., FIA Comment Letter at 3, 4-5 (Mar. 16, 2016);

    CME Comment Letter at 6, 7-8 (Mar. 16, 2016); ICE Comment Letter at

    10 (Mar. 16, 2016); CTC Comment Letter at 1 (Mar. 15, 2016).

    \27\ See, e.g., FIA Comment Letter at 3 (Mar. 16, 2016); CME

    Comment Letter at 7-8 (Mar. 16, 2016).

    \28\ See, e.g., FIA Comment Letter at 5 (Mar. 16, 2016); CTC

    Comment Letter at 12-14 (Mar. 15, 2016).

    ---------------------------------------------------------------------------

    I believe that the marketplace has implemented effective best

    practices and procedures for risk controls and development and

    testing of automated trading systems that account for different

    types of systems and businesses. Reg. AT's approach is a one-size-

    fits-all model that does not take into account individual

    circumstances. For example, the proposed risk controls may not apply

    to all market participants or at all levels and may have negative

    unintended consequences.\29\ The proposed development and testing

    requirements will require AT Persons to make costly changes to

    existing business practices and procedures with no material market

    benefit.\30\ Once again, I urge the CFTC to adopt a principles-based

    approach in the final rule so that AT Persons have the necessary

    flexibility to administer controls and testing based on their

    trading and risk profiles.

    ---------------------------------------------------------------------------

    \29\ See, e.g., FIA Comment Letter, Attachment A at 24-25 (Mar.

    16, 2016).

    \30\ See, e.g., CTC Comment Letter at 12 (Mar. 15, 2016).

    ---------------------------------------------------------------------------

    Still Burdensome Reporting Requirements

    The Supplemental Notice replaces the requirement in proposed

    Reg. AT that AT Persons and clearing member futures commission

    merchants (FCMs) prepare certain annual reports with an annual

    certification requirement. While that is positive, the Supplemental

    Notice requires designated contract markets (DCMs) to establish a

    program for effective periodic review and evaluation of AT Persons'

    and FCMs' compliance with risk controls and other requirements. The

    Supplemental Notice also retains proposed Reg. AT's requirement that

    the DCM must identify and remediate any insufficient mechanisms,

    policies and procedures, including identification and remediation of

    any inadequate quantitative settings or calibrations of pre-trade

    risk controls required of AT Persons.

    The Supplemental Notice touts the significantly decreased costs

    and enhanced flexibility to DCMs in designing a compliance program

    by replacing the annual reports with a certification requirement. I

    am not so sure that will be the case. The Supplemental Notice does

    not eliminate the compliance program altogether and replace it with

    a certification requirement. DCMs must still establish such a

    program and review and evaluate AT Persons' and FCMs' compliance

    with risk control and other requirements. I am concerned that this

    requirement could necessitate DCMs hiring additional staff to

    conduct periodic reviews with limited benefits for reducing risk.

    Even more problematic, DCMs are on the hook to identify and

    remediate any insufficient mechanisms, policies and procedures,

    including inadequate quantitative settings or calibrations of pre-

    trade risk controls. The Supplemental Notice acknowledges, but

    dismisses, DCMs' own concerns that they lack the technical

    capability to assess whether the quantitative settings or

    calibrations of AT Persons' controls are sufficient.\31\ In my

    statement on proposed Reg. AT, I suggested a much simpler process of

    self-assessments like FINRA requires.\32\ Commenters also suggested

    similar less burdensome processes.\33\ I urge the Commission to

    revisit this provision and provide a more workable solution that

    does not hold DCMs liable for identifying and remediating inadequate

    settings of AT Persons.

    ---------------------------------------------------------------------------

    \31\ CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment

    Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16,

    2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).

    \32\ 80 FR at 78947.

    \33\ CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment

    Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16,

    2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).

    ---------------------------------------------------------------------------

    Any Final Rule Must Be Phased-In

    Proposed Reg. AT and this Supplemental Notice if finalized in

    their current form will be a huge undertaking for all parties

    involved. The Futures Industry Association (FIA) estimated that it

    could take several years to implement.\34\ In this regard, FIA

    recommended that the CFTC implement Reg. AT in three separate rules:

    Pre-trade and other risk controls, policies and procedures regarding

    development and testing of algorithmic trading systems and

    registration.\35\ Other commenters also recommended phased-in

    rulemakings.\36\

    ---------------------------------------------------------------------------

    \34\ FIA Comment Letter at 11 (Mar. 16, 2016).

