Commissioner Luis A. Aguilar
Nov. 19, 2014
Today, the Commission considers adopting Regulation Systems, Compliance, and Integrity (or Regulation SCI). These rules and amendments are intended to establish a foundational regulatory framework for the technological market infrastructure that has become increasingly intertwined with the functioning of our securities markets.[1] The rules being considered for adoption today represent a clear improvement over the proposed version, which offered only a hollow promise that our markets would be safer, more resilient, and more stable.
The Promise and Perils of Technology
It´s true that modern information technology has revolutionized the infrastructure of the nation´s capital markets in beneficial ways.[2] But this technology also presents significant risks, and carries the potential for immense harm to investors. This is particularly true as to our nation´s equity markets, where the vast majority of trade quotations are generated by pre-programmed, automatic algorithms.[3]
Many of these algorithms have hair-trigger settings, and, as market crisis after market crisis has shown, they are able to unleash massive waves of quotations the instant certain circumstances arise.[4] Because these automated systems execute trades at blinding speeds, humans cannot keep up, and may not be able to intervene quickly when something goes awry.[5]
Consequently, in today´s markets, a single rogue algorithm can trigger a cascading series of errant trades, destroying billions of dollars of market value in the blink of an eye.[6] This destruction of market value and subsequent upheaval harm investors and undermine their faith in the fair and orderly functioning of the capital markets.[7] Each new market crisis increasingly jeopardizes the Commission´s mission to protect investors, maintain fair and orderly markets, and facilitate capital formation.
Over the past several years, market disruptions have illustrated the dangers of automated trading systems in stark relief. Exchanges are proving especially vulnerable. In fact, there have been at least 27 serious technical malfunctions at exchanges around the world in the last three years alone.[8] For example, the BATS exchange has suffered three serious software mishaps in the past two years, including a long-lived failure to provide the best price for 433,000 separate trades over a five-year period.[9] But BATS is certainly not unique. For example, over the last two years, several of the largest exchanges have suffered software malfunctions, including the New York Stock Exchange, the Chicago Board of Options Exchange, and Direct Edge.[10] And, in perhaps one of the most publicized mishaps, a software glitch badly disrupted the Facebook IPO.[11]
Providers of stock quotes, which are known as securities information providers (or SIPs),[12] are also at risk. Trading on Nasdaq was paralyzed for three hours last year when its quotation system malfunctioned, and Nasdaq suffered a similar mishap just two weeks later.[13]
Additionally, I am increasingly concerned about the cybercriminals that are targeting our capital markets by attacking or exploiting weaknesses in its technological infrastructure. Cyber-criminals succeeded in penetrating Nasdaq´s peripheral computer systems repeatedly in 2011, and even succeeded in planting a so-called "digital bomb" in Nasdaq´s servers.[14] And, in 2012, more than half of the world´s exchanges were the subject of a cyber-attack.[15] It seems rare when a week goes by without some report of a cyber-attack.
A Proposal Redeemed
This dismal catalogue of technical glitches and cyber-attacks demands a robust, comprehensive, and thoughtful response. Unfortunately, the Commission´s original SCI rule proposal failed to adequately fortify the markets´ technological infrastructure. At the time, I delineated a number of fundamental concerns that would need to be addressed before adoption.[16] To that end, I am pleased that the Commission is now considering an improved set of rules that will actually tackle the critically important task of strengthening the technological infrastructure that underlies our capital markets.
In particular, the final rules remedy three of the proposal´s most acute shortcomings:
First, I noted that the proposal failed to mandate a set of minimum standards that SCI entities must include in their policies and procedures to ensure compliance with Regulation SCI and the Exchange Act. By failing to require minimum standards, the Commission would have been codifying a toothless rule that lacked any real substance. This glaring shortcoming is rectified in the final rules.
The final rules now mandate a set of minimum standards that include a requirement to test all SCI systems, and modifications to such systems, before they are implemented. SCI entities must also devise and implement a set of internal controls to govern all changes to SCI systems. These requirements are important because of the experience with market disruptions that resulted from software changes that were not sufficiently tested prior to implementation.[17] In addition, the final rules require SCI entities to develop plans to assess their systems to ensure they continue to be compliant with the Exchange Act and Regulation SCI. The inclusion of these minimum standards in the final rules represents a substantial victory for market stability, resiliency, and security.
