CFTC Rule Gives Regulators End-Run around Fourth Amendment

The Commodity Futures Trading Commission wants to stop the next flash crash. But one of the tools the agency is seeking — unfettered access to the computer-based source code of algorithmic traders — will not stop another market tumble. More importantly, such a move sets a dangerous precedent of financial regulators impinging on firms’ Fourth Amendment rights and putting valuable trade secrets, and the markets, at risk.

Late last year, the CFTC proposed a new rule ,Regulation AT, aimed at algorithmic traders. The proposal would define traders’ source code as “books and records” under the commission’s regulations, among other requirements. Theoretically, the agency would use greater access to the computer data to investigate causes behind trading abnormalities.

Federal regulators have long had the ability to examine, without a warrant or subpoena, the books and records of the firms under their jurisdiction. But the desire to include source code in this easily accessible repository reflects regulators’ concern about the perceived volatility of markets where algorithmic traders work.

There is no reason for the CFTC — or any regulator — to have such broad access to traders’ source code.

To be sure, the 2010 flash crash still looms large. Although there is still debate about what caused the crash, regulators want to be able to assess and address any wild market swings in the future. But the ability to access source code in books and records creates a shortcut around the Fourth Amendment, allowing quick access without the need for a warrant. Such shortcuts should always be created cautiously, defined narrowly and policed vigorously.

CFTC Chairman Timothy Massad has recently tried to assuage industry concerns about source code access. At a February congressional hearing, he was reported as saying that companies would not have to necessarily provide their code to regulators, just “preserve it.” In a speech earlier this month, Massad said the agency is sensitive to confidentiality concerns while not backing down from arguing that code access is necessary.

“Let me underscore my commitment to a final rule that respects and protects confidentiality while at the same time ensuring that source code is preserved and is available to us when we need to reconstruct market events,” he said.

But the chairman’s remarks have not been accompanied by any commitment to change the proposed rule, and the commission’s assurance that it will not use its power to access the code rings hollow without action to back it up. Additionally, equal to the concern of trading firms is the precedent that would be set for banks and other regulatory agencies should the CFTC set a precedent of skirting constitutional protection of search and seizure by including source code in the books and records definition.

Historically, books and records have included documents such as records of trade orders, purchase confirmations, communications related to trades and similar records of already-completed trades. Algorithmic traders’ source code, however, is nothing like an order or a purchase confirmation. Source code is the template that traders’ computer systems use to decide what to buy or sell, when, and at what price.

While most materials currently covered under the books and records definition record past activity, source code — for those able to decipher it — predicts future activity. Because the code encompasses a firm’s entire trading strategy, it can be the firm’s most valuable asset. Traders therefore go to great lengths to protect it, both erecting barriers to prevent its transfer outside the firm and vigorously pursuing anyone suspected of trying to steal it.

Although regulators can typically access information necessary to an investigation, including most information outside the scope of the books and records designation, that access is subject to several layers of legal protection. The government must obtain a warrant or issue a subpoena, which can be challenged both in legal sufficiency and scope, and the lawyer for the firm can negotiate the terms on which the firm will provide access or information to the government. This limits the government to what it truly needs, and allows the firm to negotiate for confidentiality safeguards.

But the books and records designation goes further than just allowing access, and this is why algorithmic traders are at exceptional risk. Under the CFTC’s regulations, a firm must not only maintain the documents designated “books and records,” but must provide them to the CFTC on demand.

The traders would be required to relinquish all control over their most valuable assets, allowing the code to leave the traders’ possession and be entrusted to the government for potentially indefinite storage. While the CFTC may intend to provide protection for this information, the government does not have the motivation that the individual firms have and could subject the firms to incalculable loss if a hacker gained access to the code. Worse, it could allow hackers to wreak havoc with the markets.

There’s more. Under existing regulations, if a firm stores its records electronically it must engage a third-party technical consultant who must not only have access to the information, but also be able to download it. Assuming that under the proposed rule source code would be deemed an electronically stored record, the firm would have to allow a third party to both view and hold its code. The code might be better protected by a third-party consultant than in the government’s hand — third-party consultants would presumably compete over the ability to provide the best-protected storage — but the rule would still require traders to give yet more people access to their prized secrets.

There is no reason for the CFTC — or any regulator — to have such broad access to traders’ source code. A rule that simply required traders to retain their source code for a period of years would provide ample access for any investigation. There is no need for warrantless, immediate access and possession. If the chairman and his fellow commissioners find such a rule acceptable, they should support their words with actions and revise the rule in its final version to remove source code from the books and records definition.

The flash crash lasted 36 minutes. It took the Department of Justice five years to arrest Navinder Singh Sarao, the trader accused of contributing to the crash through the use of illegal algorithmic trading practices. It is unlikely that the CFTC would be able to locate and address a similar crash within minutes, even with access to traders’ code. If it took five years to identify and arrest Sarao, surely waiting just a few days to get the necessary warrants is worth protecting not only traders’ dearest secrets but also their constitutional rights.

Thaya Brook Knight is associate director of financial regulation studies at the Cato Institute.