Regulation Automated Trading, 85334-85399 [2016-27250]

Download as PDF 85334 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules COMMODITY FUTURES TRADING COMMISSION 17 CFR Parts 1, 38, 40, and 170 RIN 3038–AD52 Regulation Automated Trading Commodity Futures Trading Commission. ACTION: Supplemental notice of proposed rulemaking. AGENCY: On December 17, 2015, the Commodity Futures Trading Commission (‘‘CFTC’’ or ‘‘Commission’’) published in the Federal Register a notice of proposed rulemaking (‘‘NPRM’’) proposing a series of risk controls, transparency measures, and other safeguards to enhance the safety and soundness of automated trading on all designated contract markets (‘‘DCMs’’) (collectively, ‘‘Regulation Automated Trading’’ or ‘‘Regulation AT’’). Through this supplemental notice of proposed rulemaking for Regulation AT (‘‘Supplemental NPRM’’), the Commission is proposing to modify certain rules set forth in the NPRM. Any new or amended rules proposed in this Supplemental NPRM reflect only those areas where the Commission believes that additional notice and comment may be appropriate before enacting final rules. Procedurally, this Supplemental NPRM is not a replacement or withdrawal of rules proposed in the NPRM. Unless specifically amended herein, all regulatory text proposed in the NPRM remains under active consideration for adoption as final rules. The Commission welcomes public comment on all aspects of the Supplemental NPRM. DATES: Comments must be received on or before January 24, 2017. ADDRESSES: You may submit comments, identified by RIN 3038–AD52, by any of the following methods: • CFTC Web site: https:// comments.cftc.gov. Follow the instructions for submitting comments through the Comments Online process on the Web site. • Mail: Send to Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW., Washington, DC 20581. • Hand Delivery/Courier: Same as Mail, above. • Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions for submitting comments. Please submit comments by only one method. All comments should be asabaliauskas on DSK3SPTVN1PROD with PROPOSALS SUMMARY: VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 submitted in English or accompanied by an English translation. Comments will be posted as received to https:// www.cftc.gov. You should submit only information that you wish to make available publicly. If you wish the Commission to consider information that may be exempt from disclosure under the Freedom of Information Act (‘‘FOIA’’), a petition for confidential treatment of the exempt information may be submitted according to the procedures established in 17 CFR 145.9. The Commission reserves the right, but shall have no obligation, to review, prescreen, filter, redact, refuse, or remove any or all of your submission from https://www.cftc.gov that it may deem to be inappropriate for publication, such as obscene language. All submissions that have been so treated that contain comments on the merits of the rulemaking will be retained in the public comment file and will be considered as required under the Administrative Procedure Act and other applicable laws, and may be accessible under FOIA. FOR FURTHER INFORMATION CONTACT: Sebastian Pujol Schott, Associate Director, Division of Market Oversight, sps@cftc.gov or 202–418–5641; Marilee Dahlman, Special Counsel, Division of Market Oversight, mdahlman@cftc.gov or 202–418–5264; Joseph Otchin, Special Counsel, Division of Market Oversight, jotchin@cftc.gov or 202–418– 5623; Andrew Ridenour, Special Counsel, Division of Market Oversight, aridenour@cftc.gov or 202–418–5438; Brian Robinson, Special Counsel, Division of Market Oversight, brobinson@CFTC.gov or 202–418–5385; Michael Penick, Economist, Office of the Chief Economist, mpenick@cftc.gov or 202–418–5279; Richard Haynes, Economist, Office of the Chief Economist, rhaynes@cftc.gov or 202– 418–5063; Carlin Metzger, Trial Attorney, Division of Enforcement, cmetzger@cftc.gov or 312–596–0536; or John Dunfee, Assistant General Counsel, Office of General Counsel, jdunfee@ cftc.gov or 202–418–5396. SUPPLEMENTARY INFORMATION: Table of Contents I. Introduction: The NPRM and Supplemental NPRM for Regulation AT A. Basic Structure of Regulation AT: The NPRM and the Supplemental NPRM B. Opportunities for Public Comment on NPRM Proposals During Two Public Comment Periods and Public Staff Roundtable C. Overview of Comments Received II. AT Person Status and Requirements for AT Persons A. Overview and Policy Rationale for New Proposal PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 B. NPRM Proposal and Comments C. Substance of New Proposal 1. Volume Threshold Test for AT Persons 2. Registration as a Floor Trader 3. Anti-Evasion 4. Registration for Membership With a Registered Futures Association D. Commission Questions III. Proposed Definition of DEA A. Overview and Policy Rationale for New Proposal B. NPRM Proposal and Comments C. Substance of New Proposal D. Commission Questions IV. Algorithmic Trading Source Code Retention and Inspection Requirements A. Overview and Policy Rationale for New Proposal B. NPRM Proposal and Comments C. Substance of New Proposal D. Commission Questions V. Testing, Monitoring and Recordkeeping Requirements in the Context of ThirdParty Providers A. Overview and Policy Rationale for New Proposal B. NPRM Proposal and Comments C. Substance of New Proposal D. Commission Questions VI. Changes to Overall Risk Control Framework A. Change From Three Level to Two Level Risk Control Framework 1. Overview and Policy Rationale for Proposal 2. NPRM Proposal and Comments 3. Substance of New Proposal 4. Commission Questions B. Electronic Trading at the AT Person, FCM, and DCM Levels 1. Overview and Policy Rationale for New Proposal 2. NPRM Proposal and Comments 3. Substance of New Proposal 4. Commission Questions C. New and Revised Definitions; Change from ‘‘Clearing Member’’ to ‘‘Executing’’ FCMs 1. Overview and Policy Rationale for New Proposal 2. NPRM Proposal and Comments 3. Substance of New Proposal 4. Commission Questions D. AT Person Delegation to FCM 1. Overview and Policy Rationale for New Proposal 2. NPRM Proposal and Comments 3. Substance of New Proposal 4. Commission Questions VII. Reporting and Recordkeeping Obligations A. Overview and Policy Rationale for New Proposal B. NPRM Proposal and Comments C. Substance of New Proposal D. Commission Questions VIII. Additional Changes to NPRM Proposed Rules Under Consideration A. Commission Questions IX. Related Matters A. Cost-Benefit Considerations 1. The Statutory Requirement for the Commission To Consider the Costs and Benefits of Its Actions 2. Comments Regarding Costs and Benefits of Regulation AT E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 3. The Commission’s Cost-Benefit Consideration of Regulation AT— Baseline Point 4. The Commission’s Cost-Benefit Consideration of Regulation AT—CrossBorder Effects 5. Introduction: The NPRM and Supplemental NPRM for Regulation AT 6. Proposed New Definitions and Changes to NPRM Proposed Definitions 7. Requirements for AT Persons 8. Source Code Retention and Inspection Requirements 9. Testing, Monitoring and Recordkeeping Requirements in the Context of ThirdParty Providers 10. Changes to Overall Risk Control Framework 11. Reporting, Testing and Recordkeeping Requirements 12. Section 15(a) Factors B. Regulatory Flexibility Act 1. A Description, and, Where Feasible, an Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply. 2. A Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rules, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirements and the Type of Professional Skills Necessary for Preparation of the Report or Record. C. Paperwork Reduction Act 1. § 1.3(x)(1)(iii)—Submissions by Newly Registered Floor Traders 2. § 1.80(d) Pre-Trade Risk Controls for AT Persons—Delegation 3. § 1.83(a)—AT Person Retention and Production of Books and Records 4. § 1.83(b)—Executing FCM Retention and Production of Books and Records 5. § 1.84—Retention, Production and Confidentiality of Algorithmic Trading Records 6. § 1.85—Third-Party Algorithmic Trading Systems or Components 7. § 38.255(c) Risk Controls for Trading— FCM Certification to DCM 8. § 40.22(a)–(c)—Compliance With DCM Reviews 9. § 40.22(d) Certification Requirement 10. Commission Questions I. Introduction: The NPRM and Supplemental NPRM for Regulation AT Regulation Automated Trading is a comprehensive Commission effort to reduce risk and increase transparency in algorithmic order origination and electronic trade execution on all U.S. futures exchanges. The proposed rules, both in the NPRM and the Supplemental NPRM, modernize the Commission’s regulatory regime, promote the safety and soundness of trading on all contract markets, and seek to keep pace with evolving technologies. This Supplemental NPRM builds on the Commission’s December 2015 NPRM for Regulation AT,1 and is a continuation of 1 Regulation Automated Trading, Proposed Rule, 80 FR 78824 (Dec. 17, 2015) (hereinafter ‘‘NPRM’’). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 the underlying policies and objectives reflected therein. The Supplemental NPRM responds to persuasive public comments to help ensure appropriate final rules for Regulation AT.2 Procedurally, the Supplemental NPRM is a continuation of the NPRM. All rules in the NPRM remain under 2 Sections I–III of the NPRM provided a fulsome discussion of the policy considerations, market events, existing best practices, and procedural history that informed the Commission’s development of Regulation AT. The Commission explained that ‘‘the basic structure of [open-outcry trading] remained constant for decades, and produced a parallel regulatory framework also premised on natural persons and human decisionmaking speeds.’’ See NPRM at 78825. It contrasted now-obsolete manual processes against the ‘‘wide array of electronic systems for the generation, transmission, management, and execution of orders’’ used today by DCMs and DCM market participants, including high-speed communication networks to confirm transactions, communicate market data, and link markets and market participants. See id. The Commission provided information indicating that over 95% of all on-exchange futures trading was electronic by 2014, with many exchanges having closed their open-outcry trading pits well before then. It also indicated that by 2014, ATSs were present on at least one side of almost 80% of trading volume in some asset classes. The Commission noted that ‘‘[t]he largely complete transition of DCMs to electronic trade matching platforms has occurred alongside an equally important shift in the technologies used by market participants to place and manage orders.’’ These include ATSs, high-speed communication networks, and the use of direct access and colocation services to ‘‘minimize latencies between ATS, market data systems, and DCMs’ electronic trading platform[s].’’ See NPRM at 78826. The Commission explained that ‘‘an overarching goal’’ of Regulation AT is to update its rules in response to the evolution from pit to electronic trading, including by focusing on ‘‘algorithmic order origination or routing by market participants, and electronic trade execution by DCMs.’’ It also observed that ‘‘[m]arket participants using automated trading include an important population of proprietary traders that, while responsible for significant volume and liquidity in key futures products, are not registered with the Commission.’’ The Commission emphasized that Regulation AT is focused on the ‘‘automation of order generation, transmission, and execution, and the risks that may arise from such activity.’’ It identified ‘‘appropriate pre-trade and other risk controls’’ as an important element in ‘‘ensur[ing] the integrity of Commissionregulated markets’’ and fostering market participants’ confidence in the transactions being executed. See NPRM at 78827–78828. The Commission also summarized the broad array of resources that it consulted in preparing the NPRM for Regulation AT, including ‘‘industry practices, measures taken by other U.S. and foreign regulators, and best practices or guidance set forth by other informed parties.’’ It noted the ‘‘emerging consensus around pre-trade risk controls for automated trading and supervision standards for ATSs.’’ Finally, the Commission emphasized that ‘‘Regulation AT attempts to balance flexibility in a rapidly changing technological landscape with the need for a regulatory baseline that provides a robust and sufficiently clear standard for pre-trade risk controls, supervision standards, and other safeguards for automated trading environments.’’ See NPRM at 78828. This Supplemental NPRM continues to build on the policy determinations and regulatory objectives set forth in the NPRM for Regulation AT. PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 85335 consideration as originally proposed unless specifically modified in the proposed rule text in this Supplemental NPRM.3 Accordingly, this Supplemental NPRM begins with an overview of Regulation AT across the NPRM and the Supplemental NPRM (Section I(A)). It continues with a summary of the opportunities for public comment provided by the Commission (Section I(B)), and an overview of the comments received (Section I(C)). Sections II through VII discuss specific proposed rules in the Supplemental NPRM that add to, remove, or otherwise amend the Commission’s original proposals in the NPRM. Sections II through VII also provide a summary of the comments and policy considerations that led to the Commission’s new or amended proposals. Section VIII provides preamble discussion and seeks comment regarding additional areas where the Commission’s final rules for Regulation AT may amend the NPRM. However, such potential amendments are not included as proposed regulatory text in this Supplemental NPRM. The Commission believes that the further amendments under consideration do not impact new parties, create new obligations, or otherwise increase burdens. Section IX includes the Commission’s Paperwork Reduction Act, Regulatory Flexibility Act, and Cost-Benefit discussions for the regulatory text proposed herein. Finally, the Commission presents the proposed new or modified regulatory text following the end of the preamble. Any sections or paragraphs marked as ‘‘Reserved’’ are not addressed in this Supplemental NPRM. The provisions proposed for such sections or paragraphs in the NPRM are unchanged from that document and remain under active consideration by the Commission. (Note, however, that proposed reserved § 1.3(aaaaa) is not the subject of either this Supplemental NPRM or the NPRM. That definitions paragraph is the subject of another pending unrelated Commission rulemaking proposal.) Please note also that the provisions proposed in the NPRM for §§ 38.401 and 40.1(i), and for Appendix B to part 38, are not shown as reserved in this Supplemental NPRM for technical reasons. Nonetheless, the provisions proposed in the NPRM for those two sections and that appendix are unchanged and remain under active consideration by the Commission. 3 The Commission’s new proposed regulatory text is presented in this document following the end of the preamble. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85336 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules A. Basic Structure of Regulation AT: The NPRM and the Supplemental NPRM The basic structure of Regulation Automated Trading is set forth in the NPRM, and remains largely intact. However, through this Supplemental NPRM, the Commission is proposing certain changes to Regulation AT to address comments received in response to the NPRM and during a day-long staff roundtable on Regulation AT held in June 2016. This Section I(A) provides an overview of Regulation AT by summarizing several of the principal changes that the Supplemental NPRM proposes to make to the NPRM. First, Regulation AT would require pre-trade risk controls and other measures for the Algorithmic Trading of AT Person customers in order to promote the continued safety and soundness of Commission-regulated markets. In the NPRM, the Commission proposed placing such risk controls at three levels: The AT Person, the FCM and the DCM. Many commenters asserted that a three-layer structure could be redundant and costly, and some indicated that a two-level structure would be preferable. After careful consideration, the Commission is proposing to move Regulation AT from a three-level risk control structure to a modified two-level structure, with risk controls set at the levels of (1) the AT Person 4 or its FCM; and (2) the DCM. Under the two-level structure proposed in the Supplemental NPRM, an AT Person would have the option of delegating its pre-trade risk control requirements to an FCM rather than implementing its own controls. Second, the NPRM proposed requiring risk controls only with respect to the Algorithmic Trading of AT Persons. In contrast, the Supplemental NPRM addresses not only Algorithmic Trading, but also Electronic Trading at the AT Person, FCM, and DCM levels. The Commission’s amended proposal is consistent with comments stating that all electronic trading—not just the narrower set of Algorithmic Trading— should pass through pre-trade risk controls. Third, in the NPRM, the Commission proposed requiring that pre-trade risk controls be set at the level of each AT Person or market participant, or other 4 ‘‘AT Person’’ is defined in proposed § 1.3(xxxx) of the NPRM, and includes existing Commission registrants engaged in ‘‘Algorithmic Trading’’ on a DCM, as well as market participants required to register as floor traders pursuant to proposed § 1.3(x)(3) of the NPRM. Algorithmic Trading is defined in proposed § 1.3(zzzz) of the NPRM. Electronic Trading is defined in Supplemental NPRM in proposed § 1.3(ddddd). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 more granular levels as the AT Person, FCM or DCM determined appropriate. The Supplemental NPRM responds to comments that it may not be efficient or possible for DCMs and FCMs to set controls at the level of individual market participants. Accordingly, in the Supplemental NPRM, the Commission revises the risk control provisions to provide AT Persons, FCMs and DCMs greater flexibility regarding the level at which pre-trade controls must be set. Fourth, Regulation AT would require the registration of certain market participants who are not already registered with the Commission. Such market participants would be required to register as ‘‘floor traders,’’ as defined in the Supplemental NPRM in proposed § 1.3(x)(1)(iii) (‘‘New Floor Traders’’), and would also be required to become members of a registered futures association (‘‘RFA’’). Together with certain existing registrants, New Floor Traders would be considered AT Persons and be subject to all relevant requirements of Regulation AT. Pursuant to the NPRM, the proposed registration criteria for New Floor Traders 5 were that such persons be engaged in (1) proprietary, (2) Algorithmic Trading (3) through Direct Electronic Access (‘‘DEA’’) on a DCM. The Supplemental NPRM retains these requirements but also incorporates a volume-based quantitative test for registration as a New Floor Trader. This amendment responds to concerns that the NPRM would have imposed registration and its consequent obligations on too large a population of market participants. The Commission also proposes to apply this same volume-based quantitative test to existing registrants and persons otherwise required to register with the Commission to determine whether they are AT Persons.6 The Commission estimates that its proposed volume-based criteria would result in approximately 120 AT Persons, including some of who are already registered with the Commission in some capacity. This stands in contrast to some commenters’ estimates that the NPRM could have required thousands of 5 For purposes of this Supplemental NPRM, registrants under Supplemental proposed § 1.3(x)(1)(iii) are deemed ‘‘New Floor Traders.’’ 6 To be considered AT Persons, existing registrants and persons otherwise required to register with the Commission must be engaged in Algorithmic Trading on our subject to the rules of a DCM. Unlike for New Floor Traders, however, direct electronic access is not a relevant consideration for existing registrants and persons otherwise required to register with the Commission (e.g., FCMs, floor brokers, swap dealers, major swap participants, commodity pool operators, commodity trading advisors, and introducing brokers). PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 persons to register. While any volumebased metric has limitations, the Commission believes that this is the best way to focus the registration-related obligations on the appropriate class of persons. This approach, coupled with other changes in the Supplemental NPRM regarding the obligations of AT Persons as discussed below, also addresses many of the concerns expressed about the NPRM registration requirement. Fifth, in the NPRM, the Commission proposed requiring that AT Persons provide the DCMs on which they operate with annual reports containing information on the AT Persons’ compliance with requirements concerning risk controls. The NPRM further would have required DCMs to establish a program for effective review and evaluation of the reports. The Commission received comments that the proposed reporting requirements were overly burdensome and would provide little benefit in mitigating the risks of Algorithmic Trading. In the Supplemental NPRM, the Commission proposes replacing the annual compliance report requirement for AT Persons with a streamlined annual certification requirement. The Commission also proposes to retain certain recordkeeping requirements, as well as the requirement that DCMs establish a program for effective periodic review and evaluation of AT Persons’ compliance with elements of Regulation AT. Similarly, the NPRM imposed annual reporting requirements on FCMs and required DCMs to review these reports. The Supplemental NPRM also replaces the annual reporting obligations for FCMs with a certification requirement, and also retains the requirement that FCMs maintain certain records. As with AT Persons, the Supplemental NPRM requires DCMs to establish a program for effective periodic review and evaluation of FCMs’ compliance with Regulation AT. Sixth, Regulation AT requires that algorithmic trading source code be preserved and made available to the Commission when necessary.7 The NPRM required that AT Persons maintain a ‘‘source code repository’’ and make it available for inspection in accordance with the Commission’s general recordkeeping requirements. These provisions provoked extensive 7 ‘‘Algorithmic Trading Source Code’’ is defined in Supplemental proposed § 1.3(ccccc). The Commission notes that source code was not defined in the NPRM. In this Supplemental NPRM, the Commission uses ‘‘source code’’ in connection with its proposal in the NPRM, and uses the term ‘‘Algorithmic Trading Source Code’’ when referring to Supplemental proposed § 1.3(ccccc). E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS comments. Notably, commenters may have misunderstood the Commission’s intent, which was never to require that all source code to be provided routinely to a Commission or third-party repository. The Supplemental NPRM acknowledges the concerns regarding the confidentiality and proprietary value of Algorithmic Trading Source Code and revises these provisions extensively. While Algorithmic Trading Source Code and related records are still required to be preserved, they are not subject to the Commission’s general recordkeeping provisions. Instead, preservation and access obligations are set forth in new provisions in the Supplemental NPRM that reflect market participants’ concerns. The Supplemental NPRM provides that the Commission would have access to Algorithmic Trading Source Code and related records only via a subpoena or a special call approved by the Commission itself, not by staff, and that any such access would be subject to policies and procedures to protect confidentiality. Seventh, the Supplemental NPRM discusses a number of changes to certain defined terms proposed in the NPRM, as well as other provisions that the Commission is considering in response to comments from market participants. These include limiting the scope of ‘‘Algorithmic Trading Compliance Issue,’’ ‘‘Algorithmic Trading Disruption,’’ and ‘‘Algorithmic Trading Event.’’ Eighth, Regulation AT includes a number of additional rules focused specifically on DCMs. As reflected in the NPRM, these proposals include: (1) Greater transparency around DCMs’ electronic trade matching platforms and (2) promoting the use of self-trade prevention tools.8 The Commission is 8 The NPRM proposed amendments to existing § 38.255, to require DCMs to have in place systems reasonably designed to facilitate the FCM’s management of the risks that may arise from their customers’ Algorithmic Trading using DEA. Regulation AT would also amend existing § 38.401(a) to require DCMs to provide additional public disclosure regarding their electronic matching platforms. In part 40, the NPRM proposed the following new regulations: § 40.20—requiring DCMs to implement pre-trade risk controls and other related measures; § 40.21—requiring DCMs to provide a test environment to AT Persons; § 40.22— requiring DCMs to implement a review program for compliance reports regarding Algorithmic Trading submitted by AT Persons and clearing member FCMs, require that certain books and records be maintained by such persons, and review such books and records as necessary; § 40.23—requiring DCMs to implement self-trade prevention tools, mandate their use, and publish statistics concerning selftrading; and §§ 40.25–40.28—requiring DCMs to provide disclosure and implement other controls regarding their market maker and trading incentive programs. Regulation AT would amend the VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 contemplating deferring further consideration of such provisions to a second phase of rules to be finalized at a later date. The Commission seeks comments regarding deferral of these two provisions to a later date. Finally, specific regulatory provisions addressed in the Supplemental NPRM include a number of new or revised defined terms, such as revised § 1.3(x)— Floor trader; revised § 1.3(wwww)—AT Order Message; revised § 1.3(xxxx)—AT Person; revised § 1.3(yyyy)—Direct Electronic Access; new § 1.3(ddddd)— Electronic Trading; new § 1.3(bbbbb)— Electronic Trading Order Message; and new § 1.3(ccccc)—Algorithmic Trading Source Code. Other new or revised regulatory provisions include: (1) New § 1.80(d)—Delegation of pre-trade risk controls by AT Persons; (2) new § 1.80(g) —AT Persons’ pre-trade risk controls for Electronic Trading; (3) revised § 1.81—Standards for the development, monitoring, and compliance of Algorithmic Trading systems; (4) revised § 1.82—FCM pretrade risk controls and other related measures for orders from their AT Person customers; (5) revised § 1.83— AT Person and executing FCM recordkeeping; (6) new § 1.84— Maintenance of Algorithmic Trading Source Code and related records; (7) new § 1.85—Use of third-party Algorithmic Trading systems or components; 9 (8) revised §§ 38.255 and 40.20—Risk controls for trading; (9) revised § 40.22—DCM requirements for AT Persons and executing FCMs, and DCM review program; and (10) revised § 170.18—AT Person registration for membership in at least one ‘‘RFA’’. This Supplemental NPRM modifies some, but not all, of the NPRM. Where this Supplemental NPRM proposes rule text in full, such text replaces what was proposed in the NPRM. With the exceptions noted in this paragraph, where this Supplemental NPRM reserves a section or paragraph for which provisions were proposed in the NPRM, the previously proposed provisions of such section or paragraph remain unchanged from the NPRM and continue to be under active consideration by the Commission. For technical reasons, §§ 38.401 and 40.1(i), and Appendix B to part 38, are not shown as reserved in this Supplemental NPRM; however, the amended provisions proposed for those sections definition of ‘‘rule’’ in § 40.1(i) in response to certain of the changes proposed above. 9 Including, for example, options for complying with elements of NPRM § 1.81—‘‘Standards for the development, monitoring, and compliance of Algorithmic Trading systems.’’ See Section V below. PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 85337 and that appendix in the NPRM also remain unchanged and under active consideration. (Please note that proposed reserved § 1.3(aaaaa) is not the subject of either this Supplemental NPRM or the NPRM. That definitions paragraph is the subject of another pending unrelated Commission rulemaking proposal.) B. Opportunities for Public Comment on NPRM Proposals During Two Public Comment Periods and Public Staff Roundtable In response to the NPRM, the Commission received 54 comment letters from an array of market participants, exchanges, industry trade associations, public interest organizations, and others.10 During the initial comment period, Commission staff also met in person and via telephone with interested parties who requested meetings. Market participants and other interested parties were also provided extensive opportunities to comment on the Commission’s 2013 Concept Release on Risk Controls and 10 During the 90-day comment period following the Commission’s issuance of the NPRM, the Commission received comment letters from: Aesthetic Integration Ltd. (‘‘AI’’); Allen, Theo (‘‘Allen’’); Alternative Investment Management Association (‘‘AIMA’’); American Gas Association (‘‘AGA’’); Americans for Financial Reform (‘‘AFR’’); Anonymous (non-responsive comment); Asset Management Group of the Securities Industry and Financial Markets Association (‘‘SIFMA’’); National Introducing Broker Association (‘‘NIBA’’); Barnard, Chris (‘‘Barnard’’); Better Markets Inc. (‘‘Better Markets’’); Bloomberg Tradebook LLC (‘‘Bloomberg’’); CBOE Futures Exchange, LLC (‘‘CBOE’’); Citadel LLC (‘‘Citadel’’); CME Group Inc. (‘‘CME’’); Commercial Energy Working Group and Commodity Markets Council (collectively, the ‘‘Commercial Alliance’’); Committee on Capital Markets Regulation (‘‘CCMR’’); Cordova, Alex (‘‘Cordova’’); CTC Trading Group, L.L.C. (‘‘CTC’’); Futures Industry Association (‘‘FIA’’); Hudson River Trading LLC (‘‘Hudson Trading’’); Information Technology Industry Council and U.S. Chamber of Commerce (‘‘ITI and Commerce’’); Institute for Agriculture and Trade Policy (‘‘IATP’’); Intercontinental Exchange, Inc. (‘‘ICE’’); International Energy Credit Association (‘‘IECA’’); International Swaps and Derivatives Association, Inc. (‘‘ISDA’’); Investment Adviser Association (‘‘IAA’’); LCHF Capital Management, Inc. (‘‘LCHF’’); Lelli, Carmen (‘‘Lelli’’); Leuchtkafer, RT (‘‘Leuchtkafer’’); Managed Funds Association (‘‘MFA’’); Mercatus Center at George Mason University (‘‘Mercatus’’); Minneapolis Grain Exchange, Inc. (‘‘MGEX’’); Modern Markets Initiative (‘‘MMI’’); NASDAQ Futures, Inc. (‘‘NASDAQ’’); National Grain and Feed Association (‘‘NGFA’’); Nodal Exchange, LLC (‘‘Nodal’’); North American Derivatives Exchange, Inc. (‘‘Nadex’’); Olam International Limited (‘‘Olam’’); OneChicago, LLC (‘‘OneChicago’’); Quantitative Investment Management, LLC (‘‘QIM’’); Schwartz, Peter (‘‘Schwartz’’); Shatto, Suzanne (‘‘Shatto’’); Summers, Neil (‘‘Summers’’); TraderServe Limited (‘‘TraderServe’’); Trading Technologies International, Inc. (‘‘TT’’); trueEX LLC (‘‘trueEX’’); Two Sigma Investments, LP (‘‘Two Sigma’’); Virtu Financial, Inc. (‘‘Virtu’’); Weaver, Jack (‘‘Weaver’’); and XTX Markets Limited (‘‘XTX’’). E:\FR\FM\25NOP2.SGM 25NOP2 85338 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS System Safeguards for Automated Trading Environments (‘‘Concept Release’’), which included an initial 90day comment period and a subsequent three-week comment period in conjunction with a public meeting of the Commission’s Technology Advisory Committee.11 The Concept Release and comments thereto helped inform a number of the proposals reflected in Regulation AT. Comments received during the initial comment period described above helped to identify areas that warranted further consideration by staff. Accordingly, on June 10, 2016, Commission staff held a public roundtable (‘‘Roundtable’’) to discuss certain elements of the NPRM. The topics discussed at the Roundtable included (1) the definition of DEA; (2) quantitative measures to establish the population of AT Persons; (3) alternatives to imposing pre-trade risk controls and development, testing, and monitoring standards on AT Persons; (4) AT Persons’ compliance with elements of the proposed rules when using thirdparty algorithms or systems; and (5) Algorithmic Trading Source Code access and retention. The Roundtable included representatives from a broad crosssection of entities potentially impacted by Regulation AT.12 A transcript of the Roundtable proceedings is available on the Commission’s Web site at CFTC.gov.13 In connection with the staff Roundtable, the Commission reopened the comment period for elements of Regulation AT for an additional two weeks. The Commission received an additional 19 comment letters during the reopened comment period.14 11 Concept Release on Risk Controls and System Safeguards for Automated Trading Environments, 78 FR 56542 (Sept. 12, 2013); Reopening of Comment Period, 79 FR 4104 (Jan. 24, 2014). 12 The participants at the Roundtable included CME; Deutsche Bank; ICE; QIM; Tethys Technology (‘‘Tethys’’); Virtu; OneChicago; European Securities and Markets Authority (‘‘ESMA’’); ABN AMRO Clearing Chicago LLC (‘‘ABN AMRO’’); AFR; Shell Energy North America (U.S.), L.P. (‘‘Shell’’); Hartree Partners (‘‘Hartree’’); J.P. Morgan; KCG Holdings (‘‘KCG’’); AQR Capital Management (‘‘AQR’’); TT; Optiver US LLC (‘‘Optiver’’); and Hudson Trading. 13 See https://www.cftc.gov/PressRoom/Events/ opaevent_cftcstaff061016. 14 In response to the NPRM, the Commission received: (i) Written comments submitted during the initial 90 day comment period (‘‘Initial Comment Period’’); comments by Roundtable participants; and (iii) written comments submitted during the reopened comment period (‘‘Second Comment Period’’). Some commenters submitted multiple comments. Accordingly, this Supplemental NPRM identifies Roundtable comments with a Roman numeral ‘‘II’’ and Second Comment Period comments with a Roman numeral ‘‘III.’’ For example, CME’s comments are identified as CME (its Initial Comment Period comment letter); CME II (its Roundtable comments); and CME III (its Second Comment Period comment letter). During the Second Comment Period, the VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 C. Overview of Comments Received The comments that the Commission received in written letters and at the Roundtable addressed a range of matters in Regulation AT. For purposes of this Supplemental NPRM, the Commission is focusing solely on comments related to new or amended rules proposed herein.15 For example, several commenters suggested that the proposed rules could impact a larger number of market participants (including new and existing Commission registrants) than would be appropriate or than the Commission estimated in the NPRM.16 The Commission found these comments persuasive, as a result of which it developed the volume-based quantitative test for AT Persons described in Section II below and reflected in Supplemental proposed § 1.3(x)(2) (the ‘‘volume threshold test’’). Some commenters also expressed concern regarding the NPRM’s proposal to require risk controls for Algorithmic Trading at three levels (i.e., at the DCM, FCM and AT Person levels).17 Although most saw value in pre-trade risk controls administered by DCMs, some commenters encouraged the Commission to limit any further risk control requirements to either AT Persons or FCMs, but not both. After careful consideration, the Commission is proposing the hybrid two-level risk control structure in which the first level would be at the level of the AT Person or FCM, as reflected in Supplemental proposed §§ 1.80(d) and (g), 1.82, and 1.3(xxxx)(2).18 Commission received comment letters from: AIMA; Chilton, Bart; Better Markets; the Chamber of Commerce (together with ISDA, FIA and others); CME; Commercial Alliance; an industry group consisting of FIA, FIA Principal Traders Group, MFA, ISDA, and SIFMA Asset Management Group (collectively, the ‘‘Industry Group’’); Hartree; Hudson Trading; ICE; KCG; MFA; MGEX; Milliman Financial Risk Management LLC (‘‘Milliman’’); MMI; Nadex; QIM, Schwartz; and TT. 15 The preamble to any final rules that the Commission may adopt for Regulation AT would provide a more complete summary of all comments received, including in response to the NPRM. 16 E.g., CME A–7; ICE 6; MFA 34; Nadex 1–2. 17 FIA 5; CME 6, A–14; ICE 5; MFA 4–5; Nadex 3; SIFMA 20; NIBA 1–2. 18 As explained in Sections II and VI below, these provisions would establish a framework where FCMs act as one of two pre-trade risk control layers for all electronic trading not originating with an AT Person (see Supplemental proposed § 1.82). AT Persons would remain responsible for their own pre-trade risk controls in lieu of any FCM (see NPRM proposed § 1.80). However, the Supplemental NPRM provides additional flexibility by permitting AT Persons to delegate their pre-trade risk control functions to an FCM, while retaining legal responsibility for such controls (see Supplemental proposed § 1.80(d) and (g)). The Supplemental NPRM would also permit a non-AT Person to administer its own pre-trade risk controls if it so desired by voluntarily assuming AT Person PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 A significant source of discussion in response to the NPRM focused on the source code provisions in NPRM proposed § 1.81(a)(vi). Commenters raised confidentiality, intellectual property, and information security as primary concerns. Many recommended that registrants’ source code should be available to the Commission only through subpoena.19 Some commenters also noted that source code by itself may be of limited value to the Commission, and noted the importance of records such as log files in understanding the market behavior of an ATS. The Commission is sensitive to commenters’ confidentiality and information security concerns as summarized above and in Section IV of this Supplemental NPRM. As explained above, the Commission believes that its intent with respect to source code was misunderstood. Specifically, the Commission did not intend for a source code repository be maintained at the Commission or with third-parties. However, the Commission also emphasizes that preservation of source code, and Commission access to such source code, is vital. Recordkeeping and access to records are and have always been central to the Commodity Exchange Act’s (‘‘Act’’ or ‘‘CEA’’) statutory framework for regulated derivatives markets. Further, as a civil law enforcement agency, the Commission already handles sensitive, proprietary and trade secret information on a daily basis under strict retention and use requirements. Cybersecurity and the protection of confidential information are a top priority for the Commission, and all current and former CFTC employees are prohibited by 17 CFR 140.735–5 from disclosing confidential or non-public commercial, economic or official information. Through this Supplemental NPRM, the Commission seeks to balance commenters’ concerns against its legitimate regulatory interest in ensuring that the Algorithmic Trading Source Code that is often essential for transacting in modern electronic markets is preserved and is available to the Commission when necessary. Source code related provisions are now reflected in a new Supplemental proposed § 1.84, which provides that any CFTC access to Algorithmic Trading Source Code must be authorized by the Commission itself through either the part 11 subpoena process or through a status pursuant to Supplemental proposed § 1.3(xxxx)(2). 19 E.g., AIMA 10–11; Barnard 2; Citadel 2; FIA 48; Hudson Trading 3; ICE 7; ISDA 6; MFA 23; MGEX 24–25; MMI 5; Commercial Alliance 12; QIM 5; TraderServe 1; TT 7; Two Sigma 4–5. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules new ‘‘special call’’ process set forth in the proposal. Supplemental proposed § 1.84 also addresses records required to be maintained, confidentiality protections, and the time period for which records must be maintained. Supplemental proposed § 1.84 would replace NPRM proposed § 1.81(a)(vi) in its entirety. Other amendments in the Supplemental NPRM address commenters’ concerns regarding the proposed definition of DEA, AT Persons’ compliance with rules when using third-party providers for their Algorithmic Trading technology, and other areas. With respect to third-party providers, for example, the Commission is adding Supplemental proposed § 1.85, which would permit AT Persons to rely on certifications from their thirdparty providers to meet certain requirements in Regulation AT. Such certifications would be permitted primarily with respect to NPRM proposed § 1.81(a), which requires AT Persons to follow certain standards in the development and testing of their ATSs. Comments received in response to specific proposals in the NPRM are discussed in greater detail below. II. AT Person Status and Requirements for AT Persons A. Overview and Policy Rationale for New Proposal asabaliauskas on DSK3SPTVN1PROD with PROPOSALS The proposed rules in Regulation AT apply in large part to market participants who meet the requirements to be an ‘‘AT Person’’ as defined in NPRM proposed § 1.3(xxxx).20 AT Persons include existing Commission registrants engaged in Algorithmic Trading,21 as well as certain 20 In addition to AT Persons, Regulation AT also includes requirements for FCMs, DCMs, and RFAs. 21 Algorithmic Trading is defined in NPRM proposed § 1.3(zzzz) to mean trading in any commodity interest as defined in paragraph (yy) of this section on or subject to the rules of a designated contract market, where: (1) One or more computer algorithms or systems determines whether to initiate, modify, or cancel an order, or otherwise makes determinations with respect to an order, including but not limited to: The product to be traded; the venue where the order will be placed; the type of order to be placed; the timing of the order; whether to place the order; the sequencing of the order in relation to other orders; the price of the order; the quantity of the order; the partition of the order into smaller components for submission; the number of orders to be placed; or how to manage the order after submission; and (2) Such order, modification or order cancellation is electronically submitted for processing on or subject to the rules of a designated contract market; provided, however, that Algorithmic Trading does not include an order, modification, or order cancellation whose every parameter or attribute is manually entered into a front-end system by a natural person, with no further discretion by any VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 unregistered market participants who would be required to register as New Floor Traders pursuant to NPRM proposed § 1.3(x)(1)(iii). Registration criteria proposed in NPRM § 1.3(x)(1)(iii) for currently unregistered market participants include that such market participant be engaged in: (1) Proprietary (2) Algorithmic Trading (3) through DEA on a DCM. In the NPRM, the Commission preliminarily determined that these criteria could function as ‘‘filters’’ on the population of AT Persons, and therefore on the overall scope of the proposed rules. The Commission estimated that this definition would result in a total of 420 potential AT Persons, and believed that this would represent the top end of the range of AT Persons. The Commission based its proposal, in part, on the view that proprietary trading, DEA, and Algorithmic Trading together could appropriately identify those market participants, including new and existing registrants, that any rulemaking should encompass to effectively address risks associated with Algorithmic Trading. The Commission’s estimates notwithstanding, a number of commenters have opined that the NPRM would capture substantially more than 420 AT Persons. Commenters indicated that DEA is a widespread practice, including potentially among proprietary retail market participants. Some commenters also suggested that the Commission’s proposed definition of Algorithmic Trading may be of limited value in filtering the number of AT Persons because, for example, it incorporates certain automated order routing systems (‘‘AORSs’’). At one end of the comment spectrum, several commenters stated that AT Persons could number in the thousands.22 The Commission has carefully considered all comments regarding the number of potential AT Persons pursuant to the proposed rules, particularly those comments indicating that the NPRM’s defined terms and other elements may not successfully filter the scope of the rules. The Commission is therefore proposing in this Supplemental NPRM the addition computer system or algorithm, prior to its electronic submission for processing on or subject to the rules of a designated contract market. 22 See, e.g., MFA 6, 12–13 (indicating that potentially thousands of market participants would be subject to Regulation AT); Nadex 1–2 (indicating that estimated number of affected participants would be significantly higher than 100, potentially in the thousands); FIA 91 (stating that ‘‘DCMs will be flooded by hundreds, if not thousands, of annual reports’’ pursuant to NPRM proposed §§ 1.83 and 40.22); CME A–7 (indicating that the DEA definition would capture trading activity of thousands of firms). PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 85339 of a volume threshold test to the definition of AT Person. In doing so, the Commission has also considered comments that any volume of trading potentially could pose risks. However, status as an AT Person involves compliance costs due to Regulation AT risk control, testing, recordkeeping and other requirements, and accordingly the Commission has determined that, at this time, it is appropriate to limit the population of AT Persons to larger market participants, including those responsible for significant trading volumes and liquidity in CFTCregulated markets. The Commission emphasizes that its proposed framework requires FCMs to act as one of two pretrade risk control layers for all Electronic Trading not originating with an AT Person (see Supplemental proposed § 1.82). Accordingly, the proposed risk control framework is not limited to the trading of AT Persons who satisfy a quantitative threshold (i.e., the volume threshold test described in Section II below). The Commission emphasizes, as stated above, that Regulation AT is not intended to capture large swaths of new or existing registrants. The focus on Algorithmic Trading and DEA, among other criteria, reflects the Commission’s interest in sophisticated market participants that can bring significant human capital, information technology, or other resources to bear on trading in modern markets. The definition of AT Person in Regulation AT is centered on larger market participants, including, those ‘‘responsible for significant trading volumes and liquidity.’’ 23 Such market participants include existing Commission registrants, and an important population of proprietary traders who heretofore have remained outside of the Commission’s registration regime. The Commission has determined to address both sets of market participants through a straightforward test for potential AT Persons that measures all market participants’ presence on DCMs: Total trading volume for all products across all DCMs, as described below. Taking these considerations into account, the Commission has determined that a quantitative volume threshold test is best suited to identifying larger market participants who should be brought within the Commission’s regulatory purview. To that end, the Commission is proposing a new approach that includes quantitative metrics based on a market participant’s average daily trading volume across all products. Specifically, 23 See E:\FR\FM\25NOP2.SGM NPRM at 78827. 25NOP2 85340 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules the Commission is proposing a volume threshold of 20,000 contracts traded on average per day, including for a firm’s own account, the accounts of customers, or both, over a six month period. The Commission believes that this approach will facilitate the identification of AT Persons through the use of clear, numerical standards that can be calculated easily by market participants and are verifiable in the Commission’s data. The Commission further believes that the proposed volume threshold test is an appropriate vehicle to define the scope of AT Persons, in combination with the proposed definition of Algorithmic Trading and the proposed amended definition of DEA.24 As discussed below, the Commission also considered a variety of quantitative thresholds in formulating the Supplemental NPRM proposal, including order related measurements and frequency metrics. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS B. NPRM Proposal and Comments The term ‘‘AT Person,’’ as defined in the NPRM, involves several interrelated terms, including AT Person, floor trader, DEA, and Algorithmic Trading. The definitions proposed in the NPRM for each of those terms are discussed below, and changes thereto are noted where applicable. AT Person. The NPRM proposed to define AT Person as an existing Commission registrant that engages in Algorithmic Trading on or subject to the rules of a DCM, or a New Floor Trader. In this Supplemental NPRM, the Commission is proposing an additional requirement for AT Person status: A volume threshold test, as described in Section II(C) below. In addition, as discussed below in Section VI(D)(3)(c), the Commission is also proposing to permit market participants to voluntarily elect AT Person status.25 The defined term ‘‘AT Person’’ remains central to the structure of the proposed rules. Regulation AT defines the term ‘‘AT Person’’ in order to 24 The Commission also considered alternatives based on defined terms such as ‘‘DEA’’ and ‘‘Algorithmic Trading’’ that also serve to define the scope of AT Persons. The Supplemental NPRM proposes revisions to the definition of DEA based on public comments that the NPRM proposed definition was ambiguous, but does not propose amendments to the definition of Algorithmic Trading. The Commission believes the volumebased approach proposed herein is a better option as it is based on verifiable and easily observed data regarding the trading volumes of all market participants on DCMs. 25 See Supplemental proposed § 1.3(xxxx)(2). The Commission is providing flexibility so that non-AT Person market participants can administer their own pre-trade risk controls in lieu of controls that its FCM must otherwise impose. Such market participants must register as New Floor Traders and comply with obligations imposed on AT Persons. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 identify which entities are subject to the proposed regulations addressing trading firms’ management of the risks associated with automated trading. These regulations include, for example, pre-trade and other risk controls on the orders initiated by the trading firm, and standards for the development, testing and supervision of ATSs. The definition of AT Person under NPRM proposed § 1.3(xxxx) lists those persons or entities that may be considered an AT Person, namely (1) persons registered or required to be registered as FCMs, floor brokers, swap dealers (‘‘SDs’’), major swap participants (‘‘MSPs’’), commodity pool operators (‘‘CPOs’’), commodity trading advisors (‘‘CTAs’’), or introducing brokers (‘‘IBs’’) that engage in Algorithmic Trading on or subject to the rules of a DCM; or (2) persons registered or required to be registered as floor traders as defined in § 1.3(1)(iii).26 Direct Electronic Access. Through this Supplemental NPRM, the Commission is proposing to amend the definition of DEA originally proposed in the NPRM. In the NPRM, the Commission proposed a new § 1.3(yyyy) that defined DEA as an arrangement where a person electronically transmits an order to a DCM, without the order first being routed through a separate person who is a member of a DCO to which the DCM submits transactions for clearing. By using the word ‘‘routed,’’ the Commission indicated that it means the process by which an order physically goes from a customer to a DCM. Section III below discusses the Commission’s revisions to the proposed definition of DEA as part of this Supplemental. Algorithmic Trading. The Commission is not proposing to amend the definition of Algorithmic Trading originally proposed in the NPRM.27 26 In the NPRM, the Commission proposed amending the definition of ‘‘floor trader’’ in existing § 1.3(x) to facilitate the registration of proprietary traders using DEA for Algorithmic Trading on a DCM. The NPRM proposed requiring such persons (i.e., New Floor Traders) to register as floor traders, assuming they were not already registered or required to register with the Commission in another capacity. 27 In the NPRM, the Commission proposed a new § 1.3(zzzz) that defines Algorithmic Trading as trading in any commodity interest as defined in Regulation 1.3(yy) on or subject to the rules of a DCM, where: (1) One or more computer algorithms or systems determines whether to initiate, modify, or cancel an order, or otherwise makes determinations with respect to an order, including but not limited to: the product to be traded; the venue where the order will be placed; the type of order to be placed; the timing of the order; whether to place the order; the sequencing of the order in relation to other orders; the price of the order; the quantity of the order; the partition of the order into smaller components for submission; the number of orders to be placed; or how to manage the order after submission; and (2) such order, modification or order cancellation is electronically submitted for PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 As the Commission explained in the NPRM, ‘‘[t]he term ‘Algorithmic Trading’ is a critical underpinning’’ of Regulation AT.28 It noted that the proposed definition of Algorithmic Trading is similar to that which was adopted by the European Commission under MiFID II, except that it also includes AORSs.29 It observed that ‘‘automated order routers have the potential to disrupt the market to a similar extent as other types of automated systems, and therefore should not be treated differently’’ under Regulation AT. It also explained that ‘‘given the interconnectedness of trading firm systems, carving out a particular subset of automated systems from the definition of Algorithmic Trading, e.g., order routing systems, would introduce unnecessary complexity and reduce the effectiveness of the safeguards provided in its proposed regulations.’’ 30 The Commission is cognizant of comments indicating some commenters’ belief that the proposed definition of Algorithmic Trading should be revised to exclude certain systems such as AORSs. However, the Commission has thus far been presented with no persuasive evidence establishing that the operation of AORSs presents less risk to the market than other types of automated or algorithmic systems. Comments Received. As discussed above, the NPRM proposed to define AT Person as an existing Commission registrant that engages in Algorithmic Trading on or subject to the rules of a DCM, or a New Floor Trader (i.e., a market participant that engages in (1) proprietary (2) Algorithmic Trading (3) through DEA on a DCM). In addition to receiving comments on the substance of NPRM proposed terms such as ‘‘Algorithmic Trading’’ and ‘‘DEA,’’ 31 the Commission also received comments concerning the number of market participants that would qualify as AT Persons under the proposed rules, particularly as a function of the defined terms discussed above. Several processing on or subject to the rules of a DCM; provided, however, that Algorithmic Trading does not include an order, modification, or order cancellation whose every parameter or attribute is manually entered into a front-end system by a natural person, with no further discretion by any computer system or algorithm, prior to its electronic submission for processing on or subject to the rules of a DCM. 28 See NPRM at 78840. 29 See id. 30 See id. 31 The comments received regarding the NPRM proposed definition of DEA are discussed in Section III(B) below. The Commission is proposing a revised definition of DEA, as set forth in Section III(C) below. The Commission is not proposing to amend the NPRM proposed definition of Algorithmic Trading. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules commenters asserted that the number of persons or entities that would come within the NPRM proposed definition of AT Person is higher than the Commission’s estimate of 420 AT Persons. ICE commented that ‘‘[i]f read broadly (i.e. orders routed through an FCM’s risk management controls located at the exchange but not physically routed . . . through the FCM are considered DEA), the Commission’s estimated 100 market participants that would be impacted by Regulation AT would increase to include the vast majority of all market participants.’’ 32 The Commercial Alliance stated that Regulation AT could apply to ‘‘a large segment of commercial energy and agricultural firms,’’ contrary to the Commission’s intent to limit its scope to one hundred new registrants.33 MFA commented that ‘‘the breadth of the Regulation AT definitions are [sic] likely to capture many more market participants as AT Persons than the 420 persons that the Commission estimates.’’ 34 MFA estimated that if even half of the CTAs and CPOs registered with the Commission used an algorithmic trading execution system, there would be at least 1,270 CTAs and CPOs that would be AT Persons, exclusive of other registrant categories.35 Several commenters estimated the total number of AT Persons could number in the thousands. Specifically, MFA asserted that if a commodity pool or managed account could be considered an AT Person, ‘‘there could be tens of thousands of AT Persons.’’ 36 CME commented that ‘‘the CFTC should recognize that orders can pass through software that is calibrated by clearing members but maintained and owned by a clearing member’s IT provider (e.g., TT or Bloomberg). If these orders are viewed as DEA orders because they are mischaracterized as bypassing clearing FCM controls, then the DEA definition will capture trading activity from significantly more firms (1000s) than the 100 firms mentioned in the rulemaking.’’ 37 During the Roundtable and the Second Comment Period, the 32 ICE 6. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 33 Commercial Alliance 2; see also IECA 6 (asserting that Regulation AT could affect ‘‘vastly more’’ than 100 proprietary trading firms). 34 MFA 34. 35 See id. 36 MFA 12 n.23. 37 CME A–7. See also TT 3 (commenting that ‘‘the definition of DEA will likely capture within the definition of ‘floor trader’ many single traders, small trading groups and even larger companies like energy firms who hedge on futures exchanges, all of whom trade through FCMs and are often substantial liquidity providers.’’). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Commission received several comments regarding potential quantitative measures to establish the population of AT Persons. Better Markets commented that ‘‘[r]egarding a quantitative threshold, the CFTC must adopt a threshold using a metric that sets limits on volume and frequency.’’ 38 Better Markets further commented that ‘‘[f]or registration purposes, FCMs should be tasked with monitoring proposed metrics and communicating these metrics to the CFTC because their ‘know your customer’ rules make them the most fit.’’ 39 AIMA expressed concerns regarding quantitative measures, commenting that it ‘‘considers that additional metrics on top of the current proposed definition of AT Person may not be the optimal solution to avoid the disproportionately broad scope capturing excessive numbers of registered firms. The fundamental problem causing a large population of potential AT Persons is the inappropriately broad definition of [Algorithmic Trading].’’ 40 The Commercial Alliance also took the position that the Commission should not adopt a quantitative approach to establish the population of AT Persons.41 Commenters raised a number of concerns regarding potential quantitative measures, including that all algorithmic or electronic trading should be subject to appropriate risk controls; 42 that even a small volume of trading could pose risks to the marketplace; 43 that any quantitative measure would necessarily be arbitrary; 44 and that market participants could seek to modify their trading to ‘‘game’’ any quantitative measure.45 The Commission has carefully considered all comments received, and believes that the proposals set forth in this Supplemental NPRM address the comments regarding quantitative 38 Better Markets III 2. 39 Id. 40 AIMA III 3. 41 Commercial Alliance III 2–4. transcript of June 10, 2016 Roundtable (‘‘Roundtable Tr.’’), available at https:// www.cftc.gov/idc/groups/public/@newsroom/ documents/file/transcript061016.pdf, 110:14–114:5; Optiver, Roundtable Tr. 119:11–120:17; see also FIA 6, 13, 21; ICE 4; and MGEX 20–21 (commenting that all market participants trading electronically should use pre-trade and other risk controls appropriate to their trading). 43 Hudson Trading, Roundtable Tr. 95:10–97:8, 135:12–136:19; Optiver, Roundtable Tr. 119:11–19; KCG, Roundtable Tr. 120:21–121:8. 44 Hartree, Roundtable Tr. 100:7–101:7; AQR, Roundtable Tr. 106:5–107:17, 109:9–110:13. 45 Milliman III 3; Hudson Trading, Roundtable Tr. 97:15–98:4; AQR, Roundtable Tr. 107:18–108:7; QIM, Roundtable Tr. 117:13–114:10. 42 ICE, PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 85341 measures raised during the Roundtable and in written comments. Specifically, the Commission is proposing to establish a framework where FCMs act as one of two pre-trade risk control layers for all Electronic Trading not originating with an AT Person (see Supplemental proposed § 1.82). The volume threshold test would identify those market participants with the most significant presence in CFTC-regulated markets. The Commission is also proposing an anti-evasion provision in Supplemental proposed § 1.3(xxxx)(4) to address commenters’ concerns that a quantitative measure could be ‘‘gamed’’ by market participants.46 As discussed in Section II(C) below, the proposed anti-evasion provision states that no person shall trade contracts or cause contracts to be traded through multiple entities for the purpose of evading the floor trader registration requirements under Supplemental proposed § 1.3(x)(3), or to avoid meeting the definition of AT Person under Supplemental proposed § 1.3(xxxx). C. Substance of New Proposal In light of comments received, the Commission is proposing an additional requirement for AT Person status: A volume threshold test. Pursuant to Supplemental proposed § 1.3(xxxx), a market participant may fall under the definition of AT Person in one of three ways. First, the category of AT Persons includes persons registered or required to be registered as an FCM, floor broker, SD, MSP, CPO, CTA, or IB that (1) engages in Algorithmic Trading and (2) satisfies the volume threshold test under Supplemental proposed § 1.3(x)(2) (as discussed in greater detail below).47 Second, AT Persons include New Floor Traders under Supplemental proposed § 1.3(x)(1)(iii).48 Such New Floor Traders must engage in Algorithmic Trading, utilize DEA, and satisfy the volume threshold test under Supplemental proposed § 1.3(x)(2). Third, a person who does not satisfy either of the other two prongs of the AT Person definition may nevertheless elect to become an AT Person, provided that such person registers as a floor trader and complies with all requirements of AT Persons pursuant to Commission regulations.49 In addition, each AT Person who is not already a member of an RFA must submit an application for 46 See AQR, Roundtable Tr. 107:18–108:7; Hudson River Trading, Roundtable Tr. 97:19–21. 47 See Supplemental proposed § 1.3(xxxx)(1)(i). 48 See Supplemental proposed § 1.3(xxxx)(1)(ii). 49 See Supplemental proposed § 1.3(xxxx)(2). E:\FR\FM\25NOP2.SGM 25NOP2 85342 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules membership to at least one RFA, as discussed below. 1. Volume Threshold Test for AT Persons asabaliauskas on DSK3SPTVN1PROD with PROPOSALS In light of commenter views that the Commission has underestimated the number of AT Persons that would fall within the scope of Regulation AT, the Commission proposes modifying the proposed definition of AT Person to incorporate a volume threshold test. Specifically, Supplemental proposed § 1.3(x)(2) would require potential AT Persons to determine whether they trade an aggregate average daily volume of at least 20,000 contracts for their own account, the accounts of customers, or both. The Commission notes that while many Commission registration categories (e.g., FCM, CPO, floor broker, etc.) may trade both their proprietary and customer accounts, New Floor Traders are likely to trade solely for themselves. Accordingly currently unregistered market participants would likely look to their proprietary trading volume when determining whether they satisfy the volume threshold test.50 For purposes of the volume threshold test, potential AT Persons would be required to calculate their aggregate average daily volume across all products on the electronic trading facilities 51 of all DCMs on which they trade.52 Aggregate average daily volume would be calculated in six-month periods, from each January 1 through June 30 and each July 1 through December 31, based on all trading days in the respective period.53 For purposes of calculating the aggregate average daily volume, AT Persons would also be required to aggregate their own trading volume and that of any other persons controlling, controlled by or under common control with the potential AT Person.54 The Commission believes that a volume threshold test based on total trading volume across the electronic trading facilities of all DCMs best matches the goals of AT Person regulation, including risk controls, recordkeeping and testing and 50 However, if a currently unregistered market participant is in fact trading the accounts of customers consistent with the Act and Commission regulations, such market participant should include their customer trading volume, in addition to their proprietary volume, when determining whether it satisfies the volume threshold test. 51 ‘‘Electronic trading facility’’ is defined in section 1a(16) of the CEA. The aggregate average daily volume would not include block trades, exchange for related positions, pit trades, or other transactions outside a DCM’s electronic trading platform. 52 See Supplemental proposed § 1.3(x)(2)(i). 53 See Supplemental proposed § 1.3(x)(2)(ii). 54 See Supplemental proposed § 1.3(x)(2)(iii). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 monitoring of automated systems requirements that will prevent and reduce the potential risk of market disruption caused by technological malfunction or other error. This volume threshold test would apply to both current and new Commission registrants to help define whether they are AT Persons. In making this determination, the Commission reviewed other quantitative thresholds proposed, or finalized, for regulatory purposes similar to those in Regulation AT. These other quantitative thresholds include, for example, tests proposed by ESMA for identifying highfrequency traders in European markets, i.e., average resting order times and daily number of messages sent by a trading entity. The Commission’s purpose in creating the new AT Person category is to ensure that risk management, testing and monitoring standards are sufficiently high for larger market participants in futures markets, regardless of strategy or firm type. The Commission believes that, out of all actions taking place on an electronic platform, consummated transactions are the key element of market processes such as price discovery and risk transfer. For this reason, larger entities, across products taken as a whole, should be held to standards sufficient to mitigate the risks of general market disruptions or degradations in the quality of trading. The Commission proposes setting a six-month window for calculating average daily trading volume. The Commission’s intent is that a longer window will smooth out episodic volume fluctuations experienced by a firm through the year for a variety of reasons, including, for example, hedging practices, roll activity, or other seasonal reasons. By doing this, the set of AT Persons should be restricted to entities that are larger, sufficiently high-volume traders. The averaging window also should moderate the effect of market events where there is unusually high volume relative to historical levels. The volume threshold test definition does not make a distinction between futures products or between futures and options contracts for the purposes of aggregation. The Commission believes this is appropriate to help facilitate the volume calculation for potential AT Persons. Accordingly, the proposed volume threshold test instead results in an averaging across markets and products. Using the proposed definition, and a trading volume threshold of 20,000 contracts traded per day on DCM electronic trading facilities—including for a firm’s own account, the accounts PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 of customers, or both, over a six month period—the Commission estimates that there would be approximately 120 AT Persons, a portion of which would be newly registered under the amended definition of floor trader.55 In order to derive this estimate, the Commission made use of daily trading audit trail data, for futures and options on futures, received from a number of DCMs. This audit trail data included information about the trading activity of market participants on the electronic trading facility of each DCM, coinciding with the order and trade activity associated with electronic trading, the focus of many other elements of this Supplemental NPRM. Because the volume threshold test is based on activity within a semi-annual period, the Commission calculated the average activity of individual firms during the first half of 2016 and used these aggregate numbers as an activity benchmark. Aggregating this activity across the DCMs for which the Commission had firm identification provided a basis for estimating the number of potential AT Persons. The Commission notes that its data provides a significantly comprehensive, but not a full, identification of the firms associated with each trade; in other cases, the firm associated with a trade may be the broker rather than the principal. For these reasons, the Commission estimates for the number of AT Persons may omit some firms that would meet the volume threshold requirements. Because trading patterns for a given entity or firm may change over time, the Commission acknowledges that traders who are active enough to fall above the AT Person volume threshold test during a given semi-annual period may, over time, reduce their activity levels. To accommodate changes in strategy and in the use of futures markets, the AT Person definition allows for current AT Persons to drop their designation as an AT Person if they fall below the volume threshold for two consecutive six-month periods.56 55 The Commission notes that over time it may amend the volume threshold it adopts in any final rules for Regulation AT. Such amendments would be an outgrowth of the Commission’s experience with the volume threshold it adopts in final rules. As the Commission is proposing to codify the volume threshold in its rules, any future changes would necessarily be pursued through further notice and comment rulemaking. 56 The Commission’s proposed volume threshold test helps determine, together with other factors, a market participant’s obligation to register as a New Floor Trader. As described above, any Commission registrant who is also an AT Person, including a floor trader, may cease to be bound by the requirements applicable to AT Persons if such registrant falls below the volume threshold test for E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules 2. Registration as a Floor Trader Supplemental proposed § 1.3(x) modifies the new definition of floor trader, which also make up the group of AT Persons under Supplemental proposed § 1.3(xxxx)(1)(ii). Under the Supplemental proposed definition, a floor trader must, in addition to using DEA to conduct Algorithmic Trading (as proposed in the NPRM), also satisfy the volume threshold test set forth in Supplemental proposed § 1.3(x)(2). This proposal will help to address concerns that too many market participants would be captured by the new definition of floor trader proposed in the NPRM. Supplemental proposed § 1.3(x)(3) specifies the period of time provided to an entity meeting these conditions to register as a floor trader and come into compliance with the requirements for AT Persons. Specifically, Supplemental proposed § 1.3(x)(3) provides that an unregistered person who satisfies Supplemental proposed §§ 1.3(x)(1)(iii)(A), (x)(1)(iii)(B) and (x)(1)(iii)(C), and who meets the volume threshold test in Supplemental § 1.3(x)(2) in any January 1 through June 30 or July 1 through December 31 period, shall register as a floor trader within 30 days after the end of such period and shall comply with all requirements of AT Persons pursuant to Commission regulations within 90 days after the end of such period. Supplemental proposed § 1.3(x)(3)(ii) describes which person or persons must register if there is an ‘‘affiliate group,’’ under common control, that meets the volume threshold test in the aggregate. Supplemental proposed § 1.3(x)(3)(ii) states that for any group consisting of a person and any other persons controlling, controlled by or under common control of such person, if such group of persons in the aggregate satisfies the volume threshold test set forth in Supplemental proposed § 1.3(x)(2), then one or more persons in such group must register as floor traders. These registrations would need to continue across affiliated entities until the aggregate average daily volume of the unregistered persons in the group trade an aggregate average daily volume below the volume threshold test set forth in § 1.3(x)(2).57 two consecutive six-month periods. The Commission notes, however, that a floor trader who ceases to be an AT Person shall still be registered as a floor trader unless it formally applies for withdrawal from registration as described in Commission § 3.33. 57 The Commission’s proposal for aggregating the trading volume of affiliated entities under common control is modeled on analogous provisions in the Commission’s swap dealer registration VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 3. Anti-Evasion Supplemental proposed § 1.3(x)(4) provides that no person shall trade contracts or cause contracts to be traded through multiple entities for the purpose of evading the registration requirements imposed on New Floor Traders under § 1.3(x)(3), or to avoid meeting the definition of AT Person under § 1.3(xxxx). The purpose of this provision is to prevent market participants whose trading volume would otherwise cause them to fall within the definition of New Floor Trader (and, therefore, AT Person), but who trade through multiple entities for the purpose of falling below the volume threshold test, from avoiding registration. By including such antievasion provision, the Commission seeks to prevent market participants from structuring transactions and legal entities in order to avoid the requirements of Regulation AT. Examples of these structures might include trading through multiple ‘‘shell’’ companies that individually trade below the threshold, or trading through one entity for part of the year, then ceasing all trading activity for that entity and trading instead through a newly formed entity, similarly leaving average daily volume under the threshold. 4. Registration for Membership With a Registered Futures Association In addition to being registered with the Commission in some capacity, AT Persons must also submit applications for membership in at least one RFA.58 In particular, Supplemental proposed § 170.18 requires that an AT Person not yet a member of an RFA must submit an application for membership in at least one RFA within 30 days of such AT Person satisfying the volume threshold test set forth in Supplemental proposed § 1.3(x)(2).59 In addition, Supplemental proposed § 1.3(xxxx) provides that any requirements. See existing § 1.3(ggg)(4) and Interpretative Guidance and Policy Statement Regarding Compliance With Certain Swap Regulations, 78 FR 45292 (July 26, 2013). 58 The Commission is cognizant that upon the adoption of final rules for Regulation AT, an RFA may need additional time to prepare its governance structure, membership categories, application materials, and other internal processes to accommodate New Floor Traders. Accordingly, the Commission may determine to delay the compliance date for Supplemental proposed § 170.18 for a short period of time so that an RFA may complete such processes prior to receiving its first application for membership from a New Floor Trader. 59 Any unregistered person who meets the requirements to register as a New Floor Trader would have identical 30-day periods in which to both register with the Commission and apply for membership in an RFA. PO 00000 Frm 00011 Fmt 4701 Sfmt 4702 85343 person that elects to become an AT Person must submit an application for membership to at least one RFA pursuant to Supplemental proposed § 170.18 within 30 days of such person choosing to become an AT Person.60 D. Commission Questions 1. The Commission invites comment on the proposed volume threshold test set forth in Supplemental proposed § 1.3(x)(2). In particular, the Commission specifically invites comment on whether the volume threshold test is an appropriate means of identifying those market participants who should qualify as AT Persons and therefore be subject to the proposed risk control, recordkeeping testing and monitoring and other requirements in Regulation AT. 2. If you believe that AT Persons should be identified by a quantitative measure other than the proposed volume threshold test, please identify and describe such alternative measure, including the number and types of market participants that would qualify as AT Persons. 3. The proposed volume threshold test would require a potential AT Person to determine whether it trades an aggregate average daily volume of at least 20,000 contracts over a six month period. Do you believe that a potential AT Person’s average daily volume for purposes of the volume threshold test should instead be calculated only over the days in which the potential AT Person trades during the six month period? Would such alternative better address potential AT Persons who may trade infrequently over the course of a six month period, but in large quantities when they do trade? 4. The Commission estimates that its proposed volume threshold of 20,000 contracts traded per day, including for a firm’s own account, the accounts of customers, or both, across all products and DCMs, would capture approximately 120 market participants, including new and existing registrants. Please comment on the Commission’s estimate. Do you believe that the number of market participants captured by this volume threshold test would be greater or fewer than 120? Please indicate how many of these market participants are currently registered with the Commission and how many are not. 60 The Commission does not require such membership to be in a specific membership category. An RFA may register such AT Persons as ‘‘floor traders,’’ or choose to create a subset or other category of Regulation AT floor traders for membership purposes. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85344 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules 5. With the addition of the proposed volume threshold test, do you believe that any AT Person will be a natural person or a sole proprietorship with no employees other than the sole proprietor? 6. For the proposed volume threshold test, please explain any challenges that could arise with respect to implementation. For example, what difficulties might an entity potentially subject to Regulation AT encounter in calculating whether it meets the volume threshold? Will the entity be able to readily distinguish between trades executed on a DCM’s electronic trading facility and other trades executed on or pursuant to the rules of the DCM? Does the volume threshold test potentially capture a set of entities that should not be subject to Regulation AT? 7. For the proposed volume threshold test, please explain whether the proposed rule should specify a different aggregation level for purposes of deciding who is an AT Person (e.g., individual DCMs, individual products), or whether the aggregation should be done over a time period different than the proposed semi-annual window. 8. For the proposed volume threshold test, please explain whether certain trades should be weighted differently in calculating the volume aggregation, or whether certain trades such as spread trades should be excluded from the aggregation. 9. For the proposed volume threshold test, the Commission proposes to set a single threshold incorporating trading in all products and on all DCMs in order to facilitate calculations for potential AT Persons. Please explain whether the Commission should instead set different thresholds for groups of related products, or on a per-DCM basis, or other more granular measures than the aggregation of a potential AT Person’s trading across all products and DCMs. Please also discuss the added complexity of any such alternate system, and explain why such system is preferable despite such complexity. 10. Supplemental proposed § 1.3(x)(2)(ii) calls for aggregate average daily volume to be calculated in sixmonth periods, from each January 1 through June 30 and each July 1 through December 31. The Commission requests comment regarding when to begin the first six-month measurement period for any final rules that the Commission adopts. For example, the Commission anticipates that for any final rules with an effective date prior to July 1, 2017, the first measurement period will be July 1 through December 31, 2016. Alternatively, the Commission could delay the effective date for certain VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 elements of the final rules to a date from July 1, 2017 onwards. In such case, the first measurement period could be January 1 to June 30, 2017. 11. The Commission invites comment on whether any future changes to the volume threshold deemed appropriate by the Commission (subsequent to a final rulemaking on Regulation AT) should be made by notice and comment rulemaking. Commenters are particularly invited to address potential alternatives to updating the volume threshold, if any. 12. The Commission invites comment as to how the proposed volume threshold test should be applied to members of an affiliated group. Commenters are particularly invited to address how the Commission should interpret common control for these purposes, and whether this interpretation should be limited to wholly-owned affiliates. 13. The Commission requests comment regarding the appropriate amount of time for an entity to register as a New Floor Trader and come into compliance with all requirements applicable to AT Persons, once such entity has triggered the criteria for registration and AT Persons status. III. Proposed Definition of DEA A. Overview and Policy Rationale for New Proposal The Commission proposed in NPRM § 1.3(yyyy) to define DEA for purposes of Regulation AT as an arrangement where a person electronically transmits an order to a DCM, without the order first being routed through a separate person who is a member of a DCO to which the DCM submits transactions for clearing.61 The NPRM explained that the term ‘‘routed’’ was intended to mean the process by which an order physically goes from a customer to a DCM. The Commission proposed this definition of DEA in the NPRM as a filter, along with Algorithmic Trading, to help define the category of proprietary traders that would be required to register as floor traders under Regulation AT. The Commission anticipated that the proposed definition of DEA could help to define the number of entities required to register as New Floor Traders, and to focus registration on larger market participants not otherwise registered with the Commission. In light of comments received on the NPRM, and in light of the proposed addition of a volume threshold test to filter out smaller market participants from floor trader 61 See PO 00000 NPRM at 78844. Frm 00012 Fmt 4701 Sfmt 4702 registration and its attendant obligations, the Commission is proposing an amended definition of DEA, as described below. The Supplemental proposed defined term DEA means the electronic transmission of an order for processing on or subject to the rules of a contract market, including the electronic transmission of any modification of such order. DEA would not include orders, or modifications or cancellations thereof, (i) electronically transmitted to a DCM (ii) by an FCM (iii) that such FCM received from an unaffiliated natural person 62 (iv) by means of oral or written communications.63 The amended definition differs from the NPRM definition in four key areas: (a) Eliminating the term ‘‘routed through’’; (b) clarifying that DEA does not include orders submitted to a DCM by an FCM where such FCM received the order from an unaffiliated natural person by means of written or oral communication; 64 (c) changing the proposed rule’s reference to ‘‘clearing members’’ of DCOs to any FCM; and (d) expanding the term ‘‘order’’ to include the cancellation or modifications of such order. B. NPRM Proposal and Comments In the NPRM, DEA was relevant to several of the proposed regulations. It was used as a filter to define the category of market participants required to register as floor traders and be subject to the requirements of Regulation AT 62 The Commission notes that an ‘‘unaffiliated natural person’’ is one who has no affiliation with, and whose employer has no affiliation with, the FCM receiving the order. Such natural person may be communicating the order for another (unaffiliated) Commission registrant, an (unaffiliated) unregistered market participant, an (unaffiliated) end customer, etc. Examples of scenarios that are not DEA include: (1) An employee of a Commission registrant communicates an order to an unaffiliated FCM, verbally or in writing, for onward transmission by such FCM to a DCM; (2) A natural person customer communicates an order to an unaffiliated FCM, verbally or in writing, for onward transmission by such FCM to a DCM; and (3) An employee of customer that is a legal entity not registered with the Commission communicates an order to an unaffiliated FCM, verbally or in writing, for onward transmission by such FCM to a DCM. The Commission emphasizes that an unaffiliated natural person has no relationship, and their employer has no relationship, with the FCM receiving the order for submission to a DCM. 63 The Commission notes that ‘‘written communications’’ may include email, text messages, or instant messaging ‘‘chat’’ tools, in addition to communications on paper. The common denominator is that such communications are in each instance specifically written by a natural person. 64 The Commission notes that this exclusion addresses the ‘‘how’’ and ‘‘by whom’’ of an order’s communication to the FCM. Such communication must be made by a (1) unaffiliated (2) natural person (3) verbally or in writing. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules (see proposed § 1.3(x)(3)). In addition, DEA was relevant to revised § 38.255, which requires DCMs to have in place systems and controls reasonably designed to facilitate an FCM’s management of the risks that may arise from Algorithmic Trading, and proposed § 1.82, which requires FCMs to implement such DCM-provided controls for DEA orders. This approach of enabling clearing FCMs to implement DCM-based controls is similar to how the Commission addresses financial risk management by FCMs, as reflected in existing DCM regulation § 38.607. Existing § 38.607 describes DEA as allowing customers of futures commission merchants to enter orders directly into a designated contract market’s trade matching system for execution.65 As discussed below, the Commission proposes to amend the definition of DEA to address various commenter concerns, and the term continues to be relevant to Supplemental proposed §§ 1.3(x)(1)(iii), 1.82 and 38.255. Comments Received. The Commission received a range of comments concerning the scope and clarity of the definition of DEA proposed in the NPRM. Better Markets commented that the NPRM’s definition of DEA encompassed all types of access commonly understood in Commissionregulated markets as ‘‘direct market access.’’ 66 Other commenters raised a number of concerns over the NPRM proposed definition of DEA and its application to various types of market participants. One commenter cautioned that the NPRM proposed definition of DEA would not capture any market participants because clearing members are required to have risk controls over automated customer orders under existing § 1.73.67 Some commenters found the NPRM definition too broad, and argued that it would capture individual traders and small trading groups, as well as large corporations using futures markets to hedge risks.68 CME stated that this broader reading of DEA would capture thousands of firms if the term includes orders that pass through software calibrated by clearing members but maintained and owned by a clearing member’s IT provider (e.g., 65 In addition, in the context of foreign boards of trade, section 4(b)(1)(A) of the CEA defines ‘‘direct access’’ as an explicit grant of authority by a foreign board of trade to an identified member or other participant located in the United States to enter trades directly into the trade matching system of the foreign board of trade. 66 Better Markets 3; Better Markets III 3–4. 67 CME, 12. 68 TT 3. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 TT or Bloomberg).69 Two commenters suggested that the definition of DEA is unnecessary because any market participant trading electronically must utilize pre-trade and other risk controls appropriate to the nature of their trading.70 Several commenters asserted that the NPRM proposed definition of DEA lacks clarity,71 and that the definition does not provide sufficient guidance as to what ‘‘being routed through a separate person’’ that is a member of a DCO means.72 Many commenters argued that DEA should not include DCM-offered connectivity platforms such as WebICE or CME Direct.73 Commenters also argued that DEA should not include platforms provided by third-party ISVs; 74 one commenter considered such ISVs to be an extension of the FCM’s infrastructure where the FCM was able to control a risk control module on the platform.75 Some commenters also suggested that the NPRM definition was too narrowly focused on the role of clearing FCMs, as opposed to executing FCMs. Several commenters argued that executing FCMs could better act as gatekeepers over customer order flow than clearing FCMs.76 For example, Milliman commented that NPRM proposed § 1.3(yyyy) should be modified to refer to an order being routed through a separate person who is an ‘‘executing agent’’ (rather than a clearing member).77 QIM raised the issue of FCM ‘‘gateways’’ through which customers could submit orders, and commented that only the person or agent directly placing trades on a DCM should be considered to possess DEA 78 Commenters offered a variety of alternate definitions of DEA, with the intent that DEA not capture certain types of market participants. Bloomberg and TT offered alternate definitions that would exclude market participants 69 CME A–7. 6; ICE 4–5. 71 TT 2; MFA 15; CME 11–12; ICE 4; IECA 7. 72 TT 2; CME 11–12; ICE 4. 73 FIA A–17; MFA 15; AGA 3; Commercial Alliance III 4; ICE 5; CME A–7. 74 FIA A–6; MFA 15; TT 3; Commercial Alliance 4. 75 FIA A–6. 76 Milliman III 2. One commenter also noted that there may be non-FCM clearing members of a DCM, which could create situations under the NPRM proposed rules where there would be ‘‘no second line of pre-trade risk control administered by an FCM.’’ Industry Group III 15 n.12. One commenter also suggested that limiting the exclusion to instances where a clearing member had risk controls in place would incentivize market participants to move away from the use of executing FCMs and give-up arrangements. See Bloomberg 7. 77 Milliman III 2. 78 QIM III 1. 70 FIA PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 85345 using third-party software platforms provided by FCMs.79 CME offered an alternative definition that would exclude orders passing through risk controls administered by a clearing member.80 FIA and the Commercial Alliance offered an alternative definition that would exclude orders that are first routed through an order routing system under the control of an FCM.81 Better Markets proposed a definition that would take into consideration colocation and the use of FCM-provided software.82 Nadex supported defining DEA, consistent with existing Commission § 38.607, as ‘‘allowing customers of FCMs to enter orders directly into a DCM’s trade matching system for execution.’’ 83 Similarly, Nodal commented that the definition of DEA in § 38.607 ‘‘is an accurate definition of Direct Electronic Access that does not need revision.’’ 84 C. Substance of New Proposal The Commission proposes to amend the definition of DEA in § 1.3(yyyy) of the NPRM to address the comments summarized above, including with respect to potential ambiguities in the NPRM’s definition of DEA. At the same time, the Supplemental NPRM retains DEA as one of the criteria for defining who must register as a New Floor Trader. The addition of the volume threshold test pursuant to Supplemental proposed § 1.3(x)(2) will act as a further filter for New Floor Traders, limiting registration to large market participants. This will limit AT Person status and its attendant obligations to only those market participants who meet the volume threshold test. The Commission intends for the amended proposed definition of DEA to cover any arrangement where a market participant electronically transmits an order, modification or cancellation to a DCM. However, the amended proposed definition excludes from the definition of DEA any orders submitted by an FCM where the FCM receives such order from an unaffiliated natural person by means of written or oral communication. As noted in Section III(A) above, an ‘‘unaffiliated’’ natural person is one who has no affiliation with the FCM receiving the order for submission to a DCM. Similarly, the natural person’s employer can have no affiliation with such FCM. 79 Bloomberg 8–9; TT 3. 12. 81 FIA 6; Commercial Alliance 6. 82 Better Markets III 4. 83 Nadex III 2. 84 Nodal 2. 80 CME E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85346 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules The NPRM definition of DEA exempted orders that were ‘‘routed through’’ a clearing FCM. After receiving comments requesting clarification on this phrase, the Commission proposes changing the definition of DEA so that it does not include orders electronically submitted to a DCM by an FCM that such FCM first receives from an unaffiliated natural person by means of oral or written communications. The Commission believes that this revision clarifies which order submission methods are DEA, and which are not, for purposes of Regulation AT. The Commission expects that the language in which an FCM electronically submitting orders first received from an unaffiliated natural person by means of oral or written communications will only encompass situations where the FCM is acting in a true intermediating role: i.e., where the FCM receives an order from a third-party (who may or may not be a Commission registrant) and the FCM then submits such order to a DCM for or on behalf of the third party. Each element of Supplemental proposed § 1.3(yyyy) is intended to emphasize an FCM’s active, involved intermediation as a necessary condition for non-DEA order submission, modification, or cancellation. Accordingly, non-DEA orders must be received by an FCM orally or in writing, from a natural person, who is unaffiliated and whose employer is unaffiliated with the FCM. Because technological innovations have created, and may continue to create, new methods for market participants to connect to DCMs, the Commission has determined not to differentiate between currently existing connection types. Instead, the amended proposed definition would capture all electronic order submissions to a DCM as DEA, unless the order is first received by an FCM from an unaffiliated natural person by means of written or oral communication prior to being submitted to the DCM by the FCM.85 To identify specific connection types in this definition—such as connection through a DCM’s application program interface (‘‘API’’)—risks having the definition become outdated with changes in technology while simultaneously 85 The Commission understands that written or oral communications are not computer-generated, and therefore such communications would come from a natural person. The Commission notes that ‘‘written communications’’ may include email, text messages, or instant messaging ‘‘chat’’ tools, in addition to communications on paper. The common denominator is that such communications are in each instance specifically written by a natural person. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 creating uncertainty over the regulatory standing of such new technology. Second, the exclusion would apply only where an FCM receives an oral or written communication from a natural person for a particular order or series of orders. The exclusion would not apply to orders received through electronic systems or automated means, such as through any API or graphical user interfaces (‘‘GUIs’’) provided by an FCM. The exclusion also would not apply to any third-party ISV platforms, such as those provided by Bloomberg or TT, even if the FCM were able to calibrate or implement risk controls over customer order flow submitted through those platforms. Further, the exclusion would not apply to any orders submitted through DCM-provided APIs, such as WebICE or CME Direct. In each case, current and potential technological practices may serve to reduce or eliminate the role of an FCM or other Commission registrant as a true intermediary to the transaction. Third, the Commission’s amended proposed definition also would change the entity that must be involved in an order’s transmittal to the DCM for such order not to be considered DEA. The NPRM proposal would exclude orders routed through a clearing member of a DCO to which the DCM submits trades for clearing, thus applying to clearing FCMs. The amended proposal would expand the exclusion from DEA to certain types of orders submitted by any FCM, including those FCMs that a market participant may use only to execute trades as well as those used to clear trades. This change is in response to various comments suggesting that executing FCMs could better act as gatekeepers on customer order flow than clearing FCMs. Fourth, the amended proposal differs from the NPRM proposal in that the definition of DEA proposed in this Supplemental NPRM applies explicitly to modifications and cancellations of orders, not only initial order submissions. The Commission considers this a non-substantial clarification intended to align the DEA definition with the proposed definition of Algorithmic Trading (NPRM proposed § 1.3(zzzz)). D. Commission Questions 14. Does the amended proposed definition of DEA appropriately capture all order submission methods to which the additional filters for New Floor Trader status (i.e., Algorithmic Trading and the volume threshold test) should be applied? PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 IV. Algorithmic Trading Source Code Retention and Inspection Requirements A. Overview and Policy Rationale for New Proposal The Commission proposed NPRM § 1.81(a)(vi) to ensure that source code is preserved and available to the Commission when necessary. The NPRM required that AT Persons maintain a ‘‘source code repository’’ and make it available for inspection in accordance with existing § 1.31. The requirements proposed in the NPRM were intended to be consistent with the Commission’s traditional statutory and regulatory authorities governing recordkeeping and access to records; however, as explained below, some commenters misconstrued the proposal as requiring more than the Commission intended. Specifically, NPRM proposed § 1.81(a)(vi) did not require the transfer of all source code to the Commission or other third party for centralized storage. It also did not require that AT Persons provide their Algorithmic Trading Source Code to the Commission on a regular basis. Comments received in response to NPRM proposed § 1.81(a)(vi) expressed intellectual property and information security concerns among numerous market participants and other observers. The Commission appreciates these concerns, including the commercial and enterprise value of market participants’ Algorithmic Trading Source Code. The Commission is proposing to revise NPRM proposed §§ 1.81(a)(1)(v) and (vi) as reflected in Supplemental proposed § 1.84. This new proposal directly addresses commenters’ concerns regarding Commission access to source code in several respects. Most importantly, access to Algorithmic Trading Source Code would not be governed by § 1.31. Instead, access to Algorithmic Trading Source Code and related records described in the proposed rule would require a subpoena approved by the Commission pursuant to part 11 or a ‘‘special call’’ which must also be approved by the Commission itself, a heightened procedural step that responds to concerns raised by market participants. Through Supplemental proposed § 1.84, the Commission is endeavoring to balance its responsibility to oversee markets and market participants— including the operation of ATSs which have become highly pervasive in modern electronic markets—with market participants’ strongly-held privacy and confidentiality concerns. Ultimately, it is imperative that the Commission have access to all information necessary for effective E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS regulatory oversight, including market surveillance and maintaining the safety and soundness of markets. The Commission believes that Supplemental proposed § 1.84 strikes an appropriate balance between regulatory needs and privacy concerns. The Commission emphasizes that recordkeeping and Commission access to books and records are central to the Act’s statutory framework for the oversight of regulated derivatives markets. Sections 4g, 4n(3)(A), 4r(c), and 4s(f)(1)(C) of the Act require all registrants and registered entities to maintain books and records, and provide for prompt access by the Commission and its staff. They include nearly identical language stating that registrants and registered entities shall keep books and records in such form and manner and for such period as may be required by the Commission; and shall keep such books and records open to inspection by any representative of the Commission.86 These core statutory provisions recognize that the Commission must have adequate information to oversee markets and market participants subject to its jurisdiction.87 Required books and records include not only those that must be reported to the Commission on a routine basis, but also books and records that registrants must maintain in their own possession and make available upon request by the Commission or its staff. The Act and Commission rules contemplate a range of mechanisms to obtain books and records, from prompt production to Commission staff through on-site inspection,88 to subpoenas in 86 17 CFR 1.31. See Section 4g(a) of the Act, 7 U.S.C. 6g(a); Section 4n(3)(A) of the Act, 7 U.S.C. 6n(3)(A); Section 4r(c) of the Act, 7 U.S.C. 4r(c); and Section 4s(f)(1)(C) of the Act, 7 U.S.C. 6s(f)(1)(C). Sections 1.31 and 1.35 of the Commission’s rules build on these statutory provisions by requiring registrants to keep full, complete, and systematic records, and to produce such records as required by any representative of the Commission. See 17 CFR 1.35; 17 CFR 1.31. Records must be kept for at least five years, and must be ‘‘readily accessible’’ during the first two years. See 17 CFR 1.31(a)(1). Records must be produced to the Commission in a form specified by any representative of the Commission, and production shall be made, at the expense of the person required to keep the book or record. See 17 CFR 1.31(a)(2). 87 In addition to the statutory authority cited above under Sections 4g, 4n(3)(A), 4r(c), and 4s(f)(1)(C) of the Act, the Commission notes that Section 8a(5) of the Act provides additional authority for the proposed recordkeeping and inspection rules. Section 8a(5) authorizes the Commission to make and promulgate such rules and regulations as, in the judgment of the Commission, are reasonably necessary to effectuate any of the provisions or to accomplish any of the purposes of this Act. 7 U.S.C. 12a(5). 88 See 17 CFR 1.31(a)(2). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 investigative proceedings pursuant to part 11 of the Commission’s regulations. As a civil law enforcement agency, the Commission handles sensitive, proprietary and trade secret information under strict retention and use requirements.89 Further, cybersecurity and the protection of confidential information are a top priority for the Commission.90 The Commission receives confidential information on a daily basis in a variety of contexts, and takes its legal obligation to protect such information seriously. The Commission has significant data security measures in place to protect sensitive information from internal or external threats. In addition, all current and former CFTC employees are prohibited by 17 CFR 140.735–5 from disclosing confidential or non-public commercial, economic or official information to any unauthorized person, or releasing such information in advance of authorization for its release. In sum, this Supplemental NPRM and the Algorithmic Trading Source Code amendments proposed herein achieve four important goals. First, the Commission is clarifying its intent regarding Algorithmic Trading Source Code. The Commission’s interest is in ensuring that Algorithmic Trading Source Code is preserved by AT Persons and that it be available for inspection by the Commission when needed to investigate, understand, and respond, for example, to significant market events, including market disruptions 89 See Section 8(a) of the Act, 7 U.S.C. 12(a) (providing that except as otherwise specifically authorized in the Act, the Commission may not publish data and information that would separately disclose the business transactions or market positions of any person and trade secrets or names of customers); Section 8(e) of the Act, 7 U.S.C. 12(e) (providing that the Commission shall not furnish any information to a foreign futures authority or to a department, central bank and ministries, or agency of a foreign government or political subdivision thereof unless the Commission is satisfied that the information will not be disclosed by such foreign futures authority, department, central bank and ministries, or agency except in connection with an adjudicatory action or proceeding brought under the laws of such foreign government or political subdivision to which such foreign government or political subdivision or any department, central bank and ministries, or agency thereof, or foreign futures authority, is a party); 17 CFR 145.5 (providing that the Commission may decline to publish or make available to the public certain nonpublic records, including records specifically exempted from disclosure by statute, including data and information which would separately disclose the business transactions or market positions of any person and trade secrets or names of customers); see also 5 U.S.C. 552(b)(4) (providing exemption from FOIA for trade secrets and commercial or financial information obtained from a person and privileged or confidential). 90 See System Safeguards Testing Requirements, Final Rule, 81 FR 64272 (Sept. 19, 2016); System Safeguards Testing Requirements for Derivatives Clearing Organizations, Final Rule, 81 FR 64322 (Sept. 19, 2016). PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 85347 and failures of the price discovery process. The Commission does not seek routine access to Algorithmic Trading Source Code, nor is it requiring that Algorithmic Trading Source Code be provided to repositories maintained by the CFTC or a third party. Second, the Commission is proposing to codify in Supplemental proposed § 1.84(b) that any access to Algorithmic Trading Source Code must be authorized by the Commission itself. Such access could be authorized via subpoena, in an investigatory proceeding pursuant to part 11 of the Commission’s regulations, or via special call authorized by the Commission and executed by the Director of the Division of Market Oversight (‘‘DMO’’ or ‘‘Division’’) pursuant to Supplemental proposed § 1.84(b). The Commission notes that the different methods of access to source code—subpoena or special call—depend on whether Commission staff is: (1) Formally investigating potential violations of law; or (2) carrying out its market oversight responsibilities. Subpoenas are typically issued in connection with enforcement investigations. The proposed special call authority and process is intended to require similar Commission approval, but to recognize, for example, the potential need for DMO to review source code, such as in association with unusual trading events or market disruptions. While some commenters recommended that the Commission rely on subpoenas for access to source code in all circumstances, the Commission believes it is important to distinguish investigatory proceedings from access to records by DMO in connection with market surveillance and related work.91 However, both the subpoena and the special call would require approval by the Commission itself. The Commission notes Supplemental proposed § 1.84’s emphasis on access to Algorithmic Trading Source Code and related files in support of the Commission’s market and trade practice surveillance functions. In executing the special call, communications from DMO to the AT Person could specify further procedures undertaken by the Division to help ensure the security of records provided. For example, the Division could specify the means by which it will access Algorithmic Trading Source Code or other records required by the special call, including on-site inspection at the facilities of the AT Person; the provision of records to the Commission on secure storage media or on 91 The Commission notes that it would continue to possess subpoena authority with respect to source code, as it does today. E:\FR\FM\25NOP2.SGM 25NOP2 85348 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules computers lacking network connectivity; or the transfer of records to secure Commission systems with controlled access. Third, and building on public comments regarding additional information necessary for the Commission to understand the operation of Algorithmic Trading in regulated markets, the Commission is proposing in Supplemental proposed § 1.84(a)(3) that AT Persons be required to keep records of log files generated in the ordinary course by their ATSs. Absent subpoena, access to such log files would also be limited to special call by the Commission. As with other regulatory records, both Algorithmic Trading Source Code and log files would be required to be maintained for a period of five years.92 Pursuant to Supplemental proposed § 1.84(b)(2), AT Persons would be required to maintain records ‘‘in a form and manner that ensures the authenticity and reliability of the information in such records,’’ and would also be required to have available ‘‘systems to promptly retrieve and display’’ records required to be maintained under Supplemental proposed § 1.84.93 Finally, consistent with section 8(a) of the CEA, the Commission is emphasizing in Supplemental proposed § 1.84(b)(3) that key confidentiality protections would apply to any records provided to the Commission pursuant to § 1.84. The Commission notes that section 8 of the Act and other Commission rules governing confidential information would apply to Algorithmic Trading Source Code and related files even in the absence of Supplemental proposed § 1.84(b)(3).94 B. NPRM Proposal and Comments The NPRM proposed that each AT Person maintain a ‘‘source code repository’’ to manage source code access, persistence, copies of all code used in the production environment, 92 See Supplemental proposed § 1.84(a). this regard, Supplemental proposed § 1.84(b)(2) is modeled on existing Commission recordkeeping rules in § 1.31, which also call for persons subject to recordkeeping to maintain capabilities by which the Commission can view required records. 94 In this regard, Supplemental proposed § 1.84(b)(3) is intended to emphasize the confidential nature of any Algorithmic Trading Source Code provided to the Commission. The protections of section 8 would apply even absent codification by the Commission in Supplemental proposed § 1.84(b)(3). Section 8 provides, among other things, that except as otherwise specifically authorized the Commission may not publish data and information that would separately disclose the business transactions or market positions of any person and trade secrets or names of customers. See 7 U.S.C. 8(a)(1). asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 93 In VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 and changes to such code. The NPRM further required that such source code repository would include an audit trail of material changes to source code that would allow AT Persons to determine, for each such material change: Who made it; when they made it; and the coding purpose of the change. The NPRM also required that AT Persons maintain source code in accordance with § 1.31. Several commenters expressed support for the proposal that source code should be a required record under Commission rules.95 Better Markets called the source code provisions ‘‘the most important and effective provision in the proposed rule’’ and noted ‘‘the clear and many benefits arising from the Commission’s ability to perform postmortems after disruptive market events.’’ 96 Better Markets pointed out that ‘‘it is crucial that regulators have access to HFT algorithm source code, rather than facing the impossible task of reconstructing manipulative algorithms from market data alone.’’ 97 Another commenter stated that if an algorithm or source code has caused, or has the potential to cause, damage to the U.S. financial markets, regulators have not only a right, but a duty to inspect source code.98 MFA supported a source code and audit trail record retention requirement, but objected to a source code ‘‘repository.’’ 99 MFA stated that it understands the Commission’s need ‘‘to be able to obtain and review confidential, proprietary material that trading firms and other businesses maintain. We also understand the need for a preservation requirement that will ensure that the source code and any audit trails that are relevant to a given investigation be preserved and be made available to the Commission . . . when appropriate.’’ 100 MFA recommended that the Commission adopt a principlesbased rule requiring that market participants adopt a mechanism to preserve source code, produce current and prior versions of such source code, and track material change to the source code.101 AIMA commented that it is ‘‘supportive of an obligation for AT Persons to maintain internal source code repositories.’’ 102 Many commenters expressed concerns about the confidentiality of source code, and in particular making 95 AFR 3; Better Markets 2; Better Markets III 2– 3; Shatto 1; Summers 1. 96 Better Markets 2. 97 Better Markets 2–3. 98 Summers 1. 99 MFA 3, 21. 100 MFA 21. 101 MFA III 3. 102 AIMA III 4. PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 source code subject to § 1.31.103 Several stated that source code should only be available pursuant to a subpoena,104 which some described as a procedural safeguard.105 Others, such as FIA and Mercatus, noted the potential impracticality of certain requirements of § 1.31 in the context of source code, such as duplicate storage, indexes of stored records, and the potential retention of a third-party technical consultant with access to the records.106 Numerous commenters described source code as valuable intellectual property and raised concerns about information security if source code were to be provided to regulators.107 Some raised the possibility that source code stored on government servers or government-mandated repositories could be vulnerable to cyberattack and other system breaches or misappropriation.108 Some commenters took the position that making source code subject to § 1.31 would violate Constitutional protections.109 Several commenters questioned the scope of the records to be retained as source code.110 MMI stated that ‘‘source code’’ should be defined to avoid confusion.111 FIA stated that ‘‘it is not clear under § 1.81(a)(vi) whether the referenced source code refers to Algorithmic Trading code only, or includes the code of ‘related systems’ or separate ‘software’ as well.’’ 112 One commenter even speculated that the rule might be broad enough to require Microsoft to permit inspection of the code underlying its Excel program if a trader developed an algorithm using an Excel spreadsheet.113 Several commenters and Roundtable participants noted that a review of source code alone without additional context would be insufficient to identify the cause of a trading discrepancy.114 103 MFA 29; ISDA 6; NASDAQ 2; Two Sigma 4; CCMR 5; FIA A–49, 54; Mercatus 6. 104 AIMA 10–11; AIMA III 5; Barnard 2; Citadel 2; FIA A–48; Hudson Trading 3; KCG III 4–5; ICE 7; ICE III 4; ISDA 6; MFA 23; MFA III 3; MGEX 24– 25; MMI 5; Commercial Alliance 12; QIM 5; TraderServe 1; TT 7; Two Sigma 4–5. 105 Industry Group 6. 106 FIA A–54; Mercatus 6. 107 Hudson Trading 1–2; IAA 10; ICE 7; ISDA 6; ITI 2, 4; MMI 3; Commercial Alliance 12; Nadex 7; Two Sigma 2; Virtu 3; TT 4, 3 n.2; QIM 2. 108 LCHF 3; Mercatus 6; MFA 22, 24, 25; CTC 9– 10; IAA 10; CCMR 4–5; MMI 3–4; MMI III 2; Commercial Alliance 12; Chamber of Commerce III 2, 4–5; NIBA 2; QIM 5; TT 4; Two Sigma 2, 3, 6; Mercatus 6; AIMA 10; FIA A–52; Bloomberg 2–3; Citadel 2; SIFMA 16. 109 ITI 2; FIA A–46; MMI 4; MMI III 1–2; TT 4. 110 FIA A–47; MMI 2; TT 3–4. 111 MMI 2. 112 FIA A–47. 113 TT 4. 114 ITI 6; MMI 2; TT 5. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules Several commenters also posited that source code would be unintelligible to regulators,115 or that the CFTC lacked the resources to understand it.116 Several participants at the Roundtable suggested that it may be necessary to review log files in order to gain further context regarding trading activity under review.117 Participants indicated that a review of log files might assist in identifying a trigger for specific trading behavior such as market data, a change in parameters, or a component of source code.118 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS C. Substance of New Proposal Through this Supplemental NPRM, the Commission is proposing to replace NPRM § 1.81(a)(1)(vi) with Supplemental proposed § 1.84, entitled ‘‘Maintenance of records of Algorithmic Trading Source Code and related records.’’ 119 Supplemental proposed § 1.84 requires AT Persons to retain 115 Hudson Trading 1–2; MMI 2; TraderServe 2; ITI 6; MMI 2; TT 5–6. 116 ITI 5; Weaver 2. 117 KCG Holdings II, Roundtable Tr. 263:2–13 (one of the first items to look at when addressing a trading discrepancy would be ‘‘log files to see was it a data issue, incoming data issue, was it something that was part of the algorithm, was it a control that misfired. You’d look at the log data to see if there’s anything in there that would start to point you in a direction of where the issue might become. At that point in time you might bring in a developer to help walk through the code.’’); TT II, Roundtable Tr. 264:9–11 (noting that a developer would ‘‘probably comb through log files’’ to narrow down where a discrepancy occurred). 118 Optiver II, Roundtable Tr. 267:18–268:21 (describing ‘‘looking in the log file . . . to figure out . . . the trigger for . . . [an] order,’’ including whether it was ‘‘human interaction, . . . market data, a ‘‘change in parameters,’’ or ‘‘source code.’’). 119 The Commission notes that in addition to proposing new § 1.84 (addressing Algorithmic Trading Source Code) and § 1.85 (addressing use of third party systems or components), it has made several changes to proposed § 1.81. The Supplemental NPRM withdraws §§ 1.81(a)(1)(v) and (vi). Provisions relating to documenting the strategy and design of Algorithmic Trading software and maintenance of Algorithmic Trading Source Code are now contained in Supplemental proposed §§ 1.84 and 1.85. In addition, NPRM proposed § 1.81(a)(1)(ii) required testing of all Algorithmic Trading code and any changes to such systems. This language has been modified so that it is consistent with the Commission’s intent that the AT Person be required to test systems, not merely the source code related to such systems. The changes to the second sentence, resulting in the language in Supplemental proposed § 1.81(a)(1)(ii) that such testing shall be reasonably designed to effectively identify circumstances that may contribute to future Algorithmic Trading Events, are intended to improve clarity. The Commission deleted the provision’s final sentence, ‘‘Such testing must be conducted both internally within the AT Person and on each designated contract market on which Algorithmic Trading will occur.’’ The Commission has also withdrawn corresponding NPRM proposed § 40.21, which had required DCMs to provide test environments to AT Persons. Supplemental proposed § 1.81(a)(1)(ii) now provides discretion to the AT Person as to where testing should occur. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 three categories of records for a period of five years: (1) Algorithmic Trading Source Code; (2) records that track changes to Algorithmic Trading Source Code; and (3) log files that record the activity of the AT Person’s Algorithmic Trading system.120 These records would be required to be maintained in their native format. Supplemental proposed § 1.84 does not require that records be generated; rather, it only requires the retention of such records to the extent they are generated by an AT Person (or by a third-party on behalf of the AT Person) in the ordinary course of their business. It also requires that these records be kept in a form and manner that ensures the authenticity and reliability of the information contained in the records, and that AT Persons have systems available to promptly retrieve and display the records.121 Algorithmic Trading Source Code is defined broadly in Supplemental proposed § 1.3(ccccc), and is intended to capture the various types of code and related components used in connection with Algorithmic Trading. It includes computer code, hardware description language, scripts and formulas, as well as the configuration files and parameters used to carry out the trading.122 The term Algorithmic Trading Source Code should be construed broadly to encompass field-programmable gate array (‘‘FPGA’’) technology including the logic built onto chips or embedded in electronic circuits. Logic embedded in electronic circuits is sometimes referred to as ‘‘hardware description language (‘‘HDL’’). On the other hand, Algorithmic Trading Source Code does not include the underlying code to a program used to develop a formula or algorithm (i.e., Microsoft Excel). The Commission recognizes the confidentiality and value of Algorithmic 120 Commenters at the Roundtable recognized that in order to assess a trading discrepancy they would need to review their own log files and potentially the source code for their trading algorithms. KCG II, Roundtable Tr. 262:17–263:10; 267:18–268:21; TT II, Roundtable Tr. 264:3–20. 