Second, I noted that the proposal failed to require senior management to certify that they had implemented policies and procedures reasonably designed to ensure compliance with Regulation SCI. Accordingly, the proposal provided no personal accountability. The final rules remedy this flaw by requiring senior managers to review the annual reports that assess SCI entities´ compliance with Regulation SCI. And, to ensure that those in positions of authority and responsibility will be included in the process, the final rules define senior management to include not only an SCI entity´s Chief Technology Officer, but also its CEO, CFO, General Counsel, and Chief Compliance Officer.[18] Moreover, as the final rules now make clear, these annual reports will be "filed" with the Commission—not just furnished—which means that the senior managers who are required to review them will have a heightened interest in the completeness and accuracy of those reports.[19] The final rules also require that the Board of Directors receive copies of the annual SCI reviews, which provides further assurance that a company´s leadership will have the opportunity to confirm the reports´ accuracy and completeness—and to ask appropriate questions.
Finally, I had serious concern with the expansive exemption from liability for entities that was included in the proposal. Such a "safe harbor" provision has never before been included in a rulemaking such as this, and for good reason. It seriously compromised the rule. The Commission has consistently recognized that granting regulated entities blanket immunity if they merely adopt certain policies and procedures is fundamentally antithetical to an effective regulatory regime. Fortunately, the ill-considered exemption from liability for entities is not a component of the final rules. Although the final rules retain a safe harbor for individual employees, the release makes it clear that employees bear the burden of demonstrating that they are entitled to the safe harbor because they have discharged their duties in a reasonable manner.[20]
There Is More Work to Be Done
Despite the clear improvements that have been made, I recognize that today´s rules fail to provide even basic protections for certain aspects of our capital markets´ technological infrastructure. For example, the final rules do not apply to market participants, like broker-dealers, that operate proprietary trading platforms. It is estimated that nearly 18% of all trade volume and virtually all retail investor orders are executed by broker-dealers on proprietary systems or via over-the-counter transactions, and therefore will not be executed on the venues that will be subject to Regulation SCI.[21] This is a disconcerting gap in Regulation SCI´s coverage.
Furthermore, Regulation SCI will not apply to broker-dealers and other entities that run proprietary trade algorithms. These entities present very serious risks, both to themselves and to the broader financial system. It was precisely these sorts of trade algorithms that triggered the so-called "flash crash" in 2010, which obliterated $1 trillion in market value in less than ten minutes,[22] and the Knight Capital debacle in 2012, which caused that firm to lose $461 million in only 45 minutes.[23] Extending Regulation SCI to these entities is critical to the reduction of such mishaps.[24]
Conclusion
In the end, although I would have supported a more comprehensive rule, I will vote to approve these rules and amendments because they mark a significant step forward in the Commission´s efforts to address what is clearly a serious threat to the stability, integrity, and security of our financial markets.[25]
Moreover, I am optimistic that Chair White´s direction to the staff to develop recommendations to expand Regulation SCI´s reach to additional market participants will be acted upon promptly in order to make a future "flash crash" or Knight Capital debacle less likely.
In closing, I commend the staff for their efforts in developing and refining these rules and amendments. In particular, I would like to call attention to the efforts of the Division of Trading and Markets, the Office of Information Technology, the Division of Economic and Risk Analysis, and the Office of General Counsel. I appreciate your hard work and diligence.
Thank you.
[1] Regulation Systems Compliance and Integrity, Securities Exchange Act Release No. XXXXX (Nov. 19, 2014) (S7-01-03).
[2] Automated trading systems have democratized markets, vastly enhanced liquidity, and driven transaction costs to historical lows. See John V. Duca, The Democratization of America´s Capital Markets, Dallas Federal Reserve Economic and Financial Review (2001); Terrence Hendershott, Charles M. Jones, and Albert J. Menkveld, Does Algorithmic Trading Improve Liquidity?, The Journal of Finance (Feb. 2011) (noting that automated trading "improves liquidity and enhances the informativeness of quotes," particularly for large cap stocks). In fact, automated trading systems have allowed U.S. transaction costs to go from being the highest in the world to the lowest. But technological advances have also brought new challenges. For example, technology has given rise to high frequency trading, which, in the view of some critics, takes advantage of slower retail and institutional investors. Peter J. Henning, Why High-Frequency Trading Is So Hard to Regulate, The New York Times (Oct. 20, 2014), available at http://dealbook.nytimes.com/2014/10/20/why-high-frequency-trading-is-so-hard-to-regulate/?_r=0. The Commission is assessing the extent to which specific elements of the high-frequency trading environment "may be working against investors rather than for them." Chair Mary Jo White, Enhancing Our Equity Market Structure (June 5, 2014) available at http://www.sec.gov/News/Speech/Detail/Speech/1370542004312#_ednref9.
