Following its initial 2013 Concept Release on Risk Controls and System Safeguards for Automated Trading Environments, the Commodity Futures Trading Commission (CFTC) is proposing new risk control, transparency and regulatory compliance measures for automated trading on U.S. designated contract markets (Regulation AT).1 The proposed Regulation AT aims to address the inherent risks in algorithmic trading that may undermine the integrity and safety of U.S. markets.
Though Regulation AT would require market participants that engage in automated trading to build certain safeguards into their operations with respect to designated contract market (DCM) activities, the majority of the required measures to be adopted by both AT Persons (as defined below) and DCMs are already broadly used in the industry. However, as further discussed below, such voluntary best practices are set to become mandatory for all AT Persons and DCMs and will become subject to new compliance reporting and examination requirements upon the adoption of the proposed rule (including a requirement for an auditable source code repository to be kept as part of the books and records of AT Persons).
In addition, certain market participants not previously required to register with the CFTC will now be swept into the amended “floor trader” definition in 17 CFR § 1.3(x) of CFTC Regulations and will be required to register with both the CFTC and at least one registered futures association (RFA).
Though Regulation AT proposes a number of regulations affecting DCMs, only those regulations that concern AT Persons are discussed in this alert. Further, Regulation AT proposes regulations broadly similar to those discussed in this alert for futures commission merchants (FCMs), which are beyond the scope of this alert and, accordingly, are not discussed herein.
Regulation AT’s components are addressed below as follows:
- The Scope of Regulation AT and New Defined Terms Proposed
- New Obligations for AT Persons Imposed by Regulation AT
- New Obligations for DCMs that May Impact AT Persons
- Effects of DCM Controls on AT Persons
The Scope of Regulation AT and New Defined Terms Proposed
The CFTC has proposed new definitions to delineate the scope of Regulation AT, as set out below:
- Algorithmic Trading. A person or entity engages in algorithmic trading if it is trading in any commodity interest2 on, or subject to the rules of, a U.S. DCM where one or more computer algorithms or systems makes determinations with respect to the order (e.g., whether to initiate, modify or cancel an order) and such order determination is electronically submitted for processing on, or subject to the rules of, a DCM. Thus, where a person enters every parameter of an order into a front-end system, and there is no further discretion by any computer system or algorithm prior to submission for processing, it is not considered algorithmic trading.
- AT Person. A person or entity that: (1) is registered or required to be registered as an FCM, floor broker, swap dealer, major swap participant, commodity pool operator, commodity trading advisor, introducing broker or floor trader (as expanded upon below); and (2) engages in Algorithmic Trading.
- Algorithmic Trading Event. Either an Algorithmic Trading Compliance Issue or an Algorithmic Trading Disruption:
- Algorithmic Trading Compliance Issue. An event at an AT Person that has caused any Algorithmic Trading to operate in violation of: (1) the CEA or the rules or regulations thereunder; (2) the rules of any DCM to which such AT Person submits orders through Algorithmic Trading; (3) the rules of an RFA of which such AT Person is a member; (4) the AT Person’s internal requirements; or (5) the requirements of the AT Person’s clearing member.
- Algorithmic Trading Disruption. An event originating with an AT Person that disrupts or materially degrades: (1) the Algorithmic Trading of such AT Person; (2) the operation of the DCM on which the entity is trading; or (3) the ability of other market participants to trade on such DCM.
- AT Order Message. A new order, quote, change or deletion submitted through Algorithmic Trading by an AT Person.
- Direct Electronic Access (DEA). An arrangement where a person electronically transmits an order to a DCM without the order first being routed through a separate person who is a member of the derivatives clearing organization to which the DCM submits transactions for clearing.
New Obligations for AT Persons Imposed by Regulation AT
With the goal of minimizing the risk of an Algorithmic Trading Event, the CFTC is proposing new requirements that all AT Persons: (1) that are registered with the CFTC become a member of at least one RFA3; (2) implement pre-trade and other risk control measures reasonably designed to prevent an Algorithmic Trading Event for all AT Order Messages4; (3) develop written policies for the development, testing, monitoring and compliance of Algorithmic Trading Systems (ATS) based on a given set of standardized principles;5 and (4) comply with certain annual reporting and new recordkeeping requirements.6
The CFTC recognizes the quickly evolving technological environment in which AT Persons operate, as well as the need for any adopted policies and procedures to be responsive to the individual needs of each strategy and ATS. Therefore, the proposed requirements do not dictate how an AT Person should operate its risk control and compliance programs, but rather provide for minimum required mechanisms and policies that each AT Person can implement and supplement, when appropriate, in whatever way best fits the strategy and operations of its specific ATS.