121 The Commission notes that Supplemental proposed § 1.84’s requirement that records be maintained in their ‘‘native format’’ is distinct from the proposed requirement that such records be maintained in a manner that ensures the ‘‘authenticity and reliability’’ of information contained in such records. The retention of a record in ‘‘native format’’ equates to a requirement that such record be retained in the same format as it was originally created. Authenticity and reliability, in contrast, address the accuracy of a record as genuine, unchanged iteration of the original. 122 Parameters include settings or variables that are relied on by an algorithm to make determinations in a system’s Algorithmic Trading. For example, parameters may include settings or variables impacting order type, order quantity, order price, order side, position size, number of orders, and duration of orders. PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 85349 Trading Source Code. Accordingly, the Commission has endeavored in this Supplemental NPRM to enhance the procedural protections afforded to Algorithmic Trading Source Code in the rule text and to expressly reference the statutory and regulatory provisions that protect all confidential information to which the Commission has access. As a threshold matter, the Commission emphasizes that Supplemental proposed § 1.84 makes Algorithmic Trading Source Code, change logs, and log files subject to recordkeeping requirements that are separate from the general recordkeeping provisions under § 1.31 of the Commission’s rules. Supplemental proposed § 1.84 also makes clear that these records are subject to section 8(a) of the Act.123 Section 8(a) prohibits the release of data or information that would disclose business transactions or market positions of any person and trade secrets or names of customers, and any data or information concerning or obtained in connection with any pending investigation of any person. Separately, confidential information received by Commission employees is also subject to § 140.735–5 of the Commission’s rules, which prohibits a Commission employee or former employee from disclosing, or causing or allowing to be disclosed, confidential or non-public commercial, economic or official information to any unauthorized person.124 The Commission also notes that Section 1905 of Title 18 specifically prohibits the disclosure of confidential information, including trade secrets, by all officers or employees of the United States and any department or agency thereof, including the CFTC. Violations of this statutory provision carry significant penalties, including fines, loss of employment, and imprisonment.125 Commission staff are 123 Section 8(a) of the Act, 7 U.S.C. 12(a). CFR 140.735–5. 125 See 18 U.S.C. 1905, which provides that whoever, being an officer or employee of the United States or of any department or agency thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law any information coming to him in the course of his employment or official duties or by reason of any examination or investigation made by, or return, report or record made to or filed with, such department or agency or officer or employee thereof, which information concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law; shall be fined under Title 18 of the United States Code, or imprisoned not more than one year, 124 17 E:\FR\FM\25NOP2.SGM Continued 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85350 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules annually trained on the prohibitions against disclosing confidential or nonpublic commercial, economic or official information, and specifically are provided with post-employment guidance regarding these prohibitions, in addition to other applicable ethics restrictions, prior to their departure from the Commission. Supplemental proposed § 1.84 sets out a procedure for requests for production or inspection of these records that requires Commission approval by means of a special call for the records. The Commission would also retain its existing authority to seek access to such records through a subpoena, which would typically be used in an enforcement matter. If the Commission approves a special call, it may authorize the Director of the Division of Market Oversight to execute the special call, and may also authorize the Director to specify the form and manner in which the required records must be produced. The Commission notes that Supplemental proposed § 1.84 does not alter any aspect of part 11 of the Commission’s rules relating to investigations. For clarity, Supplemental proposed § 1.84 provides that the records required by the section must also be available by subpoena issued pursuant to part 11 of the Commission’s regulations. Supplemental proposed § 1.84(a)(2) requires that AT Persons retain records tracking material changes to Algorithmic Trading Source Code, including a record of when and by whom such changes were made, when such records are generated in the ordinary course of business. The Commission notes that this new proposed rule does not require that such records be generated, but does require that they be maintained if they are generated in the ordinary course of business. Supplemental proposed § 1.84(a)(3) requires that AT Persons retain any logs or log files generated by the AT Person in the ordinary course of business that record the activity of the AT Person’s ATS, including a chronological record of such system’s actions. As noted above, this provision was added to address the concerns of some commenters that source code alone is insufficient to review trading activity of an AT Person, and the suggestion that log files may provide important context to a review of source code. The new proposal does not mandate the retention of specific log files or even the form or specific content of log files. The new or both; and shall be removed from office or employment. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 proposal simply requires that log files be retained to the extent such files are generated in the ordinary course of business. The Commission recognizes that various exchanges require persons with direct access to maintain audit trails with detailed information about trading activity.126 The Commission expects that log files will contain a similar level of detail and in some cases a greater level of detail than the electronic audit trails required by these exchanges. To the extent log files are generated, they must be maintained in a form and manner that ensures the authenticity and reliability of the information contained in the records. In addition, AT Persons must have systems available to promptly retrieve and display these records to the Commission in the event of a special call. D. Commission Questions 15. Please comment on whether, through Supplemental proposed § 1.84, the Commission has appropriately balanced its responsibility to oversee markets and market participants with the privacy and confidentiality concerns that market participants have raised with respect to access to Algorithmic Trading Source Code. 16. Please comment on the Commission’s determination to obtain access to Algorithmic Trading Source Code via special call, rather than have such access be governed by § 1.31. 17. Is the definition of ‘‘Algorithmic Trading Source Code’’ sufficiently clear to allow AT Persons to comply with the recordkeeping requirements in Supplemental proposed § 1.84? Which, if any, components of Algorithmic Trading systems should be added to the definition of Algorithmic Trading Source Code? Which, if any, should be excluded? 18. Are log files described in sufficient detail in the Supplemental NPRM? Please explain why or why not. 19. The NPRM’s Question 131 (NPRM at 78913) sought comment on NPRM proposed § 1.81(a)’s standards for the development and testing of Algorithmic Trading systems and procedures, including requirements for AT Persons to test all Algorithmic Trading code and related systems and any changes to such code and systems prior to their implementation. The Commission 126 For example, ICE Futures U.S. Rule 27.12A requires certain clearing members and direct access members to maintain electronic audit trials of electronic orders submitted through direct access connections. CME Rule 536.B.2. also requires an electronic audit trail for systems accessing the CME Globex platform through the CME iLink gateway. Both CME and ICE require the retention of these electronic audit trails for five years. PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 renews that question here as to Supplemental proposed § 1.84(a). Are any of the requirements of Supplemental proposed § 1.84(a) not already followed by the majority of market participants that would be subject to § 1.84(a) (or some particular segment of market participants), and if so, how much will it cost for a market participant to comply with such requirement(s). 20. If a firm uses FPGA or a similar technology, how would it record the design of the programming? 21. How do firms store or record configurations and parameters that impact their trading system? For example, are these components stored or recorded in their Algorithmic Trading Source Code or log files? 22. If a firm uses a chip or FPGA as a part of its ATS, how does it describe the records? V. Testing, Monitoring and Recordkeeping Requirements in the Context of Third-Party Providers A. Overview and Policy Rationale for New Proposal Regulation AT, as proposed in the NPRM, required AT Persons to comply with a number of standards regarding pre-trade risk controls and other measures; the development, testing and supervision of ATSs; and the retention and potential production of source code. In order to be effective, Regulation AT should be uniformly applied across the breadth of business arrangements that AT Persons may elect to pursue. As detailed below, commenters to the NPRM’s proposed rules noted that AT Persons whose ATSs are sourced in whole or in part from third parties face challenges in complying with certain elements of NPRM proposed §§ 1.80 and 1.81. The Commission has considered these comments and is sensitive to the concerns raised. However, the use of third-party systems should not exempt market participants from compliance with regulatory standards designed to increase the safety and soundness of Algorithmic Trading. The rules set forth in Supplemental proposed § 1.85 seek to strike an appropriate balance by permitting AT Persons to comply with certain elements of §§ 1.81 and 1.84 through a combination of certifications from their service providers, due diligence by the AT Persons and, in most cases,127 a retention of legal 127 As discussed below, Supplemental proposed § 1.85(d) requires that an AT Person is responsible for ensuring that records are retained and produced as required pursuant to Supplemental proposed § 1.84. A certification and due diligence alone will not satisfy an AT Person’s obligation to ensure that E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules responsibility for compliance with the rules by the AT Person.128 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS B. NPRM Proposal and Comments NPRM proposed § 1.81(a) required AT Persons to implement written policies and procedures for the development and testing of ATSs. Among other things, such policies and procedures must at a minimum include documenting the strategy and design of proprietary Algorithmic Trading software, as well as any changes to software that are implemented in a production environment, pursuant to NPRM proposed § 1.81(a)(v). NPRM proposed § 1.81(a)(vi) required an AT Person to maintain a source code repository, which included an audit trail of material changes to source code that would allow AT Persons to determine, for each such material change: Who made it; when they made it; and the coding purpose of the change. The source code was also required to be maintained in accordance with § 1.31. Comments received. Several commenters noted that AT Persons using third-party systems licensed or purchased from vendors or DCMs do not have access to the systems’ algorithmic code, and therefore would be unable to comply with the source code provisions.129 IAA identified this as an issue for registered CPOs and CTAs using an ISV’s or other third-party’s system,130 SIFMA identified it as an issue for asset managers,131 and AIMA identified it as an issue for buy-side participants. AIMA stated that requiring access and disclosure of third-party code, particularly best-execution algorithms, as provided in the NPRM, would cause third parties to stop providing software services to AT Persons.132 The Commercial Alliance also confirmed that the vast majority of its members use third-party source code provided by ISVs or DCMs.133 TT commented that the testing Algorithmic Trading Source Code is retained as required by Supplemental proposed § 1.84. 128 In the context of the Securities and Exchange Commission’s (‘‘SEC’’) Market Access Rule, 75 FR 69792 (Nov. 15, 2010), the SEC allows a brokerdealer relying on third-party technology or software to perform appropriate due diligence to assure that its controls and procedures are consistent with the rule. See SEC, Responses to Frequently Asked Questions Concerning Risk Management Controls for Brokers and Dealers with Market Access (Apr. 15, 2014) (Question 14), available at https:// www.sec.gov/divisions/marketreg/faq-15c-5-riskmanagement-controls-bd.htm. 129 FIA A–53; ISDA 5; CME 38; AIMA 11; AIMA III 5–6; IAA 11; Commercial Alliance 12; SIFMA 15; TT III 2. 130 IAA 11. 131 SIFMA 15. 132 AIMA 11. 133 Commercial Alliance 12. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 requirements under NPRM proposed § 1.81(a) should focus on the output of an ATS or software, rather than the underlying source code.134 At the Roundtable, Commission staff asked for industry comment regarding how such issues involving third-party providers should be addressed. Generally, industry participants stated that AT Persons lacked access to source code of third parties.135 Tethys commented that AT Persons exhibit a range of control over source code; 136 while some AT Persons may write their own code, others use off-the-shelf thirdparty software, and others may add additional controls to third-party software as necessary.137 TT stated that as a third-party provider, it did not provide its customers with access to its source code.138 Commission staff also asked for comment at the Roundtable on a potential approach where AT Persons would obtain certifications from third parties regarding development requirements and would conduct due diligence. TT said that because it provides customers with the opportunities to test algorithms built using its software,139 it would be unnecessary and burdensome to require AT Persons to obtain certifications from third-party providers.140 AQR, Tethys, and TT argued that it would be difficult to fairly impose a certification requirement.141 ABN AMRO and Tethys commented that AT Persons may not have the necessary expertise to perform extensive due diligence regarding software code.142 ABN AMRO said that customers would not want to have access to source code.143 In addition, TT stated that the Commission can understand how technology functions without seeing source code.144 C. Substance of New Proposal The NPRM comments discussed above cite potential compliance challenges when AT Persons obtain their ATSs, in whole or in part, from third-party providers. Accordingly, this 134 TT III 1. II, Roundtable Tr. 236:2–14; TT II, Roundtable Tr. 216:22–217:1–3, 250:9–13; ABN AMRO, Roundtable Tr. 249:4–10. 136 Tethys II, Roundtable Tr. 236:2–14. 137 Tethys II, Roundtable Tr. 236:2–14. 138 TT II, Roundtable Tr. 216:22–217:1–3. 139 TT II, Roundtable Tr. 237:17–238:6. 140 TT II, Roundtable Tr. 238:7–239:3. 141 AQR, Roundtable Tr. 240: 15–2, 242:17– 243:19; Tethys II, Roundtable Tr. 240:4–14; TT II, Roundtable Tr. 239:4–15. 142 ABN AMRO, Roundtable Tr. 245:12–246:14; Tethys II, Roundtable Tr. 247:18–249:3. 143 ABN AMRO, Roundtable Tr. 249:4–10. 144 See TT II, Roundtable Tr. 250:14–252:7; TT III 2–3. 135 Tethys PO 00000 Frm 00019 Fmt 4701 Sfmt 4702 85351 Supplemental NPRM proposes an alternative framework for AT Persons to comply with their obligations related to the development and testing of ATSs, and for the retention and production of Algorithmic Trading Source Code and related records. Specifically, Supplemental proposed § 1.85 allows AT Persons who, due solely to their use of third-party system or components, are unable to comply with a particular development or testing requirement (NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed §§ 1.81(a)(1)(ii) or 1.84) 145 or a particular maintenance or production requirement related to Algorithmic Trading Source Code and related records (Supplemental proposed § 1.84), to comply with such proposed regulatory obligations by satisfying two requirements: (i) Obtaining a certification that the third party is complying with the obligation; and (ii) conducting due diligence regarding the accuracy of the certification.146 While obtaining such certifications and conducting due diligence as to their accuracy may still be challenging for some AT Persons, the Commission has determined that such requirements, at this stage, appear more practical compared to the NPRM’s proposal that AT Persons themselves comply with all NPRM § 1.81 requirements. The Commission believes that the certification and due diligence requirements present a workable alternative that will ensure that all AT Persons—regardless of whether they develop their own ATSs, or use the systems of a third party—are subject to the same standards. 145 These subsections were also proposed in the NPRM, although this Supplemental NPRM proposes several changes to the text of § 1.81(a)(1)(ii). 146 The Supplemental NPRM provides flexibility and does not set forth the means by which due diligence must be conducted. The Commission expects that due diligence may take a variety of forms, all of which can potentially be effective in helping AT Persons fulfill their regulatory obligations pursuant to Supplemental proposed § 1.85. Due diligence may include, for example, a combination of (1) information gathering, including with respect to prevailing best practices and a third party’s own practices; (2) on-site inspection; (3) communications between the AT Person and its third-party provider, including in writing, in person, via email, and telephone or video; and (4) review and evaluation of files, documents, and other information gathered. The Commission offers this list by way of example only, and notes that each AT Person should arrive at its own determination regarding an appropriate due diligence process. The Commission encourages each AT Person making use of Supplemental proposed § 1.85 to perform such diligence as is necessary for the AT Person to have comfort that the underlying substantive regulatory requirements are being met. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85352 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules Supplemental proposed § 1.85(d) requires that, in all cases, an AT Person is responsible for ensuring that records are retained and produced as required pursuant to Supplemental proposed § 1.84.147 In other words, an AT Person’s certification and due diligence will establish that it has complied with testing obligations pursuant to NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed § 1.81(a)(1)(ii), but certification and due diligence alone will not satisfy an AT Person’s obligation to ensure that Algorithmic Trading Source Code is retained and produced as required by Supplemental proposed § 1.84. Even where an AT Person obtains a certification and conducts due diligence with respect to a third party’s obligations, the AT Person will remain responsible for ensuring that Algorithmic Trading Source Code retention and production requirements are met. For example, if the Commission were to issue a special call or a subpoena to an AT Person for the production of Algorithmic Trading Source Code maintained by a third party, the AT Person would be responsible for complying with the Commission request, regardless of the certification or the due diligence performed by the AT Person. Such compliance could be achieved by making sure that the third party produced the required records, but a failure by the third party to produce such records would not relieve the AT Person of its own obligations. Pursuant to the Commission’s Supplemental proposal, AT Persons may not rely on § 1.85 for any element of §§ 1.81(a)(1) and 1.84 with which they have the ability to comply. For example, an AT Person who uses a combination of third-party and internally developed ATS components would be expected to comply with NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), and Supplemental proposed §§ 1.81(a)(1)(ii) and 1.84 for all such components that the AT Person itself develops or modifies. The Commission also notes that Supplemental proposed § 1.85 provides an alternative means of compliance in circumstances where the use of a third-party system or component is the sole reason why an AT Person cannot otherwise comply with its obligations. Although an AT Person may be motivated to make use of Supplemental proposed § 1.85 for 147 The proposed rules do not require that the certifications be filed with the Commission. However, the certifications would be subject to § 1.31 recordkeeping requirements. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 reasons of potential costs or administrative ease, such considerations are not permissible rationales for use of Supplemental proposed § 1.85. In many cases, the Commission expects that AT Persons and third parties will each have developed different portions of an ATS. If an AT Person develops an algorithm using third-party software, the AT Person would remain responsible for development and testing requirements with respect to the algorithm, and for the retention and production of Algorithmic Trading Source Code and related records requirements for that algorithm. Further, whether a thirdparty certification is appropriate under Supplemental proposed § 1.85 may depend on the amount of control the AT Person has over the development of algorithms it employs. If the AT Person, for example, has a limited ability to affect or modify an algorithm, then the Commission expects that the AT Person would comply with NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), and Supplemental proposed §§ 1.81(a)(1)(ii) and 1.84 by obtaining a certification and conducting due diligence pursuant to Supplemental proposed § 1.85. However, the Commission notes that as to Supplemental proposed § 1.84 requirements, the AT Person remains responsible for compliance with Algorithmic Trading Source Code retention and production requirements are met. The Commission expects that the certifications required by Supplemental proposed § 1.85 would, at a minimum, list the specific regulatory obligations that the third party is certifying compliance with, describe the component of the ATS at issue (or the whole system, if applicable), and explain how such component or system complies with the regulatory obligation. The Commission recognizes that some system components may be standard products offered to multiple customer trading firms, and others may be custom-designed for one customer trading firm. With respect to standard products, the third party’s certification may take the same form for multiple customers. Supplemental proposed § 1.85(b) requires that the AT Person must obtain a certification each time there has been a material change to such third-party provided systems or components. Accordingly, there is no specific periodic deadline for certification; rather, the third party must only recertify when there has been a material change. The Commission intends that the due diligence requirement imposed PO 00000 Frm 00020 Fmt 4701 Sfmt 4702 by Supplemental proposed § 1.85(c) includes an obligation on AT Persons to determine whether a material change to third-party provided systems or components has occurred. The Commission understands that AT Persons who use third-party system components or Algorithmic Trading Source Code may not have the same level of development and testing expertise as third-party providers who routinely develop such systems or code. Accordingly, the due diligence required to be performed by the AT Person under Supplemental proposed § 1.85(c) is limited to the accuracy of the certification. Due diligence may require the involvement of technology support staff from the AT Person, but detailed technical audits are not required on behalf of the AT Person with respect to Supplemental proposed § 1.85(c). D. Commission Questions 23. The Commission invites comment on all aspects of Supplemental proposed § 1.85. 24. Should the requirements for AT Persons who develop their own systems and code differ from requirements imposed on AT Persons that use systems or components provided by a third party? If so, how should the requirements be different, while continuing to ensure a consistent baseline of effectiveness in the development and testing of ATSs? 25. What specific steps should AT Persons take when conducting due diligence of the accuracy of a certification from a third party, as required by Supplemental proposed § 1.85? Should proposed § 1.85(c) provide greater detail with respect to such due diligence? For example, should due diligence be required to specifically include review of technical design information, testing protocols and test results, documented dialogue between staff of the AT Person and the third party, or other measures? 26. Supplemental proposed § 1.85(b) requires that the AT Person must obtain a certification each time there has been a material change to third-party provided systems or components. What is a reasonable estimate as to the average frequency of such material changes? Should the Commission base the certification requirement on another timing metric? E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules VI. Changes to Overall Risk Control Framework A. Change From Three Level to Two Level Risk Control Framework asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 1. Overview and Policy Rationale for Proposal In the NPRM, the Commission sought to take a principles-based approach to addressing the potential risks associated with Algorithmic Trading.148 NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20 imposed pre-trade risk control and other requirements, such as order cancellation systems, at three points in the order submission and execution chain: AT Persons, FCMs and DCMs. The NPRM approach proposed to allow the relevant entity—AT Person, FCM, or DCM— discretion in the design and parameters of such controls. In general, while some commenters supported the multilayered approach described above, numerous commenters viewed the framework as unnecessarily redundant and prescriptive. Accordingly, the Commission in this Supplemental NPRM proposes a risk control framework with controls at two, rather than three, levels: (i) AT Person or FCM; and (ii) DCM. The Commission believes that this structure still achieves the goal of protecting market integrity, while simultaneously reducing the complexity of the risk controls and overall costs of compliance. By requiring two levels of risk controls, mistakes or omissions made at one level will have a backstop, potentially mitigating the possibility of a trading disruption. Because the unexpected or disruptive behavior of an algorithm would affect other market participants at the DCM level, thus leading to potential system risk, the Commission is requiring DCM controls for all electronic orders, regardless of source. The second set of controls may be implemented at either the AT Person or the FCM level, depending on whether an order is originated by AT Person or non-AT Person market participant. In addition, under specific circumstances, AT Persons will have discretion to delegate certain of their pre-trade risk control functions to an FCM, if they so choose. The Supplemental proposed rules continue to provide discretion in how entities design and calibrate the controls. Further, as discussed below, the Commission has revised the rules to allow greater flexibility for AT Persons, FCMs and DCMs to determine the level of granularity at which controls are set. 2. NPRM Proposal and Comments As discussed above, NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20 imposed risk control and similar requirements, such as order cancellation systems, at three levels: the AT Person, FCM and DCM. Comments Received. The Commission received numerous comments on the proposed risk control structure during the Initial Comment Period, the Second Comment Period, and at the Roundtable. As discussed in more detail below, some commenters during the Second Comment Period and at the Roundtable suggested a two-level structure instead of the three level structure proposed in the NPRM. For example, the Industry Group suggested a framework in which responsibility for implementing appropriate pre-trade risk controls lies either (i) with the FCM registrant that is facilitating access to the DCM, or (ii) in the case of a market participant that is not trading through the risk controls of an FCM, with that participant. Industry Group further stated that in both cases, the pre-trade risk controls must be supplemented by DCM-provided risk controls configured by the member of the DCO that grants access to the DCM.149 CME suggested a similar approach, commenting that: ‘‘Two layers of market risk controls would apply to all Algorithmic Trading orders. The first layer would be administered by either an AT Person or the gatekeeper clearing member, and could be developed internally or obtained from an independent third-party source (such as the DCM or a software provider). The second layer would be developed and administered by the DCM.’’ 150 The framework proposed in this Supplemental NPRM involves a similar two-level approach, which is intended to address the complexity and cost concerns expressed by Industry Group, CME and other commenters. Further, some commenters supported expanding risk controls requirements to all electronic orders, rather than applying controls to only algorithmic trading orders. For example, the Industry Group stated that ‘‘all electronic trading must be subject to pre-trade and other risk controls administered by a CFTC registrant that are appropriate to the nature of the activity.’’ 151 ICE stated that ‘‘all market participants that engage in electronic trading on a DCM should maintain . . . risk controls, regardless of how market participants access a DCM or whether the market participants engage in 149 Industry Group 8. III 9–10. 151 Industry Group 8. 150 CME 148 See NPRM at 78837–78839. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 PO 00000 Frm 00021 Fmt 4701 85353 algorithmic trading.’’ 152 The Commission has addressed such comments by expanding the scope of the risk control requirements to include Electronic Trading. Further detail on the addition of Electronic Trading to Regulation AT’s risk control framework is discussed below in Section VI(B), and discussion of the relevant new definitions related to such changes is provided in Section VI(C). Numerous commenters opposed the NPRM’s proposed three-level approach to risk controls or otherwise characterized it as a ‘‘one size fits all’’ model. Specifically, FIA, CME, ICE, MFA, Nadex, NIBA, SIFMA and Mercatus indicated that the multiple layers of risk controls across the market—at the AT Person, clearing member FCM, and DCM levels—are too prescriptive, duplicative, costly and inefficient.153 FIA, CME, OneChicago, LCHF and QIM commented that Regulation AT’s required duplication of risk controls across the lifecycle of a trade actually introduces risk.154 CME, MFA, SIFMA and NIBA characterized the proposed rules as a ‘‘one size fits all’’ model that doesn’t appropriately take into account the different types of automated systems, business, or operational size of market participants.155 FIA did not support requiring every market participant to implement its own risk controls; rather, such controls could be provided by FCMs or DCMs.156 In contrast, other commenters supported the multi-layered approach (either fully or with reservations that the approach could create some risks), or supported more centralized controls at the FCM and DCM levels. Specifically, IATP supported a multi-layered approach to risk controls and believed it will mitigate the risks of algorithmic trading.157 In addition, AIMA supported the principle that risk controls are to be maintained at three levels—the exchange, the clearing member and the trading firm.158 LCHF also recommended a three-level structure for risk controls.159 Virtu generally 152 ICE III 2. 5; CME 6, A–14; ICE 8; Mercatus 4–5; MFA 4–5; Nadex 3; SIFMA 20; NIBA 1. 154 FIA 7, A–25; CME A–11; OneChicago 3; LCHF 2–3; QIM 2. 155 CME A–11; MFA 2, 4; SIFMA 20; NIBA 1. 156 FIA 4, A–24. 157 IATP 7. 158 AIMA 7. 159 LCHF 2–3. LCHF recommended a structure with risk controls at (1) the trading participant level, requiring all the proposed § 1.80 controls, which should be adopted at the most granular level and tailored to the particular trading technology used by the market participant; (2) the FCM/broker 153 FIA Continued Sfmt 4702 E:\FR\FM\25NOP2.SGM 25NOP2 85354 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS supported a multi-layered approach to risk controls as well, but warned of potential risks if the multiple controls are applied or calibrated independently, since market participants may not be able to predict which orders will reach the order book and which may be screened by a ‘‘downstream’’ risk layer.160 Similarly, MFA and LCHF acknowledged that multiple risk filters across different entities may reduce the probability that a wrong message reaches the market, but stated that such redundancy may be inefficient or increase complexity and possible errors if the risk parameters are not coordinated properly.161 Several commenters supported centralizing controls at the DCM and FCM levels. AIMA stated that DCMs should play a central role in maintaining risk controls internally and through mandates upon their FCMs, and believed that DCMs and FCMs should have the principal obligations to protect the stability of DCM markets.162 Similarly, MFA commented that the Commission should require centralized pre-trade risk controls at DCMs and clearing member FCMs, and that the proposed § 1.80 risk controls should be applied at the DCM level and the clearing member FCM level.163 MFA indicated that this would ensure that all orders go through the same set of controls.164 MFA further commented that the general infrastructure for such a centralized approach already exists, given that DCMs provide clearing FCMs with controls to manage risk with respect to clients, and that this structure would be more transparent and easier for regulators to oversee and enforce.165 During the Second Comment Period, the Commission received additional comments on the proposed risk control structure. The Industry Group proposed the following two-level structure. Rather than defining ‘‘AT Person,’’ the Commission should require pre-trade risk controls on all electronic orders. Orders from market participants leveraging FCM-administered systems, including those provided by third parties, may use pre-trade risk controls administered by the FCM.166 Market participants not using FCMlevel, requiring order size, position and margin controls; and (3) the DCM level, continuing the adoption of existing controls, such as kill switch or self-trade prevention, with no further risk filter imposed on market participants. 160 Virtu 2. 161 MFA 5–6; LCHF 2–3. 162 AIMA 2, 7, 12. 163 MFA 2, 5–6, 10. 164 MFA 2, 5–6, 10. 165 MFA 2, 5–6, 10. 166 Industry Group 4–5. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 administered risk controls must apply risk controls to their own orders.167 In both cases, the pre-trade risk controls must be supplemented by DCMprovided risk controls configured by the member of the DCO that grants access to the DCM.168 CME suggested a similar two-layer approach for all Algorithmic Trading orders, commenting that the first layer ‘‘would be administered by either an AT Person or the gatekeeper clearing member’’ and the second layer ‘‘would be developed and administered by the DCM.’’ 169 MFA also commented that it supports risk controls at both the DCM and the FCM providing trading access.170 MFA also supported ‘‘a regulatory framework where a market participant could choose to implement the Commission’s required marketplace risk controls in lieu of going through an FCM’s risk controls, and be subject to Commission oversight.’’ 171 AIMA commented that the principal role in application of risk controls should be played by the DCMs—as the owners of the relevant markets—and FCMs—as the gatekeepers to the relevant markets.172 AIMA stated that ‘‘both parties are best placed to understand and enforce the relevant controls and testing obligations.’’ 173 Sutherland commented that as an alternative to the NPRM’s proposed framework, DCMs under Part 38 core principles should establish and oversee pre-trade risk and other control requirements applicable to AT Persons. Sutherland stated that DCMs have the expertise and are best positioned to implement and enforce the use of controls to mitigate risks on their markets.174 Hartree also emphasized the importance of DCMs in implementing risk controls, stating that ‘‘DCMs are very well suited to not only police these markets, but also to . . . administer CFTC’s rules and regulations as SROs.’’ 175 Hartree suggested a framework in which AT Persons are divided into three categories based on the risk they pose to the market: Category 1 Risk (very little risk, including persons who do not use DEA or who use FCMs to access the DCM); Category 2 Risk (some increased risk, including persons who use DEA and algorithmic trading); and Category 3 Risk (enhanced risk, including persons Fmt 4701 at 6. 177 Hartree 178 ICE 6–7. III 2. 179 Id. III 2. at 5. 182 JPMorgan, Roundtable Tr. 171:11–172:17; ABN AMRO, Roundtable Tr. 175:16–176:176:17; Deutsche Bank, Roundtable Tr. 193:10–14. 183 Virtu II, Roundtable Tr. 177:1–13; Hartree, Roundtable Tr. 185:4–15. 184 CME II, Roundtable Tr. 177:18–178:7. 185 Hudson Trading, Roundtable Tr. 187:10– 188:1. Group 5. Group 8. 169 CME III 9–10. 170 MFA III 2. 171 MFA III 2. 172 AIMA III 4. 173 Id. 174 Sutherland 7. 175 Hartree 8. 181 Id. 168 Industry Frm 00022 176 Id. 180 MGEX 167 Industry PO 00000 who can cause significant market disruption, e.g., a flash crash).176 Third parties such as the FCM and DCM would administer risk controls for Category 1. The trading firm itself and DCM would administer risk controls for Category 2. Enhanced risk controls would apply to Category 3.177 ICE commented that ‘‘all market participants that engage in electronic trading on a DCM should maintain . . . risk controls, regardless of how market participants access a DCM or whether the market participants engage in algorithmic trading.’’ 178 ICE further stated that the Commission ‘‘should not mandate the same risk control requirements across DCMs, FCMs and AT Persons.’’ 179 Similarly, another exchange, MGEX, commented that ‘‘DCMs, FCMs, and market participants should all have some level of responsibility over the development, deployment, and use of pre-trade risk controls. Each market participant needs to have pre-trade risk controls applied to electronically submitted orders, but how that is accomplished should depend on the circumstances.’’ 180 MGEX stated that the Commission should take a principles-based approach to risk controls at the DCM, FCM, and market participant level.181 At the Roundtable, Commission staff asked for industry comment on a potential approach where three levels of risk controls remain but FCMs—not the Commission—impose pre-trade risk control and other requirements on their AT Person customers. Generally, industry participants disagreed with this approach. For example, industry participants expressed concern over cost and burden to FCMs.182 In addition, Virtu and Hartree indicated that certain trading firms prefer to implement their own controls, rather than allow FCMs to continuously oversee whether trading firms have adequate controls on their order flow.183 CME expressed the view that each and every market participant should be responsible for its order flow.184 Hudson Trading suggested that such an approach had potential for an un-level playing field, with different FCMs applying different standards.185 Sfmt 4702 E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Instead, industry participants were more supportive of a two-level approach to risk controls. Tethys described a ‘‘two factor’’ model with the first layer at the DCM and the second layer at the level of who has control of the order being submitted to the DCM.186 At the second layer, the entity with control of the order would be the clearing broker, the executing FCM, or a firm that connects directly to the DCM. Tethys indicated that this approach would reduce costs and the number of entities subject to the regulation.187 Hudson Trading also expressed support for a potential two layer approach, with the DCM as one layer.188 JPMorgan stated that ‘‘the two layers of control can be easily crystalized as the matching engine, and the wall around the matching engine that’s run by the DCM, and those who implement the interface that’s provided by the DCM.’’ 189 With respect to the risk control framework, commenters also addressed the levels at which the NPRM proposed rules required the controls to be set, and expressed particular concern that FCMs and DCMs would be unable to comply with NPRM proposed §§ 1.82, 38.255 and 40.20 at the levels of granularity required by those rules. As to NPRM proposed § 1.82, FIA indicated that the level of granularity which controls are set should be left to FCM discretion and that compliance with NPRM § 1.82, as proposed, would require FCMs to develop additional technology.190 As to NPRM proposed § 38.255, FIA, CBOE, CME, OneChicago and ICE disagreed with the proposal as to the levels at which DCMs must offer the controls to FCMs.191 FIA indicated that DCMs do not have sufficient information to set controls at the market participant level.192 In addition, FIA stated that DCM order size limits are set at the highest level of access and not by market participant or account number, and the higher level is meant as a ‘‘last back stop’’ to prevent unintentionally blocking orders already controlled at the market participant or FCM level.193 CBOE believed that a DCM should set maximum controls at the clearing firm level and at the level of AT Person with DEA, rather than aggregating risk controls for AT Persons with DEA across multiple clearing firms.194 CBOE indicated that its system allows clearing firms to set controls for customers, and that clearing firms are not responsible for an order for which another clearing firm is designated for that customer.195 CBOE further indicated that requiring DCMs to build controls at a more granular level than clearing firm level and AT Person with DEA level would be difficult and cumbersome, because the DCM does not have a direct relationship with participants that do not have DEA.196 CME stated that DCMs generally do not have the ability to provide risk controls to clearing FCMs that can be set at the AT Person, product, account number or designations, and one or more identifiers of natural persons associated with an AT Order Message.197 OneChicago indicated that requiring risk controls for each different product would be a substantial burden and may increase the possibility of a disruption event.198 ICE opposed NPRM proposed § 38.255 mandating the specific levels at which a DCM is required to offer risk controls.199 As to NPRM proposed § 40.20, FIA, CME, MGEX, CBOE and OneChicago opposed requiring DCM controls to be set at the AT Person or market participant level.200 FIA stated that DCMs should not implement the NPRM proposed §§ 1.80 and 1.82 risk controls at the same level of granularity that is expected of market participants and FCMs.201 Rather, FIA asserted that DCMs should implement controls that apply across all orders and that protect the overall quality of the market.202 CME stated that the DCM’s controls should be set at the ‘‘direct connect’’ or the particular market level.203 CBOE indicated that requiring DCMs to build controls at levels more granular level than clearing firm and AT Person with DEA would be difficult and cumbersome, because the DCM does not have a direct relationship with participants that do not have DEA.204 Similarly, OneChicago believed that DCMs should be able to establish controls at the FCM level, but also believed that DCMs must have discretion in terms of the level at which controls should be applied.205 195 Id. 196 Id. 186 Tethys, Roundtable Tr. 37:11–38:8. 187 Tethys, id. at 38:1–40:7. 188 Hudson Trading, id. at 189:8–190:5. 189 JPMorgan, Roundtable Tr. 47:22:48:5. 190 FIA A–36. 191 Id. at A–38, 40; CBOE 3; OneChicago 4; ICE 9. 192 FIA A–38. 193 FIA A–40. 194 CBOE 3. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 197 CME 19, A–32. 4. 199 ICE 9. 200 FIA A–38; CME 18–19, A–32.; MGEX 7; CBOE 3; OneChicago 5. 201 FIA A–43. 202 Id. 203 CME A–14. 204 CBOE 3. 205 OneChicago 5. 198 OneChicago PO 00000 Frm 00023 Fmt 4701 Sfmt 4702 85355 3. Substance of New Proposal In light of comments received during the comment periods, including at the Roundtable, the Commission has revised the overall framework for risk controls and other measures required pursuant to NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM proposes a framework with two, rather than three, levels of risk controls: (1) At the AT Person or FCM level, and (2) at the DCM level. With respect to algorithmic orders originating with AT Persons (i.e., AT Order Messages), the NPRM required all AT Persons to implement the risk controls and other measures required pursuant to § 1.80. By contrast, the Supplemental NPRM requires AT Persons to implement those risk controls, but would also permit AT Persons to delegate compliance with § 1.80(a) to FCMs, as discussed below. The Supplemental NPRM also requires that AT Persons implement pre-trade risk controls on their Electronic Trading Order Messages similar to those required by § 1.80(a).206 In addition, pursuant to the Supplemental NPRM, FCMs are not required to implement risk controls on AT Order Messages that are subject to AT Person-administered controls. AT Order Messages and Electronic Trading Order Messages originating from AT Persons would instead be subject to a second level of risk controls at the DCM level pursuant to Supplemental proposed § 40.20. Electronic orders originating with a non-AT Person are subject to risk controls implemented by executing FCMs pursuant to Supplemental proposed § 1.82. Those orders are subject to the second level of risk controls at the DCM level pursuant to Supplemental proposed § 40.20. Prompted by some commenters’ concern that a three-layer structure may be redundant, the Commission has determined to propose this two-layer structure. The Commission particularly took into account commenters’ opinion that multiple controls, if applied or calibrated independently, may cause market participants to be unable to predict which orders will reach the order book, increasing rather than mitigating market risk. The Commission also carefully considered the Roundtable comments indicating support for a two-level approach. The Commission believes that two levels of risk control are beneficial, both to provide a backstop to a malfunction 206 See Supplemental proposed § 1.80(g)(2) and (g)(3). AT Persons would also be permitted to delegate compliance with § 1.80(g) risk controls to their FCMs. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85356 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules or other failure at one level, and because different levels of the order submission chain often monitor different characteristics of the risk associated with an order. For instance, an FCM may be more capable of determining whether an individual order would breach the risk limits of the AT Person or the clearing firm guaranteeing a potential trade; in contrast, a DCM may be more likely to identify orders that could lead to price dislocations in a given product, or that would lead to market instabilities affecting all market participants. The Commission also recognizes that trading firms are in the best position to understand their own systems, technology, and trading strategies, and that they are best positioned to prevent and reduce the potential risk of certain types of risk. Accordingly, the Commission proposes that certain trading firms—i.e., AT Persons—implement their own pretrade risk controls and other measures pursuant to Supplemental proposed § 1.80.207 The Commission has also revised the proposed risk control rules to provide greater flexibility regarding the level of granularity at which risk controls must be set. Previously, the controls proposed in NPRM §§ 1.80, 1.82, 38.255 and 40.20 were required to be set at the AT Person level, or other more granular levels the AT Person, FCM or DCM determined appropriate, including by product, account number or designation, or one or more identifiers of natural persons associated with an AT Order Message. In this Supplemental NPRM, the Commission intends to increase the flexibility and decrease the burden on AT Persons, FCMs and DCMs in terms of the level of granularity at which controls must be set. Specifically, Supplemental proposed §§ 1.80(a)(2) 1.82(a)(2), 38.255(b)(1)(ii) and (2), and 40.20(a)(2) now require controls to be set at a level or levels of granularity which shall include, as appropriate, the level of each firm, product, account number or designation, or one or more identifiers of the natural persons or the order strategy or ATS associated with an AT Order Message or Electronic Trading Order Message (new terms related to Electronic Trading are discussed in Section VI(C) below).208 By ‘‘as appropriate,’’ the Commission means 207 Supplemental proposed § 1.80(d) and (g) permit AT Persons to delegate compliance with § 1.80(a) to FCMs. 208 Supplemental proposed §§ 1.80(a)(2) 1.82(a)(2), 38.255(b)(1)(ii) and (2), and 40.20(a)(2) are amended from the NPRM proposal to incorporate ‘‘order strategy’’ or ‘‘ATS’’ as potential levels of granularity where risk controls may appropriately be set. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 such level or levels of granularity as are technologically feasible and reasonably effective at preventing and reducing the potential risk of an Electronic Trading disruption. The proposed rules do not require AT Persons, FCMs or DCMs reorganize their trading infrastructure or develop new technologies solely to ensure that controls are implemented at each of the potential levels enumerated in Supplemental proposed §§ 1.80(a)(2) 1.82(a)(2), 38.255(b)(1)(ii) and (2), and 40.20(a)(2). Rather, as implementation of controls at each such level becomes technologically feasible, AT Persons, FCMs and DCMs should update their practices to optimize the placement of their risk controls at the most effective level. 4. Commission Questions 27. Will two levels of risk controls sufficiently prevent and reduce the potential risks of algorithmic and electronic trading? If there is any element of the revised proposed risk control framework that is not feasible or will not sufficiently address the risks of algorithmic and electronic trading, please explain. B. Electronic Trading at the AT Person, FCM, and DCM Levels 1. Overview and Policy Rationale for New Proposal The Commission proposes to amend NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20 so that the risk control and order cancellation provisions applicable to AT Persons, FCMs, and DCMs now apply to Electronic Trading,209 rather than only to Algorithmic Trading. As a result, a larger number of orders would be subjected to two levels of risk controls, a change that addresses comments that all electronic trading, not only Algorithmic Trading, has the potential to cause market disruption. 2. NPRM Proposal and Comments The NPRM proposed that AT Persons and FCMs must apply risk controls to AT Order Messages (see NPRM proposed §§ 1.80, 1.82, and 38.255). In addition, NPRM proposed § 40.20 required that DCMs ‘‘implement pretrade and other risk controls reasonably designed to prevent an Algorithmic Trading Disruption’’ or similar disruption that results from manual or other non-algorithmic order entry, though the general focus of the risk controls was on AT Order Messages. Comments Received. Several commenters suggested requiring that all electronic trading (not just Algorithmic 209 The proposed new defined term ‘‘Electronic Trading’’ is discussed in Section VI(C) below. PO 00000 Frm 00024 Fmt 4701 Sfmt 4702 Trading) be subject to risk controls. FIA, ICE, and MGEX all supported applying risk controls to all electronic trading, and indicated that DCMs are best suited to implement certain controls.210 FIA stated that all electronic trading has the potential to disrupt markets and should be subject to pre-trade and other risk controls reasonably designed to mitigate market disruption, regardless of the registration status of the person or entity trading.211 Similarly, ICE commented that there is potential for all persons trading electronically to impact a market, and all market participants have a responsibility to implement risk controls.212 ICE commented that some algorithmic traders submit orders across multiple clearing firms throughout a trading session.213 Therefore, DCMs are better suited to administer certain risk controls—including order throttling and price collars—than trading firms and the FCM.214 Another exchange, MGEX, commented that all orders submitted electronically should be subject to pretrade risk controls, regardless of how the order accesses the matching engine.215 MGEX recommended that any order that is electronically submitted must go through pre-trade risk controls at some stage before it reaches the matching engine, and that some controls must, at a minimum, reside at the matching engine.216 MGEX suggested that this would avoid the need for defined terms, better achieve the Commission’s objective, and would provide the public with enhanced clarity.217 MGEX further stated that market participants should develop their own controls where they use trading technology that has direct market access and the DCM-provided controls would not prevent or mitigate market disruption risk.218 Commenters further addressed this issue during the Second Comment Period. The Industry Group commented that ‘‘all electronic trading must be subject to pre-trade and other risk controls administered by a CFTC registrant that are appropriate to the nature of the activity.’’ 219 The Industry Group suggested a framework in which the responsibility for implementing risk controls lies either with the FCM facilitating electronic access to the DCM, or with the market participant, if 210 FIA 4, 7, A–24; ICE 2, 5; MGEX 2, 6–7. 4, 7, A–24. 212 ICE 5. 213 Id. 214 Id. 215 MGEX 2, 6. 216 Id. at 6. 217 Id. at 2, 6–7. 218 Id. at 12. 219 Industry Group 8. 211 FIA E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules it is not trading through the risk controls of an FCM.220 Similarly, ICE reiterated its position that all market participants that engage in electronic trading should maintain appropriate pre-trade and other risk controls, regardless of how they access the market or whether they engage in algorithmic trading. ICE further stated that limiting mandatory risk controls to AT Persons complicates the proposal and does not enhance oversight of algorithmic trading activity.221 MGEX stated that ‘‘each market participant needs to have pretrade risk controls applied to electronically submitted orders, but how that is accomplished should depend on the circumstances.’’ 222 Finally, CME commented on the NPRM’s proposed standards regarding whether AT Persons, FCMs and DCMs must ‘‘prevent’’ or must ‘‘mitigate’’ an Algorithmic Trading Disruption or similar disruption are inconsistent. CME stated that the preamble indicates that risk controls only need to ‘‘mitigate’’ risk, while the rule text requires that AT Persons and DCMs both mitigate and ‘‘prevent’’ risk.223 Further, proposed § 1.82 provides that clearing member FCM controls must ‘‘prevent or mitigate’’ an Algorithmic Trading Disruption.224 CME stated that Regulation AT should only require AT Persons, clearing FCMs and DCMs to mitigate, not prevent, disruptions arising from algorithmic trading.225 CME further stated that it is impossible to prevent every possible disruption caused by algorithmic trading, and therefore the standard should be mitigation, not prevention.226 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 3. Substance of New Proposal In light of the above comments supporting the implementation of risk controls on all electronic orders, the Commission has amended the requirements of NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20. Pursuant to the Supplemental proposed rules, AT Persons’ risk control obligations would be expanded to include not only Algorithmic Trading, but also Electronic Trading (in Supplemental proposed § 1.80(g)). In the case of FCMs and DCMs, however, the Supplemental proposed rules shift the focal point of risk control from Algorithmic Trading to Electronic 220 Id. 221 ICE 2 III. 2 III. 223 CME 4–5, 22–26. 224 Id. at 24–25. 225 Id. at 23, 26. 226 Id. at 23; CME III 3. 222 MGEX VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Trading.227 More specifically, Supplemental proposed §§ 1.82 and 38.255 requires FCMs to implement risk controls and other measures on all Electronic Trading Order Messages not originating with an AT Person. Supplemental proposed § 40.20 requires that DCMs implement risk controls on all Electronic Trading Order Messages, regardless of their source. As a whole, the Commission’s revised risk control framework addresses concerns regarding market disruptions arising from Electronic Trading, while also preserving an important focus on the unique risks of Algorithmic Trading in modern markets. In addition, the Commission’s revised framework streamlines risk controls from three levels to two, and provides AT Persons with the flexibility to delegate certain risk control functions to their FCM(s). The risk control requirements for AT Persons in Supplemental proposed § 1.80 apply primarily to AT Order Messages. However, the Commission is proposing in new Supplemental proposed § 1.80(g) that AT Persons also apply pre-trade risk controls to their Electronic Trading Order Messages. The NPRM’s original approach, which required AT Persons to implement risk controls only to their AT Order Messages, left a potentially significant gap in Regulation AT’s overall framework for reducing risk in modern markets. Specifically, non-algorithmic Electronic Trading Order Messages originating with AT Persons would have been left with only one level of required risk controls (i.e., at the DCM). To ensure two levels of risk controls on all Electronic Trading Order Messages, the Commission is proposing Supplemental proposed § 1.80(g)(1), which provides that AT Persons must apply the risk controls required by Supplemental proposed § 1.80(a), (b) and (c) to their Electronic Trading Order Messages that do not arise from Algorithmic Trading. AT Persons may make appropriate adjustments in their § 1.80(g)(1) risk controls mechanisms to accommodate the application of such mechanisms to Electronic Trading Order Messages.228 227 In this regard, the Commission notes that Algorithmic Trading is a subset of Electronic Trading. Risk control mechanisms to address Electronic Trading would necessarily also address Algorithmic Trading. 228 Certain provisions of § 1.80(a), (b) and (c) reference ‘‘Algorithmic Trading’’ and ‘‘AT Order Message.’’ The language ‘‘to accommodate the application of such mechanisms to Electronic Trading Order Messages’’ means that the risk control mechanisms implemented pursuant to Supplemental proposed § 1.80(g) should be designed and calibrated to apply to Electronic Trading and Electronic Trading Order Messages, rather than to Algorithmic Trading and AT Order Messages. PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 85357 Supplemental proposed § 1.80(g)(2) and (3) provides a delegation provision similar to Supplemental proposed § 1.80(d), in which an AT Person may delegate to an executing FCM compliance with § 1.80(a) risk control requirements as to Electronic Trading Order Messages. The Commission has also revised NPRM proposed §§ 1.80, 1.82 and 40.20 to address the inconsistency noted by CME as to whether risk controls must ‘‘prevent’’ or ‘‘prevent and mitigate’’ risk. Supplemental proposed §§ 1.80, 1.82 and 40.20 all now provide for the standard of ‘‘reasonably designed’’ to ‘‘prevent and reduce the potential risk of . . . .’’ As to the concern raised by CME that ‘‘prevent’’ is a difficult standard to meet, the Commission notes that existing § 38.255 imposes on DCMs an obligation to ‘‘prevent and reduce the potential risk of price distortions and market disruptions . . .’’ which is not modified by ‘‘reasonably designed.’’ 229 The statutory text of the related core principle also requires that DCMs have the capacity and responsibility to prevent manipulation, price distortion, and disruptions of the delivery or cash settlement process (also without the ‘‘reasonably designed’’ modification).230 The Commission believes that ‘‘reasonably designed’’ to ‘‘prevent’’ means that the relevant entity—AT Person, FCM or DCM—does those things that are under its control, at its level in the lifecycle of an order, to prevent a disruption from reaching the next level closer to the DCM or at the DCM. Discussed below are changes to rule text addressing the change in focus to Electronic Trading in Supplemental proposed §§ 1.82, 38.255 and 40.20. Proposed § 1.82. In the NPRM, proposed § 1.82 required risk controls and other measures to be reasonably designed to prevent or mitigate an ‘‘Algorithmic Trading Disruption.’’ Supplemental proposed § 1.82 now requires that FCM risk controls and other measures be reasonably designed to prevent and reduce the potential risk of a disruption associated with Electronic Trading (including an Algorithmic Trading Disruption). The Commission discusses the newly defined terms Electronic Trading and Electronic Trading Order Message in Section VI(C) below. The Commission considers a disruption associated with Electronic Trading to mean an event that disrupts, or materially degrades, the Electronic Trading of a market participant, the 229 See existing § 38.255, 17 CFR 38.255. Core Principle 4, Section 5(d)(4) of the Act, 7 U.S.C. 7(d)(4) (2012). 230 DCM E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85358 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules operation of the DCM on which the market participant is trading, or the ability of other market participants to trade on the DCM on which the market participant is trading. An Algorithmic Trading Disruption, as defined under Regulation AT, is a subset of the types of Electronic Trading disruptions that could occur. Supplemental proposed § 1.82 also includes several changes to the enumerated risk controls and order cancellation system requirements based on the addition of Electronic Trading to Regulation AT’s risk control framework. In the NPRM, proposed § 1.82(a)(1) required risk controls by reference to the controls listed in § 1.80(a)(1). The Supplemental NPRM now explicitly lists those controls within the regulation text of Supplemental proposed § 1.82(a)(1). In addition, Supplemental proposed § 1.82(a)(1)(i) changes the words ‘‘Maximum AT Order Message frequency’’ to ‘‘maximum Electronic Trading Order Message frequency.’’ Similarly, the Supplemental proposed rule now explicitly lists required order cancellation systems within the regulation text of § 1.82(a)(1) and makes such systems applicable to Electronic Trading Order Messages and Electronic Trading, rather than AT Order Messages and Algorithmic Trading. Supplemental proposed § 1.82(a), (b) and (c) include similar conforming changes in light of the proposed shift in focal point of FCM risk controls from Algorithmic Trading to Electronic Trading. The Supplemental NPRM’s proposed FCM rules do not specify the exact stage at which the FCM needs to implement its controls on an Electronic Trading Order Message. In cases where an order is transmitted electronically to, or through, the FCM, the FCM may have significant flexibility in when and how the risk controls are applied prior to dissemination to the DCM. In cases where an order is communicated manually to the FCM, who would then submit the order in the electronic system, risk controls may need to be applied later in the submission process. In the NPRM, the location of the FCM’s controls varied according to whether an AT Person’s orders were placed through DEA or intermediated by the FCM. The Supplemental NPRM’s proposed FCM rule retains that basic structure. However, with respect to those orders that are submitted through DEA, Supplemental proposed § 1.82(b) and (c) now provide greater discretion to the FCM regarding how to comply with its § 1.82 obligations. FIA’s comment letter indicated that pre-trade risk controls can be administered by the FCM facilitating electronic access to the VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 market, ‘‘and implemented within the appropriate system that the FCM has administrative control over, including third-party vendor systems and exchange provided graphical user interfaces.’’ 231 The revised proposed rule now provides discretion to executing FCMs to comply with § 1.82(b) in the DEA context using the FCM’s own controls, or controls provided by a DCM or other third party, as long as these controls satisfy the requirements of § 1.82(b). Further, NPRM proposed § 1.82(c) had provided that for non-DEA orders, the FCM must itself establish and maintain pre-trade risk controls and order cancellation systems. Supplemental proposed § 1.82(c) now provides that the FCM may also comply with § 1.82(c) by using the pre-trade risk controls and order cancellation systems provided by DCMs pursuant to § 38.255. The Commission intends that this change will provide increased flexibility and decreased costs on FCMs, and allows the FCM to choose what it judges to be the most appropriate, and robust, risk control system from a broader set of options. Proposed § 38.255. The Commission made conforming changes to NPRM proposed § 38.255 consistent with its decision to shift the focal point of FCM risk control obligations from Algorithmic Trading orders to Electronic Trading orders. These include use of the newly defined terms ‘‘Electronic Trading’’ and ‘‘Electronic Trading Order Message.’’ The Commission has also adjusted several regulation cross-references in light of changes made to NPRM proposed § 1.82 (see §§ 38.255(b)(1)(i) and 38.255(b)(2)). Finally, as noted above with respect to § 1.82, an FCM now has discretion in the DEA context as to whether it will use DCM-provided controls to comply with § 1.82 requirements. Consistent with that change, Supplemental proposed § 38.255(c) now allows a DCM that permits DEA to require that an FCM use the DCM-provided controls, or substantially equivalent controls developed by the FCM itself or a third party. Prior to an FCM’s use of its own or a third party’s systems and controls, the FCM must certify to the DCM that such systems and controls are in fact substantially equivalent to the systems and controls that the DCM makes available pursuant to Supplemental proposed § 38.255(b). Proposed § 40.20. The Commission made conforming changes to proposed 231 FIA 3, 5. An industry participant during the Roundtable also indicated that some FCMs may use third party tools to perform certain services to clients. See Roundtable Tr. 166:17–167:5. PO 00000 Frm 00026 Fmt 4701 Sfmt 4702 § 40.20 consistent with its decision to require DCMs to apply risk controls and other measures to electronic trading orders, rather than only to Algorithmic Trading orders. These include changes to use the terms ‘‘Electronic Trading’’ and ‘‘Electronic Trading Order Message.’’ In addition, the regulatory text of Supplemental proposed § 40.20 now explicitly lists risk controls and order cancellation systems within the regulation text of §§ 40.20(a)(1) and 40.20(b)(1)(i). Like Supplemental proposed § 1.82, Supplemental proposed § 40.20 now requires DCMs to implement pre-trade and other risk controls reasonably designed to prevent a disruption associated with Electronic Trading (including an Algorithmic Trading Disruption). As discussed above, the Commission considers a disruption associated with Electronic Trading to mean an event that disrupts, or materially degrades, the Electronic Trading of a market participant, the operation of the DCM on which the market participant is trading, or the ability of other market participants to trade on the DCM on which the market participant is trading. Finally, NPRM proposed § 40.20(d) had required that DCMs implement risk control mechanisms for manual order entry and other non-Algorithmic Trading. Given the change in overall applicability of § 40.20 to Electronic Trading, the Commission has determined to withdraw § 40.20(d). 4. Commission Questions 28. Supplemental proposed §§ 1.82(b) and 38.255(c) provide discretion to the FCM to comply with § 1.82(b) in the DEA context using its controls, or controls provided by a DCM or other third party, as long as those controls are substantially similar to the controls provided by the DCM. Do you agree with this level of discretion, or do you believe that FCMs should be required to use DCM-provided controls in the DEA context to comply with § 1.82? 29. Supplemental proposed § 1.82(c) provides that the FCM may also comply with § 1.82(c) by using the pre-trade risk controls and order cancellation systems provided by DCMs pursuant to § 38.255. Do you agree with this discretion? Given the revised definition of DEA, should proposed §§ 1.82 and 38.255 make any distinction between DEA and non-DEA orders? 30. The Commission assumes that, given the definition of DEA provided in Supplemental proposed § 1.3(yyyy), risk controls implemented by an FCM for non-DEA orders might function similarly to a DCM-provided controls E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules implemented by an FCM for DEA orders. Should Regulation AT therefore require that DCMs provide § 1.82 risk controls for both DEA and non-DEA orders? C. New and Revised Definitions; Change From ‘‘Clearing Member’’ to ‘‘Executing’’ FCMs 1. Overview and Policy Rationale for New Proposal As discussed above, the Commission has decided to modify its framework such that risk controls would be required at two, rather than three, levels of the order submission process. The DCM will always be one level of risk controls. The second level will be either an AT Person or an executing FCM.232 In addition, the Supplemental proposed rules require DCMs (and FCMs, when such firms implement risk controls) to implement risk controls on all electronic orders. Paired with those rule changes, the Commission is proposing new defined terms ‘‘Electronic Trading’’ and ‘‘Electronic Trading Order Message.’’ The Commission has also changed terminology in Regulation AT relating to FCMs. In the NPRM, proposed §§ 1.82, 1.83, 38.255, and 40.22 applied to or referred to ‘‘clearing member’’ FCMs. Now such rules apply or refer to ‘‘executing’’ FCMs. These additional changes are responses to commenter concerns with the prior proposed risk control framework, particularly comments that even nonalgorithmic electronic orders have the potential to cause disruption and that ‘‘clearing member’’ FCMs may not have the ability to implement certain controls on a pre-trade basis. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 2. NPRM Proposal and Comments The NPRM proposed to define the terms ‘‘Algorithmic Trading’’ and ‘‘AT Order Message’’ (see NPRM proposed §§ 1.3(zzzz) and 1.3(wwww), respectively), but not the terms ‘‘Electronic Trading’’ and ‘‘Electronic Trading Order Message.’’ Pursuant to the NPRM, the proposed term AT Order Message was defined as each new order or quote submitted through Algorithmic Trading to a designated contract market by an AT Person and each change or deletion submitted through Algorithmic Trading by an AT Person with respect to such an order or quote. This term was used in the proposed regulations requiring AT Persons, clearing member 232 Whether the second level of risk controls is implemented by the AT Person or an executing FCM depends on whether the order originated with an AT Person and whether the AT Person has delegated risk control implementation to the executing FCM. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 FCMs and DCMs to implement pre-trade risk controls and other measures with respect to AT Order Messages. Comments Received. Commenters generally supported the NPRM proposed definition of AT Order Message. CME commented that the term should not include any ‘‘nonactionable’’ messages, such as requests for quotes, requests for cross, heartbeat messages, and mass quotes.233 CME further indicated that DCMs should be able to determine what activity may be disruptive in the context of nonactionable messages.234 FIA commented that message throttles should not reject cancellation messages because such messages may be risk-minimizing.235 FIA further stated that it should be in the discretion of the person supervising order messages to take action if excessive cancellation messages are disruptive.236 The NPRM proposed several rules that impose risk control and reporting requirements on clearing member FCMs (i.e., §§ 1.82 and 1.83) or that otherwise refer to FCMs (i.e., §§ 38.255 and 40.22). The principal risk control rule applicable to FCMs is NPRM proposed § 1.82. AIMA commented that the pretrade risk controls proposed in the NPRM ‘‘represent a strong foundation for ensuring the most obvious safeguards are in place to protect markets from the risks of automated execution.’’ 237 AIMA further commented on the type of entity that should be subject to NPRM proposed § 1.82, stating that the rule should apply to any AT Person providing market access services in the Algorithmic Trading transaction chain, not only to clearing member FCMs.238 Similarly, other commenters took the position that NPRM proposed § 1.82 did not apply to the correct set of FCMs. For example, FIA stated that the § 1.82 requirements should be on the FCM ‘‘facilitating access to the DCM.’’ 239 In support of its position, FIA noted that market participants ‘‘can choose to route orders through an FCM that is not their clearer and give up the trades after execution on the DCM.’’ 240 FIA stated that nonclearing FCMs should provide the same 233 CME A–5. On its Web site, CME states that ‘‘mass quotes’’ allow authorized CME Globex customers to create and maintain a market on a large number of instruments simultaneously. See https://www.cmegroup.com/confluence/display/ EPICSANDBOX/Mass+Quotes. 234 CME A–5. 235 FIA A–13. 236 Id. at 13. 237 AIMA III 2. 238 AIMA 14; see also AIMA III 3. 239 FIA A–29. 240 Id. PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 85359 standard of pre-trade risk management as an FCM that executes and clears for a market participant.241 Accordingly, FIA asserted that any clearing member of a DCM that provides electronic access for its customers or its own trading on a DCM should implement appropriate risk controls.242 FIA further stated that if a clearing FCM delegates facilitation of electronic access to another entity, the delegated entity should implement the appropriate controls and the delegating FCM should help ensure that such controls are in place.243 The Industry Group expanded on this point in their comment letter submitted during the Second Comment Period. The Industry Group indicated that a customer may use the same FCM to provide both execution and clearing services, or may use one FCM for execution and choose to clear trades through another FCM.244 In that instance, the executing FCM acts as the ‘‘gatekeeper’’ to the DCM matching engine, and is the only FCM that can administer pre-trade risk controls.245 Any other FCMs that may subsequently clear trades can only provide controls on a post-trade basis.246 3. Substance of New Proposal a. Defined Terms Electronic Trading and Electronic Trading Order Message The NPRM did not propose definitions of ‘‘Electronic Trading’’ or ‘‘Electronic Trading Order Message.’’ Because the Commission has decided to expand some AT Person, FCM and DCM requirements to electronic orders, these new defined terms are necessary. Supplemental proposed § 1.3(ddddd) defines ‘‘Electronic Trading,’’ for purposes of §§ 1.80, 1.82, 1.83, 38.255, 40.20 and 40.22, as trading in any commodity interest (as defined in paragraph (yy) of § 1.3) on an electronic trading facility (as such term is defined by section 1a(16) of the Act), where the order, order modification or order cancellation is electronically submitted for processing on or subject to the rules of a DCM. The scope of the defined term is intended to be expansive, covering, for example, all order activity on CME Globex. Supplemental proposed § 1.3(bbbbb) defines ‘‘Electronic Trading Order Message’’ as each new order submitted using Electronic Trading and each modification or cancellation submitted using Electronic Trading with respect to 241 Id. 242 Id. 243 Id. at A–30 n.28. Group 4–5 n.4. 244 Industry 245 Id. 246 Id. E:\FR\FM\25NOP2.SGM 25NOP2 85360 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules such an order. This defined term largely tracks the term ‘‘AT Order Message’’ as proposed in the NPRM and as revised in this Supplemental NPRM. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS b. Revisions to Defined Term ‘‘AT Order Message’’ In this Supplemental NPRM, the Commission makes several changes to the definition of AT Order Message (§ 1.3(wwww)), mainly for the purposes of simplification. The words ‘‘modification or cancellation’’ have replaced the words ‘‘change or deletion’’ because it is the Commission’s understanding that ‘‘modification’’ and ‘‘cancellation’’ are more commonly used terms in the industry. The words ‘‘to a designated contract market’’ were deleted as unnecessary, because the concept of an order being submitted specifically to a DCM, as opposed to any other type of exchange, is embedded in the definition of Algorithmic Trading (see NPRM proposed § 1.3(zzzz)). Finally, in this Supplemental NPRM, the Commission has deleted the word ‘‘quote’’ from the definition of AT Order Message. The word ‘‘quote’’ is also not contained in the Electronic Trading Order Message, Algorithmic Trading, or Electronic Trading definitions. The Commission intends that the term ‘‘order’’ means any firm, actionable messages to the DCM. Accordingly, the term ‘‘order’’ includes quotes or mass quotes as long as such quotes are firm and actionable. In response to the NPRM, CME commented that the term AT Order Message should not include any ‘‘non-actionable’’ messages, such as requests for quotes, requests for cross, heartbeat messages, and mass quotes.247 To the extent that certain types of messages, such as requests for quote, requests for cross, and heartbeat messages, are not actionable, then such messages would not fall within the definition of AT Order Message or Electronic Trading Order Message. However, the Commission understands from CME’s Web site that mass quotes can be actionable.248 In cases where the use of quotes (such as mass quotes) is similar to the submission of other order types in that they are actionable, such quotes would have the potential to cause market disruption and, therefore, should be included within the meaning of the terms AT Order Message and Electronic Trading Order Message. 247 CME A–5. example, CME Group’s Web page on mass quotes indicates that successfully accepted quotes act as limit orders. See https://www.cmegroup.com/ confluence/display/EPICSANDBOX/Mass+Quotes. 248 For VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 c. Change in Terminology From ‘‘Clearing Member’’ to ‘‘Executing’’ FCMs In light of the comments received, the Commission determined that applying NPRM proposed § 1.82 to clearing member FCMs would be too limiting. Depending on the order submission process, executing FCMs, rather than clearing member FCMs, may be in the best position to apply risk controls on a pre-trade basis; in many cases, the clearing FCM and the executing FCM will be the same firm, so the wording change will not result in a requirement change. Accordingly, the Commission has revised NPRM proposed § 1.82 (and made conforming changes in Supplemental proposed §§ 1.80, 1.83, 38.255, 40.20 and 40.22) so that the risk control and recordkeeping requirements previously applicable to clearing member FCMs now apply to executing FCMs. The Commission is seeking comment on whether the change from ‘‘clearing member’’ FCMs to ‘‘executing’’ FCMs is appropriate. If commenters raise concerns with this change, and prefer an alternate description, including a return to the prior language, the Commission may adjust the final rules in light of such comments. With respect to Regulation AT, the Commission seeks to ensure that electronic order messages are subject to risk controls by an FCM who provides access to a DCM and can monitor that order message flow prior to its arrival at the DCM.249 Accordingly, all FCMs facilitating such access should be aware that they may be subject to final rules under Regulation AT including, without limitation, Supplemental proposed § 1.82 required controls and § 1.83 required recordkeeping. FCMs are encouraged to submit comments concerning such rules and whether certain FCMs should, or should not, be subject to Regulation AT. 4. Commission Questions 31. With respect to the term ‘‘Electronic Trading,’’ should the definition exclude trading on a hybrid trade execution model, i.e., one that includes non-electronic components? 250 32. The Commission considers the term ‘‘order’’ to include all firm, actionable messages, and understands 249 In some instances, an order may flow through multiple FCMs. The Commission expects that in such a scenario, each executing FCM must comply with § 1.82 with respect to such order. 250 With respect to hybrid trade execution models, the Commission means the unlikely event of a DCM employing a trade execution model that has a voice component, as opposed to an entirely electronic model. PO 00000 Frm 00028 Fmt 4701 Sfmt 4702 mass quotes to be actionable messages. Are there other types of firm, actionable messages that constitute orders—and therefore fall within the scope of the terms AT Order Message and Electronic Trading Order Message—that the Commission should clarify in the final rules? If mass quotes are not firm, actionable messages, please explain. 33. The Commission has changed Regulation AT references to ‘‘clearing member’’ FCMs to ‘‘executing’’ FCMs. Do you agree or disagree with this change? Is the term ‘‘executing’’ FCMs sufficiently clear? Does the term ‘‘executing’’ FCMs more appropriately capture the type of FCMs that can apply pre-trade risk controls and order cancellation systems to electronic trading orders? Does the term ‘‘executing’’ FCMs inappropriately exclude certain FCMs that should otherwise comply with § 1.82 obligations? D. AT Person Delegation to FCM 1. Overview and Policy Rationale for New Proposal As explained above, the Commission proposes streamlining risk controls from three levels to two and shifting the focal point of risk control from Algorithmic Trading to Electronic Trading. The number of AT Persons may be reduced as a result of the proposed volume threshold test, but the obligations of AT Persons pursuant to NPRM proposed § 1.80 will remain largely the same, with several exceptions. As discussed below, the changes to NPRM proposed § 1.80 are: (1) AT Persons would be required to implement certain risk controls to their Electronic Trading Order Messages, in addition to their AT Order Messages; (2) AT Persons would be permitted to delegate certain pre-trade risk control obligations to their executing FCMs; (3) AT Persons would no longer be required to notify their clearing member and DCM of their intended use of Algorithmic Trading; and (4) the provisions proposed in NPRM § 1.80(e) regarding self-trade prevention tools are reserved, as the Commission anticipates postponing consideration of self-trade prevention to a second phase of Regulation AT rulemaking in the future. The Commission proposes the delegation option in order to provide increased flexibility and decreased burden on AT Persons, and eliminates the notification requirement in response to commenter concerns that such provision is unnecessary. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 2. NPRM Proposal and Comments The NPRM proposed § 1.80, which required that AT Persons implement pre-trade risk controls and other measures for all AT Order Messages that are reasonably designed to prevent an Algorithmic Trading Event.251 Relevant controls and measures required by NPRM proposed § 1.80 included maximum AT Order Message frequency and maximum execution frequency per unit time; order price parameters and maximum order size limits; order cancellation and ATS disconnect systems; and connectivity monitoring systems. They also included several other specific requirements, such as notification by AT Persons to applicable DCMs and clearing member FCMs that they will engage in Algorithmic Trading; calibrating or otherwise implementing DCM-provided self-trade prevention tools; and periodic review of the sufficiency and effectiveness of the controls implemented by the AT Person. Comments Received. Commenters addressed various aspects of the proposed rule, including the enumerated risk control requirements and order cancellation requirements. The Commission is continuing to review such comments, and may make additional changes to such provisions as part of the final rules. This Supplemental NPRM eliminates the notification requirement and reserves for later consideration the self-trade tool implementation requirements, proposed in the NPRM, respectively, as §§ 1.80(d) and 1.80(e). As stated in the NPRM, the purpose of the § 1.80(d) notification provision was to ensure that clearing member FCMs and exchanges have sufficient advance notice to implement and calibrate pre-trade and other risk controls to manage risks arising from the AT Person’s trading.252 In response to the NPRM, FIA and CME opposed proposed § 1.80(d).253 FIA commented that pre-notification of a market participant’s initial use of Algorithmic Trading is unnecessary and overly burdensome.254 FIA stated that when an FCM accepts a client, the client informs the FCM if they will be conducting Algorithmic Trading, and that most exchanges require operator IDs for algorithmic traders.255 FIA further stated that the breadth of the term Algorithmic Trading would require almost every FCM and DCM client to notify the FCM and DCM of their use of Algorithmic Trading technology.256 Finally, FIA commented that identifying each change to a system would be counterproductive and burdensome, as it would require thousands of notices per year by each participant.257 CME agreed that FCMs already obtain a significant amount of information from clients about the type of trading they anticipate engaging in so that the FCM can comply with existing §§ 1.11 and 1.73, and that the Commission should not prescribe that additional information must be communicated.258 The Industry Group recommended that market participants trading electronically, without passing through FCM-administered risk controls, should self-identify to applicable DCMs prior to trading, or may be identified via tags on order messages.259 Nadex requested a change to § 1.80(d), stating that compliance rests entirely on the AT Person providing the notification, and therefore the regulation should specify that in the absence of such notification, the FCM and DCM are absolved of any liability for non-compliance with Regulation AT.260 In contrast, AIMA supported the proposed § 1.80(d) notification requirement.261 3. Substance of New Proposal a. Delegation to Executing FCMs The Commission proposes a change to NPRM proposed § 1.80 so that AT Persons may delegate compliance with § 1.80(a) pre-trade risk control requirements to their executing FCMs. Supplemental proposed § 1.80(d)(1) provides that an AT Person may choose to comply with § 1.80(a) by implementing required pre-trade risk controls, or it may instead delegate compliance with such obligations to its executing futures commission merchant(s). As noted above, commenters generally found the NPRM’s risk control framework as too ‘‘one size fits all,’’ and recommended a more principles-based rule. The Commission believes that the delegation provision provides AT Persons with increased flexibility and decreased burden and compliance costs with respect to § 1.80 compliance. The Supplemental proposed rules do not require the FCM to accept the delegation. If the executing FCM declines to comply with § 1.80(a), the AT Person must implement the risk controls itself. 256 Id. 251 See NPRM at 78849–78855. 252 Id. at 78854. 253 FIA A–26; CME A–12. 254 FIA A–26. 255 Id. VerDate Sep<11>2014 19:51 Nov 23, 2016 257 Id. 258 CME A–12. Group 8. 260 Nadex 5. 261 AIMA 14. 259 Industry Jkt 241001 PO 00000 Frm 00029 Fmt 4701 Sfmt 4702 85361 Supplemental proposed § 1.80(d)(2) provides that an AT Person may only delegate such functions when (i) it is technologically feasible for each relevant futures commission merchant to comply with § 1.80(a) with a level of effectiveness reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event; and (ii) each relevant futures commission merchant notifies the AT Person in writing that the futures commission merchant has accepted the AT Person’s delegation and that it will comply with § 1.80(a) on behalf of the AT Person.’’ The purpose of § 1.80(d)(2)(i) is to ensure that the FCM is actually able to effectively implement pre-trade risk controls, order cancellation systems and order connectivity systems on behalf of the AT Person. The Commission believes that generally, use of DEA or some other trading technology that is outside the control of the executing FCM may prevent the FCM from effectively implementing controls on a pre-trade basis. Such delegation would be improper under Supplemental proposed § 1.80(d). The purpose of § 1.80(d)(2)(ii) is to ensure that it is clear, as between the AT Person and the FCM, who is responsible for complying with § 1.80(a). Finally, Supplemental proposed § 1.80(f) continues to require an AT Person to periodically review its compliance with § 1.80 to determine whether it has effectively implemented sufficient measures. The Commission has revised this section so that its standard is consistent with the ‘‘reasonably designed to prevent and reduce the potential risk of’’ an Algorithmic Trading Event standard discussed above. In addition, the Commission has revised this section to account for the possibility that an AT Person has delegated § 1.80(a) compliance to an FCM, and requires the AT Person to periodically review such FCM’s compliance with § 1.80(a). b. Proposed Use of Algorithmic Trading Notification Requirement Based on the addition of Electronic Trading to Regulation AT’s risk control framework, the Commission has determined that mandatory notification from an AT Person to an FCM or DCM is no longer warranted. Accordingly, the Commission proposes to withdraw the notification requirements provided in NPRM § 1.80(d). The Commission emphasizes, however, that DCMs must have an appropriate awareness of its market participants engaged in Algorithmic Trading, as well as the systems and strategies used by market participants. Such understanding is E:\FR\FM\25NOP2.SGM 25NOP2 85362 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules necessary not only for DCMs’ role as self-regulatory organizations with plenary responsibility for the oversight of their markets, but also to comply with the requirements of Supplemental proposed § 40.22. This provision, explained in detail below, requires each DCM to establish an effective program for periodic review and evaluation of AT Persons’ compliance with §§ 1.80 and 1.81. The Commission expects that DCMs will establish their own rules and procedures to ensure that they are aware of the AT Persons trading on their markets, and to successfully comply with Supplemental proposed § 40.22. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS c. Voluntary Election of AT Person Status Finally, the Commission, as part of its changes to the definition of ‘‘AT Person,’’ proposes § 1.3(xxxx)(2), which allows a person that does not satisfy the conditions of § 1.3(xxxx)(1) to nevertheless elect to become an AT Person. Prior to becoming an AT Person, such person must register as a floor trader as defined in § 1.3(x)(1)(ii) and submit an application for membership in at least one RFA pursuant to § 170.18. A person that elects to become an AT Person pursuant to Supplemental proposed § 1.3(xxxx)(2)(i) must comply with all requirements of AT Persons pursuant to Commission regulations.262 The Commission proposes § 1.3(xxxx)(2) in order to provide increased flexibility to persons that prefer to implement their own pre-trade risk controls, rather than leaving implementation of such measures to executing FCMs. 4. Commission Questions 34. Please explain whether you support or oppose the ability of AT Persons to delegate certain § 1.80 obligations to FCMs, including implementation of pre-trade risk controls, order cancellation systems and system connectivity requirements. a. Does the language of Supplemental proposed §§ 1.80(d)(2) and (g)(3) providing that an AT Person may only delegate such functions when (i) it is technologically feasible adequately ensure that delegation only occurs when the FCM can implement controls on a pre-trade basis? b. Should the Commission require the AT Person to conduct due diligence or obtain a certification to ensure that the FCM is implementing sufficient controls? c. Should the Commission allow AT Persons to delegate to FCMs compliance with other § 1.80 obligations, such as § 1.80(b) order cancellation 262 See Supplemental proposed § 1.3(xxxx)(2)(ii). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 requirements? For which obligations would FCM delegation be technologically feasible? 35. Do you agree with the Commission’s determination to eliminate the notification of the use of Algorithmic Trading requirement that had been required in NPRM proposed § 1.80(d)? If you believe that the Commission should retain such a requirement, please explain why. 36. Will DCMs be able to comply with Supplemental proposed § 40.20(c)’s system connectivity requirements as to AT Persons without an explicit requirement that AT Persons or FCMs notify DCMs that the AT Persons will be conducting Algorithmic Trading? VII. Reporting and Recordkeeping Obligations A. Overview and Policy Rationale for New Proposal NPRM proposed §§ 1.83 and 40.22 required that AT Persons and clearing member FCMs provide the DCMs on which they operate annual reports containing information on their compliance with §§ 1.80(a) and 1.82(a)(1), and that DCMs establish a program for effective review and evaluation of such reports. The proposed rules also provided recordkeeping requirements regarding NPRM proposed §§ 1.80, 1.81 and 1.82 compliance. The reports, recordkeeping requirements, and review program were intended to enable DCMs to understand the pre-trade risk controls and compliance procedures of AT Persons and FCMs with respect to Algorithmic Trading and to identify and take remedial action to address potential risks and compliance concerns. In response to the NPRM, the Commission received comments indicating that the reporting requirements were overly burdensome and would provide little benefit with respect to mitigating the risks of Algorithmic Trading. Accordingly, as described below, the Commission has eliminated the annual compliance reports requirement; retained the recordkeeping requirements; and changed the DCM annual compliance report review program to a more general program for review of AT Person and FCM compliance with §§ 1.80, 1.81 and 1.82. The Commission further proposes requiring DCMs to mandate that AT Persons and executing FCMs provide DCMs with an annual certification attesting that the AT Person or FCM complies with the requirements of §§ 1.80, 1.81, and 1.82, as applicable. The Commission believes that these changes will significantly decrease the PO 00000 Frm 00030 Fmt 4701 Sfmt 4702 cost of compliance by AT Persons and FCMs with Regulation AT, while at the same time providing enhanced flexibility and discretion to DCMs in terms of designing and implementing an effective program for review of AT Person and FCM controls and procedures related to Algorithmic Trading. B. NPRM Proposal and Comments NPRM proposed § 1.83(a) and (b) required that AT Persons and clearing member FCMs provide the DCMs on which they operate with information regarding their compliance with §§ 1.80(a) and 1.82(a)(1). NPRM proposed § 40.22 required that each DCM that receives a report described in § 1.83 establish a program for effective review and evaluation of the reports. The reports proposed by § 1.83 and the review program proposed by § 40.22 were intended to ensure that AT Persons and clearing FCMs implement effective risk controls and regularly review these risk controls. NPRM § 1.83(c) and (d) complimented the compliance report review program by requiring that AT Persons and clearing member FCMs keep and provide upon request to DCMs books and records regarding their compliance with proposed §§ 1.80 and 1.81 (for AT Persons) and § 1.82 (for clearing member FCMs). NPRM proposed § 40.22(d) required DCMs to implement rules that require AT Persons and FCMs to keep and provide to the DCM books and records regarding compliance with §§ 1.80, 1.81 and 1.82. Finally, NPRM proposed § 40.22(e) required DCMs to review and evaluate, as necessary, such books and records maintained by AT Persons and clearing member FCMs regarding their Regulation AT compliance. Comments Received. Numerous commenters opposed the NPRM requirement that AT Persons file an annual report.263 AIMA expressed concern about the burden that reviewing the filings would have on DCMs,264 and CME, FIA, MGEX, Commercial Alliance and Nadex suggested that the cost of requiring participants to prepare and submit compliance reports to DCMs outweighs any benefit.265 Furthermore, CME, FIA and ICE all indicated that information in the reports would be 263 AIMA 17; CME 20, A–20–A–21; FIA 10, A–90; MGEX 15, 16, 25–26; Commercial Alliance 12; Nadex 5; OneChicago 6; ISDA 71; MFA 29; ICE 10, A–30, A–31; NIBA 2; NASDAQ 4. 264 AIMA 17. 265 CME 20; FIA 10; MGEX 15, 25–26; Commercial Alliance 12; Nadex 5. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules outdated and no longer useful by the time a report is reviewed.266 In addition, commenters questioned the technical capability of DCMs to perform a meaningful review of AT Persons’ reports or to assess whether the quantitative settings or calibrations of any AT Person’s controls are sufficient.267 MGEX stated that ‘‘it is impracticable to expect DCMs to understand all unconventional or proprietary trading strategies or the varied technological systems that market participants employ.’’ 268 Nadex and OneChicago were concerned that DCMs would be responsible for the manner an AT Persons sets or calibrates risk controls.269 MGEX was skeptical that reviewing compliance reports would ensure that AT Persons are actually following these measures in practice.270 MGEX believed that clear rules and robust surveillance are a better way to ensure market integrity.271 CME and FIA further commented that compliance reports would be duplicative for clearing FCMs, which already undergo review by their Designated Self-Regulatory Organization (‘‘DSRO’’) and clearing organizations.272 Several commenters were concerned about the cost of compliance.273 For example, ICE believed that DCMs would have to hire additional staff to conduct a comprehensive review of reports and expressed concern regarding the potential additional cost.274 LCHF and NIBA commented that only large market participants should be required to submit compliance reports, noting concerns as to the costs for small firms or IBs.275 MGEX and NASDAQ commented that small DCMs will be particularly burdened because they will need to hire additional staff.276 NASDAQ believed that the proposed requirements ‘‘could potentially cause some DCMs to cease or scale back operation, and impact the entry of new DCMs.’’ 277 266 CME 20, A–21; FIA 10; ICE A–30. 20, A–20; FIA 10; ICE 10, A–30. 268 MGEX 16. 269 Nadex 5–6; OneChicago 6. Nadex also asserted in its comment letter that ‘‘the proposed regulations would essentially place the DCM in the role of an advisor or consultant to the AT Person. The AT Person could hold the DCM responsible for any errors or malfunctions that occur as the result of the DCM’s ‘remediation’, or shift blame to the DCM in the event those changes are found inappropriate or insufficient by the CFTC or RFA.’’ Nadex 6. 270 MGEX 16. 271 Id. 272 CME 20; FIA 10, A–90. 273 ISDA 7l; MFA 29. 274 ICE A–31. 275 LCHF 3; NIBA 2. 276 MGEX 16. 277 NASDAQ 4. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 267 CME VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 As an alternative process to mandatory filing of annual reports a number of commenters suggested certification processes and outlined different processes that could be required.278 For example, LCHF suggested that compliance reports be reviewed in situations limited to those involving an ‘‘open investigation’’ or ‘‘complaint filed on a market participant.’’ 279 MGEX similarly suggested that if compliance report reviews were included, they should only occur as a part of an investigation of a market disruption, or alternatively that the FCM or DSRO would have the responsibility for conducting such a review.280 Commenters also expressed concern over the confidentiality of information required to be provided to DCMs in compliance reports.281 AIMA suggested that language be added to the proposed rule to require that DCMs maintain compliance reports in confidence, and that the Commission treat these as nonpublic reports for FOIA purposes.282 With respect to the DCM’s role in the reporting and recordkeeping framework, OneChicago, CME, FIA and ICE commented that the compliance reports provided to DCMs would be overly burdensome and ineffective in reducing risk.283 FIA and ICE commented that DCMs already follow procedures that effectively reduce the risk from Algorithmic Trading.284 ICE further commented that the compliance reports are unnecessary, because ‘‘DCMs have implemented comprehensive market surveillance and regulation programs that include automated reports and alerts designed to identify instances of aberrant or abnormal order or trade activity. These programs are already effective at identifying specific events of concern that involve Algorithmic Trading.’’ 285 CME, FIA and ICE also commented that the reports would include stale and irrelevant data, which would not be helpful to DCMs in preventing future market risk or disruptive practices.286 FIA commented that ‘‘DCMs are likely not to know the trading strategies or risk tolerances of any particular AT Person and thus are unable to assess the adequacy of their development and testing protocols, their procedures to help detect Algorithmic 278 CME 20, A–21, 22; FIA 10, FIA A–90; ICE 9– 10; MFA 29; NASDAQ 4; OneChicago 6. 279 LCHF 3. 280 MGEX 17. 281 AIMA 18; FIA A–91, A–92. 282 AIMA 18. 283 OneChicago 6; CME 20; FIA A–90–91; ICE 33. 284 FIA A–94; ICE 33. 285 ICE 33. 286 CME A–21; FIA A–91; ICE 30–31. PO 00000 Frm 00031 Fmt 4701 Sfmt 4702 85363 Trading Compliance Issues, or their pretrade risk and other controls.’’ ‘‘ 287 CBOE commented on the preamble language, stating that a DCM may want to review an AT Person’s books and records, pursuant to § 40.22(d)–(e), if the AT Person represents significant volume in a particular product.288 CBOE stated that ‘‘the trigger for a review of risk control books and records should be potential or actual problematic behavior by the AT Person that suggests the need for heightened scrutiny of the AT Person in relation to its risk controls,’’ but that high volume should not be a trigger for review.289 In addition, OneChicago found the text of § 40.22 vague and questioned what would be considered appropriate remediation of any deficiency found in an AT Person or FCM report.290 Some commenters also asserted that the Commission’s estimated cost for DCMs to comply with § 40.22 is too low.291 CME stated that the annual cost for each of its four exchanges would be closer to $525,000, stating that ‘‘this figure assumes that across all four Exchanges, approximately 650 entities would come within the scope of the proposed compliance report requirements and each entity would be reviewed once every four years (across all four Exchanges). If CME Group Exchanges were required to review each entity’s annual report once every two years, the cost would double as CME Group would need to hire twice as many full-time employees. CME Group estimates that it would take approximately one month for a full-time employee to complete each review.’’ 292 MGEX estimated that it would need to hire at least two additional full time employees to review the reports, and that reviewing each report would take significantly longer than the 15 hours estimated in the NPRM.293 Commenters further discussed the reporting structure during the Second Comment Period. The Industry Group commented that the annual reports requirement was ‘‘ineffective, unnecessary, and redundant with other requirements to which registrants are subject. Additionally, the proposed reports will inundate DCMs with voluminous policies and procedures related to the development and compliance of algorithmic trading systems, as well as mountainous 287 FIA A–91. 78876. 289 CBOE 7–8. 290 OneChicago 6. 291 CME 22; MGEX 26. 292 CME 22. 293 MGEX 26. 288 NPRM E:\FR\FM\25NOP2.SGM 25NOP2 85364 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules snapshots of stale qualitative risk parameter settings particularized to a given market participant that will be virtually impossible for a DCM to meaningfully assess.’’ 294 The Industry Group stated that as an alternative, the Commission should require a certification process that affected parties materially comply with relevant aspects of the rule.295 In addition, consistent with its recommendation of a two-level risk control structure with AT Persons/ FCMs at one level, and DCMs as the second level, the Industry Group suggested a due diligence requirement in which FCMs must perform due diligence on customers that transmit orders without such orders going through FCM-administered risk controls.296 In its Second Comment Period letter, CME reiterated its opposition to the reporting structure as creating an unnecessary administrative burden without a corresponding benefit to market integrity.297 Among other things, CME noted that DCMs would not have sufficient information about AT Persons’ systems to meaningfully assess Regulation AT compliance, and DCMs would appear to be endorsing the policies and procedures of AT Persons if they receive compliance reports but remain silent.298 CME also commented on the substantial costs of the report review program.299 Finally, CME suggested a similar due diligence process where the clearing member who granted DEA to an AT Person (a ‘‘gatekeeper clearing member’’) should obtain certifications of compliance from their customers.300 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS C. Substance of New Proposal In light of the concerns raised by commenters to NPRM proposed §§ 1.83 and 40.22, the Commission has determined to make several changes to the proposed rules. First, and most significantly, the Commission has eliminated the requirement that AT Persons and FCMs prepare compliance reports. The requirements proposed as NPRM §§ 1.83(a) (AT Person reports) and 1.83(b) (FCM reports) are withdrawn in Supplemental proposed § 1.83. However, the Commission has determined to retain the AT Person and FCM recordkeeping requirements, and such requirements proposed in the 294 Industry Group 7. 295 Id. 296 Id. at 9. III 4. 298 Id. at 4. 299 Id. 300 Id. at 5. 297 CME VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 NPRM as §§ 1.83(c) and 1.83(d) are now re-numbered as §§ 1.83(a) and 1.83(b). The Commission in this Supplemental NPRM has made conforming changes to § 40.22. Specifically, the NPRM required that DCMs review AT Person and FCM annual reports, identify deficiencies in AT Persons’ and FCMs’ compliance programs, and take remedial action as needed. The Commission has eliminated DCMs’ obligation to review annual compliance reports. In place of that obligation, Supplemental proposed § 40.22(a) now requires DCMs to periodically review AT Persons’ and FCMs’ programs for compliance with §§ 1.80, 1.81 and 1.82. The Commission expects that DCMs’ periodic review programs would be similar to their existing programs for periodically reviewing members’ and market participants’ compliance with audit trail recordkeeping requirements. Supplemental proposed § 40.22(b) (formerly § 40.22(d)) continues to require DCMs to implement rules requiring AT Persons and FCMs (now executing FCMs) to keep and provide to the DCM books and records regarding compliance with §§ 1.80, 1.81 and 1.82. Proposed § 40.22(c) replaces the previous requirement that DCMs review and evaluate such books and records with a more general requirement that DCMs require such periodic reporting from AT Persons and executing futures commission merchants as is necessary to fulfill the designated contract market’s obligations pursuant to paragraph (a) of § 40.22. Supplemental proposed § 40.22(d) provides that DCMs must require by rule that AT Persons and executing FCMs provide DCMs with an annual certification attesting that the AT Person or FCM complies with the requirements of §§ 1.80, 1.81, and 1.82, as applicable. Such annual certification shall be made by the chief compliance officer or chief executive officer of the AT Person or FCM and must state that, to the best of his or her knowledge and reasonable belief, the information contained in the certification is accurate and complete. The Commission believes that the annual certification requirement proposed in Supplemental proposed § 40.22(d) will be substantially less burdensome than the review of compliance reports proposed under NPRM proposed § 40.22. The Commission also believes that the periodic review program required by Supplemental proposed § 40.22(a), and the annual certifications required by Supplemental proposed § 40.22(d), will together impose an important discipline on actors in the Algorithmic and PO 00000 Frm 00032 Fmt 4701 Sfmt 4702 Electronic Trading space to help ensure compliance with Regulation AT’s key risk control and algorithm development provisions, including §§ 1.80, 1.81 and 1.82. The Commission acknowledges the comments from Industry Group and CME suggesting an FCM-based due diligence program. The Commission will continue to consider such comments and whether such a structure should be incorporated into a final rule. However, at this time the Commission believes that the DCM is the appropriate entity to review the compliance programs of AT Persons. The DCM will have a broader perspective of the entire market compared to an FCM, and is better situated to ensure that there is a consistent baseline of sufficient controls across all AT Persons and executing FCMs. D. Commission Questions 37. Do you agree with the elimination of the annual compliance report requirement? Do you believe that the current AT Person/executing FCM recordkeeping and DCM review program proposed rules will sufficiently ensure that AT Persons and executing FCMs have effective risk controls? Is there any aspect of Supplemental proposed §§ 1.83 and 40.22 that should be changed to better ensure that AT Persons and executing FCMs are implementing effective risk controls? VIII. Additional Changes to NPRM Proposed Rules Under Consideration The Commission is considering certain additional changes to the rules proposed in the NPRM, apart from the proposed rule text provisions set forth in this Supplemental NPRM. The Commission preliminarily believes that such additional changes could be adopted without further notice and comment, since they do not impact new parties, create new obligations, or otherwise increase burdens. The following is a summary of certain discrete areas that are under consideration. The Commission emphasizes that it has yet to make final determinations with respect to the items below, and that their final disposition may depend in part on how the Commission proceeds with other proposals in the NPRM and Supplemental NPRM. NPRM proposed § 1.3(tttt) defines the term Algorithmic Trading Compliance Issue.301 The term is relevant to the pre301 NPRM proposed § 1.3(tttt) defines ‘‘Algorithmic Trading Compliance Issue’’ to mean an event at an AT Person that has caused any Algorithmic Trading of such entity to operate in a manner that does not comply with the CEA or the E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS trade risk and other control requirements for AT Persons under NPRM proposed § 1.80, the testing requirements on AT Persons under proposed § 1.81(c), and the pre-trade and other risk controls for DCMs under NPRM proposed § 40.20. Several commenters noted that the scope of an Algorithmic Trading Compliance Issue should not include breaches of an AT Person’s own internal requirements.302 For example, SIFMA recommended that the definition be revised to remove references to an AT Person’s internal policies to prevent unduly burdening DCMs and AT Persons with notifications of internal events that do not impact the market.303 MFA commented that including violations of the AT Person’s own internal requirements, or the requirements of the AT Person’s clearing member, is too general and broad.304 Citadel commented that the Commission should ‘‘focus on trading activity that can impact the proper functioning of the market, instead of purely internal events within a firm that do not impact other market participants, such as an inadvertent violation of an internal trading-related process.’’ 305 CME indicated that applying a causation standard to internal policies may cause uncertainty.306 In response to the concerns expressed by commenters, the Commission is considering limiting the scope of the term to violations of applicable law, including the Act and CFTC regulations. To that end, the Commission is considering whether to eliminate from NPRM proposed § 1.3(tttt) references to an AT Person’s own internal rules, those of its clearing member, any DCM on which it trades, or an RFA.307 rules and regulations thereunder, the rules of any designated contract market to which such AT Person submits orders through Algorithmic Trading, the rules of any registered futures association of which such AT Person is a member, the AT Person’s own internal requirements, or the requirements of the AT Person’s clearing member, in each case as applicable. 302 See AIMA 8; Citadel 3; CME A–3; CTC 14; IAA 9; ICE 10; FIA Appendix A 5, 11; ISDA 4; MFA 13; SIFMA 3. 303 SIFMA 3, 1; see also Citadel 3. 304 MFA 13. 305 Citadel 3. 306 CME A–3–4. 307 The Commission notes, however, that its regulation 166.3 requires each Commission registrant (except certain associated persons) to ‘‘diligently supervise’’ the handling by its partners, officers, employees, agents, and persons occupying a similar status or performing a similar function, of all commodity interest accounts carried, operated, advised, or introduced by the registrant, and all other activities of its partners, officers, employees, agents, etc. AT Persons would be included among the Commission registrants subject to § 166.3 VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 NPRM proposed § 1.3(uuuu) defines the term Algorithmic Trading Disruption.308 The term is relevant to Regulation AT’s pre-trade risk and other control requirements for AT Persons and FCMs that are clearing members for a DCO, as provided in NPRM proposed §§ 1.80 and 1.82(a), respectively. Several commenters asserted that the proposed definition is too broad 309 or lacks clarity.310 Commenters also recommended excluding events originating within an AT Person from the scope of an Algorithmic Trading Disruption.311 The Commission is considering potentially eliminating references in the definition to a disruption of an AT Person’s own ability to trade, and limiting the scope of the term to disruptions of the market and others’ ability to trade on it. The Commission is also considering whether to make analogous changes to the defined term Algorithmic Trading Event. NPRM proposed § 1.3(vvvv) defined the term Algorithmic Trading Event to mean either an Algorithmic Trading Compliance Issue or an Algorithmic Trading Disruption. The term is used in NPRM proposed § 1.80, which required AT Persons to implement risk controls that are reasonably designed to prevent or mitigate an Algorithmic Trading Event.312 The term is also used in NPRM proposed § 1.81(a) (requiring AT Persons to conduct regular back-testing using historical data to identify circumstances that may contribute to Algorithmic Trading Events), NPRM proposed § 1.81(b) (requiring AT Persons to conduct real-time monitoring of Algorithmic Trading to identify potential Algorithmic Trading Events), and NPRM proposed § 1.81(d) (requiring AT Persons to establish training procedures for communicating and escalating to appropriate personnel instances of Algorithmic Trading Events). Several commenters stated that the proposed definition of Algorithmic Trading Event is unnecessary 313 or 308 NPRM proposed § 1.3(uuuu) provides that the term ‘‘Algorithmic Trading Disruption’’ means an event originating with an AT Person that disrupts, or materially degrades, (1) the Algorithmic Trading of such AT Person, (2) the operation of the designated contract market on which such AT Person is trading or (3) the ability of other market participants to trade on the designated contract market on which such AT Person is trading. 309 AIMA 9; CME A–4; MMI 2; SIFMA 3, 19; CME A–4; FIA Appendix A–5, A–6. 310 CME A–4; FIA Appendix A–5, A–6. 311 SIFMA 3, 19; CME A–4; AIMA 2, 9; MMI 2. 312 This provision now requires AT Persons to implement controls reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event. 313 MFA 15; MMI 2. PO 00000 Frm 00033 Fmt 4701 Sfmt 4702 85365 overly broad.314 Consistent with the proposed changes to NPRM proposed §§ 1.3(tttt) and 1.3(uuuu) described above, the Commission is considering clarifying in the final rules for Regulation AT that an AT Person’s internal policies, or the disruption of its own Algorithmic Trading, are outside the scope of an Algorithmic Trading Event. Additionally, the Commission is considering whether to modify certain requirements regarding the development, monitoring, and compliance of ATSs under NPRM proposed § 1.81. CME, MFA, AIMA and FIA commented that the requirement under NPRM proposed § 1.81(a)(1)(ii) 315 to test all changes to Algorithmic Trading code prior to implementation is too broad.316 CME also raised concerns that this requirement would impose significant costs for AT Persons and DCMs.317 MFA and AIMA recommended that this requirement be limited by a materiality standard.318 FIA commented that ‘‘‘any changes’ should be clarified to be limited to any change that directly impacts source code associated with determining when and how to send an order or otherwise impact an order on a DCM.’’ 319 FIA also commented that ‘‘‘related systems’ should be clarified to pertain only to those systems that have the ability to determine when and how to send an order or otherwise affect an order on a DCM.’’ 320 The Commission has withdrawn the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test all Algorithmic Trading code and related systems on each DCM on which Algorithmic Trading will occur. The Commission is also considering whether to modify the requirement that AT Persons must test all changes to code by adding a materiality standard. The Commission is considering whether to modify the algorithm monitoring requirements under NPRM proposed § 1.81(b), which requires continuous real-time monitoring of 314 SIFMA 3, 19. proposed §§ 1.81(a)(1)(ii) (requiring AT Persons to implement written policies and procedures for the testing of all Algorithmic Trading code and related systems and any changes to such code and systems prior to their implementation and that such testing must be conducted both internally within the AT Person and on each designated contract market on which Algorithmic Trading will occur.). 316 CME A–16; MFA 19; AIMA 16; FIA 61. 317 CME A–16. 318 MFA 19; AIMA 16. 319 FIA 61. 320 Id. 315 NPRM E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85366 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules ATSs.321 Several commenters recommended changes to the proposed requirements for real-time monitoring. CME stated that ‘‘any final regulation should be flexible enough to allow the most reasonable approach for real-time monitoring that is proportional to the AT Person’s size and risk profile.’’ 322 FIA recommended that the Commission ‘‘only mandate that: (1) One or more specifically identifiable persons at an AT Person must have the authority to address system breakdowns that might cause an Algorithmic Trading Disruption; and (2) systems must be in place to help such persons monitor for potential problems and interact with each Algorithmic Trading system.’’ 323 IAA commented that the monitoring and compliance requirements of § 1.81 should be replaced with a more general requirement for AT Persons to design a compliance program that is reasonably designed to meet the requirements of the rule. The Commission is considering whether to eliminate certain language in the NPRM preamble regarding CFTC expectations that the person monitoring an algorithm should simultaneously be engaged in trading. The Commission is also considering whether to eliminate in its entirety NPRM proposed § 1.81(c)(2)(ii). The provision provided that each AT Person must implement written policies and procedures requiring a plan of internal coordination and communication between compliance staff of the AT Person and staff of the AT Person responsible for Algorithmic Trading regarding Algorithmic Trading design, changes, testing, and controls, which plan should be designed to detect and prevent Algorithmic Trading Compliance Issues. In addition, the Commission is continuing to evaluate comments regarding certain of the enumerated risk control mechanisms in the NPRM (and retained in this Supplemental). For example, the Commission is considering the appropriateness of a maximum execution frequency control at the DCM level. The Commission is also considering clarifying in any final rules it may adopt for Regulation AT that the requirements for market maker and trading incentive programs under NPRM proposed § 40.25 do not apply retroactively, i.e., to programs 321 NPRM proposed § 1.81(b) provides, inter alia, that each AT Person shall implement written policies and procedures reasonably designed to ensure that each of its Algorithmic Trading systems is subject to continuous real-time monitoring by knowledgeable and qualified staff while such Algorithmic Trading system is engaged in trading. 322 CME A–18. 323 FIA 66. