In a recent speech, CFTC Commissioner Sharon Bowen offered suggestions for how her agency can address concerns related to algorithmic trading and cybersecurity. In the face of rapid change, Bowen argued that more action is needed because “the stakes of not acting are so high.” She suggested that “[i]n today’s automated, integrated financial networks, damage from errors and infections travels instantaneously.” Bowen recounted the rise of electronic trading in markets under the supervision of the CFTC and cited estimates that “for the most liquid U.S. futures contracts which account for over 75% of total trading volume, more than 90 percent of all trades make use of algorithms or some other form of automation.”
As a first step, she suggested that algorithmic and high frequency trading be defined. She argued that no widely-accepted definitions exist and that providing precise definitions would aid in measuring the effect of the activities on the markets. Bowen herself sees “high frequency trading as a subset of algorithmic trading, and algorithmic trading as a subset of automated trading.”
Despite the lack of clear definitions, Bowen noted “what is clear is trades involving algorithms make up a substantial portion of our markets, and algorithms can and do malfunction at times, with negative effects on the markets.” As a result, she believes it “prudent” to consider regulating the activity. Bowen does not believe that algorithmic trading should be banned or limited in speed, but rather that “we can and should set some reasonable ground rules on the entities using this trading strategy.” She suggested that algorithmic traders should take steps to prevent malfunctions and easily shut down their algorithms in the case that a malfunction does occur. She compared these steps to manual traders understanding their obligations under the Commodity Exchange Act (CEA) before trading futures and not manipulating markets.
Bowen argued that algorithmic traders should set robust pre-trade risk controls with redundant notifications and be required to either know the CEA obligations or work with someone who does. She also suggested that rules should encourage communication between traders and compliance and regulatory staff in order to mitigate the potential impacts of a malfunction. She noted that compliance staff should understand the risks of algorithmic trading and ideally “would even know something about crafting algorithms.”
She suggested that exchanges should publish additional information regarding their market maker programs and exchanges that allow algorithmic trading should disclose the percentage of “self-trades,” or “trades that occur between two entities that are either commonly controlled or for the common benefit of the same entities.” Bowen argued that “the exchanges shouldn’t pay people to trade with themselves. We want market makers to provide real liquidity, and trades with and between me, myself, and I represent phantom liquidity at best.”
Turning to cybersecurity, she suggested that an “aggressive rapid response” alone is insufficient, and instead “we need both multi-layered defenses at each major firm and coordination between stakeholders and regulators before, during, and after attacks.” She argued that regulators should require companies to “create processes in advance for building and testing their cybersecurity systems and a clearer process for sharing information about cybersecurity threats with regulators.” She suggested that the CFTC should require each registrant to designate an employee a Cybersecurity Expert or Chief Information Security Officer to serve as a primary point of contact. Second, the CFTC should require regular confidential reporting regarding a registrant’s cybersecurity program so that the CFTC could assess progress on an industry-wide basis. She suggested that CFTC rules also should require registrants to promptly report any material cybersecurity event. Lastly, Bowen argued that the CFTC should require an independent cybersecurity audit or annual independent penetration testing of a registrant’s systems.