1. Registration with the CFTC and RFA Membership
Registration with the CFTC
The CFTC is proposing that proprietary traders using DEA for Algorithmic Trading on a DCM register with the CFTC if the traders were not previously registered. This is to be accomplished by amending the current definition of “floor trader” 7 to further include persons who, solely for their own account, purchase or sell swaps or futures in a place provided by a contract market for the meeting of similarly engaged persons, and such place is accessed, at least in part, through DEA.
The CFTC is proposing that AT Persons who are registered with the CFTC must also become a member of at least one RFA and thus be subject to the membership rules of at least one RFA. This proposed regulation particularly affects floor brokers and floor traders who are not otherwise required to be RFA members.
2. Risk Control Measures
While the CFTC allows AT Persons the discretion to tailor their risk control programs to their own strategies, the proposed regulation outlines six elements that AT Persons must adopt at a minimum. The CFTC believes that these six elements are already widely used in the industry, and, to ease the burden further, an AT Person may outsource its risk management to an external vendor or, where applicable, comply with the below requirements through DCM-provided controls, as long as such DCM policies are compliant with Regulation AT.
Prior to Trading
The proposed regulation imposes two requirements on all AT Persons prior to the submission of their initial message or order to a DCM’s trading platform. First, § 1.80(d) would require that the AT Person notify its clearing member FCM, as well as the DCM on which it will trade, that it will engage in Algorithmic Trading. Second, § 1.80(b)(2) would require that the AT Person notify the DCM whether, upon a disconnection between the DCM platform and the ATS, all of its resting orders should be canceled, suspended or neither. In this case, though the regulation requires a predetermined policy to be in place, it allows for such policy to provide different commands to the DCM based on facts and circumstances and does not mandate an outcome.
Message and Execution Throttles
AT Persons’ pre-trade risk controls would require establishing maximum AT Order Message and execution frequencies to be implemented at the AT Person level. However, each AT Person would be required to evaluate and, if appropriate to the strategy, implement such “message and execution throttles” at further levels, such as for instance by product, account number or designation, or natural person identifier. The regulation does not set specific thresholds, allowing AT Persons the discretion to set levels that are best suited for them, but would require prompt notice of a breach to be given to the monitors responsible for the ATS (as further discussed below).
Order Price Parameters and Maximum Order Size Limits
Proposed § 1.80 would require that AT Persons establish pre-trade risk controls limiting both the price and the quantities associated with each individual order message, often called “price collars” or “price tolerance limits” and “fat-finger limits.” Each order must past through a predetermined limit check that sets a maximum quantity and a maximum deviation level in order price as measured against a predetermined price (e.g., last trade price, market open price).
Order Management Control
The proposed regulation would require that AT Persons have a “kill switch” control that immediately stops Algorithmic Trading, cancels some or all of the resting orders, and prevents any new AT Order Messages. The regulation, however, does not state when such a kill switch should be triggered. Further, AT Persons must maintain systems that monitor connectivity with the trading platform and any system used by a DCM to provide the AT Person with market data.
Self-Trade Prevention Tools
The proposed regulation would require that AT Persons comply with any new DCM requirements that DCMs may impose on AT Persons as part of new self-trade prevention rules to be implemented (further discussed below in § 40.23 under “Effects of DCM Controls on AT Persons”).
Periodic Review for Sufficiency and Effectiveness
AT Persons would be required to periodically review their compliance with the above rules and promptly remedy any deficiencies.
