Public Statements & Remarks

Statement of Dissent by Commissioner J. Christopher Giancarlo Regarding Supplemental Notice of Proposed Rulemaking on Regulation Automated Trading

November 4, 2016

Introduction

I have previously said that proposed Regulation Automated Trading (Reg. AT) is a well-meaning attempt by the Commodity Futures Trading Commission (CFTC or Commission) to catch up to the digital revolution in U.S. futures markets.1 However, I have also raised some concerns ranging from the prescriptive compliance burdens to the disproportionate impact on small market participants to the regulatory inconsistencies of the proposed rule.2 I have also warned that any public good achieved by the rule is undone by the now notorious source code repository requirement.3 Not surprisingly, dozens of commenters to the proposal echoed my concerns and vehemently opposed the source code requirement.

So, here we are again almost a year later to consider a Supplemental Notice of Proposed Rulemaking on Regulation Automated Trading (Supplemental Notice) because proposed Reg. AT missed the mark the first time around.4

This Supplemental Notice does improve proposed Reg. AT in some respects, such as moving from three levels of risk controls to two levels in order to simplify the framework and narrowing the scope of registration so it may not capture smaller market participants. However, the Supplemental Notice does not go far enough. It subjects the source code retention and inspection requirements to the special call process and provides an unworkable compliance process for AT Persons5 that use software from third-party providers.

I proposed several reasonable changes to the Commission and staff in an effort to make the Supplemental Notice workable and less burdensome, while still achieving its objectives. It is disappointing that those changes were not accepted. On a brighter note, the Commission has agreed to extend the comment period from 30 days to 60 days. While a longer comment period may provide some comfort to commenters that they do not have to rush to finish their comment letters over the Thanksgiving holiday, it does nothing to address my substantive issues. I am certain that many commenters will once again echo my concerns.

While I could focus on a number of issues with proposed Reg. AT and the Supplemental Notice, I will first concentrate my statement on the source code issue and then the third-party software provider requirements. Thereafter, I will discuss a few other topics, such as the prescriptive nature of the proposal and burdensome reporting requirements. I welcome comments on all these issues and others.

Source Code Retention and Inspection Requirements

No Subpoena Means No Due Process of Law

Let me make clear at the outset that the CFTC can today obtain the computer source code of market participants pursuant to a subpoena. Therefore, the issue raised by proposed Reg. AT and this Supplemental Notice is NOT whether the CFTC can examine source code of automated traders where appropriate to investigate suspected market misbehavior. The issue raised by this proposal is whether the owners of source code have any say in the matter.

The subpoena process provides property owners with due process of law before the government can seize their property. It protects owners of property – not the government that already has abundant power. It allows property owners an opportunity to challenge the scope, timing and manner of discovery and whether any legal privileges apply to the process of surrendering property to the government.

The subpoena process therefore provides a fair compromise between the rights of property owners and the government’s right to seize their property. Without the subpoena process, there is no balance between the civil liberties of the governed and the unlimited power of the government.

As a foundation of civil liberties, the subpoena process precedes the American Republic going back to English common law. As a legal principle, it was woven into the Bill of Rights. As a bulwark of modern civil society, it protects the liberty of the governed from the tyranny of the government.

The Supplemental Notice before us today, however, would strip owners of intellectual property of due process of law. The CFTC justifies this abridgement of rights with the condition that before the Commission can take source code6 it will abide by two procedural hurdles – a majority vote of the Commission and the special call process operated by the Division of Market Oversight (DMO).7

This justification entirely misses the point. Abrogating the legal rights of property owners is not assuaged by imposing a few additional procedural burdens on the government agency seizing their property. Source code owners will have lost any say in the matter. The proposal gives unchecked power to the CFTC to decide if, when and how property owners must turn over their source code.

Moreover, the special call process provides the CFTC an end-run-around the subpoena process. While the Supplemental Notice states that the CFTC will use the special call process to obtain source code in carrying out its market oversight responsibilities, there is no limit in the proposed rule on DMO staff from sharing source code with staff of the Division of Enforcement. The proposal will allow the Enforcement Division to view source code without bothering with a subpoena. Such sharing of information will likely become routine if this proposal is finalized.

