The Commodity Futures Trading Commission (CFTC or Commission) on November 3, 2016, proposed revisions (the Supplemental Proposal)1 to proposed Regulation Automated Trading (Reg AT).2 Reg AT, if adopted, will broadly affect those in the futures industry who trade electronically, imposing new registration and supervision requirements on algorithmic traders. The modifications would impose greater process requirements on the Commission in obtaining access to algorithmic trading source code, reduce necessary risk controls from three levels to two, introduce a minimum volume threshold to the “AT Person” definition, and substitute a certification for the previously proposed annual report. These changes should reduce some of the burdens of the rule as originally proposed. As the 2-1 vote of the Commission indicates, however, the provisions relating to Commission access to source code data, even as modified, no doubt will remain quite controversial.
Access to Algorithmic Trading Source Code—Procedural Framework
Reg AT proposed that algorithmic trading source code be preserved and made available to the Commission in accordance with the Commission's general recordkeeping requirements. Market participants expressed serious concerns regarding the confidentiality and security of such commercially sensitive data. Many commenters reasoned that proprietary source code is, and should remain, available to the Commission only through the subpoena process, expressing concern that source code obtained using more casual procedures and stored on government servers would be vulnerable to cyberattack.
In response, the Supplemental Proposal provides that CFTC access to algorithmic trading source code would require either (1) a subpoena, or (2) a “special call” approved by the Commission itself. The Supplemental Proposal notes that the Commission is legally obligated to protect confidential information and has data security measures in place to protect sensitive information.
Commissioner Giancarlo strongly opposed the proposal. Commissioner Giancarlo voiced serious doubt over this procedural framework, reasoning that it “would strip owners of intellectual property of due process of law,” and warned that, “[a]bsent specific measures, it is absurd to suggest that source code will be kept secure” in light of the Commission's “imperfect record as a guardian of confidential proprietary information.”3 He predicted that the Commission's source code provisions will be challenged in federal court.
Pre-Trade Risk Controls—Change from Three-Level to Two-Level Framework
Reg AT proposed placing risk controls on algorithmic trades at three levels in the order submission and execution chain: (1) the AT Person, (2) the futures commission merchant (FCM), and (3) the designated contract market (DCM). In response to comments that this redundancy could create its own set of risks, the Supplemental Proposal proposes a framework with risk controls relating to all electronic orders, not just algorithmic trading, at two levels: (1) AT Person or its FCM, and (2) DCM.
Registration of “AT Persons”—Volume-Based, Quantitative Test
Reg AT would apply to market participants that meet the definition of “AT Person,” including existing Commission registrants engaged in algorithmic trading, as well as certain unregistered market participants who would be required to register as new Floor Traders. The Supplemental Proposal modifies the definition of AT Person to incorporate a volume-based, quantitative threshold. Specifically, the threshold for potential AT Persons would be set at 20,000 contracts traded on average per day, aggregated across a firm's own account, the accounts of customers, or both, over a six-month period. This change limits the population of AT Persons to large market participants, estimated by the Commission to be 120 persons.
Annual Certification Process
Reg AT proposed that AT Persons and clearing member FCMs prepare annual compliance reports, and that DCMs establish a program for effective review and evaluation of such reports. In response to comments that these requirements were overly burdensome, the Supplemental Proposal replaces the annual reporting requirement with an annual certification process. DCMs are still required to establish programs periodically to review compliance by AT Persons with risk control mechanisms, policies, and procedures.
Use of Third-Party Algorithmic Trading Systems
Reg AT imposed on AT Persons certain obligations regarding pre-trade risk controls, the development and testing of algorithmic trading systems, the retention of source code, and other regulatory standards. In response to comments that AT Persons who rely on third-party algorithmic trading systems would be unable to satisfy such requirements, the Supplemental proposes an alternative compliance framework. Specifically, AT Persons who rely on third-party algorithmic trading systems may demonstrate compliance by (1) obtaining a certification from the third party, and (2) conducting due diligence regarding the accuracy of the certification.
Upon publication in the Federal Register, the Supplemental Proposal will be open to a 60-day comment period.