3. Written Policies
To minimize the operational risk of Algorithmic Trading, Regulation AT would require that AT Persons develop and implement written policies in the following four areas: (1) ATS development and testing; (2) ATS monitoring; (3) ATS compliance; and (4) Algorithmic Trading staff designation and trading. To standardize such written policies, the regulation requires the following:
ATS Development and Testing
An AT Person would be required to establish written policies and procedures that provide for the following:
- development and production trading environments that are adequately isolated from one another (including physical equipment);
- all Algorithmic Trading code and related systems, and any changes to such code and systems, to be tested prior to use, both internally with the AT Person and on each contract market to be used, including specific testing to identify circumstances that may lead to an Algorithmic Trading Event;
- regular back-testing of Algorithmic Trading using historical data to identify circumstances that may lead to an Algorithmic Trading Event;
- regular stress testing under a variety of market conditions;
- procedures for documenting the strategy and development of proprietary Algorithmic Trading software and any such changes; and
- maintenance of a source code repository.
This source code repository must manage source code access, persistence, copies of all code used in the production environment and changes to such code (including an audit trail of material changes to the source code, who made the material change, when it was made and the coding purpose for such material changes). Most significantly, the CFTC is proposing that such source code be maintained in accordance with CFTC Reg. 1.31. as part of an AT Person’s books and records open to inspection by the CFTC.
Written policies and procedures should ensure that each ATS is monitored by knowledgeable and qualified staff, and must include the following:
- continuous, real-time monitoring of Algorithmic Trading to catch Algorithmic Trading Events before they happen;
- automated alerts when an AT Order Message breaches design parameters, upon loss of network connectivity or data feeds, or when market conditions are moving away from those within which the ATS is designed to operate;
- monitoring staff who have sufficient authority and ability to trigger the “kill switch” control, including the ability to coordinate with the DCM and clearing firm staff to obtain information and cancel orders;
- dashboards to monitor and interact with the ATS; and
- sufficient procedures to track which monitoring staff is responsible for an ATS.
Staff responsible for monitoring ATS should not be concurrently engaged in trading.
Written policies and procedures should ensure that each ATS’s operations comply with the CEA and the rules and regulations thereunder, and the rules and requirements of each applicable DCM, RFA and clearing member FCM, as well as the AT Person’s internal requirements. Further, the regulations call for a plan of coordination and communication between the AT Person’s compliance staff and the design, testing and control staff of the AT Person designed to detect and prevent Algorithmic Trading Compliance Issues.
Algorithmic Trading Staff Designation and Trading
Written policies and procedures should ensure that each ATS monitor is able to quickly prevent or resolve any ATS issues, and must provide for the following:
- procedures for designation and training of all staff involved in designing, testing and monitoring algorithmic testing;
- procedures for documentation of training events;
- training policies to ensure that each person responsible for monitoring is sufficiently trained for, and is up to date on, each ATS or strategy that he or she monitors, including, at a minimum, the ATS’s trading strategy, its applicable risk controls and when they may be triggered, the proper response to such triggers, and the typical behavior of each ATS and strategy; and
- escalation procedures to notify senior staff when Algorithmic Trading Events are identified.
4. Annual Report and Recordkeeping
Finally, Regulation AT § 1.83 would require annual reporting on AT Persons’ compliance with the regulation, as well as new requirements for Regulation AT compliance recordkeeping.
If the proposed regulation becomes effective, each AT Person must file an annual report by June 30, covering May 1 of the previous year to April 30 of the year reported, with each DCM on which such AT Person engaged in Algorithmic Trading. Such report must describe the AT Person’s pre-trade risk controls, including specific parameters and quantitative settings for: (1) maximum AT Order Message frequency; (2) maximum execution frequency; (3) order price parameters; and (4) maximum order size. The report must be submitted along with copies of an AT Person’s written policies addressing § 1.81(a) and (c) (“ATS Development and Testing” and “ATS Compliance”). The AT Person’s chief executive officer or chief compliance officer must certify the information contained in the report as accurate and complete to the best of his or her knowledge and reasonable belief.
In addition to the annual report, AT Persons would be required to maintain books and records of their compliance with Regulation AT §§1.80 and 1.81, to be provided upon request to applicable DCMs. Pursuant to the proposed regulation § 40.22(d) (further discussed below), DCMs are tasked with review and evaluation of such books and records and may request access as deemed necessary, for example, if an AT Person’s kill switch is frequently activated. Regulation AT does not set forth a minimum time that these records are to be preserved.