No Specific Source Code Protections

Commenters have rightly questioned what level of security the CFTC will deploy to safeguard seized source code. In an attempt to assure market participants that their source code will be kept secure, the Supplemental Notice lists the various statutes and regulations that require confidentiality of such information. The proposed rule text also includes a reference to Commodity Exchange Act (CEA) section 8(a), which prohibits the release of trade secrets and other information.8

Yet, these are not new protections. They are in place today. Simply citing them in the preamble and rule text of the Supplemental Notice gives little assurance that the CFTC will safeguard source code. If the agency is determined to protect confidentiality, then it should include specific protections in the rule. For example, the CFTC could provide that it will only review source code at a property owner’s premises or on computers not connected to the Internet. The CFTC could also state that it will return all source code to the property owner once its review is finished. The rule text provides no such assurances.

Absent specific measures, it is absurd to suggest that source code will be kept secure. Just look at the area of government cybersecurity. In the six months after the CFTC proposed Reg. AT, hackers breached the computer networks of the Federal Deposit Insurance Corporation and the Federal Reserve.9 Incredibly, the U.S. Office of Personnel Management (OPM) that gave up 21.5 million personnel records in a year-long cyber penetration failed a security audit last November – six months after the breach was discovered.10 In fact, federal, state and local government agencies rank last in cybersecurity when compared against 17 major private industries, including transportation, retail and healthcare.11

The CFTC itself has an imperfect record as a guardian of confidential proprietary information.12 If this rule goes forward, the CFTC will make itself a target for a broader group of cyber criminals, including those engaged in commercial espionage.

Last Friday, we learned that a former employee of the Office of the Comptroller of the Currency (OCC) downloaded thousands of files from the agency’s servers onto two removable thumb drives without authorization prior to retiring from the agency.13 The OCC said that when it contacted the former employee about those files, he was “unable to locate or return the thumb drives to the agency.”14

The OCC breach surely sent shivers up the spines of source code owners who received notice that same day of the CFTC’s intention to move forward with the Supplemental Notice. They must have been doubly spooked when the CFTC’s own servers crashed a few hours later due to a denial-of-service attack.

Establishment of Dangerous Regulatory Precedent

If the CFTC adopts the source code provisions of the Supplemental Notice, the Securities and Exchange Commission (SEC) will likely copy it and so will other U.S. and overseas regulators – and not just regulators of financial markets.15 Regulators like the Federal Communications Commission may demand source code for Apple’s iPhone. The Federal Trade Commission may seek source code used in the matching engines of Google, Facebook and Snapchat. The National Security Agency may demand to see the source code of Cisco’s switches and Oracle’s servers. The Department of Transportation may demand Uber’s auction technology and Tesla’s driverless steering source code. Where does it end?

It certainly will not end on American shores. Overseas regulators will also mimic the rule. The German chancellor has said that she wants her government to examine the source code used in the matching engines of Google and Facebook because she does not like their political coverage of her administration.16 The Chinese government has already tried to put in place a rule to obtain the source code of U.S. technology firms.17 If the CFTC adopts this rule, it will make a mockery of the U.S. government’s past attempts to oppose China’s efforts to view proprietary commercial source code.18 It confirms that the CFTC is not on the same page as its own U.S. government counterparts.

Undoubtedly, this proposed rule is a reckless step onto a slippery slope. Today, the federal government is coming for the source code of seemingly faceless algorithmic trading firms. Tomorrow, however, governments worldwide may come for the source code underlying the organizing and matching of Americans’ personal information – their snapchats, tweets and instagrams, their online purchases, their choice of reading material and their political and social preferences. Seriously, where will it end?

Possible Constitutional Challenge

Fortunately, our country’s founders protected Americans against unreasonable searches and seizures and guaranteed them due process of law in the U.S. Constitution. The Supreme Court has routinely and recently upheld these fundamental civil rights. If the CFTC adopts the Supplemental Notice as proposed, its source code seizure provisions may be robustly challenged in federal court. The litigation will consume the agency’s precious, limited resources and its credibility in defending such a dubiously constitutional rule. That will be a sad waste of American taxpayer money.

The CFTC justifies its actions based on its need to oversee the growing incidence of algorithmic trading and disruption in the financial markets. Given the relative ease of obtaining an administrative subpoena,19 I disagree with the assertion in the proposal that the special call process is necessary to review source code in association with usual trading events or market disruptions. The subpoena and the proposed special call process both require a Commission vote. One process is therefore not faster than the other. The only difference is that the special call process is an end-run-around the subpoena process and deprives source code owners of due process of law.