    \35\ Id. at Attachment A at 14-15.

    \36\ MGEX Comment Letter at 3 (Mar. 16, 2016); NASDAQ Futures

    Comment Letter at 2 (Mar. 16, 2016).

    ---------------------------------------------------------------------------

    Reg. AT is a major rulemaking that covers a broad range of

    automated trading issues. Commenters asserted that the costs of the

    proposal are substantially higher than estimated by the Commission

    and provided quantitative estimates to back up their assertions.\37\

    The Supplemental Notice does not do enough to fix the issues with

    proposed Reg. AT and reduce unnecessary costs on the marketplace.

    Given the scope of Reg. AT and the cost concerns, I believe the CFTC

    should at least phase-in the implementation process for any final

    Reg. AT rulemaking. I invite commenters to provide suggestions on

    how to do so.

    ---------------------------------------------------------------------------

    \37\ See, e.g., CME Comment Letter at 5 (Mar. 16, 2016); MFA

    Comment Letter at 34-35 (Mar. 16, 2016); MGEX Comment Letter at 25-

    28 (Mar. 16, 2016).

    ---------------------------------------------------------------------------

    Conclusion

    It has been my general practice as a CFTC commissioner to vote

    in support of publishing proposed rules for public comment even when

    I have substantial concerns and issues. That is because on most

    proposals reasonable people can have differences of opinion. I try

    to hear a broad range of sensible views before making a final

    decision. I have also taken this approach because of the enormous

    respect I have for my two fellow commissioners. It continues to be

    an honor to serve alongside them.

    So, it is a disappointment that on this rule I must depart from

    my preferred practice of voting in favor of proposed rulemakings.

    Reg. AT is unlike any other rule proposal that I have seen in my

    time of service. What should be a step forward by the agency in its

    mission to oversee twenty-first century digital markets is

    squandered by its giant stumble backwards in undoing Americans'

    legal and Constitutional rights.

    The Commission recommends that we adopt this Supplemental Notice

    in order to address the growing incidence of algorithmic trading and

    to determine if algorithms are disrupting financial markets. That is

    all well and good. Automated trading presents a number of critical

    challenges to our markets.\38\ My many meetings with America's

    farmers and ranchers have confirmed the importance of enhancing the

    CFTC's ability to catch-up to the digital transformation of twenty-

    first century futures markets.\39\

    ---------------------------------------------------------------------------

    \38\ See Guest Lecture of Commissioner J. Christopher Giancarlo,

    Harvard Law School, Fidelity Guest Lecture Series on International

    Finance, Dec. 1, 2015, http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-11.

    \39\ See Address of CFTC Commissioner J. Christopher Giancarlo

    to the American Enterprise Institute, 21st Century Markets Need 21st

    Century Regulation, Sept. 21, 2016, http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-17.

    ---------------------------------------------------------------------------

    Yet, jettisoning the subpoena process does nothing to address

    the challenge of automated trading given the existing ease and speed

    of obtaining an administrative subpoena.\40\

    ---------------------------------------------------------------------------

    \40\ United States v. Morton Salt Company, 338 U.S. 632 (1950).

    ---------------------------------------------------------------------------

    Benjamin Franklin is said to have warned that ``A people that

    are willing to give up their liberty for temporary security deserve

    neither--and will lose both.''

    Franklin was right. Reg. AT is a threat to Americans' liberty

    AND their security. After twelve score years of ordered freedom, it

    is a degree turn in the direction of unchecked state authority. If

    adopted in its present form, it will put out of balance centuries-

    old rights of the governed against the creeping power of the

    government.

    Thus, I have no choice but to vote against this proposal.

    [FR Doc. 2016-27250 Filed 11-23-16; 8:45 am]

    BILLING CODE 6351-01-P

    Last Updated: November 25, 2016