New Obligations for DCMs that May Impact AT Persons
In addition, Regulation AT would also impose similar requirements on DCMs in relation to pre-trading and trading risk controls, as well as additional disclosures related to the DCM trade matching systems. The following outlines new mandates for DCMs that may impact AT Persons and Algorithmic Trading in general:
Risk Controls for Trading: DEA Provided by DCMs - § 38.255
Since DCMs are already subject to regulation requiring risk controls for trading, the proposed regulation expands DCMs’ obligations to provide risk control systems that directly address DEA market participants.
The new § 38.255(b) and (c) would require DCMs to: (1) implement systems and controls that are reasonably designed to facilitate a clearing member FCM’s management of Algorithmic Trading risks arising from its DEA customers; and (2) further require such FCMs to use the implemented systems and controls in relation to every AT Order Message submitted through DEA.
The requirements for these systems and controls are the same as those mandated for AT Persons in the “Message and Execution Throttles,” “Order Price Parameters and Maximum Order Size Limits” and “Order Management Control” sections above. Similarly, the regulation requires only that: (1) FCMs are able to set these controls at each one of the following levels: AT Person, product, account number or designation, and one or more identifiers of natural persons associated with an AT Order Message; and (2) DCMs must set controls at one of the above-mentioned levels at a minimum.
Disclosure and Transparency in DCM Trade Matching Systems - § 38.401(a)
Currently, DCMs are required to have procedures, arrangements and resources for disclosing to the CFTC, market participants, and the public accurate information related to rules and specifications pertaining to the electronic matching platform or trade execution facility operations.8
The CFTC proposes to amend § 38.401(a)(1)(iii) to explicitly include within such operations any operations that materially affect the time, priority, price or quantity of execution, or the ability to cancel, modify or limit display of market participant orders. In addition, pursuant to the new § 38.401(a)(1)(iv), DCMs will have to disclose to all market participants, to the extent not already disclosed, any attributes of the electronic matching platform that have the same material effect as described above, as well as those that materially affect the dissemination of real-time market data to market participants (e.g., latencies or other variability in the electronic matching platform and the transmission and dissemination of any order or market data). Such attributes include both those that are known and those about which the DCM “should have known.” The CFTC is careful to highlight, however, that the proposed regulations are not meant to require DCM disclosure of any trade secrets.
Finally, the regulation would require that a DCM place on its website the information required under § 38.401(a)(1)(iii) and (iv) within a reasonable time, but no later than 10 business days following the identification of, or changes to, the attributes that prompt the disclosure. The description of any information provided pursuant to § 38.401 must, to the best of the DCM’s knowledge, be accurate and complete, and include all material information.9 All such information should be disclosed “prominently and clearly” on the DCM’s website, in plain English.
Pre-trade and Other Risk Controls at DCMs - § 40.20
In order to encourage all market participants to develop and implement risk controls and systems that safeguard the system, Regulation AT would impose much the same requirements on DCMs as it does on AT Persons in § 1.80. As such, DCMs, much like AT Persons, must develop risk controls, including message and execution throttles, price and size parameters, and order cancellation and connectivity monitoring systems. However, a DCM’s cancellation and connectivity monitoring systems must also incorporate an AT Person’s disconnection policies. Therefore, a DCM’s monitoring system must have the ability to:
- immediately disengage Algorithmic Trading;
- cancel certain orders when market conditions require doing do;
- prevent acceptance or submission of any new orders; and
- cancel or suspend orders from AT Persons in the event that the trading platform is disconnected.
A major difference between the obligations placed on AT Persons and DCMs, however, is that DCMs must also implement the same risk controls for manual orders that do not originate from Algorithmic Trading.
Effects of DCM Controls on AT Persons
As part of the CFTC’s effort to facilitate compliance by AT Persons subject to Regulation AT, the CFTC seeks to add an additional level of DCM controls that directly impacts AT Persons’ conduct.
DCM Test Environments for AT Persons - § 40.21
Regulation AT proposes that DCMs provide a test environment that enables AT Persons to simulate production trading. The DCM test environment aids AT Persons meeting the Regulation AT mandate to conduct §1.81(a)(1) testing of Algorithmic Trading code and related systems, both internally and on each applicable DCM (addressed above under “New Obligations for AT Persons Imposed by Regulation AT”).