[3] Richard Finger, High Frequency Trading: Is It A Dark Force Against Ordinary Human Traders And Investors?, Forbes (Sept. 30, 2013), available at http://www.forbes.com/sites/richardfinger/2013/09/30/high-frequency-trading-is-it-a-dark-force-against-ordinary-human-traders-and-investors/ (quoting Nanex LLC founder, Eric Hunsader, as stating that "[t]oday, 90 to 95 percent of all quotes emanate from High Frequency machines"); see also World Federation of Exchanges, Understanding High Frequency Trading, 2, available at http://modernmarketsinitiative.org/wp-content/uploads/2013/10/WFE_Understanding-HFT_May-2013.pdf (noting that high frequency trading, which is a subset of algorithmic trading, "was estimated in 2012 by consultancy Tabb Group to make up 51% of equity trades in the US" (internal citation omitted)).
[4] John Naughton, Fragile systems let hoax tweets make twits of us all, The Guardian (Apr. 27, 2013), available at http://www.theguardian.com/technology/2013/apr/28/fragile-systems-hoax-tweets-naughton.
[5] Jerry Adler, Raging Bulls: How Wall Street Got Addicted to Light-Speed Trading, Wired (Aug. 3, 2012), available at http://www.wired.com/2012/08/ff_wallstreet_trading/2/.
[6] Findings Regarding The Market Events of May 6, 2010: Report of The Staffs of The CFTC and SEC to The Joint Advisory Committee On Emerging Regulatory Issues (Sept. 30, 2010), available at http://www.sec.gov/news/studies/2010/marketevents-report.pdf.
[7] John McCrank, Facebook IPO mishandling hurt investor confidence: TD Ameritrade, Reuters (June 7, 2012), available at http://www.reuters.com/article/2012/06/07/us-facebook-investors-tdameritrade-idUSBRE8560SN20120607; Stephen Rusolillo, Facebook IPO Fallout on Par With Flash Crash, The Wall Street Journal (June 21, 2012); Testimony of Kevin Cronin, Global Head of Trading, Invesco Ltd., before the Senate Committee on Banking, Housing, and Urban Affairs (July 8, 2014), available at http://www.banking.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=32d50b9e-3ddf-4611-b223-9465138d61dc.
[8] Standard & Poor´s RatingsDirect®, Exchanges' Technical Glitches Reveal Growing Operational Risk--And Could Trigger Downgrades (Sept. 19, 2013), available at http://www.standardandpoors.com/servlet/BlobServer?blobheadername3=MDT-Type&blobcol=urldata&blobtable=MungoBlobs&blobheadervalue2=inline%3B+filename%3DExchanges_Technical_Glitch_9_26_13.pdf&blobheadername2=Content-Disposition&blobheadervalue1=application%2Fpdf&blobkey=id&blobheadername1=content-type&blobwhere=1244323920646&blobheadervalue3=UTF-8; see also Nasdaq Market System Status Updates for the Nasdaq Options Market (Nov. 1, 2013), available at http://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatus; NYSE Amex Options and NYSE Arca Options Trader Update, Erroneous Complex Order Executions (Apr. 29, 2014), available at http://www1.nyse.com/pdfs/2014_04_29_NYSE_Amex_and_Arca_Options_Erroneous_Complex _Order_Executions.pdf; NYSE Service Advisory, CTA Update (Oct. 30, 2014), available at https://markets.nyx.com/nyse/market-status/view/13467; NYSE Market Status Alert, NMS SIP market wide issue (Oct. 30, 2014), available at https://markets.nyx.com/nyse/market-status/view/13465.
[9] Nina Mehta and Eleni Himaras, Bats Says System Errors Cause Pricing Problems, Bloomberg (Jan. 10, 2013), available at http://www.bloomberg.com/news/2013-01-10/bats-says-system-errors-caused-pricing-problems-over-4-years-1-.html. One of these technical malfunctions caused BATS to abandon its own public offering. See Matthew Philips, Exchange Glitches Pile Up as BATS Halts Trading, Bloomberg Businessweek (Sept. 26, 2013), available at http://www.businessweek.com/printer/articles/155396-exchange-glitches-pile-up-as-bats-halts-trading; see also Dan Beucke, Bats: The Epic Fail of the Worst IPO Ever, Bloomberg Businessweek (Mar. 23, 2012), available at http://www.businessweek.com/articles/2012-03-23/bats-all-folks-the-epic-fail-of-the-worst-ipo-ever.
