Proposed Regulation AT: Has the CFTC Gone Too Far?

About our Contributors
ICS Group is a regulatory compliance consulting firm specializing in providing compliance support to the financial services and insurance industries. We help our clients comply with regulatory requirements and industry standards. Our clients include registered investment advisers, private equity funds, hedge funds, mutual funds, broker-dealers, insurance companies and state pension plans. Our team of highly experienced compliance professionals knows from first-hand experience what regulators are looking for, the industry standards that apply, and how to develop and implement cost-effective business-oriented solutions.

The Commodity Futures Trading Commission (“CFTC”) has recently caused quite a flurry among automated traders with its proposed Regulation Automated Trading (“Regulation AT”). The days of pit trading are long gone. Automated trades involving algorithms now make up a substantial portion of U.S. markets. Trading disruptions, unfortunately, have steadily increased as the use of automated trading has risen. Some of the more memorable trading glitches include the ‘Flash Crash’ of 2010, when the market plunged $1 trillion in 36 minutes, and the 2012 incident in which Knight Capital Group lost $10 million per minute, with total losses of more than $440 million in a 45-minute period, due to a glitch in trading software. Flash crashes on a smaller scale occur very frequently, perhaps more frequently than most people realize. Stock exchanges do not publicly release data about mini-crashes, but most active traders say there are at least a dozen a day.

As fear of market disruptions from automated trading has escalated, the CFTC has decided to act. On November 24, 2015, the CFTC unanimously approved proposed rules to regulate the evolution of automated trading on U.S. designated contract markets.

Regulation AT is aimed at addressing the inherent risks in algorithmic trading that often cause computer glitches and sometimes catastrophic market crashes. CFTC Chairman Timothy Massad described Regulation AT as “merely the first step in a process”. He further remarked that Regulation AT “is a starter home rather than a two-story”.

The Source Code Provision
Immediately following the Regulation AT proposal, the CFTC was flooded with comment letters from trade organizations, vendors, market participants, public interest groups and individuals warning the CFTC that the proposed rules to regulate automated and algorithmic trading were too broad and that they would impose too many burdens on high-frequency traders. The most passionate specific objections were raised regarding the “source code provision”. The proposal to make source code available to the CFTC and DOJ received considerable criticism from the industry because the regulations would compromise firms’ valuable source code, which includes intellectual property and business strategies.

“The potential cost of Regulation AT’s source code provisions, in terms of jeopardizing the sanctity of private intellectual property in the States, is potentially immeasurable.” – Information Technology Industry Council and the U.S. Chamber of Commerce, Comment Letter, March 16, 2016.

The Information Technology Industry Council (ITI), the U.S. Chamber of Commerce and member companies conveyed their concerns regarding the source code provision in a comment letter to the CFTC on March 16, 2016. The main concerns regarding the source code provision are summarized here:

• By mandating that companies store source code in government-accessible repositories, the availability of valuable intellectual property will be known and is likely to incentivize hackers to increase the number of cyber-attacks launched against such repositories;
• An untold amount of companies’ proprietary source code will likely wind up residing on the databases of U.S. government agencies, which have a poor track record of keeping sensitive information secure from cyber-attacks and other data breaches; and
• It will be costly to maintain source code repositories, which may act as a market entry barrier for smaller and innovative firms in the automated trading space.

In response to comment letters from industry groups over the last several months, the CFTC has signaled a retreat from a ‘source code’ repository. Recently the CFTC has stated that the agency will not require “warehousing” of source code, but instead intends the proposal to act as a record-keeping rule, where firms would be required to keep records of their source code that could be made available to agency staff during investigations.

Although the CFTC has stated that it will not require “warehousing” of source code, only that firms make the source code “available” to agency staff during investigations, it is unclear at this time what exactly making it “available” will entail and thus how much of a cybersecurity risk will be present in such investigations. In any event, it is unlikely that any provision of the regulation concerning source code will be implemented this year. It is possible, however, that the CFTC could roll out the non-controversial provisions of Regulation AT, such as risk controls, in 2016 and then the more controversial items, such as registration requirements and source code provisions, in 2017.

For more information regarding Proposed Regulation AT or for general assistance regarding your compliance program, contact ICSGroup. We’re here to help.

ICSGroup provides regulatory compliance services to registered investment advisors, including advisors to private equity funds, hedge funds and fund of funds. We help our clients meet regulatory expectations and enhance investor confidence by creating risk-appropriate compliance solutions, developing policies and procedures that integrate well with business practices and cultivating a culture of compliance through compliance training and education.