Wall Street’s Resistance to Technology Standards Is Dangerous

Regulation SCI is the SEC’s latest attempt to try to grapple with the complexity of the modern electronic marketplace. In the wake of the Knight Capital debacle, last October the SEC convened a Technology Roundtable, on which I had the honor of participating. Regulation SCI (Systems, Compliance and Integrity) has largely come from that discussion and others among regulators and the industry. The comment period on the rule proposal recently ended, and the comment letters are exactly what one would have expected: Little talk of whether SCI is an objectively sound proposal, but non-stop pushback by various parties on parts of the proposal that would increase their cost of doing business. Whether we should expect anything else is perhaps a naïve (or plain silly) question.

It’s important to highlight three main contentious points from the SCI proposal, which is broadly an attempt to mandate technology standards for any entities previously subject to ARP, the SEC’s technology audit process for exchanges and ATSs/ECNs. It’s also important to note that ARP and any recommendations that arose from it were voluntary (although exchanges generally treated them as mandatory), whereas SCI is an attempt to expand, codify and enforce such standards. The three overarching questions are:

  1. Should SCI only apply to exchanges/ATSs/ECNs, or also to broker-dealers?
  2. Should SCI apply to all ATSs, or only those that reach a certain market share?
  3. Should SCI mandate explicit standards for coding, testing, security and high-availability?

There are, of course, many other issues contained in this 377-page proposal. Notably, the burden it places on SCI Entities to track incidents and report them created a contentious debate. However, these three questions received the most attention from commentors, and I believe they are the most important.

The industry’s general reaction can be summed up with a quote from FINRA’s comment letter:

“FINRA requests that the Commission reconsider the scope of Regulation SCI. While FINRA supports the goals of the proposal, we note that the burden of compliance will be substantial and could escalate dramatically depending on the scope of the requirements”

In other words, FINRA wants technology systems to be more stable, but certainly doesn’t want to spend any money or change what it’s doing in order to accomplish that. Now, on first glance, one would be taken aback by the so-called self-regulator taking such a dramatic stance against the scope of SCI. However, upon investigating FINRA’s broad business model and extreme conflicts of interest in regulating its members, one would be far less surprised.

Now, the first two questions above deal broadly with a similar issue: How do you define an “SCI Entity.” The first question is whether SCI should apply to broker-dealers. The FIA’s Principal Traders Group obviously has a strong opinion on the matter, stating definitively that: “The Reg SCI Entity Definition Should Not Be Expanded to Include Broker Dealers—Which Are Already Subject to Substantial Continuity, Testing, Control and Integrity Requirements.” FIA then goes on to list several regulations and venue rules to which BDs are subjected, concluding that “[t]hese requirements provide a sound basis for testing, continuity and system integrity,” when in fact the rules they cite have nothing to do with testing.

This is a question on which I completely agree with R.T. Leuchtkafer, the enigmatic anonymous submitter of SEC Comment Letters on any issues surrounding High-Frequency Trading and technology systems. As I stated in my comment letter, anybody with direct market access should be covered by Regulation SCI and have stringent and robust technology standards imposed on their processes. As R.T. states eloquently in his comment letter:

“Recall that it was Knight Capital’s failings on August 1, 2012 that prompted then SEC Chairman Mary Schapiro to issue a statement on August 3, 2012 announcing that she had directed SEC staff to draft Reg SCI. In that light, it would be peculiar if Reg SCI at adoption didn’t apply to at least some segments of the high frequency trading industry.”

In its current state, the US equity market can be disrupted by a single server sending hundreds of thousands of orders per second via a hardware-accelerated system over extremely high-speed network connections. While the Market Access Rule is designed to ensure technology standards, it does not come close to the SCI proposal. We need more specificity in mandated standards, and Regulation SCI is an excellent start. It will prove to be far more effective if the scope is broadened to include any firm that has direct electronic market access, and therefore to supersede that part of the Market Access Rule. We cannot leave the health of our marketplace in the hands and judgment of participants – this has proven to be a disastrous approach thus far.

The same principle applies when determining whether there should be “significant-volume” thresholds to trigger whether Reg SCI applies to ECN’s and ATSs. The SEC has proposed that for SCI to apply, an ECN/ATS must meet a “significant-volume” threshold of 5% or more in a single NMS stock, or 0.25% across all NMS stocks, as measured in 4 of the preceding 6 months. SIFMA obviously has a strong opinion on this, and pushes back, stating: “Alternatively, we propose that the test for an SCI ATS trading NMS securities be whether the ATS was responsible for 5% or more of the volume in all NMS stocks during any 12-month period.”

First, SIFMA wants to increase the threshold so that it does not apply to any ATS or ECN. Not surprising. Further, neither the SEC nor SIFMA is able to say on what their arbitrary threshold is based. The SEC itself admits there is no “obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs.” I therefore urged in my comment letter that all ATSs and ECNs are subject to Regulation SCI, or at the very least that a threshold is chosen that covers 99% of all ATSs and ECNs, and that the threshold measurement period is shortened to weeks, rather than months.

While I believe that any ATS/ECN can have a substantial and outsized impact on markets, or provide a platform for poorly tested systems with direct market access to do so, I think there is another consideration here. Regulation SCI mandates proper standards and technology testing processes, and as such imposes a burden on venues. This burden is desirable!

We have gone too far in the wrong direction as a marketplace, emphasizing competition over any other considerations, such as stability. That has resulted in the extreme fragmentation we see now, and the complexity that firms must contend with on a daily basis. The market is a complex system that few understand, and it makes the job of the regulators nearly impossible. A regulatory mandate for minimum technology standards may drive some ATSs/ECNs out of business – maybe even some exchanges. I can’t imagine in the light of all the technology incidents over the past few years, and the fragility of our complex market, how this isn’t seen as a benefit.

The final question is whether Reg SCI should mandate specific standards for coding, testing, security and high-availability. I applaud the SEC’s effort here to try to delineate specific standards in these categories. They could certainly have spent more time researching and coming up with a more robust or expansive list of development methodologies. They could have realized that there are even some methodologies that combine testing and development, resulting in test-driven development. They could have included alternative security standards, such as the OSSTMM (Open Source Testing Methodology Manual) to which I am proud to have contributed to. But that should not detract from the spirit of this idea, which is to mandate basic, minimally acceptable standards in an industry that has been flying by the seat of its pants up until now. This is an area in which this Regulation will undoubtedly evolve, and I look forward to helping with that effort.

If you’re interested in some of the more philosophical issues at work here, I encourage you to read my comment letter. In it, I discuss some of the broad issues at work, specifically with regard to regulation in a complex environment, and some of the important ideas around Complexity Theory and Systems Theory.

The task the SEC has given itself is unfortunately Sisyphean. Not only is it trying to do something extremely difficult (reasonably regulate complex technology systems), but it is doing so in an extraordinarily hostile lobbying and litigation environment. In its comment letter, the NYSE questions whether the SEC even has the legal authority to pass anything approaching Reg SCI. That being said, I hope the SEC makes substantial improvements to this proposal, and pushes forward with it. Technological stability should be one of the primary goals for our markets, above and beyond any others. It is only through a robust, resilient technology infrastructure in which complexity is reduced as much as is reasonable that we can hope to continue to have the best markets in the world for the foreseeable future.