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 established prior to the Regulation AT effective date. In addition to proposing the changes to NPRM proposed rules set forth above, the Commission notes that it has determined to defer to a later date the final rules regarding self-trading 324 and disclosure and transparency of DCM trade matching systems.325 The Commission anticipates finalizing those rules after finalizing the other rules proposed in the NPRM and this Supplemental NPRM. D. Commission Questions 38. The Commission welcomes all comments regarding its consideration of potential amendments, deferral, or elimination of provisions proposed in the NPRM as discussed in this Section VIII of the Supplemental NPRM. IX. Related Matters A. Cost-Benefit Considerations 1. The Statutory Requirement for the Commission To Consider the Costs and Benefits of Its Actions Section 15(a) of the CEA requires the Commission to ‘‘consider the costs and benefits’’ of its actions before promulgating a regulation under the CEA or issuing certain orders.326 Section 15(a) further specifies that the costs and benefits must be evaluated in light of the following five broad areas of market and public concern: (1) Protection of market participants and the public; (2) efficiency, competitiveness, and financial integrity of futures markets; (3) price discovery; (4) sound risk management practices; and (5) other public interest considerations. The Commission considers the costs and benefits resulting from its discretionary determinations with respect to the section 15(a) factors below. As a general matter, the Commission considers the incremental costs and benefits of the new and amended rules proposed in this supplemental notice of proposed rulemaking for Regulation Automated Trading,327 taking into account what it 324 See NPRM proposed § 40.23. NPRM proposed § 38.401(a). 326 7 U.S.C. 19(a). 327 As explained, infra, on December 17, 2015, the Commission published in the Federal Register a notice of proposed rulemaking (‘‘NPRM’’) proposing a series of risk controls, transparency measures, and other safeguards to enhance the safety and soundness of automated trading on all designated contract markets (‘‘DCMs’’) (collectively, ‘‘Regulation Automated Trading’’ or ‘‘Regulation AT’’). Regulation Automated Trading, Proposed Rule, 80 FR 78824 (Dec. 17, 2015) (hereinafter ‘‘NPRM’’). Through this supplemental notice of proposed rulemaking for Regulation AT (‘‘Supplemental NPRM’’), the Commission is proposing certain modifications and additions to rules set forth in the believes is industry practice given the Commission’s existing regulations and industry best practices, as described below. Where reasonably feasible, the Commission has endeavored to estimate quantifiable costs and benefits. The Commission also identifies and describes costs and benefits qualitatively. 2. Comments Regarding Costs and Benefits of Regulation AT 328 a. Pre-Trade Risk Controls and Other Measures Some commenters addressing Regulation AT requirements generally (including pre-trade risk controls, recordkeeping, and compliance report costs) indicated that costs are substantially higher than estimated in the proposed rule and the articulated benefits do not justify the costs.329 As to DCMs, FIA commented that certain of the Commission’s proposed pre-trade and other risk controls for DCMs are overly prescriptive and would result in costly investment in controls that would not be sufficiently flexible to adapt to further market evolution.330 b. Testing and Supervision of Automated Systems Rules applicable to DCMs: CBOE recommended that any requirements for testing environments be principlesbased and not prescriptive in order to accommodate the current best practices of the industry and to avoid requiring the development of costly new systems that are not currently in existence at DCMs.331 ICE, CME, and FIA each stated that the requirement to have DCM test environments offer simulation of production trading, contained in NPRM proposed § 40.21, was impractical. ICE stated that requiring DCM test environments to support the simulation of real market conditions or historical transaction, order or message data in its test environment is not practical, and that any benefits that this type of simulation may produce would not be commensurate with the substantial cost 325 See PO 00000 Frm 00034 Fmt 4701 Sfmt 4702 NPRM. This discussion refers to rules originally proposed in the NPRM as ‘‘NPRM proposed’’ and rules proposed in the Supplemental NPRM as ‘‘Supplemental proposed.’’ 328 This summary of comments is limited to those relevant to the costs and benefits of the Supplemental proposed rules that are the subject of this Supplemental NPRM. Comments addressing the costs and benefits of NPRM proposed rules not modified by this Supplemental NPRM will be included in the final rulemaking release for Regulation AT. 329 See, e.g., FIA 1–3; 10–11; A–78; MFA 34–25; QIM 3; SIFMA 20. 330 FIA A–41. 331 CBOE 6–7. E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules associated with developing it. Without the actual interaction of real trades and the wide range of market conditions that can occur in a live trading environment, ICE stated that it is unclear what benefits would arise from this type of simulation. ICE also commented that the implementation would require significant financial investment to develop and maintain.332 CME commented that the Commission fails to clearly define the term ‘‘simulate’’ in NPRM proposed § 40.21. In addition, CME stated if the Commission interprets Regulation AT to require DCMs to maintain and provide a test environment that includes a production parallel facility that utilizes real-time or near real-time market and transaction data for testing of a market participant’s algorithm, the Commission’s cost analysis of NPRM proposed § 40.21 is incorrect.333 FIA commented that although it is possible to include historical data in test environments that can be replayed to simulate stress conditions in DCM stress environments, such environments would not be able to interact with the market. As a result, FIA asserted that a true simulation is not possible. Requiring historical data would add costs without producing the intended improvement in the DCM test environment. FIA also indicated that a test environment as prescribed in NPRM proposed § 40.21 would not be possible within the bounds of reasonable investment, and that any costs would far outweigh the purported benefits.334 FIA and CME both stated that the costs of NPRM proposed § 1.81 exceed the benefits. CME stated that the prescriptive nature of the requirements set forth in NPRM Proposed § 1.81 will introduce significant cost and inefficiencies without the benefit of reduced risk to DCMs and market participants. Moreover, FIA and CME commented that the Commission has significantly underestimated the cost to both market participants and DCMs to support performance level production testing.335 FIA also stated that the proposed prescriptive requirements with respect to DCM test environments are cost prohibitive with no justifiable benefit.336 CME further commented that back testing is a complex and costly exercise with a limited scope for mitigating risk; therefore, NPRM proposed § 1.81 should not be adopted.337 CME asserted that the costs to AT Persons and DCMs to establish the extensive infrastructure needed for back testing far exceed the benefits. CME also stated that requiring AT Persons to test ‘‘any’’ change with DCMs, as set forth in NPRM proposed § 1.81(a)(1)(ii), is too vague. Moreover, CME commented that the requirement was too expansive in that it would encompass testing for changes to systems which would not reduce risk to the AT Person or the overall markets, but would instead be a significant cost burden for AT Persons and the DCM.338 CME further indicated that requiring DCMs to provide test environments that simulate production performance levels would be costly and less effective than the current market practice, whereby AT Persons design and develop their own scaled environment with the support of DCMs.339 TT commented that the testing requirements under NPRM proposed § 1.81(a) ‘‘should focus on the output of an Algorithmic Trading system or software rather than the source code underlying such systems or software, which would yield no material benefit.’’ 340 Rules applicable to AT Persons: A Roundtable participant stated that Regulation AT is ‘‘a very, very heavy burden’’ and ‘‘an extreme cost to be an AT person.’’ 341 CTC commented that NPRM proposed § 1.81(a) would require CTC to draft, implement, and test a whole new series of policies. Altering its procedures to conform to the regulation, CTC explained, would be costly and would not provide sufficient benefit to justify the costs. CTC further indicated that the cost-benefit analysis contained in the NPRM fails to adequately explain the benefits, only citing an event involving Knight Capital. According to CTC, the event ‘‘is a threadbare justification for imposing prescriptive requirements on AT Persons.’’ CTC further stated that proposed § 1.81(b), which requires AT Persons to provide for continuous, realtime monitoring of ATSs, entails significant staffing and other resource costs. CTC commented that real-time monitoring is a standard that is impossible to meet.342 CTC proposed ‘‘near real time’’ as an alternative standard.343 337 CME 338 CME 332 ICE 339 Id. 333 CME A–10. 35. 334 FIA A–44–A–45. 335 CME A–16. 336 FIA A–38, A–39 and A–44. A–15. A–16. FIA, SIFMA, and Mercatus objected to the rule requiring monitoring of algorithmic trading by a natural person separate from the trader. FIA stated that hiring an activity monitor that is independent of the trader would not be operationally efficient or reasonable from a cost perspective.344 SIFMA also noted that requiring separate monitors to those implementing a training strategy is overly burdensome and inconsistent with typical CPO/CTA trading behavior. SIFMA argued that the requirement to ‘‘oversee a trader’s actions continuously and in real time is a burdensome measure that is not common practice in the industry and may not be capable of being accomplished fully.’’ Instead, SIFMA stated that traders would have the appropriate monitoring knowledge and can respond best in real time.345 Mercatus argued that requiring the separation of algorithmic monitoring and trading would create undue burdens on small firms. Specifically, Mercatus stated that ‘‘the required separation of trading and monitoring functions is akin to requiring that every firm engaged in algorithmic trading have a dedicated compliance person. Further burdening small firms, the Commission requires ‘staff of the AT Person to review ATSs in order to detect potential Algorithmic Trading Compliance Issues’ and specifies that ‘such staff must include staff of the AT Person familiar with’ the relevant laws, regulations, and rules. This language would seem to preclude the use of outside consultants, which could be a more affordable method of compliance for small firms.’’ 346 MFA argued that a separate physical structure for algorithm testing would be unnecessarily burdensome to smaller AT Persons. In contrast to physical separation, MFA commented that virtual separation (ensuring that testing software does not connect to active markets) rather than physical separation, would reduce costs and more easily allow for the sharing of components between test and production environments such as ‘‘market data infrastructure or reference data files.’’ MFA also noted concerns with code testing, stating that the requirement is broad. MFA pointed out that only material changes should be required to be tested. MFA stated that it is not uncommon for CTAs and CPOs to make minor adjustments to certain parameters embedded in their investment trading software on a daily 340 TT VerDate Sep<11>2014 19:51 Nov 23, 2016 III 1. CME, Roundtable Tr. 28:12–18. 342 CTC 14. 343 Id. at 12–13. 341 See Jkt 241001 PO 00000 Frm 00035 Fmt 4701 Sfmt 4702 85367 344 FIA A–77. 16. 346 Mercatus 4. 345 SIFMA E:\FR\FM\25NOP2.SGM 25NOP2 85368 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules basis, including administrative changes, or enhancements.347 SIFMA commented that the definition of AT Person extends to systems in which trades are communicated to the FCM/other trader for execution. SIFMA indicated that such execution management systems are often not under the development or control of the CPO/CTA and therefore cannot be fully monitored by them. In addition, SIFMA stated that CPO/CTAs may make use of routing software (AORSs) provided by the FCM that often have risk controls built in.348 FIA commented that the CFTC needs a better understanding of, among other things, the anticipated benefits and actual costs of the proposed requirements for policies and procedures for the development, testing, deployment, and monitoring of ATSs.349 FIA further asserted that several of the requirements in NPRM proposed § 1.81(a)–(d) are not standard industry practice and would impose costs on AT Persons, including costs stemming from the hiring of additional staff. In addition, FIA commented that the rules would require extensive narrative documentation, testing of every change to an ATS at every DCM, historical back-testing of all changes to source code, separation of the trading function and the monitoring function associated with Algorithmic Trading, and documentation of system strategy and design independently of the software responsible for executing the strategy.350 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS c. Requirements To Maintain and Make Available Source Code Records In support of the NPRM proposed rules regarding source code, Better Markets commented that ‘‘the clear and many benefits arising from the Commission’s ability to perform postmortems after disruptive market events far outweigh any legitimate concerns, which haven’t been proffered.’’ 351 In contrast, other commenters expressed concerns regarding potential costs regarding source code recordkeeping. CME commented that maintaining a source code repository would impose significant burdens and costs on any entity that does not currently do so.352 CME further commented that the CFTC has not demonstrated any need for AT Persons to make source code available, ‘‘let alone a need that outweighs the cost 347 MFA 18–19. 4–5, 16. 349 FIA 3–4. 350 FIA A–72. 351 Better Markets III 3. 352 CME 38. 348 SIFMA VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 and confidentiality concerns attendant to such a requirement.’’ 353 The Industry Group commented that the proposed source code requirement ‘‘puts highly proprietary information at risk without measurable benefits.’’ 354 FIA stated that the requirement in NPRM proposed § 1.81(a)(v) for AT Persons to maintain a source code repository in accordance with § 1.31 is impractical and unduly burdensome.355 FIA noted that the proposed rule captures Algorithmic Trading source code as well as the source code of ‘‘related systems’’ in its retention and access requirements.356 FIA asserted that ‘‘related systems’’ is vague and could encompass all, or nearly all, source code utilized by an AT Person, including, but not be limited to, source code associated with back-office, portfolio risk management, monitoring, and user interfaces. FIA indicated that such a broad interpretation would dramatically increase the cost of complying with the proposed rules. Relatedly, a Roundtable participant noted that storage of source code is not free.357 AIMA commented that source code ‘‘provides very little supervisory or investigative utility to anyone seeking to ‘read’ it’’ and that accessing source code ‘‘without a specific court-upheld reason would simply risk the commercially sensitive IP of AT Persons without providing any additional benefit.’’ 358 The Chamber of Commerce asserted that ‘‘the CFTC has not provided an estimate of the costs for hiring qualified developers that could actually analyze the proprietary source code, meaning that the CFTC currently does not know how much it would even cost to review information within its possession.’’ 359 The Chamber of Commerce further asserted that the proposed source code requirements would ‘‘not provid[e] any tangible benefit to the CFTC.’’ 360 KCG commented that ‘‘it seems clear that the risks (and costs) of allowing ondemand access to proprietary source code outweigh any potential benefit.’’ 361 Similarly, MGEX also expressed concern that the costs of the proposed source code requirement outweigh the benefits.362 MMI commented that ‘‘the costs associated with creating a new regulatory 353 CME III 9. Group 6 (emphasis omitted). 355 FIA A–54. 356 Id. at A–55. 357 AQR, Roundtable Tr. at 281:9–10. 358 AIMA III 5. 359 Chamber of Commerce III 4. 360 Chamber of Commerce III 6. 361 KCG III 5. 362 MGEX III 7. 354 Industry PO 00000 Frm 00036 Fmt 4701 Sfmt 4702 requirement and the risks associated to the disclosure of such information [i.e., source code] to regulators (and perhaps inadvertently to the public) defy an acceptable cost-benefit analysis of the proposed § 1.81(a).’’ 363 Finally, QIM asserted that the proposed source code requirement ‘‘would not provide the benefits envisioned by the Commission.’’ 364 d. Requirement To Submit Compliance Reports and Other Related Algorithmic Trading Requirements Costs and Benefits to DCMs: ICE commented that the burden on DCMs to collect and review the proposed annual reports is significant. ICE indicated that undertaking the type of review necessary to verify and evaluate the information contained in the proposed annual reports would be both costly and resource intensive. The number of AT Persons and clearing FCMs that would be required to file annual reports with DCMs would far exceed the number of clearing FCMs that are currently reviewed under DSRO audit today. Further, ICE stated that DCMs do not have the resources or qualified expertise that would be required to conduct a comprehensive review of the proposed annual reports and the algorithms developed and operated by AT Persons. ICE recommended that the annual report requirement set forth in NPRM proposed § 1.83 be replaced with a certification process.365 CME commented that the annual compliance report requirement creates an unnecessary administrative burden on all parties involved without generating a significant benefit.366 CME asserted that the information in the reports would be stale and that CME would need to hire additional staff with the expertise to evaluate the reports. Moreover, CME indicated that compliance reports would be onerous and duplicative for clearing FCMs, as they already undergo significant review by their DSRO and clearing organizations. CME argued that further unnecessary duplication would result from AT Persons submitting reports to multiple DCMs. With regard to specific cost estimates, CME stated that the Commission has significantly underestimated the ongoing costs to DCMs of complying with the NPRM’s requirement to periodically review AT Person and clearing FCM compliance reports and books and records, and to identify and 363 MMI III 2–3. III 2. 365 ICE A–31. 366 CME 20; CME III 4. 364 QIM E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules remediate any insufficient mechanisms, policies and procedures discovered. In the NPRM, the Commission estimated that it would cost each DCM approximately $244,080 per year to comply with NPRM proposed § 40.22. CME believes this estimate is deficient by approximately 50% and estimated the annual cost for each of its four DCMs to be closer to $525,000, assuming that across all four DCMs, approximately 650 entities would come within the scope of the proposed compliance report requirements and that each entity would be reviewed once every four years (across all four DCMs). CME estimated that it would take approximately one month for a full-time employee to complete each review. According to CME, the biggest flaw in the CFTC’s analysis is its assumption that new full-time employees dedicated to compliance with § 40.22 would not be required. Moreover, for the compliance report to provide any meaningful benefit to market integrity, DCM personnel would need to spend far more than 15 hours reviewing each report and related books and records.367 MGEX commented that costs are likely to be higher for DCMs than those calculated by the Commission, especially for the requirement that DCMs review, analyze and remediate compliance programs of AT Persons.368 In extremis, elevated costs could leave the marketplace in a situation of reduced competition between DCMs. MGEX provided estimates for the costs associated with DCM compliance, and stated that the per-form review time would exceed the Commission’s 15 hour estimate because such forms would not be standardized. MGEX indicated that the review process would require the hiring of at least two additional full time employees. Finally, MGEX argued that these costs are especially burdensome for smaller DCMs, stating: ‘‘[T]he costs associated with new compliance obligations disproportionally impacts existing DCMs. With every new compliance obligation, there are new costs. For smaller DCMs, the cost are often more severe. This is because smaller DCMs do not have the benefit of large staffs and resources to leverage. Put differently, it is more likely smaller DCMs will have to hire additional staff to meet new compliance obligations, and therefore their cost assessment is fundamentally different than larger DCM.’’ 369 Costs and Benefits to Market Participants and FCMs: MFA commented that Regulation AT reporting, compliance and recordkeeping costs far outweigh the benefits, and proposed that reporting/ compliance could be incorporated in the NFA review program which is already CPO/CTA common practice.370 FIA recommended that each AT Person periodically review and test the effectiveness of its policies and procedures related to Algorithmic Trading and take prompt action to remedy any deficiencies.371 However, because there is no materiality threshold associated with the remediated deficiencies in the proposed rule, FIA does not support documenting each incident of remediation. FIA indicated that many deficiencies are immaterial and the costs associated with their documentation would outweigh the marginal benefit, if any. In addition, FIA asserted that extensive documentation of policies and procedures associated with trading system design, development, testing, operations, and compliance does little to reduce any perceived risks associated with Algorithmic Trading. FIA stated that the application of sound policies and procedures, rather than the documentation of those policies and procedures, has a material impact on reducing risk.372 FIA opposes requiring AT Persons or clearing member FCMs to prepare annual reports because, among other things, the burden of preparing and filing an annual report may be extensive, especially if Regulation AT applies to AT Persons of different sizes and complexities.373 FIA noted that IBs, CTAs, CPOs who are small entities may be disproportionately adversely impacted by Regulation AT. FIA also argued that since FCMs are already required to prepare CCO Annual Reports under § 3.3 and subject to risk management requirements under §§ 1.11 and 1.73, there is no marginal benefit in requiring FCMs to produce an additional annual report. FIA expects that such a report would cost substantially higher than the Commission’s estimates. CME commented that the ‘‘proposed requirement that AT Persons and clearing FCMs prepare and submit extensive annual compliance reports to DCMs creates an unnecessary administrative burden on all parties involved without providing significant benefit to market integrity.’’ 374 In addition, a Roundtable participant representing an FCM estimated that the compliance costs for Regulation AT would be $1 million annually for the participant’s firm.375 Another Roundtable participant questioned whether all FCMs could afford that cost and suggested that ‘‘we could potentially lose’’ some FCMs.376 e. Requirements for Certain Entities to Register as New Floor Traders MFA commented that, as currently proposed, Regulation AT would apply to the majority of futures market participants, significantly increasing compliance costs relative to a framework where risk controls are applied at the DCM and clearing-FCM level. Specifically, MFA stated that it ‘‘is concerned that the Regulation AT framework is overly broad and elaborate, which would make implementation expensive and burdensome for market participants and regulators. Regulation AT, as proposed, would regulate—in the same manner— virtually any market participant that uses any automation with respect to trading, without taking into consideration the type of automation or the different category, business or operational size of the market participant. Based on the Commission’s own cost-benefit and regulatory flexibility analyses, we believe this is not the Commission’s intent.’’ MFA acknowledged that risk controls are appropriate for all entities, but requiring the same risk controls at all levels of trading is unreasonably costly.377 The Commercial Alliance commented that a quantitative measure to identify the population of AT Persons ‘‘would require the CFTC to revise the metric frequently’’ and such revisions would ‘‘increase costs for market participants to update their IT systems and monitoring practices accordingly, which could cause a lag in the markets and reduce liquidity.’’ 378 The Commercial Alliance further commented that a registration framework for AT Persons would ‘‘impose significant cost burdens to market participants’’ but would not provide any ‘‘additional regulatory benefit.’’ 379 3. The Commission’s Cost-Benefit Consideration of Regulation AT— Baseline Point In the NPRM, the Commission took account of the incremental costs and at 22. 25–26. 369 Id. at 27. 368 MGEX VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 370 MFA 375 ABN 371 FIA 367 CME 9 A–63. 372 Id. at A–73. 373 Id. at A–91–A–92. 374 CME III 4. 376 OneChicago, PO 00000 Frm 00037 Fmt 4701 85369 AMRO, Roundtable Tr. 176: 13–17. Roundtable Tr. 197: 11–15. 377 MFA 5–6. 378 Commercial Alliance III 3. 379 Id. at III 6. Sfmt 4702 E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85370 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules benefits of the proposed rules relative to what it understood as the general industry status quo conditions (reflective of the Commission’s existing regulations and industry best practices). As noted in the NPRM, elements of Regulation AT sought to codify existing norms and best practices of trading firms, FCMs, and DCMs, meaning that the costs and benefits to firms already satisfying these norms and employing the proposed codified practices would be minimal. The Commission, however, also recognized in the NPRM that some individual firms currently may not be operating at industry best practice levels; for such firms, costs and benefits attributable to the proposed regulations will be incremental to a lower status quo baseline. To assist the Commission and the public in assessing and understanding the economic costs and benefits of the Supplemental proposed rules as revised in this Supplemental NPRM, the Commission has, in general, analyzed the costs of the proposed regulations as compared to the analogous regulations as proposed in the original NPRM.380 In doing so, the Commission notes how the Supplemental proposed rules alter the previous NPRM assessment relative to the status quo baseline. As noted in the NPRM, in many instances, full quantification of the costs is not reasonably feasible because costs depend on the size, structure, and practices of trading firms, FCMs and DCMs. Within each category of entity, the size, structure and practices of such entities will vary markedly. In addition, the quantification may require information or data, some of which may be proprietary, that the Commission lacks means to access. Further, with exceptions noted in the IX.A.2 discussion of cost-benefit comments, interested parties have not provided information in response to the Concept Release and NPRM to assist the Commission in quantifying costs. The Commission notes that to the extent that the regulations proposed in this rulemaking result in additional costs, those costs will be realized by trading firms, FCMs and exchanges in order to protect market participants and the public. Finally, in general, full quantification of the benefits of the proposed rule is also not reasonably feasible, due to the difficulty in quantifying the benefits of a reduction 380 The Commission notes that the costs and benefits of NPRM § 1.81(vi), regarding the source code and log file retention, were not explicitly discussed in the NPRM. Therefore, as discussed below, for Supplemental proposed § 1.84, the Commission is using current industry practice as the baseline. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 in market disruptions and other significant market events due to the risk controls and other measures proposed in Regulation AT. 4. The Commission’s Cost-Benefit Consideration of Regulation AT—CrossBorder Effects The Commission notes that the consideration of costs and benefits below is based on the understanding that the markets function internationally, with many transactions involving U.S. firms taking place across international boundaries; with some Commission registrants being organized outside of the United States; with leading industry members typically conducting operations both within and outside the United States; and with industry members commonly following substantially similar business practices wherever located. Where the Commission does not specifically refer to matters of location, the below discussion of costs and benefits refers to the effects of the proposed rules on all activity subject to the proposed and amended regulations, whether by virtue of the activity’s physical location in the United States or by virtue of the activity’s connection with or effect on U.S. commerce under CEA section 2(i).381 In particular, the Commission notes that some AT Persons are located outside of the United States. 5. Introduction: The NPRM and Supplemental NPRM for Regulation AT The consideration of costs and benefits for this Supplemental NPRM for Regulation AT builds on the costbenefit considerations contained in the NPRM. Regulation AT reflects a comprehensive effort to reduce risk and increase transparency across algorithmic order origination and electronic trade execution on all U.S. futures exchanges. The proposed rules, both in the NPRM and the Supplemental NPRM, seek to modernize the Commission’s regulatory regime, keep pace with evolving markets and technologies, and to promote the continued safety and soundness of trading on all contract markets. The Commission is endeavoring, through this Supplemental NPRM, to incorporate persuasive comments received during numerous opportunities for public comment, and to address concerns raised by market participants including concerns related to the costs and benefits of Regulation AT as proposed in the NPRM. Many of the changes in the Supplemental NPRM are designed to mitigate cost concerns while retaining the important benefits of Regulation AT. For example, as discussed below, the Commission is proposing to reduce the number of levels at which risk controls are typically applied to two (the DCM and either the FCM or AT Person) from three (the DCM, FCM, and AT Person) and proposing a volume threshold to limit the number of AT Persons under the Supplemental NPRM relative to the number of AT Persons under the NPRM. Both of these changes are designed to reduce costs while retaining the essential benefits associated with the risk controls and the rules applicable to AT Persons. 6. Proposed New Definitions and Changes to NPRM Proposed Definitions The Commission proposes in this Supplemental NPRM new defined terms ‘‘Electronic Trading’’ and ‘‘Electronic Trading Order Message’’ as well as ‘‘Algorithmic Trading Source Code.’’ The Commission also proposes to modify certain definitions proposed in the NPRM, including ‘‘Direct Electronic Access’’ (‘‘DEA’’) and ‘‘AT Order Message.’’ Finally, the Commission in this Supplemental NPRM changes various references in Regulation AT from ‘‘clearing member’’ to ‘‘executing’’ FCM. The Commission believes that these definitions and changes in terminology do not impose costs or confer benefits in and of themselves. However, as discussed below, changes in definition or new definitions may affect the costs and benefits of rules where defined terms are used. 7. Requirements for AT Persons a. Summary of Proposal The Commission proposes changes to modify the definition of AT Person. Pursuant to Supplemental proposed § 1.3(xxxx), a market participant may fall under the definition of AT Person in one of three ways. First, the category of AT Persons includes persons registered or required to be registered as an FCM, floor broker, swap dealer, major swap participant, commodity pool operator, commodity trading advisor, or introducing broker that (1) engages in Algorithmic Trading and (2) satisfies the volume threshold of 20,000 contracts traded per day over a six month period under Supplemental proposed § 1.3(x)(2).382 Second, AT Persons include New Floor Traders under Supplemental proposed § 1.3(x)(1)(iii).383 Such New Floor Traders must engage in Algorithmic Trading, utilize DEA under the revised 382 See 381 7 PO 00000 U.S.C. 2(i). Frm 00038 Fmt 4701 383 See Sfmt 4702 E:\FR\FM\25NOP2.SGM Supplemental proposed § 1.3(xxxx)(1)(i). Supplemental proposed § 1.3(xxxx)(1)(ii). 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules definition,384 and satisfy the volume threshold under Supplemental proposed § 1.3(x)(2). Third, a person who does not satisfy either of the other two prongs of the AT Person definition may nevertheless elect to become an AT Person, provided that such person registers as a floor trader and complies with all requirements of AT Persons pursuant to Commission regulations.385 Further, Supplemental proposed § 1.3(x)(4) contains an anti-evasion provision prohibiting the trading of contracts through multiple entities for the purpose of evading the registration requirements imposed on New Floor Traders under § 1.3(x)(3), or to avoid meeting the definition of AT Person under § 1.3(xxxx). Under the volume threshold, if a floor trader or other registrant who is a potential AT Person (including other entities under common control) trades an aggregate average daily volume on electronic trading facilities across all products and all DCMs of at least 20,000 contracts, including for a firm’s own account, the accounts of customers, or both,386 over a six-month period (either January–June or July–December), that registrant will be an AT Person. Further, under NPRM proposed § 170.18, AT Persons also must register for membership in at least one RFA. Supplemental proposed § 170.18 clarifies that an AT Person not yet a member of an RFA must submit an application for membership in at least one RFA within 30 days of such registrant satisfying the volume test set forth in Supplemental proposed § 1.3(x)(2). Finally, under Supplemental proposed § 1.3(xxxx)(2), an entity may voluntarily choose to become an AT Person even if it does not otherwise meet the definition of AT Person by choosing to register as a floor trader and applying for membership with an RFA. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS b. Costs The NPRM’s cost-benefit considerations for rules applicable to AT Persons, and for rules on other market participants that depend on the 384 Under the revised definition in § 1.3(yyyy), DEA includes any electronic order submissions to a DCM, unless the order is first received by an FCM from a separate natural person by means of written or oral communication prior to being submitted to the DCM by the FCM. 385 See Supplemental proposed § 1.3(xxxx)(2). 386 As discussed above in Section II(C), New Floor Traders who are not otherwise registered with the Commission would be expected to trade only for their own accounts, not on behalf of customers. Absent any trading for a customer account consistent with the Act and Commission regulations, New Floor Traders would therefore be expected to apply the volume threshold test solely to their proprietary trading volume. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 number of AT Persons (i.e., § 40.22 DCM compliance report review program), were based on an estimate of 420 AT Persons. That estimate was based on a sample of order messages sent to DCMs and was based on the NPRM proposed definition of DEA.387 This data included new orders, modifications to orders, and cancellations, and the methodology for estimating that number was specified in the NPRM.388 In response to comments asserting that the actual number of AT Persons under the proposed rule would be much larger than the 420 entities estimated the Commission, the Commission is proposing a volume threshold to limit the number of AT Persons. The volume threshold would be set at 20,000 contracts aggregated across a market participant’s own account, the accounts of customers, or both, over a six-month period. The Commission estimates that the proposed volume threshold will reduce the number of AT Persons to approximately 120. In order to derive this estimate, the Commission made use of daily trading audit trail data, for futures and options on futures, received from each DCM. Because the volume threshold is based on activity within a semi-annual period, the Commission calculated the average activity of individual firms during the first half of 2016 and used these aggregate numbers as an activity benchmark. Aggregating this activity across the DCMs for which the Commission had firm identification provided a basis for estimating the number of potential AT Persons. The Commission notes that its data provides a significantly comprehensive, but not a full, identification of the firms associated with each trade; in other cases, the firm associated with a trade may be the broker rather than the principal. For these reasons, the Commission estimate for the number of AT Persons may omit some firms that would meet the volume threshold requirements. The Commission notes that the definition of ‘‘Direct Electronic Access’’ is an element of the definition of ‘‘floor trader’’ and, thus, AT Person. The Commission is modifying the definition of DEA. Under Supplemental proposed § 1.3(yyyy), DEA includes any electronic order submissions to a DCM, unless the order is first received by an FCM from an unaffiliated natural person by means 387 Under NPRM proposed § 1.3(yyyy), DEA was defined as an arrangement where a person electronically transmits an order to a DCM, without the order first being routed through a separate person who is a member of a DCO to which the DCM submits transactions for clearing. 388 NPRM at 78884. PO 00000 Frm 00039 Fmt 4701 Sfmt 4702 85371 of written or oral communication prior to being submitted to the DCM by the FCM. This definition, in and of itself, is broad enough to potentially include most participants on DCMs. However, merely meeting the definition of DEA will not impose costs on market participants trading for their own account who are not AT Persons; that is, to incur costs, they must also engage in Automated Trading and meet the volume threshold. The clarifying changes to Supplemental proposed § 170.18 should not materially affect the costs associated with the RFA membership requirement for AT Persons. Supplemental proposed § 1.3(xxxx)(2), which permits an entity to voluntarily become an AT Person, does not impose any mandatory costs since it does not require anyone who otherwise does not meet the definition of AT Person to become an AT Person. An entity that does voluntarily become an AT Person presumably has determined that the benefits of doing so warrant accepting the costs imposed on AT Persons. c. Benefits The volume threshold and changes to the definition of AT Person will limit the number of firms subject to Regulation AT while preserving the benefits of Regulation AT for the larger firms trading on DCMs. The Commission believes that the benefits associated with requirements such as risk controls, testing and monitoring, recordkeeping, and other provisions applicable to AT Persons are greatest for this subset of market participants because errors related to malfunctions at the firms with highest activity will likely have the largest impact on other market participants and the market as a whole. As evidence for this, FIA indicated in its December 2013 response to the Concept Release that most, if not all, large automated firms have extensive risk controls across all of their algorithmic activity, often calibrated at multiple levels, along with other quality control schemes to minimize the chance of error.389 Such firms, understanding the effect they may have on the marketplace due to unanticipated behavior, have voluntarily chosen to incorporate measures similar to those required in Regulation AT to mitigate these risks. The anti-evasion provisions will help ensure that entities that should be AT Persons are not able to readily avoid AT Person status by trading through multiple entities. 389 FIA, Comment in Response to Concept Release (Dec. 11, 2013). E:\FR\FM\25NOP2.SGM 25NOP2 85372 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS The clarifying changes to Supplemental proposed § 170.18 should not materially affect the benefits associated with the RFA membership requirement for AT Persons. Supplemental proposed § 1.3(xxxx)(2), which permits an entity to voluntarily become an AT Person, provides an entity that does not otherwise meet the definition of AT Person with the flexibility to become an AT Person so that it can realize the benefits of implementing its own risk controls, rather than accepting an FCM’s risk controls. d. Consideration of Alternatives The Commission considered not adopting a registration requirement for AT Persons in response to comments. This would have made the definition of DEA and the volumetric threshold unnecessary. However, the Commission continues to believe that there are certain larger market participants whose automated trading represents an elevated risk to market integrity and who, for the protection of market participants and the public, should therefore be subject to enhanced oversight relative to other market participants. The Commission also considered not using a volume threshold or other quantitative threshold (as suggested by some commenters) and instead responding to commenter concerns that the NPRM would capture substantially more than 420 AT Persons by revising the definition of DEA so that the term captures a narrower scope of trading activity. The Commission was unable to identify a definition of DEA that would reduce the number of AT Persons and provide a low-cost way for entities to determine whether they are AT Persons as defined under Regulation AT. The Commission thus determined to propose a quantitative threshold (i.e., the volume threshold test), while at the same time defining DEA broadly. The Commission considered other quantitative metrics including tests proposed by ESMA for identifying highfrequency traders in European markets, i.e., average resting order times and daily number of messages sent by a trading entity. However, the new AT Person category is intended to ensure that risk management, testing and monitoring standards are sufficiently high for the class of market participants who are largest, regardless of strategy or firm type. The Commission believes that volume is a key element of market processes such as price discovery and risk transfer, is simpler than other potential metrics, and can be calculated at lower cost than metrics such as VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 average order resting times and message frequency. The Commission also considered volume thresholds at other levels higher and lower than 20,000 contracts. However, the Commission has preliminarily determined that 20,000 contracts will result in the registration of those firms for whom Regulation AT proposed rules applicable to AT Persons are needed most and will provide the greatest benefit. e. Commission Questions 39. Beyond specific questions concerning specific Supplemental proposed rules interspersed throughout its discussion, the Commission generally requests comment on all aspects of its consideration of costs and benefits of this Supplemental NPRM, including: (a) Identification, quantification, and assessment of any costs and benefits not discussed therein; (b) whether any of the proposed regulations may cause FCMs or DCMs to raise their fees for their customers, or otherwise result in increased costs for market participants and, if so, to what extent; (c) whether any category of Commission registrants will be disproportionately impacted by the proposed regulations, and if so whether the burden of any regulations should be appropriately shifted to other Commission registrants; (d) what costs, if any, would likely arise from market participants engaging in regulatory arbitrage by restructuring their trading activities to trade on platforms not subject to the proposed regulations, or taking other steps to avoid costs associated with the proposed regulations; (e) quantitative estimates of the impact on transaction costs and liquidity of the proposals contained herein; (f) the potential costs and benefits of the alternatives that the Commission discussed in this release, and any other alternatives appropriate under the CEA that commenters believe would provide superior benefits relative to costs; (g) data and any other information to assist or otherwise inform the Commission’s ability to quantify or qualitatively describe the benefits and costs of the proposed rules; and (h) substantiating data, statistics, and any other information to support positions posited by commenters with respect to the Commission’s consideration of costs and benefits. 40. As noted above, some commenters opined that the NPRM would capture substantially more than 420 AT Persons. Is there a definition of DEA that should be adopted that would appropriately limit the scope of the definition of AT Person, without use of a quantitative PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 threshold? Further, is there a definition of DEA that would serve as a low-cost method of enabling entities to determine if they are AT Persons? 41. Are there quantitative thresholds other than volume that would provide a superior cost-benefit profile to the Commission’s proposal? 42. Would a volume threshold at levels higher or lower than 20,000 contracts provide a superior cost-benefit profile to the Commission’s proposal? 43. Should volume threshold calculations exclude or weigh differently spread trades or any other types of trades, and if so, should the volume threshold level be adjusted? What are the costs and benefits of excluding or weighing differently certain types of trades? 8. Source Code Retention and Inspection Requirements a. Summary of New Proposal Under the NPRM proposal, each AT Person was required to maintain a ‘‘source code repository’’ to manage source code access, persistence, copies of all code used in the production environment, and changes to such code. Such source code repository was required to include an audit trail of material changes to source code that would allow AT Persons to determine, for each such material change: Who made it; when they made it; and the coding purpose of the change. The NPRM also required that AT Persons maintain source code in accordance with § 1.31 and make source code available for inspection by Commission staff and the Department of Justice pursuant to § 1.31. Under Supplemental proposed § 1.84, AT Persons are required to retain (to the extent that they are generated by an AT Person) three categories of records for a period of five years: (1) Algorithmic Trading Source Code; (2) records that track changes to Algorithmic Trading Source Code; and (3) log files that record the activity of the AT Person’s Algorithmic Trading system. Instead of making Algorithmic Trading Source Code available for inspection by Commission staff and the Department of Justice pursuant to § 1.31, under Supplemental proposed § 1.84, action by the Commission itself would be required, either in the form of a special call for these records or pursuant to a subpoena. The Commission may authorize the Director of the Division of Market Oversight to execute the special call, and to specify the form and manner in which the required records must be produced. This procedure is similar to the procedure for the Commission to E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules grant subpoena power to staff. The Commission will retain the authority to grant subpoena power with respect to Algorithmic Trading Source Code, change logs, and log files. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS b. Costs The Commission estimates that a typical AT Person without the hardware and software in place to maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $41,840 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software, draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: Hardware costing $12,000,390 software costing $2,000,391 1 Project Manager for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $70 = $4,200); 1 Developer for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $75 = $4,500), 1 Project Manager to develop the related policies and procedures, working for 120 hours (120 × $70 = $8,400), 1 Business Analyst to develop the related policies and procedures, working for 120 hours (120 × $52 = $6,240), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). The 120 AT Persons therefore would incur a total initial cost of $5,020,800 (120 × $41,840). The Commission estimates that, on an initial basis, an AT Person with the hardware and software in place to maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $12,160 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software, draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: Hardware costing $4,000, 1 Project Manager to develop the related policies and 390 The Commission estimates that the hardware could cost from $1,000 to $25,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. 391 The Commission estimates that the software could cost from $0 to $5,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 procedures, working for 30 hours (30 × $70 = $2,100), 1 Business Analyst to develop the related policies and procedures, working for 30 hours (30 × $52 = $1,560), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). The 120 AT Persons therefore would incur a total initial cost of $1,459,200 (120 × $12,160). The Commission also has estimated the cost of complying with Supplemental proposed § 1.84(b), which require AT Persons to produce records of Algorithmic Trading in response to a special call. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $51,840 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: 1 Project Manager, working for 36 hours per month × 12 months = 432 hours per year (432 × $70 = $30,240); and 1 Developer, working for 24 hours per month × 12 months = 288 hours per year (288 × $75 = $21,600). The 120 AT Persons would therefore incur a total initial cost of $2,894,400 (120 × $51,840). The Commission does not estimate a specific number of special calls per year that AT Persons will receive. Rather, such special calls would occur on an intermittent basis and the Commission estimates the cost for one response. The Commission estimates that, on an intermittent basis, an AT Person will incur a cost of $5,844 to ensure compliance with those aspects of Supplemental proposed § 1.84(b) requiring AT Persons to produce records of Algorithmic Trading in response to a special call. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Developer, working for 36 hours (36 × $75 = $2,700); and 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304). The 120 AT Persons would therefore incur a total annual cost of $701,280 (120 × $5,844). The Commission expects that AT Persons already retain Algorithmic Trading Source Code and log files and to some extent are incurring such costs under current practice. The Commission believes that with the numerous protections to Algorithmic Trading Source Code confidentiality provided in Supplemental proposed § 1.84, including removal of the applicability of § 1.31, the various costs attributed to the NPRM source code rule by commenters generally do not apply to Supplemental proposed § 1.84. PO 00000 Frm 00041 Fmt 4701 Sfmt 4702 85373 For more detail on the estimated costs of § 1.84, see Sections IX(B)(2)(d) and (e) below. c. Benefits As noted, Supplemental proposed § 1.84 is first and foremost a recordkeeping rule. Requiring AT Persons to retain Algorithmic Trading Source Code and log files will ensure that the Commission is able to access this information (through a special call or subpoena) on the, presumably infrequent, occasions when it is needed to investigate or inquire into an Algorithmic Trading Compliance Issue or disruption. Supplemental proposed § 1.84(b), which would require the Commission to issue a special call in order to enable Commission staff to review Algorithmic Trading Source Code and log files as part of its market oversight responsibilities. The Commission could also access source code by issuing subpoenas that are typically used in enforcement investigations. For example, the Commission might issue a special call to inquire into a market disruption without launching a formal enforcement investigation or implying that the disruption was caused by a violation of the CEA or Commission regulations. Further, Commission access to Algorithmic Trading Source Code and log files should not compromise their integrity as trade secrets or other confidential information; the confidentiality provisions of Supplemental proposed § 1.84(b)(3) are designed to preserve their confidential status. The Commission notes that Supplemental proposed § 1.84(b)(3) is in addition to existing confidentiality protections provided in section 8(a) of the Act. d. Consideration of Alternatives The Commission considered the alternative of maintaining the NPRM proposal that Algorithmic Trading Source Code would be subject to the inspection and production provisions of § 1.31, but the Commission acknowledges the concerns of commenters regarding Algorithmic Trading Source Code confidentiality and trade secret preservation and determined to provide Algorithmic Trading Source Code and log files with the greater protection provided by Supplemental proposed § 1.84 as compared to § 1.31. The Commission also considered not promulgating an Algorithmic Trading Source Code rule, but determined that it is essential for the protection of market participants and the public to ensure that Algorithmic Trading Source Code E:\FR\FM\25NOP2.SGM 25NOP2 85374 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules and log file records be retained and, when necessary, made available to the Commission. e. Commission Questions 44. The Commission requests comment on the costs and benefits of Supplemental proposed § 1.84 including the accuracy of its cost estimates. 45. To what extent do AT Persons currently retain Algorithmic Trading Source Code and log files and for what period of time? 46. To what extent do the protections to Algorithmic Trading Source Code confidentiality in Supplemental proposed § 1.84 address the concerns of commenters regarding the NPRM proposed § 1.81(a)(1)(vi) Algorithmic Trading Source Code rule, particularly with respect to costs and benefits? asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 9. Testing, Monitoring and Recordkeeping Requirements in the Context of Third-Party Providers a. Summary of New Proposal NPRM proposed § 1.81(a) required AT Persons to implement written policies and procedures for the development and testing of ATSs. Among other things, such policies and procedures must at a minimum include documenting the strategy and design of proprietary Algorithmic Trading software, as well as any changes to software that are implemented in a production environment, pursuant to NPRM proposed § 1.81(a)(v). Under NPRM proposed § 1.81(a)(vi), a source code repository was required to be maintained, as discussed above. Supplemental proposed § 1.85 allows AT Persons who are unable to comply with a particular development and testing requirement 392 or a particular maintenance or production requirement related to Algorithmic Trading strategy (including Algorithmic Trading Source Code and log files),393 due solely to their use of third-party system components, to obtain a certification that the third party is complying with the obligation. AT Persons would need to obtain a new certification whenever there is a material change to the thirdparty system or system components. The proposed rule also would require AT Persons to conduct due diligence regarding the accuracy of the certification. In addition, in all cases, under the Supplemental NPRM, an AT Person is responsible for ensuring that records are retained and produced as required pursuant to Supplemental 392 See NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), and 1.81(a)(1)(iv), and Supplemental NPRM proposed § 1.81(a)(1)(ii). 393 See Supplemental proposed § 1.84. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 proposed § 1.84 from third-party providers. b. Costs Costs to AT Persons: As discussed in further detail in the PRA section, the Commission estimates that each AT Person will incur a one-time cost of $4,884 to establish the process for initially obtaining the third-party certifications permitted by Supplemental proposed § 1.85, conduct the related due diligence and obtain the initial certifications. This cost is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 would therefore incur a total one-time cost of $586,080 (120 × $4,884). The Commission expects that the approximately 120 AT Persons, on average, will need to review approximately one certification each, assuming that some AT Persons use more than one third-party system or system component, while others use only their own systems. For purposes of this cost analysis, the Commission estimates that an AT Person will need to acquire a new certification approximately once per year due to a material change in the third-party system or component. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $2,892 to obtain the third-party certifications permitted by Supplemental proposed § 1.85 and conduct the related due diligence.394 This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 would therefore incur a total annual cost of $347,040 (120 × $2,892). The provision making an AT Person responsible for ensuring that records are retained and produced as required pursuant to Supplemental proposed § 1.84, should not impose direct costs on AT Persons unless there is an instance the third party is found to have failed to retain and produce records. The costs, in such an event, would depend on the nature and extent of the violation, and it is not reasonably 394 The Supplemental NPRM does not set forth the means by which due diligence must be conducted. The Commission expects that due diligence may take a variety of forms, including but not limited to, email exchanges, teleconferences, reviews of files, and in-person meetings. PO 00000 Frm 00042 Fmt 4701 Sfmt 4702 feasible for the Commission to quantify such costs at this time. The Commission also anticipates that an AT Person will incur a one-time cost of $2,304 to re-write its contracts with third parties, so that the AT Persons can comply with the recordkeeping and production provisions of Supplemental proposed § 1.84. This cost is broken down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96 per hour = $2,304). AT Persons may incur additional costs as a result of Supplemental proposed § 1.85, depending on the response of third-party providers to implementation of the rule. It is possible that third-party providers may pass on the costs that they incur as a result of Supplemental proposed § 1.85 to their AT Person customers (or all of their customers) in the form of higher prices or an AT Person surcharge. Costs to Third-Party Providers: The Commission expects that all third-party providers combined will need to provide approximately 120 certifications to the 120 AT Persons, assuming that some AT Persons use more than one third-party system or system component, while others use only their own systems. For purposes of this cost-benefit analysis, the Commission estimates that a third-party provider will need to provide a new certification to its AT Person customers approximately once per year due to a material change in the third-party system or component. The Commission also expects third-party providers to cooperate with AT Person due diligence for each certification provided, for a total of 120 due diligence occurrences. The Commission estimates that each third-party provider will incur a onetime cost of $4,884 to establish the process for initially providing the thirdparty certifications permitted by Supplemental proposed § 1.85 and cooperating with AT Persons conducting the related due diligence. The Commission estimates that there will be a total of 50 third-party service providers to AT Persons for their ATSs or components, and seeks comment on this estimate. The one-time $4,884 cost for each third-party provider is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 50 third parties that provide certifications pursuant to Supplemental proposed § 1.85 would therefore incur a total annual cost of $244,200 (50 × $4,884). E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS The Commission estimates that, on an annual basis, an average third party will incur a cost of $2,892 to provide AT Persons the third-party certifications permitted by Supplemental proposed § 1.85 and cooperate with AT Persons conducting the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 50 third parties that will rely on § 1.85 would therefore incur a total annual cost of $146,600 (50 × $2,892). In addition to the costs of providing certifications, the Commission anticipates that third-party providers will incur additional costs relating to Supplemental proposed § 1.85(a), which contemplates that third parties will provide to AT Persons systems or components that comply with NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed §§ 1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an annual basis, a third party will incur costs to comply with the proposed rules listed above that are comparable to the costs that an AT Person would incur to comply with such rules. The estimated costs for an AT Person to comply with Supplemental proposed § 1.84 are discussed in Section IX(A)(8) above. The estimated costs for an AT Person to comply with proposed § 1.81(a) were discussed in detail in the NPRM.395 395 See NPRM at 78900. In the NPRM, the Commission estimated that an AT Person that has not implemented any of the requirements of proposed § 1.81(a) (development and testing of ATSs) would incur a total cost of $349,865 to implement those requirements. This cost was broken down as follows: 1 Project Manager, working for 1,707 hours (1,707 × $70 = $119,490); 2 Business Analysts, working for a combined 853 hours (853 × $52 = $44,356); 3 Testers, working for a combined 2,347 hours (2,347 × $52 = $122,044); and 2 Developers, working for a combined 853 hours (853 × $75 = $63,975). The Commission notes that this calculation would apply only to third parties that have not implemented any of the requirements of proposed § 1.81(a). However, the Commission anticipates that many third-party providers—e.g., software development firms— already develop and test systems or components in the ordinary course of their business. Indeed, the Commission anticipates that third-party providers would generally be as sophisticated, if not more sophisticated, than AT Persons with respect to the development and testing of ATSs. Therefore, the Commission believes that the cost of compliance for third parties would be lower than the estimate calculated above. In addition, the Commission anticipates that compliance costs under Supplemental proposed § 1.81(a)(1)(ii) will be lower than the costs estimated in the NPRM, since the Commission is proposing to eliminate the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test all Algorithmic Trading code and related systems on each DCM on which VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 The Commission also anticipates that a third-party will incur a one-time cost of $2,304 to re-write its contracts with AT Persons, so that the AT Persons can comply with the recordkeeping and production provisions of Supplemental proposed § 1.84. This cost is broken down as follows: 1 Compliance Attorney, working for 24 hours (24 × $96 per hour = $2,304). These cost estimates represent an average across all of the estimated 50 firms offering ATS systems or components of systems for use on DCMs. However, the costs to particular firms will vary depending on how many products they offer and how many AT Person customers they do business with. For example, the Commission understands that a small number of firms have a predominant share in the market for third-party provided ATS. Accordingly, the largest providers may have several dozen AT Person customers (as well as a much larger number of non-AT Person customers) while other firms among these 50 currently may have no or few AT Person customers. The Commission anticipates that much of the cost of providing certifications will result from the initial costs of researching the requirements for certifications and creating the first certification. The Commission expects that a third-party provider can create a single certification for a particular ATS product or component and provide the same certification to all AT Person customers using that product. Certifications for other software products offered by a third-party vendor are likely to be similar to the certification for the initial product. Thus, the cost of creating a certification for an additional software product is likely to be substantially lower than the cost of creating the initial certification. For the same reason, the cost of modifying a certification to reflect material changes to a product is also likely to be much lower than the cost of creating the initial certification. Accordingly, the Commission expects that there will be economies of scale associated with providing certifications to AT Persons, and costs for firms with many AT Person customers may not be substantially greater than such costs for firms with only one AT Person customer. However, a firm with many AT Person customers is likely to incur much higher costs associated with cooperating with AT Person due Algorithmic Trading will occur (while retaining a more general requirement that AT Persons must test all ATSs). PO 00000 Frm 00043 Fmt 4701 Sfmt 4702 85375 diligence than a firm with only one or a few AT Person customers. This is because a third-party provider will have to cooperate with due diligence separately for each AT Person customer. If a firm has several dozen AT Person customers, it may be necessary for the project manager, compliance attorney, and developer noted above to devote an extended period of time to cooperating with AT Person due diligence, especially following issuance of the initial certification. On subsequent occasions when the software changes materially, the provider will again have to cooperate with AT Person due diligence, but this is likely to be less costly (albeit still significant) than cooperating with the initial due diligence. As noted, AT Persons would likely perform some due diligence even absent the proposed rule. However, they might perceive less need to perform extensive due diligence on firms with many AT Person customers and strong reputations than on firms new to the market or with few AT Person customers. Moreover, AT Persons may tend to perform less due diligence over time, if there are no problems and they come to trust their providers. Thus, Supplemental proposed § 1.85 may result in more extensive due diligence being performed on established firms with many AT Person customers than would occur absent the Supplemental proposed rule. It is highly likely, especially given the small number of third party providers, that these third-party providers will pass on these costs to their AT Person customers or to all of their customers. It is also possible that third-party providers will elect to avoid these costs by no longer providing their systems to AT Persons, especially if (as is likely given the small number of AT Persons) AT Persons represent a relatively small percentage of their customers. For more detail on the estimated costs of § 1.85, see Section IX(B)(2)(f). c. Benefits The certification requirements of Supplemental proposed § 1.85 will improve the safety of ATSs by ensuring that ATSs and components provided by third parties to AT Persons are compliant with the development and testing requirements of Regulation AT even when the AT Persons themselves otherwise are unable to comply with those requirements. The due diligence requirements will further ensure that third-party systems are compliant with Regulation AT. Moreover, the recordkeeping and production requirements of § 1.85(d) (by reference to § 1.84(a) and (b)) will ensure the E:\FR\FM\25NOP2.SGM 25NOP2 85376 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules Commission is able to access the Algorithmic Trading Source Code and log files of third parties via special call to an AT Person or via subpoena in the event they are needed to investigate or inquire into a disruption. Finally, placing ultimate responsibility for compliance with the recordkeeping and production requirements of Supplemental proposed § 1.84 with the AT Person will further ensure that the benefits of these requirements are fully realized. d. Consideration of Alternatives The Commission considered not requiring AT Persons to conduct due diligence of third-party certifications in order to reduce costs, but determined that requiring due diligence is essential to market integrity and protection of market participants and the public. The Commission preliminarily believes that certification alone is not sufficient to ensure that third-party systems and components are compliant with Regulation AT. The Commission also considered making an AT Person ultimately responsible for ensuring that third-party systems are compliant with the development and testing requirements of Supplemental proposed § 1.81, but was concerned that this might deter AT Persons from utilizing third-party systems for which they are ultimately responsible but lack control. Moreover, the Commission preliminarily believes that certification and due diligence are sufficient to ensure that the benefits of Supplemental proposed § 1.81 are realized with regard to third-party systems. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS e. Commission Questions 47. The Commission requests comment on its cost-benefit considerations related to Supplemental proposed § 1.85, including the accuracy of its cost estimates. 48. The Commission requests comment on the costs of § 1.85 to thirdparty providers with few AT Person customers as compared to the costs to third-party providers with many AT Person customers. 49. To what extent does requiring due diligence of third-party certifications provide additional benefits beyond those of certification requirement itself? 50. To what extent would AT Persons perform due diligence of third-party certifications absent the proposed rule requiring such due diligence? 51. Would placing ultimate responsibility for third-party compliance with Supplemental proposed § 1.81 with the AT Person VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 provide benefits beyond those of certification and due diligence? 52. For purposes of this cost analysis, the Commission estimated that an AT Person will need to acquire a new certification approximately once per year due to a material change in the third-party system or component. Please comment on whether the estimate of a material change occurring approximately once per year is an appropriate assumption. 53. The Commission requests any additional quantitative information that commenters can provide regarding the costs and benefits of § 1.85. 54. How many third parties are actively providing Algorithmic Trading software in the futures and option markets on DCMs? 55. To what extent will third-party providers pass on the costs that they incur as a result of § 1.85 to their AT Person customers or to all of their customers? 10. Changes to Overall Risk Control Framework a. Summary of New Proposal NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20 imposed risk control and similar requirements, such as order cancellation systems, at three levels: the AT Person, FCM and DCM. The NPRM also contained definitions for various terms, including ‘‘Algorithmic Trading’’ and ‘‘AT Order Message.’’ Under the NPRM, risk controls applied to AT Order Messages, but not to order messages entered onto an exchange’s matching engine manually. In the Supplemental NPRM, the Commission proposes a risk control framework with controls at two, rather than three, levels: (i) AT Person or FCM; and (ii) DCM. With respect to algorithmic orders originating with AT Persons (AT Order Messages), the proposed rules require all AT Persons to implement the risk controls and other measures required pursuant to § 1.80 (although AT Persons may delegate compliance with § 1.80(a) to FCMs). The Supplemental NPRM also adds new § 1.80(g), which requires AT Persons to apply the risk control mechanisms described in § 1.80(a), (b) and (c) on its Electronic Trading Order Messages that do not arise from Algorithmic Trading, after making any adjustments in the risk control mechanisms to accommodate the application of such mechanisms to Electronic Trading Order Messages. FCMs are not required to implement risk controls on AT Order Messages that are subject to AT Person-administered controls. Those AT Order Messages originating from AT Persons will be PO 00000 Frm 00044 Fmt 4701 Sfmt 4702 subject to a second level of risk controls at the DCM level pursuant to proposed § 40.20. AT Order Messages originating with a non-AT Person are subject to risk controls implemented by executing FCMs pursuant to proposed § 1.82. Those orders will be subject to the second level of risk controls at the DCM level pursuant to proposed § 40.20. The Commission is proposing two additional definitions in the Supplemental NPRM for the terms Electronic Trading and Electronic Trading Order Message, since many of the risk controls will also apply to manually-entered electronic trades. Pursuant to these definitions, Electronic Trading Order Messages are subject to risk controls implemented by executing FCMs pursuant to proposed § 1.82 or by AT Persons pursuant to supplemental proposed § 1.80(g). Those orders will be subject to the second level of risk controls at the DCM level pursuant to proposed § 40.20. The Supplemental NPRM eliminates NPRM proposed § 1.80(d) which required notification by AT Persons to applicable DCMs and clearing member FCMs that they will engage in Algorithmic Trading. Finally, Supplemental proposed § 38.255(c) requires a DCM that permits DEA to require that an FCM use DCMprovided risk controls, or substantially equivalent controls developed by the FCM itself or a third party. Prior to an FCM’s use of its own or a third party’s systems and controls, the FCM must certify to the DCM that such systems and controls are substantially equivalent to the systems and controls that the DCM makes available pursuant to Supplemental proposed § 38.255(b). b. Costs Requiring risk controls at two levels rather than three will reduce the costs to FCMs and AT Persons associated with these risk controls (relative to those in the NPRM) by requiring either the AT Person or the FCM to implement risk controls, but not both. As discussed in the NPRM, the Commission estimated those costs as: each AT Person— $79,680; and each clearing member FCM—$49,800 (as to DEA orders) and $159,360 (as to non-DEA orders).396 FCMs generally will be required to implement risk controls only for nonAT Person accounts. AT Persons will be permitted to delegate their risk control responsibilities to FCMs under Supplemental proposed §§ 1.80(d) and 1.80(g)(2) and the Commission expects 396 See E:\FR\FM\25NOP2.SGM NPRM at 78898 and 78903. 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules that AT Persons may do so if it reduces their costs.397 Imposing risk controls on all electronic order messages will cause a modest increase in costs on AT Persons and DCMs, but the Commission expects this increase in costs to be minimal since the marginal cost of imposing existing risk controls on additional orders is low once the risk controls have been created and are up and running and AT Persons can make appropriate adjustments to the risk controls set out in §§ 1.80(a), (b), and (c) since some of these controls need not be applied to manual orders. Similarly, imposing FCM-level risk controls on all Electronic Trading Order Messages not originating with an AT Person will only increase costs modestly. Moreover, the Commission estimates that at least 95% of all order messages on DCM matching engines are generated by ATSs, so that relatively few order messages are affected by this Supplemental proposed rule. This estimate was based on order activity for one week in 2016, as reported in the audit trail for all futures products on the CME Globex platform. The withdrawal of the notification requirement of NPRM proposed § 1.80(d) eliminates the costs associated with that NPRM proposal. The Commission expects that the written notifications pursuant to Supplemental proposed § 38.255(c) from an FCM to a DCM that the FCM’s risk controls are substantially equivalent to the risk controls available from the DCM will, as discussed in the PRA section below, cost approximately $235 per certification. The Commission is unable to estimate the exact number of FCMs that will choose to use its own or a third party’s systems and controls. Assuming that all 70 executing FCMs were to do so for four DCMs each, the Commission estimates that the 70 executing FCMs would incur a total one-time cost of $65,800 (70 × $235 × 4).398 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS c. Benefits The Commission preliminarily believes that the benefits of risk controls will not be materially impacted by reducing the number of levels at which risk controls are imposed to two from three. As described in the NPRM, these benefits include, among other things, mitigating credit, market, and 397 FCMs would be permitted to charge AT Person customers to implement risk controls on their behalf. 398 DCMs will incur some costs with respect to preparing an exchange rule requiring FCMs to provide § 38.255(c) certifications. Exchange rulewriting costs were generally covered in the costbenefit considerations for the Part 40 final rule (76 FR 44776, July 27, 2011). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 operational risks by ensuring that each order accurately reflects the intentions of market participants.399 Requiring risk controls for all Electronic Trading Order Messages will, as discussed by commenters, ensure that the benefits of the risk controls are realized for all manually entered Electronic Trading Order Messages as well as AT Order Messages. d. Consideration of Alternatives In determining the appropriate risk control framework for AT Persons, FCMs and DCMs, the Commission considered a few alternatives. First, the Commission considered whether it should require AT Persons to implement their own controls to comply with Supplemental proposed § 1.80(a), rather than allow AT Persons the choice to delegate their risk control duties to FCMs. However, in order to further mitigate costs, the Commission chose to allow this flexibility when it is technologically feasible for the FCM to implement such controls with the same level of effectiveness reasonably designed to prevent and reduce the risk of an Algorithmic Trading Event. The Commission also considered the alternative of not requiring AT Persons to apply risk controls to all Electronic Trading Order Messages, but rather applying such controls only to AT Order Messages as a way of reducing costs, but determined that two levels of risk controls should be applied to all Electronic Trading Order Messages, including those originating with an AT Person. e. Commission Questions 56. The Commission requests comment on its cost-benefit considerations related to the revisions to §§ 1.80, 1.82, 38.255 and 40.20, including the accuracy of the Commission’s cost estimates or assumptions concerning decreased cost. 57. Does requiring risk controls at two levels rather than three materially alter the costs or benefits of the risk control framework? 58. Does imposing risk controls on all Electronic Trading Order Messages materially increase costs? Please quantify any increase in costs if possible. What are the benefits of imposing risk controls on all Electronic Trading Order Messages, rather than just AT Order Messages? 59. Does permitting AT Persons to delegate risk controls to an FCM reduce costs or materially alter the benefits of the risk controls? 399 NPRM PO 00000 at 78899–78900. Frm 00045 Fmt 4701 Sfmt 4702 85377 60. Should the Commission require AT Persons to apply risk controls to their manual Electronic Trading Order Messages? Would a single, DCM-level control applicable to such orders provide sufficient protection for markets and market participants? 11. Reporting, Testing and Recordkeeping Requirements a. Summary of New Proposal NPRM proposed §§ 1.83 and 40.22 required that AT Persons and clearing member FCMs provide the DCMs on which they operate with annual reports providing information on their compliance with §§ 1.80(a) and 1.82(a)(1), and that DCMs establish a program for effective review and evaluation of the reports. NPRM proposed §§ 1.83 and 40.22 also provided recordkeeping requirements regarding §§ 1.80, 1.81 and 1.82 compliance. Further, NPRM proposed § 1.81(a)(1)(ii) required AT Persons to test all Algorithmic Trading code and related systems both internally within the AT Person and on each DCM on which Algorithmic Trading will occur. NPRM proposed § 40.21 had required DCMs to provide testing environments. In light of the concerns raised by commenters to proposed §§ 1.83 and 40.22, the Commission has replaced the requirement that AT Persons and FCMs prepare compliance reports with a requirement that DCMs mandate that AT Persons and executing FCMs provide DCMs with an annual certification attesting that the AT Person or FCM complies with the requirements of §§ 1.80, 1.81, and 1.82, as applicable, while maintaining the recordkeeping requirements. Also in lieu of requiring compliance reports, Supplemental proposed § 40.22(a) requires DCMs to periodically review AT Persons’ and FCMs’ programs for compliance with §§ 1.80, 1.81 and 1.82. Additionally, the Commission is proposing to modify certain requirements regarding the development, monitoring, and compliance of ATSs under NPRM proposed § 1.81. The Commission has withdrawn the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test all Algorithmic Trading code and related systems on each DCM on which Algorithmic Trading will occur (while retaining a more general requirement in Supplemental proposed § 1.81(a)(1)(ii) that AT Persons must test all ATSs, including Algorithmic Trading Source Code, any changes to such systems or code, prior to implementation, and such testing shall be reasonably designed to E:\FR\FM\25NOP2.SGM 25NOP2 85378 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules effectively identify circumstances that may contribute to future Algorithmic Trading Events). The Commission has also withdrawn NPRM proposed § 40.21, which had required DCMs to provide test environments that enable AT Persons to simulate production trading. b. Costs The Commission preliminarily believes that the costs associated with Supplemental proposed § 40.22(a) (DCMs to periodically review AT Persons’ and FCMs’ programs for compliance with §§ 1.80, 1.81 and 1.82) are similar on a per-event basis to the costs associated with the NPRM requirements that DCMs review annual compliance reports from AT Persons and FCMs. However, the Commission expects that DCMs can appropriately perform these periodic reviews for most AT Persons and FCMs at a frequency less often than annually, generally reducing costs. The Commission notes that it may be necessary for DCMs to perform reviews more frequently for entities whose trading activities appear to impose greater potential risks to the marketplace. In the NPRM, the Commission estimated that the compliance reports would cost each clearing member FCM $7,090 annually and each AT Person $4,240 annually.400 However, some commenters indicated that the Commission had underestimated such costs. The Commission estimated in the NPRM that it would cost each DCM approximately $244,080 per year to comply with NPRM proposed § 40.22, of which $133,200 is associated with review and remediation of compliance reports.401 CME believes the Commission’s estimate for complying with § 40.22’s requirements that DCMs periodically review AT Person and clearing member FCM compliance reports and books and records, and identify and remediate any insufficient mechanisms, policies and procedures discovered, is too low. Instead, CME estimated the annual cost for each of its four DCMs 402 to be closer to $525,000, 400 See NPRM at 78904. NPRM at 78908. The remainder is associated with the costs of reviewing books and records (§ 40.22(e)) and self-trading requests (§ 40.22(c)). These provisions are not addressed in the Supplemental NPRM. 402 CME Group is the parent company of the Chicago Mercantile Exchange, Chicago Board of Trade, New York Mercantile Exchange, and Commodity Exchange DCMs. Following the merger of the four exchanges, CME Group has a single Market Regulation Department which provides compliance, enforcement, and other self-regulatory services to all four of the CME Group DCMs. With respect to the four DCMs, CME Group’s Market asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 401 See VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 assuming that across all four DCMs, approximately 650 entities would come within the scope of the proposed compliance report requirements and each entity would be reviewed once every four years (across all four DCMs).403 CME estimated that it would take approximately one month for a fulltime employee to complete each review.404 The Commission preliminarily adopts the CME cost estimate regarding the cost of each individual compliance review ($3,230), but at this time believes that it would be appropriate for a DCM to review AT Persons and FCMs on average every two years rather than every four years.405 As noted, the Commission expects the costs of Supplemental proposed § 40.22(a) to be similar to the compliance review costs of NPRM Proposed Regulation 40.22. However, the Commission expects that the number of entities that would come within the scope of Supplemental proposed § 40.22(a) would be approximately 180 (120 AT Persons and an additional 60 FCMs) 406 and that the high-end cost to a large DCM (such as those operated by the CME) would thus be approximately $290,000 rather than $525,000. This cost is broken down as follows: $3,230 per review multiplied by 90 (180 AT Persons and FCMs half of which are reviewed each year for 90 reviews) is approximately $290,000. The costs would be lower for smaller DCMs with fewer AT Person market participants and fewer FCMs since they would need to conduct reviews for fewer entities. FCMs and AT Persons will not incur costs associated with annual compliance reports since those reports will not be required under the Supplemental NPRM, but the Commission estimates that it will cost $2,480 for an FCM or an AT Person to cooperate with a DCM’s periodic review. The Commission expects that on average, an FCM or AT Person will be subject to a periodic review every two years for each DCM on which it trades or once every year in total (with entities whose trading activities appear to impose greater potential risks to the marketplace needing more frequent reviews). Regulation Department effectively functions as a single entity, sharing management, staff, information technology and other resources. 403 CME 22. 404 See id. 405 As noted, more frequent reviews may be needed for firms that appear to present more risk. 406 The Commission is using 60, as opposed to 70, FCMs for purposes of this calculation because every FCM does not operate on all DCMs. Accordingly, a single DCM would not necessarily have to review every FCM. PO 00000 Frm 00046 Fmt 4701 Sfmt 4702 Supplemental proposed § 40.22(d) provides that DCMs must require by rule 407 that AT Persons and executing FCMs provide DCMs with an annual certification attesting that the AT Person or FCM complies with the requirements of §§ 1.80, 1.81, and 1.82, as applicable. Such annual certification shall be made by the chief compliance officer or chief executive officer of the AT Person or FCM and must state that, to the best of his or her knowledge and reasonable belief, the information contained in the certification is accurate and complete. The Commission estimates that each DCM’s chief compliance officer will spend approximately one hour receiving and reviewing the certification from approximately 120 AT Persons and 60 executing FCMs, for a total of 180 hours and a cost of $28,620 per DCM. This cost is broken down as follows: 1 Chief Compliance Officer, working for 1 hour (1 × $159 per hour × 180 certifications = $28,620). The Commission notes that this cost is significantly lower than the $111,000 per-DCM cost estimated in the NPRM for review of compliance reports.408 As to AT Person and executing FCM costs, the Commission expects that the annual certification requirement will involve preparation and transmittal of a document that makes the required certification, and that most of the hours associated with this requirement would involve review and analysis by compliance personnel of the entity’s compliance with §§ 1.80, 1.81, and 1.82, as necessary to enable the CCO or CEO to sign the certification. The Commission expects that each AT Person or FCM will transmit the essentially same certifications to each DCM that it is trading or operating on, without the need to prepare a unique certification for each DCM. The Commission also expects that to the extent that an AT Person’s or FCM’s interaction with the various DCMs’ electronic trading facilities are similar, the review and analysis of the entity’s compliance with §§ 1.80, 1.81, and 1.82 will also be similar. Therefore, the Commission preliminarily believes that the marginal cost of submitting certifications to additional DCMs will be much less than the cost of submitting a certification to the first DCM. The Commission estimates that, on an annual basis, an AT Person and an FCM will each incur a cost of $1,176 to submit the compliance certification to 407 DCMs will incur some costs with respect to preparing an exchange rule requiring FCMs and AT Persons to provide § 40.22(d) certifications. Exchange rule-writing costs were generally covered in the cost-benefit considerations for the Part 40 final rule (76 FR 44776, July 27, 2011). 408 See NPRM at 78907. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS four DCMs. This cost is broken down as follows: 1 Senior Compliance Specialist, working for 6 hours (6 × $57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 × $139 = $834), for each certification.409 The 120 AT Persons that will be subject to DCM rules implemented pursuant to § 40.22(d) would therefore incur a total annual cost of $141,120 (120 × $1,176). Similarly, the 70 executing FCMs that will be subject to DCM rules implemented pursuant to § 40.22(d) would therefore incur a total annual cost of $82,320 (70 × $1,176). The Commission notes that the $1,176 perentity cost of submitting certifications is substantially lower than the $4,240 perAT Person cost and the $7,090 per-FCM cost estimated in the NPRM for submission to DCMs of annual compliance reports.410 Finally, withdrawing the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test Algorithmic Trading code and related systems on each DCM on which Algorithmic Trading will occur, and withdrawing NPRM proposed § 40.21, which had required DCMs to provide test environments that enable AT Persons to simulate production trading, will eliminate the costs associated with those NPRM proposed rules. c. Benefits The Commission expects that the benefits of proposed § 40.22(a) will be similar to the benefits of the compliance report requirements of NPRM proposed §§ 1.83(a) and (b) and 40.22(c). As stated in the NPRM, those benefits were to enable ‘‘DCMs to have a clearer understanding of the pre-trade risk controls of all AT Persons that are engaged in Algorithmic Trading on such DCM’’ and to ‘‘improve the standardization of market participants’ pre-trade risk controls.’’ 411 In those years in which entities are not reviewed, DCMs will at least receive notifications pursuant to supplemental proposed § 40.22(d) confirming that such entities are in compliance with §§ 1.80, 1.81 and 1.82, as applicable. An AT Person’s or FCM’s failure to provide the required certification would indicate a basis for the DCM to engage in a review of such entity’s risk controls and testing program. The withdrawal of the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test Algorithmic 409 The six hours of work for each employee consists of five hours for the initial certification and one hour to prepare additional certifications for three other DCMs. 410 See NPRM at 78904. 411 NPRM at 78905. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Trading code and related systems on each DCM on which Algorithmic Trading will occur, and the withdrawal of NPRM proposed § 40.21, which had required DCMs to provide test environments that enable AT Persons to simulate production trading, will eliminate any benefits directly associated with those particular NPRM proposed rules. The Commission is revising or withdrawing those NPRM proposed rules in response to comments discussed above indicating that they were costly and impracticable. The Commission expects that the remaining testing requirements in Supplemental proposed § 1.81 generally will continue to provide the benefits described in the NPRM, including the potential to reduce market disruptions.412 d. Consideration of Alternatives The Commission considered the alternative of eliminating the compliance requirements of NPRM proposed § 40.22(c) without proposing either § 40.22(a) or § 40.22(d) in its place. The Commission determined to propose § 40.22(a) and § 40.22(d) because it preliminarily determined that these supplemental proposed rules are necessary to ensure that the benefits of Regulation AT are fully realized, including the goal of ensuring that risk controls are effectively implemented across AT Persons and FCMs, and that insufficient controls at such entities are identified and remediated. Specifically, the Commission preliminarily believes that it is necessary for DCMs to periodically review compliance by AT Persons and FCMs and for AT Persons and FCMs to review their own compliance in order to make certifications. e. Commission Questions 61. The Commission requests comment on its cost-benefit considerations related to Supplemental proposed §§ 1.81(a)(1)(ii), 1.83, 40.22, and NPRM proposed § 40.21, including the accuracy of its cost estimates or assumptions regarding decreased costs and the accuracy of its assumptions regarding the amount of work that would be required of AT Persons and FCMs to comply with the certification requirements of Regulation AT. 62. How do the costs and benefits of Supplemental proposed § 40.22(a) compare to the compliance costs and benefits associated with NPRM proposed § 40.22(c)? 412 Id. PO 00000 at 78901 and 78907. Frm 00047 Fmt 4701 Sfmt 4702 85379 12. Section 15(a) Factors This section discusses the CEA section 15(a) factors for the proposals in this Supplemental NPRM. a. Protection of Market Participants and the Public The Commission preliminarily believes that, as modified by the Supplemental NPRM, Regulation AT would continue to, as stated in the NPRM, protect market participants and the public by limiting a ‘‘race to the bottom,’’ in which certain entities sacrifice effective risk controls in order to minimize costs or increase the speed of trading. The Supplemental proposal to set risk controls at two levels rather than three will reduce costs while maintaining Regulation AT’s protection of market participants and the public. The proposal to apply risk controls to Electronic Trading Order Messages as well as AT Order Messages will protect market participants and the public by providing the benefits of risk controls to all order submissions to a DCM’s electronic trading facility. The requirements of Supplemental proposed § 40.22(a), which requires DCMs to periodically review AT Persons’ and FCMs’ programs for compliance with §§ 1.80, 1.81 and 1.82, and the certification requirements of § 40.22(d), will promote protection of market participants and the public by helping to ensure that the risk control rules are followed in a consistent manner and may further reduce the likelihood of Algorithmic Trading Events and Algorithmic Trading Disruptions. Supplemental proposed § 1.84 will protect market participants and the public by ensuring that the Commission has access to the Algorithmic Trading Source Code and log files of AT Persons in the event they are needed to investigate or inquire into an Algorithmic Trading Event or Algorithmic Trading Disruption. Supplemental proposed § 1.85 will protect market participants and the public by ensuring that ATSs and components provided by third parties to AT Persons are compliant with the development and testing requirements of Regulation AT, even when the AT Persons themselves are otherwise unable to comply with those requirements. Moreover, the recordkeeping requirements of § 1.85(d) (by reference to § 1.84(a) and (b)) will protect market participants and the public by ensuring that the Commission has access to the Algorithmic Trading Source Code and log files of third parties in the event they are needed to investigate or inquire into a an E:\FR\FM\25NOP2.SGM 25NOP2 85380 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules Algorithmic Trading Event or Algorithmic Trading Disruption. b. Efficiency, Competitiveness, and Financial Integrity of Futures Markets The Commission preliminarily believes that by addressing pre-trade risk controls, testing, and order management controls at two market levels—the exchange and either the trading firm or the executing FCM— Regulation AT, as modified by this Supplemental NPRM, will continue to provide standards that can be interpreted and enforced in a uniform manner. Implementation of Regulation AT to electronic order messages will help mitigate instabilities in the markets and ensure market efficiency and financial integrity, as discussed in the NPRM.413 Supplemental proposed § 1.85 will further these goals as well by ensuring that third-party systems used by AT Persons are compliant with Regulation AT. Supplemental proposed § 1.84 will further market efficiency and financial integrity by ensuring that the Commission has access to the Algorithmic Trading Source Code and log files of AT Persons in the event they are needed to investigate or inquire into an Algorithmic Trading Event or Algorithmic Trading Disruption. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS c. Price Discovery Requiring both exchanges and either trading firms or executing FCMs to implement pre-trade risk controls, testing, and order management control requirements in order to mitigate the risk of a malfunctioning trading algorithm or automated trading disruption promotes the price discovery process by reducing the likelihood of transactions at prices that do not accurately reflect market forces. d. Sound Risk Management Practices The Commission believes that the pretrade risk and order management control requirements contained in Regulation AT, as modified by this Supplemental NPRM, will contribute to a system-wide reduction in operational risk, and will help standardize risk management practices across similar entities within the marketplace. The reduction in operational risk may simplify the tasks associated with sound risk management practices. These enhanced risk management practices should help reduce unintended market volatility, which will aid in efficient market making, and reduce overall transaction costs as they relate to price movements, which should encourage 413 NPRM at 78909–78910. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 market participants to trade in Commission-regulated markets. Market participants and those who rely on prices as determined within regulated markets should benefit from markets that behave in an orderly and expected fashion. e. Other Public Interest Considerations The Commission has not identified any effects that these proposed rules would have on other public interest considerations other than those addressed above. f. Commission Questions 63. The Commission requests comment on its consideration of the CEA section 15(a) factors. B. Regulatory Flexibility Act The Regulatory Flexibility Act requires that agencies consider whether the rules they propose will have a significant economic impact on a substantial number of small entities and, if so, provide a regulatory flexibility analysis regarding the impact.414 A regulatory flexibility analysis or certification is typically required for any rule for which the agency publishes a general notice of proposed rulemaking pursuant to the notice-and-comment provisions of the Administrative Procedure Act, 5 U.S.C. 553(b).415 In the NPRM, the Commission provided a regulatory flexibility analysis pursuant to the Regulatory Flexibility Act.416 Regulation AT impacts three broad types of market participants: DCMs, FCMs, and AT Persons.417 In the NPRM, the Chairman, on behalf of the Commission, certified pursuant to 5 U.S.C. 605(b) that the rules proposed in Regulation AT imposing requirements on FCMs and DCMs would not have a significant economic impact on a substantial number of small entities.418 With respect to AT Persons, the NRPM provided a regulatory flexibility analysis addressing whether Regulation AT would have a significant economic impact on a substantial number of AT Persons that were small entities. As defined in the NPRM, the term AT Persons included various entities that engaged in Algorithmic Trading, including New Floor Traders under NPRM proposed § 1.3(x)(3), FCMs, floor brokers, SDs, MSPs, CPOs, CTAs and 414 5 U.S.C. 601 et. seq. U.S.C. 601(2), 603, 604, and 605. 416 NPRM at 78885. 417 Supplemental proposed § 1.85 will impact another type of market participant, third-party service providers providing software or systems to AT Persons for Algorithmic Trading. 418 NPRM at 78885. 415 5 PO 00000 Frm 00048 Fmt 4701 Sfmt 4702 IBs.419 The NPRM noted that the Commission previously determined that FCMs, foreign brokers, SDs, MSPs, CPOs, and natural persons are not small entities for purposes of the Regulatory Flexibility Act.420 The NPRM stated that the Commission believes it is likely that no natural persons will be AT Persons, given the technological and personnel costs associated with Algorithmic Trading.421 The Commission then considered whether, in the context of Regulation AT, floor brokers, floor traders, CTAs, and IBs that engage in Algorithmic Trading should be considered small entities for purposes of the Regulatory Flexibility Act.422 The Commission concluded that it did not believe that a substantial number of small entities will be impacted by Regulation AT.423 The Commission has made a number of substantive additions and changes to Regulation AT in this Supplemental NPRM, some of which may impact small entities. Significantly, while the Commission estimated that there would be 420 AT Persons under the NPRM proposed rules for Regulation AT, the Commission has revised its estimate to 120 AT Persons under the modified rules proposed in this Supplemental NPRM. As discussed below, the Commission believes that the Supplemental proposed rules will have a significant economic impact on fewer (if any) small entities than the NPRM proposed rules. Pursuant to 5 U.S.C. 603, the Commission offers for public comment the following supplemental analysis to its initial regulatory flexibility analysis addressing the impact of Regulation AT on small entities. The Commission’s analysis in the NPRM consisted of six parts, as generally set forth in section 603(b) of the Regulatory Flexibility Act. The Supplemental NPRM does not alter the Commission’s analysis of four of the areas: (1) A description of the reasons why action is being considered; (2) a succinct statement of the objectives of, and legal basis for, the proposals; (3) an identification of all relevant federal rules that may duplicate, overlap, or conflict with the proposed rule; and (4) a description of significant alternatives. The Commission offers the following supplemental analysis for two areas: (1) A description of and, where feasible, an estimate of the number of small entities to which the proposed rules will apply; and (2) a description of the projected 419 Id. at 78885–6. at 78885. 421 Id. at 78885–6. 422 Id. at 78885. 423 Id. at 78886. 420 Id. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules other compliance requirements that will be imposed upon AT Persons 425 under the proposed rules. reporting, recordkeeping, and other compliance requirements of the rules, including an estimate of the classes of small entities which will be subject to the requirements and the type of professional skills necessary for preparation of the report or record. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 1. A Description, and, Where Feasible, an Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply The Commission noted in the NPRM that the definition of AT Person is limited to entities that conduct Algorithmic Trading and the definition of New Floor Traders under NPRM proposed § 1.3(x)(1)(iii) is further limited to those entities with DEA. The Commission believes that entities with such capabilities are generally not small entities. Supplemental proposed § 1.3(xxxx)(1)(i)(B) adds a volume threshold test to the definition of AT Person, which measure is also set forth in definition of New Floor Trader pursuant to Supplemental proposed §§ 1.3(x)(1)(iii)(D) and 1.3(x)(2). The Commission believes that adding this volume threshold to further reduce the scope of Regulation AT will ensure that a substantial number of small entities will not be impacted by the information collection. In the NPRM, the Commission estimated that approximately 420 persons will be AT Persons. The regulatory flexibility analysis contained in the NPRM concluded that Regulation AT would not impact a substantial number of small entities.424 In this supplemental NPRM, the Commission estimates that approximately 120 persons will be AT Persons, and a smaller number would be New Floor Traders under 1.3(x)(1)(iii). Accordingly, the Commission believes that under the modified definition of AT Person set forth in Supplemental proposed § 1.3(xxxx), the Supplemental proposed rules will impact significantly fewer small entities than the NPRM proposed rules and, in particular, that there will not be a substantial number of small entities impacted by the information collection. 2. A Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rules, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirements and the Type of Professional Skills Necessary for Preparation of the Report or Record The following section discusses the projected reporting, recordkeeping, and 424 Id. at 78886. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 a. § 1.3(x)(1)(iii)—Registration of New Floor Traders Regulation AT would impose new registration requirements on certain entities with Direct Electronic Access who meet a volumetric test as a result of the proposed amendment to the definition of ‘‘floor trader’’ in Supplemental proposed § 1.3(x)(1)(iii). The Commission provided detailed estimates of the costs associated with registration as a New Floor Trader in the NPRM.426 The Commission estimated that new registrants would incur a onetime cost of approximately $2,106 per registrant ($1,050 in application fees plus $1,056 in preparation costs). In the NPRM, the Commission estimated that there would be approximately 100 new Floor trader registrants. The Commission believes that the volume threshold test will likely result in fewer than 100 new Floor trader registrants. The Commission further believes that the volume threshold test proposed in the Supplemental NPRM will reduce the impact on small entities as compared with the NPRM, since the registration requirements of Regulation AT will only apply to entities with high trading volumes when measured across all products and DCMs. b. § 1.80—Pre-Trade Risk Controls NPRM proposed regulations §§ 1.80, 1.82, 38.255 and 40.20 imposed risk control and similar requirements, such as order cancellation systems, on three levels: AT Person, FCM and DCM. As discussed above, this Supplemental NPRM changes the overall framework for risk controls and other measures required pursuant to NPRM proposed §§ 1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM proposes a revised framework with two levels of risk controls: (1) At the AT Person or FCM level, and (2) the DCM level. With respect to orders originating with AT Persons (AT Order Messages), the rules would require all AT Persons to implement the risk controls and other measures required pursuant to § 1.80 (although AT Persons may delegate compliance with § 1.80(a) to FCMs, as discussed above). In the NPRM, the Commission estimated that it would cost an AT Person approximately $79,680 to upgrade its controls to 425 This analysis discusses estimated costs for AT Persons, irrespective of whether they are small entities. However, the Commission believes that the associated costs for small entity AT Persons would be no more than the costs for any other AT Persons. 426 NPRM at 78925. PO 00000 Frm 00049 Fmt 4701 Sfmt 4702 85381 comply with § 1.80. In the NPRM, the Commission estimated that there would be 420 AT Persons. However, under this Supplemental NPRM, the Commission estimates that there will be approximately 120 AT Persons. Assuming that there are 120 AT Persons, the Commission estimates that the total industry cost to implement § 1.80 would be approximately $9,561,600. The Commission also proposes a change to NPRM proposed § 1.80 in which AT Persons may delegate compliance with pre-trade risk control requirements (§ 1.80(a)) to their executing FCMs. Supplemental proposed § 1.80(d) provides that an AT Person may choose to comply with paragraph (a) of § 1.80 by itself implementing such pre-trade risk controls, or may instead delegate compliance with such obligations to its executing futures commission merchant. Supplemental proposed § 1.80(f) continues to require an AT Person to periodically review its compliance with § 1.80 to determine whether it has effectively implemented sufficient measures reasonably designed to prevent an Algorithmic Trading Event.427 The Commission has revised this section to account for the possibility that an AT Person has delegated § 1.80(a) compliance to an FCM, and requires the AT Person to periodically review such FCM’s compliance with § 1.80(a). The Commission assumes that some AT Persons will delegate compliance with § 1.80 to its executing FCM under § 1.80(d), and thus review such FCM’s compliance with § 1.80(a) pursuant to Supplemental proposed § 1.80(f). While the Commission cannot estimate how many AT Persons will delegate compliance, the Commission believes that the costs associated with review are the same as those associated with compliance with § 1.80 generally. c. § 1.83(a)—AT Person Recordkeeping Requirements As discussed above, the Commission estimated in the NPRM that 420 entities would qualify as AT Persons under Regulation AT. Pursuant to Supplemental proposed § 1.3(xxxx), the Commission now estimates that 120 entities will be AT Persons. The Commission’s new, lower estimate for the number of AT Persons is a function of the volume threshold test that market participants would have to satisfy to fall within the definition of AT Person 427 The Commission notes that the Supplemental proposes a reasonably designed to prevent and reduce the potential risk of standard under § 1.80. E:\FR\FM\25NOP2.SGM 25NOP2 85382 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS under Supplemental proposed § 1.3(xxxx). The Commission has updated its Regulatory Flexibility Act analysis from the NPRM for proposed § 1.83, based on its updated estimate of 120 AT Persons in the Supplemental NPRM (as opposed to the 420 AT Persons estimated in the NPRM). The Commission’s Regulatory Flexibility Act analysis for Supplemental proposed § 1.83 assumes the same cost on a per AT Person basis as was used in the NPRM analysis. Specifically, the Commission estimated in the NPRM that proposed § 1.83 requirements that AT Persons keep and provide books and records relating to NPRM proposed §§ 1.80 and 1.81 compliance would result in initial outlay of 60 hours of burden per AT Person. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore initially incur 7,200 burden hours in total. In the NPRM, the Commission estimated that, on an initial basis, an AT Person would incur a cost of $5,130 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur a total initial cost of $615,600. The Commission estimated in the NPRM that proposed § 1.83 requirements that AT Persons keep and provide books and records relating to NPRM proposed §§ 1.80 and 1.81 compliance would result in annual costs of 30 hours of burden per AT Person. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur 3,600 burden hours in total. In the NPRM, the Commission estimated that, on an annual basis, an AT Person would incur a cost of $2,670 to ensure compliance with the NPRM proposed § 1.83(a) recordkeeping rules relating to NPRM proposed § 1.82 compliance. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur a total annual cost of $320,400. d. § 1.84—Maintenance of Algorithmic Trading Source Code and Related Records Supplemental proposed § 1.84 would require AT Persons to retain three categories of records for a period of five years: (1) Algorithmic Trading Source Code; (2) records that track changes to Algorithmic Trading Source Code; and (3) log files that record the activity of the AT Person’s ATS. For purposes of Supplemental proposed § 1.84, Algorithmic Trading Source Code includes computer code, hardware description language, scripts and formulas as well as the configuration VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 files and parameters used to carry out the trading. These records are required to be maintained in their native format. Supplemental proposed § 1.84 also requires that these records be kept in a form and manner that ensures the authenticity and reliability of the information contained in the records, and that AT Persons have systems available to promptly retrieve and display the records. Supplemental proposed § 1.84 applies to AT Persons, including any AT Persons that are floor brokers, floor traders, CTAs, or IBs. The Commission’s best understanding is that at this time, all floor brokers are natural persons. Given the technological and personnel costs associated with Algorithmic Trading, the Commission’s expectation is that only entities, not natural persons, would meet the definition of ‘‘AT Person.’’ Accordingly, the Commission does not believe that any floor brokers would be AT Persons impacted by Supplemental proposed § 1.84. With respect to New Floor Traders, CTAs, and IBs that would meet the definition of AT Person, the Commission does not believe it is feasible to estimate the total number of such entities that would be small entities. However, under this Supplemental NPRM, the Commission estimates that there will be a total of 120 AT Persons, a subset of the estimated 420 AT Persons described in the NPRM. The Commission noted in the NPRM that the proposed definition of AT Person was limited to entities that conduct Algorithmic Trading, and the NPRM proposed definition of New Floor Traders was further limited to those entities with DEA.428 The Commission stated that it believed entities with such capabilities are generally not small entities.429 Thus, the population of AT Persons under the Supplemental NPRM is even less likely to include small entities, since they must meet the additional volume threshold measures discussed above. Consequently, the Commission does not believe that Supplemental proposed § 1.84 will impact a substantial number of small entities. In order to comply with the requirements set out in Supplemental proposed § 1.84(a), an AT Person must have a version control system and an application log management system in place. The Commission expects that most AT Persons have version control software to manage each change made to their software and identify who made the change and why. The Commission 428 NPRM Frm 00050 Fmt 4701 i. Firms Without Sufficient Hardware and Software in Place The Commission estimates that Supplemental proposed § 1.84(a), which requires AT Persons to maintain specified records related to their Algorithmic Trading Source Code and their Algorithmic Trading systems’ activity, will result in initial outlay of 420 hours of burden per AT Person without sufficient hardware and software in place to comply with proposed § 1.84(a), and 33,600 burden hours in total. The estimated burden was calculated as follows: Burden: Supplemental proposed § 1.84(a), which would require AT Persons to maintain certain records. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each AT Person or executing FCM: 420 hours. Burden statement-all AT Persons and executing FCMs: 120 respondents × 420 hours = 50,400 Burden Hours initial year. The Commission estimates that an AT Person without the hardware and software in place to maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $41,840 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software and draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: Hardware costing $12,000,430 430 The Commission estimates that the hardware could cost from $1,000 to $25,000 depending on factors including which hardware vendor an AT at 78886. 429 Id. PO 00000 also expects that most AT Persons manage their application logs through some form of application log management system. For firms that do not have version control systems and application log management systems in place, the effort involved in setting one up includes the acquisition of the hardware to run the system, the application software itself, the migration of the existing Algorithmic Trading Source Code and logs into the software, and the creation of policy and procedures related to the use of the system by the firm. For appropriate hardware to accomplish this task, a machine with sufficient storage space and sufficient redundancy will be needed. The Commission expects that ten terabytes of data would constitute sufficient storage capacity. A number of software options are available, from open-source products to industrystandard tools. Sfmt 4702 E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules software costing $2,000,431 1 Project Manager for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $70 = $4,200); 1 Developer for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $75 = $4,500), 1 Project Manager to develop the related policies and procedures, working for 120 hours (120 × $70 = $8,400), 1 Business Analyst to develop the related policies and procedures, working for 120 hours (120 × $52 = $6,240), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). The 120 AT Persons would therefore incur a total initial cost of $5,020,800 (120 × $41,840). asabaliauskas on DSK3SPTVN1PROD with PROPOSALS ii. Firms With Sufficient Hardware and Software in Place Firms that have the necessary systems in place may nevertheless need to make changes to their policies and procedures and enhance their hardware to provide more storage capacity, in each case to address the requirements of Supplemental proposed § 1.84(a). The discussion below addresses both the effort it takes to determine what upgrades need to be made, and to implement those upgrades. The Commission estimates that Supplemental proposed § 1.84(a) requiring AT Persons to maintain specified records related to their Algorithmic Trading Source Code and their Algorithmic Trading systems’ activity will result in initial outlay of 90 hours of burden per AT Person with sufficient hardware and software to comply with Supplemental proposed § 1.84(a), and 10,800 burden hours in total. The estimated burden was calculated as follows: Burden: Supplemental proposed § 1.84(a), which would require AT Persons to maintain certain records. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each respondent: 90 hours. Burden statement—all respondents: 120 respondents × 90 hours = 10,800 Burden Hours initial year. The Commission estimates that, on an initial basis, an AT Person with the hardware and software in place to Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. 431 The Commission estimates that the software could cost from $0 to $5,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $12,160 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software and draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: Hardware costing $4,000,432 1 Project Manager to develop the related policies and procedures, working for 30 hours (30 × $70 = $2,100), 1 Business Analyst to develop the related policies and procedures, working for 30 hours (30 × $52 = $1,560), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). The 120 AT Persons would therefore incur a total initial cost of $1,459,200 (120 × $12,160). e. Supplemental Proposed §§ 1.84(b) and (c) In order to comply with the requirements set out in Supplemental proposed §§ 1.84(b) and 1.84(c), AT Persons will have to use their version control software to manage their software’s version history. This will require a standard monthly effort to maintain the environment so that each AT Person is able to respond to special calls and/or subpoenas. Monthly Maintenance: The Commission estimates that Supplemental proposed §§ 1.84(b) and 1.84(c), which require AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena, will result in ongoing costs of 324 hours of burden per AT Person per year, and 38,880 annual burden hours in total. The estimated burden was calculated as follows: Burden: Rule requiring AT Persons to produce Algorithmic Trading records in response to a Special Call or Subpoena. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each respondent: 324 hours.433 Burden statement-all respondents: 120 respondents × 324 hours = 38,880 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a 432 The Commission estimates that the hardware could cost from $1,000 to $10,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. 