Opening Statement of Commissioner J. Christopher Giancarlo before the CFTC Staff Roundtable on Regulation Automated Trading
June 10, 2016
My thanks to the agency staff for arranging today’s roundtable. This hearing is important and timely. I intend to follow the discussion closely.
Regulation Automated Trading (Regulation AT) is a significant and challenging proposal. I believe it is a well-meaning attempt by the agency to catch up to the digital revolution in U.S. futures markets. As I said at the time of adopting the Notice of Proposed Rulemaking,[1] it seeks to draw on industry best practices, provides some flexibility in setting risk control parameters and does not require the pre-approval or pre-testing of algorithms. That is positive.
Less positive is the proposal’s seemingly broad scope, hazy objectives and several significant inconsistencies. Its burdensome and overlapping compliance costs will serve as a regressive tax on market activity, will be borne disproportionately by smaller market participants and will be passed on to end-users. It is not clear whether the proposal enhances the safety and soundness of America’s futures markets enough to outweigh these additional costs and burdens.
No Subpoena Required
Regulation AT contains the notorious requirement that proprietary source code be accessible to the CFTC and the Justice Department without a subpoena. As I anticipated at the time of the proposal, this requirement has garnered an enormous amount of concern from market participants.
Subpoenas have served well both the Commission and market participants for over forty years. Under the CFTC’s well-established subpoena authority, the Commission “is entitled to gather information that is ‘reasonably relevant’ to an inquiry within its purview.”[2] It may do so, however, only pursuant to a Commission vote. Moreover, parties subject to a subpoena may seek judicial review to determine whether the request for information is within the Commission’s power.[3]
There appears to be no practical reason why these important legal protections afforded by an administrative subpoena should be abridged in the case of proprietary source code. I am not sympathetic to the CFTC’s contention that proprietary source code embodying instructions for future commercial strategy is equivalent to books and records of past trading activity obtainable without a subpoena. I am also not sympathetic to the concerns that in a market crisis there is no time to obtain a subpoena because minutes matter. The subpoena process is not burdensome and if the CFTC is envisioning looking at millions of lines of source code during a crisis then we have bigger problems. In my time at the agency, I have not observed any instance in which a subpoena request from the Division of Enforcement did not receive prompt and careful attention by the Commission. I do not anticipate this will change in the future.
As a lawyer, I am aware of no legal foundation on which to haphazardly set aside long-established, due process protections afforded by agency subpoena practice. Of all the components of the Commission’s proposal, the extraordinary requirement that proprietary source code be accessible to the government without a subpoena is the most unsettling. It disrupts the traditional relationship between the CFTC and market participants and the Constitutional relationship between American citizens and the federal government, the authority of which is both limited and specifically enumerated in law. It is for the people’s representatives in Congress, and not an unelected agency, to decide whether valuable private property may be taken without specific authority arising from a legal proceeding.
Moreover, law abiding businesses have every reason to be concerned about the government’s handling of their proprietary intellectual property, such as source code. In just the six months since Regulation AT was proposed, we have learned that hackers have breached the computer networks of some of the country’s most prestigious law firms,[4] the Federal Deposit Insurance Corporation,[5] the Internal Revenue Service[6] and the Federal Reserve.[7] Incredibly, the U.S. Office of Personnel Management (OPM) that gave up 21.5 million personnel records in a year-long cyber penetration was still unable to pass a security audit last November – six months after the breach was discovered.[8] In fact, federal, state and local government agencies rank last in cyber security when compared against 17 major private industries, including transportation, retail and healthcare.[9] The CFTC itself has an imperfect record as a guardian of confidential proprietary information.[10]
Therefore, it should come as no surprise that law abiding businesses are very concerned with the prospect of handing over highly valuable, proprietary business source code to the CFTC. As someone whose personnel records at OPM were hacked and may still today remain unprotected, I can sympathize with market participants’ skepticism of any “trust us” assurances that their intellectual property will be safe and secure in government hands.
