On November 4, 2016, the U.S. Commodity Futures Trading Commission approved a supplemental notice of proposed rulemaking concerning its access to algorithmic trading source code in a 2-1 vote. The supplemental notice amends proposed Regulation AT and outlines a new mechanism by which the CFTC can obtain the source code and related records of the automated traders it regulates as part of its routine surveillance of the market.
Algorithmic source code is the foundation of an automated trader’s business model, and as such it is usually the most valuable asset and fiercely protected trade secret an automated trader has. Currently, the CFTC may obtain source code only by issuing a subpoena, which provides the subpoena recipient with certain procedural safeguards such as the ability to challenge the subpoena before a federal judge.
Since the “flash crash” of 2010, during which the Dow lost and recovered 1,000 points within 20 minutes, the CFTC has desired greater insight into algorithmic trading, which enabled that crash and continues to present such a risk. With the initiative to revive the CFTC’s in-house judiciary stalled (likely due to ongoing constitutional challenges to the SEC’s in-house judiciary), the CFTC has sought an alternative way to streamline the process of obtaining market participants’ algorithmic source code.
The supplemental notice provides that the CFTC may access a market participant’s algorithmic trading source code during the course of its market oversight activities by a “special call” that is approved by the Commission. The Commission-approved “special call” is to be executed by the Director of the Division of Market Oversight, which means that the DMO determines the means of the CFTC’s access. This access could take the form of an onsite visit to view the source code, or a request that the source code be provided to the CFTC. Although the supplemental notice cites to applicable confidentiality rules to shore-up the notion that market participants’ algorithmic trading source code in the CFTC’s hands will be safe, rules and punishments are irrelevant to the technical cyber security of the CFTC’s computer network. In light of the acute and well-publicized data breaches at the Office of Personnel Management in 2014 and 2015, and the likely value of this source code, concerns regarding the confidentiality of source code handed over to the CFTC are well-founded.
What exactly is a “special call” and how is it determined? Scant information is provided, other than it is “the means [the CFTC’s] surveillance division has used for many years to obtain and review information.” Similarly, there is no guidance in the supplemental notice on how the Commission should reach its decision to approve or not approve this type of special call. Furthermore, the absence of any rules regarding how to dispute this type of special call makes it clear that automated trader market participants have no recourse should the CFTC ask them to divulge their most valuable trade secret. As underscored by the opposing commissioner in his statement of dissent, the CFTC is clearly setting itself up for a due process constitutional challenge should the supplemented Regulation AT be finalized.
The supplemental notice of Regulation AT will be open to public comment in the 60-day period following its publication in the Federal Register.