[10] See Agustino Fontevecchia, NYSE Trading Glitch Hits 216 Securities, Zaps Half Of Average Trading Volume, Forbes (Nov. 12, 2012), available at http://www.forbes.com/sites/afontevecchia/2012/11/12/nyse-trading-glitch-hits-216-securities-zaps-half-of-average-trading-volume/; Nikolaj Gammeltoft, Nina Mehta, and Lu Wang, CBOE Reopens After Malfunction Shuts Options Exchange, Bloomberg (Apr. 25, 2013), available at http://www.bloomberg.com/news/2013-04-25/cboe-holdings-delays-open-for-exchange-after-system-problems.html; Chris Dieterich and Jacob Bunge, System Problems Hit BATS, Direct Edge: Trading hiccups hit a pair of U.S. stock exchanges Tuesday in unrelated disruptions, The Wall Street Journal (Aug. 6, 2013), available at http://online.wsj.com/articles/SB10001424127887323968704578652183716990670.
[11] Michael J. Moore, Lee Spears, and Douglas MacMillan, Facebook IPO Debacle Triggers Legal Debate, Bloomberg (May 24, 2012), available at http://www.bloomberg.com/news/2012-05-24/facebook-ipo-debacle-triggers-legal-debate.html; Tomio Geron, Facebook Prices Third-Largest IPO Ever, Valued at $104 Billion, Forbes (May 17, 2012), available at http://www.forbes.com/sites/tomiogeron/2012/05/17/facebook-prices-ipo-at-38-per-share/; Jenny Strasburg, Facebook Losses Slice UBS Profits, The Wall Street Journal (July 31, 2012), available at http://online.wsj.com/articles/SB10000872396390444405804577560220392935282.
[12] Securities Information Processors ("SIPs") are the systems that consolidate quote and trade data for all exchange-traded stocks. The data is provided by the exchanges, is processed by the SIPs, and fed back out as a single stream of data. The SIPs were created to give investors and market professionals access to real time price information. They also act as the benchmark used by regulators and others to determine the NBBO (National Best Bid and Offer). There are currently three SIPs, one operated by Nasdaq for stocks listed on Nasdaq, and two operated by NYSE (one for NYSE-listed stocks and one for formerly Amex-listed stocks). See Ivy Schmerken, Nasdaq OMX Won Over SIP Committee With Latency Reductions & Tech Upgrades, InformationWeek WallStreet &Technology, available at http://www.wallstreetandtech.com/infrastructure/nasdaq-omx-won-over-sip-committee-with-latency-reductions-and-tech-upgrades/d/d-id/1317316.
[13] Whitney Kisling, Nasdaq Fixes Another Malfunction With Price Feed, Bloomberg (Sept. 4, 2013), available at http://www.bloomberg.com/news/2013-09-04/direct-edge-halts-some-nasdaq-stocks-citing-feed-issue-correct-.html. Furthermore, less than a month ago, all trading in over-the-counter stocks had to be halted for nearly two hours when a software upgrade prevented quotes from displaying accurately. Bradley Hope, Trading Resumes on OTC Markets, The Wall Street Journal (Oct. 17, 2014), available at http://online.wsj.com/articles/finra-halts-trading-on-otc-markets-1413562993.
[14] Michael Riley, How Russian Hackers Stole the Nasdaq, Bloomberg Businessweek (July 17, 2014), available at http://www.businessweek.com/printer/articles/213544-how-russian-hackers-stole-the-nasdaq; Paul Szoldra, Hacker Reveals How Devastating A Cyberattack On The Stock Market Could Be, Business Insider (Aug. 21, 2013), available at http://www.businessinsider.com/hacker-reveals-how-devastating-a-cyberattack-on-the-stock-market-could-be-2013-8; Phil Albinus, Hackers to Exchanges: You´re Next, InformationWeek WallStreet & Technology (August 2, 2013), available at http://www.wallstreetandtech.com/security/hackers-to-exchanges-youand-8217re-next/d/d-id/1268314?itc=edit_in_body_cross. Some experts have noted that the risks associated with cyber-attacks are particularly acute for financial markets. The highly interconnected nature of our marketplace means that just one compromised market participant can quickly spread contagion throughout the broader financial system. See Daniel R. Bryer and Monet H. Duval, Cybersecurity, The Stock Market And The Potential For Individual Statutory Liability, CM Report on Cybersecurity (Fall 2013), 10, available at http://www.clausen.com/dir_docs/firm_pubs/2a674cc2-ac6b-4076-ad33-ca19afba9576_pdfdocument.pdf.
