Comment Text:
Dear Mr Kirkpatrick,
AIMA Response to reopened CFTC Regulation Automated Trading
The Alternative Investment Management Association (AIMA) is grateful for the opportunity to respond to the reopened Commodity Futures Trading Commission (the Commission) proposed rulemaking for Regulation Automated Trading (Regulation AT), (Reopened Regulation AT).
AIMA’s response to Regulation AT (the AIMA Response) was broadly supportive of the Commission’s overall approach for Regulation AT – focusing on minimum rules that are sufficiently flexible and specific for different entities involved in the algorithmic trading (AT) process. We, nonetheless, had certain concerns relating to the specific definitions and proposals contained within Regulation AT.
Our response to the reopened proposals seeks to deal specifically with the key topics covered by the Commission Roundtable on Regulation AT held on Friday 10 June 2016 (the Roundtable). However, unfortunately due to the very short time-frame within which responses have been requested, we have been unable to garner sufficient levels of feedback from members to provide responses to many of the complex and specific questions posed. We would strongly recommend that the Commission provide a full consultation period to enable all relevant stakeholders in the Regulation AT debate to consider and formulate complete and well-tailored answers to the specific questions raised during the Roundtable and other outstanding contentious issues.
If you have any questions or would like to discuss any aspect of this response in more detail, please contact Jiri Król ([email protected]) or Oliver Robinson ([email protected]).
Yours sincerely,
Jiri Król
Deputy CEO, Global Head of Government Affairs
Alternative Investment Management Association (AIMA)
ANNEX
A) Quantitative measures to establish the population of AT Persons
The roundtable agenda posited the idea of introducing quantitative measures in order to further define the population of AT Persons. However, AIMA believes that the key way to limit the population of AT Persons is to ensure that the definition of algorithmic trading is correctly formulated and is not set so broadly as to capture trading activities which are clearly not ‘algorithmic’.
As we noted in the AIMA Response, the definition of AT is a vital foundation upon which an appropriate regulatory regime for such trading should be built. However, AIMA believes strongly that the proposed definition of AT within Regulation AT is excessively broad and would capture systems and activities that: (i) are demonstrably not considered to be AT by the market or regulators more broadly; and (ii) are not of the kind that pose any material risk to market stability.
It is AIMA’s opinion that AT involves situations in which one or more algorithms within an ATS control the key parameters of orders initiated, amended and/or cancelled on a market, with limited or no human intervention. The important aspect here is the ATS’s connection with the market and its ability to submit and tailor the parameters of orders actually submitted to the market with limited or no human intervention. We consider, therefore, that the use of a pure ‘investment decision’ algorithm should not constitute AT unless it is also accompanied by automated execution with limited or no human intervention.
If an ATS does not make determinations in relation to a specific list of parameters of a particular order, AIMA does not believe that it should fall within the scope of AT. In particular, to this end, we believe that the particular venue to which an order is routed should not be considered to be a ‘parameter’ of the order. AIMA, therefore, believes that automated order routers (AORs) that function merely to route orders to particular venues without amending their particular parameters should fall outside of Regulation AT. The AIMA Response also disagreed with the Regulation AT proposal to only exclude orders ‘…whose every parameter or attribute is manually entered into a front-end system by a natural person, with no further discretion by any computer system or algorithm…’. We would be especially concerned if this wording was included within the final Regulation AT definition.
Overall, AIMA considers that additional metrics on top of the current proposed definition of AT Person may not be the optimal solution to avoid the disproportionately broad scope capturing excessive numbers of registered firms. The fundamental problem causing a large population of potential AT Persons is the inappropriately broad definition of AT. We do not advocate the use of additional metrics to narrow the definition whilst ignoring the underlying issue that has caused its breadth in the first instance. Notwithstanding, we suggest that additional quantitative metrics could well be considered for the purposes of implementing the rules proportionately; namely whether an AT Person has applied relevant controls and testing methodologies in a way that is suitable to the nature, scale and complexity of its business activities.
B) Alternative to imposing direct CFTC pre-trade risk control and development, testing and monitoring standards on AT Persons
AIMA recognises and has consistently advocated for the benefits of proportionate and appropriately calibrated risk controls in markets that permit AT in order to prevent the magnification of trading errors and prevent market disorder. It is in all of our members’ interests to be able to trade on stable, consistent and efficient markets. We believe that it is beneficial to ensure that pre-trade and other risk controls are applied in a coordinated manner by each participant in the AT order submission process. Nonetheless, we agree that the principal role should be played by the DCMs - as the owners of the relevant markets - and FCMs - as the gatekeepers to the relevant markets. Both parties are best placed to understand and enforce the relevant controls and testing obligations.
We would also suggest that there is no reason to limit the rules to Clearing FCMs. We believe that any intermediary that provides DEA should have appropriate operational and technical capabilities to manage risks to the DCM of their service provision. AIMA would recommend, therefore, that at least that Regulation AT rules apply not only to Clearing FCMs, but to any market access services in the AT transaction chain. To this end, robust due diligence by DEA providers of potential clients is an important focus – as well as ensuring that FCMs and DCMs provide sufficiently robust controls and effective testing tools.
C) Compliance with elements of the proposed rules when using third-party algorithms or systems
AIMA notes that specific consideration should be had for how controls and testing obligations are to be applied in circumstances in which algorithms and trading systems are manufactured and remain the property of a third-party. Although our position that all algorithms and systems used in a production environment on live markets should be subject to sufficient controls and be sufficiently tested.
Please also see below in section D covering the impact of source code access and retention rules on availability of third-party algorithms.
