The Commodity Futures Trading Commission (CFTC) has proposed new rules — Regulation Automated Trading (Regulation AT)1 — that would impose new and potentially burdensome risk and compliance controls on any person engaged in “algorithmic trading” on any U.S. derivatives exchange that is a designated contract market (DCM).2 Algorithmic trading is defined broadly, and the proposed rules would subject any person engaged in it on a DCM to new regulatory requirements including testing, monitoring, pretrade risk controls, annual compliance reports, extensive recordkeeping and registration with the CFTC.
The CFTC describes its proposed rules, in large part, as codifying existing industry best practices and necessary to ensure market integrity in light of potential market disruptions such as the May 2010 flash crash. One CFTC commissioner, however, has questioned Regulation AT’s value given that it simply codifies certain industry best practices while substantially increasing compliance burdens on all algorithmic traders.3 CFTC staff estimates algorithmic traders represent, depending on the asset class, between nearly 50 percent and 80 percent of trading volume on DCMs.4Therefore, the proposed rules could have a substantial impact on market compliance costs.
Two years before the Regulation AT proposal, the CFTC issued a Concept Release5requesting public comment on the necessity and operation of a variety of risk controls and measures related to automated trading. The CFTC incorporated information from the public comments and an advisory meeting that followed into the Regulation AT proposal, which is over 500 pages.
Algorithmic Trading Defined
Proposed Regulation AT defines algorithmic trading to include any computer algorithm or system that determines whether to initiate, modify or cancel an order where such order is electronically transmitted to the DCM.6 The proposed definition would capture nearly all forms of automated trading, from the highly sophisticated proprietary trading firms and financial institutions to small market participants using off-the-shelf automated systems or even simple Excel spreadsheets that enable automated trading. Proposed Regulation AT does not define “high frequency trading” and applies whether the automated trading is high- or low-frequency. These broad definitions exemplify a theme throughout Regulation AT, where the CFTC attempts to effectuate its stated goal of minimizing the potential for disruptions and other operational problems that may arise from algorithmic trading.7
The proposal would impose new compliance, reporting and registration requirements, and establish review programs. Regulation AT applies to all CFTC registrants8engaged in algorithmic trading on or subject to the rules of a DCM — each defined as an “AT Person.” Furthermore, the term “AT Person” also includes any person not currently registered with the CFTC, who is engaged in algorithmic trading through direct electronic access (DEA) to the DCM. Any such person not currently registered would have to register with the CFTC as a “floor trader.” Finally, Regulation AT establishes new supervisory functions for DCMs, futures commission merchants that clear trades for AT Persons (“clearing member FCMs”) and registered national futures associations.
As proposed, risk controls would be implemented at three levels for algorithmic trading — with the DCM, the clearing member FCM and each AT Person. The DCM, clearing member FCM and AT Person each would be required to include pretrade risk controls (such as order message and execution frequency limits per unit time, and parameters for order price and size) and order cancellation systems.9 Notably, DCMs also would be required to implement parallel controls to address potential market disruptions from manual traders that are not engaged in algorithmic trading. The CFTC stated that it intends to allow flexibility in the design of the risk controls.10
Furthermore, clearing member FCMs would be required to implement DCM-provided risk controls for DEA orders and to establish their own controls for non-DEA orders. Specifically, clearing member FCMs would be required to have pretrade risk controls reasonably designed to prevent or mitigate an algorithmic trading disruption11 for its AT Persons.
Regulation AT proposes a number of new reporting requirements for clearing member FCMs and AT Persons. Proposed Rule 1.83 would require that clearing member FCMs and AT Persons prepare, certify and submit annual compliance reports to DCMs regarding their risk controls. The reports must include a description of the pretrade risk controls in place and a certification by the chief executive officer or chief compliance officer that the information in the report is accurate and complete. AT Persons must also include copies of policies and procedures they develop to comply with the requirements regarding the testing and development of algorithmic trading systems and how those systems comply with the Commodity Exchange Act (CEA) and the CFTC’s regulations.
Regulation AT would also mandate that DCMs establish and maintain a program for review and evaluation of the annual compliance reports submitted by each AT Person and clearing member FCM, in which the DCMs would be required to identify outliers and provide instruction for remediation. Additionally, DCMs would be required to review books and records of AT Persons and their clearing member FCMs regarding algorithmic trading procedures. Regulation AT also would require DCMs to implement rules reasonably designed to prevent self-trading, excluding certain “permitted self-trades,” and to publish quarterly statistics disclosing self-trading permitted by the DCM.12
The proposal would impose multiple regulatory requirements for development and testing. For example, Regulation AT proposes a new requirement that each AT Person must implement written policies and procedures for developing, testing and monitoring its algorithmic trading systems.13
Source Code Audit Trail and Inspection
Each AT Person would be required to maintain a source code repository to manage source code access, persistence, copies of all code used in the production environment and any changes to the source code. Each AT Person would be required to retain such source code repository as part of its recordkeeping obligations and to make the code available for inspection upon request by any representative of the CFTC or the Department of Justice (DOJ). The proposed rule also would allow the CFTC Division of Enforcement staff and the DOJ unfettered access to algorithmic traders’ source code without obtaining a subpoena. Many have already expressed serious concern about the government’s access to intellectual property and business strategies should Regulation AT be adopted as proposed.14 Likewise, CFTC Commissioner J. Christopher Giancarlo has questioned the government’s ability to adequately protect this type of sensitive information from potential data breaches. 15
The comment period for proposed Regulation AT is open until March 16, 2016.