In 1977, Coca-Cola abruptly withdrew from India, where it had been operating for more than 20 years. In doing so, it abandoned a market that was more than three times the size of the United States, with profit potential in the hundreds of millions. Why? The Indian government demanded the cola maker’s secret formula in accordance with its safeguards for companies operating in the country. Coca-Cola decided complying was too risky. So it left the country, and in its absence a lucrative Coca-Cola smuggling business flourished until the soda maker returned in 1993.
Flash forward to today. The U.S. Commodity Futures Trading Commission (CFTC) unanimously approved a proposed rule on automated trading. Reg AT, as it is known, is an effort to stay ahead of markets where “more than 70% of all trading has become automated.” I largely applaud the proposal and its thoughtful set of risk controls and transparency measures that incorporate the best practices of responsible market participants. But Reg AT contains a provision requiring automated traders to have the means to produce “all code used in the production environment” to regulators. Source code is the secret formula of the industry, and like Coca-Cola in 1977, balancing transparency and trade secrets gets somewhat “sticky.”
Clarifying the rules for trading is welcomed by members of Modern Markets Initiative, all of whom are significant liquidity providers in these asset classes and already adhere to many of the proposals. But the Commission already has a transparent and accountable process to formally request source code inspections. This new proposal circumvents that and creates risks for traders.
First and foremost, the threat of hackers demands special vigilance among algorithmic trading firms for whom stealing the proprietary code is essentially stealing the company. While hack attacks can happen to anyone, it is relevant to remember the CFTC itself suffered a data breach in 2012 that put the Social Security numbers and personal information of its employees at risk. Algorithmic trading firms spend tens of millions of dollars on cybersecurity to protect source code valued in the billions. In addition, procedures around the hiring, supervision and post-employment confidentiality of employees who work with code are very robust.
Most algorithmic trading firms already keep internal source code repositories as required by this proposal. Examining source code is already within the purview of regulators, but it requires a formal and fairly rare protocol, including the knowledge of CFTC Commissioners. But under this proposal, that protocol can be bypassed and presumably algorithmic traders will be subject to more frequent regulator access to the source code under circumstances where regulators even have the discretion to “temporarily remove” the code from the premises.
While not questioning the integrity of CFTC staff, it is common for government employees to seek employment in the private sector, so it is reasonable to assume that CFTC staff reviewing the source code of top algorithmic traders could apply that proprietary knowledge to future employment. Algorithmic trading firms have big concerns about the post-employment confidentiality of employees. The prospect of periodic, random probes of source code by a revolving staff of regulators is a situation fraught with peril.
With much of the nation’s algorithmic trading source code available in multiple places, it is appropriate to assess whether the risk/reward ratio makes sense. A proposal requiring the submission of all code used in the production environment is a large request with many pieces. There are dozens of components in a production environment outside the core algorithm source code, including execution algorithms, execution algorithm interpreters, real-time market data interfaces, parser and distribution platforms, smart order routing modules, exchange interface modules, and the list goes on. Excluding any one of these items could hinder efforts to test an algorithm effectively. Even with all these elements in place, effectively testing source code is difficult. Our members train employees for months to become effective on just a small portion of software.
The algorithmic trading community is a vocal supporter of standards and procedures that strengthen the integrity of the markets. The CFTC’s Reg AT goes a long way toward achieving that goal. But our business relies on relentless vigilance in safeguarding proprietary code. The threats are not imagined. It’s the real thing.