How regulators should oversee software

The CFTC and other regulators should carefully evaluate proposals to automate financial transactions.

Crypto firm FTX recently applied to the Commodity Futures Trading Commission (CFTC) for permission to clear margin products for retail investors on a “no middleman” basis. The proposal is complicated and raises many concerns about investor protection and financial stability, but FTX’s proposal also raises a more fundamental question that is of growing relevance to regulators around the world.

How should regulators oversee software that runs automated systems?

Software has long been part of the business models of many industries, but critical regulated activities can now be conducted without human intervention. As courts try to figure out how to apportion responsibility for automated decisions with humans increasingly “out of the loop,” regulators must contend with a new reality about their role: instead of just supervising humans, they are increasingly supervising software.

To provide a little more context, the CFTC oversees the derivatives trading and clearing process. The more analog version of derivatives clearing – the version the CFTC is used to monitoring – manages risk by having layers of intermediaries that each perform a risk management function. Brokers sit between investors and a clearinghouse, and brokers and the clearinghouse regularly assess the collateral needed to back trading positions, asking for more margin if necessary.

The human relations involved allow a certain exercise of discretion. In March 2020, for example, Citi reportedly suffered a technical glitch that prevented it from clearing the necessary margin in time, but the ICE clearinghouse granted some grace and refrained from liquidating Citi’s position.

The recent FTX proposal would deviate from this model, eliminating brokers with their discretionary margin calls and replacing them with software. The software would assess margin requirements every second of every day based on its real-time interpretation of market events. Without exercising discretion or grace, the software would quickly liquidate any investor who was not in compliance, regardless of the consequences for the individual investor or for the financial markets in general.

If the proposal is approved, much will depend on FTX’s software. The software will need to perform the functions that FTX has advertised, and the software must also meet minimum standards for reliability and cybersecurity.

But who will set the minimum standards and who will monitor compliance? Who will verify that the software code as written corresponds to the proposal? Like many industry regulators, the CFTC does not have a large number of software engineers on its staff. So what’s an agency to do?

Sometimes it will be appropriate for regulators to simply say “no” to automation. Due to the complexity of software code, an automated system can never be foolproof. And if automation makes an activity only marginally more efficient than the non-automated alternative, then the benefits are not worth the risks and the regulator should insist on requiring a “human in the loop”.

However, if automation is deemed desirable, a multi-pronged approach is required. If the automated system constitutes critical financial infrastructure, the software concerned must be designed in accordance with good practice standards for software used in security-critical environments such as aviation and nuclear power plants. Although the damage that financial companies can cause is sometimes downplayed as being “only” financial or economic, the economic damage can be severe and even result in physical harm. Just consider, for example, the suicide hotlines posted on crypto subreddits because crypto assets failed.

Software used to automate the financial infrastructure should therefore be considered security-critical. Decisions made throughout the programming process, such as which code libraries to use or which diagnostic tests to run, must follow much stricter standards than equivalent decisions made in the development of software subject to less review, such as a social media application.

Unfortunately, the CFTC, like many regulatory agencies, does not currently have the ability to assess compliance with these kinds of standards, or even verify whether regulated companies are misrepresenting what their software does. Regulators can and should try to build their internal technology capacity by hiring more software engineers, but competition for such personnel can be fierce and government salaries are rarely competitive.

Ideally, the US Congress would increase agency budgets in line with the increase in resources needed to oversee automated systems. But it may be more realistic to concentrate this expertise in “hub” agencies. The US Treasury Department’s Office of Financial Research, for example, could serve as an interdisciplinary center of expertise for financial regulators. Alternatively, Congress could resurrect the US Office of Technology Assessment to serve as a more general government center.

Until such software oversight expertise is developed within government, allowing a regulated entity to fully automate a critical activity will necessarily involve the regulator giving up some authority over that activity.

To be clear, even with the necessary expertise, there will be limits to what software standards can achieve. Strict standards are necessary to help minimize programming errors, but the complexity of the software ensures that it will always be vulnerable to “normal crashes”.

Because something will inevitably go wrong with complex software, it is essential that regulators also require a combination of redundancies, frictions, inefficiencies and backstops so that the public is not entirely dependent on the automated system operating as intended. Just as pilots need to be able to turn off the autopilot and take control of an airplane, financial regulators need circuit breakers and other tools to be able to stop automated trading.

The backstop offered by FTX is a $250 million guarantee fund that will be available to absorb losses if needed. It may be impossible to determine with certainty whether this amount will be sufficient to protect the clearing house from insolvency, given the difficulties in valuing crypto assets and assessing the associated risks. But even assuming $250 million is enough, the guarantee fund will do nothing to protect individual investors who are wrongfully liquidated as a result of a software error. It will also do nothing to address the systemic risks that could arise if market-wide asset prices were affected by a technological glitch that forces a massive liquidation of FTX positions, such as in a “flash crash”.

As the CFTC evaluates FTX’s proposal, the agency must consider other measures that compensate for both its limited ability to assess the quality of FTX’s technological plumbing and the inevitable malfunctions of even the highest quality software. The same is true for other regulators who plan to oversee other software-automated systems.

Hilary J. Allen is a professor of law at the American University Washington College of Law.
