On Nov. 24, the United States Commodity Futures Trading Commission (CFTC) unanimously proposed a set of sweeping rules that would govern individuals and entities engaged in automated trading on U.S. designated contract markets (DCM). One of the more notable components of these rules, collectively known as Regulation Automated Trading (Reg AT), governs the maintenance of source code for electronic trading systems.
Reg AT requires AT Persons – essentially, any individual or entity that engages in algorithmic trading on a DCM – to develop policies and procedures with respect to the design, testing, and supervision of algorithmic trading. Among the mandatory procedures is one that requires the establishment and maintenance of a “source code repository,” to retain copies of the trading software’s source code and all changes thereto, including an audit trail of material changes to the source code and the purposes behind the changes.
Importantly, the proposed rule specifies that the source code repository must be maintained in accordance with CFTC Regulation §1.31, “Books and Records; keeping and inspection.” Among other requirements, Regulation §1.31 requires that all records maintained pursuant thereto be “open to inspection by any representative of the Commission or the United States Department of Justice,” and that such records must be produced “promptly” upon such a request.
Such a requirement raises a number of concerns for the industry. Source code is the lifeblood of an automated trading firm, and constitutes its most important and valuable intellectual property. It is unlike traditional firm “books and records” in that it is not only a record of past activity, but a roadmap to future trading and business strategy. There are no similar analogous “books and records” to which CFTC – or, indeed, other federal agencies – would have such freedom to inspect and review, without the need for a subpoena or other showing of necessity. Industry members have raised concerns about providing not only unfettered access to their most confidential, proprietary information, but also copies thereof to be maintained outside of their control and subject to a host of risk, from inadvertent disclosure, to leak, to susceptibility to hacking.
Interested parties may submit comments during the comment period, which opened on Nov. 24 and runs for 90 days.