Like the rest of the world around us, financial and derivative markets have transformed from analog to digital, from stand-alone markets to seamless trading webs, and from human action to algorithmic trading and artificial intelligence. The electronification of markets over the past 30 to 40 years and the advent of exponential digital technologies have altered financial businesses, trading and entire industries, with far ranging implications for capital formation and risk transfer.
While our futures and derivatives markets have changed dramatically, CFTC rules have stayed pretty much the same. Most of the CFTC’s rules were written for 20th century analog markets, in which futures trading pits in Minneapolis, New York and Chicago conducted open outcry trading with its distinctive shouting and famous hand signals. Today, trading floors are dormant, largely supplanted with electronic trade execution by remote software algorithms and, increasingly, artificial intelligence. Yet, CFTC oversight is still founded on recognition of such occupations as “floor traders” and “floor brokers.” In a new world of automated, non-human decision making, CFTC market supervision and enforcement still turns on human states of mind underlying the traditional legal concepts of foreseeability, mens rea and failure to supervise.
Compared to the brashness of its dispensation with subpoena authority, Regulation AT’s most notable feature is the meagerness of its response to the emerging challenges of algorithmic trading. In essence, Regulation AT is a 20th century analog response to the 21st century digital revolution in trading markets. Regulation AT is designed to compel a broader swath of market participants to register with a federal overseer subjecting them to additional rules and regulations, fees and costs. It is a classic Washington maneuver: force as many businesses as possible into the regulatory framework and then figure out what needs to be done. Ready, fire, aim.
Yet, registration is not public policy and policy making is not necessarily furthered by registration. The relatively blunt act of registering automated traders does not begin to address the complex public policy considerations that arise from the digital revolution in modern markets.
As I have publicly noted, automated trading presents a host of new and novel issues. They include inadvertently limited or flawed algorithms,[11] position crowding,[12] increased risk of sudden spikes in market volatility and “phantom” liquidity.[13] They also include the risk of misinterpretation of trading and event data by computerized analysis and mathematical models that increasingly replace human thought and deliberation.[14]
Legal scholars raise important concerns about how widely held assumptions guiding regulation have come to sit uneasily in innovative, evolving markets.[15] They question the continued applicability of conventional legal notions governing civil and criminal liability.[16] For example,
- What do traditional legal concepts like reasonableness, foreseeability, mens rea, scienter, and failure to supervise mean in transactions that are not initiated by immediate human action, but by pre-set programming and even artificial intelligence?
- How do we adapt regulatory frameworks and surveillance practices designed to catch “bad-guys” to detect purposefully bad or intentionally manipulative algorithms?
- What regulatory penalty, if any, should market participants, service providers and market operators face for inadvertently limited or unintentionally flawed algorithms and what public policy is served by any such imposition?
- What rules are appropriate to recondition 20th century trading markets and their essential institutions so as to benefit from 21st century automated trading while maximizing marketplace safety, soundness, efficiency and resiliency?
The world is changing. Our father’s futures markets are gone. Tired, old command and control government solutions are bumping up against the new flexible, sharing economy. It is time for government agencies like this one to take smarter approaches. Before we entangle several thousand automated traders in old, analog regulations, we should first establish the full implications of new, digital trading markets. We should determine what existing rules need to be updated to enhance American markets and the participants they serve. We should confer with leading academics and legal scholars, technologists, market operators and traders and, yes, non-partisan public advocates. We should figure out how to effectively repurpose the CFTC’s regulations for the challenges of 21st century digital markets, not just extend them to cover a lot more registrants. It is time to formulate and establish well-considered policy responses to the digitization of contemporary markets and then take action in a deliberate and thorough manner to enhance market liquidity, safety and soundness.
Despite its rather aggressive approach to proprietary source code, Regulation AT is not a very holistic and forward-looking response to the regulatory challenges presented by the automated trading transformation of contemporary markets. That is a disappointment for those of us who believe that it is in America’s vital national interest to retain the world’s deepest, most durable and most vibrant trading markets in the algorithmic, digital world of the 21st century.