[15] Trillion dollar risk: Cyberattackers target markets, Reuters (July 17, 2013), available at http://www.cnbc.com/id/100892575.
[16] Commissioner Luis A. Aguilar, Developing Solutions to Ensure that the Automated Systems of Our Marketplace are Secure, Robust, and Reliable (Mar. 7, 2013), available at http://www.sec.gov/News/Speech/Detail/Speech/1365171515056.
[17] Christopher Steiner, Knight Capital's Algorithmic Fiasco Won't Be The Last of its Kind, Forbes (Aug. 2. 2012), available at http://www.forbes.com/sites/christophersteiner/2012/08/02/knight-capitals-algorithmic-fiasco-wont-be-the-last-of-its-kind/; see also supra note 13, Bradley Hope, Trading Resumes on OTC Markets.
[18] 17 CFR 242.1000.
[19] Section 32(a) of the Exchange Act makes it a crime to willfully and knowingly make a materially false or misleading statement, or cause such a statement to be made, in any report or document required to be filed with the Commission. 15 U.S.C. 78ff(a). Accordingly, the individual senior managers of an SCI entity could face criminal liability if they knowingly cause, or aid and abet, the filing of an SCI report that contains a materially false or misleading statement.
[20] Supra note 1; see also 17 CFR 242.1001(b)(4).
[21] Rhodri Preece, Dark Pools, Internalization, and Equity Market Quality, CFA Institute (Oct. 2012), available at http://www.cfapubs.org/doi/pdf/10.2469/ccb.v2012.n5.1 (noting that "[i]nternalization and other over-the-counter (OTC) transactions represent approximately 18% of consolidated volume. Internalization is also thought to account for almost 100% of all retail marketable order flow.").
[22] Supra note 6, Findings Regarding The Market Events of May 6, 2010: Report of The Staffs of The CFTC and SEC to The Joint Advisory Committee On Emerging Regulatory Issues.
[23] Supra note 17, Christopher Steiner, Knight Capital's Algorithmic Fiasco Won't Be The Last of its Kind.
[24] Before Knight Capital´s algorithm malfunctioned, the firm´s computer systems sent out a flurry of email messages warning of the impending problem. Unfortunately, these warnings went unheeded. See Jacob Bunge, SEC: Knight Capital Missed Warnings Before Errant Trades, The Wall Street Journal (Oct. 16, 2013), available at http://online.wsj.com/news/articles/SB10001424052702303680404579139480277246674. But had Knight Capital been subject to Regulation SCI, it would have had an express obligation to monitor its systems in order to identify potential problems—an obligation that is not explicitly required by the Commission´s Market Access Rule. Compare 17 CFR 242.1001(a)(2)(vii) with 17 CFR 240.15c3-5. The duty to monitor its systems may very well have led Knight Capital to review the warning emails, and saved the firm. Regulation SCI´s surveillance requirement could thus help other broker-dealers avoid Knight Capital´s fate.
[25] Depository Trust Clearing Corporation, Beyond the Horizon: A White Paper to the Industry on Systemic Risk, iii (Aug. 2013) (noting that cyber security "has emerged as arguably the top systemic threat . . . [to] global financial markets and associated infrastructures"), available at http://www.dtcc.com/~/media/Files/Downloads/WhitePapers/Beyond_the_Horizon_White_Paper_Systemic_Risk.ashx; J. Carter Dougherty, Banks Dreading Computer Hacks Call for Cyber War Council, Bloomberg (July 8, 2014), available at http://www.bloomberg.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html; Jo Kinsella, More Exchange Outages: Do We Learn from the Past?, InformationWeek WallStreet & Technology (Aug. 14, 2013), available at http://www.wallstreetandtech.com/risk-management/more-exchange-outages-do-we-learn-from-the-past/a/d-id/1268335.