Protecting the Technological Infrastructure of Our Capital Markets

Luis A. Aguilar is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on Commissioner Aguilar’s remarks at a recent open meeting of the SEC; the full text, including footnotes, is available here. The views expressed in the post are those of Commissioner Aguilar and do not necessarily reflect those of the Securities and Exchange Commission, the other Commissioners, or the Staff.

Today [November 19, 2014], the Commission considers adopting Regulation Systems, Compliance, and Integrity (or Regulation SCI). These rules and amendments are intended to establish a foundational regulatory framework for the technological market infrastructure that has become increasingly intertwined with the functioning of our securities markets. The rules being considered for adoption today represent a clear improvement over the proposed version, which offered only a hollow promise that our markets would be safer, more resilient, and more stable.

The Promise and Perils of Technology

It’s true that modern information technology has revolutionized the infrastructure of the nation’s capital markets in beneficial ways. But this technology also presents significant risks, and carries the potential for immense harm to investors. This is particularly true as to our nation’s equity markets, where the vast majority of trade quotations are generated by pre-programmed, automatic algorithms.

Many of these algorithms have hair-trigger settings, and, as market crisis after market crisis has shown, they are able to unleash massive waves of quotations the instant certain circumstances arise. Because these automated systems execute trades at blinding speeds, humans cannot keep up, and may not be able to intervene quickly when something goes awry.

Consequently, in today’s markets, a single rogue algorithm can trigger a cascading series of errant trades, destroying billions of dollars of market value in the blink of an eye. This destruction of market value and subsequent upheaval harm investors and undermine their faith in the fair and orderly functioning of the capital markets. Each new market crisis increasingly jeopardizes the Commission’s mission to protect investors, maintain fair and orderly markets, and facilitate capital formation.

Over the past several years, market disruptions have illustrated the dangers of automated trading systems in stark relief. Exchanges are proving especially vulnerable. In fact, there have been at least 27 serious technical malfunctions at exchanges around the world in the last three years alone. For example, the BATS exchange has suffered three serious software mishaps in the past two years, including a long-lived failure to provide the best price for 433,000 separate trades over a five-year period. But BATS is certainly not unique. For example, over the last two years, several of the largest exchanges have suffered software malfunctions, including the New York Stock Exchange, the Chicago Board of Options Exchange, and Direct Edge. And, in perhaps one of the most publicized mishaps, a software glitch badly disrupted the Facebook IPO.

Providers of stock quotes, which are known as securities information providers (or SIPs), are also at risk. Trading on Nasdaq was paralyzed for three hours last year when its quotation system malfunctioned, and Nasdaq suffered a similar mishap just two weeks later.

Additionally, I am increasingly concerned about the cyber-criminals that are targeting our capital markets by attacking or exploiting weaknesses in their technological infrastructure. Cyber-criminals succeeded in penetrating Nasdaq’s peripheral computer systems repeatedly in 2011, and even succeeded in planting a so-called “digital bomb” in Nasdaq’s servers. And, in 2012, more than half of the world’s exchanges were the subject of a cyber-attack. It seems rare when a week goes by without some report of a cyber-attack.

A Proposal Redeemed

This dismal catalogue of technical glitches and cyber-attacks demands a robust, comprehensive, and thoughtful response. Unfortunately, the Commission’s original SCI rule proposal failed to adequately fortify the markets’ technological infrastructure. At the time, I delineated a number of fundamental concerns that would need to be addressed before adoption. To that end, I am pleased that the Commission is now considering an improved set of rules that will actually tackle the critically important task of strengthening the technological infrastructure that underlies our capital markets.

In particular, the final rules remedy three of the proposal’s most acute shortcomings:

First, I noted that the proposal failed to mandate a set of minimum standards that SCI entities must include in their policies and procedures to ensure compliance with Regulation SCI and the Exchange Act. By failing to require minimum standards, the Commission would have been codifying a toothless rule that lacked any real substance. This glaring shortcoming is rectified in the final rules.

The final rules now mandate a set of minimum standards that include a requirement to test all SCI systems, and modifications to such systems, before they are implemented. SCI entities must also devise and implement a set of internal controls to govern all changes to SCI systems. These requirements are important because of the experience with market disruptions that resulted from software changes that were not sufficiently tested prior to implementation. In addition, the final rules require SCI entities to develop plans to assess their systems to ensure they continue to be compliant with the Exchange Act and Regulation SCI. The inclusion of these minimum standards in the final rules represents a substantial victory for market stability, resiliency, and security.

Second, I noted that the proposal failed to require senior management to certify that they had implemented policies and procedures reasonably designed to ensure compliance with Regulation SCI. Accordingly, the proposal provided no personal accountability. The final rules remedy this flaw by requiring senior managers to review the annual reports that assess SCI entities’ compliance with Regulation SCI. And, to ensure that those in positions of authority and responsibility will be included in the process, the final rules define senior management to include not only an SCI entity’s Chief Technology Officer, but also its CEO, CFO, General Counsel, and Chief Compliance Officer. Moreover, as the final rules now make clear, these annual reports will be “filed” with the Commission—not just furnished—which means that the senior managers who are required to review them will have a heightened interest in the completeness and accuracy of those reports. The final rules also require that the Board of Directors receive copies of the annual SCI reviews, which provides further assurance that a company’s leadership will have the opportunity to confirm the reports’ accuracy and completeness—and to ask appropriate questions.

Finally, I had serious concern with the expansive exemption from liability for entities that was included in the proposal. Such a “safe harbor” provision has never before been included in a rulemaking such as this, and for good reason. It seriously compromised the rule. The Commission has consistently recognized that granting regulated entities blanket immunity if they merely adopt certain policies and procedures is fundamentally antithetical to an effective regulatory regime. Fortunately, the ill-considered exemption from liability for entities is not a component of the final rules. Although the final rules retain a safe harbor for individual employees, the release makes it clear that employees bear the burden of demonstrating that they are entitled to the safe harbor because they have discharged their duties in a reasonable manner.

There Is More Work to Be Done

Despite the clear improvements that have been made, I recognize that today’s rules fail to provide even basic protections for certain aspects of our capital markets’ technological infrastructure. For example, the final rules do not apply to market participants, like broker-dealers, that operate proprietary trading platforms. It is estimated that nearly 18% of all trade volume and virtually all retail investor orders are executed by broker-dealers on proprietary systems or via over-the-counter transactions, and therefore will not be executed on the venues that will be subject to Regulation SCI. This is a disconcerting gap in Regulation SCI’s coverage.

Furthermore, Regulation SCI will not apply to broker-dealers and other entities that run proprietary trade algorithms. These entities present very serious risks, both to themselves and to the broader financial system. It was precisely these sorts of trade algorithms that triggered the so-called “flash crash” in 2010, which obliterated $1 trillion in market value in less than ten minutes, and the Knight Capital debacle in 2012, which caused that firm to lose $461 million in only 45 minutes. Extending Regulation SCI to these entities is critical to the reduction of such mishaps.

Conclusion

In the end, although I would have supported a more comprehensive rule, I will vote to approve these rules and amendments because they mark a significant step forward in the Commission’s efforts to address what is clearly a serious threat to the stability, integrity, and security of our financial markets.

Moreover, I am optimistic that Chair White’s direction to the staff to develop recommendations to expand Regulation SCI’s reach to additional market participants will be acted upon promptly in order to make a future “flash crash” or Knight Capital debacle less likely.
