On June 10, 2016, Staff for the Commodity Futures Trading Commission (“CFTC”) held a public roundtable to discuss its proposed Regulation Automated Trading (“Regulation AT”).1 The CFTC proposed Regulation AT in an attempt to reduce the risk of market disruptions caused by automated trading. Proposed Regulation AT includes risk controls and transparency measures for futures commission merchants (“FCMs”), designated contract markets (“DCMs”), and CFTC registrants using algorithmic trading systems. The proposed rule also includes a new registration requirement for persons engaged in proprietary algorithmic trading on a DCM through direct electronic access (“DEA”). Panelists at the roundtable – including representatives of FCMs, DCMs, and market participants with DEA – expressed concerns about the broad and prescriptive scope of Regulation AT and advocated a more flexible, principles-based, approach.
The roundtable explored several issues, including: (1) the appropriate definition of an “AT Person”; (2) amendments to the definition of DEA; (3) an alternative to imposing certain regulatory burdens on AT Persons; and (4) the requirement that AT Persons maintain and make available for inspection source code repositories. In his opening remarks, Commissioner Giancarlo expressed concern that the CFTC does not yet fully understand the implications of the new digital trading environments and cautioned that Regulation AT is “a 20th Century analog response to the 21st Century digital revolution in trading markets.” Chairman Massad, in turn, emphasized the need to proceed with a deliberate approach. Despite expressing her goal to finalize Regulation AT by the end of the year, Commissioner Bowen recognized that the current proposal is a “first cut” that may need to be updated. The CFTC reopened the comment period to June 24, 2016 so that it may receive comments related to the specific issues discussed at the roundtable.
Possible Revisions to the Definition of AT Person and Appropriate Quantitative Metrics to Identify AT Persons
In one of the roundtable panels, the CFTC and industry panelists discussed Regulation AT’s broad definition of “AT Person,” which includes market participants that use algorithmic trading systems and are registered with the CFTC as one of the following: (1) FCM; (2) floor trader; (3) swap dealer; (4) major swap participant; (5) commodity pool operator; (6) commodity trading advisor; or (7) introducing broker.2 Based on this structure, algorithmic traders that are not registered with the CFTC and do not engage in DEA trading are not subject to the proposed requirements. Industry panelists questioned the logic of distinguishing between CFTC and non-CFTC registrants that use algorithmic trading. In addition, Regulation AT does not define AT Persons on a granular level, including through means of access or trading frequency. All of the panelists agreed that the definition captures too many market participants, with some panelists asserting that the definition should focus more on the “who” – the trader’s specific attributes – and others advocating a focus on the “what” – the type of activity.
In light of these extensive regulations, and the fact that the current definition of AT Person includes a broad swath of market participants, this panel considered potential quantitative metrics to better identify what constitutes an AT Person. One panelist, a representative of the European Securities and Markets Authority (“ESMA”), described the quantitative metrics developed by the organization to identify algorithmic trading, high-frequency trading, and investment firms. The CFTC then solicited the panelists’ feedback regarding thresholds on, for example, order resting time, trade counts, and trade volume. Most panelists urged a principles-based approach to defining AT person that targets market risk, as opposed to specific quantitative measures. These panelists warned that any quantitative metrics would be too difficult to apply in a one-size-fits-all approach across several markets and product types. Moreover, they advised, quantitative measures may create artificialities by incentivizing market participants to change their behavior to avoid arbitrary thresholds.
Potential Amendments to the Direct Electronic Access Definition
Industry panelists also expressed concerns that the proposed definition of DEA in Section 1.3(yyyy) is overly broad and vague. As proposed, DEA is “an arrangement where a person electronically transmits an order to a DCM, without the order first being routed through a separate person who is a member of a [DCO] to which the DCM submits transactions for clearing.”3 When an AT Person with DEA submits an algorithmic order to a DCM, Regulation AT obligates the DCM to create risk controls for the order and the clearing member FCM must use the DCM-created risk controls.
During the panel, industry panelists advocated a more precise definition of DEA that strikes an appropriate balance between addressing the various means of accessing the market directly and avoiding a definition that ensnares all market participants. For example, a representative of CME Group argued that the DEA definition should not consider whose server the order goes through and whether human involvement exists, but rather hinge on whether an order passes through market risk controls administered by a DCO clearing member. The panelist explained that this definition aligns with a principles-based approach that more precisely addresses the market risk that Regulation AT seeks to prevent.