433 The Commission estimates 27 burden hours per respondent/affected entity per month. Annualizing this monthly figure by multiplying by 12 results in the 324 total burden hour estimate. PO 00000 Frm 00051 Fmt 4701 Sfmt 4702 85383 cost of $25,380 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: 1 Project Manager, working for 3 hours per month × 18 months = 54 hours per year (54 × $70 = $3,780); and 1 Developer, working for 24 hours per month × 12 months = 288 hours per year (288 × $75 = $21,600). The 120 AT Persons would therefore incur a total initial cost of $3,045,600 (120 × $25,380). Costs Per Response to a Special Call or Subpoena. The Commission estimates that Supplemental proposed §§ 1.84(b) and 1.84(c), which require AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena, will result in costs per response of 48 hours of burden per AT Person, and 12,960 burden hours in total. The estimated burden was calculated as follows: Burden: Rule requiring AT Persons to produce Algorithmic Trading records in response to a Special Call or Subpoena. Respondents/Affected Entities: 120 AT Persons. Estimated number of responses: 120. Estimated total burden on each respondent: 108 hours. Frequency of collection: Intermittent. Burden statement-all respondents: 120 respondents × 108 hours = 12,960 Burden Hours per year. The Commission estimates that, on an intermittent basis, an AT Person will incur a cost of $5,844 to ensure compliance with those aspects of Supplemental proposed §§ 1.84(b) and 1.84(c) requiring AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 x $70 = $840); 1 Developer, working for 36 hours (36 × $75 = $2,700); and 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304). The 120 AT Persons would therefore incur a total annual cost of $701,280 (120 × $5,844). f. § 1.85—Use of Third-Party Algorithmic Trading Systems or Components Supplemental proposed § 1.85 would allow AT Persons who are unable to comply with a particular development and testing requirement or a particular maintenance or production requirement related to Algorithmic Trading strategy, due solely to their use of third-party system components, to obtain a certification that the third party is complying with the obligation. Pursuant to Supplemental proposed § 1.84, AT Persons must also conduct due diligence regarding the accuracy of the E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85384 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules certification.434 In addition, in all cases, under the Supplemental NPRM, an AT Person is responsible for ensuring that records are retained and produced as required pursuant to Supplemental proposed § 1.84. Supplemental proposed § 1.85 would have the effect of reducing the burdens on AT Persons under Supplemental proposed § 1.84 because an AT Person could effectively shift its burden to comply with certain obligations onto a third party, provided that the third party provides a certification to the AT Person. Since Supplemental proposed § 1.85 is burden reducing with respect to AT Persons, the Commission does not believe that the proposed rule would have a ‘‘significant economic impact’’ on AT Persons for purposes of the Regulatory Flexibility Act. Additionally, the Commission assumes that the third parties that would provide certifications under Supplemental proposed § 1.85 would not be small entities, given the levels of complexity and sophistication required to provide third-party system components to AT Persons in connection with such AT Person’s Algorithmic Trading strategy. The Commission invites comment on the accuracy of its assumption. The Commission estimates that the requirement under Supplemental proposed § 1.85 that an AT Person may comply with an obligation under NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed §§ 1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party that the third party is fulfilling the obligation, will result in: (1) 60 one-time hours of burden per AT Person, and 7,200 burden hours in total; (2) 36 hours (on a recurring annual basis) of burden per AT Person, and 4,320 burden hours in total; (3) 60 onetime hours of burden per third party, and 3,000 burden hours in total; and (4) 36 hours (on a recurring annual basis) of burden per third party, and 1,800 burden hours in total. The estimated burden was calculated as follows: Burden: AT Person establishing the process for obtaining third-party certifications, obtaining the initial certifications and conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 120.435 434 The Supplemental NPRM does not set forth the means by which due diligence must be conducted. The Commission expects that due diligence may take a variety of forms, including but not limited to, email exchanges, teleconferences, reviews of files, and in-person meetings. 435 The Commission estimates 120 AT Persons will rely on third party certifications pursuant to VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Estimated number of responses: 120.436 Estimated total burden on each respondent: 60 hours.437 Frequency of collection: One-time. Burden statement-all respondents: 120 respondents × 60 hours = 7,200 Burden Hours per year. The Commission estimates that an AT Person will incur a one-time cost of $3,506 to establish the process for initially obtaining the third-party certifications permitted by Supplemental proposed § 1.85, conduct the related due diligence and obtain the initial certifications. This cost is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 would therefore incur a total one-time cost of $586,080 (120 × $4,884). Burden: AT Person updating its certifications from third parties and conducting updated due diligence on the accuracy thereof. Respondents/Affected Entities: 120. Estimated number of responses: 120. Estimated total burden on each respondent: 54 hours. Frequency of response: Annual. Burden statement-all respondents: 120 respondents × 54 hours = 6,480 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $2,892 to obtain the third-party certifications permitted by Supplemental proposed § 1.85 and conduct the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 Supplemental proposed § 1.85. This estimate is based on an assumption that each AT Person will rely on one third party service providers for such AT Person’s ATS or components. In fact, the Commission anticipates that some AT Persons will not rely on any third party service providers for their ATSs or components, while other AT Persons will rely on two third party service providers. For purposes of this PRA analysis, the Commission believes that the best available estimate is that there will be a total of 120 Respondents/Affected Entities. The Commission seeks comment on this estimate. 436 This is calculated as the product of 120 estimated Respondents/Affected Entities and one initial response (i.e., establishing the process for obtaining third party certifications, obtaining the initial certifications and conducting due diligence on the accuracy thereof). 437 The Commission estimates that the initial response will take a Project Manager 24 hours, a Compliance Attorney 24 hours and a Developer 12 hours. The sum of those hours is 60 hours. PO 00000 Frm 00052 Fmt 4701 Sfmt 4702 would therefore incur a total annual cost of $347,040 (120 × $2,892). The Commission also anticipates that an AT Person will incur a one-time cost of $2,304 to re-write its contracts with third parties, so that the AT Persons can comply with the recordkeeping and production provisions of Supplemental proposed § 1.84. This cost is broken down as follows: 1 Compliance Attorney, working for 24 hours (24 × $96 per hour = $2,304). Burden: Third party establishing the process for providing certifications to AT Persons, providing the initial certifications and cooperating with AT Persons conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 50.438 Estimated number of responses: 50.439 Estimated total burden on each respondent: 60 hours.440 Frequency of response: One-time. Burden statement-all respondents: 50 responses × 60 hours = 3,000 Burden Hours per year. The Commission estimates that a third party will incur a one-time cost of $4,884 to establish the process for initially providing the third-party certifications permitted by Supplemental proposed § 1.85 and cooperate with AT Persons conducting the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The Commission estimates that third-party ATS providers will issue 120 certifications per year, either as initial or annual certifications. This reflects the Commission’s estimate of 120 AT Persons, and the fact that some AT Persons will rely on multiple third-party providers, while others will develop their systems entirely in-house. The estimated 50 third parties that provide certifications pursuant to Supplemental 438 The Commission estimates that there will be a total of 50 third party service providers to AT Persons for their ATSs or components. The Commission seeks comment on this estimate. 439 This is calculated as the product of 50 third parties and one initial response (i.e., establishing the process for providing third party certifications, providing the initial certifications and cooperating with AT Persons conducting due diligence on the accuracy thereof). The Commission assumes that each third party will provide a single certification to all AT Persons using a product or service from the third party. The Commission seeks comment on this estimate. 440 The Commission estimates that, as with the initial collection burden on AT Persons, the initial response will take a third party Project Manager 24 hours, a third party Compliance Attorney 24 hours and a third party Developer 12 hours. The sum of those hours is 60 hours. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS proposed § 1.85 would therefore incur a total annual cost of $244,200 (50 × $4,884). Burden: Third parties annually updating their certifications to AT Persons and cooperating with AT Persons conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 50.441 Estimated number of responses: 120. Estimated total burden on each respondent: 36 hours.442 Frequency of response: Annual. Burden statement-all respondents: 120 responses × 36 hours = 4,320 Burden Hours per year. The Commission estimates that, on an annual basis, a third party will incur a cost of $2,892 to provide AT Persons the third-party certifications permitted by Supplemental proposed § 1.85 and cooperate with AT Persons conducting the related due diligence. The Commission estimates that third-party ATS providers will issue 120 certifications per year, either as initial or annual certifications. This reflects the Commission’s estimate of 120 AT Persons, and the fact that some AT Persons will rely on multiple third-party providers, while others will develop their systems entirely in-house. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 50 third parties that will rely on § 1.85 would therefore incur a total annual cost of $144,600 (50 × $2,892). In addition to the costs of providing certifications, the Commission anticipates that third-party providers will incur additional costs relating to Supplemental proposed § 1.85(a), which contemplates that third parties will provide to AT Persons systems or components that comply with NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed §§ 1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an annual basis, a third party will incur costs to comply with the proposed rules listed above that are comparable to 441 The Commission estimates that there will be a total of 50 third party service providers to AT Persons for their ATSs or components. 442 The Commission estimates that, as with the recurring annual collection for AT Persons, the annual collection will take a third party Project Manager 12 hours, a third party Compliance Attorney 12 hours and a third party Developer 12 hours. The sum of those hours is 36 hours. However, the Commission believes that in a typical year, the actual number of burden hours would be lower, provided that the product or service the AT Person receives from the third party provider has not changed substantially. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 the costs that an AT Person would incur to comply with such rules. The estimated costs for an AT Person to comply with Supplemental proposed § 1.84 are discussed in Section IX(B)(2)(e) above. The estimated costs for an AT Person to comply with proposed § 1.81(a) were discussed in detail in the NPRM.443 The Commission also anticipates that a third-party will incur a one-time cost of $2,304 to re-write its contracts with AT Persons, so that the AT Persons can comply with the recordkeeping and production provisions of Supplemental proposed § 1.84. This cost is broken down as follows: 1 Compliance Attorney, working for 24 hours (24 × $96 per hour = $2,304). g. § 40.22—Compliance With DCM Reviews The Commission expects that Supplemental proposed § 40.22, which requires DCMs to periodically review AT Persons’ compliance with §§ 1.80 and 1.81 executing FCMs’ compliance with § 1.82, will also impose burdens on the AT Persons that will be subject to such reviews. The Commission believes that an adequate review program will typically require DCMs to evaluate AT Persons’ compliance every two years. Low-risk parties may require less frequent review, while high-risk parties could require more frequent evaluation. The Commission estimates (on an annual basis) 48 hours of burden per AT 443 See NPRM at 78888, 78900. In the NPRM, the Commission estimated that an AT Person that has not implemented any of the requirements of proposed § 1.81(a) (development and testing of ATSs) would incur a total cost of $349,865 to implement those requirements. This cost was broken down as follows: 1 Project Manager, working for 1,707 hours (1,707 × $70 = $119,490); 2 Business Analysts, working for a combined 853 hours (853 × $52 = $44,356); 3 Testers, working for a combined 2,347 hours (2,347 × $52 = $122,044); and 2 Developers, working for a combined 853 hours (853 × $75 = $63,975). The Commission notes that this calculation would apply only to third parties that have not implemented any of the requirements of proposed § 1.81(a). However, the Commission anticipates that many third-party providers—e.g., software development firms— already develop and test systems or components in the ordinary course of their business. Indeed, the Commission anticipates that third-party providers would generally be as sophisticated, if not more sophisticated, than AT Persons with respect to the development and testing of ATSs. Therefore, the Commission believes that the cost of compliance for third parties would be lower than the estimate calculated above. In addition, the Commission anticipates that compliance costs under Supplemental proposed § 1.81(a)(1)(ii) will be lower than the costs estimated in the NPRM, since the Commission is proposing to eliminate the requirement under NPRM proposed § 1.81(a)(1)(ii) that AT Persons must test all Algorithmic Trading code and related systems on each DCM on which Algorithmic Trading will occur (while retaining a more general requirement that AT Persons must test all ATSs). PO 00000 Frm 00053 Fmt 4701 Sfmt 4702 85385 Person, and 2,880 burden hours in total per year. The estimated burden was calculated as follows: Burden: Compliance by AT Persons with DCM Reviews. Respondents/Affected Entities: 120. Estimated number of responses: 60 per year (120/2, or half of the total population per year). Estimated total burden on each AT Person or executing FCM: 48 hours. Frequency of response: Once every two years. Burden statement-all AT Persons and executing FCMs: 60 respondents × 48 hours = 2,880 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $3,720 to facilitate a DCM’s compliance with Supplemental proposed § 40.22. Such costs reflect to the burden to an AT Person of providing written information, responding to questions, and otherwise furnishing such information as the DCM may need to discharge its responsibilities. This cost is broken down as follows: 1 Senior Compliance Specialist, working for 36 hours (36 × $57 = $2,052); and 1 Chief Compliance Officer, working for 12 hours (12 × $139 = $1,668). The 120 AT Persons that will be subject to § 1.83(a) would therefore incur a total annual cost of $446,400 (120 × $3,720). h. § 40.22(d)—Certification Requirement The Commission estimates that Supplemental proposed § 40.22(d), which states that DCMs must require each AT Person to provide the DCM an annual certification attesting that the AT Person complies with the requirements of §§ 1.80 and 1.81, will result in (on an annual basis) 12 hours of burden per AT Person and 1,440 burden hours total. The Commission expects that the annual certification requirement will involve preparation and transmittal of a document that makes the required certification, and that most of the burden hours associated with this requirement would involve review and analysis by compliance personnel of the entity’s compliance with §§ 1.80 and 1.81 necessary to enable the CCO or CEO to sign the certification. The estimated burden was calculated as follows: Burden: Compliance certifications submitted by AT Persons to DCMs. Respondents/Affected Entities: 120 AT Persons. Estimated number of responses: 120. Estimated total burden on each respondent: 12 hours. Frequency of collection: Annual. Burden statement-all respondents: 120 respondents × 12 hours = 1,440 Burden Hours per year. E:\FR\FM\25NOP2.SGM 25NOP2 85386 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules The Commission estimates that, on an annual basis, an AT Person will incur a cost of $1,176 to submit the compliance certification that will be required by proposed § 40.22(d). This cost is broken down as follows: 1 Senior Compliance Specialist, working for 6 hours (6 × $57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 × $139 = $834), for each certification to one DCM. The 120 AT Persons that will be subject to DCM rules implemented pursuant to § 40.22(d) would therefore incur a total annual cost of $141,120 (120 × $1,176).444 64. The Commission invites comment on its Regulatory Flexibility Act analysis. In particular, the Commission specifically invites comment on the accuracy of its assumption that the third parties referenced in Supplemental proposed § 1.85 would not be ‘‘small entities’’ for Regulatory Flexibility Act purposes. 65. Do you agree that revising the definition of AT Person to include one of the proposed volume threshold will mean that no natural persons will be AT Persons? 66. Do you agree that revising the definition of AT Person to include one of the proposed quantitative measures will mean that there will not be a substantial number of small entities impacted by the information collection? asabaliauskas on DSK3SPTVN1PROD with PROPOSALS C. Paperwork Reduction Act The Paperwork Reduction Act (‘‘PRA’’) 445 imposes certain requirements on federal agencies in connection with their conducting or sponsoring any collection of information as defined by the PRA. As discussed in the NPRM, Regulation AT would result in new collection of information requirements within the meaning of the PRA. As explained above, the Commission believes that the proposed volume threshold will reduce the number of AT Persons, which would accordingly reduce the PRA estimates provided in the NPRM. The Commission invites the public to comment on any aspect of how the proposed volume threshold would impact the paperwork burdens discussed in the NPRM. 1. § 1.3(x)(1)(iii)—Submissions by Newly Registered Floor Traders 446 In the NPRM, the Commission estimated that there would be 100 new Floor trader registrants under the 444 The six hours of work for each employee consists of five hours for the initial certification and one hour to prepare additional certifications for three other DCMs. 445 44 U.S.C. 3501 et seq. 446 78 FR 78891. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 proposed definition of floor trader in § 1.3(x)(3). The Commission estimated that the NPRM proposed rules requiring registration would result in 11 hours of burden per affected entity, and 1,100 burden hours total. The Commission estimated that new registrants would incur a one-time cost of $1,056. While the Commission estimated that there would be 420 AT Persons under the NPRM proposed rules for Regulation AT, and approximately 100 would be required to register as Floor traders, the Commission has revised its estimate to 120 AT Persons under the modified rules proposed in this Supplemental NPRM.447 While the Commission recognizes that the modifications in the Supplemental NPRM may reduce the number of entities required to register, the Commission estimates that there will be approximately 100 new Floor trader registrants under Supplemental proposed § 1.3(x)(1)(iii). The Commission estimates that the 100 entities subject to the registration requirement would incur a total onetime cost of $105,600 (100 × $1,056). 2. § 1.80(d)—Pre-Trade Risk Controls for AT Persons—Delegation Supplemental proposed § 1.80(d) allows an AT Person to delegate compliance with § 1.80(a) to its executing FCM. Under Supplemental proposed § 1.80(d)(2), an AT Person may only delegate such functions when (i) it is technologically feasible for each relevant FCM to comply with § 1.80(a) with a level of effectiveness reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event; and (ii) each relevant FCM notifies the AT Person in writing that the FCM has accepted the AT Person’s delegation and that it will comply with § 1.80(a) on behalf of the AT Person. The Commission expects that the written notification pursuant to Supplemental proposed § 1.80(d)(2)(ii) will involve preparation and transmittal of a document that confirms that the FCM accepted the delegation and will comply with § 1.80(a). Accordingly, the Commission estimates that Supplemental proposed § 1.80(d)(2)(ii) will result in two burden hours per affected entity to prepare and send the notification: 1 Compliance Attorney, working for 1 hour (1 × $96 = $96); and 1 Chief Compliance Officer, working for 1 hour (1 × $139). The Commission is unable to estimate the exact number of the 120 AT Persons that will choose to delegate § 1.80(d) compliance. Assuming that all 70 executing FCMs accept delegation for at least one AT 447 See PO 00000 Section II(C)(1). Frm 00054 Fmt 4701 Sfmt 4702 Person, the Commission estimates that the 70 executing FCMs would incur a total one-time cost of $16,450 (70 × $235). 3. § 1.83(a)—AT Person Retention and Production of Books and Records 448 As discussed above, the Commission estimated in the NPRM that 420 entities would qualify as AT Persons under Regulation AT. Pursuant to Supplemental proposed § 1.3(xxxx), the Commission now estimates that 120 entities will be AT Persons. The Commission’s new, lower estimate for the number of AT Persons is a function of the volume threshold test that market participants would have to satisfy to fall within the definition of AT Person under Supplemental proposed § 1.3(xxxx). The Commission has updated its PRA analysis from the NPRM for proposed § 1.83, based on its updated estimate of 120 AT Persons in the Supplemental NPRM (as opposed to the 420 AT Persons estimated in the NPRM). The Commission’s PRA analysis for Supplemental proposed § 1.83 assumes the same cost on a per AT Person basis as was used in the NPRM analysis. Specifically, the Commission estimated in the NPRM that proposed § 1.83 requirements that AT Persons keep and provide books and records relating to NPRM proposed §§ 1.80 and 1.81 compliance would result in initial outlay of 60 hours of burden per AT Person. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore initially incur 7,200 burden hours in total. In the NPRM, the Commission estimated that, on an initial basis, an AT Person would incur a cost of $5,130 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur a total initial cost of $615,600. The Commission estimated in the NPRM that proposed § 1.83 requirements that AT Persons keep and provide books and records relating to NPRM proposed §§ 1.80 and 1.81 compliance would result in annual costs of 30 hours of burden per AT Person. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur 3,600 burden hours in total. In the NPRM, the Commission estimated that, on an annual basis, an AT Person would incur a cost of $2,670 to ensure 448 Supplemental proposed § 1.83(a) is identical to NPRM proposed § 1.83(c). NPRM proposed §§ 1.83(a) and (b) have been removed in this Supplemental NPRM, and § 1.83 has been renumbered accordingly. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules compliance with the NPRM proposed § 1.83(a) recordkeeping rules relating to NPRM proposed § 1.82 compliance. Under Supplemental proposed § 1.83(a), the 120 AT Persons would therefore incur a total annual cost of $320,400. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 4. § 1.83(b)—Executing FCM Retention and Production of Books and Records 449 As discussed above, Supplemental proposed § 1.83(b) would govern FCM retention and production of books and records relating to § 1.82 compliance. NPRM § 1.83(d) applied to ‘‘clearing’’ FCMs. In contrast, Supplemental proposed § 1.83(b) would apply to ‘‘executing’’ FCMs. The Commission’s PRA analysis for Supplemental proposed § 1.83 assumes the same cost on a per AT Person basis as was used in the NPRM analysis. In the NPRM, the Commission estimated that compliance with § 1.83(d) would result in initial outlay of 60 hours of burden per FCM, and 3,420 burden hours total. In the NPRM, the Commission estimated that, on an initial basis, an FCM would incur a cost of $5,130 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. Under Supplemental proposed § 1.83(b), the 70 executing FCMs would therefore incur a total initial cost of $359,100. The Commission estimated in the NPRM that proposed § 1.83 requirements that clearing FCMs keep and provide books and records relating to NPRM proposed § 1.82 compliance would result in annual costs of 30 hours of burden per FCM. In the NPRM, the Commission estimated that compliance with § 1.83(d) would result in annual costs of 30 hours of burden per FCM, and 1,710 burden hours total. In the NPRM, the Commission estimated that, on an initial basis, an FCM would incur a cost of $2,670 relating to § 1.82 compliance, including the updating of policies and procedures and technology infrastructure, and to respond to DCM record requests. Under Supplemental proposed § 1.83(b), the 70 executing FCMs would therefore incur a total annual cost of $186,900. 5. § 1.84—Retention, Production and Confidentiality of Algorithmic Trading Records a. Supplemental Proposed § 1.84(a) In order to comply with the requirements set out in Supplemental proposed § 1.84(a), an AT Person must 449 Supplemental proposed § 1.83(b) amends the provisions of NPRM § 1.83(d). NPRM §§ 1.83(a) and (b) have been removed in this Supplemental NPRM, and § 1.83 has been renumbered accordingly. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 have a version control system and an application log management system in place. The Commission expects that most AT Persons have version control software to manage each change made to their software and identify who made the change and why. The Commission also expects that most AT Persons manage their application logs through some form of application log management system. For firms that do not have version control systems and application log management systems in place, the effort involved in setting one up includes the acquisition of the hardware to run the system, the application software itself, the migration of the existing Algorithmic Trading Source Code and logs into the software, and the creation of policy and procedures related to the use of the system by the firm. For appropriate hardware to accomplish this task, a machine with sufficient storage space and sufficient redundancy will be needed. The Commission expects that 10 terabytes of data would constitute sufficient storage capacity. A number of software options are available, from open-source products to industrystandard tools. i. Firms Without Sufficient Hardware and Software in Place The Commission estimates that Supplemental proposed § 1.84(a), which requires AT Persons to maintain specified records related to their Algorithmic Trading Source Code and their Algorithmic Trading systems’ activity, will result in initial outlay of 420 hours of burden per AT Person without sufficient hardware and software in place to comply with proposed § 1.84(a), and 50,400 burden hours in total. The estimated burden was calculated as follows: Burden: Supplemental proposed § 1.84(a), which would require AT Persons to maintain certain records. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each respondent: 420 hours. Burden statement-all respondents: 120 respondents × 420 hours = 50,400 Burden Hours initial year. The Commission estimates that an AT Person without the hardware and software in place to maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $41,840 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software and draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping PO 00000 Frm 00055 Fmt 4701 Sfmt 4702 85387 infrastructure. This cost is broken down as follows: Hardware costing $12,000,450 software costing $2,000,451 1 Project Manager for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $70 = $4,200); 1 Developer for the Algorithmic Trading Source Code and log migration effort, working for 60 hours (60 × $75 = $4,500), 1 Project Manager to develop the related policies and procedures, working for 120 hours (120 × $70 = $8,400), 1 Business Analyst to develop the related policies and procedures, working for 120 hours (120 × $52 = $6,240), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). Therefore, if none of the 120 AT Persons had sufficient hardware and software to comply, they would therefore incur a total initial cost of $5,020,800 (120 × $41,840). ii. Firms With Sufficient Hardware and Software in Place Firms that have the necessary systems in place may nevertheless need to make changes to their policies and procedures and enhance their hardware to provide more storage capacity, in each case to address the requirements of Supplemental proposed § 1.84(a). The discussion below addresses both the effort it takes to determine what upgrades need to be made, and to implement those upgrades. The Commission estimates that Supplemental proposed § 1.84(a) requiring AT Persons to maintain specified records related to their Algorithmic Trading Source Code and their Algorithmic Trading systems’ activity will result in initial outlay of 90 hours of burden per AT Person with sufficient hardware and software to comply with Supplemental proposed § 1.84(a), and 10,800 burden hours in total. The estimated burden was calculated as follows: Burden: Supplemental proposed § 1.84(a), which would require AT Persons to maintain certain records. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each respondent: 90 hours. 450 The Commission estimates that the hardware could cost from $1,000 to $25,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. 451 The Commission estimates that the software could cost from $0 to $5,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. E:\FR\FM\25NOP2.SGM 25NOP2 85388 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules Burden statement—all respondents: 120 respondents × 90 hours = 10,800 Burden Hours initial year. The Commission estimates that, on an initial basis, an AT Person with the hardware and software in place to maintain the records required by Supplemental proposed § 1.84(a) would incur a cost of $12,160 to purchase and set up the required hardware and software, migrate existing Algorithmic Trading Source Code and logs into the software and draft appropriate recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: Hardware costing $4,000,452 1 Project Manager to develop the related policies and procedures, working for 30 hours (30 × $70 = $2,100, 1 Business Analyst to develop the related policies and procedures, working for 30 hours (30 × $52 = $1,560), and 1 Developer to develop the related policies and procedures, working for 60 hours (60 × $75 = $4,500). The 120 AT Persons would therefore incur a total initial cost of $1,459,200 (120 × $12,160). asabaliauskas on DSK3SPTVN1PROD with PROPOSALS b. Supplemental Proposed §§ 1.84(b) and (c) In order to comply with the requirements set out in Supplemental proposed §§ 1.84(b) and 1.84(c), AT Persons will have to use their version control software to manage their software’s version history. This will require a standard monthly effort to maintain the environment so that each AT Person is able to respond to special calls and/or subpoenas. Monthly Maintenance: The Commission estimates that Supplemental proposed §§ 1.84(b) and 1.84(c), which require AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena, will result in ongoing costs of 324 hours of burden per AT Person per year, and 38,880 annual burden hours in total. The estimated burden was calculated as follows: Burden: Rule requiring AT Persons to produce Algorithmic Trading records in response to a Special Call or Subpoena. Respondents/Affected Entities: 120 AT Persons. Estimated total burden on each respondent: 324 hours.453 452 The Commission estimates that the hardware could cost from $1,000 to $10,000 depending on factors including which hardware vendor an AT Person chooses, the amount of business the AT Person does with the hardware vendor and the pricing the hardware vendor provides the AT Person as a result. 453 The Commission estimates 27 burden hours per respondent/affected entity per month. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Burden statement—all respondents: 120 respondents × 324 hours = 38,880 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $24,120 to draft and update recordkeeping policies and procedures and make technology improvements to recordkeeping infrastructure. This cost is broken down as follows: 1 Project Manager, working for 3 hours per month × 12 months = 36 hours per year (36 × $70 = $2,520); and 1 Developer, working for 24 hours per month × 12 months = 288 hours per year (288 × $75 = $21,600). The 120 AT Persons would therefore incur a total annual cost of $2,894,400 (120 × $24,120). Costs per Response to a Special Call or Subpoena: The Commission estimates that Supplemental proposed §§ 1.84(b) and 1.84(c), which require AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena, will result in costs per response of 72 hours of burden per AT Person, and 12,960 burden hours in total. The estimated burden was calculated as follows: Burden: Rule requiring AT Persons to produce Algorithmic Trading records in response to a Special Call or Subpoena. Respondents/Affected Entities: 120 AT Persons. Estimated number of responses: 120. Estimated total burden on each respondent: 108 hours. Frequency of collection: Intermittent. Burden statement—all respondents: 120 respondents × 108 hours = 12,960 Burden Hours per year. The Commission estimates that, on an intermittent basis, an AT Person will incur a cost of $5,844 to ensure compliance with those aspects of Supplemental proposed §§ 1.84(b) and 1.84(c) requiring AT Persons to produce records of Algorithmic Trading in response to a special call or subpoena. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Developer, working for 36 hours (36 × $75 = $2,700); and 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304). The 120 AT Persons would therefore incur a total annual cost of $701,280 (120 × $5,844). 6. § 1.85—Third-Party Algorithmic Trading Systems or Components The Commission estimates that the requirement under Supplemental proposed § 1.85 that an AT Person may comply with an obligation under NPRM proposed §§ 1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Annualizing this monthly figure by multiplying by 12 results in the 324 total burden hour estimate. PO 00000 Frm 00056 Fmt 4701 Sfmt 4702 Supplemental proposed §§ 1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party that the third party is fulfilling the obligation, will result in: (1) 60 one-time hours of burden per AT Person, and 7,200 burden hours in total; (2) 36 hours (on a recurring annual basis) of burden per AT Person, and 4,320 burden hours in total; (3) 60 onetime hours of burden per third party, and 3,000 burden hours in total; and (4) 36 hours (on a recurring annual basis) of burden per third party, and 1,800 burden hours in total. The estimated burden was calculated as follows: Burden: AT Person establishing the process for obtaining third-party certifications, obtaining the initial certifications and conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 120.454 Estimated number of responses: 120.455 Estimated total burden on each respondent: 60 hours.456 Frequency of collection: One-time. Burden statement—all respondents: 120 respondents × 60 hours = 7,200 Burden Hours per year. The Commission estimates that an AT Person will incur a one-time cost of $4,884 to establish the process for initially obtaining the third-party certifications permitted by Supplemental proposed § 1.85, conduct the related due diligence and obtain the initial certifications. This cost is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 would therefore incur a total one-time cost of $586,080 (120 × $4,884). Burden: AT Person updating its certifications from third parties and 454 The Commission estimates 120 AT Persons will rely on third party certifications pursuant to Supplemental proposed § 1.85. This estimate is based on an assumption that each AT Person will rely on one third party service providers for such AT Person’s ATS or components. In fact, the Commission anticipates that some AT Persons will not rely on any third party service providers for their ATSs or components, while other AT Persons will rely on two third party service providers. For purposes of this PRA analysis, the Commission believes that the best available estimate is that there will be a total of 120 Respondents/Affected Entities. The Commission seeks comment on this estimate. 455 This is calculated as the product of 120 estimated Respondents/Affected Entities and one initial response (i.e., establishing the process for obtaining third party certifications, obtaining the initial certifications and conducting due diligence on the accuracy thereof). 456 The Commission estimates that the initial response will take a Project Manager 24 hours, a Compliance Attorney 24 hours and a Developer 12 hours. The sum of those hours is 60 hours. E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules conducting updated due diligence on the accuracy thereof. Respondents/Affected Entities: 120. Estimated number of responses: 120. Estimated total burden on each respondent: 36 hours.457 Frequency of collection: Annual. Burden statement—all respondents: 120 respondents × 36 hours = 4,320 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $2,892 to obtain the third-party certifications permitted by Supplemental proposed § 1.85 and conduct the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 120 AT Persons that will rely on § 1.85 would therefore incur a total annual cost of $347,040 (120 × $2,892). Burden: Third party establishing the process for providing certifications to AT Persons, providing the initial certifications and cooperating with AT Persons conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 50.458 Estimated number of responses: 50.459 Estimated total burden on each respondent: 60 hours.460 Frequency of collection: One-time. Burden statement—all respondents: 50 responses × 60 hours = 3,000 Burden Hours per year. The Commission estimates that a third party will incur a one-time cost of $4,884 to establish the process for initially providing the third-party certifications permitted by asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 457 The Commission estimates that the annual collection will take a Project Manager 12 hours, a Compliance Attorney 12 hours and a Developer 12 hours. The sum of those hours is 36 hours. However, the Commission believes that in a typical year, the actual number of burden hours would be lower, provided that the product or service the AT Person receives from the third party provider has not changed substantially. 458 The Commission estimates that there will be a total of 50 third party service providers to AT Persons for their ATSs or components. The Commission seeks comment on this estimate. 459 This is calculated as the product of 50 third parties and one initial response (i.e., establishing the process for providing third party certifications, providing the initial certifications and cooperating with AT Persons conducting due diligence on the accuracy thereof). The Commission assumes that each third party will provide a single certification to all AT Persons using a product or service from the third party. The Commission seeks comment on this estimate. 460 The Commission estimates that, as with the initial collection burden on AT Persons, the initial response will take a third party Project Manager 24 hours, a third party Compliance Attorney 24 hours and a third party Developer 12 hours. The sum of those hours is 60 hours. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Supplemental proposed § 1.85 and cooperate with AT Persons conducting the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 24 hours (24 × $70 = $1,680); 1 Compliance Attorney, working for 24 hours (24 × $96 = $2,304); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 50 third parties that provide certifications pursuant to Supplemental proposed § 1.85 would therefore incur a total initial cost of $244,200 (50 × $4,884). Burden: Third parties annually updating their certifications to AT Persons and cooperating with AT Persons conducting due diligence on the accuracy thereof. Respondents/Affected Entities: 50.461 Estimated number of responses: 120. Estimated total burden on each respondent: 36 hours.462 Frequency of collection: Annual. Burden statement—all respondents: 120 responses × 36 hours = 4,320 Burden Hours per year. The Commission estimates that, on an annual basis, a third party will incur a cost of $2,892 to provide AT Persons the third-party certifications permitted by Supplemental proposed § 1.85 and cooperate with AT Persons conducting the related due diligence. This cost is broken down as follows: 1 Project Manager, working for 12 hours (12 × $70 = $840); 1 Compliance Attorney, working for 12 hours (12 × $96 = $1,152); and 1 Developer working for 12 hours (12 × $75 = $900). The estimated 50 third parties that will rely on § 1.85 would therefore incur a total annual cost of $144,600 (50 × $2,892). 7. § 38.255(c)—Risk Controls for Trading—FCM Certification to DCM Supplemental proposed § 38.255(c) requires a DCM that permits DEA to require that an FCM use DCM-provided risk controls, or substantially equivalent controls developed by the FCM itself or a third party. Prior to an FCM’s use of its own or a third party’s systems and controls, the FCM must certify to the DCM that such systems and controls are in fact substantially equivalent to the 461 The Commission estimates that there will be a total of 50 third party service providers to AT Persons for their ATSs or components. 462 The Commission estimates that, as with the recurring annual collection for AT Persons, the annual collection will take a third party Project Manager 12 hours, a third party Compliance Attorney 12 hours and a third party Developer 12 hours. The sum of those hours is 36 hours. However, the Commission believes that in a typical year, the actual number of burden hours would be lower, provided that the product or service the AT Person receives from the third party provider has not changed substantially. PO 00000 Frm 00057 Fmt 4701 Sfmt 4702 85389 systems and controls that the DCM makes available pursuant to Supplemental proposed § 38.255(b). The Commission expects that the written notification pursuant to Supplemental proposed § 38.255(c) will involve preparation and transmittal of a certification document. Accordingly, the Commission estimates that Supplemental proposed § 38.255(c) will result in two burden hours per affected entity to prepare and send the notification: 1 Compliance Attorney, working for 1 hour (1 × $96 = $96); and 1 Chief Compliance Officer, working for 1 hour (1 × $139). The Commission is unable to estimate the exact number of FCMs that will choose to use its own or a third party’s systems and controls. Assuming that all 70 executing FCMs were to do so for four DCMs, the Commission estimates that the 70 executing FCMs would incur a total one-time cost of $65,800 (70 × $235 × 4).463 8. § 40.22(a)–(c)—Compliance With DCM Reviews The Commission expects that Supplemental proposed § 40.22(a)–(c), which requires DCMs to periodically review AT Persons’ compliance with §§ 1.80 and 1.81 executing FCMs’ compliance with § 1.82, will also impose burdens on the AT Persons and executing FCMs that will be subject to such reviews. The Commission believes that an adequate review program will typically require DCMs to evaluate AT Persons’ and executing FCMs’ compliance every two years. Low-risk parties may require less frequent review, while high-risk parties could require for frequent evaluation. The Commission estimates (on an annual basis) 48 hours of burden per AT Person and executing FCM, and 4,320 burden hours in total per year. The estimated burden was calculated as follows: Burden: Compliance by AT Persons and FCMs with DCM Reviews. Respondents/Affected Entities: 180 (120 AT Persons + 60 FCMs).464 Estimated number of responses: 90 per year (180/2, or half of the total population per year). Estimated total burden on each AT Person or executing FCM: 48 hours. Frequency of response: Once every two years. 463 DCMs will incur some costs with respect to preparing an exchange rule requiring FCMs to provide § 38.255(c) certifications. Exchange rulewriting costs are generally covered in the existing Part 40 PRA collection. 464 The Commission is using 60, as opposed to 70, FCMs for purposes of this calculation because every FCM does not operate on all DCMs. Accordingly, a single DCM would not necessarily have to review every FCM. E:\FR\FM\25NOP2.SGM 25NOP2 85390 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Burden statement—all AT Persons and executing FCMs: 90 respondents × 48 hours = 4,320 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person or an executing FCM will incur a cost of $3,720 to facilitate a DCM’s compliance with Supplemental proposed § 40.22. Such costs reflect to the burden to an AT Person or executing FCM of providing written information, responding to questions, and otherwise furnishing such information as the DCM may need to discharge its responsibilities. This cost is broken down as follows: 1 Senior Compliance Specialist, working for 36 hours (36 × $57 = $2,052); and 1 Chief Compliance Officer, working for 12 hours (12 × $139 = $1,668). The 180 AT Persons and executing FCMs that will be subject to § 40.22 DCM review programs would therefore incur a total annual cost of $334,800 (90 × $3,720). 9. § 40.22(d)—Certification Requirement The Commission estimates that Supplemental proposed § 40.22(d), which states that DCMs must require each AT Person to provide the DCM an annual certification attesting that the AT Person complies with the requirements of §§ 1.80 and 1.81, will result in (on an annual basis) 12 hours of burden per AT Person and 1,440 burden hours total. The Commission expects that the annual certification requirement will involve preparation and transmittal of a document that makes the required certification, and that most of the burden hours associated with this requirement would involve review and analysis by compliance personnel of the entity’s compliance with §§ 1.80 and 1.81 necessary to enable the CCO or CEO to sign the certification. The estimated burden was calculated as follows: Burden: Compliance certifications submitted by AT Persons to DCMs. Respondents/Affected Entities: 120 AT Persons. Estimated number of responses: 120. Estimated total burden on each respondent: 12 hours. Frequency of collection: Annual. Burden statement—all respondents: 120 respondents × 12 hours = 1,440 Burden Hours per year. The Commission estimates that, on an annual basis, an AT Person will incur a cost of $1,176 to submit the compliance certification that will be required by proposed § 40.22(d). This cost is broken down as follows: 1 Senior Compliance Specialist, working for 6 hours (6 × $57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 × $139 = $834), for each certification to one VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 DCM. The 120 AT Persons that will be subject to DCM rules implemented pursuant to § 40.22(d) would therefore incur a total annual cost of $141,120 (120 × $1,176). Proposed § 40.22(d) also states that DCMs must require that each executing FCM provide the DCM with an annual certification attesting that the executing FCM complies with the requirements of § 1.82. The Commission estimates that this requirement will result in (on an annual basis), 10 hours of burden per executing FCM, and 2,800 burden hours total. The Commission expects that the annual certification requirement will involve preparation and transmittal of a document that makes the required certification, and that most of the burden hours associated with this requirement would involve review and analysis by compliance personnel of the entity’s compliance with § 1.82 necessary to enable the CCO or CEO to sign the certification. The estimated burden was calculated as follows: Burden: Compliance certifications submitted by executing FCMs to DCMs. Respondents/Affected Entities: 70 executing FCMs. Estimated number of responses: 70. Estimated total burden on each respondent: 12 hours. Frequency of collection: Annual. Burden statement—all respondents: 70 respondents × 12 hours = 840 Burden Hours per year. The Commission estimates that, on an annual basis, an executing FCM will incur a cost of $1,176 to submit the compliance certification required by proposed § 40.22(d). This cost is broken down as follows: 1 Senior Compliance Specialist, working for 6 hours (6 × $57 = $342); and 1 Chief Compliance Officer, working for 5 hours (5 × $139 = $834), for each certification to one DCM. The 70 executing FCMs that will be subject to DCM rules implemented pursuant to § 40.22(d) would therefore incur a total annual cost of $82,320 (70 × $1,176). 10. Commission Questions 67. The Commission welcomes all comments on the PRA analysis set forth in this Supplemental NPRM and, in particular, all comments regarding the accuracy of its estimate that 120 AT Persons would rely on third-party certifications pursuant to Supplemental proposed § 1.85. 68. The Commission seeks comment on its estimate that 50 third parties would provide certifications to AT Persons pursuant to Supplemental proposed § 1.85. 69. The Commission seeks comment on its estimated costs on AT Persons PO 00000 Frm 00058 Fmt 4701 Sfmt 4702 and third parties in connection with Supplemental proposed § 1.85. 70. The Commission is assuming that each third party that provides certifications under Supplemental proposed § 1.85 will provide a single certification to all AT Persons that use a product or service from such third party. The Commission seeks comment on whether it is feasible for a third party to provide a single certification to all AT Persons using such third party’s products or services. List of Subjects 17 CFR Part 1 Commodity futures, Commodity pool operators, Commodity trading advisors, Definitions, Designated contract markets, Floor brokers, Futures commission merchants, Introducing brokers, Major swap participants, Reporting and recordkeeping requirements, Swap dealers. 17 CFR Part 38 Commodity futures, Designated contract markets, Reporting and recordkeeping requirements. 17 CFR Part 40 Commodity futures, Definitions, Designated contract markets, Reporting and recordkeeping requirements. 17 CFR Part 170 Commodity futures, Commodity pool operators, Commodity trading advisors, Floor brokers, Futures commission merchants, Introducing brokers, Major swap participants, Reporting and recordkeeping requirements, Swap dealers. For the reasons stated in the preamble, the Commodity Futures Trading Commission proposes to amend 17 CFR chapter I as follows: PART 1—GENERAL REGULATIONS UNDER THE COMMODITY EXCHANGE ACT 1. The authority citation for part 1 continues to read as follows: ■ Authority: 7 U.S.C. 1a, 2, 5, 6, 6a, 6b, 6c, 6d, 6e, 6f, 6g, 6h, 6i, 6k, 6l, 6m, 6n, 6o, 6p, 6r, 6s, 7, 7a–1, 7a–2, 7b, 7b–3, 8, 9, 10a, 12, 12a, 12c, 13a, 13a–1, 16, 16a, 19, 21, 23, and 24 (2012). 2. Amend § 1.3 as follows: a. Revise paragraph (x); b. Reserve paragraphs (tttt)–(vvvv); c. Add paragraphs (wwww), (xxxx), and (yyyy); ■ d. Reserve paragraphs (zzzz) and (aaaaa); and ■ e. Add paragraphs (bbbbb), (ccccc), and (ddddd). ■ ■ ■ ■ E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules The revisions and additions to read as follows: § 1.3 Definitions. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS * * * * * (x) Floor trader—(1) In general. This term means any person: (i) Who, in or surrounding any pit, ring, post or other place provided by a contract market for the meeting of persons similarly engaged, purchases, or sells solely for such person’s own account— (A) Any commodity for future delivery, security futures product, or swap; or (B) Any commodity option authorized under section 4c of the Act; or (ii) Who is registered with the Commission as a floor trader; or (iii)(A) Who, in or surrounding any other place provided by a contract market for the meeting of persons similarly engaged, purchases or sells solely for such person’s own account— (1) Any commodity for future delivery, security futures product, or swap; or (2) Any commodity option authorized under section 4c of the Act; (B) Who uses Direct Electronic Access as defined in paragraph (yyyy) of this section, in whole or in part, to access such other place for Algorithmic Trading; (C) Who is not registered with the Commission as a futures commission merchant, floor broker, swap dealer, major swap participant, commodity pool operator, commodity trading advisor, or introducing broker; and (D) Who, with respect to purchases or sales on any designated contract market of any commodity for future delivery, security futures product, or swap, or any commodity option authorized under section 4c of the Act, satisfies the volume threshold test set forth in paragraph (x)(2) of this section. (2) Volume threshold test. A person satisfies the volume threshold test for purposes of paragraph (x)(1)(iii)(D) of this section if such person trades an aggregate average daily volume of at least 20,000 contracts for such person’s own account, the accounts of customers, or both where: (i) Such person shall calculate the aggregate average daily volume across all products and on the electronic trading facilities of all designated contract markets where such person trades; (ii) Such person shall calculate the aggregate average daily volume for each January 1 through June 30 and July 1 through December 31 period, based on all trading days in the respective period; and VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 (iii) For purposes of calculating the aggregate average daily volume, such person shall aggregate its own trading volume and that of any other persons controlling, controlled by or under common control with such person. (3) Registration period. (i) Unregistered persons who satisfy paragraphs (x)(1)(iii)(A)–(C) of this section, and who satisfy the volume threshold test set forth in paragraph (x)(2) of this section in any January 1 through June 30 or July 1 through December 31 period, shall register as a floor trader within 30 days after the end of such period and shall comply with all requirements of AT Persons pursuant to Commission regulations in this chapter within 90 days after the end of such period. (ii) For any group consisting of a person and any other persons controlling, controlled by or under common control with such person, if such group of persons in the aggregate satisfies the volume threshold test set forth in paragraph (x)(2) of this section, then one or more persons in such group shall register as floor traders under paragraph (x)(3)(i) of this section, so that the aggregate average daily volume of the unregistered persons in the group trade an aggregate average daily volume below the volume threshold test set forth in paragraph (x)(2) of this section. (4) Anti-Evasion. (i) No person shall trade contracts or cause contracts to be traded through multiple entities for the purpose of evading the registration requirements imposed on floor traders under paragraph (x)(3) of this section, or to avoid meeting the definition of AT Person under paragraph (xxxx) of this section. (ii) Contracts that any person trades or causes to be traded through multiple entities for the purpose of evading the registration requirements imposed on floor traders under paragraph (x)(3) of this section, or to avoid meeting the definition of AT Person under paragraph (xxxx) of this section, shall be attributed to such person for purposes of the volume threshold test calculation contained in paragraph (x)(2) of this section. * * * * * (tttt)–(vvvv) [Reserved] (wwww) AT Order Message. This term means each new order submitted through Algorithmic Trading by an AT Person and each modification or cancellation submitted through Algorithmic Trading by an AT Person with respect to such an order. (xxxx) AT Person. (1) This term means any person registered or required to be registered as a— PO 00000 Frm 00059 Fmt 4701 Sfmt 4702 85391 (i) Futures commission merchant, floor broker, swap dealer, major swap participant, commodity pool operator, commodity trading advisor, or introducing broker that— (A) Engages in Algorithmic Trading on or subject to the rules of a designated contract market; and (B) With respect to purchases or sales of any commodity for future delivery, security futures product, or swap, or any commodity option authorized under section 4c of the Act, satisfies, or has satisfied, the volume threshold test set forth in paragraph (x)(2) of this section; provided, however, that if an AT Person does not satisfy such volume threshold test for two consecutive semi-annual periods, as outlined in paragraph (x)(2) of this section, then such person shall no longer be considered an AT Person; or (ii) Floor trader as defined in paragraph (x)(1)(iii) of this section. (2)(i) A person who does not satisfy the conditions of paragraph (xxxx)(1) of this section may elect to become an AT Person, provided that such person: (A) Registers as a floor trader as defined in paragraph (x)(1)(ii) of this section; and (B) Submits an application for membership in at least one registered futures association pursuant to § 170.18 of this chapter. (ii) A person that elects to become an AT Person pursuant to paragraph (xxxx)(2)(i) of this section shall comply with all requirements of AT Persons pursuant to Commission regulations in this chapter. (yyyy) Direct Electronic Access. For purposes of §§ 1.3(x), 1.3(xxxx), 1.80, 1.81, and 1.82, and §§ 38.255 and 40.20 of this chapter, this term means the electronic transmission of an order for processing on or subject to the rules of a contract market, including the electronic transmission of any modification or cancellation of such order; provided however that this term does not include orders, or modifications or cancellations thereof, electronically transmitted to a designated contract market by a futures commission merchant that such futures commission merchant first received from an unaffiliated natural person by means of oral or written communications. (zzzz)–(aaaaa) [Reserved] (bbbbb) Electronic Trading Order Message. This term means each new order submitted by Electronic Trading and each modification or cancellation submitted by Electronic Trading with respect to such an order. (ccccc) Algorithmic Trading Source Code. Algorithmic Trading Source Code E:\FR\FM\25NOP2.SGM 25NOP2 85392 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules generally means computer commands written in a computer programming language that is readable by natural persons. For purposes of §§ 1.81 and 1.84, Algorithmic Trading Source Code shall include at minimum computer code, logic embedded in electronic circuits, scripts, parameters input into an Algorithmic Trading system, formulas, and configuration files. (ddddd) Electronic Trading. For purposes of §§ 1.80, 1.82, and 1.83, and §§ 38.255, 40.20, and 40.22 of this chapter, this term means trading in any commodity interest as defined in paragraph (yy) of this section on an electronic trading facility as such term is defined by section 1a(16) of the Act, where the order, order modification or order cancellation is electronically submitted for processing on or subject to the rules of a designated contract market. ■ 3. Add subpart A to read as follows: Subpart A—Requirements for Algorithmic Trading Sec. 1.80 Pre-trade risk controls for AT Persons. 1.81 Standards for the development, monitoring, and compliance of Algorithmic Trading systems. 1.82 Executing futures commission merchant risk management. 1.83 AT Person and executing futures commission merchant recordkeeping. 1.84 Maintenance of Algorithmic Trading Source Code and related records. 1.85 Use of third-party Algorithmic Trading systems or components. Subpart A—Requirements for Algorithmic Trading asabaliauskas on DSK3SPTVN1PROD with PROPOSALS § 1.80 Pre-trade risk controls for AT Persons. For all AT Order Messages, an AT Person shall implement pre-trade risk controls and other measures reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event, including but not limited to: (a) [Reserved] (1) [Reserved] (2) Pre-trade risk controls shall be set at a level or levels of granularity that shall include as appropriate the level of each AT Person, product, account number or designation, or one or more identifiers of the natural persons or the order strategy or Algorithmic Trading system associated with an AT Order Message. (b) [Reserved] (c) [Reserved] (d) Delegation. (1) An AT Person may choose to comply with paragraph (a) of this section by implementing required pre-trade risk controls, or it may instead delegate compliance with such VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 obligations to its executing futures commission merchant(s). (2) An AT Person may only delegate such functions when— (i) It is technologically feasible for each relevant futures commission merchant to comply with paragraph (a) of this section with a level of effectiveness reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event; and (ii) Each relevant futures commission merchant notifies the AT Person in writing that the futures commission merchant has accepted the AT Person’s delegation and that it will comply with paragraph (a) of this section on behalf of the AT Person. (e) [Reserved] (f) Periodic review for sufficiency and effectiveness. Each AT Person shall periodically review its compliance with this section to determine whether it has effectively implemented sufficient measures reasonably designed to prevent and reduce the potential risk of an Algorithmic Trading Event. Each AT Person that has delegated its pre-trade risk controls to a futures commission merchant pursuant to paragraph (d) or paragraph (g)(2)–(3) of this section shall periodically review such futures commission merchant’s compliance with the requirements of paragraph (a) of this section on behalf of the AT Person. Each AT Person shall take prompt action to remedy any deficiencies it identifies in its own measures or in those of a futures commission merchant to which it has delegated. (g) AT Persons’ pre-trade risk controls for electronic trading. (1) An AT Person shall also apply the risk control mechanisms described in paragraphs (a), (b), and (c) of this section to its Electronic Trading Order Messages that do not arise from Algorithmic Trading, after making appropriate adjustments in the risk control mechanisms to accommodate the application of such mechanisms to Electronic Trading Order Messages. (2) An AT Person may choose to comply with paragraph (g)(1) of this section as to the risk controls in paragraph (a) of this section by implementing required pre-trade risk controls, or it may instead delegate compliance with such obligations to its executing futures commission merchant(s). (3) An AT Person may only delegate such functions when— (i) It is technologically feasible for each relevant futures commission merchant to comply with paragraph (g)(1) of this section as to risk control mechanisms required by paragraph (a) PO 00000 Frm 00060 Fmt 4701 Sfmt 4702 of this section with a level of effectiveness reasonably designed to prevent and reduce the potential risk of a disruption associated with Electronic Trading; and (ii) Each relevant futures commission merchant notifies the AT Person in writing that the futures commission merchant has accepted the AT Person’s delegation and that it will comply with paragraph (a) of this section on behalf of the AT Person. § 1.81 Standards for the development, monitoring, and compliance of Algorithmic Trading systems. (a) Development and testing of Algorithmic Trading Systems. (1) [Reserved] (i) [Reserved] (ii) Testing of all Algorithmic Trading systems, including Algorithmic Trading Source Code, and any changes to such systems or code, prior to their implementation. Such testing shall be reasonably designed to effectively identify circumstances that may contribute to future Algorithmic Trading Events. (iii)–(iv) [Reserved] (2) [Reserved] (b)–(d) [Reserved] § 1.82 Executing futures commission merchant risk management. (a) Electronic Trading Order Messages not originating with an AT Person. Each executing futures commission merchant shall comply with the following requirements for all Electronic Trading Order Messages not originating with an AT Person: (1) Make use of pre-trade risk controls reasonably designed to prevent and reduce the potential risk of a disruption associated with Electronic Trading (including an Algorithmic Trading Disruption), including at a minimum: (i) Maximum Electronic Trading Order Message frequency per unit time and maximum execution frequency per unit time; and (ii) Order price parameters and maximum order size limits. (2) Pre-trade risk controls must be set at a level or levels of granularity that will prevent and reduce the potential risk of an Electronic Trading disruption, which shall include as appropriate the level of each customer, product, account number or designation, or one or more identifiers of the natural persons or the order strategy or Algorithmic Trading system associated with an Electronic Trading Order Message. (3) The futures commission merchant shall have policies and procedures reasonably designed to ensure that natural person monitors at the futures E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules commission merchant are promptly alerted when pre-trade risk control parameters established pursuant to this section are breached. (4) Make use of order cancellation systems that have the ability to: (i) Immediately disengage Electronic Trading; (ii) Cancel selected or up to all resting orders when system or market conditions require it; and (iii) Prevent submission of new Electronic Trading Order Messages. (b) Direct Electronic Access orders. For all Electronic Trading Order Messages not originating with an AT Person and that are submitted to a trading platform through Direct Electronic Access as defined in § 1.3(yyyy), the futures commission merchant may comply with the requirements of paragraphs (a)(1), (2), and (4) of this section by implementing the pre-trade risk controls and order cancellation systems provided by designated contract markets pursuant to § 38.255(b) and (c) of this chapter. (c) Non-Direct Electronic Access orders. For all Electronic Trading Order Messages not originating with an AT Person and that are not submitted to a trading platform through Direct Electronic Access as defined in § 1.3(yyyy), the futures commission merchant shall comply with the requirements of paragraphs (a)(1), (2), and (4) of this section by— (i) Itself establishing and maintaining the pre-trade risk controls and order cancellation systems described in paragraphs (a)(1), (2), and (4) of this section; or (ii) Implementing the pre-trade risk controls and order cancellation systems provided by designated contract markets pursuant to § 38.255(b) and (c) of this chapter. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS § 1.83 AT Person and executing futures commission merchant recordkeeping. (a) AT Person recordkeeping. Each AT Person shall keep, and provide upon request to each designated contract market on which such AT Person engages in Algorithmic Trading, books and records regarding such AT Person’s compliance with all requirements pursuant to §§ 1.80 and 1.81. (b) Executing futures commission merchant recordkeeping. Each executing futures commission merchant shall keep, and provide upon request to each designated contract market on which its customers engage in Electronic Trading, books and records regarding such futures commission merchant’s compliance with all requirements pursuant to § 1.82. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 § 1.84 Maintenance of Algorithmic Trading Source Code and related records. (a) Records required to be maintained. Each AT Person shall retain the following records, in their native format, for a period of five years: (1) Any Algorithmic Trading Source Code used by the AT Person. (2) Any records generated by the AT Person in the ordinary course of business that track material changes to the Algorithmic Trading Source Code, including, if generated by the AT Person in the ordinary course of business, a record of when and by whom such changes were made. (3) Any logs or log files generated by the AT Person in the ordinary course of business that record the activity of the AT Person’s Algorithmic Trading system, including a chronological record of such system’s actions. (b) Commission access to required records pursuant to special call. AT Persons shall produce records required to be maintained pursuant to § 1.84(a) as requested pursuant to special call of the Commission. (1) Form and manner. Such special call by the Commission may authorize the Director of the Division of Market Oversight to execute the special call and to specify the form and manner in which records shall be produced. (2) Accessibility and production of records of Algorithmic Trading activity. (i) The records required to be kept pursuant to § 1.84(a) shall be maintained in a form and manner that ensures the authenticity and reliability of the information contained in such records. (ii) AT Persons shall have available at all times systems to promptly retrieve and display the records required to be maintained pursuant to § 1.84(a) and the information contained in such records. Such systems shall, at a minimum, be equivalent to the systems used by the AT Persons when accessing records required to be maintained pursuant to § 1.84(a) in the ordinary course of its business. (iii) Each AT Person must, at its own expense, produce promptly upon demand, such records as may be set forth in the Commission’s special call or as specified by the Director of the Division of Market Oversight pursuant to special call by the Commission. (3) Confidentiality of records required to be maintained. Records required to be maintained pursuant to § 1.84(a) are subject to section 8(a) of the Act when produced to the Commission pursuant to § 1.84(b). Except as specifically authorized in the Act or the Commission’s regulations in this chapter, the Commission shall not PO 00000 Frm 00061 Fmt 4701 Sfmt 4702 85393 disclose any record provided pursuant to § 1.84(b), including data and information that would separately disclose the market positions, business transactions, trade secrets, or names of customers of any person. (c) Subpoenas. The special call procedure set forth in paragraph (b) of this section in no way limits the ability of the Commission, any member of the Commission, or Commission staff to obtain records required to be maintained pursuant to paragraph (a) of this section via the subpoena procedure set forth in part 11 of this chapter. § 1.85 Use of third-party Algorithmic Trading systems or components. (a) Use of third-party Algorithmic Trading systems or components. With respect to Algorithmic Trading systems or components, AT Persons who are otherwise unable to comply with an obligation set forth in the following provisions: §§ 1.81(a)(1)(i), 1.81(a)(1)(ii), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or 1.84, due solely to their use of thirdparty systems or components may comply with such obligation by obtaining a certification from the third party that the relevant system or component meets applicable regulatory requirements. (b) AT Persons shall obtain a new certification described in paragraph (a) of this section each time there is a material change to such third-party provided systems or components. (c) Each AT Person shall conduct due diligence to reasonably determine the accuracy and sufficiency of a certification provided by a third party. (d) Notwithstanding the provisions of paragraphs (a)–(c) of this section, each AT Person shall remain responsible for compliance with the obligations set forth in § 1.84. Each AT Person shall retain records pursuant to § 1.84(a), or shall cause such records to be maintained. Each AT Person shall also produce records pursuant to § 1.84(b), or cause such records to be produced, when requested by the Commission. PART 38—DESIGNATED CONTRACT MARKETS 4. The authority citation for part 38 continues to read as follows: ■ Authority: 7 U.S.C. 1a, 2, 6, 6a, 6c, 6d, 6e, 6f, 6g, 6i, 6j, 6k, 6l, 6m, 6n, 7, 7a–2, 7b, 7b– 1, 7b–3, 8, 9, 15, and 21, as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111–203, 124 Stat. 1376. ■ 5. Revise § 38.255 to read as follows: § 38.255 Risk controls for trading. (a) [Reserved] E:\FR\FM\25NOP2.SGM 25NOP2 asabaliauskas on DSK3SPTVN1PROD with PROPOSALS 85394 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules (b) For all Electronic Trading Order Messages that are submitted to a designated contract market through Direct Electronic Access as defined in § 1.3(yyyy) of this chapter, the designated contract market shall make available to the executing futures commission merchants effective systems and controls, reasonably designed to facilitate the items enumerated below: (1) The futures commission merchant’s management of the risks, pursuant to § 1.82(a)(1) and (2) of this chapter, that may arise from such Electronic Trading. (i) Such systems and controls shall include, at a minimum, the pre-trade risk controls described in § 1.82(a)(1) of this chapter. (ii) Such systems shall, at a minimum, enable the futures commission merchant to set the pre-trade risk controls at a level or levels of granularity that will prevent and reduce the potential risk of an Electronic Trading disruption, which shall include as appropriate the level of each customer, product, account number or designation, and one or more identifiers of the natural persons or the order strategy or Algorithmic Trading system associated with an Electronic Trading Order Message. (2) The future commission merchant’s ability to make use of the order cancellation systems required by § 1.82(a)(4) of this chapter. The designated contract market shall enable the future commission merchant to apply such order cancellation systems to orders at a level or levels of granularity that will prevent and reduce the potential risk of an Electronic Trading disruption, which shall include as appropriate orders from each customer, product, account number or designation, or one or more identifiers of the natural persons or the order strategy or Algorithmic Trading system associated with an Electronic Trading Order Message. (c) A designated contract market that permits Direct Electronic Access as defined in § 1.3(yyyy) of this chapter shall also require futures commission merchants to use the systems and controls described in paragraph (b) of this section, or substantially equivalent systems and controls developed by the futures commission merchant itself or provided by a third party, with respect to all Electronic Trading Order Messages not originating with an AT Person that are submitted through Direct Electronic Access. Prior to a futures commission merchants’ use of its own or a third party’s systems and controls, the futures commission merchant must certify to the designated contract market that such systems and controls are substantially VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 equivalent to the systems and controls that the designated contract market makes available pursuant to paragraph (b) of this section. PART 40—PROVISIONS COMMON TO REGISTERED ENTITIES 6. The authority citation for part 40 continues to read as follows: ■ Authority: 7 U.S.C. 1a, 2, 5, 6, 7, 7a, 8 and 12, as amended by Titles VII and VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111–203, 124 Stat. 1376 (2010). §§ 40.13 through 40.19 [Reserved] 7. Add reserved §§ 40.13 through 40.19. ■ 8. Add § 40.20 to read as follows: ■ § 40.20 Risk controls for trading. A designated contract market shall implement pre-trade and other risk controls reasonably designed to prevent and reduce the potential risk of a disruption associated with Electronic Trading (including an Algorithmic Trading Disruption), including at a minimum all of the following: (a) Pre-trade risk controls. Pre-trade risk controls reasonably designed to address the risks from Electronic Trading on a designated contract market. (1) The pre-trade risk controls to be established and used by a designated contract market shall include: (i) Maximum Electronic Trading Order Message frequency per unit time and maximum execution frequency per unit time; and (ii) Order price parameters and maximum order size limits. (2) Designated contract markets must set the pre-trade risk controls at a level or levels of granularity that will prevent and reduce the potential risk of an Electronic Trading disruption, which shall include as appropriate the level of each trading firm, by product or one or more identifiers of the natural persons or the order strategy or Algorithmic Trading system associated with an Electronic Trading Order Message. (3) [Reserved] (b) Order cancellation systems. (1) Order cancellation systems that have the ability to: (i) Immediately disengage Electronic Trading; (ii) Cancel selected or up to all resting orders when system or market conditions require it; (iii) Prevent submission of new Electronic Trading Order Messages; and (iv) Cancel or suspend all resting orders from AT Persons in the event of disconnect with the trading platform. (2) [Reserved] PO 00000 Frm 00062 Fmt 4701 Sfmt 4702 (c) [Reserved] § 40.21 ■ ■ [Reserved] 9. Add reserved § 40.21. 10. Add § 40.22 to read as follows: § 40.22 DCM requirements for AT Persons and executing FCMs; DCM review program. A designated contract market shall comply with the following: (a) Compliance program. Establish a program for effective periodic review and evaluation of AT Persons’ compliance with §§ 1.80 and 1.81 of this chapter and executing futures commission merchant compliance with § 1.82 of this chapter. An effective program shall include measures by the designated contract market reasonably designed to identify and remediate any insufficient mechanisms, policies and procedures, including identification and remediation of any inadequate quantitative settings or calibrations of pre-trade risk controls required of AT Persons pursuant to § 1.80(a) of this chapter; (b) Maintenance of books and records. Implement rules that require each AT Person to keep and provide to the designated contract market books and records regarding such AT Person’s compliance with all requirements pursuant to §§ 1.80 and 1.81 of this chapter, and require each executing futures commission merchant to keep and provide to the designated contract market books and records regarding such executing futures commission merchant’s compliance with all requirements pursuant to § 1.82 of this chapter; and (c) Reporting. Require such periodic reporting from AT Persons and executing futures commission merchants as is necessary to fulfill the designated contract market’s obligations pursuant to paragraph (a) of this section. (d) Annual Certification. Require by rule that AT Persons and executing futures commission merchants provide the designated contract market with an annual certification attesting the AT Person or executing futures commission merchant complies with the requirements of §§ 1.80, 1.81, and 1.82 of this chapter, as applicable. Such annual certification shall be made by the chief compliance officer or chief executive officer of the AT Person or the executing futures commission merchant, and shall state that, to the best of his or her knowledge and reasonable belief, the information contained in the certification is accurate and complete. §§ 40.23 through 40.28 [Reserved] 11. Add reserved §§ 40.23 through 40.28. ■ E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules PART 170—REGISTERED FUTURES ASSOCIATIONS 12. The authority citation for part 170 continues to read as follows: ■ Authority: 7 U.S.C. 6d, 6m, 6p, 6s, 12a, and 21. 13. Add § 170.18 to subpart C to read as follows: ■ § 170.18 AT Persons. Each registrant, as defined in § 1.3(oooo) of this chapter, that is an AT Person, as defined in § 1.3(xxxx) of this chapter, that is not otherwise required to be a member of a futures association that is registered under section 17 of the Act pursuant to §§ 170.15, 170.16, or 170.17 must submit an application for membership in at least one futures association that is registered under section 17 of the Act and that provides for the membership therein of such registrant, unless no such futures association is so registered, within 30 days of such registrant satisfying the volume threshold test set forth in § 1.3(x)(2) of this chapter. Subpart D [Reserved] § 170.19 [Reserved] 14. Add reserved subpart D, consisting of reserved § 170.19. ■ Issued in Washington, DC, on November 7, 2016, by the Commission. Christopher J. Kirkpatrick, Secretary of the Commission. Note: The following appendices will not appear in the Code of Federal Regulations. Appendices to Regulation Automated Trading—Commission Voting Summary, Chairman’s Statement, and Commissioners’ Statements Appendix 1—Commission Voting Summary On this matter, Chairman Massad and Commissioner Bowen voted in the affirmative. Commissioner Giancarlo voted in the negative. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Appendix 2—Statement of Chairman Timothy G. Massad I support this supplemental proposal related to ‘‘Regulation AT,’’ our proposed rule to address the increased use of automated trading in our markets. Automated trading dominates the markets we oversee. More than 70 percent of trading in futures is now automated. And this is not just in financial futures; we see it in physical commodity futures as well. Our markets have fundamentally changed as a result. In just a few years, we have gone from open-outcry pits where floor traders jostled elbow-to-elbow to make trades, to a machine dominated market where a millisecond is considered slow. In fact, the VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 new measure is a microsecond. In the time it would take a trader to hang up the phone and signal a single bid with his hands in the pit, today’s machines can potentially generate thousands of orders. But in another respect, our markets have not changed at all. Farmers, ranchers, manufacturers, exporters—businesses of all types—still depend on them to hedge routine risk and engage in price discovery. Whether it is corn or copper, crude oil or cocoa, equities or Treasuries, Japanese yen or British pounds—businesses need these markets. They need them to function reliably, fairly, and free of manipulation or disruption. If anything has changed, it is that those needs are greater today. Businesses operate worldwide, commodity markets are global, and products are more diverse. Market participants look to us to make sure these markets operate with integrity. So while the landscape has changed dramatically, our mission has stayed the same. I meet with market participants of all types, and I find that traditional end-users, such as those from the agricultural community, are particularly concerned about the effects of automated trading on these markets. It is especially important for us to be able to respond to the concerns of those who are not so-called ‘‘flash boys,’’ and are only moving at human speed. The fact is that our regulations have not kept up with our modern markets. Today’s proposal is a part of what we need to do to keep our regulatory system up-to-date, just as you need updates for your phone’s operating system from time to time. There are other things we need to do to modernize our regulatory oversight and, in particular, to engage in adequate surveillance of modern trading methods. For example, we must continue to enhance our ability to receive and analyze message and other types of data, and cooperation among regulators will become increasingly important given how today’s global markets are linked. This proposal focuses on minimizing the risk of disruption and other problems that can be caused by automated trading, and making sure we have the tools to deal with those problems should they occur. It requires reasonable risk controls, using a principlesbased approach that would codify many industry best practices. But it does not prescribe the parameters or limits of such controls, because we know how diverse market participants can be, and we believe they are the ones who should determine those specifics. It requires testing and monitoring of algorithms. It requires the preservation of source code and other records—the equivalent of the records that those trading at human speed have preserved for years. And it ensures that we would have access to such records when necessary, just as for years we have reviewed the records of non-automated traders. In the last year, we received significant feedback on the proposal that the Commission unanimously approved in November of 2015. And today’s supplemental proposal makes a number of changes to that initial measure. They reflect the helpful suggestions and comments we have received. PO 00000 Frm 00063 Fmt 4701 Sfmt 4702 85395 First, while our original proposal called for risk controls at three levels—the exchange, the futures commission merchant (FCM) and the trading firm—we heard from many respondents that this was redundant and costly. Many instead favored a two-tier structure. Therefore, today’s proposal would require risk controls at the exchange level, and either the trader or FCM level. So for example, a firm could have its own controls—or opt in to the FCM controls, but we would not require both. In addition, we heard from many that the controls should pertain to all electronic trading, not just algorithmic trading. The proposal approved today also makes that change. It also provides greater flexibility regarding the level at which pre-trade risk controls must be set. We also heard that our registration requirement was overly broad. Some claimed it would require thousands of firms to register. Some even argued that we should not require registration at all; we should simply require risk controls. We need a registration requirement to make sure that some of the biggest traders in our markets are following the basic risk controls required by our proposal. But I am willing to have it appropriately tailored to those who are most active in our markets. Today, a small number of traders can represent a large percentage of total trading volume, including during periods of high volatility. For example, the evening after the UK’s vote to exit the European Union, the ten most active firms represented approximately 60 percent of trade activity in British pound futures. This is why our supplemental proposal adds a volumetric test to our registration requirement, so that it pertains to those firms that are doing most of the trading. In addition, this proposal reduces Regulation AT’s reporting requirements, by replacing the annual compliance report with a streamlined annual certification report. Finally, the proposal revises our original proposal on the issue of algorithmic trading source code. I have said many times that I support a rule that respects the proprietary value and confidentiality of source code. At the same time, this information may be critical to understanding what happened in the event of a market disruption or whether someone is complying with the law. This is why preservation of source code, as well as access, is critical. Therefore, this supplemental proposal makes the following changes. First, the proposal requires the Commission itself to make the decision to seek access to source code. No staff member can do so without Commission approval. This is a significant departure from our standard practice, which allows staff to seek access to information that registrants are required to preserve without a subpoena or specific Commission authorization. We have proposed this change in recognition of the concerns raised. The Commission could authorize the staff to seek such access either by means of a subpoena—which is sometimes the means used in the context of an enforcement investigation into behavior that may be unlawful—or a ‘‘special call.’’ The special E:\FR\FM\25NOP2.SGM 25NOP2 85396 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules call is the means our surveillance division has used for many years to obtain and review information in connection with their oversight of trading, and it is issued by the staff. But in this case, we are proposing a process that will require the same level of Commission approval that comes with the issuance of a subpoena, even if it is for surveillance purposes. Our proposal also describes the steps we can take to preserve the confidentiality of source code. Exactly what we would do in any particular situation would depend on the facts, but confidentiality must always be preserved. It could include precautions like reviewing the source code on a computer that is not connected to the internet or any network, and housing that computer in a secure room. Further, employees of the agency are under statutory obligation to keep proprietary information like source code confidential. There are criminal penalties associated with violating that requirement. I would note that we have protected the confidentiality of source code in the past when we have obtained it. Finally, I disagree with the characterization that what we are doing amounts to a ‘‘slippery slope.’’ I would call this an ‘‘uphill climb.’’ Our markets have evolved much faster than our regulatory framework. We are climbing a steep hill to catch up; and to make sure we can always see and understand what is going on in our markets today. We have long engaged in surveillance that involves reviewing information that has significant proprietary value. This may consist of information on trading strategies, including activities in related markets, or information that would go to whether a position truly is a bona fide hedge, such as purchase or supply commitments of related cash commodities, inventory levels, production expectations, and so forth. Much of this information is confidential and proprietary, and so we protect it. Our review of it is not a denial of due process rights, nor is the proposal we have adopted today. We should not have a regulatory regime where those who still trade at human speed are subject to effective surveillance, but those who use machines are not. Our rules should not favor one method over another, and nobody should be able to hide behind their machines. I thank the hardworking CFTC staff for their work on this supplemental proposal and I thank my fellow Commissioners for their consideration. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Appendix 3—Concurring Statement of Commissioner Sharon Y. Bowen Thank you. I’m glad to be here this morning as the Commission considers this supplemental proposal to our rulemaking on Automated Trading. I’ve said several times that I am a firm believer in two things: The need to enhance our rules to ensure that they are appropriately rigorous and protective and to find a rule that works and can be effectively implemented. I am pleased to say that I believe today’s release does both. I commend our staff for their hard work on this proposal. Following significant engagement with a variety of stakeholders, from exchanges and VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 proprietary traders to advocates of financial reform, we are making several important revisions to our proposed rule on automated trading. Of these changes, there are two in particular that I want to flag. First, we are revising our registration regime to better focus our attention and regulations on the firms responsible for substantial amounts of automated trading in our markets. Under this proposal, firms that make use of Direct Electronic Access (DEA) to connect to our markets will not automatically have to register. Instead, only those firms which use DEA and also have an average of 20,000 or more trades each day over a six month period will be required to register.1 It only seems appropriate that the firms responsible for a substantial portion of trades in our markets should have heightened regulatory requirements than small firms only entering a handful of trades a day. While a one-sizefits-all system may work in some cases, I believe it would be unduly burdensome to small firms to require that anyone who uses DEA automatically has to register. By offering a specific threshold for registration, however, it is critical that we pick the right number. I therefore am looking forward to the comments from market participants on whether 20,000 trades per day is the right level, too high, or too low. Given the interest that our previous proposal on registration engendered, I am sure that there will be some spirited debates about just what the proper threshold should be. However, while small firms with small volumes will not be required to register, it is not the case that their trades will be unregulated. In fact, the second major revision of today’s proposal will require that all electronic trading, algorithmic as well as non-algorithmic, will have two separate layers of pre-trade risk controls on it. For those trades originating from an AT Person, both the designated contract market (DCM) and the AT Person will be obligated to place pre-trade risk controls on their electronic trades, with the AT Person having the option of delegating this responsibility to the relevant futures commission merchant (FCM). Meanwhile, any electronic trading from entities other than AT persons will also be subject to two levels of pre-trade risk controls: One level set by the DCM and one by the FCM. As a result, under this proposal, we will be ensuring that every single electronic trade, automated as well as nonautomated, in our markets is subject to two levels of pre-trade risk controls without exception. Given the nearly constant technological innovations and redesigns involving algorithmic trading, I believe having two levels of risk controls is not only the most prudent course of action for our markets, it is also critical protection against a market malfunction harming investors or our broader economy. For those of you worried that automated trading is occurring free of any oversight or regulation, this rule seeks to allay some of those fears. As I have said before, however, this regulation is merely a first cut. Having looked 1 Supplemental Notice of Proposed Rulemaking on Regulation on Automated Trading at II.C.1 and proposed rule § 1.3(x)(2). PO 00000 Frm 00064 Fmt 4701 Sfmt 4702 at this issue for nearly a year, I have some doubts whether we are doing enough to ensure that all market participants, especially end-users in certain markets, are being given a level-playing field at present due to the proliferation of algorithmic trading. I therefore believe that we should consider instituting pilot programs in certain small sections of the market that can test the effects of additional, more substantial restrictions on algorithmic trading on market operations. Please note, I do not believe it is the time to place more rigorous restrictions on algorithmic trading on all the markets we regulate. Instead, I believe only that we should see whether there are some markets where a significant percentage of end-users are interested in establishing greater monitoring and regulation of algorithmic trading. If one or two such markets do exist, then those markets could be candidates for a tailored pilot program to gather data on the effects of algorithmic trading on those markets. We could then gain important insight on the effects of new market dynamics that continue to evolve. If you are an end-user and believe that your market would benefit from such a tailored pilot program, I encourage you to convey that message to the Commission. I had the pleasure of meeting with some members of the National Cattlemen’s Beef Association earlier this year and more recently, who informed me that they believe algorithmic trading is having a substantial impact on livestock markets and that they are interested in gaining more data on how algorithmic trading is influencing livestock prices. I share a desire for more information, both about whether this rule is regarded as being a step in the right direction and about what, if any, effects algorithmic trading is having on our markets. If an observer has an issue with any part of this rule, especially if you feel it is too weak, I sincerely hope you will lay out that concern in detail and let us know how we can improve it. Finally, I want to thank stakeholders, particularly several industry groups, for their engagement with the Commission since we released our proposal. I was very happy to learn that some aspects of this proposal, including the idea of requiring pre-trade risk controls on all electronic trades, were suggested by members of the industry. We have notice and comment requirements for many reasons: Increased transparency, an opportunity for public involvement, and of course to set procedural strictures on the government. But one of the reasons undergirding our system of notice and comment is the idea that regulators do not have all the answers all of the time, and there is a role for market participants to play during the regulatory process. The fact that industry participants were able to devise and endorse a broad regulatory requirement on all automated trading is to be commended. Appendix 4—Dissenting Statement of Commissioner J. Christopher Giancarlo Introduction I have previously said that proposed Regulation Automated Trading (Reg. AT) is a well-meaning attempt by the Commodity Futures Trading Commission (CFTC or E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Commission) to catch up to the digital revolution in U.S. futures markets.1 However, I have also raised some concerns ranging from the prescriptive compliance burdens to the disproportionate impact on small market participants to the regulatory inconsistencies of the proposed rule.2 I have also warned that any public good achieved by the rule is undone by the now notorious source code repository requirement.3 Not surprisingly, dozens of commenters to the proposal echoed my concerns and vehemently opposed the source code requirement. So, here we are again almost a year later to consider a Supplemental Notice of Proposed Rulemaking on Regulation Automated Trading (Supplemental Notice) because proposed Reg. AT missed the mark the first time around.4 This Supplemental Notice does improve proposed Reg. AT in some respects, such as moving from three levels of risk controls to two levels in order to simplify the framework and narrowing the scope of registration so it may not capture smaller market participants. However, the Supplemental Notice does not go far enough. It subjects the source code retention and inspection requirements to the special call process and provides an unworkable compliance process for AT Persons 5 that use software from third-party providers. I proposed several reasonable changes to the Commission and staff in an effort to make the Supplemental Notice workable and less burdensome, while still achieving its objectives. It is disappointing that those changes were not accepted. On a brighter note, the Commission has agreed to extend the comment period from 30 days to 60 days. While a longer comment period may provide some comfort to commenters that they do not have to rush to finish their comment letters over the Thanksgiving holiday, it does nothing to address my substantive issues. I am certain that many commenters will once again echo my concerns. While I could focus on a number of issues with proposed Reg. AT and the Supplemental Notice, I will first concentrate my statement on the source code issue and then the third-party software provider requirements. Thereafter, I will discuss a few other topics, such as the prescriptive nature of the proposal and burdensome reporting requirements. I welcome comments on all these issues and others. 1 Opening Statement of Commissioner J. Christopher Giancarlo before the CFTC Staff Roundtable on Regulation Automated Trading, June 10, 2016, https://www.cftc.gov/PressRoom/ SpeechesTestimony/giancarlostatement061016. 2 Regulation Automated Trading, 80 FR 78824, 78945–48 (Dec. 17, 2015). 3 Id. at 78947. 4 I note that at a time when the CFTC continuously pleads for additional resources, this is an example where the Commission could have saved a lot of time and effort if it spent a little more time up front to craft a sensible proposed Reg. AT. 5 As defined in the Supplemental Notice. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 Source Code Retention and Inspection Requirements No Subpoena Means No Due Process of Law Let me make clear at the outset that the CFTC can today obtain the computer source code of market participants pursuant to a subpoena. Therefore, the issue raised by proposed Reg. AT and this Supplemental Notice is NOT whether the CFTC can examine source code of automated traders where appropriate to investigate suspected market misbehavior. The issue raised by this proposal is whether the owners of source code have any say in the matter. The subpoena process provides property owners with due process of law before the government can seize their property. It protects owners of property—not the government that already has abundant power. It allows property owners an opportunity to challenge the scope, timing and manner of discovery and whether any legal privileges apply to the process of surrendering property to the government. The subpoena process therefore provides a fair compromise between the rights of property owners and the government’s right to seize their property. Without the subpoena process, there is no balance between the civil liberties of the governed and the unlimited power of the government. As a foundation of civil liberties, the subpoena process precedes the American Republic going back to English common law. As a legal principle, it was woven into the Bill of Rights. As a bulwark of modern civil society, it protects the liberty of the governed from the tyranny of the government. The Supplemental Notice before us today, however, would strip owners of intellectual property of due process of law. The CFTC justifies this abridgement of rights with the condition that before the Commission can take source code 6 it will abide by two procedural hurdles—a majority vote of the Commission and the special call process operated by the Division of Market Oversight (DMO).7 This justification entirely misses the point. Abrogating the legal rights of property owners is not assuaged by imposing a few additional procedural burdens on the government agency seizing their property. Source code owners will have lost any say in the matter. The proposal gives unchecked power to the CFTC to decide if, when and how property owners must turn over their source code. Moreover, the special call process provides the CFTC an end-run-around the subpoena process. While the Supplemental Notice states that the CFTC will use the special call 6 I also note my concern with the breadth of the new Algorithmic Trading Source Code definition and invite comment on it. 7 The Supplemental Notice allows the Commission to authorize the Director of DMO to execute the special call and to specify the form and manner in which records shall be produced. DMO’s existing special call process has not operated without operational error or inadvertent disclosure of confidential information. The process should be subject to enhanced checks and balances, procedural controls and greater objectivity in targeting market behavior. PO 00000 Frm 00065 Fmt 4701 Sfmt 4702 85397 process to obtain source code in carrying out its market oversight responsibilities, there is no limit in the proposed rule on DMO staff from sharing source code with staff of the Division of Enforcement. The proposal will allow the Enforcement Division to view source code without bothering with a subpoena. Such sharing of information will likely become routine if this proposal is finalized. No Specific Source Code Protections Commenters have rightly questioned what level of security the CFTC will deploy to safeguard seized source code. In an attempt to assure market participants that their source code will be kept secure, the Supplemental Notice lists the various statutes and regulations that require confidentiality of such information. The proposed rule text also includes a reference to Commodity Exchange Act (CEA) section 8(a), which prohibits the release of trade secrets and other information.8 Yet, these are not new protections. They are in place today. Simply citing them in the preamble and rule text of the Supplemental Notice gives little assurance that the CFTC will safeguard source code. If the agency is determined to protect confidentiality, then it should include specific protections in the rule. For example, the CFTC could provide that it will only review source code at a property owner’s premises or on computers not connected to the Internet. The CFTC could also state that it will return all source code to the property owner once its review is finished. The rule text provides no such assurances. Absent specific measures, it is absurd to suggest that source code will be kept secure. Just look at the area of government cybersecurity. In the six months after the CFTC proposed Reg. AT, hackers breached the computer networks of the Federal Deposit Insurance Corporation and the Federal Reserve.9 Incredibly, the U.S. Office of Personnel Management (OPM) that gave up 21.5 million personnel records in a year-long cyber penetration failed a security audit last November—six months after the breach was discovered.10 In fact, federal, state and local government agencies rank last in cybersecurity when compared against 17 major private industries, including transportation, retail and healthcare.11 87 U.S.C. 12(a); CEA section 8(a). Bo Williams, Criminal Investigation Underway into Banking Regulator Data Breach, The Hill, May 12, 2016, https://thehill.com/policy/ cybersecurity/279752-criminal-investigation-openin-fdic-data-breach; Dustin Volz and Jason Lange, U.S. Lawmakers Probe Fed Cyber Breaches, Cite ‘Serious Concerns’, Reuters, June 3, 2016, https:// t.reuters.com/article/topNews/idUSKCN0YP281. 10 U.S. Office of Pers. Mgmt. Office of the Inspector Gen. Office of Audits, 4A–CI–00–15–011, Federal Information Security Modernization Act Audit FY 2015, Nov. 10, 2015; See also, Jack McCarthy, OIG Finds OPM Still Struggling with Security, Healthcare IT News, Nov. 30, 2015, https:// www.healthcareitnews.com/blog/oig-finds-opmstill-struggling-security (discussing OIG’s findings of OPM’s security protocols six months after a massive data breach). 11 Dustin Volz, U.S. Government Worse than All Major Industries on Cyber Security: Report, Reuters, 9 Katie E:\FR\FM\25NOP2.SGM Continued 25NOP2 85398 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules The CFTC itself has an imperfect record as a guardian of confidential proprietary information.12 If this rule goes forward, the CFTC will make itself a target for a broader group of cyber criminals, including those engaged in commercial espionage. Last Friday, we learned that a former employee of the Office of the Comptroller of the Currency (OCC) downloaded thousands of files from the agency’s servers onto two removable thumb drives without authorization prior to retiring from the agency.13 The OCC said that when it contacted the former employee about those files, he was ‘‘unable to locate or return the thumb drives to the agency.’’ 14 The OCC breach surely sent shivers up the spines of source code owners who received notice that same day of the CFTC’s intention to move forward with the Supplemental Notice. They must have been doubly spooked when the CFTC’s own servers crashed a few hours later due to a denial-of-service attack. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Establishment of Dangerous Regulatory Precedent If the CFTC adopts the source code provisions of the Supplemental Notice, the Securities and Exchange Commission (SEC) will likely copy it and so will other U.S. and overseas regulators—and not just regulators of financial markets.15 Regulators like the Federal Communications Commission may demand source code for Apple’s iPhone. The Federal Trade Commission may seek source code used in the matching engines of Google, Facebook and Snapchat. The National Security Agency may demand to see the source code of Cisco’s switches and Oracle’s servers. The Department of Transportation may demand Uber’s auction technology and Tesla’s driverless steering source code. Where does it end? It certainly will not end on American shores. Overseas regulators will also mimic the rule. The German chancellor has said that she wants her government to examine the source code used in the matching engines of Google and Facebook because she does not like their political coverage of her administration.16 The Chinese government Apr. 14, 2016, https://mobile.reuters.com/article/ idUSKCN0XB27K. 12 See generally Bart Chilton, The Government Can’t be Trusted to Collect Source Code and Other Private Property, Business Insider, Nov. 1, 2016, https://www.businessinsider.com/bart-chiltongovernment-cant-be-trusted-to-collect-source-code2016-11; Gregory Meyer and Philip Stafford, US Regulators Propose Powers to Scrutinise Algo Traders’ Source Code, Financial Times, Dec. 1, 2015, https://www.ft.com/content/137f81bc-944f11e5-b190-291e94b77c8f. 13 Ben Lane, OCC Reveals Major Information Security Breach Involving Former Employee, HousingWire, Oct. 28, 2016, https:// www.housingwire.com/articles/38402-occ-revealsmajor-information-security-breach-involvingformer-employee. 14 Id. 15 Congressman Sean P. Duffy Letter to SEC Chair Mary Jo White, Aug. 10, 2016, https:// modernmarketsinitiative.org/wp-content/uploads/ 2016/08/16.08.10-Automated-Trading-Letter-toSEC.pdf. 16 Article, Angela Merkel wants Facebook and Google’s Secrets Revealed, BBC, Oct. 28, 2016, https://www.bbc.com/news/technology-37798762. VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 has already tried to put in place a rule to obtain the source code of U.S. technology firms.17 If the CFTC adopts this rule, it will make a mockery of the U.S. government’s past attempts to oppose China’s efforts to view proprietary commercial source code.18 It confirms that the CFTC is not on the same page as its own U.S. government counterparts. Undoubtedly, this proposed rule is a reckless step onto a slippery slope. Today, the federal government is coming for the source code of seemingly faceless algorithmic trading firms. Tomorrow, however, governments worldwide may come for the source code underlying the organizing and matching of Americans’ personal information—their snapchats, tweets and instagrams, their online purchases, their choice of reading material and their political and social preferences. Seriously, where will it end? Possible Constitutional Challenge Fortunately, our country’s founders protected Americans against unreasonable searches and seizures and guaranteed them due process of law in the U.S. Constitution. The Supreme Court has routinely and recently upheld these fundamental civil rights. If the CFTC adopts the Supplemental Notice as proposed, its source code seizure provisions may be robustly challenged in federal court. The litigation will consume the agency’s precious, limited resources and its credibility in defending such a dubiously constitutional rule. That will be a sad waste of American taxpayer money. The CFTC justifies its actions based on its need to oversee the growing incidence of algorithmic trading and disruption in the financial markets. Given the relative ease of obtaining an administrative subpoena,19 I disagree with the assertion in the proposal that the special call process is necessary to review source code in association with usual trading events or market disruptions. The subpoena and the proposed special call process both require a Commission vote. One process is therefore not faster than the other. The only difference is that the special call process is an end-run-around the subpoena process and deprives source code owners of due process of law. Third-Party Software Providers If the source code requirements are not bad enough, AT Persons who use third-party algorithmic trading systems and those third17 Eva Dou, U.S., China Discuss Proposed Banking Security Rules, The Wall Street Journal, Feb. 13, 2015, https://www.wsj.com/articles/chinabanking-regulator-considering-source-code-rules1423805889; Shannon Tiezzi, US-China Talk Intellectual Property, Market Access at Trade Dialogue, The Diplomat, Nov. 25, 2015, https:// thediplomat.com/2015/11/us-china-talkintellectual-property-market-access-at-tradedialogue/. 18 Id. Congressmen Scott Garrett and Randy Neugebauer Letter to CFTC Chairman Timothy Massad, Aug. 3, 2016, https:// modernmarketsinitiative.org/wp-content/uploads/ 2016/08/20160802-ESG-RN-Letter-to-CFTC-re-RegAT2.pdf. 19 United States v. Morton Salt Company, 338 U.S. 632 (1950). PO 00000 Frm 00066 Fmt 4701 Sfmt 4702 parties are in for a real treat. Under the Supplemental Notice, AT Persons who use third-party trading systems are liable for turning over the source code of the thirdparty providers. An AT Person has no control over a third party’s source code. And, thirdparties have already said that they will not give out their source code.20 In addition, the Supplemental Notice requires an AT Person who uses a third-party algorithmic trading system to obtain a certification and conduct due diligence to ensure that the third-party is complying with the development and testing requirements in proposed Reg. AT. The AT Person must obtain a new certification each time there is a material change to such third-party’s system. These requirements are infeasible and could harm innovation and intellectual property rights. Participants at the Regulation AT roundtable also found the certification and due diligence suggestion impractical.21 One commenter said it could hurt smaller third-party vendors.22 Another commenter said that AT Persons may not have the necessary expertise to perform due diligence of third-party systems.23 They are correct. The CFTC must revisit these requirements. I invite commenters to propose less burdensome solutions. Other Issues Finally, let me highlight three issues: (1) The prescriptive nature of risk controls and development and testing requirements; (2) burdensome reporting requirements; and (3) the need for a phased-in implementation process. I reassert the issues I raised from proposed Reg. AT last year. I thank the many commenters for responding to those questions and concerns. Prescriptive Nature of Risk Controls and Development and Testing Requirements When proposed Reg. AT was issued, I noted that the CFTC is basically playing catch-up to an industry that has already developed and implemented risk controls and related testing standards for automated trading.24 I supported a principles-based approach to risk controls and testing that built upon, rather than hindered ongoing industry efforts.25 Many commenters to Reg. AT supported such a principles-based approach to risk controls and development and testing requirements and noted that proposed Reg. AT was too prescriptive.26 Commenters supported providing participants’ flexibility to determine which risk controls are needed 20 Trading Technologies, Staff Roundtable, Elements of Proposed Regulation Automated Trading, Transcript, at 250–252, June 10, 2016 (Roundtable Tr.), https://www.cftc.gov/idc/groups/ public/@newsroom/documents/file/ transcript061016.pdf. 21 Id. at 239. 22 Id. 23 Tethys Technology, Roundtable Tr. at 248. 24 80 FR at 78945. 25 Id. at 78946. 26 See, e.g., FIA Comment Letter at 3, 4–5 (Mar. 16, 2016); CME Comment Letter at 6, 7–8 (Mar. 16, 2016); ICE Comment Letter at 10 (Mar. 16, 2016); CTC Comment Letter at 1 (Mar. 15, 2016). E:\FR\FM\25NOP2.SGM 25NOP2 Federal Register / Vol. 81, No. 227 / Friday, November 25, 2016 / Proposed Rules and how those controls are applied and administered based on each participant’s unique risk profile and business situation.27 Commenters also noted that many of the proposed development and testing requirements are not practical and do not reflect how software is customarily developed, tested, deployed and monitored.28 I believe that the marketplace has implemented effective best practices and procedures for risk controls and development and testing of automated trading systems that account for different types of systems and businesses. Reg. AT’s approach is a one-sizefits-all model that does not take into account individual circumstances. For example, the proposed risk controls may not apply to all market participants or at all levels and may have negative unintended consequences.29 The proposed development and testing requirements will require AT Persons to make costly changes to existing business practices and procedures with no material market benefit.30 Once again, I urge the CFTC to adopt a principles-based approach in the final rule so that AT Persons have the necessary flexibility to administer controls and testing based on their trading and risk profiles. asabaliauskas on DSK3SPTVN1PROD with PROPOSALS Still Burdensome Reporting Requirements The Supplemental Notice replaces the requirement in proposed Reg. AT that AT Persons and clearing member futures commission merchants (FCMs) prepare certain annual reports with an annual certification requirement. While that is positive, the Supplemental Notice requires designated contract markets (DCMs) to establish a program for effective periodic review and evaluation of AT Persons’ and FCMs’ compliance with risk controls and other requirements. The Supplemental Notice also retains proposed Reg. AT’s requirement that the DCM must identify and remediate any insufficient mechanisms, policies and procedures, including identification and remediation of any inadequate quantitative settings or calibrations of pre-trade risk controls required of AT Persons. The Supplemental Notice touts the significantly decreased costs and enhanced flexibility to DCMs in designing a compliance program by replacing the annual reports with a certification requirement. I am not so sure that will be the case. The Supplemental Notice does not eliminate the compliance program altogether and replace it with a certification requirement. DCMs must still establish such a program and review and evaluate AT Persons’ and FCMs’ compliance with risk control and other requirements. I 27 See, e.g., FIA Comment Letter at 3 (Mar. 16, 2016); CME Comment Letter at 7–8 (Mar. 16, 2016). 28 See, e.g., FIA Comment Letter at 5 (Mar. 16, 2016); CTC Comment Letter at 12–14 (Mar. 15, 2016). 29 See, e.g., FIA Comment Letter, Attachment A at 24–25 (Mar. 16, 2016). 30 See, e.g., CTC Comment Letter at 12 (Mar. 15, 2016). VerDate Sep<11>2014 19:51 Nov 23, 2016 Jkt 241001 am concerned that this requirement could necessitate DCMs hiring additional staff to conduct periodic reviews with limited benefits for reducing risk. Even more problematic, DCMs are on the hook to identify and remediate any insufficient mechanisms, policies and procedures, including inadequate quantitative settings or calibrations of pretrade risk controls. The Supplemental Notice acknowledges, but dismisses, DCMs’ own concerns that they lack the technical capability to assess whether the quantitative settings or calibrations of AT Persons’ controls are sufficient.31 In my statement on proposed Reg. AT, I suggested a much simpler process of self-assessments like FINRA requires.32 Commenters also suggested similar less burdensome processes.33 I urge the Commission to revisit this provision and provide a more workable solution that does not hold DCMs liable for identifying and remediating inadequate settings of AT Persons. Any Final Rule Must Be Phased-In Proposed Reg. AT and this Supplemental Notice if finalized in their current form will be a huge undertaking for all parties involved. The Futures Industry Association (FIA) estimated that it could take several years to implement.34 In this regard, FIA recommended that the CFTC implement Reg. AT in three separate rules: Pre-trade and other risk controls, policies and procedures regarding development and testing of algorithmic trading systems and registration.35 Other commenters also recommended phased-in rulemakings.36 Reg. AT is a major rulemaking that covers a broad range of automated trading issues. Commenters asserted that the costs of the proposal are substantially higher than estimated by the Commission and provided quantitative estimates to back up their assertions.37 The Supplemental Notice does not do enough to fix the issues with proposed Reg. AT and reduce unnecessary costs on the marketplace. Given the scope of Reg. AT and the cost concerns, I believe the CFTC should at least phase-in the implementation process for any final Reg. AT rulemaking. I invite commenters to provide suggestions on how to do so. 31 CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment Letter at 9–10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 2016); MGEX Comment Letter at 16–17 (Mar. 16, 2016). 32 80 FR at 78947. 33 CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment Letter at 9–10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 2016); MGEX Comment Letter at 16–17 (Mar. 16, 2016). 34 FIA Comment Letter at 11 (Mar. 16, 2016). 35 Id. at Attachment A at 14–15. 36 MGEX Comment Letter at 3 (Mar. 16, 2016); NASDAQ Futures Comment Letter at 2 (Mar. 16, 2016). 37 See, e.g., CME Comment Letter at 5 (Mar. 16, 2016); MFA Comment Letter at 34–35 (Mar. 16, 2016); MGEX Comment Letter at 25–28 (Mar. 16, 2016). PO 00000 Frm 00067 Fmt 4701 Sfmt 9990 85399 Conclusion It has been my general practice as a CFTC commissioner to vote in support of publishing proposed rules for public comment even when I have substantial concerns and issues. That is because on most proposals reasonable people can have differences of opinion. I try to hear a broad range of sensible views before making a final decision. I have also taken this approach because of the enormous respect I have for my two fellow commissioners. It continues to be an honor to serve alongside them. So, it is a disappointment that on this rule I must depart from my preferred practice of voting in favor of proposed rulemakings. Reg. AT is unlike any other rule proposal that I have seen in my time of service. What should be a step forward by the agency in its mission to oversee twenty-first century digital markets is squandered by its giant stumble backwards in undoing Americans’ legal and Constitutional rights. The Commission recommends that we adopt this Supplemental Notice in order to address the growing incidence of algorithmic trading and to determine if algorithms are disrupting financial markets. That is all well and good. Automated trading presents a number of critical challenges to our markets.38 My many meetings with America’s farmers and ranchers have confirmed the importance of enhancing the CFTC’s ability to catch-up to the digital transformation of twenty-first century futures markets.39 Yet, jettisoning the subpoena process does nothing to address the challenge of automated trading given the existing ease and speed of obtaining an administrative subpoena.40 Benjamin Franklin is said to have warned that ‘‘A people that are willing to give up their liberty for temporary security deserve neither—and will lose both.’’ Franklin was right. Reg. AT is a threat to Americans’ liberty AND their security. After twelve score years of ordered freedom, it is a degree turn in the direction of unchecked state authority. If adopted in its present form, it will put out of balance centuries-old rights of the governed against the creeping power of the government. Thus, I have no choice but to vote against this proposal. [FR Doc. 2016–27250 Filed 11–23–16; 8:45 am] BILLING CODE 6351–01–P 38 See Guest Lecture of Commissioner J. Christopher Giancarlo, Harvard Law School, Fidelity Guest Lecture Series on International Finance, Dec. 1, 2015, https://www.cftc.gov/ PressRoom/SpeechesTestimony/opagiancarlo-11. 39 See Address of CFTC Commissioner J. Christopher Giancarlo to the American Enterprise Institute, 21st Century Markets Need 21st Century Regulation, Sept. 21, 2016, https://www.cftc.gov/ PressRoom/SpeechesTestimony/opagiancarlo-17. 40 United States v. Morton Salt Company, 338 U.S. 632 (1950). E:\FR\FM\25NOP2.SGM 25NOP2