Third-Party Software Providers

If the source code requirements are not bad enough, AT Persons who use third-party algorithmic trading systems and those third-parties are in for a real treat. Under the Supplemental Notice, AT Persons who use third-party trading systems are liable for turning over the source code of the third-party providers. An AT Person has no control over a third party’s source code. And, third-parties have already said that they will not give out their source code.20

In addition, the Supplemental Notice requires an AT Person who uses a third-party algorithmic trading system to obtain a certification and conduct due diligence to ensure that the third-party is complying with the development and testing requirements in proposed Reg. AT. The AT Person must obtain a new certification each time there is a material change to such third-party’s system.

These requirements are infeasible and could harm innovation and intellectual property rights. Participants at the Regulation AT roundtable also found the certification and due diligence suggestion impractical.21 One commenter said it could hurt smaller third-party vendors.22 Another commenter said that AT Persons may not have the necessary expertise to perform due diligence of third-party systems.23 They are correct. The CFTC must revisit these requirements. I invite commenters to propose less burdensome solutions.

Other Issues

Finally, let me highlight three issues: (1) the prescriptive nature of risk controls and development and testing requirements; (2) burdensome reporting requirements; and (3) the need for a phased-in implementation process. I reassert the issues I raised from proposed Reg. AT last year. I thank the many commenters for responding to those questions and concerns.

Prescriptive Nature of Risk Controls and Development and Testing Requirements

When proposed Reg. AT was issued, I noted that the CFTC is basically playing catch-up to an industry that has already developed and implemented risk controls and related testing standards for automated trading.24 I supported a principles-based approach to risk controls and testing that built upon, rather than hindered ongoing industry efforts.25

Many commenters to Reg. AT supported such a principles-based approach to risk controls and development and testing requirements and noted that proposed Reg. AT was too prescriptive.26 Commenters supported providing participants’ flexibility to determine which risk controls are needed and how those controls are applied and administered based on each participant’s unique risk profile and business situation.27 Commenters also noted that many of the proposed development and testing requirements are not practical and do not reflect how software is customarily developed, tested, deployed and monitored.28

I believe that the marketplace has implemented effective best practices and procedures for risk controls and development and testing of automated trading systems that account for different types of systems and businesses. Reg. AT’s approach is a one-size-fits-all model that does not take into account individual circumstances. For example, the proposed risk controls may not apply to all market participants or at all levels and may have negative unintended consequences.29 The proposed development and testing requirements will require AT Persons to make costly changes to existing business practices and procedures with no material market benefit.30 Once again, I urge the CFTC to adopt a principles-based approach in the final rule so that AT Persons have the necessary flexibility to administer controls and testing based on their trading and risk profiles.

Still Burdensome Reporting Requirements

The Supplemental Notice replaces the requirement in proposed Reg. AT that AT Persons and clearing member futures commission merchants (FCMs) prepare certain annual reports with an annual certification requirement. While that is positive, the Supplemental Notice requires designated contract markets (DCMs) to establish a program for effective periodic review and evaluation of AT Persons’ and FCMs’ compliance with risk controls and other requirements. The Supplemental Notice also retains proposed Reg. AT’s requirement that the DCM must identify and remediate any insufficient mechanisms, policies and procedures, including identification and remediation of any inadequate quantitative settings or calibrations of pre-trade risk controls required of AT Persons.

The Supplemental Notice touts the significantly decreased costs and enhanced flexibility to DCMs in designing a compliance program by replacing the annual reports with a certification requirement. I am not so sure that will be the case. The Supplemental Notice does not eliminate the compliance program altogether and replace it with a certification requirement. DCMs must still establish such a program and review and evaluate AT Persons’ and FCMs’ compliance with risk control and other requirements. I am concerned that this requirement could necessitate DCMs hiring additional staff to conduct periodic reviews with limited benefits for reducing risk.

Even more problematic, DCMs are on the hook to identify and remediate any insufficient mechanisms, policies and procedures, including inadequate quantitative settings or calibrations of pre-trade risk controls. The Supplemental Notice acknowledges, but dismisses, DCMs’ own concerns that they lack the technical capability to assess whether the quantitative settings or calibrations of AT Persons’ controls are sufficient.31 In my statement on proposed Reg. AT, I suggested a much simpler process of self-assessments like FINRA requires.32 Commenters also suggested similar less burdensome processes.33 I urge the Commission to revisit this provision and provide a more workable solution that does not hold DCMs liable for identifying and remediating inadequate settings of AT Persons.