Nevertheless, I remain open minded to the improvement of this ruleset and look forward to today’s important discussion. I also expect staff to remain open-minded to various viewpoints on the issues raised by the proposal and consider them in working to improve the rule.
1 U.S. Commodity Futures Trading Commission, Statement of Commissioner J. Christopher Giancarlo Regarding Notice of Proposed Rulemaking on Regulation Automated Trading (Nov. 24, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement112415.
2 CFTC v. Monex Deposit Co., No. 15-1467, slip op. at 3 (7th Cir. Jun. 1, 2016) (citing United States v. Morton Salt Co., 338 U.S. 632, 652 (1950)).
3 See Morton Salt, 338 U.S. at 652.
4 Nell Gluckman & Christine Simmons, Cravath Admits Breach as Law Firm Hacks Go Public, Am. Law. (Mar. 30, 2016), http://www.americanlawyer.com/top-stories/id=1202753706763/Cravath-Admits-Breach-as-Law-Firm-Hacks-Go-Public-?mcode=1202615731542&curindex=136&slreturn=20160507114006.
5 Katie Bo Williams, Criminal investigation underway into banking regulator data breach, The Hill (May 12, 2016, 5:22 PM), http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach.
6 Kevin McCoy, Cyber Hack Got Access to Over 700,000 IRS Accounts, USA Today (February 26, 2016, 8:03PM), http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/.
7 Dustin Volz & Jason Lange, U.S. lawmakers probe Fed cyber breaches, cite 'serious concerns', Reuters (June 3, 2016, 3:18 PM), http://t.reuters.com/article/topNews/idUSKCN0YP281.
8 U.S. Office of Pers. Mgmt. Office of the Inspector Gen. Office of Audits, 4A-CI-00-15-011, Federal Information Security Modernization Act Audit FY 2015 (Nov. 10, 2015); See also, Jack McCarthy, OIG finds OPM still struggling with security, Healthcare IT News (Nov. 30, 2015, 7:55 AM), http://www.healthcareitnews.com/blog/oig-finds-opm-still-struggling-security (discussing OIG’s findings of OPM’s security protocols six months after a massive data breach).
10 Gregory Meyer & Philip Stafford, US Regulators Propose Powers to Scrutinise AlgoTraders’ Source Code, FINANCIAL TIMES (Dec. 1, 2015, 10:45AM), http://www.ft.com/intl/cms/s/0/137f81bc-944f-11e5-b190-291e94b77c8f.html#axzz4AuRIpDDy. “In 2011, Bernie Sanders, the Vermont Senator, released confidential CFTC data identifying traders with large oil and gas positions…. In 2012 exchange operator CME Group alleged that CFTC economists had published reports that revealed individual customers’ positions…The other concern is that a government employee who has inspected a trader’s source code repositories could pass through Washington’s revolving door and share that lucrative knowledge with a rival trading firm.” Id.
11 Yesha Yadav, How Algorithmic Trading Undermines Efficiency in Capital Markets, 68 Vand. L. Rev. 101, 138–46 (2015) (forthcoming).
12 Tom C.W. Lin, The New Investor, 60 UCLA L.REV. 678 (2013)(citing Michael Riley & Ashlee Vance, The Code War, Business Week, July 25, 2011, at 716
13 Id. at 692, 703 (explaining that “[d]uring periods of high uncertainty . . . high-frequency trading can exacerbate volatility and hurt liquidity by removing significant trading positions from the markets at warp speeds” and that “[t]he enhanced speed and interconnectedness of cyborg finance makes it more endogenously vulnerable to volatile crashes . . . .”); Katy Burne, The New Bond Market: Algorithms Trump Humans, Wall St. J., Sept. 24, 2015, http://www.wsj.com/articles/the-new-bond-market-algorithms-trump-humans-1443051304.
14 Lin at 712; Yadav at 107–08.
15 I note the scholarship of Yesha Yadav, Associate Professor of Law, Vanderbilt Law School, on the impact of algorithmic trading on foundational concepts in market regulation and governance and civil and criminal liability.
Last Updated: December 20, 2017