Agencies

[Federal Register Volume 81, Number 227 (Friday, November 25, 2016)]
[Proposed Rules]
[Pages 85334-85399]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-27250]



[[Page 85333]]

Vol. 81

Friday,

No. 227

November 25, 2016

Part II





Commodity Futures Trading Commission





-----------------------------------------------------------------------





17 CFR Parts 1, 38, 40, et al.





Regulation Automated Trading; Proposed Rule

Federal Register / Vol. 81 , No. 227 / Friday, November 25, 2016 / 
Proposed Rules

[[Page 85334]]


-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION

17 CFR Parts 1, 38, 40, and 170

RIN 3038-AD52


Regulation Automated Trading

AGENCY: Commodity Futures Trading Commission.

ACTION: Supplemental notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: On December 17, 2015, the Commodity Futures Trading Commission 
(``CFTC'' or ``Commission'') published in the Federal Register a notice 
of proposed rulemaking (``NPRM'') proposing a series of risk controls, 
transparency measures, and other safeguards to enhance the safety and 
soundness of automated trading on all designated contract markets 
(``DCMs'') (collectively, ``Regulation Automated Trading'' or 
``Regulation AT''). Through this supplemental notice of proposed 
rulemaking for Regulation AT (``Supplemental NPRM''), the Commission is 
proposing to modify certain rules set forth in the NPRM. Any new or 
amended rules proposed in this Supplemental NPRM reflect only those 
areas where the Commission believes that additional notice and comment 
may be appropriate before enacting final rules. Procedurally, this 
Supplemental NPRM is not a replacement or withdrawal of rules proposed 
in the NPRM. Unless specifically amended herein, all regulatory text 
proposed in the NPRM remains under active consideration for adoption as 
final rules. The Commission welcomes public comment on all aspects of 
the Supplemental NPRM.

DATES: Comments must be received on or before January 24, 2017.

ADDRESSES: You may submit comments, identified by RIN 3038-AD52, by any 
of the following methods:
     CFTC Web site: https://comments.cftc.gov. Follow the 
instructions for submitting comments through the Comments Online 
process on the Web site.
     Mail: Send to Christopher Kirkpatrick, Secretary of the 
Commission, Commodity Futures Trading Commission, Three Lafayette 
Centre, 1155 21st Street NW., Washington, DC 20581.
     Hand Delivery/Courier: Same as Mail, above.
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
    Please submit comments by only one method. All comments should be 
submitted in English or accompanied by an English translation. Comments 
will be posted as received to https://www.cftc.gov. You should submit 
only information that you wish to make available publicly. If you wish 
the Commission to consider information that may be exempt from 
disclosure under the Freedom of Information Act (``FOIA''), a petition 
for confidential treatment of the exempt information may be submitted 
according to the procedures established in 17 CFR 145.9. The Commission 
reserves the right, but shall have no obligation, to review, prescreen, 
filter, redact, refuse, or remove any or all of your submission from 
https://www.cftc.gov that it may deem to be inappropriate for 
publication, such as obscene language. All submissions that have been 
so treated that contain comments on the merits of the rulemaking will 
be retained in the public comment file and will be considered as 
required under the Administrative Procedure Act and other applicable 
laws, and may be accessible under FOIA.

FOR FURTHER INFORMATION CONTACT: Sebastian Pujol Schott, Associate 
Director, Division of Market Oversight, sps@cftc.gov or 202-418-5641; 
Marilee Dahlman, Special Counsel, Division of Market Oversight, 
mdahlman@cftc.gov or 202-418-5264; Joseph Otchin, Special Counsel, 
Division of Market Oversight, jotchin@cftc.gov or 202-418-5623; Andrew 
Ridenour, Special Counsel, Division of Market Oversight, 
aridenour@cftc.gov or 202-418-5438; Brian Robinson, Special Counsel, 
Division of Market Oversight, CFTC.gov">brobinson@CFTC.gov or 202-418-5385; 
Michael Penick, Economist, Office of the Chief Economist, 
mpenick@cftc.gov or 202-418-5279; Richard Haynes, Economist, Office of 
the Chief Economist, rhaynes@cftc.gov or 202-418-5063; Carlin Metzger, 
Trial Attorney, Division of Enforcement, cmetzger@cftc.gov or 312-596-
0536; or John Dunfee, Assistant General Counsel, Office of General 
Counsel, jdunfee@cftc.gov or 202-418-5396.

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Introduction: The NPRM and Supplemental NPRM for Regulation AT
    A. Basic Structure of Regulation AT: The NPRM and the 
Supplemental NPRM
    B. Opportunities for Public Comment on NPRM Proposals During Two 
Public Comment Periods and Public Staff Roundtable
    C. Overview of Comments Received
II. AT Person Status and Requirements for AT Persons
    A. Overview and Policy Rationale for New Proposal
    B. NPRM Proposal and Comments
    C. Substance of New Proposal
    1. Volume Threshold Test for AT Persons
    2. Registration as a Floor Trader
    3. Anti-Evasion
    4. Registration for Membership With a Registered Futures 
Association
    D. Commission Questions
III. Proposed Definition of DEA
    A. Overview and Policy Rationale for New Proposal
    B. NPRM Proposal and Comments
    C. Substance of New Proposal
    D. Commission Questions
IV. Algorithmic Trading Source Code Retention and Inspection 
Requirements
    A. Overview and Policy Rationale for New Proposal
    B. NPRM Proposal and Comments
    C. Substance of New Proposal
    D. Commission Questions
V. Testing, Monitoring and Recordkeeping Requirements in the Context 
of Third-Party Providers
    A. Overview and Policy Rationale for New Proposal
    B. NPRM Proposal and Comments
    C. Substance of New Proposal
    D. Commission Questions
VI. Changes to Overall Risk Control Framework
    A. Change From Three Level to Two Level Risk Control Framework
    1. Overview and Policy Rationale for Proposal
    2. NPRM Proposal and Comments
    3. Substance of New Proposal
    4. Commission Questions
    B. Electronic Trading at the AT Person, FCM, and DCM Levels
    1. Overview and Policy Rationale for New Proposal
    2. NPRM Proposal and Comments
    3. Substance of New Proposal
    4. Commission Questions
    C. New and Revised Definitions; Change from ``Clearing Member'' 
to ``Executing'' FCMs
    1. Overview and Policy Rationale for New Proposal
    2. NPRM Proposal and Comments
    3. Substance of New Proposal
    4. Commission Questions
    D. AT Person Delegation to FCM
    1. Overview and Policy Rationale for New Proposal
    2. NPRM Proposal and Comments
    3. Substance of New Proposal
    4. Commission Questions
VII. Reporting and Recordkeeping Obligations
    A. Overview and Policy Rationale for New Proposal
    B. NPRM Proposal and Comments
    C. Substance of New Proposal
    D. Commission Questions
VIII. Additional Changes to NPRM Proposed Rules Under Consideration
    A. Commission Questions
IX. Related Matters
    A. Cost-Benefit Considerations
    1. The Statutory Requirement for the Commission To Consider the 
Costs and Benefits of Its Actions
    2. Comments Regarding Costs and Benefits of Regulation AT

[[Page 85335]]

    3. The Commission's Cost-Benefit Consideration of Regulation 
AT--Baseline Point
    4. The Commission's Cost-Benefit Consideration of Regulation 
AT--Cross-Border Effects
    5. Introduction: The NPRM and Supplemental NPRM for Regulation 
AT
    6. Proposed New Definitions and Changes to NPRM Proposed 
Definitions
    7. Requirements for AT Persons
    8. Source Code Retention and Inspection Requirements
    9. Testing, Monitoring and Recordkeeping Requirements in the 
Context of Third-Party Providers
    10. Changes to Overall Risk Control Framework
    11. Reporting, Testing and Recordkeeping Requirements
    12. Section 15(a) Factors
    B. Regulatory Flexibility Act
    1. A Description, and, Where Feasible, an Estimate of the Number 
of Small Entities to Which the Proposed Rules Will Apply.
    2. A Description of the Projected Reporting, Recordkeeping, and 
Other Compliance Requirements of the Rules, Including an Estimate of 
the Classes of Small Entities Which Will Be Subject to the 
Requirements and the Type of Professional Skills Necessary for 
Preparation of the Report or Record.
    C. Paperwork Reduction Act
    1. Sec.  1.3(x)(1)(iii)--Submissions by Newly Registered Floor 
Traders
    2. Sec.  1.80(d) Pre-Trade Risk Controls for AT Persons--
Delegation
    3. Sec.  1.83(a)--AT Person Retention and Production of Books 
and Records
    4. Sec.  1.83(b)--Executing FCM Retention and Production of 
Books and Records
    5. Sec.  1.84--Retention, Production and Confidentiality of 
Algorithmic Trading Records
    6. Sec.  1.85--Third-Party Algorithmic Trading Systems or 
Components
    7. Sec.  38.255(c) Risk Controls for Trading--FCM Certification 
to DCM
    8. Sec.  40.22(a)-(c)--Compliance With DCM Reviews
    9. Sec.  40.22(d) Certification Requirement
    10. Commission Questions

I. Introduction: The NPRM and Supplemental NPRM for Regulation AT

    Regulation Automated Trading is a comprehensive Commission effort 
to reduce risk and increase transparency in algorithmic order 
origination and electronic trade execution on all U.S. futures 
exchanges. The proposed rules, both in the NPRM and the Supplemental 
NPRM, modernize the Commission's regulatory regime, promote the safety 
and soundness of trading on all contract markets, and seek to keep pace 
with evolving technologies. This Supplemental NPRM builds on the 
Commission's December 2015 NPRM for Regulation AT,\1\ and is a 
continuation of the underlying policies and objectives reflected 
therein. The Supplemental NPRM responds to persuasive public comments 
to help ensure appropriate final rules for Regulation AT.\2\
---------------------------------------------------------------------------

    \1\ Regulation Automated Trading, Proposed Rule, 80 FR 78824 
(Dec. 17, 2015) (hereinafter ``NPRM'').
    \2\ Sections I-III of the NPRM provided a fulsome discussion of 
the policy considerations, market events, existing best practices, 
and procedural history that informed the Commission's development of 
Regulation AT. The Commission explained that ``the basic structure 
of [open-outcry trading] remained constant for decades, and produced 
a parallel regulatory framework also premised on natural persons and 
human decision-making speeds.'' See NPRM at 78825. It contrasted 
now-obsolete manual processes against the ``wide array of electronic 
systems for the generation, transmission, management, and execution 
of orders'' used today by DCMs and DCM market participants, 
including high-speed communication networks to confirm transactions, 
communicate market data, and link markets and market participants. 
See id.
    The Commission provided information indicating that over 95% of 
all on-exchange futures trading was electronic by 2014, with many 
exchanges having closed their open-outcry trading pits well before 
then. It also indicated that by 2014, ATSs were present on at least 
one side of almost 80% of trading volume in some asset classes. The 
Commission noted that ``[t]he largely complete transition of DCMs to 
electronic trade matching platforms has occurred alongside an 
equally important shift in the technologies used by market 
participants to place and manage orders.'' These include ATSs, high-
speed communication networks, and the use of direct access and 
colocation services to ``minimize latencies between ATS, market data 
systems, and DCMs' electronic trading platform[s].'' See NPRM at 
78826.
    The Commission explained that ``an overarching goal'' of 
Regulation AT is to update its rules in response to the evolution 
from pit to electronic trading, including by focusing on 
``algorithmic order origination or routing by market participants, 
and electronic trade execution by DCMs.'' It also observed that 
``[m]arket participants using automated trading include an important 
population of proprietary traders that, while responsible for 
significant volume and liquidity in key futures products, are not 
registered with the Commission.'' The Commission emphasized that 
Regulation AT is focused on the ``automation of order generation, 
transmission, and execution, and the risks that may arise from such 
activity.'' It identified ``appropriate pre-trade and other risk 
controls'' as an important element in ``ensur[ing] the integrity of 
Commission-regulated markets'' and fostering market participants' 
confidence in the transactions being executed. See NPRM at 78827-
78828.
    The Commission also summarized the broad array of resources that 
it consulted in preparing the NPRM for Regulation AT, including 
``industry practices, measures taken by other U.S. and foreign 
regulators, and best practices or guidance set forth by other 
informed parties.'' It noted the ``emerging consensus around pre-
trade risk controls for automated trading and supervision standards 
for ATSs.'' Finally, the Commission emphasized that ``Regulation AT 
attempts to balance flexibility in a rapidly changing technological 
landscape with the need for a regulatory baseline that provides a 
robust and sufficiently clear standard for pre-trade risk controls, 
supervision standards, and other safeguards for automated trading 
environments.'' See NPRM at 78828. This Supplemental NPRM continues 
to build on the policy determinations and regulatory objectives set 
forth in the NPRM for Regulation AT.
---------------------------------------------------------------------------

    Procedurally, the Supplemental NPRM is a continuation of the NPRM. 
All rules in the NPRM remain under consideration as originally proposed 
unless specifically modified in the proposed rule text in this 
Supplemental NPRM.\3\ Accordingly, this Supplemental NPRM begins with 
an overview of Regulation AT across the NPRM and the Supplemental NPRM 
(Section I(A)). It continues with a summary of the opportunities for 
public comment provided by the Commission (Section I(B)), and an 
overview of the comments received (Section I(C)). Sections II through 
VII discuss specific proposed rules in the Supplemental NPRM that add 
to, remove, or otherwise amend the Commission's original proposals in 
the NPRM. Sections II through VII also provide a summary of the 
comments and policy considerations that led to the Commission's new or 
amended proposals. Section VIII provides preamble discussion and seeks 
comment regarding additional areas where the Commission's final rules 
for Regulation AT may amend the NPRM. However, such potential 
amendments are not included as proposed regulatory text in this 
Supplemental NPRM. The Commission believes that the further amendments 
under consideration do not impact new parties, create new obligations, 
or otherwise increase burdens. Section IX includes the Commission's 
Paperwork Reduction Act, Regulatory Flexibility Act, and Cost-Benefit 
discussions for the regulatory text proposed herein. Finally, the 
Commission presents the proposed new or modified regulatory text 
following the end of the preamble. Any sections or paragraphs marked as 
``Reserved'' are not addressed in this Supplemental NPRM. The 
provisions proposed for such sections or paragraphs in the NPRM are 
unchanged from that document and remain under active consideration by 
the Commission. (Note, however, that proposed reserved Sec.  1.3(aaaaa) 
is not the subject of either this Supplemental NPRM or the NPRM. That 
definitions paragraph is the subject of another pending unrelated 
Commission rulemaking proposal.) Please note also that the provisions 
proposed in the NPRM for Sec. Sec.  38.401 and 40.1(i), and for 
Appendix B to part 38, are not shown as reserved in this Supplemental 
NPRM for technical reasons. Nonetheless, the provisions proposed in the 
NPRM for those two sections and that appendix are unchanged and remain 
under active consideration by the Commission.
---------------------------------------------------------------------------

    \3\ The Commission's new proposed regulatory text is presented 
in this document following the end of the preamble.

---------------------------------------------------------------------------

[[Page 85336]]

A. Basic Structure of Regulation AT: The NPRM and the Supplemental NPRM

    The basic structure of Regulation Automated Trading is set forth in 
the NPRM, and remains largely intact. However, through this 
Supplemental NPRM, the Commission is proposing certain changes to 
Regulation AT to address comments received in response to the NPRM and 
during a day-long staff roundtable on Regulation AT held in June 2016. 
This Section I(A) provides an overview of Regulation AT by summarizing 
several of the principal changes that the Supplemental NPRM proposes to 
make to the NPRM.
    First, Regulation AT would require pre-trade risk controls and 
other measures for the Algorithmic Trading of AT Person customers in 
order to promote the continued safety and soundness of Commission-
regulated markets. In the NPRM, the Commission proposed placing such 
risk controls at three levels: The AT Person, the FCM and the DCM. Many 
commenters asserted that a three-layer structure could be redundant and 
costly, and some indicated that a two-level structure would be 
preferable. After careful consideration, the Commission is proposing to 
move Regulation AT from a three-level risk control structure to a 
modified two-level structure, with risk controls set at the levels of 
(1) the AT Person \4\ or its FCM; and (2) the DCM. Under the two-level 
structure proposed in the Supplemental NPRM, an AT Person would have 
the option of delegating its pre-trade risk control requirements to an 
FCM rather than implementing its own controls.
---------------------------------------------------------------------------

    \4\ ``AT Person'' is defined in proposed Sec.  1.3(xxxx) of the 
NPRM, and includes existing Commission registrants engaged in 
``Algorithmic Trading'' on a DCM, as well as market participants 
required to register as floor traders pursuant to proposed Sec.  
1.3(x)(3) of the NPRM. Algorithmic Trading is defined in proposed 
Sec.  1.3(zzzz) of the NPRM. Electronic Trading is defined in 
Supplemental NPRM in proposed Sec.  1.3(ddddd).
---------------------------------------------------------------------------

    Second, the NPRM proposed requiring risk controls only with respect 
to the Algorithmic Trading of AT Persons. In contrast, the Supplemental 
NPRM addresses not only Algorithmic Trading, but also Electronic 
Trading at the AT Person, FCM, and DCM levels. The Commission's amended 
proposal is consistent with comments stating that all electronic 
trading--not just the narrower set of Algorithmic Trading--should pass 
through pre-trade risk controls.
    Third, in the NPRM, the Commission proposed requiring that pre-
trade risk controls be set at the level of each AT Person or market 
participant, or other more granular levels as the AT Person, FCM or DCM 
determined appropriate. The Supplemental NPRM responds to comments that 
it may not be efficient or possible for DCMs and FCMs to set controls 
at the level of individual market participants. Accordingly, in the 
Supplemental NPRM, the Commission revises the risk control provisions 
to provide AT Persons, FCMs and DCMs greater flexibility regarding the 
level at which pre-trade controls must be set.
    Fourth, Regulation AT would require the registration of certain 
market participants who are not already registered with the Commission. 
Such market participants would be required to register as ``floor 
traders,'' as defined in the Supplemental NPRM in proposed Sec.  
1.3(x)(1)(iii) (``New Floor Traders''), and would also be required to 
become members of a registered futures association (``RFA''). Together 
with certain existing registrants, New Floor Traders would be 
considered AT Persons and be subject to all relevant requirements of 
Regulation AT. Pursuant to the NPRM, the proposed registration criteria 
for New Floor Traders \5\ were that such persons be engaged in (1) 
proprietary, (2) Algorithmic Trading (3) through Direct Electronic 
Access (``DEA'') on a DCM. The Supplemental NPRM retains these 
requirements but also incorporates a volume-based quantitative test for 
registration as a New Floor Trader. This amendment responds to concerns 
that the NPRM would have imposed registration and its consequent 
obligations on too large a population of market participants. The 
Commission also proposes to apply this same volume-based quantitative 
test to existing registrants and persons otherwise required to register 
with the Commission to determine whether they are AT Persons.\6\
---------------------------------------------------------------------------

    \5\ For purposes of this Supplemental NPRM, registrants under 
Supplemental proposed Sec.  1.3(x)(1)(iii) are deemed ``New Floor 
Traders.''
    \6\ To be considered AT Persons, existing registrants and 
persons otherwise required to register with the Commission must be 
engaged in Algorithmic Trading on our subject to the rules of a DCM. 
Unlike for New Floor Traders, however, direct electronic access is 
not a relevant consideration for existing registrants and persons 
otherwise required to register with the Commission (e.g., FCMs, 
floor brokers, swap dealers, major swap participants, commodity pool 
operators, commodity trading advisors, and introducing brokers).
---------------------------------------------------------------------------

    The Commission estimates that its proposed volume-based criteria 
would result in approximately 120 AT Persons, including some of who are 
already registered with the Commission in some capacity. This stands in 
contrast to some commenters' estimates that the NPRM could have 
required thousands of persons to register. While any volume-based 
metric has limitations, the Commission believes that this is the best 
way to focus the registration-related obligations on the appropriate 
class of persons. This approach, coupled with other changes in the 
Supplemental NPRM regarding the obligations of AT Persons as discussed 
below, also addresses many of the concerns expressed about the NPRM 
registration requirement.
    Fifth, in the NPRM, the Commission proposed requiring that AT 
Persons provide the DCMs on which they operate with annual reports 
containing information on the AT Persons' compliance with requirements 
concerning risk controls. The NPRM further would have required DCMs to 
establish a program for effective review and evaluation of the reports. 
The Commission received comments that the proposed reporting 
requirements were overly burdensome and would provide little benefit in 
mitigating the risks of Algorithmic Trading. In the Supplemental NPRM, 
the Commission proposes replacing the annual compliance report 
requirement for AT Persons with a streamlined annual certification 
requirement. The Commission also proposes to retain certain 
recordkeeping requirements, as well as the requirement that DCMs 
establish a program for effective periodic review and evaluation of AT 
Persons' compliance with elements of Regulation AT. Similarly, the NPRM 
imposed annual reporting requirements on FCMs and required DCMs to 
review these reports. The Supplemental NPRM also replaces the annual 
reporting obligations for FCMs with a certification requirement, and 
also retains the requirement that FCMs maintain certain records. As 
with AT Persons, the Supplemental NPRM requires DCMs to establish a 
program for effective periodic review and evaluation of FCMs' 
compliance with Regulation AT.
    Sixth, Regulation AT requires that algorithmic trading source code 
be preserved and made available to the Commission when necessary.\7\ 
The NPRM required that AT Persons maintain a ``source code repository'' 
and make it available for inspection in accordance with the 
Commission's general recordkeeping requirements. These provisions 
provoked extensive

[[Page 85337]]

comments. Notably, commenters may have misunderstood the Commission's 
intent, which was never to require that all source code to be provided 
routinely to a Commission or third-party repository. The Supplemental 
NPRM acknowledges the concerns regarding the confidentiality and 
proprietary value of Algorithmic Trading Source Code and revises these 
provisions extensively. While Algorithmic Trading Source Code and 
related records are still required to be preserved, they are not 
subject to the Commission's general recordkeeping provisions. Instead, 
preservation and access obligations are set forth in new provisions in 
the Supplemental NPRM that reflect market participants' concerns. The 
Supplemental NPRM provides that the Commission would have access to 
Algorithmic Trading Source Code and related records only via a subpoena 
or a special call approved by the Commission itself, not by staff, and 
that any such access would be subject to policies and procedures to 
protect confidentiality.
---------------------------------------------------------------------------

    \7\ ``Algorithmic Trading Source Code'' is defined in 
Supplemental proposed Sec.  1.3(ccccc). The Commission notes that 
source code was not defined in the NPRM. In this Supplemental NPRM, 
the Commission uses ``source code'' in connection with its proposal 
in the NPRM, and uses the term ``Algorithmic Trading Source Code'' 
when referring to Supplemental proposed Sec.  1.3(ccccc).
---------------------------------------------------------------------------

    Seventh, the Supplemental NPRM discusses a number of changes to 
certain defined terms proposed in the NPRM, as well as other provisions 
that the Commission is considering in response to comments from market 
participants. These include limiting the scope of ``Algorithmic Trading 
Compliance Issue,'' ``Algorithmic Trading Disruption,'' and 
``Algorithmic Trading Event.''
    Eighth, Regulation AT includes a number of additional rules focused 
specifically on DCMs. As reflected in the NPRM, these proposals 
include: (1) Greater transparency around DCMs' electronic trade 
matching platforms and (2) promoting the use of self-trade prevention 
tools.\8\ The Commission is contemplating deferring further 
consideration of such provisions to a second phase of rules to be 
finalized at a later date. The Commission seeks comments regarding 
deferral of these two provisions to a later date.
---------------------------------------------------------------------------

    \8\ The NPRM proposed amendments to existing Sec.  38.255, to 
require DCMs to have in place systems reasonably designed to 
facilitate the FCM's management of the risks that may arise from 
their customers' Algorithmic Trading using DEA. Regulation AT would 
also amend existing Sec.  38.401(a) to require DCMs to provide 
additional public disclosure regarding their electronic matching 
platforms. In part 40, the NPRM proposed the following new 
regulations: Sec.  40.20--requiring DCMs to implement pre-trade risk 
controls and other related measures; Sec.  40.21--requiring DCMs to 
provide a test environment to AT Persons; Sec.  40.22--requiring 
DCMs to implement a review program for compliance reports regarding 
Algorithmic Trading submitted by AT Persons and clearing member 
FCMs, require that certain books and records be maintained by such 
persons, and review such books and records as necessary; Sec.  
40.23--requiring DCMs to implement self-trade prevention tools, 
mandate their use, and publish statistics concerning self-trading; 
and Sec. Sec.  40.25-40.28--requiring DCMs to provide disclosure and 
implement other controls regarding their market maker and trading 
incentive programs. Regulation AT would amend the definition of 
``rule'' in Sec.  40.1(i) in response to certain of the changes 
proposed above.
---------------------------------------------------------------------------

    Finally, specific regulatory provisions addressed in the 
Supplemental NPRM include a number of new or revised defined terms, 
such as revised Sec.  1.3(x)--Floor trader; revised Sec.  1.3(wwww)--AT 
Order Message; revised Sec.  1.3(xxxx)--AT Person; revised Sec.  
1.3(yyyy)--Direct Electronic Access; new Sec.  1.3(ddddd)--Electronic 
Trading; new Sec.  1.3(bbbbb)--Electronic Trading Order Message; and 
new Sec.  1.3(ccccc)--Algorithmic Trading Source Code. Other new or 
revised regulatory provisions include: (1) New Sec.  1.80(d)--
Delegation of pre-trade risk controls by AT Persons; (2) new Sec.  
1.80(g) --AT Persons' pre-trade risk controls for Electronic Trading; 
(3) revised Sec.  1.81--Standards for the development, monitoring, and 
compliance of Algorithmic Trading systems; (4) revised Sec.  1.82--FCM 
pre-trade risk controls and other related measures for orders from 
their AT Person customers; (5) revised Sec.  1.83--AT Person and 
executing FCM recordkeeping; (6) new Sec.  1.84--Maintenance of 
Algorithmic Trading Source Code and related records; (7) new Sec.  
1.85--Use of third-party Algorithmic Trading systems or components; \9\ 
(8) revised Sec. Sec.  38.255 and 40.20--Risk controls for trading; (9) 
revised Sec.  40.22--DCM requirements for AT Persons and executing 
FCMs, and DCM review program; and (10) revised Sec.  170.18--AT Person 
registration for membership in at least one ``RFA''.
---------------------------------------------------------------------------

    \9\ Including, for example, options for complying with elements 
of NPRM Sec.  1.81--``Standards for the development, monitoring, and 
compliance of Algorithmic Trading systems.'' See Section V below.
---------------------------------------------------------------------------

    This Supplemental NPRM modifies some, but not all, of the NPRM. 
Where this Supplemental NPRM proposes rule text in full, such text 
replaces what was proposed in the NPRM. With the exceptions noted in 
this paragraph, where this Supplemental NPRM reserves a section or 
paragraph for which provisions were proposed in the NPRM, the 
previously proposed provisions of such section or paragraph remain 
unchanged from the NPRM and continue to be under active consideration 
by the Commission. For technical reasons, Sec. Sec.  38.401 and 
40.1(i), and Appendix B to part 38, are not shown as reserved in this 
Supplemental NPRM; however, the amended provisions proposed for those 
sections and that appendix in the NPRM also remain unchanged and under 
active consideration. (Please note that proposed reserved Sec.  
1.3(aaaaa) is not the subject of either this Supplemental NPRM or the 
NPRM. That definitions paragraph is the subject of another pending 
unrelated Commission rulemaking proposal.)

B. Opportunities for Public Comment on NPRM Proposals During Two Public 
Comment Periods and Public Staff Roundtable

    In response to the NPRM, the Commission received 54 comment letters 
from an array of market participants, exchanges, industry trade 
associations, public interest organizations, and others.\10\ During the 
initial comment period, Commission staff also met in person and via 
telephone with interested parties who requested meetings. Market 
participants and other interested parties were also provided extensive 
opportunities to comment on the Commission's 2013 Concept Release on 
Risk Controls and

[[Page 85338]]

System Safeguards for Automated Trading Environments (``Concept 
Release''), which included an initial 90-day comment period and a 
subsequent three-week comment period in conjunction with a public 
meeting of the Commission's Technology Advisory Committee.\11\ The 
Concept Release and comments thereto helped inform a number of the 
proposals reflected in Regulation AT.
---------------------------------------------------------------------------

    \10\ During the 90-day comment period following the Commission's 
issuance of the NPRM, the Commission received comment letters from: 
Aesthetic Integration Ltd. (``AI''); Allen, Theo (``Allen''); 
Alternative Investment Management Association (``AIMA''); American 
Gas Association (``AGA''); Americans for Financial Reform (``AFR''); 
Anonymous (non-responsive comment); Asset Management Group of the 
Securities Industry and Financial Markets Association (``SIFMA''); 
National Introducing Broker Association (``NIBA''); Barnard, Chris 
(``Barnard''); Better Markets Inc. (``Better Markets''); Bloomberg 
Tradebook LLC (``Bloomberg''); CBOE Futures Exchange, LLC 
(``CBOE''); Citadel LLC (``Citadel''); CME Group Inc. (``CME''); 
Commercial Energy Working Group and Commodity Markets Council 
(collectively, the ``Commercial Alliance''); Committee on Capital 
Markets Regulation (``CCMR''); Cordova, Alex (``Cordova''); CTC 
Trading Group, L.L.C. (``CTC''); Futures Industry Association 
(``FIA''); Hudson River Trading LLC (``Hudson Trading''); 
Information Technology Industry Council and U.S. Chamber of Commerce 
(``ITI and Commerce''); Institute for Agriculture and Trade Policy 
(``IATP''); Intercontinental Exchange, Inc. (``ICE''); International 
Energy Credit Association (``IECA''); International Swaps and 
Derivatives Association, Inc. (``ISDA''); Investment Adviser 
Association (``IAA''); LCHF Capital Management, Inc. (``LCHF''); 
Lelli, Carmen (``Lelli''); Leuchtkafer, RT (``Leuchtkafer''); 
Managed Funds Association (``MFA''); Mercatus Center at George Mason 
University (``Mercatus''); Minneapolis Grain Exchange, Inc. 
(``MGEX''); Modern Markets Initiative (``MMI''); NASDAQ Futures, 
Inc. (``NASDAQ''); National Grain and Feed Association (``NGFA''); 
Nodal Exchange, LLC (``Nodal''); North American Derivatives 
Exchange, Inc. (``Nadex''); Olam International Limited (``Olam''); 
OneChicago, LLC (``OneChicago''); Quantitative Investment 
Management, LLC (``QIM''); Schwartz, Peter (``Schwartz''); Shatto, 
Suzanne (``Shatto''); Summers, Neil (``Summers''); TraderServe 
Limited (``TraderServe''); Trading Technologies International, Inc. 
(``TT''); trueEX LLC (``trueEX''); Two Sigma Investments, LP (``Two 
Sigma''); Virtu Financial, Inc. (``Virtu''); Weaver, Jack 
(``Weaver''); and XTX Markets Limited (``XTX'').
    \11\ Concept Release on Risk Controls and System Safeguards for 
Automated Trading Environments, 78 FR 56542 (Sept. 12, 2013); 
Reopening of Comment Period, 79 FR 4104 (Jan. 24, 2014).
---------------------------------------------------------------------------

    Comments received during the initial comment period described above 
helped to identify areas that warranted further consideration by staff. 
Accordingly, on June 10, 2016, Commission staff held a public 
roundtable (``Roundtable'') to discuss certain elements of the NPRM. 
The topics discussed at the Roundtable included (1) the definition of 
DEA; (2) quantitative measures to establish the population of AT 
Persons; (3) alternatives to imposing pre-trade risk controls and 
development, testing, and monitoring standards on AT Persons; (4) AT 
Persons' compliance with elements of the proposed rules when using 
third-party algorithms or systems; and (5) Algorithmic Trading Source 
Code access and retention. The Roundtable included representatives from 
a broad cross-section of entities potentially impacted by Regulation 
AT.\12\ A transcript of the Roundtable proceedings is available on the 
Commission's Web site at CFTC.gov.\13\ In connection with the staff 
Roundtable, the Commission reopened the comment period for elements of 
Regulation AT for an additional two weeks. The Commission received an 
additional 19 comment letters during the reopened comment period.\14\
---------------------------------------------------------------------------

    \12\ The participants at the Roundtable included CME; Deutsche 
Bank; ICE; QIM; Tethys Technology (``Tethys''); Virtu; OneChicago; 
European Securities and Markets Authority (``ESMA''); ABN AMRO 
Clearing Chicago LLC (``ABN AMRO''); AFR; Shell Energy North America 
(U.S.), L.P. (``Shell''); Hartree Partners (``Hartree''); J.P. 
Morgan; KCG Holdings (``KCG''); AQR Capital Management (``AQR''); 
TT; Optiver US LLC (``Optiver''); and Hudson Trading.
    \13\ See https://www.cftc.gov/PressRoom/Events/opaevent_cftcstaff061016.
    \14\ In response to the NPRM, the Commission received: (i) 
Written comments submitted during the initial 90 day comment period 
(``Initial Comment Period''); comments by Roundtable participants; 
and (iii) written comments submitted during the reopened comment 
period (``Second Comment Period''). Some commenters submitted 
multiple comments. Accordingly, this Supplemental NPRM identifies 
Roundtable comments with a Roman numeral ``II'' and Second Comment 
Period comments with a Roman numeral ``III.'' For example, CME's 
comments are identified as CME (its Initial Comment Period comment 
letter); CME II (its Roundtable comments); and CME III (its Second 
Comment Period comment letter). During the Second Comment Period, 
the Commission received comment letters from: AIMA; Chilton, Bart; 
Better Markets; the Chamber of Commerce (together with ISDA, FIA and 
others); CME; Commercial Alliance; an industry group consisting of 
FIA, FIA Principal Traders Group, MFA, ISDA, and SIFMA Asset 
Management Group (collectively, the ``Industry Group''); Hartree; 
Hudson Trading; ICE; KCG; MFA; MGEX; Milliman Financial Risk 
Management LLC (``Milliman''); MMI; Nadex; QIM, Schwartz; and TT.
---------------------------------------------------------------------------

C. Overview of Comments Received

    The comments that the Commission received in written letters and at 
the Roundtable addressed a range of matters in Regulation AT. For 
purposes of this Supplemental NPRM, the Commission is focusing solely 
on comments related to new or amended rules proposed herein.\15\ For 
example, several commenters suggested that the proposed rules could 
impact a larger number of market participants (including new and 
existing Commission registrants) than would be appropriate or than the 
Commission estimated in the NPRM.\16\ The Commission found these 
comments persuasive, as a result of which it developed the volume-based 
quantitative test for AT Persons described in Section II below and 
reflected in Supplemental proposed Sec.  1.3(x)(2) (the ``volume 
threshold test''). Some commenters also expressed concern regarding the 
NPRM's proposal to require risk controls for Algorithmic Trading at 
three levels (i.e., at the DCM, FCM and AT Person levels).\17\ Although 
most saw value in pre-trade risk controls administered by DCMs, some 
commenters encouraged the Commission to limit any further risk control 
requirements to either AT Persons or FCMs, but not both. After careful 
consideration, the Commission is proposing the hybrid two-level risk 
control structure in which the first level would be at the level of the 
AT Person or FCM, as reflected in Supplemental proposed Sec. Sec.  
1.80(d) and (g), 1.82, and 1.3(xxxx)(2).\18\
---------------------------------------------------------------------------

    \15\ The preamble to any final rules that the Commission may 
adopt for Regulation AT would provide a more complete summary of all 
comments received, including in response to the NPRM.
    \16\ E.g., CME A-7; ICE 6; MFA 34; Nadex 1-2.
    \17\ FIA 5; CME 6, A-14; ICE 5; MFA 4-5; Nadex 3; SIFMA 20; NIBA 
1-2.
    \18\ As explained in Sections II and VI below, these provisions 
would establish a framework where FCMs act as one of two pre-trade 
risk control layers for all electronic trading not originating with 
an AT Person (see Supplemental proposed Sec.  1.82). AT Persons 
would remain responsible for their own pre-trade risk controls in 
lieu of any FCM (see NPRM proposed Sec.  1.80). However, the 
Supplemental NPRM provides additional flexibility by permitting AT 
Persons to delegate their pre-trade risk control functions to an 
FCM, while retaining legal responsibility for such controls (see 
Supplemental proposed Sec.  1.80(d) and (g)). The Supplemental NPRM 
would also permit a non-AT Person to administer its own pre-trade 
risk controls if it so desired by voluntarily assuming AT Person 
status pursuant to Supplemental proposed Sec.  1.3(xxxx)(2).
---------------------------------------------------------------------------

    A significant source of discussion in response to the NPRM focused 
on the source code provisions in NPRM proposed Sec.  1.81(a)(vi). 
Commenters raised confidentiality, intellectual property, and 
information security as primary concerns. Many recommended that 
registrants' source code should be available to the Commission only 
through subpoena.\19\ Some commenters also noted that source code by 
itself may be of limited value to the Commission, and noted the 
importance of records such as log files in understanding the market 
behavior of an ATS.
---------------------------------------------------------------------------

    \19\ E.g., AIMA 10-11; Barnard 2; Citadel 2; FIA 48; Hudson 
Trading 3; ICE 7; ISDA 6; MFA 23; MGEX 24-25; MMI 5; Commercial 
Alliance 12; QIM 5; TraderServe 1; TT 7; Two Sigma 4-5.
---------------------------------------------------------------------------

    The Commission is sensitive to commenters' confidentiality and 
information security concerns as summarized above and in Section IV of 
this Supplemental NPRM. As explained above, the Commission believes 
that its intent with respect to source code was misunderstood. 
Specifically, the Commission did not intend for a source code 
repository be maintained at the Commission or with third-parties. 
However, the Commission also emphasizes that preservation of source 
code, and Commission access to such source code, is vital. 
Recordkeeping and access to records are and have always been central to 
the Commodity Exchange Act's (``Act'' or ``CEA'') statutory framework 
for regulated derivatives markets. Further, as a civil law enforcement 
agency, the Commission already handles sensitive, proprietary and trade 
secret information on a daily basis under strict retention and use 
requirements. Cybersecurity and the protection of confidential 
information are a top priority for the Commission, and all current and 
former CFTC employees are prohibited by 17 CFR 140.735-5 from 
disclosing confidential or non-public commercial, economic or official 
information.
    Through this Supplemental NPRM, the Commission seeks to balance 
commenters' concerns against its legitimate regulatory interest in 
ensuring that the Algorithmic Trading Source Code that is often 
essential for transacting in modern electronic markets is preserved and 
is available to the Commission when necessary. Source code related 
provisions are now reflected in a new Supplemental proposed Sec.  1.84, 
which provides that any CFTC access to Algorithmic Trading Source Code 
must be authorized by the Commission itself through either the part 11 
subpoena process or through a

[[Page 85339]]

new ``special call'' process set forth in the proposal. Supplemental 
proposed Sec.  1.84 also addresses records required to be maintained, 
confidentiality protections, and the time period for which records must 
be maintained. Supplemental proposed Sec.  1.84 would replace NPRM 
proposed Sec.  1.81(a)(vi) in its entirety.
    Other amendments in the Supplemental NPRM address commenters' 
concerns regarding the proposed definition of DEA, AT Persons' 
compliance with rules when using third-party providers for their 
Algorithmic Trading technology, and other areas. With respect to third-
party providers, for example, the Commission is adding Supplemental 
proposed Sec.  1.85, which would permit AT Persons to rely on 
certifications from their third-party providers to meet certain 
requirements in Regulation AT. Such certifications would be permitted 
primarily with respect to NPRM proposed Sec.  1.81(a), which requires 
AT Persons to follow certain standards in the development and testing 
of their ATSs.
    Comments received in response to specific proposals in the NPRM are 
discussed in greater detail below.

II. AT Person Status and Requirements for AT Persons

A. Overview and Policy Rationale for New Proposal

    The proposed rules in Regulation AT apply in large part to market 
participants who meet the requirements to be an ``AT Person'' as 
defined in NPRM proposed Sec.  1.3(xxxx).\20\ AT Persons include 
existing Commission registrants engaged in Algorithmic Trading,\21\ as 
well as certain unregistered market participants who would be required 
to register as New Floor Traders pursuant to NPRM proposed Sec.  
1.3(x)(1)(iii). Registration criteria proposed in NPRM Sec.  
1.3(x)(1)(iii) for currently unregistered market participants include 
that such market participant be engaged in: (1) Proprietary (2) 
Algorithmic Trading (3) through DEA on a DCM. In the NPRM, the 
Commission preliminarily determined that these criteria could function 
as ``filters'' on the population of AT Persons, and therefore on the 
overall scope of the proposed rules. The Commission estimated that this 
definition would result in a total of 420 potential AT Persons, and 
believed that this would represent the top end of the range of AT 
Persons. The Commission based its proposal, in part, on the view that 
proprietary trading, DEA, and Algorithmic Trading together could 
appropriately identify those market participants, including new and 
existing registrants, that any rulemaking should encompass to 
effectively address risks associated with Algorithmic Trading.
---------------------------------------------------------------------------

    \20\ In addition to AT Persons, Regulation AT also includes 
requirements for FCMs, DCMs, and RFAs.
    \21\ Algorithmic Trading is defined in NPRM proposed Sec.  
1.3(zzzz) to mean trading in any commodity interest as defined in 
paragraph (yy) of this section on or subject to the rules of a 
designated contract market, where: (1) One or more computer 
algorithms or systems determines whether to initiate, modify, or 
cancel an order, or otherwise makes determinations with respect to 
an order, including but not limited to: The product to be traded; 
the venue where the order will be placed; the type of order to be 
placed; the timing of the order; whether to place the order; the 
sequencing of the order in relation to other orders; the price of 
the order; the quantity of the order; the partition of the order 
into smaller components for submission; the number of orders to be 
placed; or how to manage the order after submission; and (2) Such 
order, modification or order cancellation is electronically 
submitted for processing on or subject to the rules of a designated 
contract market; provided, however, that Algorithmic Trading does 
not include an order, modification, or order cancellation whose 
every parameter or attribute is manually entered into a front-end 
system by a natural person, with no further discretion by any 
computer system or algorithm, prior to its electronic submission for 
processing on or subject to the rules of a designated contract 
market.
---------------------------------------------------------------------------

    The Commission's estimates notwithstanding, a number of commenters 
have opined that the NPRM would capture substantially more than 420 AT 
Persons. Commenters indicated that DEA is a widespread practice, 
including potentially among proprietary retail market participants. 
Some commenters also suggested that the Commission's proposed 
definition of Algorithmic Trading may be of limited value in filtering 
the number of AT Persons because, for example, it incorporates certain 
automated order routing systems (``AORSs''). At one end of the comment 
spectrum, several commenters stated that AT Persons could number in the 
thousands.\22\
---------------------------------------------------------------------------

    \22\ See, e.g., MFA 6, 12-13 (indicating that potentially 
thousands of market participants would be subject to Regulation AT); 
Nadex 1-2 (indicating that estimated number of affected participants 
would be significantly higher than 100, potentially in the 
thousands); FIA 91 (stating that ``DCMs will be flooded by hundreds, 
if not thousands, of annual reports'' pursuant to NPRM proposed 
Sec. Sec.  1.83 and 40.22); CME A-7 (indicating that the DEA 
definition would capture trading activity of thousands of firms).
---------------------------------------------------------------------------

    The Commission has carefully considered all comments regarding the 
number of potential AT Persons pursuant to the proposed rules, 
particularly those comments indicating that the NPRM's defined terms 
and other elements may not successfully filter the scope of the rules. 
The Commission is therefore proposing in this Supplemental NPRM the 
addition of a volume threshold test to the definition of AT Person. In 
doing so, the Commission has also considered comments that any volume 
of trading potentially could pose risks. However, status as an AT 
Person involves compliance costs due to Regulation AT risk control, 
testing, recordkeeping and other requirements, and accordingly the 
Commission has determined that, at this time, it is appropriate to 
limit the population of AT Persons to larger market participants, 
including those responsible for significant trading volumes and 
liquidity in CFTC-regulated markets. The Commission emphasizes that its 
proposed framework requires FCMs to act as one of two pre-trade risk 
control layers for all Electronic Trading not originating with an AT 
Person (see Supplemental proposed Sec.  1.82). Accordingly, the 
proposed risk control framework is not limited to the trading of AT 
Persons who satisfy a quantitative threshold (i.e., the volume 
threshold test described in Section II below).
    The Commission emphasizes, as stated above, that Regulation AT is 
not intended to capture large swaths of new or existing registrants. 
The focus on Algorithmic Trading and DEA, among other criteria, 
reflects the Commission's interest in sophisticated market participants 
that can bring significant human capital, information technology, or 
other resources to bear on trading in modern markets. The definition of 
AT Person in Regulation AT is centered on larger market participants, 
including, those ``responsible for significant trading volumes and 
liquidity.'' \23\ Such market participants include existing Commission 
registrants, and an important population of proprietary traders who 
heretofore have remained outside of the Commission's registration 
regime. The Commission has determined to address both sets of market 
participants through a straightforward test for potential AT Persons 
that measures all market participants' presence on DCMs: Total trading 
volume for all products across all DCMs, as described below.
---------------------------------------------------------------------------

    \23\ See NPRM at 78827.
---------------------------------------------------------------------------

    Taking these considerations into account, the Commission has 
determined that a quantitative volume threshold test is best suited to 
identifying larger market participants who should be brought within the 
Commission's regulatory purview. To that end, the Commission is 
proposing a new approach that includes quantitative metrics based on a 
market participant's average daily trading volume across all products. 
Specifically,

[[Page 85340]]

the Commission is proposing a volume threshold of 20,000 contracts 
traded on average per day, including for a firm's own account, the 
accounts of customers, or both, over a six month period. The Commission 
believes that this approach will facilitate the identification of AT 
Persons through the use of clear, numerical standards that can be 
calculated easily by market participants and are verifiable in the 
Commission's data. The Commission further believes that the proposed 
volume threshold test is an appropriate vehicle to define the scope of 
AT Persons, in combination with the proposed definition of Algorithmic 
Trading and the proposed amended definition of DEA.\24\ As discussed 
below, the Commission also considered a variety of quantitative 
thresholds in formulating the Supplemental NPRM proposal, including 
order related measurements and frequency metrics.
---------------------------------------------------------------------------

    \24\ The Commission also considered alternatives based on 
defined terms such as ``DEA'' and ``Algorithmic Trading'' that also 
serve to define the scope of AT Persons. The Supplemental NPRM 
proposes revisions to the definition of DEA based on public comments 
that the NPRM proposed definition was ambiguous, but does not 
propose amendments to the definition of Algorithmic Trading. The 
Commission believes the volume-based approach proposed herein is a 
better option as it is based on verifiable and easily observed data 
regarding the trading volumes of all market participants on DCMs.
---------------------------------------------------------------------------

B. NPRM Proposal and Comments

    The term ``AT Person,'' as defined in the NPRM, involves several 
interrelated terms, including AT Person, floor trader, DEA, and 
Algorithmic Trading. The definitions proposed in the NPRM for each of 
those terms are discussed below, and changes thereto are noted where 
applicable.
    AT Person. The NPRM proposed to define AT Person as an existing 
Commission registrant that engages in Algorithmic Trading on or subject 
to the rules of a DCM, or a New Floor Trader. In this Supplemental 
NPRM, the Commission is proposing an additional requirement for AT 
Person status: A volume threshold test, as described in Section II(C) 
below. In addition, as discussed below in Section VI(D)(3)(c), the 
Commission is also proposing to permit market participants to 
voluntarily elect AT Person status.\25\
---------------------------------------------------------------------------

    \25\ See Supplemental proposed Sec.  1.3(xxxx)(2). The 
Commission is providing flexibility so that non-AT Person market 
participants can administer their own pre-trade risk controls in 
lieu of controls that its FCM must otherwise impose. Such market 
participants must register as New Floor Traders and comply with 
obligations imposed on AT Persons.
---------------------------------------------------------------------------

    The defined term ``AT Person'' remains central to the structure of 
the proposed rules. Regulation AT defines the term ``AT Person'' in 
order to identify which entities are subject to the proposed 
regulations addressing trading firms' management of the risks 
associated with automated trading. These regulations include, for 
example, pre-trade and other risk controls on the orders initiated by 
the trading firm, and standards for the development, testing and 
supervision of ATSs. The definition of AT Person under NPRM proposed 
Sec.  1.3(xxxx) lists those persons or entities that may be considered 
an AT Person, namely (1) persons registered or required to be 
registered as FCMs, floor brokers, swap dealers (``SDs''), major swap 
participants (``MSPs''), commodity pool operators (``CPOs''), commodity 
trading advisors (``CTAs''), or introducing brokers (``IBs'') that 
engage in Algorithmic Trading on or subject to the rules of a DCM; or 
(2) persons registered or required to be registered as floor traders as 
defined in Sec.  1.3(1)(iii).\26\
---------------------------------------------------------------------------

    \26\ In the NPRM, the Commission proposed amending the 
definition of ``floor trader'' in existing Sec.  1.3(x) to 
facilitate the registration of proprietary traders using DEA for 
Algorithmic Trading on a DCM. The NPRM proposed requiring such 
persons (i.e., New Floor Traders) to register as floor traders, 
assuming they were not already registered or required to register 
with the Commission in another capacity.
---------------------------------------------------------------------------

    Direct Electronic Access. Through this Supplemental NPRM, the 
Commission is proposing to amend the definition of DEA originally 
proposed in the NPRM. In the NPRM, the Commission proposed a new Sec.  
1.3(yyyy) that defined DEA as an arrangement where a person 
electronically transmits an order to a DCM, without the order first 
being routed through a separate person who is a member of a DCO to 
which the DCM submits transactions for clearing. By using the word 
``routed,'' the Commission indicated that it means the process by which 
an order physically goes from a customer to a DCM. Section III below 
discusses the Commission's revisions to the proposed definition of DEA 
as part of this Supplemental.
    Algorithmic Trading. The Commission is not proposing to amend the 
definition of Algorithmic Trading originally proposed in the NPRM.\27\
---------------------------------------------------------------------------

    \27\ In the NPRM, the Commission proposed a new Sec.  1.3(zzzz) 
that defines Algorithmic Trading as trading in any commodity 
interest as defined in Regulation 1.3(yy) on or subject to the rules 
of a DCM, where: (1) One or more computer algorithms or systems 
determines whether to initiate, modify, or cancel an order, or 
otherwise makes determinations with respect to an order, including 
but not limited to: the product to be traded; the venue where the 
order will be placed; the type of order to be placed; the timing of 
the order; whether to place the order; the sequencing of the order 
in relation to other orders; the price of the order; the quantity of 
the order; the partition of the order into smaller components for 
submission; the number of orders to be placed; or how to manage the 
order after submission; and (2) such order, modification or order 
cancellation is electronically submitted for processing on or 
subject to the rules of a DCM; provided, however, that Algorithmic 
Trading does not include an order, modification, or order 
cancellation whose every parameter or attribute is manually entered 
into a front-end system by a natural person, with no further 
discretion by any computer system or algorithm, prior to its 
electronic submission for processing on or subject to the rules of a 
DCM.
---------------------------------------------------------------------------

    As the Commission explained in the NPRM, ``[t]he term `Algorithmic 
Trading' is a critical underpinning'' of Regulation AT.\28\ It noted 
that the proposed definition of Algorithmic Trading is similar to that 
which was adopted by the European Commission under MiFID II, except 
that it also includes AORSs.\29\ It observed that ``automated order 
routers have the potential to disrupt the market to a similar extent as 
other types of automated systems, and therefore should not be treated 
differently'' under Regulation AT. It also explained that ``given the 
interconnectedness of trading firm systems, carving out a particular 
subset of automated systems from the definition of Algorithmic Trading, 
e.g., order routing systems, would introduce unnecessary complexity and 
reduce the effectiveness of the safeguards provided in its proposed 
regulations.'' \30\ The Commission is cognizant of comments indicating 
some commenters' belief that the proposed definition of Algorithmic 
Trading should be revised to exclude certain systems such as AORSs. 
However, the Commission has thus far been presented with no persuasive 
evidence establishing that the operation of AORSs presents less risk to 
the market than other types of automated or algorithmic systems.
---------------------------------------------------------------------------

    \28\ See NPRM at 78840.
    \29\ See id.
    \30\ See id.
---------------------------------------------------------------------------

    Comments Received. As discussed above, the NPRM proposed to define 
AT Person as an existing Commission registrant that engages in 
Algorithmic Trading on or subject to the rules of a DCM, or a New Floor 
Trader (i.e., a market participant that engages in (1) proprietary (2) 
Algorithmic Trading (3) through DEA on a DCM). In addition to receiving 
comments on the substance of NPRM proposed terms such as ``Algorithmic 
Trading'' and ``DEA,'' \31\ the Commission also received comments 
concerning the number of market participants that would qualify as AT 
Persons under the proposed rules, particularly as a function of the 
defined terms discussed above. Several

[[Page 85341]]

commenters asserted that the number of persons or entities that would 
come within the NPRM proposed definition of AT Person is higher than 
the Commission's estimate of 420 AT Persons. ICE commented that ``[i]f 
read broadly (i.e. orders routed through an FCM's risk management 
controls located at the exchange but not physically routed . . . 
through the FCM are considered DEA), the Commission's estimated 100 
market participants that would be impacted by Regulation AT would 
increase to include the vast majority of all market participants.'' 
\32\ The Commercial Alliance stated that Regulation AT could apply to 
``a large segment of commercial energy and agricultural firms,'' 
contrary to the Commission's intent to limit its scope to one hundred 
new registrants.\33\ MFA commented that ``the breadth of the Regulation 
AT definitions are [sic] likely to capture many more market 
participants as AT Persons than the 420 persons that the Commission 
estimates.'' \34\ MFA estimated that if even half of the CTAs and CPOs 
registered with the Commission used an algorithmic trading execution 
system, there would be at least 1,270 CTAs and CPOs that would be AT 
Persons, exclusive of other registrant categories.\35\
---------------------------------------------------------------------------

    \31\ The comments received regarding the NPRM proposed 
definition of DEA are discussed in Section III(B) below. The 
Commission is proposing a revised definition of DEA, as set forth in 
Section III(C) below. The Commission is not proposing to amend the 
NPRM proposed definition of Algorithmic Trading.
    \32\ ICE 6.
    \33\ Commercial Alliance 2; see also IECA 6 (asserting that 
Regulation AT could affect ``vastly more'' than 100 proprietary 
trading firms).
    \34\ MFA 34.
    \35\ See id.
---------------------------------------------------------------------------

    Several commenters estimated the total number of AT Persons could 
number in the thousands. Specifically, MFA asserted that if a commodity 
pool or managed account could be considered an AT Person, ``there could 
be tens of thousands of AT Persons.'' \36\ CME commented that ``the 
CFTC should recognize that orders can pass through software that is 
calibrated by clearing members but maintained and owned by a clearing 
member's IT provider (e.g., TT or Bloomberg). If these orders are 
viewed as DEA orders because they are mischaracterized as bypassing 
clearing FCM controls, then the DEA definition will capture trading 
activity from significantly more firms (1000s) than the 100 firms 
mentioned in the rulemaking.'' \37\
---------------------------------------------------------------------------

    \36\ MFA 12 n.23.
    \37\ CME A-7. See also TT 3 (commenting that ``the definition of 
DEA will likely capture within the definition of `floor trader' many 
single traders, small trading groups and even larger companies like 
energy firms who hedge on futures exchanges, all of whom trade 
through FCMs and are often substantial liquidity providers.'').
---------------------------------------------------------------------------

    During the Roundtable and the Second Comment Period, the Commission 
received several comments regarding potential quantitative measures to 
establish the population of AT Persons. Better Markets commented that 
``[r]egarding a quantitative threshold, the CFTC must adopt a threshold 
using a metric that sets limits on volume and frequency.'' \38\ Better 
Markets further commented that ``[f]or registration purposes, FCMs 
should be tasked with monitoring proposed metrics and communicating 
these metrics to the CFTC because their `know your customer' rules make 
them the most fit.'' \39\ AIMA expressed concerns regarding 
quantitative measures, commenting that it ``considers that additional 
metrics on top of the current proposed definition of AT Person may not 
be the optimal solution to avoid the disproportionately broad scope 
capturing excessive numbers of registered firms. The fundamental 
problem causing a large population of potential AT Persons is the 
inappropriately broad definition of [Algorithmic Trading].'' \40\ The 
Commercial Alliance also took the position that the Commission should 
not adopt a quantitative approach to establish the population of AT 
Persons.\41\
---------------------------------------------------------------------------

    \38\ Better Markets III 2.
    \39\ Id.
    \40\ AIMA III 3.
    \41\ Commercial Alliance III 2-4.
---------------------------------------------------------------------------

    Commenters raised a number of concerns regarding potential 
quantitative measures, including that all algorithmic or electronic 
trading should be subject to appropriate risk controls; \42\ that even 
a small volume of trading could pose risks to the marketplace; \43\ 
that any quantitative measure would necessarily be arbitrary; \44\ and 
that market participants could seek to modify their trading to ``game'' 
any quantitative measure.\45\ The Commission has carefully considered 
all comments received, and believes that the proposals set forth in 
this Supplemental NPRM address the comments regarding quantitative 
measures raised during the Roundtable and in written comments.
---------------------------------------------------------------------------

    \42\ ICE, transcript of June 10, 2016 Roundtable (``Roundtable 
Tr.''), available at https://www.cftc.gov/idc/groups/public/@newsroom/documents/file/transcript061016.pdf, 110:14-114:5; 
Optiver, Roundtable Tr. 119:11-120:17; see also FIA 6, 13, 21; ICE 
4; and MGEX 20-21 (commenting that all market participants trading 
electronically should use pre-trade and other risk controls 
appropriate to their trading).
    \43\ Hudson Trading, Roundtable Tr. 95:10-97:8, 135:12-136:19; 
Optiver, Roundtable Tr. 119:11-19; KCG, Roundtable Tr. 120:21-121:8.
    \44\ Hartree, Roundtable Tr. 100:7-101:7; AQR, Roundtable Tr. 
106:5-107:17, 109:9-110:13.
    \45\ Milliman III 3; Hudson Trading, Roundtable Tr. 97:15-98:4; 
AQR, Roundtable Tr. 107:18-108:7; QIM, Roundtable Tr. 117:13-114:10.
---------------------------------------------------------------------------

    Specifically, the Commission is proposing to establish a framework 
where FCMs act as one of two pre-trade risk control layers for all 
Electronic Trading not originating with an AT Person (see Supplemental 
proposed Sec.  1.82). The volume threshold test would identify those 
market participants with the most significant presence in CFTC-
regulated markets. The Commission is also proposing an anti-evasion 
provision in Supplemental proposed Sec.  1.3(xxxx)(4) to address 
commenters' concerns that a quantitative measure could be ``gamed'' by 
market participants.\46\ As discussed in Section II(C) below, the 
proposed anti-evasion provision states that no person shall trade 
contracts or cause contracts to be traded through multiple entities for 
the purpose of evading the floor trader registration requirements under 
Supplemental proposed Sec.  1.3(x)(3), or to avoid meeting the 
definition of AT Person under Supplemental proposed Sec.  1.3(xxxx).
---------------------------------------------------------------------------

    \46\ See AQR, Roundtable Tr. 107:18-108:7; Hudson River Trading, 
Roundtable Tr. 97:19-21.
---------------------------------------------------------------------------

C. Substance of New Proposal

    In light of comments received, the Commission is proposing an 
additional requirement for AT Person status: A volume threshold test. 
Pursuant to Supplemental proposed Sec.  1.3(xxxx), a market participant 
may fall under the definition of AT Person in one of three ways. First, 
the category of AT Persons includes persons registered or required to 
be registered as an FCM, floor broker, SD, MSP, CPO, CTA, or IB that 
(1) engages in Algorithmic Trading and (2) satisfies the volume 
threshold test under Supplemental proposed Sec.  1.3(x)(2) (as 
discussed in greater detail below).\47\ Second, AT Persons include New 
Floor Traders under Supplemental proposed Sec.  1.3(x)(1)(iii).\48\ 
Such New Floor Traders must engage in Algorithmic Trading, utilize DEA, 
and satisfy the volume threshold test under Supplemental proposed Sec.  
1.3(x)(2). Third, a person who does not satisfy either of the other two 
prongs of the AT Person definition may nevertheless elect to become an 
AT Person, provided that such person registers as a floor trader and 
complies with all requirements of AT Persons pursuant to Commission 
regulations.\49\ In addition, each AT Person who is not already a 
member of an RFA must submit an application for

[[Page 85342]]

membership to at least one RFA, as discussed below.
---------------------------------------------------------------------------

    \47\ See Supplemental proposed Sec.  1.3(xxxx)(1)(i).
    \48\ See Supplemental proposed Sec.  1.3(xxxx)(1)(ii).
    \49\ See Supplemental proposed Sec.  1.3(xxxx)(2).
---------------------------------------------------------------------------

1. Volume Threshold Test for AT Persons
    In light of commenter views that the Commission has underestimated 
the number of AT Persons that would fall within the scope of Regulation 
AT, the Commission proposes modifying the proposed definition of AT 
Person to incorporate a volume threshold test. Specifically, 
Supplemental proposed Sec.  1.3(x)(2) would require potential AT 
Persons to determine whether they trade an aggregate average daily 
volume of at least 20,000 contracts for their own account, the accounts 
of customers, or both. The Commission notes that while many Commission 
registration categories (e.g., FCM, CPO, floor broker, etc.) may trade 
both their proprietary and customer accounts, New Floor Traders are 
likely to trade solely for themselves. Accordingly currently 
unregistered market participants would likely look to their proprietary 
trading volume when determining whether they satisfy the volume 
threshold test.\50\ For purposes of the volume threshold test, 
potential AT Persons would be required to calculate their aggregate 
average daily volume across all products on the electronic trading 
facilities \51\ of all DCMs on which they trade.\52\ Aggregate average 
daily volume would be calculated in six-month periods, from each 
January 1 through June 30 and each July 1 through December 31, based on 
all trading days in the respective period.\53\ For purposes of 
calculating the aggregate average daily volume, AT Persons would also 
be required to aggregate their own trading volume and that of any other 
persons controlling, controlled by or under common control with the 
potential AT Person.\54\
---------------------------------------------------------------------------

    \50\ However, if a currently unregistered market participant is 
in fact trading the accounts of customers consistent with the Act 
and Commission regulations, such market participant should include 
their customer trading volume, in addition to their proprietary 
volume, when determining whether it satisfies the volume threshold 
test.
    \51\ ``Electronic trading facility'' is defined in section 
1a(16) of the CEA. The aggregate average daily volume would not 
include block trades, exchange for related positions, pit trades, or 
other transactions outside a DCM's electronic trading platform.
    \52\ See Supplemental proposed Sec.  1.3(x)(2)(i).
    \53\ See Supplemental proposed Sec.  1.3(x)(2)(ii).
    \54\ See Supplemental proposed Sec.  1.3(x)(2)(iii).
---------------------------------------------------------------------------

    The Commission believes that a volume threshold test based on total 
trading volume across the electronic trading facilities of all DCMs 
best matches the goals of AT Person regulation, including risk 
controls, recordkeeping and testing and monitoring of automated systems 
requirements that will prevent and reduce the potential risk of market 
disruption caused by technological malfunction or other error. This 
volume threshold test would apply to both current and new Commission 
registrants to help define whether they are AT Persons.
    In making this determination, the Commission reviewed other 
quantitative thresholds proposed, or finalized, for regulatory purposes 
similar to those in Regulation AT. These other quantitative thresholds 
include, for example, tests proposed by ESMA for identifying high-
frequency traders in European markets, i.e., average resting order 
times and daily number of messages sent by a trading entity. The 
Commission's purpose in creating the new AT Person category is to 
ensure that risk management, testing and monitoring standards are 
sufficiently high for larger market participants in futures markets, 
regardless of strategy or firm type. The Commission believes that, out 
of all actions taking place on an electronic platform, consummated 
transactions are the key element of market processes such as price 
discovery and risk transfer. For this reason, larger entities, across 
products taken as a whole, should be held to standards sufficient to 
mitigate the risks of general market disruptions or degradations in the 
quality of trading.
    The Commission proposes setting a six-month window for calculating 
average daily trading volume. The Commission's intent is that a longer 
window will smooth out episodic volume fluctuations experienced by a 
firm through the year for a variety of reasons, including, for example, 
hedging practices, roll activity, or other seasonal reasons. By doing 
this, the set of AT Persons should be restricted to entities that are 
larger, sufficiently high-volume traders. The averaging window also 
should moderate the effect of market events where there is unusually 
high volume relative to historical levels.
    The volume threshold test definition does not make a distinction 
between futures products or between futures and options contracts for 
the purposes of aggregation. The Commission believes this is 
appropriate to help facilitate the volume calculation for potential AT 
Persons. Accordingly, the proposed volume threshold test instead 
results in an averaging across markets and products.
    Using the proposed definition, and a trading volume threshold of 
20,000 contracts traded per day on DCM electronic trading facilities--
including for a firm's own account, the accounts of customers, or both, 
over a six month period--the Commission estimates that there would be 
approximately 120 AT Persons, a portion of which would be newly 
registered under the amended definition of floor trader.\55\ In order 
to derive this estimate, the Commission made use of daily trading audit 
trail data, for futures and options on futures, received from a number 
of DCMs. This audit trail data included information about the trading 
activity of market participants on the electronic trading facility of 
each DCM, coinciding with the order and trade activity associated with 
electronic trading, the focus of many other elements of this 
Supplemental NPRM. Because the volume threshold test is based on 
activity within a semi-annual period, the Commission calculated the 
average activity of individual firms during the first half of 2016 and 
used these aggregate numbers as an activity benchmark. Aggregating this 
activity across the DCMs for which the Commission had firm 
identification provided a basis for estimating the number of potential 
AT Persons. The Commission notes that its data provides a significantly 
comprehensive, but not a full, identification of the firms associated 
with each trade; in other cases, the firm associated with a trade may 
be the broker rather than the principal. For these reasons, the 
Commission estimates for the number of AT Persons may omit some firms 
that would meet the volume threshold requirements.
---------------------------------------------------------------------------

    \55\ The Commission notes that over time it may amend the volume 
threshold it adopts in any final rules for Regulation AT. Such 
amendments would be an outgrowth of the Commission's experience with 
the volume threshold it adopts in final rules. As the Commission is 
proposing to codify the volume threshold in its rules, any future 
changes would necessarily be pursued through further notice and 
comment rulemaking.
---------------------------------------------------------------------------

    Because trading patterns for a given entity or firm may change over 
time, the Commission acknowledges that traders who are active enough to 
fall above the AT Person volume threshold test during a given semi-
annual period may, over time, reduce their activity levels. To 
accommodate changes in strategy and in the use of futures markets, the 
AT Person definition allows for current AT Persons to drop their 
designation as an AT Person if they fall below the volume threshold for 
two consecutive six-month periods.\56\
---------------------------------------------------------------------------

    \56\ The Commission's proposed volume threshold test helps 
determine, together with other factors, a market participant's 
obligation to register as a New Floor Trader. As described above, 
any Commission registrant who is also an AT Person, including a 
floor trader, may cease to be bound by the requirements applicable 
to AT Persons if such registrant falls below the volume threshold 
test for two consecutive six-month periods. The Commission notes, 
however, that a floor trader who ceases to be an AT Person shall 
still be registered as a floor trader unless it formally applies for 
withdrawal from registration as described in Commission Sec.  3.33.

---------------------------------------------------------------------------

[[Page 85343]]

2. Registration as a Floor Trader
    Supplemental proposed Sec.  1.3(x) modifies the new definition of 
floor trader, which also make up the group of AT Persons under 
Supplemental proposed Sec.  1.3(xxxx)(1)(ii). Under the Supplemental 
proposed definition, a floor trader must, in addition to using DEA to 
conduct Algorithmic Trading (as proposed in the NPRM), also satisfy the 
volume threshold test set forth in Supplemental proposed Sec.  
1.3(x)(2). This proposal will help to address concerns that too many 
market participants would be captured by the new definition of floor 
trader proposed in the NPRM.
    Supplemental proposed Sec.  1.3(x)(3) specifies the period of time 
provided to an entity meeting these conditions to register as a floor 
trader and come into compliance with the requirements for AT Persons. 
Specifically, Supplemental proposed Sec.  1.3(x)(3) provides that an 
unregistered person who satisfies Supplemental proposed Sec. Sec.  
1.3(x)(1)(iii)(A), (x)(1)(iii)(B) and (x)(1)(iii)(C), and who meets the 
volume threshold test in Supplemental Sec.  1.3(x)(2) in any January 1 
through June 30 or July 1 through December 31 period, shall register as 
a floor trader within 30 days after the end of such period and shall 
comply with all requirements of AT Persons pursuant to Commission 
regulations within 90 days after the end of such period.
    Supplemental proposed Sec.  1.3(x)(3)(ii) describes which person or 
persons must register if there is an ``affiliate group,'' under common 
control, that meets the volume threshold test in the aggregate. 
Supplemental proposed Sec.  1.3(x)(3)(ii) states that for any group 
consisting of a person and any other persons controlling, controlled by 
or under common control of such person, if such group of persons in the 
aggregate satisfies the volume threshold test set forth in Supplemental 
proposed Sec.  1.3(x)(2), then one or more persons in such group must 
register as floor traders. These registrations would need to continue 
across affiliated entities until the aggregate average daily volume of 
the unregistered persons in the group trade an aggregate average daily 
volume below the volume threshold test set forth in Sec.  
1.3(x)(2).\57\
---------------------------------------------------------------------------

    \57\ The Commission's proposal for aggregating the trading 
volume of affiliated entities under common control is modeled on 
analogous provisions in the Commission's swap dealer registration 
requirements. See existing Sec.  1.3(ggg)(4) and Interpretative 
Guidance and Policy Statement Regarding Compliance With Certain Swap 
Regulations, 78 FR 45292 (July 26, 2013).
---------------------------------------------------------------------------

3. Anti-Evasion
    Supplemental proposed Sec.  1.3(x)(4) provides that no person shall 
trade contracts or cause contracts to be traded through multiple 
entities for the purpose of evading the registration requirements 
imposed on New Floor Traders under Sec.  1.3(x)(3), or to avoid meeting 
the definition of AT Person under Sec.  1.3(xxxx). The purpose of this 
provision is to prevent market participants whose trading volume would 
otherwise cause them to fall within the definition of New Floor Trader 
(and, therefore, AT Person), but who trade through multiple entities 
for the purpose of falling below the volume threshold test, from 
avoiding registration. By including such anti-evasion provision, the 
Commission seeks to prevent market participants from structuring 
transactions and legal entities in order to avoid the requirements of 
Regulation AT. Examples of these structures might include trading 
through multiple ``shell'' companies that individually trade below the 
threshold, or trading through one entity for part of the year, then 
ceasing all trading activity for that entity and trading instead 
through a newly formed entity, similarly leaving average daily volume 
under the threshold.
4. Registration for Membership With a Registered Futures Association
    In addition to being registered with the Commission in some 
capacity, AT Persons must also submit applications for membership in at 
least one RFA.\58\ In particular, Supplemental proposed Sec.  170.18 
requires that an AT Person not yet a member of an RFA must submit an 
application for membership in at least one RFA within 30 days of such 
AT Person satisfying the volume threshold test set forth in 
Supplemental proposed Sec.  1.3(x)(2).\59\ In addition, Supplemental 
proposed Sec.  1.3(xxxx) provides that any person that elects to become 
an AT Person must submit an application for membership to at least one 
RFA pursuant to Supplemental proposed Sec.  170.18 within 30 days of 
such person choosing to become an AT Person.\60\
---------------------------------------------------------------------------

    \58\ The Commission is cognizant that upon the adoption of final 
rules for Regulation AT, an RFA may need additional time to prepare 
its governance structure, membership categories, application 
materials, and other internal processes to accommodate New Floor 
Traders. Accordingly, the Commission may determine to delay the 
compliance date for Supplemental proposed Sec.  170.18 for a short 
period of time so that an RFA may complete such processes prior to 
receiving its first application for membership from a New Floor 
Trader.
    \59\ Any unregistered person who meets the requirements to 
register as a New Floor Trader would have identical 30-day periods 
in which to both register with the Commission and apply for 
membership in an RFA.
    \60\ The Commission does not require such membership to be in a 
specific membership category. An RFA may register such AT Persons as 
``floor traders,'' or choose to create a subset or other category of 
Regulation AT floor traders for membership purposes.
---------------------------------------------------------------------------

D. Commission Questions

    1. The Commission invites comment on the proposed volume threshold 
test set forth in Supplemental proposed Sec.  1.3(x)(2). In particular, 
the Commission specifically invites comment on whether the volume 
threshold test is an appropriate means of identifying those market 
participants who should qualify as AT Persons and therefore be subject 
to the proposed risk control, recordkeeping testing and monitoring and 
other requirements in Regulation AT.
    2. If you believe that AT Persons should be identified by a 
quantitative measure other than the proposed volume threshold test, 
please identify and describe such alternative measure, including the 
number and types of market participants that would qualify as AT 
Persons.
    3. The proposed volume threshold test would require a potential AT 
Person to determine whether it trades an aggregate average daily volume 
of at least 20,000 contracts over a six month period. Do you believe 
that a potential AT Person's average daily volume for purposes of the 
volume threshold test should instead be calculated only over the days 
in which the potential AT Person trades during the six month period? 
Would such alternative better address potential AT Persons who may 
trade infrequently over the course of a six month period, but in large 
quantities when they do trade?
    4. The Commission estimates that its proposed volume threshold of 
20,000 contracts traded per day, including for a firm's own account, 
the accounts of customers, or both, across all products and DCMs, would 
capture approximately 120 market participants, including new and 
existing registrants. Please comment on the Commission's estimate. Do 
you believe that the number of market participants captured by this 
volume threshold test would be greater or fewer than 120? Please 
indicate how many of these market participants are currently registered 
with the Commission and how many are not.

[[Page 85344]]

    5. With the addition of the proposed volume threshold test, do you 
believe that any AT Person will be a natural person or a sole 
proprietorship with no employees other than the sole proprietor?
    6. For the proposed volume threshold test, please explain any 
challenges that could arise with respect to implementation. For 
example, what difficulties might an entity potentially subject to 
Regulation AT encounter in calculating whether it meets the volume 
threshold? Will the entity be able to readily distinguish between 
trades executed on a DCM's electronic trading facility and other trades 
executed on or pursuant to the rules of the DCM? Does the volume 
threshold test potentially capture a set of entities that should not be 
subject to Regulation AT?
    7. For the proposed volume threshold test, please explain whether 
the proposed rule should specify a different aggregation level for 
purposes of deciding who is an AT Person (e.g., individual DCMs, 
individual products), or whether the aggregation should be done over a 
time period different than the proposed semi-annual window.
    8. For the proposed volume threshold test, please explain whether 
certain trades should be weighted differently in calculating the volume 
aggregation, or whether certain trades such as spread trades should be 
excluded from the aggregation.
    9. For the proposed volume threshold test, the Commission proposes 
to set a single threshold incorporating trading in all products and on 
all DCMs in order to facilitate calculations for potential AT Persons. 
Please explain whether the Commission should instead set different 
thresholds for groups of related products, or on a per-DCM basis, or 
other more granular measures than the aggregation of a potential AT 
Person's trading across all products and DCMs. Please also discuss the 
added complexity of any such alternate system, and explain why such 
system is preferable despite such complexity.
    10. Supplemental proposed Sec.  1.3(x)(2)(ii) calls for aggregate 
average daily volume to be calculated in six-month periods, from each 
January 1 through June 30 and each July 1 through December 31. The 
Commission requests comment regarding when to begin the first six-month 
measurement period for any final rules that the Commission adopts. For 
example, the Commission anticipates that for any final rules with an 
effective date prior to July 1, 2017, the first measurement period will 
be July 1 through December 31, 2016. Alternatively, the Commission 
could delay the effective date for certain elements of the final rules 
to a date from July 1, 2017 onwards. In such case, the first 
measurement period could be January 1 to June 30, 2017.
    11. The Commission invites comment on whether any future changes to 
the volume threshold deemed appropriate by the Commission (subsequent 
to a final rulemaking on Regulation AT) should be made by notice and 
comment rulemaking. Commenters are particularly invited to address 
potential alternatives to updating the volume threshold, if any.
    12. The Commission invites comment as to how the proposed volume 
threshold test should be applied to members of an affiliated group. 
Commenters are particularly invited to address how the Commission 
should interpret common control for these purposes, and whether this 
interpretation should be limited to wholly-owned affiliates.
    13. The Commission requests comment regarding the appropriate 
amount of time for an entity to register as a New Floor Trader and come 
into compliance with all requirements applicable to AT Persons, once 
such entity has triggered the criteria for registration and AT Persons 
status.