Any Final Rule Must be Phased-In

Proposed Reg. AT and this Supplemental Notice if finalized in their current form will be a huge undertaking for all parties involved. The Futures Industry Association (FIA) estimated that it could take several years to implement.34 In this regard, FIA recommended that the CFTC implement Reg. AT in three separate rules: pre-trade and other risk controls, policies and procedures regarding development and testing of algorithmic trading systems and registration.35 Other commenters also recommended phased-in rulemakings.36

Reg. AT is a major rulemaking that covers a broad range of automated trading issues. Commenters asserted that the costs of the proposal are substantially higher than estimated by the Commission and provided quantitative estimates to back up their assertions.37 The Supplemental Notice does not do enough to fix the issues with proposed Reg. AT and reduce unnecessary costs on the marketplace. Given the scope of Reg. AT and the cost concerns, I believe the CFTC should at least phase-in the implementation process for any final Reg. AT rulemaking. I invite commenters to provide suggestions on how to do so.

Conclusion

It has been my general practice as a CFTC commissioner to vote in support of publishing proposed rules for public comment even when I have substantial concerns and issues. That is because on most proposals reasonable people can have differences of opinion. I try to hear a broad range of sensible views before making a final decision. I have also taken this approach because of the enormous respect I have for my two fellow commissioners. It continues to be an honor to serve alongside them.

So, it is a disappointment that on this rule I must depart from my preferred practice of voting in favor of proposed rulemakings.

Reg. AT is unlike any other rule proposal that I have seen in my time of service. What should be a step forward by the agency in its mission to oversee twenty-first century digital markets is squandered by its giant stumble backwards in undoing Americans’ legal and Constitutional rights.

The Commission recommends that we adopt this Supplemental Notice in order to address the growing incidence of algorithmic trading and to determine if algorithms are disrupting financial markets. That is all well and good. Automated trading presents a number of critical challenges to our markets.38 My many meetings with America’s farmers and ranchers have confirmed the importance of enhancing the CFTC’s ability to catch-up to the digital transformation of twenty-first century futures markets.39

Yet, jettisoning the subpoena process does nothing to address the challenge of automated trading given the existing ease and speed of obtaining an administrative subpoena.40

Benjamin Franklin is said to have warned that “A people that are willing to give up their liberty for temporary security deserve neither – and will lose both.”

Franklin was right. Reg. AT is a threat to Americans’ liberty AND their security. After twelve score years of ordered freedom, it is a degree turn in the direction of unchecked state authority. If adopted in its present form, it will put out of balance centuries-old rights of the governed against the creeping power of the government.

Thus, I have no choice but to vote against this proposal.

1 Opening Statement of Commissioner J. Christopher Giancarlo before the CFTC Staff Roundtable on Regulation Automated Trading, June 10, 2016, http://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement061016.

2 Regulation Automated Trading, 80 Fed. Reg. 78824, 78945-48 (Dec. 17, 2015).

3 Id. at 78947.

4 I note that at a time when the CFTC continuously pleads for additional resources, this is an example where the Commission could have saved a lot of time and effort if it spent a little more time up front to craft a sensible proposed Reg. AT.

5 As defined in the Supplemental Notice.

6 I also note my concern with the breadth of the new Algorithmic Trading Source Code definition and invite comment on it.

7 The Supplemental Notice allows the Commission to authorize the Director of DMO to execute the special call and to specify the form and manner in which records shall be produced. DMO’s existing special call process has not operated without operational error or inadvertent disclosure of confidential information. The process should be subject to enhanced checks and balances, procedural controls and greater objectivity in targeting market behavior.

8 7 U.S.C. § 12(a); CEA section 8(a).

9 Katie Bo Williams, Criminal Investigation Underway into Banking Regulator Data Breach, The Hill, May 12, 2016, http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach; Dustin Volz & Jason Lange, U.S. Lawmakers Probe Fed Cyber Breaches, Cite 'Serious Concerns', Reuters, June 3, 2016, http://t.reuters.com/article/topNews/idUSKCN0YP281.

10 U.S. Office of Pers. Mgmt. Office of the Inspector Gen. Office of Audits, 4A-CI-00-15-011, Federal Information Security Modernization Act Audit FY 2015, Nov. 10, 2015; See also, Jack McCarthy, OIG Finds OPM Still Struggling with Security, Healthcare IT News, Nov. 30, 2015, http://www.healthcareitnews.com/blog/oig-finds-opm-still-struggling-security (discussing OIG’s findings of OPM’s security protocols six months after a massive data breach).

