CFTC plan to access source code slammed as regulatory overreach

The latest regulatory effort to improve oversight of high-speed, automated trades that, when they go bad, can trigger flash crashes and other market disruptions is a proposal advanced by the Commodity Futures Trading Commission on Nov. 4.

The plan, however, is not without controversy with Commissioner J. Christopher Giancarlo echoing concerns expressed by many of the covered firms and recoiling against what he described as a dangerous regulatory precedent.

The CFTC’s proposed amendments to its Regulation AT (for “automated trading”) would require “reasonable risk controls, using a principles-based approach that would codify many industry best practices,” according to Chairman Timothy Massad. It would also require testing and monitoring of algorithms and the preservation of source code and other records.

The most controversial aspect of what is planned for Regulation AT—and the proposal that has engendered the most furor—is that the CFTC would be authorized, without the need of a subpoena, to gain access to the software and source code that powers trading strategies and automates futures trading.

Some safeguards were offered. The proposal requires that the Commission itself to make the decision to seek access to source code and no staff member can do so without Commission approval. The proposal also describes measures needed to preserve the confidentiality of source code.

The vote to advance the proposed amendments to a 60-day public comment period was was 2-1, with Giancarlo voting against the proposal, largely because of the controversial source code provision.

“As we all know, automated trading dominates the markets we oversee,” Massad said. “More than 70 percent of trading in futures is now automated. And this is not just in financial futures; we see it in physical commodity futures as well…In just a few years, we have gone from open-outcry pits where floor traders jostled elbow-to-elbow to make trades, to a machine dominated market where a millisecond is considered slow.”

In another respect, the markets have not changed at all, he added. Farmers, ranchers, manufacturers, exporters—businesses of all types—still depend on them to hedge routine risk and engage in price discovery. “Whether it is corn or copper, crude oil or cocoa, equities or Treasuries, Japanese yen or British pounds—businesses need these markets,” he said. “They need them to function reliably, fairly, and free of manipulation or disruption.”

“It is especially important for us to be able to respond to the concerns of those who are not so-called ‘flash boys,’ and are only moving at human speed,” Massad said.”It is an illustration of the fact that our regulations have not kept up with our modern markets. [The] proposal is a part of what we need to do to keep our regulatory system up-to-date, just as you need updates for your phone’s operating system from time to time.”

“For those of you worried that automated trading is occurring free of any oversight or regulation, this rule seeks to allay some of those fears,” said Commissioner Sharon Bowen.

Giancarlo, however, warned that “any public good achieved by the rule is undone by the now notorious source code repository requirement.”

Among his complaints with the data collection provision: “No subpoena means no due process of law.”

“The issue raised by proposed Reg. AT and this supplemental notice is not whether the CFTC can examine source code of automated traders where appropriate to investigate suspected market misbehavior,” he said. “The issue raised by this proposal is whether the owners of source code have any say in the matter.”

The proposal “would strip owners of intellectual property of due process of law,” Giancarlo added. “The CFTC justifies this abridgement of rights with the condition that before the Commission can take source code it will abide by two procedural hurdles—a majority vote of the Commission and the special call process operated by the Division of Market Oversight.”

This justification “entirely misses the point,” he countered.  “Abrogating the legal rights of property owners is not assuaged by imposing a few additional procedural burdens on the government agency seizing their property. Source code owners will have lost any say in the matter. The proposal gives unchecked power to the CFTC to decide if, when and how property owners must turn over their source code.”

Giancarlo also protested “there is no limit in the proposed rule on DMO staff from sharing source code with staff of the Division of Enforcement.”

“The proposal will allow the Enforcement Division to view source code without bothering with a subpoena,” he said. “Such sharing of information will likely become routine if this proposal is finalized.”

Giancarlo said he agreed with critics who question the level of security the CFTC can deploy to safeguard seized source code. He wasn’t persuaded by the government’s ability to assure the safety of data. In recent months, he reminded, hackers breached the computer networks of the Federal Deposit Insurance Corporation and the Federal Reserve; the U.S. Office of Personnel Management gave up 21.5 million personnel records during a year-long cyber penetration; and, last month, it was uncovered that a former employee of the Office of the Comptroller of the Currency downloaded thousands of files from the agency’s servers onto thumb drives, without authorization, prior to his retirement.

“The OCC breach surely sent shivers up the spines of source code owners who received notice that same day of the CFTC’s intention to move forward with the supplemental notice,” Giancarlo said. “They must have been doubly spooked when the CFTC’s own servers crashed a few hours later due to a denial-of-service attack.”

Critics also say the proposal could also establish a dangerous regulatory precedent.

“If the CFTC adopts the source code provisions of the Supplemental Notice, the Securities and Exchange Commission will likely copy it and so will other U.S. and overseas regulators—and not just regulators of financial markets,” Giancarlo said. “Regulators like the Federal Communications Commission may demand source code for Apple’s iPhone. The Federal Trade Commission may seek source code used in the matching engines of Google, Facebook and Snapchat. The National Security Agency may demand to see the source code of Cisco’s switches and Oracle’s servers. The Department of Transportation may demand Uber’s auction technology and Tesla’s driverless steering source code. Where does it end?”