III. Proposed Definition of DEA

A. Overview and Policy Rationale for New Proposal

    The Commission proposed in NPRM Sec.  1.3(yyyy) to define DEA for 
purposes of Regulation AT as an arrangement where a person 
electronically transmits an order to a DCM, without the order first 
being routed through a separate person who is a member of a DCO to 
which the DCM submits transactions for clearing.\61\ The NPRM explained 
that the term ``routed'' was intended to mean the process by which an 
order physically goes from a customer to a DCM. The Commission proposed 
this definition of DEA in the NPRM as a filter, along with Algorithmic 
Trading, to help define the category of proprietary traders that would 
be required to register as floor traders under Regulation AT. The 
Commission anticipated that the proposed definition of DEA could help 
to define the number of entities required to register as New Floor 
Traders, and to focus registration on larger market participants not 
otherwise registered with the Commission. In light of comments received 
on the NPRM, and in light of the proposed addition of a volume 
threshold test to filter out smaller market participants from floor 
trader registration and its attendant obligations, the Commission is 
proposing an amended definition of DEA, as described below.
---------------------------------------------------------------------------

    \61\ See NPRM at 78844.
---------------------------------------------------------------------------

    The Supplemental proposed defined term DEA means the electronic 
transmission of an order for processing on or subject to the rules of a 
contract market, including the electronic transmission of any 
modification of such order. DEA would not include orders, or 
modifications or cancellations thereof, (i) electronically transmitted 
to a DCM (ii) by an FCM (iii) that such FCM received from an 
unaffiliated natural person \62\ (iv) by means of oral or written 
communications.\63\ The amended definition differs from the NPRM 
definition in four key areas: (a) Eliminating the term ``routed 
through''; (b) clarifying that DEA does not include orders submitted to 
a DCM by an FCM where such FCM received the order from an unaffiliated 
natural person by means of written or oral communication; \64\ (c) 
changing the proposed rule's reference to ``clearing members'' of DCOs 
to any FCM; and (d) expanding the term ``order'' to include the 
cancellation or modifications of such order.
---------------------------------------------------------------------------

    \62\ The Commission notes that an ``unaffiliated natural 
person'' is one who has no affiliation with, and whose employer has 
no affiliation with, the FCM receiving the order. Such natural 
person may be communicating the order for another (unaffiliated) 
Commission registrant, an (unaffiliated) unregistered market 
participant, an (unaffiliated) end customer, etc. Examples of 
scenarios that are not DEA include: (1) An employee of a Commission 
registrant communicates an order to an unaffiliated FCM, verbally or 
in writing, for onward transmission by such FCM to a DCM; (2) A 
natural person customer communicates an order to an unaffiliated 
FCM, verbally or in writing, for onward transmission by such FCM to 
a DCM; and (3) An employee of customer that is a legal entity not 
registered with the Commission communicates an order to an 
unaffiliated FCM, verbally or in writing, for onward transmission by 
such FCM to a DCM. The Commission emphasizes that an unaffiliated 
natural person has no relationship, and their employer has no 
relationship, with the FCM receiving the order for submission to a 
DCM.
    \63\ The Commission notes that ``written communications'' may 
include email, text messages, or instant messaging ``chat'' tools, 
in addition to communications on paper. The common denominator is 
that such communications are in each instance specifically written 
by a natural person.
    \64\ The Commission notes that this exclusion addresses the 
``how'' and ``by whom'' of an order's communication to the FCM. Such 
communication must be made by a (1) unaffiliated (2) natural person 
(3) verbally or in writing.
---------------------------------------------------------------------------

B. NPRM Proposal and Comments

    In the NPRM, DEA was relevant to several of the proposed 
regulations. It was used as a filter to define the category of market 
participants required to register as floor traders and be subject to 
the requirements of Regulation AT

[[Page 85345]]

(see proposed Sec.  1.3(x)(3)). In addition, DEA was relevant to 
revised Sec.  38.255, which requires DCMs to have in place systems and 
controls reasonably designed to facilitate an FCM's management of the 
risks that may arise from Algorithmic Trading, and proposed Sec.  1.82, 
which requires FCMs to implement such DCM-provided controls for DEA 
orders. This approach of enabling clearing FCMs to implement DCM-based 
controls is similar to how the Commission addresses financial risk 
management by FCMs, as reflected in existing DCM regulation Sec.  
38.607. Existing Sec.  38.607 describes DEA as allowing customers of 
futures commission merchants to enter orders directly into a designated 
contract market's trade matching system for execution.\65\ As discussed 
below, the Commission proposes to amend the definition of DEA to 
address various commenter concerns, and the term continues to be 
relevant to Supplemental proposed Sec. Sec.  1.3(x)(1)(iii), 1.82 and 
38.255.
---------------------------------------------------------------------------

    \65\ In addition, in the context of foreign boards of trade, 
section 4(b)(1)(A) of the CEA defines ``direct access'' as an 
explicit grant of authority by a foreign board of trade to an 
identified member or other participant located in the United States 
to enter trades directly into the trade matching system of the 
foreign board of trade.
---------------------------------------------------------------------------

    Comments Received. The Commission received a range of comments 
concerning the scope and clarity of the definition of DEA proposed in 
the NPRM. Better Markets commented that the NPRM's definition of DEA 
encompassed all types of access commonly understood in Commission-
regulated markets as ``direct market access.'' \66\ Other commenters 
raised a number of concerns over the NPRM proposed definition of DEA 
and its application to various types of market participants. One 
commenter cautioned that the NPRM proposed definition of DEA would not 
capture any market participants because clearing members are required 
to have risk controls over automated customer orders under existing 
Sec.  1.73.\67\ Some commenters found the NPRM definition too broad, 
and argued that it would capture individual traders and small trading 
groups, as well as large corporations using futures markets to hedge 
risks.\68\ CME stated that this broader reading of DEA would capture 
thousands of firms if the term includes orders that pass through 
software calibrated by clearing members but maintained and owned by a 
clearing member's IT provider (e.g., TT or Bloomberg).\69\ Two 
commenters suggested that the definition of DEA is unnecessary because 
any market participant trading electronically must utilize pre-trade 
and other risk controls appropriate to the nature of their trading.\70\
---------------------------------------------------------------------------

    \66\ Better Markets 3; Better Markets III 3-4.
    \67\ CME, 12.
    \68\ TT 3.
    \69\ CME A-7.
    \70\ FIA 6; ICE 4-5.
---------------------------------------------------------------------------

    Several commenters asserted that the NPRM proposed definition of 
DEA lacks clarity,\71\ and that the definition does not provide 
sufficient guidance as to what ``being routed through a separate 
person'' that is a member of a DCO means.\72\ Many commenters argued 
that DEA should not include DCM-offered connectivity platforms such as 
WebICE or CME Direct.\73\ Commenters also argued that DEA should not 
include platforms provided by third-party ISVs; \74\ one commenter 
considered such ISVs to be an extension of the FCM's infrastructure 
where the FCM was able to control a risk control module on the 
platform.\75\
---------------------------------------------------------------------------

    \71\ TT 2; MFA 15; CME 11-12; ICE 4; IECA 7.
    \72\ TT 2; CME 11-12; ICE 4.
    \73\ FIA A-17; MFA 15; AGA 3; Commercial Alliance III 4; ICE 5; 
CME A-7.
    \74\ FIA A-6; MFA 15; TT 3; Commercial Alliance 4.
    \75\ FIA A-6.
---------------------------------------------------------------------------

    Some commenters also suggested that the NPRM definition was too 
narrowly focused on the role of clearing FCMs, as opposed to executing 
FCMs. Several commenters argued that executing FCMs could better act as 
gatekeepers over customer order flow than clearing FCMs.\76\ For 
example, Milliman commented that NPRM proposed Sec.  1.3(yyyy) should 
be modified to refer to an order being routed through a separate person 
who is an ``executing agent'' (rather than a clearing member).\77\ QIM 
raised the issue of FCM ``gateways'' through which customers could 
submit orders, and commented that only the person or agent directly 
placing trades on a DCM should be considered to possess DEA \78\
---------------------------------------------------------------------------

    \76\ Milliman III 2. One commenter also noted that there may be 
non-FCM clearing members of a DCM, which could create situations 
under the NPRM proposed rules where there would be ``no second line 
of pre-trade risk control administered by an FCM.'' Industry Group 
III 15 n.12. One commenter also suggested that limiting the 
exclusion to instances where a clearing member had risk controls in 
place would incentivize market participants to move away from the 
use of executing FCMs and give-up arrangements. See Bloomberg 7.
    \77\ Milliman III 2.
    \78\ QIM III 1.
---------------------------------------------------------------------------

    Commenters offered a variety of alternate definitions of DEA, with 
the intent that DEA not capture certain types of market participants. 
Bloomberg and TT offered alternate definitions that would exclude 
market participants using third-party software platforms provided by 
FCMs.\79\ CME offered an alternative definition that would exclude 
orders passing through risk controls administered by a clearing 
member.\80\ FIA and the Commercial Alliance offered an alternative 
definition that would exclude orders that are first routed through an 
order routing system under the control of an FCM.\81\ Better Markets 
proposed a definition that would take into consideration colocation and 
the use of FCM-provided software.\82\ Nadex supported defining DEA, 
consistent with existing Commission Sec.  38.607, as ``allowing 
customers of FCMs to enter orders directly into a DCM's trade matching 
system for execution.'' \83\ Similarly, Nodal commented that the 
definition of DEA in Sec.  38.607 ``is an accurate definition of Direct 
Electronic Access that does not need revision.'' \84\
---------------------------------------------------------------------------

    \79\ Bloomberg 8-9; TT 3.
    \80\ CME 12.
    \81\ FIA 6; Commercial Alliance 6.
    \82\ Better Markets III 4.
    \83\ Nadex III 2.
    \84\ Nodal 2.
---------------------------------------------------------------------------

C. Substance of New Proposal

    The Commission proposes to amend the definition of DEA in Sec.  
1.3(yyyy) of the NPRM to address the comments summarized above, 
including with respect to potential ambiguities in the NPRM's 
definition of DEA. At the same time, the Supplemental NPRM retains DEA 
as one of the criteria for defining who must register as a New Floor 
Trader. The addition of the volume threshold test pursuant to 
Supplemental proposed Sec.  1.3(x)(2) will act as a further filter for 
New Floor Traders, limiting registration to large market participants. 
This will limit AT Person status and its attendant obligations to only 
those market participants who meet the volume threshold test.
    The Commission intends for the amended proposed definition of DEA 
to cover any arrangement where a market participant electronically 
transmits an order, modification or cancellation to a DCM. However, the 
amended proposed definition excludes from the definition of DEA any 
orders submitted by an FCM where the FCM receives such order from an 
unaffiliated natural person by means of written or oral communication. 
As noted in Section III(A) above, an ``unaffiliated'' natural person is 
one who has no affiliation with the FCM receiving the order for 
submission to a DCM. Similarly, the natural person's employer can have 
no affiliation with such FCM.

[[Page 85346]]

    The NPRM definition of DEA exempted orders that were ``routed 
through'' a clearing FCM. After receiving comments requesting 
clarification on this phrase, the Commission proposes changing the 
definition of DEA so that it does not include orders electronically 
submitted to a DCM by an FCM that such FCM first receives from an 
unaffiliated natural person by means of oral or written communications. 
The Commission believes that this revision clarifies which order 
submission methods are DEA, and which are not, for purposes of 
Regulation AT. The Commission expects that the language in which an FCM 
electronically submitting orders first received from an unaffiliated 
natural person by means of oral or written communications will only 
encompass situations where the FCM is acting in a true intermediating 
role: i.e., where the FCM receives an order from a third-party (who may 
or may not be a Commission registrant) and the FCM then submits such 
order to a DCM for or on behalf of the third party. Each element of 
Supplemental proposed Sec.  1.3(yyyy) is intended to emphasize an FCM's 
active, involved intermediation as a necessary condition for non-DEA 
order submission, modification, or cancellation. Accordingly, non-DEA 
orders must be received by an FCM orally or in writing, from a natural 
person, who is unaffiliated and whose employer is unaffiliated with the 
FCM.
    Because technological innovations have created, and may continue to 
create, new methods for market participants to connect to DCMs, the 
Commission has determined not to differentiate between currently 
existing connection types. Instead, the amended proposed definition 
would capture all electronic order submissions to a DCM as DEA, unless 
the order is first received by an FCM from an unaffiliated natural 
person by means of written or oral communication prior to being 
submitted to the DCM by the FCM.\85\ To identify specific connection 
types in this definition--such as connection through a DCM's 
application program interface (``API'')--risks having the definition 
become outdated with changes in technology while simultaneously 
creating uncertainty over the regulatory standing of such new 
technology.
---------------------------------------------------------------------------

    \85\ The Commission understands that written or oral 
communications are not computer-generated, and therefore such 
communications would come from a natural person. The Commission 
notes that ``written communications'' may include email, text 
messages, or instant messaging ``chat'' tools, in addition to 
communications on paper. The common denominator is that such 
communications are in each instance specifically written by a 
natural person.
---------------------------------------------------------------------------

    Second, the exclusion would apply only where an FCM receives an 
oral or written communication from a natural person for a particular 
order or series of orders. The exclusion would not apply to orders 
received through electronic systems or automated means, such as through 
any API or graphical user interfaces (``GUIs'') provided by an FCM. The 
exclusion also would not apply to any third-party ISV platforms, such 
as those provided by Bloomberg or TT, even if the FCM were able to 
calibrate or implement risk controls over customer order flow submitted 
through those platforms. Further, the exclusion would not apply to any 
orders submitted through DCM-provided APIs, such as WebICE or CME 
Direct. In each case, current and potential technological practices may 
serve to reduce or eliminate the role of an FCM or other Commission 
registrant as a true intermediary to the transaction.
    Third, the Commission's amended proposed definition also would 
change the entity that must be involved in an order's transmittal to 
the DCM for such order not to be considered DEA. The NPRM proposal 
would exclude orders routed through a clearing member of a DCO to which 
the DCM submits trades for clearing, thus applying to clearing FCMs. 
The amended proposal would expand the exclusion from DEA to certain 
types of orders submitted by any FCM, including those FCMs that a 
market participant may use only to execute trades as well as those used 
to clear trades. This change is in response to various comments 
suggesting that executing FCMs could better act as gatekeepers on 
customer order flow than clearing FCMs.
    Fourth, the amended proposal differs from the NPRM proposal in that 
the definition of DEA proposed in this Supplemental NPRM applies 
explicitly to modifications and cancellations of orders, not only 
initial order submissions. The Commission considers this a non-
substantial clarification intended to align the DEA definition with the 
proposed definition of Algorithmic Trading (NPRM proposed Sec.  
1.3(zzzz)).

D. Commission Questions

    14. Does the amended proposed definition of DEA appropriately 
capture all order submission methods to which the additional filters 
for New Floor Trader status (i.e., Algorithmic Trading and the volume 
threshold test) should be applied?

IV. Algorithmic Trading Source Code Retention and Inspection 
Requirements

A. Overview and Policy Rationale for New Proposal

    The Commission proposed NPRM Sec.  1.81(a)(vi) to ensure that 
source code is preserved and available to the Commission when 
necessary. The NPRM required that AT Persons maintain a ``source code 
repository'' and make it available for inspection in accordance with 
existing Sec.  1.31. The requirements proposed in the NPRM were 
intended to be consistent with the Commission's traditional statutory 
and regulatory authorities governing recordkeeping and access to 
records; however, as explained below, some commenters misconstrued the 
proposal as requiring more than the Commission intended. Specifically, 
NPRM proposed Sec.  1.81(a)(vi) did not require the transfer of all 
source code to the Commission or other third party for centralized 
storage. It also did not require that AT Persons provide their 
Algorithmic Trading Source Code to the Commission on a regular basis.
    Comments received in response to NPRM proposed Sec.  1.81(a)(vi) 
expressed intellectual property and information security concerns among 
numerous market participants and other observers. The Commission 
appreciates these concerns, including the commercial and enterprise 
value of market participants' Algorithmic Trading Source Code. The 
Commission is proposing to revise NPRM proposed Sec. Sec.  
1.81(a)(1)(v) and (vi) as reflected in Supplemental proposed Sec.  
1.84. This new proposal directly addresses commenters' concerns 
regarding Commission access to source code in several respects. Most 
importantly, access to Algorithmic Trading Source Code would not be 
governed by Sec.  1.31. Instead, access to Algorithmic Trading Source 
Code and related records described in the proposed rule would require a 
subpoena approved by the Commission pursuant to part 11 or a ``special 
call'' which must also be approved by the Commission itself, a 
heightened procedural step that responds to concerns raised by market 
participants.
    Through Supplemental proposed Sec.  1.84, the Commission is 
endeavoring to balance its responsibility to oversee markets and market 
participants--including the operation of ATSs which have become highly 
pervasive in modern electronic markets--with market participants' 
strongly-held privacy and confidentiality concerns. Ultimately, it is 
imperative that the Commission have access to all information necessary 
for effective

[[Page 85347]]

regulatory oversight, including market surveillance and maintaining the 
safety and soundness of markets. The Commission believes that 
Supplemental proposed Sec.  1.84 strikes an appropriate balance between 
regulatory needs and privacy concerns.
    The Commission emphasizes that recordkeeping and Commission access 
to books and records are central to the Act's statutory framework for 
the oversight of regulated derivatives markets. Sections 4g, 4n(3)(A), 
4r(c), and 4s(f)(1)(C) of the Act require all registrants and 
registered entities to maintain books and records, and provide for 
prompt access by the Commission and its staff. They include nearly 
identical language stating that registrants and registered entities 
shall keep books and records in such form and manner and for such 
period as may be required by the Commission; and shall keep such books 
and records open to inspection by any representative of the 
Commission.\86\ These core statutory provisions recognize that the 
Commission must have adequate information to oversee markets and market 
participants subject to its jurisdiction.\87\ Required books and 
records include not only those that must be reported to the Commission 
on a routine basis, but also books and records that registrants must 
maintain in their own possession and make available upon request by the 
Commission or its staff. The Act and Commission rules contemplate a 
range of mechanisms to obtain books and records, from prompt production 
to Commission staff through on-site inspection,\88\ to subpoenas in 
investigative proceedings pursuant to part 11 of the Commission's 
regulations.
---------------------------------------------------------------------------

    \86\ 17 CFR 1.31. See Section 4g(a) of the Act, 7 U.S.C. 6g(a); 
Section 4n(3)(A) of the Act, 7 U.S.C. 6n(3)(A); Section 4r(c) of the 
Act, 7 U.S.C. 4r(c); and Section 4s(f)(1)(C) of the Act, 7 U.S.C. 
6s(f)(1)(C). Sections 1.31 and 1.35 of the Commission's rules build 
on these statutory provisions by requiring registrants to keep full, 
complete, and systematic records, and to produce such records as 
required by any representative of the Commission. See 17 CFR 1.35; 
17 CFR 1.31. Records must be kept for at least five years, and must 
be ``readily accessible'' during the first two years. See 17 CFR 
1.31(a)(1). Records must be produced to the Commission in a form 
specified by any representative of the Commission, and production 
shall be made, at the expense of the person required to keep the 
book or record. See 17 CFR 1.31(a)(2).
    \87\ In addition to the statutory authority cited above under 
Sections 4g, 4n(3)(A), 4r(c), and 4s(f)(1)(C) of the Act, the 
Commission notes that Section 8a(5) of the Act provides additional 
authority for the proposed recordkeeping and inspection rules. 
Section 8a(5) authorizes the Commission to make and promulgate such 
rules and regulations as, in the judgment of the Commission, are 
reasonably necessary to effectuate any of the provisions or to 
accomplish any of the purposes of this Act. 7 U.S.C. 12a(5).
    \88\ See 17 CFR 1.31(a)(2).
---------------------------------------------------------------------------

    As a civil law enforcement agency, the Commission handles 
sensitive, proprietary and trade secret information under strict 
retention and use requirements.\89\ Further, cybersecurity and the 
protection of confidential information are a top priority for the 
Commission.\90\ The Commission receives confidential information on a 
daily basis in a variety of contexts, and takes its legal obligation to 
protect such information seriously. The Commission has significant data 
security measures in place to protect sensitive information from 
internal or external threats. In addition, all current and former CFTC 
employees are prohibited by 17 CFR 140.735-5 from disclosing 
confidential or non-public commercial, economic or official information 
to any unauthorized person, or releasing such information in advance of 
authorization for its release.
---------------------------------------------------------------------------

    \89\ See Section 8(a) of the Act, 7 U.S.C. 12(a) (providing that 
except as otherwise specifically authorized in the Act, the 
Commission may not publish data and information that would 
separately disclose the business transactions or market positions of 
any person and trade secrets or names of customers); Section 8(e) of 
the Act, 7 U.S.C. 12(e) (providing that the Commission shall not 
furnish any information to a foreign futures authority or to a 
department, central bank and ministries, or agency of a foreign 
government or political subdivision thereof unless the Commission is 
satisfied that the information will not be disclosed by such foreign 
futures authority, department, central bank and ministries, or 
agency except in connection with an adjudicatory action or 
proceeding brought under the laws of such foreign government or 
political subdivision to which such foreign government or political 
subdivision or any department, central bank and ministries, or 
agency thereof, or foreign futures authority, is a party); 17 CFR 
145.5 (providing that the Commission may decline to publish or make 
available to the public certain nonpublic records, including records 
specifically exempted from disclosure by statute, including data and 
information which would separately disclose the business 
transactions or market positions of any person and trade secrets or 
names of customers); see also 5 U.S.C. 552(b)(4) (providing 
exemption from FOIA for trade secrets and commercial or financial 
information obtained from a person and privileged or confidential).
    \90\ See System Safeguards Testing Requirements, Final Rule, 81 
FR 64272 (Sept. 19, 2016); System Safeguards Testing Requirements 
for Derivatives Clearing Organizations, Final Rule, 81 FR 64322 
(Sept. 19, 2016).
---------------------------------------------------------------------------

    In sum, this Supplemental NPRM and the Algorithmic Trading Source 
Code amendments proposed herein achieve four important goals. First, 
the Commission is clarifying its intent regarding Algorithmic Trading 
Source Code. The Commission's interest is in ensuring that Algorithmic 
Trading Source Code is preserved by AT Persons and that it be available 
for inspection by the Commission when needed to investigate, 
understand, and respond, for example, to significant market events, 
including market disruptions and failures of the price discovery 
process. The Commission does not seek routine access to Algorithmic 
Trading Source Code, nor is it requiring that Algorithmic Trading 
Source Code be provided to repositories maintained by the CFTC or a 
third party.
    Second, the Commission is proposing to codify in Supplemental 
proposed Sec.  1.84(b) that any access to Algorithmic Trading Source 
Code must be authorized by the Commission itself. Such access could be 
authorized via subpoena, in an investigatory proceeding pursuant to 
part 11 of the Commission's regulations, or via special call authorized 
by the Commission and executed by the Director of the Division of 
Market Oversight (``DMO'' or ``Division'') pursuant to Supplemental 
proposed Sec.  1.84(b). The Commission notes that the different methods 
of access to source code--subpoena or special call--depend on whether 
Commission staff is: (1) Formally investigating potential violations of 
law; or (2) carrying out its market oversight responsibilities. 
Subpoenas are typically issued in connection with enforcement 
investigations. The proposed special call authority and process is 
intended to require similar Commission approval, but to recognize, for 
example, the potential need for DMO to review source code, such as in 
association with unusual trading events or market disruptions. While 
some commenters recommended that the Commission rely on subpoenas for 
access to source code in all circumstances, the Commission believes it 
is important to distinguish investigatory proceedings from access to 
records by DMO in connection with market surveillance and related 
work.\91\ However, both the subpoena and the special call would require 
approval by the Commission itself.
---------------------------------------------------------------------------

    \91\ The Commission notes that it would continue to possess 
subpoena authority with respect to source code, as it does today.
---------------------------------------------------------------------------

    The Commission notes Supplemental proposed Sec.  1.84's emphasis on 
access to Algorithmic Trading Source Code and related files in support 
of the Commission's market and trade practice surveillance functions. 
In executing the special call, communications from DMO to the AT Person 
could specify further procedures undertaken by the Division to help 
ensure the security of records provided. For example, the Division 
could specify the means by which it will access Algorithmic Trading 
Source Code or other records required by the special call, including 
on-site inspection at the facilities of the AT Person; the provision of 
records to the Commission on secure storage media or on

[[Page 85348]]

computers lacking network connectivity; or the transfer of records to 
secure Commission systems with controlled access.
    Third, and building on public comments regarding additional 
information necessary for the Commission to understand the operation of 
Algorithmic Trading in regulated markets, the Commission is proposing 
in Supplemental proposed Sec.  1.84(a)(3) that AT Persons be required 
to keep records of log files generated in the ordinary course by their 
ATSs. Absent subpoena, access to such log files would also be limited 
to special call by the Commission. As with other regulatory records, 
both Algorithmic Trading Source Code and log files would be required to 
be maintained for a period of five years.\92\ Pursuant to Supplemental 
proposed Sec.  1.84(b)(2), AT Persons would be required to maintain 
records ``in a form and manner that ensures the authenticity and 
reliability of the information in such records,'' and would also be 
required to have available ``systems to promptly retrieve and display'' 
records required to be maintained under Supplemental proposed Sec.  
1.84.\93\
---------------------------------------------------------------------------

    \92\ See Supplemental proposed Sec.  1.84(a).
    \93\ In this regard, Supplemental proposed Sec.  1.84(b)(2) is 
modeled on existing Commission recordkeeping rules in Sec.  1.31, 
which also call for persons subject to recordkeeping to maintain 
capabilities by which the Commission can view required records.
---------------------------------------------------------------------------

    Finally, consistent with section 8(a) of the CEA, the Commission is 
emphasizing in Supplemental proposed Sec.  1.84(b)(3) that key 
confidentiality protections would apply to any records provided to the 
Commission pursuant to Sec.  1.84. The Commission notes that section 8 
of the Act and other Commission rules governing confidential 
information would apply to Algorithmic Trading Source Code and related 
files even in the absence of Supplemental proposed Sec.  
1.84(b)(3).\94\
---------------------------------------------------------------------------

    \94\ In this regard, Supplemental proposed Sec.  1.84(b)(3) is 
intended to emphasize the confidential nature of any Algorithmic 
Trading Source Code provided to the Commission. The protections of 
section 8 would apply even absent codification by the Commission in 
Supplemental proposed Sec.  1.84(b)(3). Section 8 provides, among 
other things, that except as otherwise specifically authorized the 
Commission may not publish data and information that would 
separately disclose the business transactions or market positions of 
any person and trade secrets or names of customers. See 7 U.S.C. 
8(a)(1).
---------------------------------------------------------------------------

B. NPRM Proposal and Comments

    The NPRM proposed that each AT Person maintain a ``source code 
repository'' to manage source code access, persistence, copies of all 
code used in the production environment, and changes to such code. The 
NPRM further required that such source code repository would include an 
audit trail of material changes to source code that would allow AT 
Persons to determine, for each such material change: Who made it; when 
they made it; and the coding purpose of the change. The NPRM also 
required that AT Persons maintain source code in accordance with Sec.  
1.31.
    Several commenters expressed support for the proposal that source 
code should be a required record under Commission rules.\95\ Better 
Markets called the source code provisions ``the most important and 
effective provision in the proposed rule'' and noted ``the clear and 
many benefits arising from the Commission's ability to perform post-
mortems after disruptive market events.'' \96\ Better Markets pointed 
out that ``it is crucial that regulators have access to HFT algorithm 
source code, rather than facing the impossible task of reconstructing 
manipulative algorithms from market data alone.'' \97\ Another 
commenter stated that if an algorithm or source code has caused, or has 
the potential to cause, damage to the U.S. financial markets, 
regulators have not only a right, but a duty to inspect source 
code.\98\ MFA supported a source code and audit trail record retention 
requirement, but objected to a source code ``repository.'' \99\ MFA 
stated that it understands the Commission's need ``to be able to obtain 
and review confidential, proprietary material that trading firms and 
other businesses maintain. We also understand the need for a 
preservation requirement that will ensure that the source code and any 
audit trails that are relevant to a given investigation be preserved 
and be made available to the Commission . . . when appropriate.'' \100\ 
MFA recommended that the Commission adopt a principles-based rule 
requiring that market participants adopt a mechanism to preserve source 
code, produce current and prior versions of such source code, and track 
material change to the source code.\101\ AIMA commented that it is 
``supportive of an obligation for AT Persons to maintain internal 
source code repositories.'' \102\
---------------------------------------------------------------------------

    \95\ AFR 3; Better Markets 2; Better Markets III 2-3; Shatto 1; 
Summers 1.
    \96\ Better Markets 2.
    \97\ Better Markets 2-3.
    \98\ Summers 1.
    \99\ MFA 3, 21.
    \100\ MFA 21.
    \101\ MFA III 3.
    \102\ AIMA III 4.
---------------------------------------------------------------------------

    Many commenters expressed concerns about the confidentiality of 
source code, and in particular making source code subject to Sec.  
1.31.\103\ Several stated that source code should only be available 
pursuant to a subpoena,\104\ which some described as a procedural 
safeguard.\105\ Others, such as FIA and Mercatus, noted the potential 
impracticality of certain requirements of Sec.  1.31 in the context of 
source code, such as duplicate storage, indexes of stored records, and 
the potential retention of a third-party technical consultant with 
access to the records.\106\
---------------------------------------------------------------------------

    \103\ MFA 29; ISDA 6; NASDAQ 2; Two Sigma 4; CCMR 5; FIA A-49, 
54; Mercatus 6.
    \104\ AIMA 10-11; AIMA III 5; Barnard 2; Citadel 2; FIA A-48; 
Hudson Trading 3; KCG III 4-5; ICE 7; ICE III 4; ISDA 6; MFA 23; MFA 
III 3; MGEX 24-25; MMI 5; Commercial Alliance 12; QIM 5; TraderServe 
1; TT 7; Two Sigma 4-5.
    \105\ Industry Group 6.
    \106\ FIA A-54; Mercatus 6.
---------------------------------------------------------------------------

    Numerous commenters described source code as valuable intellectual 
property and raised concerns about information security if source code 
were to be provided to regulators.\107\ Some raised the possibility 
that source code stored on government servers or government-mandated 
repositories could be vulnerable to cyberattack and other system 
breaches or misappropriation.\108\ Some commenters took the position 
that making source code subject to Sec.  1.31 would violate 
Constitutional protections.\109\
---------------------------------------------------------------------------

    \107\ Hudson Trading 1-2; IAA 10; ICE 7; ISDA 6; ITI 2, 4; MMI 
3; Commercial Alliance 12; Nadex 7; Two Sigma 2; Virtu 3; TT 4, 3 
n.2; QIM 2.
    \108\ LCHF 3; Mercatus 6; MFA 22, 24, 25; CTC 9-10; IAA 10; CCMR 
4-5; MMI 3-4; MMI III 2; Commercial Alliance 12; Chamber of Commerce 
III 2, 4-5; NIBA 2; QIM 5; TT 4; Two Sigma 2, 3, 6; Mercatus 6; AIMA 
10; FIA A-52; Bloomberg 2-3; Citadel 2; SIFMA 16.
    \109\ ITI 2; FIA A-46; MMI 4; MMI III 1-2; TT 4.
---------------------------------------------------------------------------

    Several commenters questioned the scope of the records to be 
retained as source code.\110\ MMI stated that ``source code'' should be 
defined to avoid confusion.\111\ FIA stated that ``it is not clear 
under Sec.  1.81(a)(vi) whether the referenced source code refers to 
Algorithmic Trading code only, or includes the code of `related 
systems' or separate `software' as well.'' \112\ One commenter even 
speculated that the rule might be broad enough to require Microsoft to 
permit inspection of the code underlying its Excel program if a trader 
developed an algorithm using an Excel spreadsheet.\113\
---------------------------------------------------------------------------

    \110\ FIA A-47; MMI 2; TT 3-4.
    \111\ MMI 2.
    \112\ FIA A-47.
    \113\ TT 4.
---------------------------------------------------------------------------

    Several commenters and Roundtable participants noted that a review 
of source code alone without additional context would be insufficient 
to identify the cause of a trading discrepancy.\114\

[[Page 85349]]

Several commenters also posited that source code would be 
unintelligible to regulators,\115\ or that the CFTC lacked the 
resources to understand it.\116\ Several participants at the Roundtable 
suggested that it may be necessary to review log files in order to gain 
further context regarding trading activity under review.\117\ 
Participants indicated that a review of log files might assist in 
identifying a trigger for specific trading behavior such as market 
data, a change in parameters, or a component of source code.\118\
---------------------------------------------------------------------------

    \114\ ITI 6; MMI 2; TT 5.
    \115\ Hudson Trading 1-2; MMI 2; TraderServe 2; ITI 6; MMI 2; TT 
5-6.
    \116\ ITI 5; Weaver 2.
    \117\ KCG Holdings II, Roundtable Tr. 263:2-13 (one of the first 
items to look at when addressing a trading discrepancy would be 
``log files to see was it a data issue, incoming data issue, was it 
something that was part of the algorithm, was it a control that 
misfired. You'd look at the log data to see if there's anything in 
there that would start to point you in a direction of where the 
issue might become. At that point in time you might bring in a 
developer to help walk through the code.''); TT II, Roundtable Tr. 
264:9-11 (noting that a developer would ``probably comb through log 
files'' to narrow down where a discrepancy occurred).
    \118\ Optiver II, Roundtable Tr. 267:18-268:21 (describing 
``looking in the log file . . . to figure out . . . the trigger for 
. . . [an] order,'' including whether it was ``human interaction, . 
. . market data, a ``change in parameters,'' or ``source code.'').
---------------------------------------------------------------------------

C. Substance of New Proposal

    Through this Supplemental NPRM, the Commission is proposing to 
replace NPRM Sec.  1.81(a)(1)(vi) with Supplemental proposed Sec.  
1.84, entitled ``Maintenance of records of Algorithmic Trading Source 
Code and related records.'' \119\ Supplemental proposed Sec.  1.84 
requires AT Persons to retain three categories of records for a period 
of five years: (1) Algorithmic Trading Source Code; (2) records that 
track changes to Algorithmic Trading Source Code; and (3) log files 
that record the activity of the AT Person's Algorithmic Trading 
system.\120\ These records would be required to be maintained in their 
native format. Supplemental proposed Sec.  1.84 does not require that 
records be generated; rather, it only requires the retention of such 
records to the extent they are generated by an AT Person (or by a 
third-party on behalf of the AT Person) in the ordinary course of their 
business. It also requires that these records be kept in a form and 
manner that ensures the authenticity and reliability of the information 
contained in the records, and that AT Persons have systems available to 
promptly retrieve and display the records.\121\
---------------------------------------------------------------------------

    \119\ The Commission notes that in addition to proposing new 
Sec.  1.84 (addressing Algorithmic Trading Source Code) and Sec.  
1.85 (addressing use of third party systems or components), it has 
made several changes to proposed Sec.  1.81. The Supplemental NPRM 
withdraws Sec. Sec.  1.81(a)(1)(v) and (vi). Provisions relating to 
documenting the strategy and design of Algorithmic Trading software 
and maintenance of Algorithmic Trading Source Code are now contained 
in Supplemental proposed Sec. Sec.  1.84 and 1.85.
    In addition, NPRM proposed Sec.  1.81(a)(1)(ii) required testing 
of all Algorithmic Trading code and any changes to such systems. 
This language has been modified so that it is consistent with the 
Commission's intent that the AT Person be required to test systems, 
not merely the source code related to such systems. The changes to 
the second sentence, resulting in the language in Supplemental 
proposed Sec.  1.81(a)(1)(ii) that such testing shall be reasonably 
designed to effectively identify circumstances that may contribute 
to future Algorithmic Trading Events, are intended to improve 
clarity. The Commission deleted the provision's final sentence, 
``Such testing must be conducted both internally within the AT 
Person and on each designated contract market on which Algorithmic 
Trading will occur.'' The Commission has also withdrawn 
corresponding NPRM proposed Sec.  40.21, which had required DCMs to 
provide test environments to AT Persons. Supplemental proposed Sec.  
1.81(a)(1)(ii) now provides discretion to the AT Person as to where 
testing should occur.
    \120\ Commenters at the Roundtable recognized that in order to 
assess a trading discrepancy they would need to review their own log 
files and potentially the source code for their trading algorithms. 
KCG II, Roundtable Tr. 262:17-263:10; 267:18-268:21; TT II, 
Roundtable Tr. 264:3-20.
    \121\ The Commission notes that Supplemental proposed Sec.  
1.84's requirement that records be maintained in their ``native 
format'' is distinct from the proposed requirement that such records 
be maintained in a manner that ensures the ``authenticity and 
reliability'' of information contained in such records. The 
retention of a record in ``native format'' equates to a requirement 
that such record be retained in the same format as it was originally 
created. Authenticity and reliability, in contrast, address the 
accuracy of a record as genuine, unchanged iteration of the 
original.
---------------------------------------------------------------------------

    Algorithmic Trading Source Code is defined broadly in Supplemental 
proposed Sec.  1.3(ccccc), and is intended to capture the various types 
of code and related components used in connection with Algorithmic 
Trading. It includes computer code, hardware description language, 
scripts and formulas, as well as the configuration files and parameters 
used to carry out the trading.\122\ The term Algorithmic Trading Source 
Code should be construed broadly to encompass field-programmable gate 
array (``FPGA'') technology including the logic built onto chips or 
embedded in electronic circuits. Logic embedded in electronic circuits 
is sometimes referred to as ``hardware description language (``HDL''). 
On the other hand, Algorithmic Trading Source Code does not include the 
underlying code to a program used to develop a formula or algorithm 
(i.e., Microsoft Excel).
---------------------------------------------------------------------------

    \122\ Parameters include settings or variables that are relied 
on by an algorithm to make determinations in a system's Algorithmic 
Trading. For example, parameters may include settings or variables 
impacting order type, order quantity, order price, order side, 
position size, number of orders, and duration of orders.
---------------------------------------------------------------------------

    The Commission recognizes the confidentiality and value of 
Algorithmic Trading Source Code. Accordingly, the Commission has 
endeavored in this Supplemental NPRM to enhance the procedural 
protections afforded to Algorithmic Trading Source Code in the rule 
text and to expressly reference the statutory and regulatory provisions 
that protect all confidential information to which the Commission has 
access. As a threshold matter, the Commission emphasizes that 
Supplemental proposed Sec.  1.84 makes Algorithmic Trading Source Code, 
change logs, and log files subject to recordkeeping requirements that 
are separate from the general recordkeeping provisions under Sec.  1.31 
of the Commission's rules. Supplemental proposed Sec.  1.84 also makes 
clear that these records are subject to section 8(a) of the Act.\123\ 
Section 8(a) prohibits the release of data or information that would 
disclose business transactions or market positions of any person and 
trade secrets or names of customers, and any data or information 
concerning or obtained in connection with any pending investigation of 
any person. Separately, confidential information received by Commission 
employees is also subject to Sec.  140.735-5 of the Commission's rules, 
which prohibits a Commission employee or former employee from 
disclosing, or causing or allowing to be disclosed, confidential or 
non-public commercial, economic or official information to any 
unauthorized person.\124\ The Commission also notes that Section 1905 
of Title 18 specifically prohibits the disclosure of confidential 
information, including trade secrets, by all officers or employees of 
the United States and any department or agency thereof, including the 
CFTC. Violations of this statutory provision carry significant 
penalties, including fines, loss of employment, and imprisonment.\125\ 
Commission staff are

[[Page 85350]]

annually trained on the prohibitions against disclosing confidential or 
non-public commercial, economic or official information, and 
specifically are provided with post-employment guidance regarding these 
prohibitions, in addition to other applicable ethics restrictions, 
prior to their departure from the Commission.
---------------------------------------------------------------------------

    \123\ Section 8(a) of the Act, 7 U.S.C. 12(a).
    \124\ 17 CFR 140.735-5.
    \125\ See 18 U.S.C. 1905, which provides that whoever, being an 
officer or employee of the United States or of any department or 
agency thereof, publishes, divulges, discloses, or makes known in 
any manner or to any extent not authorized by law any information 
coming to him in the course of his employment or official duties or 
by reason of any examination or investigation made by, or return, 
report or record made to or filed with, such department or agency or 
officer or employee thereof, which information concerns or relates 
to the trade secrets, processes, operations, style of work, or 
apparatus, or to the identity, confidential statistical data, amount 
or source of any income, profits, losses, or expenditures of any 
person, firm, partnership, corporation, or association; or permits 
any income return or copy thereof or any book containing any 
abstract or particulars thereof to be seen or examined by any person 
except as provided by law; shall be fined under Title 18 of the 
United States Code, or imprisoned not more than one year, or both; 
and shall be removed from office or employment.
---------------------------------------------------------------------------

    Supplemental proposed Sec.  1.84 sets out a procedure for requests 
for production or inspection of these records that requires Commission 
approval by means of a special call for the records. The Commission 
would also retain its existing authority to seek access to such records 
through a subpoena, which would typically be used in an enforcement 
matter. If the Commission approves a special call, it may authorize the 
Director of the Division of Market Oversight to execute the special 
call, and may also authorize the Director to specify the form and 
manner in which the required records must be produced. The Commission 
notes that Supplemental proposed Sec.  1.84 does not alter any aspect 
of part 11 of the Commission's rules relating to investigations. For 
clarity, Supplemental proposed Sec.  1.84 provides that the records 
required by the section must also be available by subpoena issued 
pursuant to part 11 of the Commission's regulations.
    Supplemental proposed Sec.  1.84(a)(2) requires that AT Persons 
retain records tracking material changes to Algorithmic Trading Source 
Code, including a record of when and by whom such changes were made, 
when such records are generated in the ordinary course of business. The 
Commission notes that this new proposed rule does not require that such 
records be generated, but does require that they be maintained if they 
are generated in the ordinary course of business.
    Supplemental proposed Sec.  1.84(a)(3) requires that AT Persons 
retain any logs or log files generated by the AT Person in the ordinary 
course of business that record the activity of the AT Person's ATS, 
including a chronological record of such system's actions. As noted 
above, this provision was added to address the concerns of some 
commenters that source code alone is insufficient to review trading 
activity of an AT Person, and the suggestion that log files may provide 
important context to a review of source code. The new proposal does not 
mandate the retention of specific log files or even the form or 
specific content of log files. The new proposal simply requires that 
log files be retained to the extent such files are generated in the 
ordinary course of business. The Commission recognizes that various 
exchanges require persons with direct access to maintain audit trails 
with detailed information about trading activity.\126\ The Commission 
expects that log files will contain a similar level of detail and in 
some cases a greater level of detail than the electronic audit trails 
required by these exchanges. To the extent log files are generated, 
they must be maintained in a form and manner that ensures the 
authenticity and reliability of the information contained in the 
records. In addition, AT Persons must have systems available to 
promptly retrieve and display these records to the Commission in the 
event of a special call.
---------------------------------------------------------------------------

    \126\ For example, ICE Futures U.S. Rule 27.12A requires certain 
clearing members and direct access members to maintain electronic 
audit trials of electronic orders submitted through direct access 
connections. CME Rule 536.B.2. also requires an electronic audit 
trail for systems accessing the CME Globex platform through the CME 
iLink gateway. Both CME and ICE require the retention of these 
electronic audit trails for five years.
---------------------------------------------------------------------------

D. Commission Questions

    15. Please comment on whether, through Supplemental proposed Sec.  
1.84, the Commission has appropriately balanced its responsibility to 
oversee markets and market participants with the privacy and 
confidentiality concerns that market participants have raised with 
respect to access to Algorithmic Trading Source Code.
    16. Please comment on the Commission's determination to obtain 
access to Algorithmic Trading Source Code via special call, rather than 
have such access be governed by Sec.  1.31.
    17. Is the definition of ``Algorithmic Trading Source Code'' 
sufficiently clear to allow AT Persons to comply with the recordkeeping 
requirements in Supplemental proposed Sec.  1.84? Which, if any, 
components of Algorithmic Trading systems should be added to the 
definition of Algorithmic Trading Source Code? Which, if any, should be 
excluded?
    18. Are log files described in sufficient detail in the 
Supplemental NPRM? Please explain why or why not.
    19. The NPRM's Question 131 (NPRM at 78913) sought comment on NPRM 
proposed Sec.  1.81(a)'s standards for the development and testing of 
Algorithmic Trading systems and procedures, including requirements for 
AT Persons to test all Algorithmic Trading code and related systems and 
any changes to such code and systems prior to their implementation. The 
Commission renews that question here as to Supplemental proposed Sec.  
1.84(a). Are any of the requirements of Supplemental proposed Sec.  
1.84(a) not already followed by the majority of market participants 
that would be subject to Sec.  1.84(a) (or some particular segment of 
market participants), and if so, how much will it cost for a market 
participant to comply with such requirement(s).
    20. If a firm uses FPGA or a similar technology, how would it 
record the design of the programming?
    21. How do firms store or record configurations and parameters that 
impact their trading system? For example, are these components stored 
or recorded in their Algorithmic Trading Source Code or log files?
    22. If a firm uses a chip or FPGA as a part of its ATS, how does it 
describe the records?

V. Testing, Monitoring and Recordkeeping Requirements in the Context of 
Third-Party Providers

A. Overview and Policy Rationale for New Proposal

    Regulation AT, as proposed in the NPRM, required AT Persons to 
comply with a number of standards regarding pre-trade risk controls and 
other measures; the development, testing and supervision of ATSs; and 
the retention and potential production of source code. In order to be 
effective, Regulation AT should be uniformly applied across the breadth 
of business arrangements that AT Persons may elect to pursue. As 
detailed below, commenters to the NPRM's proposed rules noted that AT 
Persons whose ATSs are sourced in whole or in part from third parties 
face challenges in complying with certain elements of NPRM proposed 
Sec. Sec.  1.80 and 1.81. The Commission has considered these comments 
and is sensitive to the concerns raised. However, the use of third-
party systems should not exempt market participants from compliance 
with regulatory standards designed to increase the safety and soundness 
of Algorithmic Trading. The rules set forth in Supplemental proposed 
Sec.  1.85 seek to strike an appropriate balance by permitting AT 
Persons to comply with certain elements of Sec. Sec.  1.81 and 1.84 
through a combination of certifications from their service providers, 
due diligence by the AT Persons and, in most cases,\127\ a retention of 
legal

[[Page 85351]]

responsibility for compliance with the rules by the AT Person.\128\
---------------------------------------------------------------------------

    \127\ As discussed below, Supplemental proposed Sec.  1.85(d) 
requires that an AT Person is responsible for ensuring that records 
are retained and produced as required pursuant to Supplemental 
proposed Sec.  1.84. A certification and due diligence alone will 
not satisfy an AT Person's obligation to ensure that Algorithmic 
Trading Source Code is retained as required by Supplemental proposed 
Sec.  1.84.
    \128\ In the context of the Securities and Exchange Commission's 
(``SEC'') Market Access Rule, 75 FR 69792 (Nov. 15, 2010), the SEC 
allows a broker-dealer relying on third-party technology or software 
to perform appropriate due diligence to assure that its controls and 
procedures are consistent with the rule. See SEC, Responses to 
Frequently Asked Questions Concerning Risk Management Controls for 
Brokers and Dealers with Market Access (Apr. 15, 2014) (Question 
14), available at https://www.sec.gov/divisions/marketreg/faq-15c-5-risk-management-controls-bd.htm.
---------------------------------------------------------------------------

B. NPRM Proposal and Comments

    NPRM proposed Sec.  1.81(a) required AT Persons to implement 
written policies and procedures for the development and testing of 
ATSs. Among other things, such policies and procedures must at a 
minimum include documenting the strategy and design of proprietary 
Algorithmic Trading software, as well as any changes to software that 
are implemented in a production environment, pursuant to NPRM proposed 
Sec.  1.81(a)(v). NPRM proposed Sec.  1.81(a)(vi) required an AT Person 
to maintain a source code repository, which included an audit trail of 
material changes to source code that would allow AT Persons to 
determine, for each such material change: Who made it; when they made 
it; and the coding purpose of the change. The source code was also 
required to be maintained in accordance with Sec.  1.31.
    Comments received. Several commenters noted that AT Persons using 
third-party systems licensed or purchased from vendors or DCMs do not 
have access to the systems' algorithmic code, and therefore would be 
unable to comply with the source code provisions.\129\ IAA identified 
this as an issue for registered CPOs and CTAs using an ISV's or other 
third-party's system,\130\ SIFMA identified it as an issue for asset 
managers,\131\ and AIMA identified it as an issue for buy-side 
participants. AIMA stated that requiring access and disclosure of 
third-party code, particularly best-execution algorithms, as provided 
in the NPRM, would cause third parties to stop providing software 
services to AT Persons.\132\ The Commercial Alliance also confirmed 
that the vast majority of its members use third-party source code 
provided by ISVs or DCMs.\133\ TT commented that the testing 
requirements under NPRM proposed Sec.  1.81(a) should focus on the 
output of an ATS or software, rather than the underlying source 
code.\134\
---------------------------------------------------------------------------

    \129\ FIA A-53; ISDA 5; CME 38; AIMA 11; AIMA III 5-6; IAA 11; 
Commercial Alliance 12; SIFMA 15; TT III 2.
    \130\ IAA 11.
    \131\ SIFMA 15.
    \132\ AIMA 11.
    \133\ Commercial Alliance 12.
    \134\ TT III 1.
---------------------------------------------------------------------------

    At the Roundtable, Commission staff asked for industry comment 
regarding how such issues involving third-party providers should be 
addressed. Generally, industry participants stated that AT Persons 
lacked access to source code of third parties.\135\ Tethys commented 
that AT Persons exhibit a range of control over source code; \136\ 
while some AT Persons may write their own code, others use off-the-
shelf third-party software, and others may add additional controls to 
third-party software as necessary.\137\ TT stated that as a third-party 
provider, it did not provide its customers with access to its source 
code.\138\
---------------------------------------------------------------------------

    \135\ Tethys II, Roundtable Tr. 236:2-14; TT II, Roundtable Tr. 
216:22-217:1-3, 250:9-13; ABN AMRO, Roundtable Tr. 249:4-10.
    \136\ Tethys II, Roundtable Tr. 236:2-14.
    \137\ Tethys II, Roundtable Tr. 236:2-14.
    \138\ TT II, Roundtable Tr. 216:22-217:1-3.
---------------------------------------------------------------------------

    Commission staff also asked for comment at the Roundtable on a 
potential approach where AT Persons would obtain certifications from 
third parties regarding development requirements and would conduct due 
diligence. TT said that because it provides customers with the 
opportunities to test algorithms built using its software,\139\ it 
would be unnecessary and burdensome to require AT Persons to obtain 
certifications from third-party providers.\140\ AQR, Tethys, and TT 
argued that it would be difficult to fairly impose a certification 
requirement.\141\ ABN AMRO and Tethys commented that AT Persons may not 
have the necessary expertise to perform extensive due diligence 
regarding software code.\142\ ABN AMRO said that customers would not 
want to have access to source code.\143\ In addition, TT stated that 
the Commission can understand how technology functions without seeing 
source code.\144\
---------------------------------------------------------------------------

    \139\ TT II, Roundtable Tr. 237:17-238:6.
    \140\ TT II, Roundtable Tr. 238:7-239:3.
    \141\ AQR, Roundtable Tr. 240: 15-2, 242:17-243:19; Tethys II, 
Roundtable Tr. 240:4-14; TT II, Roundtable Tr. 239:4-15.
    \142\ ABN AMRO, Roundtable Tr. 245:12-246:14; Tethys II, 
Roundtable Tr. 247:18-249:3.
    \143\ ABN AMRO, Roundtable Tr. 249:4-10.
    \144\ See TT II, Roundtable Tr. 250:14-252:7; TT III 2-3.
---------------------------------------------------------------------------

C. Substance of New Proposal

    The NPRM comments discussed above cite potential compliance 
challenges when AT Persons obtain their ATSs, in whole or in part, from 
third-party providers. Accordingly, this Supplemental NPRM proposes an 
alternative framework for AT Persons to comply with their obligations 
related to the development and testing of ATSs, and for the retention 
and production of Algorithmic Trading Source Code and related records.
    Specifically, Supplemental proposed Sec.  1.85 allows AT Persons 
who, due solely to their use of third-party system or components, are 
unable to comply with a particular development or testing requirement 
(NPRM proposed Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(iii), 
1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.  
1.81(a)(1)(ii) or 1.84) \145\ or a particular maintenance or production 
requirement related to Algorithmic Trading Source Code and related 
records (Supplemental proposed Sec.  1.84), to comply with such 
proposed regulatory obligations by satisfying two requirements: (i) 
Obtaining a certification that the third party is complying with the 
obligation; and (ii) conducting due diligence regarding the accuracy of 
the certification.\146\ While obtaining such certifications and 
conducting due diligence as to their accuracy may still be challenging 
for some AT Persons, the Commission has determined that such 
requirements, at this stage, appear more practical compared to the 
NPRM's proposal that AT Persons themselves comply with all NPRM Sec.  
1.81 requirements. The Commission believes that the certification and 
due diligence requirements present a workable alternative that will 
ensure that all AT Persons--regardless of whether they develop their 
own ATSs, or use the systems of a third party--are subject to the same 
standards.
---------------------------------------------------------------------------

    \145\ These subsections were also proposed in the NPRM, although 
this Supplemental NPRM proposes several changes to the text of Sec.  
1.81(a)(1)(ii).
    \146\ The Supplemental NPRM provides flexibility and does not 
set forth the means by which due diligence must be conducted. The 
Commission expects that due diligence may take a variety of forms, 
all of which can potentially be effective in helping AT Persons 
fulfill their regulatory obligations pursuant to Supplemental 
proposed Sec.  1.85. Due diligence may include, for example, a 
combination of (1) information gathering, including with respect to 
prevailing best practices and a third party's own practices; (2) on-
site inspection; (3) communications between the AT Person and its 
third-party provider, including in writing, in person, via email, 
and telephone or video; and (4) review and evaluation of files, 
documents, and other information gathered. The Commission offers 
this list by way of example only, and notes that each AT Person 
should arrive at its own determination regarding an appropriate due 
diligence process. The Commission encourages each AT Person making 
use of Supplemental proposed Sec.  1.85 to perform such diligence as 
is necessary for the AT Person to have comfort that the underlying 
substantive regulatory requirements are being met.

---------------------------------------------------------------------------

[[Page 85352]]

    Supplemental proposed Sec.  1.85(d) requires that, in all cases, an 
AT Person is responsible for ensuring that records are retained and 
produced as required pursuant to Supplemental proposed Sec.  1.84.\147\ 
In other words, an AT Person's certification and due diligence will 
establish that it has complied with testing obligations pursuant to 
NPRM proposed Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(iii), 
1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec.  
1.81(a)(1)(ii), but certification and due diligence alone will not 
satisfy an AT Person's obligation to ensure that Algorithmic Trading 
Source Code is retained and produced as required by Supplemental 
proposed Sec.  1.84. Even where an AT Person obtains a certification 
and conducts due diligence with respect to a third party's obligations, 
the AT Person will remain responsible for ensuring that Algorithmic 
Trading Source Code retention and production requirements are met. For 
example, if the Commission were to issue a special call or a subpoena 
to an AT Person for the production of Algorithmic Trading Source Code 
maintained by a third party, the AT Person would be responsible for 
complying with the Commission request, regardless of the certification 
or the due diligence performed by the AT Person. Such compliance could 
be achieved by making sure that the third party produced the required 
records, but a failure by the third party to produce such records would 
not relieve the AT Person of its own obligations.
---------------------------------------------------------------------------

    \147\ The proposed rules do not require that the certifications 
be filed with the Commission. However, the certifications would be 
subject to Sec.  1.31 recordkeeping requirements.
---------------------------------------------------------------------------

    Pursuant to the Commission's Supplemental proposal, AT Persons may 
not rely on Sec.  1.85 for any element of Sec. Sec.  1.81(a)(1) and 
1.84 with which they have the ability to comply. For example, an AT 
Person who uses a combination of third-party and internally developed 
ATS components would be expected to comply with NPRM proposed 
Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), 
and Supplemental proposed Sec. Sec.  1.81(a)(1)(ii) and 1.84 for all 
such components that the AT Person itself develops or modifies. The 
Commission also notes that Supplemental proposed Sec.  1.85 provides an 
alternative means of compliance in circumstances where the use of a 
third-party system or component is the sole reason why an AT Person 
cannot otherwise comply with its obligations. Although an AT Person may 
be motivated to make use of Supplemental proposed Sec.  1.85 for 
reasons of potential costs or administrative ease, such considerations 
are not permissible rationales for use of Supplemental proposed Sec.  
1.85.
    In many cases, the Commission expects that AT Persons and third 
parties will each have developed different portions of an ATS. If an AT 
Person develops an algorithm using third-party software, the AT Person 
would remain responsible for development and testing requirements with 
respect to the algorithm, and for the retention and production of 
Algorithmic Trading Source Code and related records requirements for 
that algorithm. Further, whether a third-party certification is 
appropriate under Supplemental proposed Sec.  1.85 may depend on the 
amount of control the AT Person has over the development of algorithms 
it employs. If the AT Person, for example, has a limited ability to 
affect or modify an algorithm, then the Commission expects that the AT 
Person would comply with NPRM proposed Sec. Sec.  1.81(a)(1)(i), 
1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), and Supplemental proposed 
Sec. Sec.  1.81(a)(1)(ii) and 1.84 by obtaining a certification and 
conducting due diligence pursuant to Supplemental proposed Sec.  1.85. 
However, the Commission notes that as to Supplemental proposed Sec.  
1.84 requirements, the AT Person remains responsible for compliance 
with Algorithmic Trading Source Code retention and production 
requirements are met.
    The Commission expects that the certifications required by 
Supplemental proposed Sec.  1.85 would, at a minimum, list the specific 
regulatory obligations that the third party is certifying compliance 
with, describe the component of the ATS at issue (or the whole system, 
if applicable), and explain how such component or system complies with 
the regulatory obligation. The Commission recognizes that some system 
components may be standard products offered to multiple customer 
trading firms, and others may be custom-designed for one customer 
trading firm. With respect to standard products, the third party's 
certification may take the same form for multiple customers.
    Supplemental proposed Sec.  1.85(b) requires that the AT Person 
must obtain a certification each time there has been a material change 
to such third-party provided systems or components. Accordingly, there 
is no specific periodic deadline for certification; rather, the third 
party must only re-certify when there has been a material change. The 
Commission intends that the due diligence requirement imposed by 
Supplemental proposed Sec.  1.85(c) includes an obligation on AT 
Persons to determine whether a material change to third-party provided 
systems or components has occurred.
    The Commission understands that AT Persons who use third-party 
system components or Algorithmic Trading Source Code may not have the 
same level of development and testing expertise as third-party 
providers who routinely develop such systems or code. Accordingly, the 
due diligence required to be performed by the AT Person under 
Supplemental proposed Sec.  1.85(c) is limited to the accuracy of the 
certification. Due diligence may require the involvement of technology 
support staff from the AT Person, but detailed technical audits are not 
required on behalf of the AT Person with respect to Supplemental 
proposed Sec.  1.85(c).

D. Commission Questions

    23. The Commission invites comment on all aspects of Supplemental 
proposed Sec.  1.85.
    24. Should the requirements for AT Persons who develop their own 
systems and code differ from requirements imposed on AT Persons that 
use systems or components provided by a third party? If so, how should 
the requirements be different, while continuing to ensure a consistent 
baseline of effectiveness in the development and testing of ATSs?
    25. What specific steps should AT Persons take when conducting due 
diligence of the accuracy of a certification from a third party, as 
required by Supplemental proposed Sec.  1.85? Should proposed Sec.  
1.85(c) provide greater detail with respect to such due diligence? For 
example, should due diligence be required to specifically include 
review of technical design information, testing protocols and test 
results, documented dialogue between staff of the AT Person and the 
third party, or other measures?
    26. Supplemental proposed Sec.  1.85(b) requires that the AT Person 
must obtain a certification each time there has been a material change 
to third-party provided systems or components. What is a reasonable 
estimate as to the average frequency of such material changes? Should 
the Commission base the certification requirement on another timing 
metric?

[[Page 85353]]

VI. Changes to Overall Risk Control Framework

A. Change From Three Level to Two Level Risk Control Framework

1. Overview and Policy Rationale for Proposal
    In the NPRM, the Commission sought to take a principles-based 
approach to addressing the potential risks associated with Algorithmic 
Trading.\148\ NPRM proposed Sec. Sec.  1.80, 1.82, 38.255 and 40.20 
imposed pre-trade risk control and other requirements, such as order 
cancellation systems, at three points in the order submission and 
execution chain: AT Persons, FCMs and DCMs. The NPRM approach proposed 
to allow the relevant entity--AT Person, FCM, or DCM--discretion in the 
design and parameters of such controls. In general, while some 
commenters supported the multi-layered approach described above, 
numerous commenters viewed the framework as unnecessarily redundant and 
prescriptive. Accordingly, the Commission in this Supplemental NPRM 
proposes a risk control framework with controls at two, rather than 
three, levels: (i) AT Person or FCM; and (ii) DCM. The Commission 
believes that this structure still achieves the goal of protecting 
market integrity, while simultaneously reducing the complexity of the 
risk controls and overall costs of compliance.
---------------------------------------------------------------------------

    \148\ See NPRM at 78837-78839.
---------------------------------------------------------------------------

    By requiring two levels of risk controls, mistakes or omissions 
made at one level will have a backstop, potentially mitigating the 
possibility of a trading disruption. Because the unexpected or 
disruptive behavior of an algorithm would affect other market 
participants at the DCM level, thus leading to potential system risk, 
the Commission is requiring DCM controls for all electronic orders, 
regardless of source. The second set of controls may be implemented at 
either the AT Person or the FCM level, depending on whether an order is 
originated by AT Person or non-AT Person market participant. In 
addition, under specific circumstances, AT Persons will have discretion 
to delegate certain of their pre-trade risk control functions to an 
FCM, if they so choose. The Supplemental proposed rules continue to 
provide discretion in how entities design and calibrate the controls. 
Further, as discussed below, the Commission has revised the rules to 
allow greater flexibility for AT Persons, FCMs and DCMs to determine 
the level of granularity at which controls are set.
2. NPRM Proposal and Comments
    As discussed above, NPRM proposed Sec. Sec.  1.80, 1.82, 38.255 and 
40.20 imposed risk control and similar requirements, such as order 
cancellation systems, at three levels: the AT Person, FCM and DCM.
    Comments Received. The Commission received numerous comments on the 
proposed risk control structure during the Initial Comment Period, the 
Second Comment Period, and at the Roundtable. As discussed in more 
detail below, some commenters during the Second Comment Period and at 
the Roundtable suggested a two-level structure instead of the three 
level structure proposed in the NPRM. For example, the Industry Group 
suggested a framework in which responsibility for implementing 
appropriate pre-trade risk controls lies either (i) with the FCM 
registrant that is facilitating access to the DCM, or (ii) in the case 
of a market participant that is not trading through the risk controls 
of an FCM, with that participant. Industry Group further stated that in 
both cases, the pre-trade risk controls must be supplemented by DCM-
provided risk controls configured by the member of the DCO that grants 
access to the DCM.\149\ CME suggested a similar approach, commenting 
that: ``Two layers of market risk controls would apply to all 
Algorithmic Trading orders. The first layer would be administered by 
either an AT Person or the gatekeeper clearing member, and could be 
developed internally or obtained from an independent third-party source 
(such as the DCM or a software provider). The second layer would be 
developed and administered by the DCM.'' \150\ The framework proposed 
in this Supplemental NPRM involves a similar two-level approach, which 
is intended to address the complexity and cost concerns expressed by 
Industry Group, CME and other commenters.
---------------------------------------------------------------------------

    \149\ Industry Group 8.
    \150\ CME III 9-10.
---------------------------------------------------------------------------

    Further, some commenters supported expanding risk controls 
requirements to all electronic orders, rather than applying controls to 
only algorithmic trading orders. For example, the Industry Group stated 
that ``all electronic trading must be subject to pre-trade and other 
risk controls administered by a CFTC registrant that are appropriate to 
the nature of the activity.'' \151\ ICE stated that ``all market 
participants that engage in electronic trading on a DCM should maintain 
. . . risk controls, regardless of how market participants access a DCM 
or whether the market participants engage in algorithmic trading.'' 
\152\ The Commission has addressed such comments by expanding the scope 
of the risk control requirements to include Electronic Trading. Further 
detail on the addition of Electronic Trading to Regulation AT's risk 
control framework is discussed below in Section VI(B), and discussion 
of the relevant new definitions related to such changes is provided in 
Section VI(C).
---------------------------------------------------------------------------

    \151\ Industry Group 8.
    \152\ ICE III 2.
---------------------------------------------------------------------------

    Numerous commenters opposed the NPRM's proposed three-level 
approach to risk controls or otherwise characterized it as a ``one size 
fits all'' model. Specifically, FIA, CME, ICE, MFA, Nadex, NIBA, SIFMA 
and Mercatus indicated that the multiple layers of risk controls across 
the market--at the AT Person, clearing member FCM, and DCM levels--are 
too prescriptive, duplicative, costly and inefficient.\153\ FIA, CME, 
OneChicago, LCHF and QIM commented that Regulation AT's required 
duplication of risk controls across the lifecycle of a trade actually 
introduces risk.\154\ CME, MFA, SIFMA and NIBA characterized the 
proposed rules as a ``one size fits all'' model that doesn't 
appropriately take into account the different types of automated 
systems, business, or operational size of market participants.\155\ FIA 
did not support requiring every market participant to implement its own 
risk controls; rather, such controls could be provided by FCMs or 
DCMs.\156\
---------------------------------------------------------------------------

    \153\ FIA 5; CME 6, A-14; ICE 8; Mercatus 4-5; MFA 4-5; Nadex 3; 
SIFMA 20; NIBA 1.
    \154\ FIA 7, A-25; CME A-11; OneChicago 3; LCHF 2-3; QIM 2.
    \155\ CME A-11; MFA 2, 4; SIFMA 20; NIBA 1.
    \156\ FIA 4, A-24.
---------------------------------------------------------------------------

    In contrast, other commenters supported the multi-layered approach 
(either fully or with reservations that the approach could create some 
risks), or supported more centralized controls at the FCM and DCM 
levels. Specifically, IATP supported a multi-layered approach to risk 
controls and believed it will mitigate the risks of algorithmic 
trading.\157\ In addition, AIMA supported the principle that risk 
controls are to be maintained at three levels--the exchange, the 
clearing member and the trading firm.\158\ LCHF also recommended a 
three-level structure for risk controls.\159\ Virtu generally

[[Page 85354]]

supported a multi-layered approach to risk controls as well, but warned 
of potential risks if the multiple controls are applied or calibrated 
independently, since market participants may not be able to predict 
which orders will reach the order book and which may be screened by a 
``downstream'' risk layer.\160\ Similarly, MFA and LCHF acknowledged 
that multiple risk filters across different entities may reduce the 
probability that a wrong message reaches the market, but stated that 
such redundancy may be inefficient or increase complexity and possible 
errors if the risk parameters are not coordinated properly.\161\
---------------------------------------------------------------------------

    \157\ IATP 7.
    \158\ AIMA 7.
    \159\ LCHF 2-3. LCHF recommended a structure with risk controls 
at (1) the trading participant level, requiring all the proposed 
Sec.  1.80 controls, which should be adopted at the most granular 
level and tailored to the particular trading technology used by the 
market participant; (2) the FCM/broker level, requiring order size, 
position and margin controls; and (3) the DCM level, continuing the 
adoption of existing controls, such as kill switch or self-trade 
prevention, with no further risk filter imposed on market 
participants.
    \160\ Virtu 2.
    \161\ MFA 5-6; LCHF 2-3.
---------------------------------------------------------------------------

    Several commenters supported centralizing controls at the DCM and 
FCM levels. AIMA stated that DCMs should play a central role in 
maintaining risk controls internally and through mandates upon their 
FCMs, and believed that DCMs and FCMs should have the principal 
obligations to protect the stability of DCM markets.\162\ Similarly, 
MFA commented that the Commission should require centralized pre-trade 
risk controls at DCMs and clearing member FCMs, and that the proposed 
Sec.  1.80 risk controls should be applied at the DCM level and the 
clearing member FCM level.\163\ MFA indicated that this would ensure 
that all orders go through the same set of controls.\164\ MFA further 
commented that the general infrastructure for such a centralized 
approach already exists, given that DCMs provide clearing FCMs with 
controls to manage risk with respect to clients, and that this 
structure would be more transparent and easier for regulators to 
oversee and enforce.\165\
---------------------------------------------------------------------------

    \162\ AIMA 2, 7, 12.
    \163\ MFA 2, 5-6, 10.
    \164\ MFA 2, 5-6, 10.
    \165\ MFA 2, 5-6, 10.
---------------------------------------------------------------------------

    During the Second Comment Period, the Commission received 
additional comments on the proposed risk control structure. The 
Industry Group proposed the following two-level structure. Rather than 
defining ``AT Person,'' the Commission should require pre-trade risk 
controls on all electronic orders. Orders from market participants 
leveraging FCM-administered systems, including those provided by third 
parties, may use pre-trade risk controls administered by the FCM.\166\ 
Market participants not using FCM-administered risk controls must apply 
risk controls to their own orders.\167\ In both cases, the pre-trade 
risk controls must be supplemented by DCM-provided risk controls 
configured by the member of the DCO that grants access to the DCM.\168\
---------------------------------------------------------------------------

    \166\ Industry Group 4-5.
    \167\ Industry Group 5.
    \168\ Industry Group 8.
---------------------------------------------------------------------------

    CME suggested a similar two-layer approach for all Algorithmic 
Trading orders, commenting that the first layer ``would be administered 
by either an AT Person or the gatekeeper clearing member'' and the 
second layer ``would be developed and administered by the DCM.'' \169\ 
MFA also commented that it supports risk controls at both the DCM and 
the FCM providing trading access.\170\ MFA also supported ``a 
regulatory framework where a market participant could choose to 
implement the Commission's required marketplace risk controls in lieu 
of going through an FCM's risk controls, and be subject to Commission 
oversight.'' \171\
---------------------------------------------------------------------------

    \169\ CME III 9-10.
    \170\ MFA III 2.
    \171\ MFA III 2.
---------------------------------------------------------------------------

    AIMA commented that the principal role in application of risk 
controls should be played by the DCMs--as the owners of the relevant 
markets--and FCMs--as the gatekeepers to the relevant markets.\172\ 
AIMA stated that ``both parties are best placed to understand and 
enforce the relevant controls and testing obligations.'' \173\ 
Sutherland commented that as an alternative to the NPRM's proposed 
framework, DCMs under Part 38 core principles should establish and 
oversee pre-trade risk and other control requirements applicable to AT 
Persons. Sutherland stated that DCMs have the expertise and are best 
positioned to implement and enforce the use of controls to mitigate 
risks on their markets.\174\ Hartree also emphasized the importance of 
DCMs in implementing risk controls, stating that ``DCMs are very well 
suited to not only police these markets, but also to . . . administer 
CFTC's rules and regulations as SROs.'' \175\ Hartree suggested a 
framework in which AT Persons are divided into three categories based 
on the risk they pose to the market: Category 1 Risk (very little risk, 
including persons who do not use DEA or who use FCMs to access the 
DCM); Category 2 Risk (some increased risk, including persons who use 
DEA and algorithmic trading); and Category 3 Risk (enhanced risk, 
including persons who can cause significant market disruption, e.g., a 
flash crash).\176\ Third parties such as the FCM and DCM would 
administer risk controls for Category 1. The trading firm itself and 
DCM would administer risk controls for Category 2. Enhanced risk 
controls would apply to Category 3.\177\
---------------------------------------------------------------------------

    \172\ AIMA III 4.
    \173\ Id.
    \174\ Sutherland 7.
    \175\ Hartree 8.
    \176\ Id. at 6.
    \177\ Hartree 6-7.
---------------------------------------------------------------------------

    ICE commented that ``all market participants that engage in 
electronic trading on a DCM should maintain . . . risk controls, 
regardless of how market participants access a DCM or whether the 
market participants engage in algorithmic trading.'' \178\ ICE further 
stated that the Commission ``should not mandate the same risk control 
requirements across DCMs, FCMs and AT Persons.'' \179\ Similarly, 
another exchange, MGEX, commented that ``DCMs, FCMs, and market 
participants should all have some level of responsibility over the 
development, deployment, and use of pre-trade risk controls. Each 
market participant needs to have pre-trade risk controls applied to 
electronically submitted orders, but how that is accomplished should 
depend on the circumstances.'' \180\ MGEX stated that the Commission 
should take a principles-based approach to risk controls at the DCM, 
FCM, and market participant level.\181\
---------------------------------------------------------------------------

    \178\ ICE III 2.
    \179\ Id.
    \180\ MGEX III 2.
    \181\ Id. at 5.
---------------------------------------------------------------------------

    At the Roundtable, Commission staff asked for industry comment on a 
potential approach where three levels of risk controls remain but 
FCMs--not the Commission--impose pre-trade risk control and other 
requirements on their AT Person customers. Generally, industry 
participants disagreed with this approach. For example, industry 
participants expressed concern over cost and burden to FCMs.\182\ In 
addition, Virtu and Hartree indicated that certain trading firms prefer 
to implement their own controls, rather than allow FCMs to continuously 
oversee whether trading firms have adequate controls on their order 
flow.\183\ CME expressed the view that each and every market 
participant should be responsible for its order flow.\184\ Hudson 
Trading suggested that such an approach had potential for an un-level 
playing field, with different FCMs applying different standards.\185\
---------------------------------------------------------------------------

    \182\ JPMorgan, Roundtable Tr. 171:11-172:17; ABN AMRO, 
Roundtable Tr. 175:16-176:176:17; Deutsche Bank, Roundtable Tr. 
193:10-14.
    \183\ Virtu II, Roundtable Tr. 177:1-13; Hartree, Roundtable Tr. 
185:4-15.
    \184\ CME II, Roundtable Tr. 177:18-178:7.
    \185\ Hudson Trading, Roundtable Tr. 187:10-188:1.

---------------------------------------------------------------------------

[[Page 85355]]

    Instead, industry participants were more supportive of a two-level 
approach to risk controls. Tethys described a ``two factor'' model with 
the first layer at the DCM and the second layer at the level of who has 
control of the order being submitted to the DCM.\186\ At the second 
layer, the entity with control of the order would be the clearing 
broker, the executing FCM, or a firm that connects directly to the DCM. 
Tethys indicated that this approach would reduce costs and the number 
of entities subject to the regulation.\187\ Hudson Trading also 
expressed support for a potential two layer approach, with the DCM as 
one layer.\188\ JPMorgan stated that ``the two layers of control can be 
easily crystalized as the matching engine, and the wall around the 
matching engine that's run by the DCM, and those who implement the 
interface that's provided by the DCM.'' \189\
---------------------------------------------------------------------------

    \186\ Tethys, Roundtable Tr. 37:11-38:8.
    \187\ Tethys, id. at 38:1-40:7.
    \188\ Hudson Trading, id. at 189:8-190:5.
    \189\ JPMorgan, Roundtable Tr. 47:22:48:5.
---------------------------------------------------------------------------

    With respect to the risk control framework, commenters also 
addressed the levels at which the NPRM proposed rules required the 
controls to be set, and expressed particular concern that FCMs and DCMs 
would be unable to comply with NPRM proposed Sec. Sec.  1.82, 38.255 
and 40.20 at the levels of granularity required by those rules. As to 
NPRM proposed Sec.  1.82, FIA indicated that the level of granularity 
which controls are set should be left to FCM discretion and that 
compliance with NPRM Sec.  1.82, as proposed, would require FCMs to 
develop additional technology.\190\
---------------------------------------------------------------------------

    \190\ FIA A-36.
---------------------------------------------------------------------------

    As to NPRM proposed Sec.  38.255, FIA, CBOE, CME, OneChicago and 
ICE disagreed with the proposal as to the levels at which DCMs must 
offer the controls to FCMs.\191\ FIA indicated that DCMs do not have 
sufficient information to set controls at the market participant 
level.\192\ In addition, FIA stated that DCM order size limits are set 
at the highest level of access and not by market participant or account 
number, and the higher level is meant as a ``last back stop'' to 
prevent unintentionally blocking orders already controlled at the 
market participant or FCM level.\193\ CBOE believed that a DCM should 
set maximum controls at the clearing firm level and at the level of AT 
Person with DEA, rather than aggregating risk controls for AT Persons 
with DEA across multiple clearing firms.\194\ CBOE indicated that its 
system allows clearing firms to set controls for customers, and that 
clearing firms are not responsible for an order for which another 
clearing firm is designated for that customer.\195\ CBOE further 
indicated that requiring DCMs to build controls at a more granular 
level than clearing firm level and AT Person with DEA level would be 
difficult and cumbersome, because the DCM does not have a direct 
relationship with participants that do not have DEA.\196\ CME stated 
that DCMs generally do not have the ability to provide risk controls to 
clearing FCMs that can be set at the AT Person, product, account number 
or designations, and one or more identifiers of natural persons 
associated with an AT Order Message.\197\ OneChicago indicated that 
requiring risk controls for each different product would be a 
substantial burden and may increase the possibility of a disruption 
event.\198\ ICE opposed NPRM proposed Sec.  38.255 mandating the 
specific levels at which a DCM is required to offer risk controls.\199\
---------------------------------------------------------------------------

    \191\ Id. at A-38, 40; CBOE 3; OneChicago 4; ICE 9.
    \192\ FIA A-38.
    \193\ FIA A-40.
    \194\ CBOE 3.
    \195\ Id.
    \196\ Id.
    \197\ CME 19, A-32.
    \198\ OneChicago 4.
    \199\ ICE 9.
---------------------------------------------------------------------------

    As to NPRM proposed Sec.  40.20, FIA, CME, MGEX, CBOE and 
OneChicago opposed requiring DCM controls to be set at the AT Person or 
market participant level.\200\ FIA stated that DCMs should not 
implement the NPRM proposed Sec. Sec.  1.80 and 1.82 risk controls at 
the same level of granularity that is expected of market participants 
and FCMs.\201\ Rather, FIA asserted that DCMs should implement controls 
that apply across all orders and that protect the overall quality of 
the market.\202\ CME stated that the DCM's controls should be set at 
the ``direct connect'' or the particular market level.\203\ CBOE 
indicated that requiring DCMs to build controls at levels more granular 
level than clearing firm and AT Person with DEA would be difficult and 
cumbersome, because the DCM does not have a direct relationship with 
participants that do not have DEA.\204\ Similarly, OneChicago believed 
that DCMs should be able to establish controls at the FCM level, but 
also believed that DCMs must have discretion in terms of the level at 
which controls should be applied.\205\
---------------------------------------------------------------------------

    \200\ FIA A-38; CME 18-19, A-32.; MGEX 7; CBOE 3; OneChicago 5.
    \201\ FIA A-43.
    \202\ Id.
    \203\ CME A-14.
    \204\ CBOE 3.
    \205\ OneChicago 5.
---------------------------------------------------------------------------

3. Substance of New Proposal
    In light of comments received during the comment periods, including 
at the Roundtable, the Commission has revised the overall framework for 
risk controls and other measures required pursuant to NPRM proposed 
Sec. Sec.  1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM 
proposes a framework with two, rather than three, levels of risk 
controls: (1) At the AT Person or FCM level, and (2) at the DCM level. 
With respect to algorithmic orders originating with AT Persons (i.e., 
AT Order Messages), the NPRM required all AT Persons to implement the 
risk controls and other measures required pursuant to Sec.  1.80. By 
contrast, the Supplemental NPRM requires AT Persons to implement those 
risk controls, but would also permit AT Persons to delegate compliance 
with Sec.  1.80(a) to FCMs, as discussed below. The Supplemental NPRM 
also requires that AT Persons implement pre-trade risk controls on 
their Electronic Trading Order Messages similar to those required by 
Sec.  1.80(a).\206\ In addition, pursuant to the Supplemental NPRM, 
FCMs are not required to implement risk controls on AT Order Messages 
that are subject to AT Person-administered controls. AT Order Messages 
and Electronic Trading Order Messages originating from AT Persons would 
instead be subject to a second level of risk controls at the DCM level 
pursuant to Supplemental proposed Sec.  40.20.
---------------------------------------------------------------------------

    \206\ See Supplemental proposed Sec.  1.80(g)(2) and (g)(3). AT 
Persons would also be permitted to delegate compliance with Sec.  
1.80(g) risk controls to their FCMs.
---------------------------------------------------------------------------

    Electronic orders originating with a non-AT Person are subject to 
risk controls implemented by executing FCMs pursuant to Supplemental 
proposed Sec.  1.82. Those orders are subject to the second level of 
risk controls at the DCM level pursuant to Supplemental proposed Sec.  
40.20.
    Prompted by some commenters' concern that a three-layer structure 
may be redundant, the Commission has determined to propose this two-
layer structure. The Commission particularly took into account 
commenters' opinion that multiple controls, if applied or calibrated 
independently, may cause market participants to be unable to predict 
which orders will reach the order book, increasing rather than 
mitigating market risk. The Commission also carefully considered the 
Roundtable comments indicating support for a two-level approach.
    The Commission believes that two levels of risk control are 
beneficial, both to provide a backstop to a malfunction

[[Page 85356]]

or other failure at one level, and because different levels of the 
order submission chain often monitor different characteristics of the 
risk associated with an order. For instance, an FCM may be more capable 
of determining whether an individual order would breach the risk limits 
of the AT Person or the clearing firm guaranteeing a potential trade; 
in contrast, a DCM may be more likely to identify orders that could 
lead to price dislocations in a given product, or that would lead to 
market instabilities affecting all market participants. The Commission 
also recognizes that trading firms are in the best position to 
understand their own systems, technology, and trading strategies, and 
that they are best positioned to prevent and reduce the potential risk 
of certain types of risk. Accordingly, the Commission proposes that 
certain trading firms--i.e., AT Persons--implement their own pre-trade 
risk controls and other measures pursuant to Supplemental proposed 
Sec.  1.80.\207\
---------------------------------------------------------------------------

    \207\ Supplemental proposed Sec.  1.80(d) and (g) permit AT 
Persons to delegate compliance with Sec.  1.80(a) to FCMs.
---------------------------------------------------------------------------

    The Commission has also revised the proposed risk control rules to 
provide greater flexibility regarding the level of granularity at which 
risk controls must be set. Previously, the controls proposed in NPRM 
Sec. Sec.  1.80, 1.82, 38.255 and 40.20 were required to be set at the 
AT Person level, or other more granular levels the AT Person, FCM or 
DCM determined appropriate, including by product, account number or 
designation, or one or more identifiers of natural persons associated 
with an AT Order Message. In this Supplemental NPRM, the Commission 
intends to increase the flexibility and decrease the burden on AT 
Persons, FCMs and DCMs in terms of the level of granularity at which 
controls must be set. Specifically, Supplemental proposed Sec. Sec.  
1.80(a)(2) 1.82(a)(2), 38.255(b)(1)(ii) and (2), and 40.20(a)(2) now 
require controls to be set at a level or levels of granularity which 
shall include, as appropriate, the level of each firm, product, account 
number or designation, or one or more identifiers of the natural 
persons or the order strategy or ATS associated with an AT Order 
Message or Electronic Trading Order Message (new terms related to 
Electronic Trading are discussed in Section VI(C) below).\208\ By ``as 
appropriate,'' the Commission means such level or levels of granularity 
as are technologically feasible and reasonably effective at preventing 
and reducing the potential risk of an Electronic Trading disruption. 
The proposed rules do not require AT Persons, FCMs or DCMs reorganize 
their trading infrastructure or develop new technologies solely to 
ensure that controls are implemented at each of the potential levels 
enumerated in Supplemental proposed Sec. Sec.  1.80(a)(2) 1.82(a)(2), 
38.255(b)(1)(ii) and (2), and 40.20(a)(2). Rather, as implementation of 
controls at each such level becomes technologically feasible, AT 
Persons, FCMs and DCMs should update their practices to optimize the 
placement of their risk controls at the most effective level.
---------------------------------------------------------------------------

    \208\ Supplemental proposed Sec. Sec.  1.80(a)(2) 1.82(a)(2), 
38.255(b)(1)(ii) and (2), and 40.20(a)(2) are amended from the NPRM 
proposal to incorporate ``order strategy'' or ``ATS'' as potential 
levels of granularity where risk controls may appropriately be set.
---------------------------------------------------------------------------

4. Commission Questions
    27. Will two levels of risk controls sufficiently prevent and 
reduce the potential risks of algorithmic and electronic trading? If 
there is any element of the revised proposed risk control framework 
that is not feasible or will not sufficiently address the risks of 
algorithmic and electronic trading, please explain.

B. Electronic Trading at the AT Person, FCM, and DCM Levels

1. Overview and Policy Rationale for New Proposal
    The Commission proposes to amend NPRM proposed Sec. Sec.  1.80, 
1.82, 38.255 and 40.20 so that the risk control and order cancellation 
provisions applicable to AT Persons, FCMs, and DCMs now apply to 
Electronic Trading,\209\ rather than only to Algorithmic Trading. As a 
result, a larger number of orders would be subjected to two levels of 
risk controls, a change that addresses comments that all electronic 
trading, not only Algorithmic Trading, has the potential to cause 
market disruption.
---------------------------------------------------------------------------

    \209\ The proposed new defined term ``Electronic Trading'' is 
discussed in Section VI(C) below.
---------------------------------------------------------------------------

2. NPRM Proposal and Comments
    The NPRM proposed that AT Persons and FCMs must apply risk controls 
to AT Order Messages (see NPRM proposed Sec. Sec.  1.80, 1.82, and 
38.255). In addition, NPRM proposed Sec.  40.20 required that DCMs 
``implement pre-trade and other risk controls reasonably designed to 
prevent an Algorithmic Trading Disruption'' or similar disruption that 
results from manual or other non-algorithmic order entry, though the 
general focus of the risk controls was on AT Order Messages.
    Comments Received. Several commenters suggested requiring that all 
electronic trading (not just Algorithmic Trading) be subject to risk 
controls. FIA, ICE, and MGEX all supported applying risk controls to 
all electronic trading, and indicated that DCMs are best suited to 
implement certain controls.\210\ FIA stated that all electronic trading 
has the potential to disrupt markets and should be subject to pre-trade 
and other risk controls reasonably designed to mitigate market 
disruption, regardless of the registration status of the person or 
entity trading.\211\ Similarly, ICE commented that there is potential 
for all persons trading electronically to impact a market, and all 
market participants have a responsibility to implement risk 
controls.\212\ ICE commented that some algorithmic traders submit 
orders across multiple clearing firms throughout a trading 
session.\213\ Therefore, DCMs are better suited to administer certain 
risk controls--including order throttling and price collars--than 
trading firms and the FCM.\214\
---------------------------------------------------------------------------

    \210\ FIA 4, 7, A-24; ICE 2, 5; MGEX 2, 6-7.
    \211\ FIA 4, 7, A-24.
    \212\ ICE 5.
    \213\ Id.
    \214\ Id.
---------------------------------------------------------------------------

    Another exchange, MGEX, commented that all orders submitted 
electronically should be subject to pre-trade risk controls, regardless 
of how the order accesses the matching engine.\215\ MGEX recommended 
that any order that is electronically submitted must go through pre-
trade risk controls at some stage before it reaches the matching 
engine, and that some controls must, at a minimum, reside at the 
matching engine.\216\ MGEX suggested that this would avoid the need for 
defined terms, better achieve the Commission's objective, and would 
provide the public with enhanced clarity.\217\ MGEX further stated that 
market participants should develop their own controls where they use 
trading technology that has direct market access and the DCM-provided 
controls would not prevent or mitigate market disruption risk.\218\
---------------------------------------------------------------------------

    \215\ MGEX 2, 6.
    \216\ Id. at 6.
    \217\ Id. at 2, 6-7.
    \218\ Id. at 12.
---------------------------------------------------------------------------

    Commenters further addressed this issue during the Second Comment 
Period. The Industry Group commented that ``all electronic trading must 
be subject to pre-trade and other risk controls administered by a CFTC 
registrant that are appropriate to the nature of the activity.'' \219\ 
The Industry Group suggested a framework in which the responsibility 
for implementing risk controls lies either with the FCM facilitating 
electronic access to the DCM, or with the market participant, if

[[Page 85357]]

it is not trading through the risk controls of an FCM.\220\ Similarly, 
ICE reiterated its position that all market participants that engage in 
electronic trading should maintain appropriate pre-trade and other risk 
controls, regardless of how they access the market or whether they 
engage in algorithmic trading. ICE further stated that limiting 
mandatory risk controls to AT Persons complicates the proposal and does 
not enhance oversight of algorithmic trading activity.\221\ MGEX stated 
that ``each market participant needs to have pre-trade risk controls 
applied to electronically submitted orders, but how that is 
accomplished should depend on the circumstances.'' \222\
---------------------------------------------------------------------------

    \219\ Industry Group 8.
    \220\ Id.
    \221\ ICE 2 III.
    \222\ MGEX 2 III.
---------------------------------------------------------------------------

    Finally, CME commented on the NPRM's proposed standards regarding 
whether AT Persons, FCMs and DCMs must ``prevent'' or must ``mitigate'' 
an Algorithmic Trading Disruption or similar disruption are 
inconsistent. CME stated that the preamble indicates that risk controls 
only need to ``mitigate'' risk, while the rule text requires that AT 
Persons and DCMs both mitigate and ``prevent'' risk.\223\ Further, 
proposed Sec.  1.82 provides that clearing member FCM controls must 
``prevent or mitigate'' an Algorithmic Trading Disruption.\224\ CME 
stated that Regulation AT should only require AT Persons, clearing FCMs 
and DCMs to mitigate, not prevent, disruptions arising from algorithmic 
trading.\225\ CME further stated that it is impossible to prevent every 
possible disruption caused by algorithmic trading, and therefore the 
standard should be mitigation, not prevention.\226\
---------------------------------------------------------------------------

    \223\ CME 4-5, 22-26.
    \224\ Id. at 24-25.
    \225\ Id. at 23, 26.
    \226\ Id. at 23; CME III 3.
---------------------------------------------------------------------------

3. Substance of New Proposal
    In light of the above comments supporting the implementation of 
risk controls on all electronic orders, the Commission has amended the 
requirements of NPRM proposed Sec. Sec.  1.80, 1.82, 38.255 and 40.20. 
Pursuant to the Supplemental proposed rules, AT Persons' risk control 
obligations would be expanded to include not only Algorithmic Trading, 
but also Electronic Trading (in Supplemental proposed Sec.  1.80(g)). 
In the case of FCMs and DCMs, however, the Supplemental proposed rules 
shift the focal point of risk control from Algorithmic Trading to 
Electronic Trading.\227\ More specifically, Supplemental proposed 
Sec. Sec.  1.82 and 38.255 requires FCMs to implement risk controls and 
other measures on all Electronic Trading Order Messages not originating 
with an AT Person. Supplemental proposed Sec.  40.20 requires that DCMs 
implement risk controls on all Electronic Trading Order Messages, 
regardless of their source. As a whole, the Commission's revised risk 
control framework addresses concerns regarding market disruptions 
arising from Electronic Trading, while also preserving an important 
focus on the unique risks of Algorithmic Trading in modern markets. In 
addition, the Commission's revised framework streamlines risk controls 
from three levels to two, and provides AT Persons with the flexibility 
to delegate certain risk control functions to their FCM(s).
---------------------------------------------------------------------------

    \227\ In this regard, the Commission notes that Algorithmic 
Trading is a subset of Electronic Trading. Risk control mechanisms 
to address Electronic Trading would necessarily also address 
Algorithmic Trading.
---------------------------------------------------------------------------

    The risk control requirements for AT Persons in Supplemental 
proposed Sec.  1.80 apply primarily to AT Order Messages. However, the 
Commission is proposing in new Supplemental proposed Sec.  1.80(g) that 
AT Persons also apply pre-trade risk controls to their Electronic 
Trading Order Messages. The NPRM's original approach, which required AT 
Persons to implement risk controls only to their AT Order Messages, 
left a potentially significant gap in Regulation AT's overall framework 
for reducing risk in modern markets. Specifically, non-algorithmic 
Electronic Trading Order Messages originating with AT Persons would 
have been left with only one level of required risk controls (i.e., at 
the DCM). To ensure two levels of risk controls on all Electronic 
Trading Order Messages, the Commission is proposing Supplemental 
proposed Sec.  1.80(g)(1), which provides that AT Persons must apply 
the risk controls required by Supplemental proposed Sec.  1.80(a), (b) 
and (c) to their Electronic Trading Order Messages that do not arise 
from Algorithmic Trading. AT Persons may make appropriate adjustments 
in their Sec.  1.80(g)(1) risk controls mechanisms to accommodate the 
application of such mechanisms to Electronic Trading Order 
Messages.\228\ Supplemental proposed Sec.  1.80(g)(2) and (3) provides 
a delegation provision similar to Supplemental proposed Sec.  1.80(d), 
in which an AT Person may delegate to an executing FCM compliance with 
Sec.  1.80(a) risk control requirements as to Electronic Trading Order 
Messages.
---------------------------------------------------------------------------

    \228\ Certain provisions of Sec.  1.80(a), (b) and (c) reference 
``Algorithmic Trading'' and ``AT Order Message.'' The language ``to 
accommodate the application of such mechanisms to Electronic Trading 
Order Messages'' means that the risk control mechanisms implemented 
pursuant to Supplemental proposed Sec.  1.80(g) should be designed 
and calibrated to apply to Electronic Trading and Electronic Trading 
Order Messages, rather than to Algorithmic Trading and AT Order 
Messages.
---------------------------------------------------------------------------

    The Commission has also revised NPRM proposed Sec. Sec.  1.80, 1.82 
and 40.20 to address the inconsistency noted by CME as to whether risk 
controls must ``prevent'' or ``prevent and mitigate'' risk. 
Supplemental proposed Sec. Sec.  1.80, 1.82 and 40.20 all now provide 
for the standard of ``reasonably designed'' to ``prevent and reduce the 
potential risk of . . . .'' As to the concern raised by CME that 
``prevent'' is a difficult standard to meet, the Commission notes that 
existing Sec.  38.255 imposes on DCMs an obligation to ``prevent and 
reduce the potential risk of price distortions and market disruptions . 
. .'' which is not modified by ``reasonably designed.'' \229\ The 
statutory text of the related core principle also requires that DCMs 
have the capacity and responsibility to prevent manipulation, price 
distortion, and disruptions of the delivery or cash settlement process 
(also without the ``reasonably designed'' modification).\230\ The 
Commission believes that ``reasonably designed'' to ``prevent'' means 
that the relevant entity--AT Person, FCM or DCM--does those things that 
are under its control, at its level in the lifecycle of an order, to 
prevent a disruption from reaching the next level closer to the DCM or 
at the DCM.
---------------------------------------------------------------------------

    \229\ See existing Sec.  38.255, 17 CFR 38.255.
    \230\ DCM Core Principle 4, Section 5(d)(4) of the Act, 7 U.S.C. 
7(d)(4) (2012).
---------------------------------------------------------------------------

    Discussed below are changes to rule text addressing the change in 
focus to Electronic Trading in Supplemental proposed Sec. Sec.  1.82, 
38.255 and 40.20.
    Proposed Sec.  1.82. In the NPRM, proposed Sec.  1.82 required risk 
controls and other measures to be reasonably designed to prevent or 
mitigate an ``Algorithmic Trading Disruption.'' Supplemental proposed 
Sec.  1.82 now requires that FCM risk controls and other measures be 
reasonably designed to prevent and reduce the potential risk of a 
disruption associated with Electronic Trading (including an Algorithmic 
Trading Disruption). The Commission discusses the newly defined terms 
Electronic Trading and Electronic Trading Order Message in Section 
VI(C) below.
    The Commission considers a disruption associated with Electronic 
Trading to mean an event that disrupts, or materially degrades, the 
Electronic Trading of a market participant, the

[[Page 85358]]

operation of the DCM on which the market participant is trading, or the 
ability of other market participants to trade on the DCM on which the 
market participant is trading. An Algorithmic Trading Disruption, as 
defined under Regulation AT, is a subset of the types of Electronic 
Trading disruptions that could occur.
    Supplemental proposed Sec.  1.82 also includes several changes to 
the enumerated risk controls and order cancellation system requirements 
based on the addition of Electronic Trading to Regulation AT's risk 
control framework. In the NPRM, proposed Sec.  1.82(a)(1) required risk 
controls by reference to the controls listed in Sec.  1.80(a)(1). The 
Supplemental NPRM now explicitly lists those controls within the 
regulation text of Supplemental proposed Sec.  1.82(a)(1). In addition, 
Supplemental proposed Sec.  1.82(a)(1)(i) changes the words ``Maximum 
AT Order Message frequency'' to ``maximum Electronic Trading Order 
Message frequency.'' Similarly, the Supplemental proposed rule now 
explicitly lists required order cancellation systems within the 
regulation text of Sec.  1.82(a)(1) and makes such systems applicable 
to Electronic Trading Order Messages and Electronic Trading, rather 
than AT Order Messages and Algorithmic Trading. Supplemental proposed 
Sec.  1.82(a), (b) and (c) include similar conforming changes in light 
of the proposed shift in focal point of FCM risk controls from 
Algorithmic Trading to Electronic Trading.
    The Supplemental NPRM's proposed FCM rules do not specify the exact 
stage at which the FCM needs to implement its controls on an Electronic 
Trading Order Message. In cases where an order is transmitted 
electronically to, or through, the FCM, the FCM may have significant 
flexibility in when and how the risk controls are applied prior to 
dissemination to the DCM. In cases where an order is communicated 
manually to the FCM, who would then submit the order in the electronic 
system, risk controls may need to be applied later in the submission 
process.
    In the NPRM, the location of the FCM's controls varied according to 
whether an AT Person's orders were placed through DEA or intermediated 
by the FCM. The Supplemental NPRM's proposed FCM rule retains that 
basic structure. However, with respect to those orders that are 
submitted through DEA, Supplemental proposed Sec.  1.82(b) and (c) now 
provide greater discretion to the FCM regarding how to comply with its 
Sec.  1.82 obligations. FIA's comment letter indicated that pre-trade 
risk controls can be administered by the FCM facilitating electronic 
access to the market, ``and implemented within the appropriate system 
that the FCM has administrative control over, including third-party 
vendor systems and exchange provided graphical user interfaces.'' \231\ 
The revised proposed rule now provides discretion to executing FCMs to 
comply with Sec.  1.82(b) in the DEA context using the FCM's own 
controls, or controls provided by a DCM or other third party, as long 
as these controls satisfy the requirements of Sec.  1.82(b). Further, 
NPRM proposed Sec.  1.82(c) had provided that for non-DEA orders, the 
FCM must itself establish and maintain pre-trade risk controls and 
order cancellation systems. Supplemental proposed Sec.  1.82(c) now 
provides that the FCM may also comply with Sec.  1.82(c) by using the 
pre-trade risk controls and order cancellation systems provided by DCMs 
pursuant to Sec.  38.255. The Commission intends that this change will 
provide increased flexibility and decreased costs on FCMs, and allows 
the FCM to choose what it judges to be the most appropriate, and 
robust, risk control system from a broader set of options.
---------------------------------------------------------------------------

    \231\ FIA 3, 5. An industry participant during the Roundtable 
also indicated that some FCMs may use third party tools to perform 
certain services to clients. See Roundtable Tr. 166:17-167:5.
---------------------------------------------------------------------------

    Proposed Sec.  38.255. The Commission made conforming changes to 
NPRM proposed Sec.  38.255 consistent with its decision to shift the 
focal point of FCM risk control obligations from Algorithmic Trading 
orders to Electronic Trading orders. These include use of the newly 
defined terms ``Electronic Trading'' and ``Electronic Trading Order 
Message.'' The Commission has also adjusted several regulation cross-
references in light of changes made to NPRM proposed Sec.  1.82 (see 
Sec. Sec.  38.255(b)(1)(i) and 38.255(b)(2)).
    Finally, as noted above with respect to Sec.  1.82, an FCM now has 
discretion in the DEA context as to whether it will use DCM-provided 
controls to comply with Sec.  1.82 requirements. Consistent with that 
change, Supplemental proposed Sec.  38.255(c) now allows a DCM that 
permits DEA to require that an FCM use the DCM-provided controls, or 
substantially equivalent controls developed by the FCM itself or a 
third party. Prior to an FCM's use of its own or a third party's 
systems and controls, the FCM must certify to the DCM that such systems 
and controls are in fact substantially equivalent to the systems and 
controls that the DCM makes available pursuant to Supplemental proposed 
Sec.  38.255(b).
    Proposed Sec.  40.20. The Commission made conforming changes to 
proposed Sec.  40.20 consistent with its decision to require DCMs to 
apply risk controls and other measures to electronic trading orders, 
rather than only to Algorithmic Trading orders. These include changes 
to use the terms ``Electronic Trading'' and ``Electronic Trading Order 
Message.'' In addition, the regulatory text of Supplemental proposed 
Sec.  40.20 now explicitly lists risk controls and order cancellation 
systems within the regulation text of Sec. Sec.  40.20(a)(1) and 
40.20(b)(1)(i).
    Like Supplemental proposed Sec.  1.82, Supplemental proposed Sec.  
40.20 now requires DCMs to implement pre-trade and other risk controls 
reasonably designed to prevent a disruption associated with Electronic 
Trading (including an Algorithmic Trading Disruption). As discussed 
above, the Commission considers a disruption associated with Electronic 
Trading to mean an event that disrupts, or materially degrades, the 
Electronic Trading of a market participant, the operation of the DCM on 
which the market participant is trading, or the ability of other market 
participants to trade on the DCM on which the market participant is 
trading.
    Finally, NPRM proposed Sec.  40.20(d) had required that DCMs 
implement risk control mechanisms for manual order entry and other non-
Algorithmic Trading. Given the change in overall applicability of Sec.  
40.20 to Electronic Trading, the Commission has determined to withdraw 
Sec.  40.20(d).
4. Commission Questions
    28. Supplemental proposed Sec. Sec.  1.82(b) and 38.255(c) provide 
discretion to the FCM to comply with Sec.  1.82(b) in the DEA context 
using its controls, or controls provided by a DCM or other third party, 
as long as those controls are substantially similar to the controls 
provided by the DCM. Do you agree with this level of discretion, or do 
you believe that FCMs should be required to use DCM-provided controls 
in the DEA context to comply with Sec.  1.82?
    29. Supplemental proposed Sec.  1.82(c) provides that the FCM may 
also comply with Sec.  1.82(c) by using the pre-trade risk controls and 
order cancellation systems provided by DCMs pursuant to Sec.  38.255. 
Do you agree with this discretion? Given the revised definition of DEA, 
should proposed Sec. Sec.  1.82 and 38.255 make any distinction between 
DEA and non-DEA orders?
    30. The Commission assumes that, given the definition of DEA 
provided in Supplemental proposed Sec.  1.3(yyyy), risk controls 
implemented by an FCM for non-DEA orders might function similarly to a 
DCM-provided controls

[[Page 85359]]

implemented by an FCM for DEA orders. Should Regulation AT therefore 
require that DCMs provide Sec.  1.82 risk controls for both DEA and 
non-DEA orders?