11 Dustin Volz, U.S. Government Worse than All Major Industries on Cyber Security: Report, Reuters, Apr. 14, 2016, http://mobile.reuters.com/article/idUSKCN0XB27K.

12 See generally Bart Chilton, The Government Can’t be Trusted to Collect Source Code and Other Private Property, Business Insider, Nov. 1, 2016, http://www.businessinsider.com/bart-chilton-government-cant-be-trusted-to-collect-source-code-2016-11; Gregory Meyer and Philip Stafford, US Regulators Propose Powers to Scrutinise Algo Traders’ Source Code, Financial Times, Dec. 1, 2015, https://www.ft.com/content/137f81bc-944f-11e5-b190-291e94b77c8f.

13 Ben Lane, OCC Reveals Major Information Security Breach Involving Former Employee, HousingWire, Oct. 28, 2016, http://www.housingwire.com/articles/38402-occ-reveals-major-information-security-breach-involving-former-employee.

14 Id.

15 Congressman Sean P. Duffy Letter to SEC Chair Mary Jo White, Aug. 10, 2016, http://modernmarketsinitiative.org/wp-content/uploads/2016/08/16.08.10-Automated-Trading-Letter-to-SEC.pdf.

16 Article, Angela Merkel wants Facebook and Google’s Secrets Revealed, BBC, Oct. 28, 2016, http://www.bbc.com/news/technology-37798762.

17 Eva Dou, U.S., China Discuss Proposed Banking Security Rules, The Wall Street Journal, Feb. 13, 2015, http://www.wsj.com/articles/china-banking-regulator-considering-source-code-rules-1423805889; Shannon Tiezzi, US-China Talk Intellectual Property, Market Access at Trade Dialogue, The Diplomat, Nov. 25, 2015, http://thediplomat.com/2015/11/us-china-talk-intellectual-property-market-access-at-trade-dialogue/.

18 Id. Congressmen Scott Garrett and Randy Neugebauer Letter to CFTC Chairman Timothy Massad, Aug. 3, 2016, http://modernmarketsinitiative.org/wp-content/uploads/2016/08/20160802-ESG-RN-Letter-to-CFTC-re-Reg-AT2.pdf.

19 United States v. Morton Salt Company, 338 U.S. 632 (1950).

20 Trading Technologies, Staff Roundtable, Elements of Proposed Regulation Automated Trading, Transcript, at 250-252, June 10, 2016 (Roundtable Tr.), http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/transcript061016.pdf.

21 Id. at 239.

22 Id.

23 Tethys Technology, Roundtable Tr. at 248.

24 80 Fed. Reg. at 78945.

25 Id. at 78946.

26 See, e.g., FIA Comment Letter at 3, 4-5 (Mar. 16, 2016); CME Comment Letter at 6, 7-8 (Mar. 16, 2016); ICE Comment Letter at 10 (Mar. 16, 2016); CTC Comment Letter at 1 (Mar. 15, 2016).

27 See, e.g., FIA Comment Letter at 3 (Mar. 16, 2016); CME Comment Letter at 7-8 (Mar. 16, 2016).

28 See, e.g., FIA Comment Letter at 5 (Mar. 16, 2016); CTC Comment Letter at 12-14 (Mar. 15, 2016).

29 See, e.g., FIA Comment Letter, Attachment A at 24-25 (Mar. 16, 2016).

30 See, e.g., CTC Comment Letter at 12 (Mar. 15, 2016).

31 CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).

32 80 Fed. Reg. at 78947.

33 CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).

34 FIA Comment Letter at 11 (Mar. 16, 2016).

35 Id. at Attachment A at 14-15.

36 MGEX Comment Letter at 3 (Mar. 16, 2016); NASDAQ Futures Comment Letter at 2 (Mar. 16, 2016).

37 See, e.g., CME Comment Letter at 5 (Mar. 16, 2016); MFA Comment Letter at 34-35 (Mar. 16, 2016); MGEX Comment Letter at 25-28 (Mar. 16, 2016).

38 See Guest Lecture of Commissioner J. Christopher Giancarlo, Harvard Law School, Fidelity Guest Lecture Series on International Finance, Dec. 1, 2015, http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-11.

39 See Address of CFTC Commissioner J. Christopher Giancarlo to the American Enterprise Institute, 21st Century Markets Need 21st Century Regulation, Sept. 21, 2016, http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-17.

40 United States v. Morton Salt Company, 338 U.S. 632 (1950).

Last Updated: December 20, 2017