The Securities and Exchange Commission made findings and announced sanctions against the New York Stock Exchange on September 14, 2012 for violating Rule 603(a) of Regulation NMS, which requires exchanges to make market data for quotes and trades available on terms that are “fair and reasonable” and “not unreasonably discriminatory.” In essence, the Big Board - as it is allowed to do - provided trade data to individual clients in one data feed, and also provided market data to the public through a consolidated feed that aggregates market information originating on many different exchanges and market centers. Due to a technology error that was unknown to the NYSE, the private recipients were able to receive market data ahead of the general public. The proprietary feed was simply faster in distributing the information to its limited recipients than the consolidated tape was in furnishing data to the public.
The SEC's action is a rare case for the agency to bring versus a national marketplace. That said, the action against NYSE was brought and settled against a backdrop of several unrelated, but embarrassing and highly visible technology problems that cumulatively raise questions about the integrity and fairness of the stock markets. The "flash crash" of May 6, 2010, was a prelude to a succession of technology driven market failures. Nearly two years later, on March 23, 2012, the securities exchange BATS was attempting to go public on its own venue when its software malfunctioned, and the exchange felt it necessary to cancel its own IPO.
Nasdaq won a highly publicized beauty contest against the NYSE to secure the Facebook listing IPO. However, when trading in FB opened on May 18, 2012 Nasdaq experienced systems issues which prevented the immediate confirmation of executions that brokers and investors require. Nasdaq tried to fix the software problem without halting the Facebook market, but the exchange was not able to resolve the lapses in reporting trades, resulting in hundreds of millions of dollars of claimed losses by public investors and the exchange's own member firms.
Most recently, on August 1, 2012 Knight Capital, a major market maker and execution venue for many retail customer orders originating at a host of "discount" brokers, almost bankrupted itself by losing over $400 million in under an hour from a runaway trading algorithm.
There is no question that the NYSE committed an unknowing mistake without having any plan or thought to create a data stream that favored some investors over the interests of others. In sanctioning NYSE, however, the SEC seems to be announcing that it is looking beyond the intent of the market actor, and taking a closer look at the plans, procedures and structural checks and balances that are in place to prevent an unintended technology event from happening.
With the NYSE action it is fairly plain to see an end to the agency accepting "good faith" technology errors that affect the public's perception of whether the markets are fair and properly regulated. In its findings, the SEC establishes clear guidelines for the processes that market centers, and perhaps important market participants as well, will need to follow in order to remain in compliance with the securities laws.
The SEC sets out a three-pronged test to determine whether an exchange is in compliance with its duties under Rule 603(a) of Regulation NMS. Beyond that specific rule, however, it seems entirely reasonable to foresee that this same three-pronged test will also be applied in other situations, and against other market participants, where malfunctioning technology could have a profound affect on market integrity:
1. First, firms need to have in place processes and procedures for the internal review of system architecture and performance through an audit function that is independent of the technologists and business development staff. The SEC was critical that "NYSE’s compliance department played no role in the design, implementation, or operation of the systems."
2. Second, firms need to have in place written policies and procedures to periodically test systems that can have a market impact to assure they function properly. The SEC found fault that "NYSE also did not systematically monitor its data feeds to ensure they complied with Rule 603, and had no written policies and procedures concerning the rule;" and
3. Third, firms must document system performance. The SEC complained that "NYSE failed to retain computer files that contained information about NYSE’s transmission of market data."
As noted, the action against the NYSE does not read like a discreet and isolated set of concerns expressed by a regulator only to a single respondent. Instead, the NYSE case creates a foundation for the SEC to heighten its inspection and enforcement attention over the implementation and management of technology risk controls by exchanges, brokers, high frequency traders and other industry registrants.
In the newly published October 2012 Chicago Fed Letter, the Federal Reserve Bank of Chicago asks the question "how to keep markets safe in a highly technological environment." In researching the answer, the Bank found a wide disparity in risk controls among many different organizations involved in the life cycle of securities trading. "Chicago Fed staff also found that out-of control algorithms were more common than anticipated prior to the study and that there were no clear patterns as to their cause."
The NYSE action signals the serious regulatory focus that the SEC will now be placing on the industry's ability to control the risk of harm when technology is introduced to the markets without independent testing, protocols to insure market safety, and the full documentation that systems meet technological best practices. The Chicago Fed study will only serve to heighten the public and political interest, and unease, in the issue as well. Firms need to take note and, if they have not already done so, implement a meaningful compliance plan to avoid not only the spotlight that comes with a technology driven event, but the regulatory investigation and action that promises to follow.