C. New and Revised Definitions; Change From ``Clearing Member'' to 
``Executing'' FCMs

1. Overview and Policy Rationale for New Proposal
    As discussed above, the Commission has decided to modify its 
framework such that risk controls would be required at two, rather than 
three, levels of the order submission process. The DCM will always be 
one level of risk controls. The second level will be either an AT 
Person or an executing FCM.\232\ In addition, the Supplemental proposed 
rules require DCMs (and FCMs, when such firms implement risk controls) 
to implement risk controls on all electronic orders. Paired with those 
rule changes, the Commission is proposing new defined terms 
``Electronic Trading'' and ``Electronic Trading Order Message.'' The 
Commission has also changed terminology in Regulation AT relating to 
FCMs. In the NPRM, proposed Sec. Sec.  1.82, 1.83, 38.255, and 40.22 
applied to or referred to ``clearing member'' FCMs. Now such rules 
apply or refer to ``executing'' FCMs. These additional changes are 
responses to commenter concerns with the prior proposed risk control 
framework, particularly comments that even non-algorithmic electronic 
orders have the potential to cause disruption and that ``clearing 
member'' FCMs may not have the ability to implement certain controls on 
a pre-trade basis.
---------------------------------------------------------------------------

    \232\ Whether the second level of risk controls is implemented 
by the AT Person or an executing FCM depends on whether the order 
originated with an AT Person and whether the AT Person has delegated 
risk control implementation to the executing FCM.
---------------------------------------------------------------------------

2. NPRM Proposal and Comments
    The NPRM proposed to define the terms ``Algorithmic Trading'' and 
``AT Order Message'' (see NPRM proposed Sec. Sec.  1.3(zzzz) and 
1.3(wwww), respectively), but not the terms ``Electronic Trading'' and 
``Electronic Trading Order Message.'' Pursuant to the NPRM, the 
proposed term AT Order Message was defined as each new order or quote 
submitted through Algorithmic Trading to a designated contract market 
by an AT Person and each change or deletion submitted through 
Algorithmic Trading by an AT Person with respect to such an order or 
quote. This term was used in the proposed regulations requiring AT 
Persons, clearing member FCMs and DCMs to implement pre-trade risk 
controls and other measures with respect to AT Order Messages.
    Comments Received. Commenters generally supported the NPRM proposed 
definition of AT Order Message. CME commented that the term should not 
include any ``non-actionable'' messages, such as requests for quotes, 
requests for cross, heartbeat messages, and mass quotes.\233\ CME 
further indicated that DCMs should be able to determine what activity 
may be disruptive in the context of non-actionable messages.\234\ FIA 
commented that message throttles should not reject cancellation 
messages because such messages may be risk-minimizing.\235\ FIA further 
stated that it should be in the discretion of the person supervising 
order messages to take action if excessive cancellation messages are 
disruptive.\236\
---------------------------------------------------------------------------

    \233\ CME A-5. On its Web site, CME states that ``mass quotes'' 
allow authorized CME Globex customers to create and maintain a 
market on a large number of instruments simultaneously. See https://www.cmegroup.com/confluence/display/EPICSANDBOX/Mass+Quotes.
    \234\ CME A-5.
    \235\ FIA A-13.
    \236\ Id. at 13.
---------------------------------------------------------------------------

    The NPRM proposed several rules that impose risk control and 
reporting requirements on clearing member FCMs (i.e., Sec. Sec.  1.82 
and 1.83) or that otherwise refer to FCMs (i.e., Sec. Sec.  38.255 and 
40.22). The principal risk control rule applicable to FCMs is NPRM 
proposed Sec.  1.82. AIMA commented that the pre-trade risk controls 
proposed in the NPRM ``represent a strong foundation for ensuring the 
most obvious safeguards are in place to protect markets from the risks 
of automated execution.'' \237\ AIMA further commented on the type of 
entity that should be subject to NPRM proposed Sec.  1.82, stating that 
the rule should apply to any AT Person providing market access services 
in the Algorithmic Trading transaction chain, not only to clearing 
member FCMs.\238\ Similarly, other commenters took the position that 
NPRM proposed Sec.  1.82 did not apply to the correct set of FCMs. For 
example, FIA stated that the Sec.  1.82 requirements should be on the 
FCM ``facilitating access to the DCM.'' \239\ In support of its 
position, FIA noted that market participants ``can choose to route 
orders through an FCM that is not their clearer and give up the trades 
after execution on the DCM.'' \240\ FIA stated that non-clearing FCMs 
should provide the same standard of pre-trade risk management as an FCM 
that executes and clears for a market participant.\241\ Accordingly, 
FIA asserted that any clearing member of a DCM that provides electronic 
access for its customers or its own trading on a DCM should implement 
appropriate risk controls.\242\ FIA further stated that if a clearing 
FCM delegates facilitation of electronic access to another entity, the 
delegated entity should implement the appropriate controls and the 
delegating FCM should help ensure that such controls are in place.\243\
---------------------------------------------------------------------------

    \237\ AIMA III 2.
    \238\ AIMA 14; see also AIMA III 3.
    \239\ FIA A-29.
    \240\ Id.
    \241\ Id.
    \242\ Id.
    \243\ Id. at A-30 n.28.
---------------------------------------------------------------------------

    The Industry Group expanded on this point in their comment letter 
submitted during the Second Comment Period. The Industry Group 
indicated that a customer may use the same FCM to provide both 
execution and clearing services, or may use one FCM for execution and 
choose to clear trades through another FCM.\244\ In that instance, the 
executing FCM acts as the ``gatekeeper'' to the DCM matching engine, 
and is the only FCM that can administer pre-trade risk controls.\245\ 
Any other FCMs that may subsequently clear trades can only provide 
controls on a post-trade basis.\246\
---------------------------------------------------------------------------

    \244\ Industry Group 4-5 n.4.
    \245\ Id.
    \246\ Id.
---------------------------------------------------------------------------

3. Substance of New Proposal
a. Defined Terms Electronic Trading and Electronic Trading Order 
Message
    The NPRM did not propose definitions of ``Electronic Trading'' or 
``Electronic Trading Order Message.'' Because the Commission has 
decided to expand some AT Person, FCM and DCM requirements to 
electronic orders, these new defined terms are necessary.
    Supplemental proposed Sec.  1.3(ddddd) defines ``Electronic 
Trading,'' for purposes of Sec. Sec.  1.80, 1.82, 1.83, 38.255, 40.20 
and 40.22, as trading in any commodity interest (as defined in 
paragraph (yy) of Sec.  1.3) on an electronic trading facility (as such 
term is defined by section 1a(16) of the Act), where the order, order 
modification or order cancellation is electronically submitted for 
processing on or subject to the rules of a DCM. The scope of the 
defined term is intended to be expansive, covering, for example, all 
order activity on CME Globex.
    Supplemental proposed Sec.  1.3(bbbbb) defines ``Electronic Trading 
Order Message'' as each new order submitted using Electronic Trading 
and each modification or cancellation submitted using Electronic 
Trading with respect to

[[Page 85360]]

such an order. This defined term largely tracks the term ``AT Order 
Message'' as proposed in the NPRM and as revised in this Supplemental 
NPRM.
b. Revisions to Defined Term ``AT Order Message''
    In this Supplemental NPRM, the Commission makes several changes to 
the definition of AT Order Message (Sec.  1.3(wwww)), mainly for the 
purposes of simplification. The words ``modification or cancellation'' 
have replaced the words ``change or deletion'' because it is the 
Commission's understanding that ``modification'' and ``cancellation'' 
are more commonly used terms in the industry. The words ``to a 
designated contract market'' were deleted as unnecessary, because the 
concept of an order being submitted specifically to a DCM, as opposed 
to any other type of exchange, is embedded in the definition of 
Algorithmic Trading (see NPRM proposed Sec.  1.3(zzzz)).
    Finally, in this Supplemental NPRM, the Commission has deleted the 
word ``quote'' from the definition of AT Order Message. The word 
``quote'' is also not contained in the Electronic Trading Order 
Message, Algorithmic Trading, or Electronic Trading definitions. The 
Commission intends that the term ``order'' means any firm, actionable 
messages to the DCM. Accordingly, the term ``order'' includes quotes or 
mass quotes as long as such quotes are firm and actionable. In response 
to the NPRM, CME commented that the term AT Order Message should not 
include any ``non-actionable'' messages, such as requests for quotes, 
requests for cross, heartbeat messages, and mass quotes.\247\ To the 
extent that certain types of messages, such as requests for quote, 
requests for cross, and heartbeat messages, are not actionable, then 
such messages would not fall within the definition of AT Order Message 
or Electronic Trading Order Message. However, the Commission 
understands from CME's Web site that mass quotes can be 
actionable.\248\ In cases where the use of quotes (such as mass quotes) 
is similar to the submission of other order types in that they are 
actionable, such quotes would have the potential to cause market 
disruption and, therefore, should be included within the meaning of the 
terms AT Order Message and Electronic Trading Order Message.
---------------------------------------------------------------------------

    \247\ CME A-5.
    \248\ For example, CME Group's Web page on mass quotes indicates 
that successfully accepted quotes act as limit orders. See https://www.cmegroup.com/confluence/display/EPICSANDBOX/Mass+Quotes.
---------------------------------------------------------------------------

c. Change in Terminology From ``Clearing Member'' to ``Executing'' FCMs
    In light of the comments received, the Commission determined that 
applying NPRM proposed Sec.  1.82 to clearing member FCMs would be too 
limiting. Depending on the order submission process, executing FCMs, 
rather than clearing member FCMs, may be in the best position to apply 
risk controls on a pre-trade basis; in many cases, the clearing FCM and 
the executing FCM will be the same firm, so the wording change will not 
result in a requirement change. Accordingly, the Commission has revised 
NPRM proposed Sec.  1.82 (and made conforming changes in Supplemental 
proposed Sec. Sec.  1.80, 1.83, 38.255, 40.20 and 40.22) so that the 
risk control and recordkeeping requirements previously applicable to 
clearing member FCMs now apply to executing FCMs.
    The Commission is seeking comment on whether the change from 
``clearing member'' FCMs to ``executing'' FCMs is appropriate. If 
commenters raise concerns with this change, and prefer an alternate 
description, including a return to the prior language, the Commission 
may adjust the final rules in light of such comments. With respect to 
Regulation AT, the Commission seeks to ensure that electronic order 
messages are subject to risk controls by an FCM who provides access to 
a DCM and can monitor that order message flow prior to its arrival at 
the DCM.\249\ Accordingly, all FCMs facilitating such access should be 
aware that they may be subject to final rules under Regulation AT 
including, without limitation, Supplemental proposed Sec.  1.82 
required controls and Sec.  1.83 required recordkeeping. FCMs are 
encouraged to submit comments concerning such rules and whether certain 
FCMs should, or should not, be subject to Regulation AT.
---------------------------------------------------------------------------

    \249\ In some instances, an order may flow through multiple 
FCMs. The Commission expects that in such a scenario, each executing 
FCM must comply with Sec.  1.82 with respect to such order.
---------------------------------------------------------------------------

4. Commission Questions
    31. With respect to the term ``Electronic Trading,'' should the 
definition exclude trading on a hybrid trade execution model, i.e., one 
that includes non-electronic components? \250\
---------------------------------------------------------------------------

    \250\ With respect to hybrid trade execution models, the 
Commission means the unlikely event of a DCM employing a trade 
execution model that has a voice component, as opposed to an 
entirely electronic model.
---------------------------------------------------------------------------

    32. The Commission considers the term ``order'' to include all 
firm, actionable messages, and understands mass quotes to be actionable 
messages. Are there other types of firm, actionable messages that 
constitute orders--and therefore fall within the scope of the terms AT 
Order Message and Electronic Trading Order Message--that the Commission 
should clarify in the final rules? If mass quotes are not firm, 
actionable messages, please explain.
    33. The Commission has changed Regulation AT references to 
``clearing member'' FCMs to ``executing'' FCMs. Do you agree or 
disagree with this change? Is the term ``executing'' FCMs sufficiently 
clear? Does the term ``executing'' FCMs more appropriately capture the 
type of FCMs that can apply pre-trade risk controls and order 
cancellation systems to electronic trading orders? Does the term 
``executing'' FCMs inappropriately exclude certain FCMs that should 
otherwise comply with Sec.  1.82 obligations?

D. AT Person Delegation to FCM

1. Overview and Policy Rationale for New Proposal
    As explained above, the Commission proposes streamlining risk 
controls from three levels to two and shifting the focal point of risk 
control from Algorithmic Trading to Electronic Trading. The number of 
AT Persons may be reduced as a result of the proposed volume threshold 
test, but the obligations of AT Persons pursuant to NPRM proposed Sec.  
1.80 will remain largely the same, with several exceptions. As 
discussed below, the changes to NPRM proposed Sec.  1.80 are: (1) AT 
Persons would be required to implement certain risk controls to their 
Electronic Trading Order Messages, in addition to their AT Order 
Messages; (2) AT Persons would be permitted to delegate certain pre-
trade risk control obligations to their executing FCMs; (3) AT Persons 
would no longer be required to notify their clearing member and DCM of 
their intended use of Algorithmic Trading; and (4) the provisions 
proposed in NPRM Sec.  1.80(e) regarding self-trade prevention tools 
are reserved, as the Commission anticipates postponing consideration of 
self-trade prevention to a second phase of Regulation AT rulemaking in 
the future. The Commission proposes the delegation option in order to 
provide increased flexibility and decreased burden on AT Persons, and 
eliminates the notification requirement in response to commenter 
concerns that such provision is unnecessary.

[[Page 85361]]

2. NPRM Proposal and Comments
    The NPRM proposed Sec.  1.80, which required that AT Persons 
implement pre-trade risk controls and other measures for all AT Order 
Messages that are reasonably designed to prevent an Algorithmic Trading 
Event.\251\ Relevant controls and measures required by NPRM proposed 
Sec.  1.80 included maximum AT Order Message frequency and maximum 
execution frequency per unit time; order price parameters and maximum 
order size limits; order cancellation and ATS disconnect systems; and 
connectivity monitoring systems. They also included several other 
specific requirements, such as notification by AT Persons to applicable 
DCMs and clearing member FCMs that they will engage in Algorithmic 
Trading; calibrating or otherwise implementing DCM-provided self-trade 
prevention tools; and periodic review of the sufficiency and 
effectiveness of the controls implemented by the AT Person.
---------------------------------------------------------------------------

    \251\ See NPRM at 78849-78855.
---------------------------------------------------------------------------

    Comments Received. Commenters addressed various aspects of the 
proposed rule, including the enumerated risk control requirements and 
order cancellation requirements. The Commission is continuing to review 
such comments, and may make additional changes to such provisions as 
part of the final rules. This Supplemental NPRM eliminates the 
notification requirement and reserves for later consideration the self-
trade tool implementation requirements, proposed in the NPRM, 
respectively, as Sec. Sec.  1.80(d) and 1.80(e). As stated in the NPRM, 
the purpose of the Sec.  1.80(d) notification provision was to ensure 
that clearing member FCMs and exchanges have sufficient advance notice 
to implement and calibrate pre-trade and other risk controls to manage 
risks arising from the AT Person's trading.\252\
---------------------------------------------------------------------------

    \252\ Id. at 78854.
---------------------------------------------------------------------------

    In response to the NPRM, FIA and CME opposed proposed Sec.  
1.80(d).\253\ FIA commented that pre-notification of a market 
participant's initial use of Algorithmic Trading is unnecessary and 
overly burdensome.\254\ FIA stated that when an FCM accepts a client, 
the client informs the FCM if they will be conducting Algorithmic 
Trading, and that most exchanges require operator IDs for algorithmic 
traders.\255\ FIA further stated that the breadth of the term 
Algorithmic Trading would require almost every FCM and DCM client to 
notify the FCM and DCM of their use of Algorithmic Trading 
technology.\256\ Finally, FIA commented that identifying each change to 
a system would be counterproductive and burdensome, as it would require 
thousands of notices per year by each participant.\257\ CME agreed that 
FCMs already obtain a significant amount of information from clients 
about the type of trading they anticipate engaging in so that the FCM 
can comply with existing Sec. Sec.  1.11 and 1.73, and that the 
Commission should not prescribe that additional information must be 
communicated.\258\ The Industry Group recommended that market 
participants trading electronically, without passing through FCM-
administered risk controls, should self-identify to applicable DCMs 
prior to trading, or may be identified via tags on order messages.\259\ 
Nadex requested a change to Sec.  1.80(d), stating that compliance 
rests entirely on the AT Person providing the notification, and 
therefore the regulation should specify that in the absence of such 
notification, the FCM and DCM are absolved of any liability for non-
compliance with Regulation AT.\260\ In contrast, AIMA supported the 
proposed Sec.  1.80(d) notification requirement.\261\
---------------------------------------------------------------------------

    \253\ FIA A-26; CME A-12.
    \254\ FIA A-26.
    \255\ Id.
    \256\ Id.
    \257\ Id.
    \258\ CME A-12.
    \259\ Industry Group 8.
    \260\ Nadex 5.
    \261\ AIMA 14.
---------------------------------------------------------------------------

3. Substance of New Proposal
a. Delegation to Executing FCMs
    The Commission proposes a change to NPRM proposed Sec.  1.80 so 
that AT Persons may delegate compliance with Sec.  1.80(a) pre-trade 
risk control requirements to their executing FCMs. Supplemental 
proposed Sec.  1.80(d)(1) provides that an AT Person may choose to 
comply with Sec.  1.80(a) by implementing required pre-trade risk 
controls, or it may instead delegate compliance with such obligations 
to its executing futures commission merchant(s). As noted above, 
commenters generally found the NPRM's risk control framework as too 
``one size fits all,'' and recommended a more principles-based rule. 
The Commission believes that the delegation provision provides AT 
Persons with increased flexibility and decreased burden and compliance 
costs with respect to Sec.  1.80 compliance. The Supplemental proposed 
rules do not require the FCM to accept the delegation. If the executing 
FCM declines to comply with Sec.  1.80(a), the AT Person must implement 
the risk controls itself.
    Supplemental proposed Sec.  1.80(d)(2) provides that an AT Person 
may only delegate such functions when (i) it is technologically 
feasible for each relevant futures commission merchant to comply with 
Sec.  1.80(a) with a level of effectiveness reasonably designed to 
prevent and reduce the potential risk of an Algorithmic Trading Event; 
and (ii) each relevant futures commission merchant notifies the AT 
Person in writing that the futures commission merchant has accepted the 
AT Person's delegation and that it will comply with Sec.  1.80(a) on 
behalf of the AT Person.'' The purpose of Sec.  1.80(d)(2)(i) is to 
ensure that the FCM is actually able to effectively implement pre-trade 
risk controls, order cancellation systems and order connectivity 
systems on behalf of the AT Person. The Commission believes that 
generally, use of DEA or some other trading technology that is outside 
the control of the executing FCM may prevent the FCM from effectively 
implementing controls on a pre-trade basis. Such delegation would be 
improper under Supplemental proposed Sec.  1.80(d). The purpose of 
Sec.  1.80(d)(2)(ii) is to ensure that it is clear, as between the AT 
Person and the FCM, who is responsible for complying with Sec.  
1.80(a).
    Finally, Supplemental proposed Sec.  1.80(f) continues to require 
an AT Person to periodically review its compliance with Sec.  1.80 to 
determine whether it has effectively implemented sufficient measures. 
The Commission has revised this section so that its standard is 
consistent with the ``reasonably designed to prevent and reduce the 
potential risk of'' an Algorithmic Trading Event standard discussed 
above. In addition, the Commission has revised this section to account 
for the possibility that an AT Person has delegated Sec.  1.80(a) 
compliance to an FCM, and requires the AT Person to periodically review 
such FCM's compliance with Sec.  1.80(a).
b. Proposed Use of Algorithmic Trading Notification Requirement
    Based on the addition of Electronic Trading to Regulation AT's risk 
control framework, the Commission has determined that mandatory 
notification from an AT Person to an FCM or DCM is no longer warranted. 
Accordingly, the Commission proposes to withdraw the notification 
requirements provided in NPRM Sec.  1.80(d). The Commission emphasizes, 
however, that DCMs must have an appropriate awareness of its market 
participants engaged in Algorithmic Trading, as well as the systems and 
strategies used by market participants. Such understanding is

[[Page 85362]]

necessary not only for DCMs' role as self-regulatory organizations with 
plenary responsibility for the oversight of their markets, but also to 
comply with the requirements of Supplemental proposed Sec.  40.22. This 
provision, explained in detail below, requires each DCM to establish an 
effective program for periodic review and evaluation of AT Persons' 
compliance with Sec. Sec.  1.80 and 1.81. The Commission expects that 
DCMs will establish their own rules and procedures to ensure that they 
are aware of the AT Persons trading on their markets, and to 
successfully comply with Supplemental proposed Sec.  40.22.
c. Voluntary Election of AT Person Status
    Finally, the Commission, as part of its changes to the definition 
of ``AT Person,'' proposes Sec.  1.3(xxxx)(2), which allows a person 
that does not satisfy the conditions of Sec.  1.3(xxxx)(1) to 
nevertheless elect to become an AT Person. Prior to becoming an AT 
Person, such person must register as a floor trader as defined in Sec.  
1.3(x)(1)(ii) and submit an application for membership in at least one 
RFA pursuant to Sec.  170.18. A person that elects to become an AT 
Person pursuant to Supplemental proposed Sec.  1.3(xxxx)(2)(i) must 
comply with all requirements of AT Persons pursuant to Commission 
regulations.\262\ The Commission proposes Sec.  1.3(xxxx)(2) in order 
to provide increased flexibility to persons that prefer to implement 
their own pre-trade risk controls, rather than leaving implementation 
of such measures to executing FCMs.
---------------------------------------------------------------------------

    \262\ See Supplemental proposed Sec.  1.3(xxxx)(2)(ii).
---------------------------------------------------------------------------

4. Commission Questions
    34. Please explain whether you support or oppose the ability of AT 
Persons to delegate certain Sec.  1.80 obligations to FCMs, including 
implementation of pre-trade risk controls, order cancellation systems 
and system connectivity requirements.
    a. Does the language of Supplemental proposed Sec. Sec.  1.80(d)(2) 
and (g)(3) providing that an AT Person may only delegate such functions 
when (i) it is technologically feasible adequately ensure that 
delegation only occurs when the FCM can implement controls on a pre-
trade basis?
    b. Should the Commission require the AT Person to conduct due 
diligence or obtain a certification to ensure that the FCM is 
implementing sufficient controls?
    c. Should the Commission allow AT Persons to delegate to FCMs 
compliance with other Sec.  1.80 obligations, such as Sec.  1.80(b) 
order cancellation requirements? For which obligations would FCM 
delegation be technologically feasible?
    35. Do you agree with the Commission's determination to eliminate 
the notification of the use of Algorithmic Trading requirement that had 
been required in NPRM proposed Sec.  1.80(d)? If you believe that the 
Commission should retain such a requirement, please explain why.
    36. Will DCMs be able to comply with Supplemental proposed Sec.  
40.20(c)'s system connectivity requirements as to AT Persons without an 
explicit requirement that AT Persons or FCMs notify DCMs that the AT 
Persons will be conducting Algorithmic Trading?

VII. Reporting and Recordkeeping Obligations

A. Overview and Policy Rationale for New Proposal

    NPRM proposed Sec. Sec.  1.83 and 40.22 required that AT Persons 
and clearing member FCMs provide the DCMs on which they operate annual 
reports containing information on their compliance with Sec. Sec.  
1.80(a) and 1.82(a)(1), and that DCMs establish a program for effective 
review and evaluation of such reports. The proposed rules also provided 
recordkeeping requirements regarding NPRM proposed Sec. Sec.  1.80, 
1.81 and 1.82 compliance. The reports, recordkeeping requirements, and 
review program were intended to enable DCMs to understand the pre-trade 
risk controls and compliance procedures of AT Persons and FCMs with 
respect to Algorithmic Trading and to identify and take remedial action 
to address potential risks and compliance concerns.
    In response to the NPRM, the Commission received comments 
indicating that the reporting requirements were overly burdensome and 
would provide little benefit with respect to mitigating the risks of 
Algorithmic Trading. Accordingly, as described below, the Commission 
has eliminated the annual compliance reports requirement; retained the 
recordkeeping requirements; and changed the DCM annual compliance 
report review program to a more general program for review of AT Person 
and FCM compliance with Sec. Sec.  1.80, 1.81 and 1.82. The Commission 
further proposes requiring DCMs to mandate that AT Persons and 
executing FCMs provide DCMs with an annual certification attesting that 
the AT Person or FCM complies with the requirements of Sec. Sec.  1.80, 
1.81, and 1.82, as applicable. The Commission believes that these 
changes will significantly decrease the cost of compliance by AT 
Persons and FCMs with Regulation AT, while at the same time providing 
enhanced flexibility and discretion to DCMs in terms of designing and 
implementing an effective program for review of AT Person and FCM 
controls and procedures related to Algorithmic Trading.

B. NPRM Proposal and Comments

    NPRM proposed Sec.  1.83(a) and (b) required that AT Persons and 
clearing member FCMs provide the DCMs on which they operate with 
information regarding their compliance with Sec. Sec.  1.80(a) and 
1.82(a)(1). NPRM proposed Sec.  40.22 required that each DCM that 
receives a report described in Sec.  1.83 establish a program for 
effective review and evaluation of the reports. The reports proposed by 
Sec.  1.83 and the review program proposed by Sec.  40.22 were intended 
to ensure that AT Persons and clearing FCMs implement effective risk 
controls and regularly review these risk controls. NPRM Sec.  1.83(c) 
and (d) complimented the compliance report review program by requiring 
that AT Persons and clearing member FCMs keep and provide upon request 
to DCMs books and records regarding their compliance with proposed 
Sec. Sec.  1.80 and 1.81 (for AT Persons) and Sec.  1.82 (for clearing 
member FCMs). NPRM proposed Sec.  40.22(d) required DCMs to implement 
rules that require AT Persons and FCMs to keep and provide to the DCM 
books and records regarding compliance with Sec. Sec.  1.80, 1.81 and 
1.82. Finally, NPRM proposed Sec.  40.22(e) required DCMs to review and 
evaluate, as necessary, such books and records maintained by AT Persons 
and clearing member FCMs regarding their Regulation AT compliance.
    Comments Received. Numerous commenters opposed the NPRM requirement 
that AT Persons file an annual report.\263\ AIMA expressed concern 
about the burden that reviewing the filings would have on DCMs,\264\ 
and CME, FIA, MGEX, Commercial Alliance and Nadex suggested that the 
cost of requiring participants to prepare and submit compliance reports 
to DCMs outweighs any benefit.\265\ Furthermore, CME, FIA and ICE all 
indicated that information in the reports would be

[[Page 85363]]

outdated and no longer useful by the time a report is reviewed.\266\
---------------------------------------------------------------------------

    \263\ AIMA 17; CME 20, A-20-A-21; FIA 10, A-90; MGEX 15, 16, 25-
26; Commercial Alliance 12; Nadex 5; OneChicago 6; ISDA 71; MFA 29; 
ICE 10, A-30, A-31; NIBA 2; NASDAQ 4.
    \264\ AIMA 17.
    \265\ CME 20; FIA 10; MGEX 15, 25-26; Commercial Alliance 12; 
Nadex 5.
    \266\ CME 20, A-21; FIA 10; ICE A-30.
---------------------------------------------------------------------------

    In addition, commenters questioned the technical capability of DCMs 
to perform a meaningful review of AT Persons' reports or to assess 
whether the quantitative settings or calibrations of any AT Person's 
controls are sufficient.\267\ MGEX stated that ``it is impracticable to 
expect DCMs to understand all unconventional or proprietary trading 
strategies or the varied technological systems that market participants 
employ.'' \268\ Nadex and OneChicago were concerned that DCMs would be 
responsible for the manner an AT Persons sets or calibrates risk 
controls.\269\ MGEX was skeptical that reviewing compliance reports 
would ensure that AT Persons are actually following these measures in 
practice.\270\ MGEX believed that clear rules and robust surveillance 
are a better way to ensure market integrity.\271\ CME and FIA further 
commented that compliance reports would be duplicative for clearing 
FCMs, which already undergo review by their Designated Self-Regulatory 
Organization (``DSRO'') and clearing organizations.\272\
---------------------------------------------------------------------------

    \267\ CME 20, A-20; FIA 10; ICE 10, A-30.
    \268\ MGEX 16.
    \269\ Nadex 5-6; OneChicago 6. Nadex also asserted in its 
comment letter that ``the proposed regulations would essentially 
place the DCM in the role of an advisor or consultant to the AT 
Person. The AT Person could hold the DCM responsible for any errors 
or malfunctions that occur as the result of the DCM's `remediation', 
or shift blame to the DCM in the event those changes are found 
inappropriate or insufficient by the CFTC or RFA.'' Nadex 6.
    \270\ MGEX 16.
    \271\ Id.
    \272\ CME 20; FIA 10, A-90.
---------------------------------------------------------------------------

    Several commenters were concerned about the cost of 
compliance.\273\ For example, ICE believed that DCMs would have to hire 
additional staff to conduct a comprehensive review of reports and 
expressed concern regarding the potential additional cost.\274\ LCHF 
and NIBA commented that only large market participants should be 
required to submit compliance reports, noting concerns as to the costs 
for small firms or IBs.\275\ MGEX and NASDAQ commented that small DCMs 
will be particularly burdened because they will need to hire additional 
staff.\276\ NASDAQ believed that the proposed requirements ``could 
potentially cause some DCMs to cease or scale back operation, and 
impact the entry of new DCMs.'' \277\
---------------------------------------------------------------------------

    \273\ ISDA 7l; MFA 29.
    \274\ ICE A-31.
    \275\ LCHF 3; NIBA 2.
    \276\ MGEX 16.
    \277\ NASDAQ 4.
---------------------------------------------------------------------------

    As an alternative process to mandatory filing of annual reports a 
number of commenters suggested certification processes and outlined 
different processes that could be required.\278\ For example, LCHF 
suggested that compliance reports be reviewed in situations limited to 
those involving an ``open investigation'' or ``complaint filed on a 
market participant.'' \279\ MGEX similarly suggested that if compliance 
report reviews were included, they should only occur as a part of an 
investigation of a market disruption, or alternatively that the FCM or 
DSRO would have the responsibility for conducting such a review.\280\
---------------------------------------------------------------------------

    \278\ CME 20, A-21, 22; FIA 10, FIA A-90; ICE 9-10; MFA 29; 
NASDAQ 4; OneChicago 6.
    \279\ LCHF 3.
    \280\ MGEX 17.
---------------------------------------------------------------------------

    Commenters also expressed concern over the confidentiality of 
information required to be provided to DCMs in compliance reports.\281\ 
AIMA suggested that language be added to the proposed rule to require 
that DCMs maintain compliance reports in confidence, and that the 
Commission treat these as non-public reports for FOIA purposes.\282\
---------------------------------------------------------------------------

    \281\ AIMA 18; FIA A-91, A-92.
    \282\ AIMA 18.
---------------------------------------------------------------------------

    With respect to the DCM's role in the reporting and recordkeeping 
framework, OneChicago, CME, FIA and ICE commented that the compliance 
reports provided to DCMs would be overly burdensome and ineffective in 
reducing risk.\283\ FIA and ICE commented that DCMs already follow 
procedures that effectively reduce the risk from Algorithmic 
Trading.\284\ ICE further commented that the compliance reports are 
unnecessary, because ``DCMs have implemented comprehensive market 
surveillance and regulation programs that include automated reports and 
alerts designed to identify instances of aberrant or abnormal order or 
trade activity. These programs are already effective at identifying 
specific events of concern that involve Algorithmic Trading.'' \285\ 
CME, FIA and ICE also commented that the reports would include stale 
and irrelevant data, which would not be helpful to DCMs in preventing 
future market risk or disruptive practices.\286\ FIA commented that 
``DCMs are likely not to know the trading strategies or risk tolerances 
of any particular AT Person and thus are unable to assess the adequacy 
of their development and testing protocols, their procedures to help 
detect Algorithmic Trading Compliance Issues, or their pre-trade risk 
and other controls.'' `` \287\
---------------------------------------------------------------------------

    \283\ OneChicago 6; CME 20; FIA A-90-91; ICE 33.
    \284\ FIA A-94; ICE 33.
    \285\ ICE 33.
    \286\ CME A-21; FIA A-91; ICE 30-31.
    \287\ FIA A-91.
---------------------------------------------------------------------------

    CBOE commented on the preamble language, stating that a DCM may 
want to review an AT Person's books and records, pursuant to Sec.  
40.22(d)-(e), if the AT Person represents significant volume in a 
particular product.\288\ CBOE stated that ``the trigger for a review of 
risk control books and records should be potential or actual 
problematic behavior by the AT Person that suggests the need for 
heightened scrutiny of the AT Person in relation to its risk 
controls,'' but that high volume should not be a trigger for 
review.\289\ In addition, OneChicago found the text of Sec.  40.22 
vague and questioned what would be considered appropriate remediation 
of any deficiency found in an AT Person or FCM report.\290\
---------------------------------------------------------------------------

    \288\ NPRM 78876.
    \289\ CBOE 7-8.
    \290\ OneChicago 6.
---------------------------------------------------------------------------

    Some commenters also asserted that the Commission's estimated cost 
for DCMs to comply with Sec.  40.22 is too low.\291\ CME stated that 
the annual cost for each of its four exchanges would be closer to 
$525,000, stating that ``this figure assumes that across all four 
Exchanges, approximately 650 entities would come within the scope of 
the proposed compliance report requirements and each entity would be 
reviewed once every four years (across all four Exchanges). If CME 
Group Exchanges were required to review each entity's annual report 
once every two years, the cost would double as CME Group would need to 
hire twice as many full-time employees. CME Group estimates that it 
would take approximately one month for a full-time employee to complete 
each review.'' \292\ MGEX estimated that it would need to hire at least 
two additional full time employees to review the reports, and that 
reviewing each report would take significantly longer than the 15 hours 
estimated in the NPRM.\293\
---------------------------------------------------------------------------

    \291\ CME 22; MGEX 26.
    \292\ CME 22.
    \293\ MGEX 26.
---------------------------------------------------------------------------

    Commenters further discussed the reporting structure during the 
Second Comment Period. The Industry Group commented that the annual 
reports requirement was ``ineffective, unnecessary, and redundant with 
other requirements to which registrants are subject. Additionally, the 
proposed reports will inundate DCMs with voluminous policies and 
procedures related to the development and compliance of algorithmic 
trading systems, as well as mountainous

[[Page 85364]]

snapshots of stale qualitative risk parameter settings particularized 
to a given market participant that will be virtually impossible for a 
DCM to meaningfully assess.'' \294\ The Industry Group stated that as 
an alternative, the Commission should require a certification process 
that affected parties materially comply with relevant aspects of the 
rule.\295\ In addition, consistent with its recommendation of a two-
level risk control structure with AT Persons/FCMs at one level, and 
DCMs as the second level, the Industry Group suggested a due diligence 
requirement in which FCMs must perform due diligence on customers that 
transmit orders without such orders going through FCM-administered risk 
controls.\296\
---------------------------------------------------------------------------

    \294\ Industry Group 7.
    \295\ Id.
    \296\ Id. at 9.
---------------------------------------------------------------------------

    In its Second Comment Period letter, CME reiterated its opposition 
to the reporting structure as creating an unnecessary administrative 
burden without a corresponding benefit to market integrity.\297\ Among 
other things, CME noted that DCMs would not have sufficient information 
about AT Persons' systems to meaningfully assess Regulation AT 
compliance, and DCMs would appear to be endorsing the policies and 
procedures of AT Persons if they receive compliance reports but remain 
silent.\298\ CME also commented on the substantial costs of the report 
review program.\299\ Finally, CME suggested a similar due diligence 
process where the clearing member who granted DEA to an AT Person (a 
``gatekeeper clearing member'') should obtain certifications of 
compliance from their customers.\300\
---------------------------------------------------------------------------

    \297\ CME III 4.
    \298\ Id. at 4.
    \299\ Id.
    \300\ Id. at 5.
---------------------------------------------------------------------------

C. Substance of New Proposal

    In light of the concerns raised by commenters to NPRM proposed 
Sec. Sec.  1.83 and 40.22, the Commission has determined to make 
several changes to the proposed rules. First, and most significantly, 
the Commission has eliminated the requirement that AT Persons and FCMs 
prepare compliance reports. The requirements proposed as NPRM 
Sec. Sec.  1.83(a) (AT Person reports) and 1.83(b) (FCM reports) are 
withdrawn in Supplemental proposed Sec.  1.83. However, the Commission 
has determined to retain the AT Person and FCM recordkeeping 
requirements, and such requirements proposed in the NPRM as Sec. Sec.  
1.83(c) and 1.83(d) are now re-numbered as Sec. Sec.  1.83(a) and 
1.83(b).
    The Commission in this Supplemental NPRM has made conforming 
changes to Sec.  40.22. Specifically, the NPRM required that DCMs 
review AT Person and FCM annual reports, identify deficiencies in AT 
Persons' and FCMs' compliance programs, and take remedial action as 
needed. The Commission has eliminated DCMs' obligation to review annual 
compliance reports. In place of that obligation, Supplemental proposed 
Sec.  40.22(a) now requires DCMs to periodically review AT Persons' and 
FCMs' programs for compliance with Sec. Sec.  1.80, 1.81 and 1.82. The 
Commission expects that DCMs' periodic review programs would be similar 
to their existing programs for periodically reviewing members' and 
market participants' compliance with audit trail recordkeeping 
requirements.
    Supplemental proposed Sec.  40.22(b) (formerly Sec.  40.22(d)) 
continues to require DCMs to implement rules requiring AT Persons and 
FCMs (now executing FCMs) to keep and provide to the DCM books and 
records regarding compliance with Sec. Sec.  1.80, 1.81 and 1.82. 
Proposed Sec.  40.22(c) replaces the previous requirement that DCMs 
review and evaluate such books and records with a more general 
requirement that DCMs require such periodic reporting from AT Persons 
and executing futures commission merchants as is necessary to fulfill 
the designated contract market's obligations pursuant to paragraph (a) 
of Sec.  40.22.
    Supplemental proposed Sec.  40.22(d) provides that DCMs must 
require by rule that AT Persons and executing FCMs provide DCMs with an 
annual certification attesting that the AT Person or FCM complies with 
the requirements of Sec. Sec.  1.80, 1.81, and 1.82, as applicable. 
Such annual certification shall be made by the chief compliance officer 
or chief executive officer of the AT Person or FCM and must state that, 
to the best of his or her knowledge and reasonable belief, the 
information contained in the certification is accurate and complete. 
The Commission believes that the annual certification requirement 
proposed in Supplemental proposed Sec.  40.22(d) will be substantially 
less burdensome than the review of compliance reports proposed under 
NPRM proposed Sec.  40.22. The Commission also believes that the 
periodic review program required by Supplemental proposed Sec.  
40.22(a), and the annual certifications required by Supplemental 
proposed Sec.  40.22(d), will together impose an important discipline 
on actors in the Algorithmic and Electronic Trading space to help 
ensure compliance with Regulation AT's key risk control and algorithm 
development provisions, including Sec. Sec.  1.80, 1.81 and 1.82.
    The Commission acknowledges the comments from Industry Group and 
CME suggesting an FCM-based due diligence program. The Commission will 
continue to consider such comments and whether such a structure should 
be incorporated into a final rule. However, at this time the Commission 
believes that the DCM is the appropriate entity to review the 
compliance programs of AT Persons. The DCM will have a broader 
perspective of the entire market compared to an FCM, and is better 
situated to ensure that there is a consistent baseline of sufficient 
controls across all AT Persons and executing FCMs.
D. Commission Questions
    37. Do you agree with the elimination of the annual compliance 
report requirement? Do you believe that the current AT Person/executing 
FCM recordkeeping and DCM review program proposed rules will 
sufficiently ensure that AT Persons and executing FCMs have effective 
risk controls? Is there any aspect of Supplemental proposed Sec. Sec.  
1.83 and 40.22 that should be changed to better ensure that AT Persons 
and executing FCMs are implementing effective risk controls?

VIII. Additional Changes to NPRM Proposed Rules Under Consideration

    The Commission is considering certain additional changes to the 
rules proposed in the NPRM, apart from the proposed rule text 
provisions set forth in this Supplemental NPRM. The Commission 
preliminarily believes that such additional changes could be adopted 
without further notice and comment, since they do not impact new 
parties, create new obligations, or otherwise increase burdens. The 
following is a summary of certain discrete areas that are under 
consideration. The Commission emphasizes that it has yet to make final 
determinations with respect to the items below, and that their final 
disposition may depend in part on how the Commission proceeds with 
other proposals in the NPRM and Supplemental NPRM.
    NPRM proposed Sec.  1.3(tttt) defines the term Algorithmic Trading 
Compliance Issue.\301\ The term is relevant to the pre-

[[Page 85365]]

trade risk and other control requirements for AT Persons under NPRM 
proposed Sec.  1.80, the testing requirements on AT Persons under 
proposed Sec.  1.81(c), and the pre-trade and other risk controls for 
DCMs under NPRM proposed Sec.  40.20. Several commenters noted that the 
scope of an Algorithmic Trading Compliance Issue should not include 
breaches of an AT Person's own internal requirements.\302\ For example, 
SIFMA recommended that the definition be revised to remove references 
to an AT Person's internal policies to prevent unduly burdening DCMs 
and AT Persons with notifications of internal events that do not impact 
the market.\303\ MFA commented that including violations of the AT 
Person's own internal requirements, or the requirements of the AT 
Person's clearing member, is too general and broad.\304\ Citadel 
commented that the Commission should ``focus on trading activity that 
can impact the proper functioning of the market, instead of purely 
internal events within a firm that do not impact other market 
participants, such as an inadvertent violation of an internal trading-
related process.'' \305\ CME indicated that applying a causation 
standard to internal policies may cause uncertainty.\306\ In response 
to the concerns expressed by commenters, the Commission is considering 
limiting the scope of the term to violations of applicable law, 
including the Act and CFTC regulations. To that end, the Commission is 
considering whether to eliminate from NPRM proposed Sec.  1.3(tttt) 
references to an AT Person's own internal rules, those of its clearing 
member, any DCM on which it trades, or an RFA.\307\
---------------------------------------------------------------------------

    \301\ NPRM proposed Sec.  1.3(tttt) defines ``Algorithmic 
Trading Compliance Issue'' to mean an event at an AT Person that has 
caused any Algorithmic Trading of such entity to operate in a manner 
that does not comply with the CEA or the rules and regulations 
thereunder, the rules of any designated contract market to which 
such AT Person submits orders through Algorithmic Trading, the rules 
of any registered futures association of which such AT Person is a 
member, the AT Person's own internal requirements, or the 
requirements of the AT Person's clearing member, in each case as 
applicable.
    \302\ See AIMA 8; Citadel 3; CME A-3; CTC 14; IAA 9; ICE 10; FIA 
Appendix A 5, 11; ISDA 4; MFA 13; SIFMA 3.
    \303\ SIFMA 3, 1; see also Citadel 3.
    \304\ MFA 13.
    \305\ Citadel 3.
    \306\ CME A-3-4.
    \307\ The Commission notes, however, that its regulation 166.3 
requires each Commission registrant (except certain associated 
persons) to ``diligently supervise'' the handling by its partners, 
officers, employees, agents, and persons occupying a similar status 
or performing a similar function, of all commodity interest accounts 
carried, operated, advised, or introduced by the registrant, and all 
other activities of its partners, officers, employees, agents, etc. 
AT Persons would be included among the Commission registrants 
subject to Sec.  166.3
---------------------------------------------------------------------------

    NPRM proposed Sec.  1.3(uuuu) defines the term Algorithmic Trading 
Disruption.\308\ The term is relevant to Regulation AT's pre-trade risk 
and other control requirements for AT Persons and FCMs that are 
clearing members for a DCO, as provided in NPRM proposed Sec. Sec.  
1.80 and 1.82(a), respectively. Several commenters asserted that the 
proposed definition is too broad \309\ or lacks clarity.\310\ 
Commenters also recommended excluding events originating within an AT 
Person from the scope of an Algorithmic Trading Disruption.\311\ The 
Commission is considering potentially eliminating references in the 
definition to a disruption of an AT Person's own ability to trade, and 
limiting the scope of the term to disruptions of the market and others' 
ability to trade on it.
---------------------------------------------------------------------------

    \308\ NPRM proposed Sec.  1.3(uuuu) provides that the term 
``Algorithmic Trading Disruption'' means an event originating with 
an AT Person that disrupts, or materially degrades, (1) the 
Algorithmic Trading of such AT Person, (2) the operation of the 
designated contract market on which such AT Person is trading or (3) 
the ability of other market participants to trade on the designated 
contract market on which such AT Person is trading.
    \309\ AIMA 9; CME A-4; MMI 2; SIFMA 3, 19; CME A-4; FIA Appendix 
A-5, A-6.
    \310\ CME A-4; FIA Appendix A-5, A-6.
    \311\ SIFMA 3, 19; CME A-4; AIMA 2, 9; MMI 2.
---------------------------------------------------------------------------

    The Commission is also considering whether to make analogous 
changes to the defined term Algorithmic Trading Event. NPRM proposed 
Sec.  1.3(vvvv) defined the term Algorithmic Trading Event to mean 
either an Algorithmic Trading Compliance Issue or an Algorithmic 
Trading Disruption. The term is used in NPRM proposed Sec.  1.80, which 
required AT Persons to implement risk controls that are reasonably 
designed to prevent or mitigate an Algorithmic Trading Event.\312\ The 
term is also used in NPRM proposed Sec.  1.81(a) (requiring AT Persons 
to conduct regular back-testing using historical data to identify 
circumstances that may contribute to Algorithmic Trading Events), NPRM 
proposed Sec.  1.81(b) (requiring AT Persons to conduct real-time 
monitoring of Algorithmic Trading to identify potential Algorithmic 
Trading Events), and NPRM proposed Sec.  1.81(d) (requiring AT Persons 
to establish training procedures for communicating and escalating to 
appropriate personnel instances of Algorithmic Trading Events). Several 
commenters stated that the proposed definition of Algorithmic Trading 
Event is unnecessary \313\ or overly broad.\314\ Consistent with the 
proposed changes to NPRM proposed Sec. Sec.  1.3(tttt) and 1.3(uuuu) 
described above, the Commission is considering clarifying in the final 
rules for Regulation AT that an AT Person's internal policies, or the 
disruption of its own Algorithmic Trading, are outside the scope of an 
Algorithmic Trading Event.
---------------------------------------------------------------------------

    \312\ This provision now requires AT Persons to implement 
controls reasonably designed to prevent and reduce the potential 
risk of an Algorithmic Trading Event.
    \313\ MFA 15; MMI 2.
    \314\ SIFMA 3, 19.
---------------------------------------------------------------------------