The panelists also asserted that flexible, principles-based requirements for DEA trading would enable risk controls to adapt as the market evolves and to be tailored to specific types of market access. Echoing this, one panelist stated that the proposed rule should focus on defining “risks” and permit market participants to build controls around these defined risks. All panelists supported imposing risk controls on market participants engaged in DEA trading, reasoning that “with direct access comes direct responsibility.” Some panelists also advocated for a second layer of risk control at the DCM level as an “ultimate backstop” to prevent market disruption. However, they noted that DCMs typically lack knowledge of customer trading patterns to tailor their risk controls to specific customers. The panelists generally agreed that the CFTC should require two layers of risk controls. The first layer is the matching engine run by the DCM, and the second layer should be with the FCM or AT Person with DEA who implements the interface provided by the DCM. One of the panelists advocated a separation of risk controls between the source of the technology and the user. He asserted that the provider of the technology, the FCM, should have responsibility for risk controls and not the trader using it, explaining as an analogy that “there are drivers who are using the FCM’s car, but the FCM is the exclusive owner of the car, so it should be responsible for the risk controls.”
Alternatives to Imposing Certain Regulatory Burdens on AT Persons
The CFTC considered alternative risk control structures in one of the panels, noting commenters’ concerns that the proposed risk controls were duplicative and applied in a one-size-fits-all fashion. The ESMA representative described the organization’s regulatory framework establishing risk controls for automated trading with trading firms and DEA providers. The CFTC then solicited the panelists’ feedback on an FCM-based risk control alternative that would require FCMs to: (1) implement their own risk controls for all proprietary and customer orders; (2) require that AT Person customers apply pre-trade risk controls and develop, test, and monitor standards for their own algorithmic trading systems; and (3) perform due diligence regarding the compliance of AT Person customers.
Industry panelists urged against an FCM-based approach because of the significant personnel and technology costs that FCMs would incur in their compliance efforts. For example, an FCM representative estimated that his company would spend about $1 million annually and need to embed one employee in each of its customer’s businesses to ensure effective due diligence. He also emphasized that this approach would need to reflect the significant differences among FCMs and their clients. Other market participants expressed similar reluctance to adopt this alternative because those qualifying as AT Persons would have to pay FCMs for their enhanced due diligence. Moreover, as one FCM panelist noted, FCMs compete with their customers in certain circumstances and an FCM-based approach would create an un-level playing field in certain markets. Instead, industry panelists generally expressed a preference for a DCM-based approach. All panelists, however, supported risk control parameters on AT Persons.
One panel also discussed the potential compliance issues regarding AT Persons using third-party algorithms, an issue raised by some commenters. Panelists who develop and lease algorithms described the exhaustive testing that their companies undertake, in collaboration with their customers, before that algorithm goes into operation. In light of this extensive testing, these panelists argued that Regulation AT should not distinguish between AT Persons that use third-party algorithms from those that develop their own algorithm. Others expressed concern that traders using vended algorithms should not bear responsibility for code that they did not design.
Source Code Access and Retention
In the final panel, the CFTC addressed the concerns of several commenters – and Commissioner Giancarlo – that Regulation AT requires AT Persons to maintain and provide the CFTC and Justice Department with access to a source code repository. In his opening remarks, Commissioner Giancarlo described the “extraordinary requirement” that proprietary source code be accessible without a subpoena as “unsettling.” Panelists emphasized that source code is not analogous to books and records because it exceeds documenting an order. By contrast, source code reveals higher-level details about why and how a trading decision was made. During the roundtable, Chairman Massad recognized that source code provides significant value to firms and emphasized the CFTC’s commitment to protecting confidentiality. One panelist recommended defining source code to account for the execution path of an order, how and why an order was created, and the decision to create, modify or cancel that order.
Moreover, the panelists argued that this requirement would not benefit the CFTC because of the difficulty in identifying operational issues solely by looking at source code. Two industry panelists explained that, in the rare instances where they had seen the CFTC request source code, the CFTC reviewed the source code on-site, a developer explained the code, and the parties carefully recorded who viewed which portions of the code. The industry panelists all argued that in light of the significant risks, and lack of clear benefits, the CFTC should revise the proposed rule to require only the preservation of source code.
The roundtable discussion revealed significant concerns related to the broad nature of proposed Regulation AT along with the extensive regulations imposed on AT Persons. Industry panelists generally urged against prescriptive risk control parameters that apply across all markets and product types. Such an approach, they argued, would drastically increase regulatory costs, decrease market liquidity, and potentially undermine the proposal’s underlying goal of minimizing market disruptions. In a public speech the day before the roundtable, Chairman Massad expressed his willingness to finalize Regulation AT in phases.4