Goldman Sachs & Co. agreed to pay a fine of US $7 million to the Securities and Exchange Commission related to alleged programming and oversight errors that caused an avalanche of unintended sell orders to be entered on US options exchanges on August 20, 2013, prior to market open. As a result of these alleged errors, GSCO received executions on a portion of the sell orders representing 1.5 million options contracts, and sustained a loss of approximately US $38 million. According to the SEC, GSCO’s problems “resulted from a series of failures in [its] then-existing system of risk management controls and supervisory procedures.” The SEC claimed that, prior to August 20, GSCO had been consolidating certain client service functions previously operated by an affiliated broker dealer into GSCO, and configured software to facilitate this. Following implementation of the new configuration, said the SEC, certain types of internal orders that were never intended to go to an options exchange without a matching customer order inadvertently were permitted to route to exchanges. This, the SEC claimed, was because one employee did not “fully understand the technical operation of the new … options order flow at the time he performed the configuration.” Also, noted the SEC, his work was not adequately reviewed prior to implementation. Moreover, alleged the SEC, after the avalanche of sell orders began on August 20, another GSCO employee, without receiving any authorization, disengaged certain circuit breaker blocks that had been triggered by the large volume and that were meant to limit potentially large volumes of unintended orders. As a result of these and other alleged breakdowns, the SEC charged GSCO with wilfully violating various provisions of "Reg MAR" — the SEC's market access rule.
Generally, Reg MAR requires broker-dealers with market access to establish and maintain a system of risk management controls and supervisory procedures reasonably designed “to manage the financial, regulatory and other risks” associated with providing market access. GSCO settled the SEC matter without admitting or denying any of the Commission’s findings.
My View: Although settlements help limit potential damages and litigation costs, as well as minimize the time officers and employees need to dedicate to litigation, they deny respondents the opportunity to present their side of the story publicly. Without knowing anything more about this matter other than what I read in the relevant SEC order, it is hard to imagine that, if given a chance, GSCO wouldn’t have argued (as it appears to have been the case) that it had policies and procedures reasonably designed to ensure its compliance with Reg MAR, but they weren’t perfect and a few employees violated the spirit if not the letter of those policies — giving rise to the firm’s August 20, 2013 problems. However, as a result of its settlement, GSCO is required to be mute and we will never know its side of this story. As I told a reporter last week when she asked me whether, today, an SEC or Commodity Futures Trading Commission registrant could be prosecuted if it were cyber hacked despite a lack of specific regulatory proscriptions — yes, of course! It would not matter whether a specific regulation applied. If regulators determine something is problematic (e.g., an event causes a media sensation), even if not expressly prohibited, they may use existing tangential regulations to prosecute the perceived offense, and a firm will be left with the uneasy option of fighting the regulatory action at great cost (even if to a successful end), or settling at a likely lesser cost and biting its proverbial lips. Unfortunately, a policy and procedure that appears reasonably designed when implemented may be considered unreasonable after the fact if it was not perfect in anticipating every conceivable breakdown -- if the breakdown caused a noticeable public event, as happened on August 20, 2013. That's not supposed to be the standard (certainly not under Reg MAR), but, unfortunately, it's the regulatory reality.