D) Source Code Access and Retention
Overall, AIMA members are supportive of an obligation for AT Persons to maintain internal source code repositories. It is existing best practice for AT firms to maintain a proportionate change management audit trail for material changes to their production algorithms. Such an audit-trail obligation is also due to be introduced on 3 January 2018 under Article 5 of MiFID II RTS 6 which specifies that investment firms must maintain records of material changes to software, including: (a) when a change is made; (b) the nature of the change; (c) who made the change; and (d) who approved the change.
However, our members strongly disagree and have significant security concerns about the Regulation AT proposal for firms’ source code and related documents to be available for summary inspection by the Commission and Department of Justice (DoJ). We note that no equivalent obligation is due to be introduced under MiFID II and is not a current obligation in any other major jurisdiction. We do not believe that any attempt to undertake ex ante review of source code by the CFTC would be an efficient or effective way to monitor and protect DCMs from abuse or disorder. In terms of the potential for source code to behave abusively or to exacerbate market disorder, we consider that the central role ought to be played by Clearing FCMs, other DEA providers and the DCMs themselves by providing adequate test functionality to help ensure that all algorithms used in live markets are sufficiently tested for stability and propensity for abusive behaviour.
We articulated several main arguments against summary source code access within the AIMA Response, these included:
• Security of source code and confidential descriptions - Market participants exert significant effort and go to great lengths to protect both their source code and commercially sensitive descriptions thereof – such as internal ‘White Papers’ developed by internal research teams and other commercially sensitive descriptions of source code and its functioning. Policies and procedures maintained by firms include requiring employees to sign non-competition agreements with the firm, as well as severely restricting employees’ access to code internally.
If the DOJ or the Commission were to obtain either hard or soft copies of source code or commercially sensitive descriptions thereof on a summary basis, AIMA’s AT Person members would be extremely concerned about these safeguards being undermined and the security and confidentiality of AT Persons’ proprietary intellectual property being put at significant risk.
AIMA would also suggest that the potential financial and/or disruptive benefits for criminals, hacktivists or government sponsored groups of attacking a government system which maintained the detailed source code data summarily obtained by the Commission or DoJ would actually serve to encourage attacks which would otherwise not occur. Should such sensitive information be kept at the AT Person level, so kept spread behind hundreds of discrete physical and cybersecurity measures, the cost/benefit payoff for any potential hacker becomes much reduced.
• Lack of utility of such information - We stress the fundamental point that primary source code – or even descriptions thereof - provides very little supervisory or investigative utility to anyone seeking to ‘read’ it. It is our belief that accessing it without a specific court-upheld reason would simply risk the commercially sensitive IP of AT Persons without providing any additional benefit.
Without higher-degree level qualifications in advanced mathematics and related subjects, extensive experience of different coding languages, as well as an in-depth understanding of the coding style of a particular developer responsible for a specific set of algorithms, source code is likely to be meaningless and would not hope to assist in identifying potential market abuse or contribution to market disorder.
In fact, AIMA suggests that is not theoretically or practically possible to be able to simply look at source code in isolation and to tell whether it will be problematic from the perspective of market stability or abuse. Due to the non-linear nature of the interaction between different algorithms in a trading environment, you must have the actual matching engine involved as well as all other participants in the market present to make a true evaluation.
Further to this, for the DoJ in particular, we do not envisage any circumstance whereby the DoJ would require source code outside the specific circumstances of criminal proceedings, for which a subpoena would surely be obtainable.
• Consequences for third-party and ‘off-the-shelf’ algorithms – As we noted in the AIMA Response, it is currently impossible for an AT Person utilising third-party algorithms and software to provide summary access to the source code of that third party software without then being in breach of confidentiality obligations to the third-party provider. We would also stress that this would not change even if such summary access rights were to be mandatory under Regulation AT – with providers likely simply to cease trading rather than risking their fundamental trade secrets.
The source code of third-party algorithm providers, as for AT Persons developing their own proprietary code, represents the fundamental source of commercial value to the third party provider. Algorithm providers, for example, maintain a significant degree of confidentiality protection even from their clients, with the underlying source code never actually being disclosed to the client. Information to clients is limited strictly to only the information needed to understand the high-level functioning and use the system.
In the context of third-party execution algorithms, AIMA notes that it is also not as simple as being able to disclose a single or set of algorithms responsible for best execution. To understand how an individual algorithm works requires disclosure of the entire platform of the third-party algorithm provider. This represents the career’s work of many such providers and their fundamental trade secrets, such that they would simply cease providing third-party software services to AT Persons rather than disclose it to either clients or the Commission in absence of a subpoena.
To require access and disclosure of third-party software source code – in particular best execution algorithms - would, therefore, result in a reduction in the number of providers willing to offer their services to AT Persons trading on US DCMs, a reduction in competition and a reduction in conditions of best execution on US DCMs at the expense of smaller market participants. AIMA, on behalf of buy-side participants, stresses the importance of avoiding this consequence.
In response to the question posed by the roundtable agenda of which particular software or hardware components should be included within the term ‘Algorithmic Trading system’ to help ensure that appropriate systems are subject to the Regulation AT regime, it is AIMA’s belief that only those software and hardware components with a direct connection to markets with limited or no human intervention should be included. For example, AIMA has sought to ensure that pre-trade controls and testing rules are applied, as appropriate, to those algorithms that are actually responsible for the submission of orders to the market i.e., execution algorithms, rather than those algorithms that merely compute market data to reach particular investment decisions i.e., decision algorithms, unless those decision algorithms feed directly into an automated execution system with limited or no human intervention.