DCM Review of AT Persons’ Compliance Reports; DCM Rules Requiring Certain Books and Records; and DCM Review of Such Books and Records - § 40.22
Regulation AT affixes an additional layer of compliance and books and records regulation at the DCM level to ensure that AT Persons are complying with the pre-trade and other risk control requirements discussed above.
With respect to AT Persons’ annual reporting and recordkeeping requirements, DCMs must (1) require each AT Person that trades on the DCM to submit such reports to it by June 30 of each year; and (2) establish a program for effective review of such reports and remediation of any deficiencies found.
With respect to AT Persons’ risk control measures and written policies on compliance and monitoring, DCMs must also: (1) require that each AT Person keep and provide to the DCM books and records regarding the AT Person’s compliance with all of the requirements under Regulation AT; and (2) review, evaluate and remediate, as necessary, the books and records maintained by AT Persons. Though a DCM has discretion in deciding when such a review is necessary, the CFTC lists the following examples as possible triggers for a DCM review:
- the DCM becomes aware that an AT Person’s kill switch is frequently activated or otherwise performs in an unusual manner;
- the DCM becomes aware that an AT Person’s algorithm frequently performs in a manner inconsistent with its design (raising questions about the design or monitoring of the AT Person’s algorithms);
- the DCM identifies frequent trade practice violations at an AT Person related to the AT Person’s algorithm; or
- an AT Person represents significant volume in a particular product (thereby requiring heightened scrutiny).
Self-Trade Prevention Tools - § 40.23
The CFTC seeks to require DCMs to apply mechanisms (or to require that AT Persons use mechanisms provided by DCMs) reasonably designed to prevent self-trading. Self-trading is defined as the intentional or unintentional “matching of orders for accounts that have common beneficial ownership or are under common control.” These requirements are intended to prevent self-trading, which may inaccurately signal the level of market liquidity, while still allowing “bona fide and desirable self-match trades.”
The new rules on self-trade prevention are also intended to complement the prohibition under CEA regulations on wash trades. The CFTC defines wash trading as “entering into, or purporting to enter into, transactions to give the appearance that purchases and sales have been made, without incurring market risk or changing the trader’s market position.” While the wash-trading prohibition requires a level of intent, Regulation AT goes further by addressing and prohibiting unintentional self-trading. In fact, Regulation AT does not include a de minimus exception for a certain percentage of unintentional self-trading.
Regulation AT §40.23(a) sets out the general prohibition on self-trading for all orders on DCM electronic trade matching platforms. A DCM may either determine for itself which accounts should be prohibited from trading with each other or require that market participants identify to the DCM such prohibited accounts.
Regulation AT §40.23(b) provides the following “bona fide and desirable self-match trade” exceptions to the general prohibition on self-trading:
- a DCM may implement rules that permit a self-trade resulting from the matching of orders for accounts with common beneficial ownership where such orders are initiated by “independent decisions makers,” a term to be defined by DCMs; and
- a DCM may permit a self-trade resulting from the matching of orders for accounts under common control where such orders comply with the DCM’s cross-trade, minimum exposure requirements or similar rules, and are for accounts that are not under common beneficial ownership.
In both cases, a DCM will have to require that market participants receive DCM approval to forego self-trade prevention tools with respect to specific accounts under common beneficial ownership or control in such circumstances. Market participants’ approval request must be provided by a compliance officer or senior officer. The approval request must be withdrawn or amended if any change occurs that would cause the information provided in such approval request to be no longer accurate or complete. Any approval request submitted to the DCM will be subject to 7 U.S.C. 13(a)(4), which prohibits, among other things, making false or fraudulent statements to a registered entity.
DCM Market Maker and Trading Incentive Programs - §§ 40.25 – 20.28
Regulation AT would require DCMs to provide additional information to regulators and the public about their market maker and trading incentive programs. Regulation AT codifies the CFTC’s expectation that DCM market maker and trading incentive programs may not provide payments or incentives for market maker or trading activity between accounts under common beneficial ownership. Lastly, DCMs must provide information and data as may be requested by the CFTC or the Director of the Division of Market Oversight about participation in market maker or trading incentive programs, including, but not limited to, individual program agreements, names of program participants, benchmarks achieved by program participants, and payments or other benefits conferred upon program participants.