This article was written by Steve Snyder, a partner in King & Spalding’s Intellectual Property group and a member of the firm’s Data, Privacy, and Security working group. He leverages his technical and legal expertise to advise clients on cybersecurity, privacy, trade secrets, and technology. Steve provides guidance across many sectors including financial, medical devices, retail, internet, and mobile telecommunications. He regularly publishes articles and participates on panels involving emerging issues.
On November 24, 2015 the Commodity Futures Trading Commission (“CFTC”) issued a notice of proposed rulemaking concerning the Regulation of Automated Trading (“Regulation AT”). Regulation AT reflects the effort of the CFTC to enhance its regulatory regime relating to automated trading in U.S. designated contract markets (“DCMs”). The CFTC is seeking to update its rules to account for the evolution from pit trading to electronic trading and in doing so, to promote best practices for algorithm trading systems, electronic trade matching engines and new connectivity methods. The full publication of the notice of proposed rulemaking (“Notice”) for Regulation AT can be found here.
The Notice is over 500 pages and contains over 150 enumerated requests for comments. These figures demonstrate the breadth and significance of the proposed rules. The proposed rules apply to a newly defined class called “AT Persons,” which include various types of entities that “engage in Algorithmic Trading on or subject to the rules of a DCM, or persons registered or required to be registered as floor traders as defined. . . .” See Notice Section IV(D)(6). The Notice sets forth an estimate of the number of entities subject to Regulation AT. They include an estimated 420 firms that are actively sending in algorithmic orders to DCMs. See Notice Section V(A). Another estimated 100 firms would be implicated due to allowing Direct Electronic Access (“DEA”) for Algorithmic Trading as defined. See Notice Section V(A); see also Regulation AT § 1.3 Definitions ¶(x)(3). Finally, approximately 57 clearing member futures commission merchants and 15 DCMs would be implicated as well. See Notice Section V(A).
At a high level, Regulation AT provides a set of controls to mitigate risks from the use of automated trading as well as a framework for oversight to ensure appropriate measures are being taken by the regulated entities. It includes a codification of terms, a set of risk controls, compliance reporting requirements, and provisions for testing, monitoring and supervision. See Notice Section I(C)(1). The Notice discusses over 20 specific provisions in depth, including the proposed changes and the rationale behind them. Some particularly notable provisions relate to new entities subject to regulation, the requirement to join a registered futures association (“RFA”) and requirements regarding the storage and accessibility of source code.
Of the entities subject to the proposed regulation, a group that stands out is the firms implicated through providing DEA. Although some of these firms may be registered with the CFTC and are already subject to regulation, others will be required to register as a function of the implementation of Regulation AT. These would be any firms that provide DEA for Algorithmic Trading and are not currently registered with the CFTC. Under Regulation AT these entities would be required to register with the CFTC and be subject to the oversight and risk management controls specified. See Notice Section IV(E). This requirement is implemented by including such entities in the definition of “floor trader,” which in turn would make them “AT Persons” subject to various provisions such as pre-trade risk controls, including maximum execution frequencies and maximum order size limits. See Notice Section IV(E).
Another significant provision requires all “AT Persons” to become registered with an RFA. An RFA is a registered association of persons that serves a self-regulatory role while subject to CFTC oversight. See Notice Section IV(G). It is noted that many entities will already be members of RFAs and thereby unaffected by this provision. Some entities, such as floor traders, may not have previously been members of RFAs and therefore would now be required to become members. RFAs provide various mechanisms of governance, including binding compliance requirements. The Notice discusses one specific RFA, the National Futures Association (“NFA”), which has promulgated Compliance Rule 2-9 and Interpretive Notice 9046, which require NFA members to “adopt and enforce written procedures to examine the security, capacity, and credit and risk-management controls provided by the firm’s automated order-routing systems.” See Notice Section II(D)(1).
While RFA requirements such as the NFA provisions cited in the Notice may be compatible with, and in some cases duplicative of, the new proposed rule provisions, RFA requirements can go further. For example, the NFA recently adopted cybersecurity requirements in an interpretive notice not cited in the Regulation AT Notice. These provisions go beyond the requirements of Regulation AT, which are directed primarily at preventing errors or malfunctions in technology from disrupting the systems. The NFA cybersecurity guidance includes identifying threats and vulnerabilities and implementing a formal information systems security program. See here. Therefore, any AT Person required to join an RFA may be subject to a broader set of requirements than those specified in the Notice, including cybersecurity provisions.
Additionally, proposed § 170.19 requires RFAs to “establish and maintain a program for the prevention of fraud and manipulation.” While this section provides latitude for RFAs, it suggests that all AT Persons may ultimately be subject to some form of cybersecurity provisions indirectly through the adoption of Regulation AT. On one hand, it may require them to join an RFA that already has cybersecurity provisions in place. Alternatively, they may join an RFA that does not currently have cybersecurity provisions but will implement them pursuant to § 170.19. Therefore, for any AT Person, Regulation AT could be viewed as including some form of cybersecurity requirement to prevent “fraudulent and manipulative acts.”
With respect to the Regulation AT risk controls and oversight provisions, one to focus attention on is the requirement that each AT Person must: “Maintain a source code repository to manage source code access, persistence, copies of all code used in the production environment, and changes to such code. Such source code repository must include an audit trail of material changes to source code that would allow the AT Person to determine, for each such material change: who made it; when they made it; and the coding purpose of the change. Each AT Person shall keep such source code repository, and make it available for inspection, in accordance with § 1.31.” See proposed § 1.81(a)(1)(vi). The cited provision, 17 C.F.R. § 1.31, requires that “records shall be open to inspection by any representative of the Commission, or the United States Department of Justice.”
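The three audit-trail elements named in proposed § 1.81(a)(1)(vi) (who made each material change, when, and the coding purpose) map directly onto the metadata a version-control system records for every commit. The following added example, which is not from the Notice, the CFTC, or any AT Person's tooling, parses a constructed `git log` export and flags commits whose records lack any of those three elements, the kind of check a firm might run before attesting that its repository satisfies the requirement. The log format (`git log --format='%H%x1f%an%x1f%ae%x1f%aI%x1f%s'`, fields separated by the ASCII unit separator) and the sample entries are assumptions made for this example.

```python
"""Check a version-control history against the three audit-trail elements
in proposed 17 C.F.R. 1.81(a)(1)(vi): who made each change, when, and why.

Assumed input: one commit per line, as produced by
    git log --format='%H%x1f%an%x1f%ae%x1f%aI%x1f%s'
The sample below is constructed for this example, not taken from any real
repository.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SEP = "\x1f"  # ASCII unit separator, safe because it cannot appear in a subject line

# Constructed sample export. Two entries are deliberately deficient:
# one has no author name (no "who"), one has a blank subject (no "purpose").
SAMPLE_LOG = "\n".join([
    SEP.join(["a1b2c3d4", "Dana Ortiz", "dortiz@example.com",
              "2015-11-30T09:12:44-05:00", "Cap per-second order rate at configured max"]),
    SEP.join(["e5f6a7b8", "", "build@example.com",
              "2015-12-01T14:03:10-05:00", "Rebuild release artifacts"]),
    SEP.join(["c9d0e1f2", "Wei Chen", "wchen@example.com",
              "2015-12-02T11:45:01-05:00", ""]),
    SEP.join(["33445566", "Dana Ortiz", "dortiz@example.com",
              "2015-12-03T16:20:37-05:00", "Widen max order size check to cover spread orders"]),
])


@dataclass
class ChangeRecord:
    commit: str
    author: str
    email: str
    when: Optional[datetime]   # None if the timestamp failed to parse
    purpose: str               # commit subject line

    def missing(self) -> List[str]:
        """Return which of the three audit-trail elements this record lacks."""
        gaps = []
        if not self.author.strip():
            gaps.append("who")
        if self.when is None:
            gaps.append("when")
        if not self.purpose.strip():
            gaps.append("purpose")
        return gaps


def parse_log(text: str) -> List[ChangeRecord]:
    """Parse the field-separated export into ChangeRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP)
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commit, author, email, when_raw, subject = fields
        try:
            when = datetime.fromisoformat(when_raw)  # ISO 8601 with offset (%aI)
        except ValueError:
            when = None
        records.append(ChangeRecord(commit, author, email, when, subject))
    return records


def audit_trail_gaps(text: str) -> Dict[str, List[str]]:
    """Map each deficient commit hash to the audit-trail elements it lacks.

    An empty dict means every record in the export identifies who, when and why.
    """
    return {r.commit: r.missing() for r in parse_log(text) if r.missing()}


if __name__ == "__main__":
    gaps = audit_trail_gaps(SAMPLE_LOG)
    if not gaps:
        print("all records carry who/when/purpose")
    for commit, elements in gaps.items():
        print(f"{commit}: missing {', '.join(elements)}")
```

Applied to the constructed sample, the report flags `e5f6a7b8` (no author name) and `c9d0e1f2` (no stated purpose). A real deployment would additionally verify that the repository history itself cannot be rewritten (protected branches, signed commits) so that the trail the regulator inspects is the trail that was actually recorded.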
These proposed source code requirements may be of particular concern to traders engaged in high-frequency trading (“HFT”), who often employ highly sophisticated algorithms that are heavily guarded trade secrets. The requirements to maintain the source code in human readable form with an audit trail detailing all of the changes, and to further make all of that information readily available for inspection, could raise concerns for a firm trying to protect its trade secrets from both insider and external threats. The countervailing consideration by the CFTC is that HFT is one of the primary concerns from a market disruption standpoint, as illustrated by the citation in the Notice to the Knight Capital trading malfunction, which caused a market disturbance in 2012 (and cost Knight $460 Million). See Notice Section II(C)(1).
Impacted and potentially impacted entities have 90 days from the Notice to submit comments (until February 22, 2016). Section VII of the Notice lists all 164 questions contained throughout but also notes that parties are welcome to submit general comments as well. All entities should consider submitting comments on provisions that may have a significant impact. Some of the provisions relating to cybersecurity and trade secrets may be of particular concern to many entities, but each entity should take the time to examine the Notice with the guidance of trusted advisors and determine whether to submit comments on particularly sensitive aspects.