    Additionally, the Commission is considering whether to modify 
certain requirements regarding the development, monitoring, and 
compliance of ATSs under NPRM proposed Sec.  1.81. CME, MFA, AIMA and 
FIA commented that the requirement under NPRM proposed Sec.  
1.81(a)(1)(ii) \315\ to test all changes to Algorithmic Trading code 
prior to implementation is too broad.\316\ CME also raised concerns 
that this requirement would impose significant costs for AT Persons and 
DCMs.\317\ MFA and AIMA recommended that this requirement be limited by 
a materiality standard.\318\ FIA commented that ```any changes' should 
be clarified to be limited to any change that directly impacts source 
code associated with determining when and how to send an order or 
otherwise impact an order on a DCM.'' \319\ FIA also commented that 
```related systems' should be clarified to pertain only to those 
systems that have the ability to determine when and how to send an 
order or otherwise affect an order on a DCM.'' \320\ The Commission has 
withdrawn the requirement under NPRM proposed Sec.  1.81(a)(1)(ii) that 
AT Persons must test all Algorithmic Trading code and related systems 
on each DCM on which Algorithmic Trading will occur. The Commission is 
also considering whether to modify the requirement that AT Persons must 
test all changes to code by adding a materiality standard.
---------------------------------------------------------------------------

    \315\ NPRM proposed Sec. Sec.  1.81(a)(1)(ii) (requiring AT 
Persons to implement written policies and procedures for the testing 
of all Algorithmic Trading code and related systems and any changes 
to such code and systems prior to their implementation and that such 
testing must be conducted both internally within the AT Person and 
on each designated contract market on which Algorithmic Trading will 
occur.).
    \316\ CME A-16; MFA 19; AIMA 16; FIA 61.
    \317\ CME A-16.
    \318\ MFA 19; AIMA 16.
    \319\ FIA 61.
    \320\ Id.
---------------------------------------------------------------------------

    The Commission is considering whether to modify the algorithm 
monitoring requirements under NPRM proposed Sec.  1.81(b), which 
requires continuous real-time monitoring of

[[Page 85366]]

ATSs.\321\ Several commenters recommended changes to the proposed 
requirements for real-time monitoring. CME stated that ``any final 
regulation should be flexible enough to allow the most reasonable 
approach for real-time monitoring that is proportional to the AT 
Person's size and risk profile.'' \322\ FIA recommended that the 
Commission ``only mandate that: (1) One or more specifically 
identifiable persons at an AT Person must have the authority to address 
system breakdowns that might cause an Algorithmic Trading Disruption; 
and (2) systems must be in place to help such persons monitor for 
potential problems and interact with each Algorithmic Trading system.'' 
\323\ IAA commented that the monitoring and compliance requirements of 
Sec.  1.81 should be replaced with a more general requirement for AT 
Persons to design a compliance program that is reasonably designed to 
meet the requirements of the rule. The Commission is considering 
whether to eliminate certain language in the NPRM preamble regarding 
CFTC expectations that the person monitoring an algorithm should 
simultaneously be engaged in trading.
---------------------------------------------------------------------------

    \321\ NPRM proposed Sec.  1.81(b) provides, inter alia, that 
each AT Person shall implement written policies and procedures 
reasonably designed to ensure that each of its Algorithmic Trading 
systems is subject to continuous real-time monitoring by 
knowledgeable and qualified staff while such Algorithmic Trading 
system is engaged in trading.
    \322\ CME A-18.
    \323\ FIA 66.
---------------------------------------------------------------------------

    The Commission is also considering whether to eliminate in its 
entirety NPRM proposed Sec.  1.81(c)(2)(ii). The provision provided 
that each AT Person must implement written policies and procedures 
requiring a plan of internal coordination and communication between 
compliance staff of the AT Person and staff of the AT Person 
responsible for Algorithmic Trading regarding Algorithmic Trading 
design, changes, testing, and controls, which plan should be designed 
to detect and prevent Algorithmic Trading Compliance Issues.
    In addition, the Commission is continuing to evaluate comments 
regarding certain of the enumerated risk control mechanisms in the NPRM 
(and retained in this Supplemental). For example, the Commission is 
considering the appropriateness of a maximum execution frequency 
control at the DCM level. The Commission is also considering clarifying 
in any final rules it may adopt for Regulation AT that the requirements 
for market maker and trading incentive programs under NPRM proposed 
Sec.  40.25 do not apply retroactively, i.e., to programs established 
prior to the Regulation AT effective date. In addition to proposing the 
changes to NPRM proposed rules set forth above, the Commission notes 
that it has determined to defer to a later date the final rules 
regarding self-trading \324\ and disclosure and transparency of DCM 
trade matching systems.\325\ The Commission anticipates finalizing 
those rules after finalizing the other rules proposed in the NPRM and 
this Supplemental NPRM.
---------------------------------------------------------------------------

    \324\ See NPRM proposed Sec.  40.23.
    \325\ See NPRM proposed Sec.  38.401(a).
---------------------------------------------------------------------------

D. Commission Questions

    38. The Commission welcomes all comments regarding its 
consideration of potential amendments, deferral, or elimination of 
provisions proposed in the NPRM as discussed in this Section VIII of 
the Supplemental NPRM.

IX. Related Matters

A. Cost-Benefit Considerations

1. The Statutory Requirement for the Commission To Consider the Costs 
and Benefits of Its Actions
    Section 15(a) of the CEA requires the Commission to ``consider the 
costs and benefits'' of its actions before promulgating a regulation 
under the CEA or issuing certain orders.\326\ Section 15(a) further 
specifies that the costs and benefits must be evaluated in light of the 
following five broad areas of market and public concern: (1) Protection 
of market participants and the public; (2) efficiency, competitiveness, 
and financial integrity of futures markets; (3) price discovery; (4) 
sound risk management practices; and (5) other public interest 
considerations. The Commission considers the costs and benefits 
resulting from its discretionary determinations with respect to the 
section 15(a) factors below. As a general matter, the Commission 
considers the incremental costs and benefits of the new and amended 
rules proposed in this supplemental notice of proposed rulemaking for 
Regulation Automated Trading,\327\ taking into account what it believes 
is industry practice given the Commission's existing regulations and 
industry best practices, as described below. Where reasonably feasible, 
the Commission has endeavored to estimate quantifiable costs and 
benefits. The Commission also identifies and describes costs and 
benefits qualitatively.
---------------------------------------------------------------------------

    \326\ 7 U.S.C. 19(a).
    \327\ As explained, infra, on December 17, 2015, the Commission 
published in the Federal Register a notice of proposed rulemaking 
(``NPRM'') proposing a series of risk controls, transparency 
measures, and other safeguards to enhance the safety and soundness 
of automated trading on all designated contract markets (``DCMs'') 
(collectively, ``Regulation Automated Trading'' or ``Regulation 
AT''). Regulation Automated Trading, Proposed Rule, 80 FR 78824 
(Dec. 17, 2015) (hereinafter ``NPRM'').
    Through this supplemental notice of proposed rulemaking for 
Regulation AT (``Supplemental NPRM''), the Commission is proposing 
certain modifications and additions to rules set forth in the NPRM. 
This discussion refers to rules originally proposed in the NPRM as 
``NPRM proposed'' and rules proposed in the Supplemental NPRM as 
``Supplemental proposed.''
---------------------------------------------------------------------------

2. Comments Regarding Costs and Benefits of Regulation AT \328\
---------------------------------------------------------------------------

    \328\ This summary of comments is limited to those relevant to 
the costs and benefits of the Supplemental proposed rules that are 
the subject of this Supplemental NPRM. Comments addressing the costs 
and benefits of NPRM proposed rules not modified by this 
Supplemental NPRM will be included in the final rulemaking release 
for Regulation AT.
---------------------------------------------------------------------------

a. Pre-Trade Risk Controls and Other Measures
    Some commenters addressing Regulation AT requirements generally 
(including pre-trade risk controls, recordkeeping, and compliance 
report costs) indicated that costs are substantially higher than 
estimated in the proposed rule and the articulated benefits do not 
justify the costs.\329\ As to DCMs, FIA commented that certain of the 
Commission's proposed pre-trade and other risk controls for DCMs are 
overly prescriptive and would result in costly investment in controls 
that would not be sufficiently flexible to adapt to further market 
evolution.\330\
---------------------------------------------------------------------------

    \329\ See, e.g., FIA 1-3; 10-11; A-78; MFA 34-25; QIM 3; SIFMA 
20.
    \330\ FIA A-41.
---------------------------------------------------------------------------

b. Testing and Supervision of Automated Systems
    Rules applicable to DCMs: CBOE recommended that any requirements 
for testing environments be principles-based and not prescriptive in 
order to accommodate the current best practices of the industry and to 
avoid requiring the development of costly new systems that are not 
currently in existence at DCMs.\331\
---------------------------------------------------------------------------

    \331\ CBOE 6-7.
---------------------------------------------------------------------------

    ICE, CME, and FIA each stated that the requirement to have DCM test 
environments offer simulation of production trading, contained in NPRM 
proposed Sec.  40.21, was impractical. ICE stated that requiring DCM 
test environments to support the simulation of real market conditions 
or historical transaction, order or message data in its test 
environment is not practical, and that any benefits that this type of 
simulation may produce would not be commensurate with the substantial 
cost

[[Page 85367]]

associated with developing it. Without the actual interaction of real 
trades and the wide range of market conditions that can occur in a live 
trading environment, ICE stated that it is unclear what benefits would 
arise from this type of simulation. ICE also commented that the 
implementation would require significant financial investment to 
develop and maintain.\332\
---------------------------------------------------------------------------

    \332\ ICE A-10.
---------------------------------------------------------------------------

    CME commented that the Commission fails to clearly define the term 
``simulate'' in NPRM proposed Sec.  40.21. In addition, CME stated if 
the Commission interprets Regulation AT to require DCMs to maintain and 
provide a test environment that includes a production parallel facility 
that utilizes real-time or near real-time market and transaction data 
for testing of a market participant's algorithm, the Commission's cost 
analysis of NPRM proposed Sec.  40.21 is incorrect.\333\
---------------------------------------------------------------------------

    \333\ CME 35.
---------------------------------------------------------------------------

    FIA commented that although it is possible to include historical 
data in test environments that can be replayed to simulate stress 
conditions in DCM stress environments, such environments would not be 
able to interact with the market. As a result, FIA asserted that a true 
simulation is not possible. Requiring historical data would add costs 
without producing the intended improvement in the DCM test environment. 
FIA also indicated that a test environment as prescribed in NPRM 
proposed Sec.  40.21 would not be possible within the bounds of 
reasonable investment, and that any costs would far outweigh the 
purported benefits.\334\
---------------------------------------------------------------------------

    \334\ FIA A-44-A-45.
---------------------------------------------------------------------------

    FIA and CME both stated that the costs of NPRM proposed Sec.  1.81 
exceed the benefits. CME stated that the prescriptive nature of the 
requirements set forth in NPRM Proposed Sec.  1.81 will introduce 
significant cost and inefficiencies without the benefit of reduced risk 
to DCMs and market participants. Moreover, FIA and CME commented that 
the Commission has significantly underestimated the cost to both market 
participants and DCMs to support performance level production 
testing.\335\ FIA also stated that the proposed prescriptive 
requirements with respect to DCM test environments are cost prohibitive 
with no justifiable benefit.\336\
---------------------------------------------------------------------------

    \335\ CME A-16.
    \336\ FIA A-38, A-39 and A-44.
---------------------------------------------------------------------------

    CME further commented that back testing is a complex and costly 
exercise with a limited scope for mitigating risk; therefore, NPRM 
proposed Sec.  1.81 should not be adopted.\337\ CME asserted that the 
costs to AT Persons and DCMs to establish the extensive infrastructure 
needed for back testing far exceed the benefits. CME also stated that 
requiring AT Persons to test ``any'' change with DCMs, as set forth in 
NPRM proposed Sec.  1.81(a)(1)(ii), is too vague. Moreover, CME 
commented that the requirement was too expansive in that it would 
encompass testing for changes to systems which would not reduce risk to 
the AT Person or the overall markets, but would instead be a 
significant cost burden for AT Persons and the DCM.\338\ CME further 
indicated that requiring DCMs to provide test environments that 
simulate production performance levels would be costly and less 
effective than the current market practice, whereby AT Persons design 
and develop their own scaled environment with the support of DCMs.\339\
---------------------------------------------------------------------------

    \337\ CME A-15.
    \338\ CME A-16.
    \339\ Id.
---------------------------------------------------------------------------

    TT commented that the testing requirements under NPRM proposed 
Sec.  1.81(a) ``should focus on the output of an Algorithmic Trading 
system or software rather than the source code underlying such systems 
or software, which would yield no material benefit.'' \340\
---------------------------------------------------------------------------

    \340\ TT III 1.
---------------------------------------------------------------------------

    Rules applicable to AT Persons: A Roundtable participant stated 
that Regulation AT is ``a very, very heavy burden'' and ``an extreme 
cost to be an AT person.'' \341\ CTC commented that NPRM proposed Sec.  
1.81(a) would require CTC to draft, implement, and test a whole new 
series of policies. Altering its procedures to conform to the 
regulation, CTC explained, would be costly and would not provide 
sufficient benefit to justify the costs. CTC further indicated that the 
cost-benefit analysis contained in the NPRM fails to adequately explain 
the benefits, only citing an event involving Knight Capital. According 
to CTC, the event ``is a threadbare justification for imposing 
prescriptive requirements on AT Persons.'' CTC further stated that 
proposed Sec.  1.81(b), which requires AT Persons to provide for 
continuous, real-time monitoring of ATSs, entails significant staffing 
and other resource costs. CTC commented that real-time monitoring is a 
standard that is impossible to meet.\342\ CTC proposed ``near real 
time'' as an alternative standard.\343\
---------------------------------------------------------------------------

    \341\ See CME, Roundtable Tr. 28:12-18.
    \342\ CTC 14.
    \343\ Id. at 12-13.
---------------------------------------------------------------------------

    FIA, SIFMA, and Mercatus objected to the rule requiring monitoring 
of algorithmic trading by a natural person separate from the trader. 
FIA stated that hiring an activity monitor that is independent of the 
trader would not be operationally efficient or reasonable from a cost 
perspective.\344\ SIFMA also noted that requiring separate monitors to 
those implementing a training strategy is overly burdensome and 
inconsistent with typical CPO/CTA trading behavior. SIFMA argued that 
the requirement to ``oversee a trader's actions continuously and in 
real time is a burdensome measure that is not common practice in the 
industry and may not be capable of being accomplished fully.'' Instead, 
SIFMA stated that traders would have the appropriate monitoring 
knowledge and can respond best in real time.\345\
---------------------------------------------------------------------------

    \344\ FIA A-77.
    \345\ SIFMA 16.
---------------------------------------------------------------------------

    Mercatus argued that requiring the separation of algorithmic 
monitoring and trading would create undue burdens on small firms. 
Specifically, Mercatus stated that ``the required separation of trading 
and monitoring functions is akin to requiring that every firm engaged 
in algorithmic trading have a dedicated compliance person. Further 
burdening small firms, the Commission requires `staff of the AT Person 
to review ATSs in order to detect potential Algorithmic Trading 
Compliance Issues' and specifies that `such staff must include staff of 
the AT Person familiar with' the relevant laws, regulations, and rules. 
This language would seem to preclude the use of outside consultants, 
which could be a more affordable method of compliance for small 
firms.'' \346\
---------------------------------------------------------------------------

    \346\ Mercatus 4.
---------------------------------------------------------------------------

    MFA argued that a separate physical structure for algorithm testing 
would be unnecessarily burdensome to smaller AT Persons. In contrast to 
physical separation, MFA commented that virtual separation (ensuring 
that testing software does not connect to active markets) rather than 
physical separation, would reduce costs and more easily allow for the 
sharing of components between test and production environments such as 
``market data infrastructure or reference data files.'' MFA also noted 
concerns with code testing, stating that the requirement is broad. MFA 
pointed out that only material changes should be required to be tested. 
MFA stated that it is not uncommon for CTAs and CPOs to make minor 
adjustments to certain parameters embedded in their investment trading 
software on a daily

[[Page 85368]]

basis, including administrative changes, or enhancements.\347\
---------------------------------------------------------------------------

    \347\ MFA 18-19.
---------------------------------------------------------------------------

    SIFMA commented that the definition of AT Person extends to systems 
in which trades are communicated to the FCM/other trader for execution. 
SIFMA indicated that such execution management systems are often not 
under the development or control of the CPO/CTA and therefore cannot be 
fully monitored by them. In addition, SIFMA stated that CPO/CTAs may 
make use of routing software (AORSs) provided by the FCM that often 
have risk controls built in.\348\
---------------------------------------------------------------------------

    \348\ SIFMA 4-5, 16.
---------------------------------------------------------------------------

    FIA commented that the CFTC needs a better understanding of, among 
other things, the anticipated benefits and actual costs of the proposed 
requirements for policies and procedures for the development, testing, 
deployment, and monitoring of ATSs.\349\ FIA further asserted that 
several of the requirements in NPRM proposed Sec.  1.81(a)-(d) are not 
standard industry practice and would impose costs on AT Persons, 
including costs stemming from the hiring of additional staff. In 
addition, FIA commented that the rules would require extensive 
narrative documentation, testing of every change to an ATS at every 
DCM, historical back-testing of all changes to source code, separation 
of the trading function and the monitoring function associated with 
Algorithmic Trading, and documentation of system strategy and design 
independently of the software responsible for executing the 
strategy.\350\
---------------------------------------------------------------------------

    \349\ FIA 3-4.
    \350\ FIA A-72.
---------------------------------------------------------------------------

c. Requirements To Maintain and Make Available Source Code Records
    In support of the NPRM proposed rules regarding source code, Better 
Markets commented that ``the clear and many benefits arising from the 
Commission's ability to perform post-mortems after disruptive market 
events far outweigh any legitimate concerns, which haven't been 
proffered.'' \351\ In contrast, other commenters expressed concerns 
regarding potential costs regarding source code recordkeeping. CME 
commented that maintaining a source code repository would impose 
significant burdens and costs on any entity that does not currently do 
so.\352\ CME further commented that the CFTC has not demonstrated any 
need for AT Persons to make source code available, ``let alone a need 
that outweighs the cost and confidentiality concerns attendant to such 
a requirement.'' \353\
---------------------------------------------------------------------------

    \351\ Better Markets III 3.
    \352\ CME 38.
    \353\ CME III 9.
---------------------------------------------------------------------------

    The Industry Group commented that the proposed source code 
requirement ``puts highly proprietary information at risk without 
measurable benefits.'' \354\ FIA stated that the requirement in NPRM 
proposed Sec.  1.81(a)(v) for AT Persons to maintain a source code 
repository in accordance with Sec.  1.31 is impractical and unduly 
burdensome.\355\ FIA noted that the proposed rule captures Algorithmic 
Trading source code as well as the source code of ``related systems'' 
in its retention and access requirements.\356\ FIA asserted that 
``related systems'' is vague and could encompass all, or nearly all, 
source code utilized by an AT Person, including, but not be limited to, 
source code associated with back-office, portfolio risk management, 
monitoring, and user interfaces. FIA indicated that such a broad 
interpretation would dramatically increase the cost of complying with 
the proposed rules. Relatedly, a Roundtable participant noted that 
storage of source code is not free.\357\
---------------------------------------------------------------------------

    \354\ Industry Group 6 (emphasis omitted).
    \355\ FIA A-54.
    \356\ Id. at A-55.
    \357\ AQR, Roundtable Tr. at 281:9-10.
---------------------------------------------------------------------------

    AIMA commented that source code ``provides very little supervisory 
or investigative utility to anyone seeking to `read' it'' and that 
accessing source code ``without a specific court-upheld reason would 
simply risk the commercially sensitive IP of AT Persons without 
providing any additional benefit.'' \358\ The Chamber of Commerce 
asserted that ``the CFTC has not provided an estimate of the costs for 
hiring qualified developers that could actually analyze the proprietary 
source code, meaning that the CFTC currently does not know how much it 
would even cost to review information within its possession.'' \359\ 
The Chamber of Commerce further asserted that the proposed source code 
requirements would ``not provid[e] any tangible benefit to the CFTC.'' 
\360\
---------------------------------------------------------------------------

    \358\ AIMA III 5.
    \359\ Chamber of Commerce III 4.
    \360\ Chamber of Commerce III 6.
---------------------------------------------------------------------------

    KCG commented that ``it seems clear that the risks (and costs) of 
allowing on-demand access to proprietary source code outweigh any 
potential benefit.'' \361\ Similarly, MGEX also expressed concern that 
the costs of the proposed source code requirement outweigh the 
benefits.\362\ MMI commented that ``the costs associated with creating 
a new regulatory requirement and the risks associated to the disclosure 
of such information [i.e., source code] to regulators (and perhaps 
inadvertently to the public) defy an acceptable cost-benefit analysis 
of the proposed Sec.  1.81(a).'' \363\ Finally, QIM asserted that the 
proposed source code requirement ``would not provide the benefits 
envisioned by the Commission.'' \364\
---------------------------------------------------------------------------

    \361\ KCG III 5.
    \362\ MGEX III 7.
    \363\ MMI III 2-3.
    \364\ QIM III 2.
---------------------------------------------------------------------------

d. Requirement To Submit Compliance Reports and Other Related 
Algorithmic Trading Requirements
    Costs and Benefits to DCMs: ICE commented that the burden on DCMs 
to collect and review the proposed annual reports is significant. ICE 
indicated that undertaking the type of review necessary to verify and 
evaluate the information contained in the proposed annual reports would 
be both costly and resource intensive. The number of AT Persons and 
clearing FCMs that would be required to file annual reports with DCMs 
would far exceed the number of clearing FCMs that are currently 
reviewed under DSRO audit today. Further, ICE stated that DCMs do not 
have the resources or qualified expertise that would be required to 
conduct a comprehensive review of the proposed annual reports and the 
algorithms developed and operated by AT Persons. ICE recommended that 
the annual report requirement set forth in NPRM proposed Sec.  1.83 be 
replaced with a certification process.\365\
---------------------------------------------------------------------------

    \365\ ICE A-31.
---------------------------------------------------------------------------

    CME commented that the annual compliance report requirement creates 
an unnecessary administrative burden on all parties involved without 
generating a significant benefit.\366\ CME asserted that the 
information in the reports would be stale and that CME would need to 
hire additional staff with the expertise to evaluate the reports. 
Moreover, CME indicated that compliance reports would be onerous and 
duplicative for clearing FCMs, as they already undergo significant 
review by their DSRO and clearing organizations. CME argued that 
further unnecessary duplication would result from AT Persons submitting 
reports to multiple DCMs.
---------------------------------------------------------------------------

    \366\ CME 20; CME III 4.
---------------------------------------------------------------------------

    With regard to specific cost estimates, CME stated that the 
Commission has significantly underestimated the ongoing costs to DCMs 
of complying with the NPRM's requirement to periodically review AT 
Person and clearing FCM compliance reports and books and records, and 
to identify and

[[Page 85369]]

remediate any insufficient mechanisms, policies and procedures 
discovered. In the NPRM, the Commission estimated that it would cost 
each DCM approximately $244,080 per year to comply with NPRM proposed 
Sec.  40.22. CME believes this estimate is deficient by approximately 
50% and estimated the annual cost for each of its four DCMs to be 
closer to $525,000, assuming that across all four DCMs, approximately 
650 entities would come within the scope of the proposed compliance 
report requirements and that each entity would be reviewed once every 
four years (across all four DCMs). CME estimated that it would take 
approximately one month for a full-time employee to complete each 
review. According to CME, the biggest flaw in the CFTC's analysis is 
its assumption that new full-time employees dedicated to compliance 
with Sec.  40.22 would not be required. Moreover, for the compliance 
report to provide any meaningful benefit to market integrity, DCM 
personnel would need to spend far more than 15 hours reviewing each 
report and related books and records.\367\
---------------------------------------------------------------------------

    \367\ CME at 22.
---------------------------------------------------------------------------

    MGEX commented that costs are likely to be higher for DCMs than 
those calculated by the Commission, especially for the requirement that 
DCMs review, analyze and remediate compliance programs of AT 
Persons.\368\ In extremis, elevated costs could leave the marketplace 
in a situation of reduced competition between DCMs. MGEX provided 
estimates for the costs associated with DCM compliance, and stated that 
the per-form review time would exceed the Commission's 15 hour estimate 
because such forms would not be standardized. MGEX indicated that the 
review process would require the hiring of at least two additional full 
time employees. Finally, MGEX argued that these costs are especially 
burdensome for smaller DCMs, stating: ``[T]he costs associated with new 
compliance obligations disproportionally impacts existing DCMs. With 
every new compliance obligation, there are new costs. For smaller DCMs, 
the cost are often more severe. This is because smaller DCMs do not 
have the benefit of large staffs and resources to leverage. Put 
differently, it is more likely smaller DCMs will have to hire 
additional staff to meet new compliance obligations, and therefore 
their cost assessment is fundamentally different than larger DCM.'' 
\369\
---------------------------------------------------------------------------

    \368\ MGEX 25-26.
    \369\ Id. at 27.
---------------------------------------------------------------------------

    Costs and Benefits to Market Participants and FCMs: MFA commented 
that Regulation AT reporting, compliance and recordkeeping costs far 
outweigh the benefits, and proposed that reporting/compliance could be 
incorporated in the NFA review program which is already CPO/CTA common 
practice.\370\
---------------------------------------------------------------------------

    \370\ MFA 9
---------------------------------------------------------------------------

    FIA recommended that each AT Person periodically review and test 
the effectiveness of its policies and procedures related to Algorithmic 
Trading and take prompt action to remedy any deficiencies.\371\ 
However, because there is no materiality threshold associated with the 
remediated deficiencies in the proposed rule, FIA does not support 
documenting each incident of remediation. FIA indicated that many 
deficiencies are immaterial and the costs associated with their 
documentation would outweigh the marginal benefit, if any. In addition, 
FIA asserted that extensive documentation of policies and procedures 
associated with trading system design, development, testing, 
operations, and compliance does little to reduce any perceived risks 
associated with Algorithmic Trading. FIA stated that the application of 
sound policies and procedures, rather than the documentation of those 
policies and procedures, has a material impact on reducing risk.\372\
---------------------------------------------------------------------------

    \371\ FIA A-63.
    \372\ Id. at A-73.
---------------------------------------------------------------------------

    FIA opposes requiring AT Persons or clearing member FCMs to prepare 
annual reports because, among other things, the burden of preparing and 
filing an annual report may be extensive, especially if Regulation AT 
applies to AT Persons of different sizes and complexities.\373\ FIA 
noted that IBs, CTAs, CPOs who are small entities may be 
disproportionately adversely impacted by Regulation AT. FIA also argued 
that since FCMs are already required to prepare CCO Annual Reports 
under Sec.  3.3 and subject to risk management requirements under 
Sec. Sec.  1.11 and 1.73, there is no marginal benefit in requiring 
FCMs to produce an additional annual report. FIA expects that such a 
report would cost substantially higher than the Commission's estimates.
---------------------------------------------------------------------------

    \373\ Id. at A-91-A-92.
---------------------------------------------------------------------------

    CME commented that the ``proposed requirement that AT Persons and 
clearing FCMs prepare and submit extensive annual compliance reports to 
DCMs creates an unnecessary administrative burden on all parties 
involved without providing significant benefit to market integrity.'' 
\374\ In addition, a Roundtable participant representing an FCM 
estimated that the compliance costs for Regulation AT would be $1 
million annually for the participant's firm.\375\ Another Roundtable 
participant questioned whether all FCMs could afford that cost and 
suggested that ``we could potentially lose'' some FCMs.\376\
---------------------------------------------------------------------------

    \374\ CME III 4.
    \375\ ABN AMRO, Roundtable Tr. 176: 13-17.
    \376\ OneChicago, Roundtable Tr. 197: 11-15.
---------------------------------------------------------------------------

e. Requirements for Certain Entities to Register as New Floor Traders
    MFA commented that, as currently proposed, Regulation AT would 
apply to the majority of futures market participants, significantly 
increasing compliance costs relative to a framework where risk controls 
are applied at the DCM and clearing-FCM level. Specifically, MFA stated 
that it ``is concerned that the Regulation AT framework is overly broad 
and elaborate, which would make implementation expensive and burdensome 
for market participants and regulators. Regulation AT, as proposed, 
would regulate--in the same manner--virtually any market participant 
that uses any automation with respect to trading, without taking into 
consideration the type of automation or the different category, 
business or operational size of the market participant. Based on the 
Commission's own cost-benefit and regulatory flexibility analyses, we 
believe this is not the Commission's intent.'' MFA acknowledged that 
risk controls are appropriate for all entities, but requiring the same 
risk controls at all levels of trading is unreasonably costly.\377\
---------------------------------------------------------------------------

    \377\ MFA 5-6.
---------------------------------------------------------------------------

    The Commercial Alliance commented that a quantitative measure to 
identify the population of AT Persons ``would require the CFTC to 
revise the metric frequently'' and such revisions would ``increase 
costs for market participants to update their IT systems and monitoring 
practices accordingly, which could cause a lag in the markets and 
reduce liquidity.'' \378\ The Commercial Alliance further commented 
that a registration framework for AT Persons would ``impose significant 
cost burdens to market participants'' but would not provide any 
``additional regulatory benefit.'' \379\
---------------------------------------------------------------------------

    \378\ Commercial Alliance III 3.
    \379\ Id. at III 6.
---------------------------------------------------------------------------

3. The Commission's Cost-Benefit Consideration of Regulation AT--
Baseline Point
    In the NPRM, the Commission took account of the incremental costs 
and

[[Page 85370]]

benefits of the proposed rules relative to what it understood as the 
general industry status quo conditions (reflective of the Commission's 
existing regulations and industry best practices). As noted in the 
NPRM, elements of Regulation AT sought to codify existing norms and 
best practices of trading firms, FCMs, and DCMs, meaning that the costs 
and benefits to firms already satisfying these norms and employing the 
proposed codified practices would be minimal. The Commission, however, 
also recognized in the NPRM that some individual firms currently may 
not be operating at industry best practice levels; for such firms, 
costs and benefits attributable to the proposed regulations will be 
incremental to a lower status quo baseline.
    To assist the Commission and the public in assessing and 
understanding the economic costs and benefits of the Supplemental 
proposed rules as revised in this Supplemental NPRM, the Commission 
has, in general, analyzed the costs of the proposed regulations as 
compared to the analogous regulations as proposed in the original 
NPRM.\380\ In doing so, the Commission notes how the Supplemental 
proposed rules alter the previous NPRM assessment relative to the 
status quo baseline. As noted in the NPRM, in many instances, full 
quantification of the costs is not reasonably feasible because costs 
depend on the size, structure, and practices of trading firms, FCMs and 
DCMs. Within each category of entity, the size, structure and practices 
of such entities will vary markedly. In addition, the quantification 
may require information or data, some of which may be proprietary, that 
the Commission lacks means to access. Further, with exceptions noted in 
the IX.A.2 discussion of cost-benefit comments, interested parties have 
not provided information in response to the Concept Release and NPRM to 
assist the Commission in quantifying costs. The Commission notes that 
to the extent that the regulations proposed in this rulemaking result 
in additional costs, those costs will be realized by trading firms, 
FCMs and exchanges in order to protect market participants and the 
public. Finally, in general, full quantification of the benefits of the 
proposed rule is also not reasonably feasible, due to the difficulty in 
quantifying the benefits of a reduction in market disruptions and other 
significant market events due to the risk controls and other measures 
proposed in Regulation AT.
---------------------------------------------------------------------------

    \380\ The Commission notes that the costs and benefits of NPRM 
Sec.  1.81(vi), regarding the source code and log file retention, 
were not explicitly discussed in the NPRM. Therefore, as discussed 
below, for Supplemental proposed Sec.  1.84, the Commission is using 
current industry practice as the baseline.
---------------------------------------------------------------------------

4. The Commission's Cost-Benefit Consideration of Regulation AT--Cross-
Border Effects
    The Commission notes that the consideration of costs and benefits 
below is based on the understanding that the markets function 
internationally, with many transactions involving U.S. firms taking 
place across international boundaries; with some Commission registrants 
being organized outside of the United States; with leading industry 
members typically conducting operations both within and outside the 
United States; and with industry members commonly following 
substantially similar business practices wherever located. Where the 
Commission does not specifically refer to matters of location, the 
below discussion of costs and benefits refers to the effects of the 
proposed rules on all activity subject to the proposed and amended 
regulations, whether by virtue of the activity's physical location in 
the United States or by virtue of the activity's connection with or 
effect on U.S. commerce under CEA section 2(i).\381\ In particular, the 
Commission notes that some AT Persons are located outside of the United 
States.
---------------------------------------------------------------------------

    \381\ 7 U.S.C. 2(i).
---------------------------------------------------------------------------

5. Introduction: The NPRM and Supplemental NPRM for Regulation AT
    The consideration of costs and benefits for this Supplemental NPRM 
for Regulation AT builds on the cost-benefit considerations contained 
in the NPRM. Regulation AT reflects a comprehensive effort to reduce 
risk and increase transparency across algorithmic order origination and 
electronic trade execution on all U.S. futures exchanges. The proposed 
rules, both in the NPRM and the Supplemental NPRM, seek to modernize 
the Commission's regulatory regime, keep pace with evolving markets and 
technologies, and to promote the continued safety and soundness of 
trading on all contract markets. The Commission is endeavoring, through 
this Supplemental NPRM, to incorporate persuasive comments received 
during numerous opportunities for public comment, and to address 
concerns raised by market participants including concerns related to 
the costs and benefits of Regulation AT as proposed in the NPRM. Many 
of the changes in the Supplemental NPRM are designed to mitigate cost 
concerns while retaining the important benefits of Regulation AT. For 
example, as discussed below, the Commission is proposing to reduce the 
number of levels at which risk controls are typically applied to two 
(the DCM and either the FCM or AT Person) from three (the DCM, FCM, and 
AT Person) and proposing a volume threshold to limit the number of AT 
Persons under the Supplemental NPRM relative to the number of AT 
Persons under the NPRM. Both of these changes are designed to reduce 
costs while retaining the essential benefits associated with the risk 
controls and the rules applicable to AT Persons.
6. Proposed New Definitions and Changes to NPRM Proposed Definitions
    The Commission proposes in this Supplemental NPRM new defined terms 
``Electronic Trading'' and ``Electronic Trading Order Message'' as well 
as ``Algorithmic Trading Source Code.'' The Commission also proposes to 
modify certain definitions proposed in the NPRM, including ``Direct 
Electronic Access'' (``DEA'') and ``AT Order Message.'' Finally, the 
Commission in this Supplemental NPRM changes various references in 
Regulation AT from ``clearing member'' to ``executing'' FCM. The 
Commission believes that these definitions and changes in terminology 
do not impose costs or confer benefits in and of themselves. However, 
as discussed below, changes in definition or new definitions may affect 
the costs and benefits of rules where defined terms are used.
7. Requirements for AT Persons
a. Summary of Proposal
    The Commission proposes changes to modify the definition of AT 
Person. Pursuant to Supplemental proposed Sec.  1.3(xxxx), a market 
participant may fall under the definition of AT Person in one of three 
ways. First, the category of AT Persons includes persons registered or 
required to be registered as an FCM, floor broker, swap dealer, major 
swap participant, commodity pool operator, commodity trading advisor, 
or introducing broker that (1) engages in Algorithmic Trading and (2) 
satisfies the volume threshold of 20,000 contracts traded per day over 
a six month period under Supplemental proposed Sec.  1.3(x)(2).\382\ 
Second, AT Persons include New Floor Traders under Supplemental 
proposed Sec.  1.3(x)(1)(iii).\383\ Such New Floor Traders must engage 
in Algorithmic Trading, utilize DEA under the revised

[[Page 85371]]

definition,\384\ and satisfy the volume threshold under Supplemental 
proposed Sec.  1.3(x)(2). Third, a person who does not satisfy either 
of the other two prongs of the AT Person definition may nevertheless 
elect to become an AT Person, provided that such person registers as a 
floor trader and complies with all requirements of AT Persons pursuant 
to Commission regulations.\385\ Further, Supplemental proposed Sec.  
1.3(x)(4) contains an anti-evasion provision prohibiting the trading of 
contracts through multiple entities for the purpose of evading the 
registration requirements imposed on New Floor Traders under Sec.  
1.3(x)(3), or to avoid meeting the definition of AT Person under Sec.  
1.3(xxxx).
---------------------------------------------------------------------------

    \382\ See Supplemental proposed Sec.  1.3(xxxx)(1)(i).
    \383\ See Supplemental proposed Sec.  1.3(xxxx)(1)(ii).
    \384\ Under the revised definition in Sec.  1.3(yyyy), DEA 
includes any electronic order submissions to a DCM, unless the order 
is first received by an FCM from a separate natural person by means 
of written or oral communication prior to being submitted to the DCM 
by the FCM.
    \385\ See Supplemental proposed Sec.  1.3(xxxx)(2).
---------------------------------------------------------------------------

    Under the volume threshold, if a floor trader or other registrant 
who is a potential AT Person (including other entities under common 
control) trades an aggregate average daily volume on electronic trading 
facilities across all products and all DCMs of at least 20,000 
contracts, including for a firm's own account, the accounts of 
customers, or both,\386\ over a six-month period (either January-June 
or July-December), that registrant will be an AT Person.
---------------------------------------------------------------------------

    \386\ As discussed above in Section II(C), New Floor Traders who 
are not otherwise registered with the Commission would be expected 
to trade only for their own accounts, not on behalf of customers. 
Absent any trading for a customer account consistent with the Act 
and Commission regulations, New Floor Traders would therefore be 
expected to apply the volume threshold test solely to their 
proprietary trading volume.
---------------------------------------------------------------------------

    Further, under NPRM proposed Sec.  170.18, AT Persons also must 
register for membership in at least one RFA. Supplemental proposed 
Sec.  170.18 clarifies that an AT Person not yet a member of an RFA 
must submit an application for membership in at least one RFA within 30 
days of such registrant satisfying the volume test set forth in 
Supplemental proposed Sec.  1.3(x)(2).
    Finally, under Supplemental proposed Sec.  1.3(xxxx)(2), an entity 
may voluntarily choose to become an AT Person even if it does not 
otherwise meet the definition of AT Person by choosing to register as a 
floor trader and applying for membership with an RFA.
b. Costs
    The NPRM's cost-benefit considerations for rules applicable to AT 
Persons, and for rules on other market participants that depend on the 
number of AT Persons (i.e., Sec.  40.22 DCM compliance report review 
program), were based on an estimate of 420 AT Persons. That estimate 
was based on a sample of order messages sent to DCMs and was based on 
the NPRM proposed definition of DEA.\387\ This data included new 
orders, modifications to orders, and cancellations, and the methodology 
for estimating that number was specified in the NPRM.\388\
---------------------------------------------------------------------------

    \387\ Under NPRM proposed Sec.  1.3(yyyy), DEA was defined as an 
arrangement where a person electronically transmits an order to a 
DCM, without the order first being routed through a separate person 
who is a member of a DCO to which the DCM submits transactions for 
clearing.
    \388\ NPRM at 78884.
---------------------------------------------------------------------------

    In response to comments asserting that the actual number of AT 
Persons under the proposed rule would be much larger than the 420 
entities estimated the Commission, the Commission is proposing a volume 
threshold to limit the number of AT Persons. The volume threshold would 
be set at 20,000 contracts aggregated across a market participant's own 
account, the accounts of customers, or both, over a six-month period. 
The Commission estimates that the proposed volume threshold will reduce 
the number of AT Persons to approximately 120.
    In order to derive this estimate, the Commission made use of daily 
trading audit trail data, for futures and options on futures, received 
from each DCM. Because the volume threshold is based on activity within 
a semi-annual period, the Commission calculated the average activity of 
individual firms during the first half of 2016 and used these aggregate 
numbers as an activity benchmark. Aggregating this activity across the 
DCMs for which the Commission had firm identification provided a basis 
for estimating the number of potential AT Persons. The Commission notes 
that its data provides a significantly comprehensive, but not a full, 
identification of the firms associated with each trade; in other cases, 
the firm associated with a trade may be the broker rather than the 
principal. For these reasons, the Commission estimate for the number of 
AT Persons may omit some firms that would meet the volume threshold 
requirements.
    The Commission notes that the definition of ``Direct Electronic 
Access'' is an element of the definition of ``floor trader'' and, thus, 
AT Person. The Commission is modifying the definition of DEA. Under 
Supplemental proposed Sec.  1.3(yyyy), DEA includes any electronic 
order submissions to a DCM, unless the order is first received by an 
FCM from an unaffiliated natural person by means of written or oral 
communication prior to being submitted to the DCM by the FCM. This 
definition, in and of itself, is broad enough to potentially include 
most participants on DCMs. However, merely meeting the definition of 
DEA will not impose costs on market participants trading for their own 
account who are not AT Persons; that is, to incur costs, they must also 
engage in Automated Trading and meet the volume threshold.
    The clarifying changes to Supplemental proposed Sec.  170.18 should 
not materially affect the costs associated with the RFA membership 
requirement for AT Persons. Supplemental proposed Sec.  1.3(xxxx)(2), 
which permits an entity to voluntarily become an AT Person, does not 
impose any mandatory costs since it does not require anyone who 
otherwise does not meet the definition of AT Person to become an AT 
Person. An entity that does voluntarily become an AT Person presumably 
has determined that the benefits of doing so warrant accepting the 
costs imposed on AT Persons.
c. Benefits
    The volume threshold and changes to the definition of AT Person 
will limit the number of firms subject to Regulation AT while 
preserving the benefits of Regulation AT for the larger firms trading 
on DCMs. The Commission believes that the benefits associated with 
requirements such as risk controls, testing and monitoring, 
recordkeeping, and other provisions applicable to AT Persons are 
greatest for this subset of market participants because errors related 
to malfunctions at the firms with highest activity will likely have the 
largest impact on other market participants and the market as a whole. 
As evidence for this, FIA indicated in its December 2013 response to 
the Concept Release that most, if not all, large automated firms have 
extensive risk controls across all of their algorithmic activity, often 
calibrated at multiple levels, along with other quality control schemes 
to minimize the chance of error.\389\ Such firms, understanding the 
effect they may have on the marketplace due to unanticipated behavior, 
have voluntarily chosen to incorporate measures similar to those 
required in Regulation AT to mitigate these risks. The anti-evasion 
provisions will help ensure that entities that should be AT Persons are 
not able to readily avoid AT Person status by trading through multiple 
entities.
---------------------------------------------------------------------------

    \389\ FIA, Comment in Response to Concept Release (Dec. 11, 
2013).

---------------------------------------------------------------------------

[[Page 85372]]

    The clarifying changes to Supplemental proposed Sec.  170.18 should 
not materially affect the benefits associated with the RFA membership 
requirement for AT Persons. Supplemental proposed Sec.  1.3(xxxx)(2), 
which permits an entity to voluntarily become an AT Person, provides an 
entity that does not otherwise meet the definition of AT Person with 
the flexibility to become an AT Person so that it can realize the 
benefits of implementing its own risk controls, rather than accepting 
an FCM's risk controls.
d. Consideration of Alternatives
    The Commission considered not adopting a registration requirement 
for AT Persons in response to comments. This would have made the 
definition of DEA and the volumetric threshold unnecessary. However, 
the Commission continues to believe that there are certain larger 
market participants whose automated trading represents an elevated risk 
to market integrity and who, for the protection of market participants 
and the public, should therefore be subject to enhanced oversight 
relative to other market participants. The Commission also considered 
not using a volume threshold or other quantitative threshold (as 
suggested by some commenters) and instead responding to commenter 
concerns that the NPRM would capture substantially more than 420 AT 
Persons by revising the definition of DEA so that the term captures a 
narrower scope of trading activity. The Commission was unable to 
identify a definition of DEA that would reduce the number of AT Persons 
and provide a low-cost way for entities to determine whether they are 
AT Persons as defined under Regulation AT. The Commission thus 
determined to propose a quantitative threshold (i.e., the volume 
threshold test), while at the same time defining DEA broadly.
    The Commission considered other quantitative metrics including 
tests proposed by ESMA for identifying high-frequency traders in 
European markets, i.e., average resting order times and daily number of 
messages sent by a trading entity. However, the new AT Person category 
is intended to ensure that risk management, testing and monitoring 
standards are sufficiently high for the class of market participants 
who are largest, regardless of strategy or firm type. The Commission 
believes that volume is a key element of market processes such as price 
discovery and risk transfer, is simpler than other potential metrics, 
and can be calculated at lower cost than metrics such as average order 
resting times and message frequency.
    The Commission also considered volume thresholds at other levels 
higher and lower than 20,000 contracts. However, the Commission has 
preliminarily determined that 20,000 contracts will result in the 
registration of those firms for whom Regulation AT proposed rules 
applicable to AT Persons are needed most and will provide the greatest 
benefit.
e. Commission Questions
    39. Beyond specific questions concerning specific Supplemental 
proposed rules interspersed throughout its discussion, the Commission 
generally requests comment on all aspects of its consideration of costs 
and benefits of this Supplemental NPRM, including: (a) Identification, 
quantification, and assessment of any costs and benefits not discussed 
therein; (b) whether any of the proposed regulations may cause FCMs or 
DCMs to raise their fees for their customers, or otherwise result in 
increased costs for market participants and, if so, to what extent; (c) 
whether any category of Commission registrants will be 
disproportionately impacted by the proposed regulations, and if so 
whether the burden of any regulations should be appropriately shifted 
to other Commission registrants; (d) what costs, if any, would likely 
arise from market participants engaging in regulatory arbitrage by 
restructuring their trading activities to trade on platforms not 
subject to the proposed regulations, or taking other steps to avoid 
costs associated with the proposed regulations; (e) quantitative 
estimates of the impact on transaction costs and liquidity of the 
proposals contained herein; (f) the potential costs and benefits of the 
alternatives that the Commission discussed in this release, and any 
other alternatives appropriate under the CEA that commenters believe 
would provide superior benefits relative to costs; (g) data and any 
other information to assist or otherwise inform the Commission's 
ability to quantify or qualitatively describe the benefits and costs of 
the proposed rules; and (h) substantiating data, statistics, and any 
other information to support positions posited by commenters with 
respect to the Commission's consideration of costs and benefits.
    40. As noted above, some commenters opined that the NPRM would 
capture substantially more than 420 AT Persons. Is there a definition 
of DEA that should be adopted that would appropriately limit the scope 
of the definition of AT Person, without use of a quantitative 
threshold? Further, is there a definition of DEA that would serve as a 
low-cost method of enabling entities to determine if they are AT 
Persons?
    41. Are there quantitative thresholds other than volume that would 
provide a superior cost-benefit profile to the Commission's proposal?
    42. Would a volume threshold at levels higher or lower than 20,000 
contracts provide a superior cost-benefit profile to the Commission's 
proposal?
    43. Should volume threshold calculations exclude or weigh 
differently spread trades or any other types of trades, and if so, 
should the volume threshold level be adjusted? What are the costs and 
benefits of excluding or weighing differently certain types of trades?
8. Source Code Retention and Inspection Requirements
a. Summary of New Proposal
    Under the NPRM proposal, each AT Person was required to maintain a 
``source code repository'' to manage source code access, persistence, 
copies of all code used in the production environment, and changes to 
such code. Such source code repository was required to include an audit 
trail of material changes to source code that would allow AT Persons to 
determine, for each such material change: Who made it; when they made 
it; and the coding purpose of the change. The NPRM also required that 
AT Persons maintain source code in accordance with Sec.  1.31 and make 
source code available for inspection by Commission staff and the 
Department of Justice pursuant to Sec.  1.31.
    Under Supplemental proposed Sec.  1.84, AT Persons are required to 
retain (to the extent that they are generated by an AT Person) three 
categories of records for a period of five years: (1) Algorithmic 
Trading Source Code; (2) records that track changes to Algorithmic 
Trading Source Code; and (3) log files that record the activity of the 
AT Person's Algorithmic Trading system. Instead of making Algorithmic 
Trading Source Code available for inspection by Commission staff and 
the Department of Justice pursuant to Sec.  1.31, under Supplemental 
proposed Sec.  1.84, action by the Commission itself would be required, 
either in the form of a special call for these records or pursuant to a 
subpoena. The Commission may authorize the Director of the Division of 
Market Oversight to execute the special call, and to specify the form 
and manner in which the required records must be produced. This 
procedure is similar to the procedure for the Commission to

[[Page 85373]]

grant subpoena power to staff. The Commission will retain the authority 
to grant subpoena power with respect to Algorithmic Trading Source 
Code, change logs, and log files.
b. Costs
    The Commission estimates that a typical AT Person without the 
hardware and software in place to maintain the records required by 
Supplemental proposed Sec.  1.84(a) would incur a cost of $41,840 to 
purchase and set up the required hardware and software, migrate 
existing Algorithmic Trading Source Code and logs into the software, 
draft appropriate recordkeeping policies and procedures and make 
technology improvements to recordkeeping infrastructure. This cost is 
broken down as follows: Hardware costing $12,000,\390\ software costing 
$2,000,\391\ 1 Project Manager for the Algorithmic Trading Source Code 
and log migration effort, working for 60 hours (60 x $70 = $4,200); 1 
Developer for the Algorithmic Trading Source Code and log migration 
effort, working for 60 hours (60 x $75 = $4,500), 1 Project Manager to 
develop the related policies and procedures, working for 120 hours (120 
x $70 = $8,400), 1 Business Analyst to develop the related policies and 
procedures, working for 120 hours (120 x $52 = $6,240), and 1 Developer 
to develop the related policies and procedures, working for 60 hours 
(60 x $75 = $4,500). The 120 AT Persons therefore would incur a total 
initial cost of $5,020,800 (120 x $41,840).
---------------------------------------------------------------------------

    \390\ The Commission estimates that the hardware could cost from 
$1,000 to $25,000 depending on factors including which hardware 
vendor an AT Person chooses, the amount of business the AT Person 
does with the hardware vendor and the pricing the hardware vendor 
provides the AT Person as a result.
    \391\ The Commission estimates that the software could cost from 
$0 to $5,000 depending on factors including which hardware vendor an 
AT Person chooses, the amount of business the AT Person does with 
the hardware vendor and the pricing the hardware vendor provides the 
AT Person as a result.
---------------------------------------------------------------------------

    The Commission estimates that, on an initial basis, an AT Person 
with the hardware and software in place to maintain the records 
required by Supplemental proposed Sec.  1.84(a) would incur a cost of 
$12,160 to purchase and set up the required hardware and software, 
migrate existing Algorithmic Trading Source Code and logs into the 
software, draft appropriate recordkeeping policies and procedures and 
make technology improvements to recordkeeping infrastructure. This cost 
is broken down as follows: Hardware costing $4,000, 1 Project Manager 
to develop the related policies and procedures, working for 30 hours 
(30 x $70 = $2,100), 1 Business Analyst to develop the related policies 
and procedures, working for 30 hours (30 x $52 = $1,560), and 1 
Developer to develop the related policies and procedures, working for 
60 hours (60 x $75 = $4,500). The 120 AT Persons therefore would incur 
a total initial cost of $1,459,200 (120 x $12,160).
    The Commission also has estimated the cost of complying with 
Supplemental proposed Sec.  1.84(b), which require AT Persons to 
produce records of Algorithmic Trading in response to a special call. 
The Commission estimates that, on an annual basis, an AT Person will 
incur a cost of $51,840 to draft and update recordkeeping policies and 
procedures and make technology improvements to recordkeeping 
infrastructure. This cost is broken down as follows: 1 Project Manager, 
working for 36 hours per month x 12 months = 432 hours per year (432 x 
$70 = $30,240); and 1 Developer, working for 24 hours per month x 12 
months = 288 hours per year (288 x $75 = $21,600). The 120 AT Persons 
would therefore incur a total initial cost of $2,894,400 (120 x 
$51,840).
    The Commission does not estimate a specific number of special calls 
per year that AT Persons will receive. Rather, such special calls would 
occur on an intermittent basis and the Commission estimates the cost 
for one response. The Commission estimates that, on an intermittent 
basis, an AT Person will incur a cost of $5,844 to ensure compliance 
with those aspects of Supplemental proposed Sec.  1.84(b) requiring AT 
Persons to produce records of Algorithmic Trading in response to a 
special call. This cost is broken down as follows: 1 Project Manager, 
working for 12 hours (12 x $70 = $840); 1 Developer, working for 36 
hours (36 x $75 = $2,700); and 1 Compliance Attorney, working for 24 
hours (24 x $96 = $2,304). The 120 AT Persons would therefore incur a 
total annual cost of $701,280 (120 x $5,844).
    The Commission expects that AT Persons already retain Algorithmic 
Trading Source Code and log files and to some extent are incurring such 
costs under current practice. The Commission believes that with the 
numerous protections to Algorithmic Trading Source Code confidentiality 
provided in Supplemental proposed Sec.  1.84, including removal of the 
applicability of Sec.  1.31, the various costs attributed to the NPRM 
source code rule by commenters generally do not apply to Supplemental 
proposed Sec.  1.84.
    For more detail on the estimated costs of Sec.  1.84, see Sections 
IX(B)(2)(d) and (e) below.
c. Benefits
    As noted, Supplemental proposed Sec.  1.84 is first and foremost a 
recordkeeping rule. Requiring AT Persons to retain Algorithmic Trading 
Source Code and log files will ensure that the Commission is able to 
access this information (through a special call or subpoena) on the, 
presumably infrequent, occasions when it is needed to investigate or 
inquire into an Algorithmic Trading Compliance Issue or disruption. 
Supplemental proposed Sec.  1.84(b), which would require the Commission 
to issue a special call in order to enable Commission staff to review 
Algorithmic Trading Source Code and log files as part of its market 
oversight responsibilities. The Commission could also access source 
code by issuing subpoenas that are typically used in enforcement 
investigations. For example, the Commission might issue a special call 
to inquire into a market disruption without launching a formal 
enforcement investigation or implying that the disruption was caused by 
a violation of the CEA or Commission regulations. Further, Commission 
access to Algorithmic Trading Source Code and log files should not 
compromise their integrity as trade secrets or other confidential 
information; the confidentiality provisions of Supplemental proposed 
Sec.  1.84(b)(3) are designed to preserve their confidential status. 
The Commission notes that Supplemental proposed Sec.  1.84(b)(3) is in 
addition to existing confidentiality protections provided in section 
8(a) of the Act.
d. Consideration of Alternatives
    The Commission considered the alternative of maintaining the NPRM 
proposal that Algorithmic Trading Source Code would be subject to the 
inspection and production provisions of Sec.  1.31, but the Commission 
acknowledges the concerns of commenters regarding Algorithmic Trading 
Source Code confidentiality and trade secret preservation and 
determined to provide Algorithmic Trading Source Code and log files 
with the greater protection provided by Supplemental proposed Sec.  
1.84 as compared to Sec.  1.31.
    The Commission also considered not promulgating an Algorithmic 
Trading Source Code rule, but determined that it is essential for the 
protection of market participants and the public to ensure that 
Algorithmic Trading Source Code

[[Page 85374]]

and log file records be retained and, when necessary, made available to 
the Commission.
e. Commission Questions
    44. The Commission requests comment on the costs and benefits of 
Supplemental proposed Sec.  1.84 including the accuracy of its cost 
estimates.
    45. To what extent do AT Persons currently retain Algorithmic 
Trading Source Code and log files and for what period of time?
    46. To what extent do the protections to Algorithmic Trading Source 
Code confidentiality in Supplemental proposed Sec.  1.84 address the 
concerns of commenters regarding the NPRM proposed Sec.  1.81(a)(1)(vi) 
Algorithmic Trading Source Code rule, particularly with respect to 
costs and benefits?
9. Testing, Monitoring and Recordkeeping Requirements in the Context of 
Third-Party Providers
a. Summary of New Proposal
    NPRM proposed Sec.  1.81(a) required AT Persons to implement 
written policies and procedures for the development and testing of 
ATSs. Among other things, such policies and procedures must at a 
minimum include documenting the strategy and design of proprietary 
Algorithmic Trading software, as well as any changes to software that 
are implemented in a production environment, pursuant to NPRM proposed 
Sec.  1.81(a)(v). Under NPRM proposed Sec.  1.81(a)(vi), a source code 
repository was required to be maintained, as discussed above.
    Supplemental proposed Sec.  1.85 allows AT Persons who are unable 
to comply with a particular development and testing requirement \392\ 
or a particular maintenance or production requirement related to 
Algorithmic Trading strategy (including Algorithmic Trading Source Code 
and log files),\393\ due solely to their use of third-party system 
components, to obtain a certification that the third party is complying 
with the obligation. AT Persons would need to obtain a new 
certification whenever there is a material change to the third-party 
system or system components. The proposed rule also would require AT 
Persons to conduct due diligence regarding the accuracy of the 
certification. In addition, in all cases, under the Supplemental NPRM, 
an AT Person is responsible for ensuring that records are retained and 
produced as required pursuant to Supplemental proposed Sec.  1.84 from 
third-party providers.
---------------------------------------------------------------------------

    \392\ See NPRM proposed Sec. Sec.  1.81(a)(1)(i), 
1.81(a)(1)(iii), and 1.81(a)(1)(iv), and Supplemental NPRM proposed 
Sec.  1.81(a)(1)(ii).
    \393\ See Supplemental proposed Sec.  1.84.
---------------------------------------------------------------------------

b. Costs
    Costs to AT Persons: As discussed in further detail in the PRA 
section, the Commission estimates that each AT Person will incur a one-
time cost of $4,884 to establish the process for initially obtaining 
the third-party certifications permitted by Supplemental proposed Sec.  
1.85, conduct the related due diligence and obtain the initial 
certifications. This cost is broken down as follows: 1 Project Manager, 
working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney, 
working for 24 hours (24 x $96 = $2,304); and 1 Developer working for 
12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely 
on Sec.  1.85 would therefore incur a total one-time cost of $586,080 
(120 x $4,884).
    The Commission expects that the approximately 120 AT Persons, on 
average, will need to review approximately one certification each, 
assuming that some AT Persons use more than one third-party system or 
system component, while others use only their own systems. For purposes 
of this cost analysis, the Commission estimates that an AT Person will 
need to acquire a new certification approximately once per year due to 
a material change in the third-party system or component. The 
Commission estimates that, on an annual basis, an AT Person will incur 
a cost of $2,892 to obtain the third-party certifications permitted by 
Supplemental proposed Sec.  1.85 and conduct the related due 
diligence.\394\ This cost is broken down as follows: 1 Project Manager, 
working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working 
for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours 
(12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.  
1.85 would therefore incur a total annual cost of $347,040 (120 x 
$2,892).
---------------------------------------------------------------------------

    \394\ The Supplemental NPRM does not set forth the means by 
which due diligence must be conducted. The Commission expects that 
due diligence may take a variety of forms, including but not limited 
to, email exchanges, teleconferences, reviews of files, and in-
person meetings.
---------------------------------------------------------------------------

    The provision making an AT Person responsible for ensuring that 
records are retained and produced as required pursuant to Supplemental 
proposed Sec.  1.84, should not impose direct costs on AT Persons 
unless there is an instance the third party is found to have failed to 
retain and produce records. The costs, in such an event, would depend 
on the nature and extent of the violation, and it is not reasonably 
feasible for the Commission to quantify such costs at this time.
    The Commission also anticipates that an AT Person will incur a one-
time cost of $2,304 to re-write its contracts with third parties, so 
that the AT Persons can comply with the recordkeeping and production 
provisions of Supplemental proposed Sec.  1.84. This cost is broken 
down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96 
per hour = $2,304).
    AT Persons may incur additional costs as a result of Supplemental 
proposed Sec.  1.85, depending on the response of third-party providers 
to implementation of the rule. It is possible that third-party 
providers may pass on the costs that they incur as a result of 
Supplemental proposed Sec.  1.85 to their AT Person customers (or all 
of their customers) in the form of higher prices or an AT Person 
surcharge.
    Costs to Third-Party Providers: The Commission expects that all 
third-party providers combined will need to provide approximately 120 
certifications to the 120 AT Persons, assuming that some AT Persons use 
more than one third-party system or system component, while others use 
only their own systems. For purposes of this cost-benefit analysis, the 
Commission estimates that a third-party provider will need to provide a 
new certification to its AT Person customers approximately once per 
year due to a material change in the third-party system or component. 
The Commission also expects third-party providers to cooperate with AT 
Person due diligence for each certification provided, for a total of 
120 due diligence occurrences.
    The Commission estimates that each third-party provider will incur 
a one-time cost of $4,884 to establish the process for initially 
providing the third-party certifications permitted by Supplemental 
proposed Sec.  1.85 and cooperating with AT Persons conducting the 
related due diligence. The Commission estimates that there will be a 
total of 50 third-party service providers to AT Persons for their ATSs 
or components, and seeks comment on this estimate. The one-time $4,884 
cost for each third-party provider is broken down as follows: 1 Project 
Manager, working for 24 hours (24 x $70 = $1,680); 1 Compliance 
Attorney, working for 24 hours (24 x $96 = $2,304); and 1 Developer 
working for 12 hours (12 x $75 = $900). The estimated 50 third parties 
that provide certifications pursuant to Supplemental proposed Sec.  
1.85 would therefore incur a total annual cost of $244,200 (50 x 
$4,884).

[[Page 85375]]

    The Commission estimates that, on an annual basis, an average third 
party will incur a cost of $2,892 to provide AT Persons the third-party 
certifications permitted by Supplemental proposed Sec.  1.85 and 
cooperate with AT Persons conducting the related due diligence. This 
cost is broken down as follows: 1 Project Manager, working for 12 hours 
(12 x $70 = $840); 1 Compliance Attorney, working for 12 hours (12 x 
$96 = $1,152); and 1 Developer working for 12 hours (12 x $75 = $900). 
The estimated 50 third parties that will rely on Sec.  1.85 would 
therefore incur a total annual cost of $146,600 (50 x $2,892).
    In addition to the costs of providing certifications, the 
Commission anticipates that third-party providers will incur additional 
costs relating to Supplemental proposed Sec.  1.85(a), which 
contemplates that third parties will provide to AT Persons systems or 
components that comply with NPRM proposed Sec. Sec.  1.81(a)(1)(i), 
1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed 
Sec. Sec.  1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an 
annual basis, a third party will incur costs to comply with the 
proposed rules listed above that are comparable to the costs that an AT 
Person would incur to comply with such rules. The estimated costs for 
an AT Person to comply with Supplemental proposed Sec.  1.84 are 
discussed in Section IX(A)(8) above. The estimated costs for an AT 
Person to comply with proposed Sec.  1.81(a) were discussed in detail 
in the NPRM.\395\
---------------------------------------------------------------------------

    \395\ See NPRM at 78900. In the NPRM, the Commission estimated 
that an AT Person that has not implemented any of the requirements 
of proposed Sec.  1.81(a) (development and testing of ATSs) would 
incur a total cost of $349,865 to implement those requirements. This 
cost was broken down as follows: 1 Project Manager, working for 
1,707 hours (1,707 x $70 = $119,490); 2 Business Analysts, working 
for a combined 853 hours (853 x $52 = $44,356); 3 Testers, working 
for a combined 2,347 hours (2,347 x $52 = $122,044); and 2 
Developers, working for a combined 853 hours (853 x $75 = $63,975). 
The Commission notes that this calculation would apply only to third 
parties that have not implemented any of the requirements of 
proposed Sec.  1.81(a). However, the Commission anticipates that 
many third-party providers--e.g., software development firms--
already develop and test systems or components in the ordinary 
course of their business. Indeed, the Commission anticipates that 
third-party providers would generally be as sophisticated, if not 
more sophisticated, than AT Persons with respect to the development 
and testing of ATSs. Therefore, the Commission believes that the 
cost of compliance for third parties would be lower than the 
estimate calculated above. In addition, the Commission anticipates 
that compliance costs under Supplemental proposed Sec.  
1.81(a)(1)(ii) will be lower than the costs estimated in the NPRM, 
since the Commission is proposing to eliminate the requirement under 
NPRM proposed Sec.  1.81(a)(1)(ii) that AT Persons must test all 
Algorithmic Trading code and related systems on each DCM on which 
Algorithmic Trading will occur (while retaining a more general 
requirement that AT Persons must test all ATSs).
---------------------------------------------------------------------------

    The Commission also anticipates that a third-party will incur a 
one-time cost of $2,304 to re-write its contracts with AT Persons, so 
that the AT Persons can comply with the recordkeeping and production 
provisions of Supplemental proposed Sec.  1.84. This cost is broken 
down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96 
per hour = $2,304).
    These cost estimates represent an average across all of the 
estimated 50 firms offering ATS systems or components of systems for 
use on DCMs. However, the costs to particular firms will vary depending 
on how many products they offer and how many AT Person customers they 
do business with. For example, the Commission understands that a small 
number of firms have a predominant share in the market for third-party 
provided ATS. Accordingly, the largest providers may have several dozen 
AT Person customers (as well as a much larger number of non-AT Person 
customers) while other firms among these 50 currently may have no or 
few AT Person customers.
    The Commission anticipates that much of the cost of providing 
certifications will result from the initial costs of researching the 
requirements for certifications and creating the first certification. 
The Commission expects that a third-party provider can create a single 
certification for a particular ATS product or component and provide the 
same certification to all AT Person customers using that product. 
Certifications for other software products offered by a third-party 
vendor are likely to be similar to the certification for the initial 
product. Thus, the cost of creating a certification for an additional 
software product is likely to be substantially lower than the cost of 
creating the initial certification. For the same reason, the cost of 
modifying a certification to reflect material changes to a product is 
also likely to be much lower than the cost of creating the initial 
certification. Accordingly, the Commission expects that there will be 
economies of scale associated with providing certifications to AT 
Persons, and costs for firms with many AT Person customers may not be 
substantially greater than such costs for firms with only one AT Person 
customer.
    However, a firm with many AT Person customers is likely to incur 
much higher costs associated with cooperating with AT Person due 
diligence than a firm with only one or a few AT Person customers. This 
is because a third-party provider will have to cooperate with due 
diligence separately for each AT Person customer. If a firm has several 
dozen AT Person customers, it may be necessary for the project manager, 
compliance attorney, and developer noted above to devote an extended 
period of time to cooperating with AT Person due diligence, especially 
following issuance of the initial certification. On subsequent 
occasions when the software changes materially, the provider will again 
have to cooperate with AT Person due diligence, but this is likely to 
be less costly (albeit still significant) than cooperating with the 
initial due diligence. As noted, AT Persons would likely perform some 
due diligence even absent the proposed rule. However, they might 
perceive less need to perform extensive due diligence on firms with 
many AT Person customers and strong reputations than on firms new to 
the market or with few AT Person customers. Moreover, AT Persons may 
tend to perform less due diligence over time, if there are no problems 
and they come to trust their providers. Thus, Supplemental proposed 
Sec.  1.85 may result in more extensive due diligence being performed 
on established firms with many AT Person customers than would occur 
absent the Supplemental proposed rule.
    It is highly likely, especially given the small number of third 
party providers, that these third-party providers will pass on these 
costs to their AT Person customers or to all of their customers. It is 
also possible that third-party providers will elect to avoid these 
costs by no longer providing their systems to AT Persons, especially if 
(as is likely given the small number of AT Persons) AT Persons 
represent a relatively small percentage of their customers.
    For more detail on the estimated costs of Sec.  1.85, see Section 
IX(B)(2)(f).
c. Benefits
    The certification requirements of Supplemental proposed Sec.  1.85 
will improve the safety of ATSs by ensuring that ATSs and components 
provided by third parties to AT Persons are compliant with the 
development and testing requirements of Regulation AT even when the AT 
Persons themselves otherwise are unable to comply with those 
requirements. The due diligence requirements will further ensure that 
third-party systems are compliant with Regulation AT. Moreover, the 
recordkeeping and production requirements of Sec.  1.85(d) (by 
reference to Sec.  1.84(a) and (b)) will ensure the

[[Page 85376]]

Commission is able to access the Algorithmic Trading Source Code and 
log files of third parties via special call to an AT Person or via 
subpoena in the event they are needed to investigate or inquire into a 
disruption. Finally, placing ultimate responsibility for compliance 
with the recordkeeping and production requirements of Supplemental 
proposed Sec.  1.84 with the AT Person will further ensure that the 
benefits of these requirements are fully realized.
d. Consideration of Alternatives
    The Commission considered not requiring AT Persons to conduct due 
diligence of third-party certifications in order to reduce costs, but 
determined that requiring due diligence is essential to market 
integrity and protection of market participants and the public. The 
Commission preliminarily believes that certification alone is not 
sufficient to ensure that third-party systems and components are 
compliant with Regulation AT.
    The Commission also considered making an AT Person ultimately 
responsible for ensuring that third-party systems are compliant with 
the development and testing requirements of Supplemental proposed Sec.  
1.81, but was concerned that this might deter AT Persons from utilizing 
third-party systems for which they are ultimately responsible but lack 
control. Moreover, the Commission preliminarily believes that 
certification and due diligence are sufficient to ensure that the 
benefits of Supplemental proposed Sec.  1.81 are realized with regard 
to third-party systems.
e. Commission Questions
    47. The Commission requests comment on its cost-benefit 
considerations related to Supplemental proposed Sec.  1.85, including 
the accuracy of its cost estimates.
    48. The Commission requests comment on the costs of Sec.  1.85 to 
third-party providers with few AT Person customers as compared to the 
costs to third-party providers with many AT Person customers.
    49. To what extent does requiring due diligence of third-party 
certifications provide additional benefits beyond those of 
certification requirement itself?
    50. To what extent would AT Persons perform due diligence of third-
party certifications absent the proposed rule requiring such due 
diligence?
    51. Would placing ultimate responsibility for third-party 
compliance with Supplemental proposed Sec.  1.81 with the AT Person 
provide benefits beyond those of certification and due diligence?
    52. For purposes of this cost analysis, the Commission estimated 
that an AT Person will need to acquire a new certification 
approximately once per year due to a material change in the third-party 
system or component. Please comment on whether the estimate of a 
material change occurring approximately once per year is an appropriate 
assumption.
    53. The Commission requests any additional quantitative information 
that commenters can provide regarding the costs and benefits of Sec.  
1.85.
    54. How many third parties are actively providing Algorithmic 
Trading software in the futures and option markets on DCMs?
    55. To what extent will third-party providers pass on the costs 
that they incur as a result of Sec.  1.85 to their AT Person customers 
or to all of their customers?
10. Changes to Overall Risk Control Framework
a. Summary of New Proposal
    NPRM proposed Sec. Sec.  1.80, 1.82, 38.255 and 40.20 imposed risk 
control and similar requirements, such as order cancellation systems, 
at three levels: the AT Person, FCM and DCM. The NPRM also contained 
definitions for various terms, including ``Algorithmic Trading'' and 
``AT Order Message.'' Under the NPRM, risk controls applied to AT Order 
Messages, but not to order messages entered onto an exchange's matching 
engine manually.
    In the Supplemental NPRM, the Commission proposes a risk control 
framework with controls at two, rather than three, levels: (i) AT 
Person or FCM; and (ii) DCM. With respect to algorithmic orders 
originating with AT Persons (AT Order Messages), the proposed rules 
require all AT Persons to implement the risk controls and other 
measures required pursuant to Sec.  1.80 (although AT Persons may 
delegate compliance with Sec.  1.80(a) to FCMs). The Supplemental NPRM 
also adds new Sec.  1.80(g), which requires AT Persons to apply the 
risk control mechanisms described in Sec.  1.80(a), (b) and (c) on its 
Electronic Trading Order Messages that do not arise from Algorithmic 
Trading, after making any adjustments in the risk control mechanisms to 
accommodate the application of such mechanisms to Electronic Trading 
Order Messages. FCMs are not required to implement risk controls on AT 
Order Messages that are subject to AT Person-administered controls. 
Those AT Order Messages originating from AT Persons will be subject to 
a second level of risk controls at the DCM level pursuant to proposed 
Sec.  40.20.
    AT Order Messages originating with a non-AT Person are subject to 
risk controls implemented by executing FCMs pursuant to proposed Sec.  
1.82. Those orders will be subject to the second level of risk controls 
at the DCM level pursuant to proposed Sec.  40.20.
    The Commission is proposing two additional definitions in the 
Supplemental NPRM for the terms Electronic Trading and Electronic 
Trading Order Message, since many of the risk controls will also apply 
to manually-entered electronic trades. Pursuant to these definitions, 
Electronic Trading Order Messages are subject to risk controls 
implemented by executing FCMs pursuant to proposed Sec.  1.82 or by AT 
Persons pursuant to supplemental proposed Sec.  1.80(g). Those orders 
will be subject to the second level of risk controls at the DCM level 
pursuant to proposed Sec.  40.20. The Supplemental NPRM eliminates NPRM 
proposed Sec.  1.80(d) which required notification by AT Persons to 
applicable DCMs and clearing member FCMs that they will engage in 
Algorithmic Trading.
    Finally, Supplemental proposed Sec.  38.255(c) requires a DCM that 
permits DEA to require that an FCM use DCM-provided risk controls, or 
substantially equivalent controls developed by the FCM itself or a 
third party. Prior to an FCM's use of its own or a third party's 
systems and controls, the FCM must certify to the DCM that such systems 
and controls are substantially equivalent to the systems and controls 
that the DCM makes available pursuant to Supplemental proposed Sec.  
38.255(b).
b. Costs
    Requiring risk controls at two levels rather than three will reduce 
the costs to FCMs and AT Persons associated with these risk controls 
(relative to those in the NPRM) by requiring either the AT Person or 
the FCM to implement risk controls, but not both. As discussed in the 
NPRM, the Commission estimated those costs as: each AT Person--$79,680; 
and each clearing member FCM--$49,800 (as to DEA orders) and $159,360 
(as to non-DEA orders).\396\ FCMs generally will be required to 
implement risk controls only for non-AT Person accounts. AT Persons 
will be permitted to delegate their risk control responsibilities to 
FCMs under Supplemental proposed Sec. Sec.  1.80(d) and 1.80(g)(2) and 
the Commission expects

[[Page 85377]]

that AT Persons may do so if it reduces their costs.\397\
---------------------------------------------------------------------------

    \396\ See NPRM at 78898 and 78903.
    \397\ FCMs would be permitted to charge AT Person customers to 
implement risk controls on their behalf.
---------------------------------------------------------------------------

    Imposing risk controls on all electronic order messages will cause 
a modest increase in costs on AT Persons and DCMs, but the Commission 
expects this increase in costs to be minimal since the marginal cost of 
imposing existing risk controls on additional orders is low once the 
risk controls have been created and are up and running and AT Persons 
can make appropriate adjustments to the risk controls set out in 
Sec. Sec.  1.80(a), (b), and (c) since some of these controls need not 
be applied to manual orders. Similarly, imposing FCM-level risk 
controls on all Electronic Trading Order Messages not originating with 
an AT Person will only increase costs modestly. Moreover, the 
Commission estimates that at least 95% of all order messages on DCM 
matching engines are generated by ATSs, so that relatively few order 
messages are affected by this Supplemental proposed rule. This estimate 
was based on order activity for one week in 2016, as reported in the 
audit trail for all futures products on the CME Globex platform.
    The withdrawal of the notification requirement of NPRM proposed 
Sec.  1.80(d) eliminates the costs associated with that NPRM proposal.
    The Commission expects that the written notifications pursuant to 
Supplemental proposed Sec.  38.255(c) from an FCM to a DCM that the 
FCM's risk controls are substantially equivalent to the risk controls 
available from the DCM will, as discussed in the PRA section below, 
cost approximately $235 per certification. The Commission is unable to 
estimate the exact number of FCMs that will choose to use its own or a 
third party's systems and controls. Assuming that all 70 executing FCMs 
were to do so for four DCMs each, the Commission estimates that the 70 
executing FCMs would incur a total one-time cost of $65,800 (70 x $235 
x 4).\398\
---------------------------------------------------------------------------

    \398\ DCMs will incur some costs with respect to preparing an 
exchange rule requiring FCMs to provide Sec.  38.255(c) 
certifications. Exchange rule-writing costs were generally covered 
in the cost-benefit considerations for the Part 40 final rule (76 FR 
44776, July 27, 2011).
---------------------------------------------------------------------------

c. Benefits
    The Commission preliminarily believes that the benefits of risk 
controls will not be materially impacted by reducing the number of 
levels at which risk controls are imposed to two from three. As 
described in the NPRM, these benefits include, among other things, 
mitigating credit, market, and operational risks by ensuring that each 
order accurately reflects the intentions of market participants.\399\
---------------------------------------------------------------------------

    \399\ NPRM at 78899-78900.
---------------------------------------------------------------------------

    Requiring risk controls for all Electronic Trading Order Messages 
will, as discussed by commenters, ensure that the benefits of the risk 
controls are realized for all manually entered Electronic Trading Order 
Messages as well as AT Order Messages.
d. Consideration of Alternatives
    In determining the appropriate risk control framework for AT 
Persons, FCMs and DCMs, the Commission considered a few alternatives. 
First, the Commission considered whether it should require AT Persons 
to implement their own controls to comply with Supplemental proposed 
Sec.  1.80(a), rather than allow AT Persons the choice to delegate 
their risk control duties to FCMs. However, in order to further 
mitigate costs, the Commission chose to allow this flexibility when it 
is technologically feasible for the FCM to implement such controls with 
the same level of effectiveness reasonably designed to prevent and 
reduce the risk of an Algorithmic Trading Event.
    The Commission also considered the alternative of not requiring AT 
Persons to apply risk controls to all Electronic Trading Order 
Messages, but rather applying such controls only to AT Order Messages 
as a way of reducing costs, but determined that two levels of risk 
controls should be applied to all Electronic Trading Order Messages, 
including those originating with an AT Person.
e. Commission Questions
    56. The Commission requests comment on its cost-benefit 
considerations related to the revisions to Sec. Sec.  1.80, 1.82, 
38.255 and 40.20, including the accuracy of the Commission's cost 
estimates or assumptions concerning decreased cost.
    57. Does requiring risk controls at two levels rather than three 
materially alter the costs or benefits of the risk control framework?
    58. Does imposing risk controls on all Electronic Trading Order 
Messages materially increase costs? Please quantify any increase in 
costs if possible. What are the benefits of imposing risk controls on 
all Electronic Trading Order Messages, rather than just AT Order 
Messages?
    59. Does permitting AT Persons to delegate risk controls to an FCM 
reduce costs or materially alter the benefits of the risk controls?
    60. Should the Commission require AT Persons to apply risk controls 
to their manual Electronic Trading Order Messages? Would a single, DCM-
level control applicable to such orders provide sufficient protection 
for markets and market participants?
11. Reporting, Testing and Recordkeeping Requirements
a. Summary of New Proposal
    NPRM proposed Sec. Sec.  1.83 and 40.22 required that AT Persons 
and clearing member FCMs provide the DCMs on which they operate with 
annual reports providing information on their compliance with 
Sec. Sec.  1.80(a) and 1.82(a)(1), and that DCMs establish a program 
for effective review and evaluation of the reports. NPRM proposed 
Sec. Sec.  1.83 and 40.22 also provided recordkeeping requirements 
regarding Sec. Sec.  1.80, 1.81 and 1.82 compliance. Further, NPRM 
proposed Sec.  1.81(a)(1)(ii) required AT Persons to test all 
Algorithmic Trading code and related systems both internally within the 
AT Person and on each DCM on which Algorithmic Trading will occur. NPRM 
proposed Sec.  40.21 had required DCMs to provide testing environments.
    In light of the concerns raised by commenters to proposed 
Sec. Sec.  1.83 and 40.22, the Commission has replaced the requirement 
that AT Persons and FCMs prepare compliance reports with a requirement 
that DCMs mandate that AT Persons and executing FCMs provide DCMs with 
an annual certification attesting that the AT Person or FCM complies 
with the requirements of Sec. Sec.  1.80, 1.81, and 1.82, as 
applicable, while maintaining the recordkeeping requirements. Also in 
lieu of requiring compliance reports, Supplemental proposed Sec.  
40.22(a) requires DCMs to periodically review AT Persons' and FCMs' 
programs for compliance with Sec. Sec.  1.80, 1.81 and 1.82.
    Additionally, the Commission is proposing to modify certain 
requirements regarding the development, monitoring, and compliance of 
ATSs under NPRM proposed Sec.  1.81. The Commission has withdrawn the 
requirement under NPRM proposed Sec.  1.81(a)(1)(ii) that AT Persons 
must test all Algorithmic Trading code and related systems on each DCM 
on which Algorithmic Trading will occur (while retaining a more general 
requirement in Supplemental proposed Sec.  1.81(a)(1)(ii) that AT 
Persons must test all ATSs, including Algorithmic Trading Source Code, 
any changes to such systems or code, prior to implementation, and such 
testing shall be reasonably designed to

[[Page 85378]]

effectively identify circumstances that may contribute to future 
Algorithmic Trading Events). The Commission has also withdrawn NPRM 
proposed Sec.  40.21, which had required DCMs to provide test 
environments that enable AT Persons to simulate production trading.
b. Costs
    The Commission preliminarily believes that the costs associated 
with Supplemental proposed Sec.  40.22(a) (DCMs to periodically review 
AT Persons' and FCMs' programs for compliance with Sec. Sec.  1.80, 
1.81 and 1.82) are similar on a per-event basis to the costs associated 
with the NPRM requirements that DCMs review annual compliance reports 
from AT Persons and FCMs. However, the Commission expects that DCMs can 
appropriately perform these periodic reviews for most AT Persons and 
FCMs at a frequency less often than annually, generally reducing costs. 
The Commission notes that it may be necessary for DCMs to perform 
reviews more frequently for entities whose trading activities appear to 
impose greater potential risks to the marketplace. In the NPRM, the 
Commission estimated that the compliance reports would cost each 
clearing member FCM $7,090 annually and each AT Person $4,240 
annually.\400\ However, some commenters indicated that the Commission 
had underestimated such costs.
---------------------------------------------------------------------------

    \400\ See NPRM at 78904.
---------------------------------------------------------------------------

    The Commission estimated in the NPRM that it would cost each DCM 
approximately $244,080 per year to comply with NPRM proposed Sec.  
40.22, of which $133,200 is associated with review and remediation of 
compliance reports.\401\ CME believes the Commission's estimate for 
complying with Sec.  40.22's requirements that DCMs periodically review 
AT Person and clearing member FCM compliance reports and books and 
records, and identify and remediate any insufficient mechanisms, 
policies and procedures discovered, is too low. Instead, CME estimated 
the annual cost for each of its four DCMs \402\ to be closer to 
$525,000, assuming that across all four DCMs, approximately 650 
entities would come within the scope of the proposed compliance report 
requirements and each entity would be reviewed once every four years 
(across all four DCMs).\403\ CME estimated that it would take 
approximately one month for a full-time employee to complete each 
review.\404\ The Commission preliminarily adopts the CME cost estimate 
regarding the cost of each individual compliance review ($3,230), but 
at this time believes that it would be appropriate for a DCM to review 
AT Persons and FCMs on average every two years rather than every four 
years.\405\ As noted, the Commission expects the costs of Supplemental 
proposed Sec.  40.22(a) to be similar to the compliance review costs of 
NPRM Proposed Regulation 40.22. However, the Commission expects that 
the number of entities that would come within the scope of Supplemental 
proposed Sec.  40.22(a) would be approximately 180 (120 AT Persons and 
an additional 60 FCMs) \406\ and that the high-end cost to a large DCM 
(such as those operated by the CME) would thus be approximately 
$290,000 rather than $525,000. This cost is broken down as follows: 
$3,230 per review multiplied by 90 (180 AT Persons and FCMs half of 
which are reviewed each year for 90 reviews) is approximately $290,000. 
The costs would be lower for smaller DCMs with fewer AT Person market 
participants and fewer FCMs since they would need to conduct reviews 
for fewer entities.
---------------------------------------------------------------------------

    \401\ See NPRM at 78908. The remainder is associated with the 
costs of reviewing books and records (Sec.  40.22(e)) and self-
trading requests (Sec.  40.22(c)). These provisions are not 
addressed in the Supplemental NPRM.
    \402\ CME Group is the parent company of the Chicago Mercantile 
Exchange, Chicago Board of Trade, New York Mercantile Exchange, and 
Commodity Exchange DCMs. Following the merger of the four exchanges, 
CME Group has a single Market Regulation Department which provides 
compliance, enforcement, and other self-regulatory services to all 
four of the CME Group DCMs. With respect to the four DCMs, CME 
Group's Market Regulation Department effectively functions as a 
single entity, sharing management, staff, information technology and 
other resources.
    \403\ CME 22.
    \404\ See id.
    \405\ As noted, more frequent reviews may be needed for firms 
that appear to present more risk.
    \406\ The Commission is using 60, as opposed to 70, FCMs for 
purposes of this calculation because every FCM does not operate on 
all DCMs. Accordingly, a single DCM would not necessarily have to 
review every FCM.
---------------------------------------------------------------------------

    FCMs and AT Persons will not incur costs associated with annual 
compliance reports since those reports will not be required under the 
Supplemental NPRM, but the Commission estimates that it will cost 
$2,480 for an FCM or an AT Person to cooperate with a DCM's periodic 
review. The Commission expects that on average, an FCM or AT Person 
will be subject to a periodic review every two years for each DCM on 
which it trades or once every year in total (with entities whose 
trading activities appear to impose greater potential risks to the 
marketplace needing more frequent reviews).
    Supplemental proposed Sec.  40.22(d) provides that DCMs must 
require by rule \407\ that AT Persons and executing FCMs provide DCMs 
with an annual certification attesting that the AT Person or FCM 
complies with the requirements of Sec. Sec.  1.80, 1.81, and 1.82, as 
applicable. Such annual certification shall be made by the chief 
compliance officer or chief executive officer of the AT Person or FCM 
and must state that, to the best of his or her knowledge and reasonable 
belief, the information contained in the certification is accurate and 
complete. The Commission estimates that each DCM's chief compliance 
officer will spend approximately one hour receiving and reviewing the 
certification from approximately 120 AT Persons and 60 executing FCMs, 
for a total of 180 hours and a cost of $28,620 per DCM. This cost is 
broken down as follows: 1 Chief Compliance Officer, working for 1 hour 
(1 x $159 per hour x 180 certifications = $28,620). The Commission 
notes that this cost is significantly lower than the $111,000 per-DCM 
cost estimated in the NPRM for review of compliance reports.\408\ As to 
AT Person and executing FCM costs, the Commission expects that the 
annual certification requirement will involve preparation and 
transmittal of a document that makes the required certification, and 
that most of the hours associated with this requirement would involve 
review and analysis by compliance personnel of the entity's compliance 
with Sec. Sec.  1.80, 1.81, and 1.82, as necessary to enable the CCO or 
CEO to sign the certification. The Commission expects that each AT 
Person or FCM will transmit the essentially same certifications to each 
DCM that it is trading or operating on, without the need to prepare a 
unique certification for each DCM. The Commission also expects that to 
the extent that an AT Person's or FCM's interaction with the various 
DCMs' electronic trading facilities are similar, the review and 
analysis of the entity's compliance with Sec. Sec.  1.80, 1.81, and 
1.82 will also be similar. Therefore, the Commission preliminarily 
believes that the marginal cost of submitting certifications to 
additional DCMs will be much less than the cost of submitting a 
certification to the first DCM.
---------------------------------------------------------------------------

    \407\ DCMs will incur some costs with respect to preparing an 
exchange rule requiring FCMs and AT Persons to provide Sec.  
40.22(d) certifications. Exchange rule-writing costs were generally 
covered in the cost-benefit considerations for the Part 40 final 
rule (76 FR 44776, July 27, 2011).
    \408\ See NPRM at 78907.
---------------------------------------------------------------------------

    The Commission estimates that, on an annual basis, an AT Person and 
an FCM will each incur a cost of $1,176 to submit the compliance 
certification to

[[Page 85379]]

four DCMs. This cost is broken down as follows: 1 Senior Compliance 
Specialist, working for 6 hours (6 x $57 = $342); and 1 Chief 
Compliance Officer, working for 6 hours (6 x $139 = $834), for each 
certification.\409\ The 120 AT Persons that will be subject to DCM 
rules implemented pursuant to Sec.  40.22(d) would therefore incur a 
total annual cost of $141,120 (120 x $1,176). Similarly, the 70 
executing FCMs that will be subject to DCM rules implemented pursuant 
to Sec.  40.22(d) would therefore incur a total annual cost of $82,320 
(70 x $1,176). The Commission notes that the $1,176 per-entity cost of 
submitting certifications is substantially lower than the $4,240 per-AT 
Person cost and the $7,090 per-FCM cost estimated in the NPRM for 
submission to DCMs of annual compliance reports.\410\ Finally, 
withdrawing the requirement under NPRM proposed Sec.  1.81(a)(1)(ii) 
that AT Persons must test Algorithmic Trading code and related systems 
on each DCM on which Algorithmic Trading will occur, and withdrawing 
NPRM proposed Sec.  40.21, which had required DCMs to provide test 
environments that enable AT Persons to simulate production trading, 
will eliminate the costs associated with those NPRM proposed rules.
---------------------------------------------------------------------------

    \409\ The six hours of work for each employee consists of five 
hours for the initial certification and one hour to prepare 
additional certifications for three other DCMs.
    \410\ See NPRM at 78904.
---------------------------------------------------------------------------

c. Benefits
    The Commission expects that the benefits of proposed Sec.  40.22(a) 
will be similar to the benefits of the compliance report requirements 
of NPRM proposed Sec. Sec.  1.83(a) and (b) and 40.22(c). As stated in 
the NPRM, those benefits were to enable ``DCMs to have a clearer 
understanding of the pre-trade risk controls of all AT Persons that are 
engaged in Algorithmic Trading on such DCM'' and to ``improve the 
standardization of market participants' pre-trade risk controls.'' 
\411\ In those years in which entities are not reviewed, DCMs will at 
least receive notifications pursuant to supplemental proposed Sec.  
40.22(d) confirming that such entities are in compliance with 
Sec. Sec.  1.80, 1.81 and 1.82, as applicable. An AT Person's or FCM's 
failure to provide the required certification would indicate a basis 
for the DCM to engage in a review of such entity's risk controls and 
testing program.
---------------------------------------------------------------------------

    \411\ NPRM at 78905.
---------------------------------------------------------------------------

    The withdrawal of the requirement under NPRM proposed Sec.  
1.81(a)(1)(ii) that AT Persons must test Algorithmic Trading code and 
related systems on each DCM on which Algorithmic Trading will occur, 
and the withdrawal of NPRM proposed Sec.  40.21, which had required 
DCMs to provide test environments that enable AT Persons to simulate 
production trading, will eliminate any benefits directly associated 
with those particular NPRM proposed rules. The Commission is revising 
or withdrawing those NPRM proposed rules in response to comments 
discussed above indicating that they were costly and impracticable. The 
Commission expects that the remaining testing requirements in 
Supplemental proposed Sec.  1.81 generally will continue to provide the 
benefits described in the NPRM, including the potential to reduce 
market disruptions.\412\
---------------------------------------------------------------------------

    \412\ Id. at 78901 and 78907.
---------------------------------------------------------------------------

d. Consideration of Alternatives
    The Commission considered the alternative of eliminating the 
compliance requirements of NPRM proposed Sec.  40.22(c) without 
proposing either Sec.  40.22(a) or Sec.  40.22(d) in its place. The 
Commission determined to propose Sec.  40.22(a) and Sec.  40.22(d) 
because it preliminarily determined that these supplemental proposed 
rules are necessary to ensure that the benefits of Regulation AT are 
fully realized, including the goal of ensuring that risk controls are 
effectively implemented across AT Persons and FCMs, and that 
insufficient controls at such entities are identified and remediated. 
Specifically, the Commission preliminarily believes that it is 
necessary for DCMs to periodically review compliance by AT Persons and 
FCMs and for AT Persons and FCMs to review their own compliance in 
order to make certifications.
e. Commission Questions
    61. The Commission requests comment on its cost-benefit 
considerations related to Supplemental proposed Sec. Sec.  
1.81(a)(1)(ii), 1.83, 40.22, and NPRM proposed Sec.  40.21, including 
the accuracy of its cost estimates or assumptions regarding decreased 
costs and the accuracy of its assumptions regarding the amount of work 
that would be required of AT Persons and FCMs to comply with the 
certification requirements of Regulation AT.
    62. How do the costs and benefits of Supplemental proposed Sec.  
40.22(a) compare to the compliance costs and benefits associated with 
NPRM proposed Sec.  40.22(c)?
12. Section 15(a) Factors
    This section discusses the CEA section 15(a) factors for the 
proposals in this Supplemental NPRM.
a. Protection of Market Participants and the Public
    The Commission preliminarily believes that, as modified by the 
Supplemental NPRM, Regulation AT would continue to, as stated in the 
NPRM, protect market participants and the public by limiting a ``race 
to the bottom,'' in which certain entities sacrifice effective risk 
controls in order to minimize costs or increase the speed of trading. 
The Supplemental proposal to set risk controls at two levels rather 
than three will reduce costs while maintaining Regulation AT's 
protection of market participants and the public. The proposal to apply 
risk controls to Electronic Trading Order Messages as well as AT Order 
Messages will protect market participants and the public by providing 
the benefits of risk controls to all order submissions to a DCM's 
electronic trading facility. The requirements of Supplemental proposed 
Sec.  40.22(a), which requires DCMs to periodically review AT Persons' 
and FCMs' programs for compliance with Sec. Sec.  1.80, 1.81 and 1.82, 
and the certification requirements of Sec.  40.22(d), will promote 
protection of market participants and the public by helping to ensure 
that the risk control rules are followed in a consistent manner and may 
further reduce the likelihood of Algorithmic Trading Events and 
Algorithmic Trading Disruptions.
    Supplemental proposed Sec.  1.84 will protect market participants 
and the public by ensuring that the Commission has access to the 
Algorithmic Trading Source Code and log files of AT Persons in the 
event they are needed to investigate or inquire into an Algorithmic 
Trading Event or Algorithmic Trading Disruption.
    Supplemental proposed Sec.  1.85 will protect market participants 
and the public by ensuring that ATSs and components provided by third 
parties to AT Persons are compliant with the development and testing 
requirements of Regulation AT, even when the AT Persons themselves are 
otherwise unable to comply with those requirements. Moreover, the 
recordkeeping requirements of Sec.  1.85(d) (by reference to Sec.  
1.84(a) and (b)) will protect market participants and the public by 
ensuring that the Commission has access to the Algorithmic Trading 
Source Code and log files of third parties in the event they are needed 
to investigate or inquire into a an

[[Page 85380]]

Algorithmic Trading Event or Algorithmic Trading Disruption.
b. Efficiency, Competitiveness, and Financial Integrity of Futures 
Markets
    The Commission preliminarily believes that by addressing pre-trade 
risk controls, testing, and order management controls at two market 
levels--the exchange and either the trading firm or the executing FCM--
Regulation AT, as modified by this Supplemental NPRM, will continue to 
provide standards that can be interpreted and enforced in a uniform 
manner. Implementation of Regulation AT to electronic order messages 
will help mitigate instabilities in the markets and ensure market 
efficiency and financial integrity, as discussed in the NPRM.\413\ 
Supplemental proposed Sec.  1.85 will further these goals as well by 
ensuring that third-party systems used by AT Persons are compliant with 
Regulation AT.
---------------------------------------------------------------------------

    \413\ NPRM at 78909-78910.
---------------------------------------------------------------------------

    Supplemental proposed Sec.  1.84 will further market efficiency and 
financial integrity by ensuring that the Commission has access to the 
Algorithmic Trading Source Code and log files of AT Persons in the 
event they are needed to investigate or inquire into an Algorithmic 
Trading Event or Algorithmic Trading Disruption.
c. Price Discovery
    Requiring both exchanges and either trading firms or executing FCMs 
to implement pre-trade risk controls, testing, and order management 
control requirements in order to mitigate the risk of a malfunctioning 
trading algorithm or automated trading disruption promotes the price 
discovery process by reducing the likelihood of transactions at prices 
that do not accurately reflect market forces.
d. Sound Risk Management Practices
    The Commission believes that the pre-trade risk and order 
management control requirements contained in Regulation AT, as modified 
by this Supplemental NPRM, will contribute to a system-wide reduction 
in operational risk, and will help standardize risk management 
practices across similar entities within the marketplace. The reduction 
in operational risk may simplify the tasks associated with sound risk 
management practices. These enhanced risk management practices should 
help reduce unintended market volatility, which will aid in efficient 
market making, and reduce overall transaction costs as they relate to 
price movements, which should encourage market participants to trade in 
Commission-regulated markets. Market participants and those who rely on 
prices as determined within regulated markets should benefit from 
markets that behave in an orderly and expected fashion.
e. Other Public Interest Considerations
    The Commission has not identified any effects that these proposed 
rules would have on other public interest considerations other than 
those addressed above.
f. Commission Questions
    63. The Commission requests comment on its consideration of the CEA 
section 15(a) factors.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act requires that agencies consider 
whether the rules they propose will have a significant economic impact 
on a substantial number of small entities and, if so, provide a 
regulatory flexibility analysis regarding the impact.\414\ A regulatory 
flexibility analysis or certification is typically required for any 
rule for which the agency publishes a general notice of proposed 
rulemaking pursuant to the notice-and-comment provisions of the 
Administrative Procedure Act, 5 U.S.C. 553(b).\415\
---------------------------------------------------------------------------

    \414\ 5 U.S.C. 601 et. seq.
    \415\ 5 U.S.C. 601(2), 603, 604, and 605.
---------------------------------------------------------------------------

    In the NPRM, the Commission provided a regulatory flexibility 
analysis pursuant to the Regulatory Flexibility Act.\416\ Regulation AT 
impacts three broad types of market participants: DCMs, FCMs, and AT 
Persons.\417\ In the NPRM, the Chairman, on behalf of the Commission, 
certified pursuant to 5 U.S.C. 605(b) that the rules proposed in 
Regulation AT imposing requirements on FCMs and DCMs would not have a 
significant economic impact on a substantial number of small 
entities.\418\
---------------------------------------------------------------------------

    \416\ NPRM at 78885.
    \417\ Supplemental proposed Sec.  1.85 will impact another type 
of market participant, third-party service providers providing 
software or systems to AT Persons for Algorithmic Trading.
    \418\ NPRM at 78885.
---------------------------------------------------------------------------

    With respect to AT Persons, the NRPM provided a regulatory 
flexibility analysis addressing whether Regulation AT would have a 
significant economic impact on a substantial number of AT Persons that 
were small entities. As defined in the NPRM, the term AT Persons 
included various entities that engaged in Algorithmic Trading, 
including New Floor Traders under NPRM proposed Sec.  1.3(x)(3), FCMs, 
floor brokers, SDs, MSPs, CPOs, CTAs and IBs.\419\ The NPRM noted that 
the Commission previously determined that FCMs, foreign brokers, SDs, 
MSPs, CPOs, and natural persons are not small entities for purposes of 
the Regulatory Flexibility Act.\420\ The NPRM stated that the 
Commission believes it is likely that no natural persons will be AT 
Persons, given the technological and personnel costs associated with 
Algorithmic Trading.\421\ The Commission then considered whether, in 
the context of Regulation AT, floor brokers, floor traders, CTAs, and 
IBs that engage in Algorithmic Trading should be considered small 
entities for purposes of the Regulatory Flexibility Act.\422\ The 
Commission concluded that it did not believe that a substantial number 
of small entities will be impacted by Regulation AT.\423\
---------------------------------------------------------------------------

    \419\ Id. at 78885-6.
    \420\ Id. at 78885.
    \421\ Id. at 78885-6.
    \422\ Id. at 78885.
    \423\ Id. at 78886.
---------------------------------------------------------------------------

    The Commission has made a number of substantive additions and 
changes to Regulation AT in this Supplemental NPRM, some of which may 
impact small entities. Significantly, while the Commission estimated 
that there would be 420 AT Persons under the NPRM proposed rules for 
Regulation AT, the Commission has revised its estimate to 120 AT 
Persons under the modified rules proposed in this Supplemental NPRM. As 
discussed below, the Commission believes that the Supplemental proposed 
rules will have a significant economic impact on fewer (if any) small 
entities than the NPRM proposed rules.
    Pursuant to 5 U.S.C. 603, the Commission offers for public comment 
the following supplemental analysis to its initial regulatory 
flexibility analysis addressing the impact of Regulation AT on small 
entities. The Commission's analysis in the NPRM consisted of six parts, 
as generally set forth in section 603(b) of the Regulatory Flexibility 
Act. The Supplemental NPRM does not alter the Commission's analysis of 
four of the areas: (1) A description of the reasons why action is being 
considered; (2) a succinct statement of the objectives of, and legal 
basis for, the proposals; (3) an identification of all relevant federal 
rules that may duplicate, overlap, or conflict with the proposed rule; 
and (4) a description of significant alternatives. The Commission 
offers the following supplemental analysis for two areas: (1) A 
description of and, where feasible, an estimate of the number of small 
entities to which the proposed rules will apply; and (2) a description 
of the projected

[[Page 85381]]

reporting, recordkeeping, and other compliance requirements of the 
rules, including an estimate of the classes of small entities which 
will be subject to the requirements and the type of professional skills 
necessary for preparation of the report or record.
1. A Description, and, Where Feasible, an Estimate of the Number of 
Small Entities to Which the Proposed Rules Will Apply
    The Commission noted in the NPRM that the definition of AT Person 
is limited to entities that conduct Algorithmic Trading and the 
definition of New Floor Traders under NPRM proposed Sec.  
1.3(x)(1)(iii) is further limited to those entities with DEA. The 
Commission believes that entities with such capabilities are generally 
not small entities.
    Supplemental proposed Sec.  1.3(xxxx)(1)(i)(B) adds a volume 
threshold test to the definition of AT Person, which measure is also 
set forth in definition of New Floor Trader pursuant to Supplemental 
proposed Sec. Sec.  1.3(x)(1)(iii)(D) and 1.3(x)(2). The Commission 
believes that adding this volume threshold to further reduce the scope 
of Regulation AT will ensure that a substantial number of small 
entities will not be impacted by the information collection. In the 
NPRM, the Commission estimated that approximately 420 persons will be 
AT Persons. The regulatory flexibility analysis contained in the NPRM 
concluded that Regulation AT would not impact a substantial number of 
small entities.\424\ In this supplemental NPRM, the Commission 
estimates that approximately 120 persons will be AT Persons, and a 
smaller number would be New Floor Traders under 1.3(x)(1)(iii). 
Accordingly, the Commission believes that under the modified definition 
of AT Person set forth in Supplemental proposed Sec.  1.3(xxxx), the 
Supplemental proposed rules will impact significantly fewer small 
entities than the NPRM proposed rules and, in particular, that there 
will not be a substantial number of small entities impacted by the 
information collection.
---------------------------------------------------------------------------

    \424\ Id. at 78886.
---------------------------------------------------------------------------

2. A Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Rules, Including an Estimate of the 
Classes of Small Entities Which Will Be Subject to the Requirements and 
the Type of Professional Skills Necessary for Preparation of the Report 
or Record
    The following section discusses the projected reporting, 
recordkeeping, and other compliance requirements that will be imposed 
upon AT Persons \425\ under the proposed rules.
---------------------------------------------------------------------------

    \425\ This analysis discusses estimated costs for AT Persons, 
irrespective of whether they are small entities. However, the 
Commission believes that the associated costs for small entity AT 
Persons would be no more than the costs for any other AT Persons.
---------------------------------------------------------------------------

a. Sec.  1.3(x)(1)(iii)--Registration of New Floor Traders
    Regulation AT would impose new registration requirements on certain 
entities with Direct Electronic Access who meet a volumetric test as a 
result of the proposed amendment to the definition of ``floor trader'' 
in Supplemental proposed Sec.  1.3(x)(1)(iii). The Commission provided 
detailed estimates of the costs associated with registration as a New 
Floor Trader in the NPRM.\426\ The Commission estimated that new 
registrants would incur a one-time cost of approximately $2,106 per 
registrant ($1,050 in application fees plus $1,056 in preparation 
costs). In the NPRM, the Commission estimated that there would be 
approximately 100 new Floor trader registrants. The Commission believes 
that the volume threshold test will likely result in fewer than 100 new 
Floor trader registrants. The Commission further believes that the 
volume threshold test proposed in the Supplemental NPRM will reduce the 
impact on small entities as compared with the NPRM, since the 
registration requirements of Regulation AT will only apply to entities 
with high trading volumes when measured across all products and DCMs.
---------------------------------------------------------------------------

    \426\ NPRM at 78925.
---------------------------------------------------------------------------

b. Sec.  1.80--Pre-Trade Risk Controls
    NPRM proposed regulations Sec. Sec.  1.80, 1.82, 38.255 and 40.20 
imposed risk control and similar requirements, such as order 
cancellation systems, on three levels: AT Person, FCM and DCM. As 
discussed above, this Supplemental NPRM changes the overall framework 
for risk controls and other measures required pursuant to NPRM proposed 
Sec. Sec.  1.80, 1.82, 38.255 and 40.20. This Supplemental NPRM 
proposes a revised framework with two levels of risk controls: (1) At 
the AT Person or FCM level, and (2) the DCM level. With respect to 
orders originating with AT Persons (AT Order Messages), the rules would 
require all AT Persons to implement the risk controls and other 
measures required pursuant to Sec.  1.80 (although AT Persons may 
delegate compliance with Sec.  1.80(a) to FCMs, as discussed above). In 
the NPRM, the Commission estimated that it would cost an AT Person 
approximately $79,680 to upgrade its controls to comply with Sec.  
1.80. In the NPRM, the Commission estimated that there would be 420 AT 
Persons. However, under this Supplemental NPRM, the Commission 
estimates that there will be approximately 120 AT Persons. Assuming 
that there are 120 AT Persons, the Commission estimates that the total 
industry cost to implement Sec.  1.80 would be approximately 
$9,561,600.
    The Commission also proposes a change to NPRM proposed Sec.  1.80 
in which AT Persons may delegate compliance with pre-trade risk control 
requirements (Sec.  1.80(a)) to their executing FCMs. Supplemental 
proposed Sec.  1.80(d) provides that an AT Person may choose to comply 
with paragraph (a) of Sec.  1.80 by itself implementing such pre-trade 
risk controls, or may instead delegate compliance with such obligations 
to its executing futures commission merchant. Supplemental proposed 
Sec.  1.80(f) continues to require an AT Person to periodically review 
its compliance with Sec.  1.80 to determine whether it has effectively 
implemented sufficient measures reasonably designed to prevent an 
Algorithmic Trading Event.\427\ The Commission has revised this section 
to account for the possibility that an AT Person has delegated Sec.  
1.80(a) compliance to an FCM, and requires the AT Person to 
periodically review such FCM's compliance with Sec.  1.80(a). The 
Commission assumes that some AT Persons will delegate compliance with 
Sec.  1.80 to its executing FCM under Sec.  1.80(d), and thus review 
such FCM's compliance with Sec.  1.80(a) pursuant to Supplemental 
proposed Sec.  1.80(f). While the Commission cannot estimate how many 
AT Persons will delegate compliance, the Commission believes that the 
costs associated with review are the same as those associated with 
compliance with Sec.  1.80 generally.
---------------------------------------------------------------------------

    \427\ The Commission notes that the Supplemental proposes a 
reasonably designed to prevent and reduce the potential risk of 
standard under Sec.  1.80.
---------------------------------------------------------------------------

c. Sec.  1.83(a)--AT Person Recordkeeping Requirements
    As discussed above, the Commission estimated in the NPRM that 420 
entities would qualify as AT Persons under Regulation AT. Pursuant to 
Supplemental proposed Sec.  1.3(xxxx), the Commission now estimates 
that 120 entities will be AT Persons. The Commission's new, lower 
estimate for the number of AT Persons is a function of the volume 
threshold test that market participants would have to satisfy to fall 
within the definition of AT Person

[[Page 85382]]

under Supplemental proposed Sec.  1.3(xxxx).
    The Commission has updated its Regulatory Flexibility Act analysis 
from the NPRM for proposed Sec.  1.83, based on its updated estimate of 
120 AT Persons in the Supplemental NPRM (as opposed to the 420 AT 
Persons estimated in the NPRM). The Commission's Regulatory Flexibility 
Act analysis for Supplemental proposed Sec.  1.83 assumes the same cost 
on a per AT Person basis as was used in the NPRM analysis. 
Specifically, the Commission estimated in the NPRM that proposed Sec.  
1.83 requirements that AT Persons keep and provide books and records 
relating to NPRM proposed Sec. Sec.  1.80 and 1.81 compliance would 
result in initial outlay of 60 hours of burden per AT Person. Under 
Supplemental proposed Sec.  1.83(a), the 120 AT Persons would therefore 
initially incur 7,200 burden hours in total. In the NPRM, the 
Commission estimated that, on an initial basis, an AT Person would 
incur a cost of $5,130 to draft and update recordkeeping policies and 
procedures and make technology improvements to recordkeeping 
infrastructure. Under Supplemental proposed Sec.  1.83(a), the 120 AT 
Persons would therefore incur a total initial cost of $615,600.
    The Commission estimated in the NPRM that proposed Sec.  1.83 
requirements that AT Persons keep and provide books and records 
relating to NPRM proposed Sec. Sec.  1.80 and 1.81 compliance would 
result in annual costs of 30 hours of burden per AT Person. Under 
Supplemental proposed Sec.  1.83(a), the 120 AT Persons would therefore 
incur 3,600 burden hours in total. In the NPRM, the Commission 
estimated that, on an annual basis, an AT Person would incur a cost of 
$2,670 to ensure compliance with the NPRM proposed Sec.  1.83(a) 
recordkeeping rules relating to NPRM proposed Sec.  1.82 compliance. 
Under Supplemental proposed Sec.  1.83(a), the 120 AT Persons would 
therefore incur a total annual cost of $320,400.
d. Sec.  1.84--Maintenance of Algorithmic Trading Source Code and 
Related Records
    Supplemental proposed Sec.  1.84 would require AT Persons to retain 
three categories of records for a period of five years: (1) Algorithmic 
Trading Source Code; (2) records that track changes to Algorithmic 
Trading Source Code; and (3) log files that record the activity of the 
AT Person's ATS. For purposes of Supplemental proposed Sec.  1.84, 
Algorithmic Trading Source Code includes computer code, hardware 
description language, scripts and formulas as well as the configuration 
files and parameters used to carry out the trading. These records are 
required to be maintained in their native format. Supplemental proposed 
Sec.  1.84 also requires that these records be kept in a form and 
manner that ensures the authenticity and reliability of the information 
contained in the records, and that AT Persons have systems available to 
promptly retrieve and display the records.
    Supplemental proposed Sec.  1.84 applies to AT Persons, including 
any AT Persons that are floor brokers, floor traders, CTAs, or IBs. The 
Commission's best understanding is that at this time, all floor brokers 
are natural persons. Given the technological and personnel costs 
associated with Algorithmic Trading, the Commission's expectation is 
that only entities, not natural persons, would meet the definition of 
``AT Person.'' Accordingly, the Commission does not believe that any 
floor brokers would be AT Persons impacted by Supplemental proposed 
Sec.  1.84.
    With respect to New Floor Traders, CTAs, and IBs that would meet 
the definition of AT Person, the Commission does not believe it is 
feasible to estimate the total number of such entities that would be 
small entities. However, under this Supplemental NPRM, the Commission 
estimates that there will be a total of 120 AT Persons, a subset of the 
estimated 420 AT Persons described in the NPRM. The Commission noted in 
the NPRM that the proposed definition of AT Person was limited to 
entities that conduct Algorithmic Trading, and the NPRM proposed 
definition of New Floor Traders was further limited to those entities 
with DEA.\428\ The Commission stated that it believed entities with 
such capabilities are generally not small entities.\429\ Thus, the 
population of AT Persons under the Supplemental NPRM is even less 
likely to include small entities, since they must meet the additional 
volume threshold measures discussed above. Consequently, the Commission 
does not believe that Supplemental proposed Sec.  1.84 will impact a 
substantial number of small entities.
---------------------------------------------------------------------------

    \428\ NPRM at 78886.
    \429\ Id.
---------------------------------------------------------------------------

    In order to comply with the requirements set out in Supplemental 
proposed Sec.  1.84(a), an AT Person must have a version control system 
and an application log management system in place. The Commission 
expects that most AT Persons have version control software to manage 
each change made to their software and identify who made the change and 
why. The Commission also expects that most AT Persons manage their 
application logs through some form of application log management 
system.
    For firms that do not have version control systems and application 
log management systems in place, the effort involved in setting one up 
includes the acquisition of the hardware to run the system, the 
application software itself, the migration of the existing Algorithmic 
Trading Source Code and logs into the software, and the creation of 
policy and procedures related to the use of the system by the firm. For 
appropriate hardware to accomplish this task, a machine with sufficient 
storage space and sufficient redundancy will be needed. The Commission 
expects that ten terabytes of data would constitute sufficient storage 
capacity. A number of software options are available, from open-source 
products to industry-standard tools.
i. Firms Without Sufficient Hardware and Software in Place
    The Commission estimates that Supplemental proposed Sec.  1.84(a), 
which requires AT Persons to maintain specified records related to 
their Algorithmic Trading Source Code and their Algorithmic Trading 
systems' activity, will result in initial outlay of 420 hours of burden 
per AT Person without sufficient hardware and software in place to 
comply with proposed Sec.  1.84(a), and 33,600 burden hours in total. 
The estimated burden was calculated as follows:
    Burden: Supplemental proposed Sec.  1.84(a), which would require AT 
Persons to maintain certain records.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each AT Person or executing FCM: 420 
hours.
    Burden statement-all AT Persons and executing FCMs: 120 respondents 
x 420 hours = 50,400 Burden Hours initial year.
    The Commission estimates that an AT Person without the hardware and 
software in place to maintain the records required by Supplemental 
proposed Sec.  1.84(a) would incur a cost of $41,840 to purchase and 
set up the required hardware and software, migrate existing Algorithmic 
Trading Source Code and logs into the software and draft appropriate 
recordkeeping policies and procedures and make technology improvements 
to recordkeeping infrastructure. This cost is broken down as follows: 
Hardware costing $12,000,\430\

[[Page 85383]]

software costing $2,000,\431\ 1 Project Manager for the Algorithmic 
Trading Source Code and log migration effort, working for 60 hours (60 
x $70 = $4,200); 1 Developer for the Algorithmic Trading Source Code 
and log migration effort, working for 60 hours (60 x $75 = $4,500), 1 
Project Manager to develop the related policies and procedures, working 
for 120 hours (120 x $70 = $8,400), 1 Business Analyst to develop the 
related policies and procedures, working for 120 hours (120 x $52 = 
$6,240), and 1 Developer to develop the related policies and 
procedures, working for 60 hours (60 x $75 = $4,500). The 120 AT 
Persons would therefore incur a total initial cost of $5,020,800 (120 x 
$41,840).
---------------------------------------------------------------------------

    \430\ The Commission estimates that the hardware could cost from 
$1,000 to $25,000 depending on factors including which hardware 
vendor an AT Person chooses, the amount of business the AT Person 
does with the hardware vendor and the pricing the hardware vendor 
provides the AT Person as a result.
    \431\ The Commission estimates that the software could cost from 
$0 to $5,000 depending on factors including which hardware vendor an 
AT Person chooses, the amount of business the AT Person does with 
the hardware vendor and the pricing the hardware vendor provides the 
AT Person as a result.
---------------------------------------------------------------------------

ii. Firms With Sufficient Hardware and Software in Place
    Firms that have the necessary systems in place may nevertheless 
need to make changes to their policies and procedures and enhance their 
hardware to provide more storage capacity, in each case to address the 
requirements of Supplemental proposed Sec.  1.84(a). The discussion 
below addresses both the effort it takes to determine what upgrades 
need to be made, and to implement those upgrades.
    The Commission estimates that Supplemental proposed Sec.  1.84(a) 
requiring AT Persons to maintain specified records related to their 
Algorithmic Trading Source Code and their Algorithmic Trading systems' 
activity will result in initial outlay of 90 hours of burden per AT 
Person with sufficient hardware and software to comply with 
Supplemental proposed Sec.  1.84(a), and 10,800 burden hours in total. 
The estimated burden was calculated as follows:
    Burden: Supplemental proposed Sec.  1.84(a), which would require AT 
Persons to maintain certain records.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each respondent: 90 hours.
    Burden statement--all respondents: 120 respondents x 90 hours = 
10,800 Burden Hours initial year.
    The Commission estimates that, on an initial basis, an AT Person 
with the hardware and software in place to maintain the records 
required by Supplemental proposed Sec.  1.84(a) would incur a cost of 
$12,160 to purchase and set up the required hardware and software, 
migrate existing Algorithmic Trading Source Code and logs into the 
software and draft appropriate recordkeeping policies and procedures 
and make technology improvements to recordkeeping infrastructure. This 
cost is broken down as follows: Hardware costing $4,000,\432\ 1 Project 
Manager to develop the related policies and procedures, working for 30 
hours (30 x $70 = $2,100), 1 Business Analyst to develop the related 
policies and procedures, working for 30 hours (30 x $52 = $1,560), and 
1 Developer to develop the related policies and procedures, working for 
60 hours (60 x $75 = $4,500). The 120 AT Persons would therefore incur 
a total initial cost of $1,459,200 (120 x $12,160).
---------------------------------------------------------------------------

    \432\ The Commission estimates that the hardware could cost from 
$1,000 to $10,000 depending on factors including which hardware 
vendor an AT Person chooses, the amount of business the AT Person 
does with the hardware vendor and the pricing the hardware vendor 
provides the AT Person as a result.
---------------------------------------------------------------------------

e. Supplemental Proposed Sec. Sec.  1.84(b) and (c)
    In order to comply with the requirements set out in Supplemental 
proposed Sec. Sec.  1.84(b) and 1.84(c), AT Persons will have to use 
their version control software to manage their software's version 
history. This will require a standard monthly effort to maintain the 
environment so that each AT Person is able to respond to special calls 
and/or subpoenas.
    Monthly Maintenance: The Commission estimates that Supplemental 
proposed Sec. Sec.  1.84(b) and 1.84(c), which require AT Persons to 
produce records of Algorithmic Trading in response to a special call or 
subpoena, will result in ongoing costs of 324 hours of burden per AT 
Person per year, and 38,880 annual burden hours in total. The estimated 
burden was calculated as follows:
    Burden: Rule requiring AT Persons to produce Algorithmic Trading 
records in response to a Special Call or Subpoena.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each respondent: 324 hours.\433\
---------------------------------------------------------------------------

    \433\ The Commission estimates 27 burden hours per respondent/
affected entity per month. Annualizing this monthly figure by 
multiplying by 12 results in the 324 total burden hour estimate.
---------------------------------------------------------------------------

    Burden statement-all respondents: 120 respondents x 324 hours = 
38,880 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $25,380 to draft and update recordkeeping policies 
and procedures and make technology improvements to recordkeeping 
infrastructure. This cost is broken down as follows: 1 Project Manager, 
working for 3 hours per month x 18 months = 54 hours per year (54 x $70 
= $3,780); and 1 Developer, working for 24 hours per month x 12 months 
= 288 hours per year (288 x $75 = $21,600). The 120 AT Persons would 
therefore incur a total initial cost of $3,045,600 (120 x $25,380).
    Costs Per Response to a Special Call or Subpoena. The Commission 
estimates that Supplemental proposed Sec. Sec.  1.84(b) and 1.84(c), 
which require AT Persons to produce records of Algorithmic Trading in 
response to a special call or subpoena, will result in costs per 
response of 48 hours of burden per AT Person, and 12,960 burden hours 
in total. The estimated burden was calculated as follows:
    Burden: Rule requiring AT Persons to produce Algorithmic Trading 
records in response to a Special Call or Subpoena.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 108 hours.
    Frequency of collection: Intermittent.
    Burden statement-all respondents: 120 respondents x 108 hours = 
12,960 Burden Hours per year.
    The Commission estimates that, on an intermittent basis, an AT 
Person will incur a cost of $5,844 to ensure compliance with those 
aspects of Supplemental proposed Sec. Sec.  1.84(b) and 1.84(c) 
requiring AT Persons to produce records of Algorithmic Trading in 
response to a special call or subpoena. This cost is broken down as 
follows: 1 Project Manager, working for 12 hours (12 x $70 = $840); 1 
Developer, working for 36 hours (36 x $75 = $2,700); and 1 Compliance 
Attorney, working for 24 hours (24 x $96 = $2,304). The 120 AT Persons 
would therefore incur a total annual cost of $701,280 (120 x $5,844).
f. Sec.  1.85--Use of Third-Party Algorithmic Trading Systems or 
Components
    Supplemental proposed Sec.  1.85 would allow AT Persons who are 
unable to comply with a particular development and testing requirement 
or a particular maintenance or production requirement related to 
Algorithmic Trading strategy, due solely to their use of third-party 
system components, to obtain a certification that the third party is 
complying with the obligation. Pursuant to Supplemental proposed Sec.  
1.84, AT Persons must also conduct due diligence regarding the accuracy 
of the

[[Page 85384]]

certification.\434\ In addition, in all cases, under the Supplemental 
NPRM, an AT Person is responsible for ensuring that records are 
retained and produced as required pursuant to Supplemental proposed 
Sec.  1.84.
---------------------------------------------------------------------------

    \434\ The Supplemental NPRM does not set forth the means by 
which due diligence must be conducted. The Commission expects that 
due diligence may take a variety of forms, including but not limited 
to, email exchanges, teleconferences, reviews of files, and in-
person meetings.
---------------------------------------------------------------------------

    Supplemental proposed Sec.  1.85 would have the effect of reducing 
the burdens on AT Persons under Supplemental proposed Sec.  1.84 
because an AT Person could effectively shift its burden to comply with 
certain obligations onto a third party, provided that the third party 
provides a certification to the AT Person. Since Supplemental proposed 
Sec.  1.85 is burden reducing with respect to AT Persons, the 
Commission does not believe that the proposed rule would have a 
``significant economic impact'' on AT Persons for purposes of the 
Regulatory Flexibility Act.
    Additionally, the Commission assumes that the third parties that 
would provide certifications under Supplemental proposed Sec.  1.85 
would not be small entities, given the levels of complexity and 
sophistication required to provide third-party system components to AT 
Persons in connection with such AT Person's Algorithmic Trading 
strategy. The Commission invites comment on the accuracy of its 
assumption.
    The Commission estimates that the requirement under Supplemental 
proposed Sec.  1.85 that an AT Person may comply with an obligation 
under NPRM proposed Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(iii), 
1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.  
1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party 
that the third party is fulfilling the obligation, will result in: (1) 
60 one-time hours of burden per AT Person, and 7,200 burden hours in 
total; (2) 36 hours (on a recurring annual basis) of burden per AT 
Person, and 4,320 burden hours in total; (3) 60 one-time hours of 
burden per third party, and 3,000 burden hours in total; and (4) 36 
hours (on a recurring annual basis) of burden per third party, and 
1,800 burden hours in total. The estimated burden was calculated as 
follows:
    Burden: AT Person establishing the process for obtaining third-
party certifications, obtaining the initial certifications and 
conducting due diligence on the accuracy thereof.
    Respondents/Affected Entities: 120.\435\
    Estimated number of responses: 120.\436\
    Estimated total burden on each respondent: 60 hours.\437\
    Frequency of collection: One-time.
    Burden statement-all respondents: 120 respondents x 60 hours = 
7,200 Burden Hours per year.
---------------------------------------------------------------------------

    \435\ The Commission estimates 120 AT Persons will rely on third 
party certifications pursuant to Supplemental proposed Sec.  1.85. 
This estimate is based on an assumption that each AT Person will 
rely on one third party service providers for such AT Person's ATS 
or components. In fact, the Commission anticipates that some AT 
Persons will not rely on any third party service providers for their 
ATSs or components, while other AT Persons will rely on two third 
party service providers. For purposes of this PRA analysis, the 
Commission believes that the best available estimate is that there 
will be a total of 120 Respondents/Affected Entities. The Commission 
seeks comment on this estimate.
    \436\ This is calculated as the product of 120 estimated 
Respondents/Affected Entities and one initial response (i.e., 
establishing the process for obtaining third party certifications, 
obtaining the initial certifications and conducting due diligence on 
the accuracy thereof).
    \437\ The Commission estimates that the initial response will 
take a Project Manager 24 hours, a Compliance Attorney 24 hours and 
a Developer 12 hours. The sum of those hours is 60 hours.
---------------------------------------------------------------------------

    The Commission estimates that an AT Person will incur a one-time 
cost of $3,506 to establish the process for initially obtaining the 
third-party certifications permitted by Supplemental proposed Sec.  
1.85, conduct the related due diligence and obtain the initial 
certifications. This cost is broken down as follows: 1 Project Manager, 
working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney, 
working for 24 hours (24 x $96 = $2,304); and 1 Developer working for 
12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely 
on Sec.  1.85 would therefore incur a total one-time cost of $586,080 
(120 x $4,884).
    Burden: AT Person updating its certifications from third parties 
and conducting updated due diligence on the accuracy thereof.
    Respondents/Affected Entities: 120.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 54 hours.
    Frequency of response: Annual.
    Burden statement-all respondents: 120 respondents x 54 hours = 
6,480 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $2,892 to obtain the third-party certifications 
permitted by Supplemental proposed Sec.  1.85 and conduct the related 
due diligence. This cost is broken down as follows: 1 Project Manager, 
working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working 
for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours 
(12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.  
1.85 would therefore incur a total annual cost of $347,040 (120 x 
$2,892).
    The Commission also anticipates that an AT Person will incur a one-
time cost of $2,304 to re-write its contracts with third parties, so 
that the AT Persons can comply with the recordkeeping and production 
provisions of Supplemental proposed Sec.  1.84. This cost is broken 
down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96 
per hour = $2,304).
    Burden: Third party establishing the process for providing 
certifications to AT Persons, providing the initial certifications and 
cooperating with AT Persons conducting due diligence on the accuracy 
thereof.
    Respondents/Affected Entities: 50.\438\
    Estimated number of responses: 50.\439\
    Estimated total burden on each respondent: 60 hours.\440\
    Frequency of response: One-time.
    Burden statement-all respondents: 50 responses x 60 hours = 3,000 
Burden Hours per year.
---------------------------------------------------------------------------

    \438\ The Commission estimates that there will be a total of 50 
third party service providers to AT Persons for their ATSs or 
components. The Commission seeks comment on this estimate.
    \439\ This is calculated as the product of 50 third parties and 
one initial response (i.e., establishing the process for providing 
third party certifications, providing the initial certifications and 
cooperating with AT Persons conducting due diligence on the accuracy 
thereof). The Commission assumes that each third party will provide 
a single certification to all AT Persons using a product or service 
from the third party. The Commission seeks comment on this estimate.
    \440\ The Commission estimates that, as with the initial 
collection burden on AT Persons, the initial response will take a 
third party Project Manager 24 hours, a third party Compliance 
Attorney 24 hours and a third party Developer 12 hours. The sum of 
those hours is 60 hours.
---------------------------------------------------------------------------

    The Commission estimates that a third party will incur a one-time 
cost of $4,884 to establish the process for initially providing the 
third-party certifications permitted by Supplemental proposed Sec.  
1.85 and cooperate with AT Persons conducting the related due 
diligence. This cost is broken down as follows: 1 Project Manager, 
working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney, 
working for 24 hours (24 x $96 = $2,304); and 1 Developer working for 
12 hours (12 x $75 = $900). The Commission estimates that third-party 
ATS providers will issue 120 certifications per year, either as initial 
or annual certifications. This reflects the Commission's estimate of 
120 AT Persons, and the fact that some AT Persons will rely on multiple 
third-party providers, while others will develop their systems entirely 
in-house. The estimated 50 third parties that provide certifications 
pursuant to Supplemental

[[Page 85385]]

proposed Sec.  1.85 would therefore incur a total annual cost of 
$244,200 (50 x $4,884).
    Burden: Third parties annually updating their certifications to AT 
Persons and cooperating with AT Persons conducting due diligence on the 
accuracy thereof.
    Respondents/Affected Entities: 50.\441\
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 36 hours.\442\
    Frequency of response: Annual.
    Burden statement-all respondents: 120 responses x 36 hours = 4,320 
Burden Hours per year.
---------------------------------------------------------------------------

    \441\ The Commission estimates that there will be a total of 50 
third party service providers to AT Persons for their ATSs or 
components.
    \442\ The Commission estimates that, as with the recurring 
annual collection for AT Persons, the annual collection will take a 
third party Project Manager 12 hours, a third party Compliance 
Attorney 12 hours and a third party Developer 12 hours. The sum of 
those hours is 36 hours. However, the Commission believes that in a 
typical year, the actual number of burden hours would be lower, 
provided that the product or service the AT Person receives from the 
third party provider has not changed substantially.
---------------------------------------------------------------------------

    The Commission estimates that, on an annual basis, a third party 
will incur a cost of $2,892 to provide AT Persons the third-party 
certifications permitted by Supplemental proposed Sec.  1.85 and 
cooperate with AT Persons conducting the related due diligence. The 
Commission estimates that third-party ATS providers will issue 120 
certifications per year, either as initial or annual certifications. 
This reflects the Commission's estimate of 120 AT Persons, and the fact 
that some AT Persons will rely on multiple third-party providers, while 
others will develop their systems entirely in-house. This cost is 
broken down as follows: 1 Project Manager, working for 12 hours (12 x 
$70 = $840); 1 Compliance Attorney, working for 12 hours (12 x $96 = 
$1,152); and 1 Developer working for 12 hours (12 x $75 = $900). The 
estimated 50 third parties that will rely on Sec.  1.85 would therefore 
incur a total annual cost of $144,600 (50 x $2,892).
    In addition to the costs of providing certifications, the 
Commission anticipates that third-party providers will incur additional 
costs relating to Supplemental proposed Sec.  1.85(a), which 
contemplates that third parties will provide to AT Persons systems or 
components that comply with NPRM proposed Sec. Sec.  1.81(a)(1)(i), 
1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed 
Sec. Sec.  1.81(a)(1)(ii) or 1.84. The Commission estimates that, on an 
annual basis, a third party will incur costs to comply with the 
proposed rules listed above that are comparable to the costs that an AT 
Person would incur to comply with such rules. The estimated costs for 
an AT Person to comply with Supplemental proposed Sec.  1.84 are 
discussed in Section IX(B)(2)(e) above. The estimated costs for an AT 
Person to comply with proposed Sec.  1.81(a) were discussed in detail 
in the NPRM.\443\
---------------------------------------------------------------------------

    \443\ See NPRM at 78888, 78900. In the NPRM, the Commission 
estimated that an AT Person that has not implemented any of the 
requirements of proposed Sec.  1.81(a) (development and testing of 
ATSs) would incur a total cost of $349,865 to implement those 
requirements. This cost was broken down as follows: 1 Project 
Manager, working for 1,707 hours (1,707 x $70 = $119,490); 2 
Business Analysts, working for a combined 853 hours (853 x $52 = 
$44,356); 3 Testers, working for a combined 2,347 hours (2,347 x $52 
= $122,044); and 2 Developers, working for a combined 853 hours (853 
x $75 = $63,975). The Commission notes that this calculation would 
apply only to third parties that have not implemented any of the 
requirements of proposed Sec.  1.81(a). However, the Commission 
anticipates that many third-party providers--e.g., software 
development firms--already develop and test systems or components in 
the ordinary course of their business. Indeed, the Commission 
anticipates that third-party providers would generally be as 
sophisticated, if not more sophisticated, than AT Persons with 
respect to the development and testing of ATSs. Therefore, the 
Commission believes that the cost of compliance for third parties 
would be lower than the estimate calculated above. In addition, the 
Commission anticipates that compliance costs under Supplemental 
proposed Sec.  1.81(a)(1)(ii) will be lower than the costs estimated 
in the NPRM, since the Commission is proposing to eliminate the 
requirement under NPRM proposed Sec.  1.81(a)(1)(ii) that AT Persons 
must test all Algorithmic Trading code and related systems on each 
DCM on which Algorithmic Trading will occur (while retaining a more 
general requirement that AT Persons must test all ATSs).
---------------------------------------------------------------------------

    The Commission also anticipates that a third-party will incur a 
one-time cost of $2,304 to re-write its contracts with AT Persons, so 
that the AT Persons can comply with the recordkeeping and production 
provisions of Supplemental proposed Sec.  1.84. This cost is broken 
down as follows: 1 Compliance Attorney, working for 24 hours (24 x $96 
per hour = $2,304).
g. Sec.  40.22--Compliance With DCM Reviews
    The Commission expects that Supplemental proposed Sec.  40.22, 
which requires DCMs to periodically review AT Persons' compliance with 
Sec. Sec.  1.80 and 1.81 executing FCMs' compliance with Sec.  1.82, 
will also impose burdens on the AT Persons that will be subject to such 
reviews. The Commission believes that an adequate review program will 
typically require DCMs to evaluate AT Persons' compliance every two 
years. Low-risk parties may require less frequent review, while high-
risk parties could require more frequent evaluation. The Commission 
estimates (on an annual basis) 48 hours of burden per AT Person, and 
2,880 burden hours in total per year. The estimated burden was 
calculated as follows:
    Burden: Compliance by AT Persons with DCM Reviews.
    Respondents/Affected Entities: 120.
    Estimated number of responses: 60 per year (120/2, or half of the 
total population per year).
    Estimated total burden on each AT Person or executing FCM: 48 
hours.
    Frequency of response: Once every two years.
    Burden statement-all AT Persons and executing FCMs: 60 respondents 
x 48 hours = 2,880 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $3,720 to facilitate a DCM's compliance with 
Supplemental proposed Sec.  40.22. Such costs reflect to the burden to 
an AT Person of providing written information, responding to questions, 
and otherwise furnishing such information as the DCM may need to 
discharge its responsibilities. This cost is broken down as follows: 1 
Senior Compliance Specialist, working for 36 hours (36 x $57 = $2,052); 
and 1 Chief Compliance Officer, working for 12 hours (12 x $139 = 
$1,668). The 120 AT Persons that will be subject to Sec.  1.83(a) would 
therefore incur a total annual cost of $446,400 (120 x $3,720).
h. Sec.  40.22(d)--Certification Requirement
    The Commission estimates that Supplemental proposed Sec.  40.22(d), 
which states that DCMs must require each AT Person to provide the DCM 
an annual certification attesting that the AT Person complies with the 
requirements of Sec. Sec.  1.80 and 1.81, will result in (on an annual 
basis) 12 hours of burden per AT Person and 1,440 burden hours total. 
The Commission expects that the annual certification requirement will 
involve preparation and transmittal of a document that makes the 
required certification, and that most of the burden hours associated 
with this requirement would involve review and analysis by compliance 
personnel of the entity's compliance with Sec. Sec.  1.80 and 1.81 
necessary to enable the CCO or CEO to sign the certification. The 
estimated burden was calculated as follows:
    Burden: Compliance certifications submitted by AT Persons to DCMs.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 12 hours.
    Frequency of collection: Annual.
    Burden statement-all respondents: 120 respondents x 12 hours = 
1,440 Burden Hours per year.

[[Page 85386]]

    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $1,176 to submit the compliance certification that 
will be required by proposed Sec.  40.22(d). This cost is broken down 
as follows: 1 Senior Compliance Specialist, working for 6 hours (6 x 
$57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 x 
$139 = $834), for each certification to one DCM. The 120 AT Persons 
that will be subject to DCM rules implemented pursuant to Sec.  
40.22(d) would therefore incur a total annual cost of $141,120 (120 x 
$1,176).\444\
---------------------------------------------------------------------------

    \444\ The six hours of work for each employee consists of five 
hours for the initial certification and one hour to prepare 
additional certifications for three other DCMs.
---------------------------------------------------------------------------

    64. The Commission invites comment on its Regulatory Flexibility 
Act analysis. In particular, the Commission specifically invites 
comment on the accuracy of its assumption that the third parties 
referenced in Supplemental proposed Sec.  1.85 would not be ``small 
entities'' for Regulatory Flexibility Act purposes.
    65. Do you agree that revising the definition of AT Person to 
include one of the proposed volume threshold will mean that no natural 
persons will be AT Persons?
    66. Do you agree that revising the definition of AT Person to 
include one of the proposed quantitative measures will mean that there 
will not be a substantial number of small entities impacted by the 
information collection?

C. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA'') \445\ imposes certain 
requirements on federal agencies in connection with their conducting or 
sponsoring any collection of information as defined by the PRA. As 
discussed in the NPRM, Regulation AT would result in new collection of 
information requirements within the meaning of the PRA. As explained 
above, the Commission believes that the proposed volume threshold will 
reduce the number of AT Persons, which would accordingly reduce the PRA 
estimates provided in the NPRM. The Commission invites the public to 
comment on any aspect of how the proposed volume threshold would impact 
the paperwork burdens discussed in the NPRM.
---------------------------------------------------------------------------

    \445\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

1. Sec.  1.3(x)(1)(iii)--Submissions by Newly Registered Floor Traders 
\446\
---------------------------------------------------------------------------

    \446\ 78 FR 78891.
---------------------------------------------------------------------------

    In the NPRM, the Commission estimated that there would be 100 new 
Floor trader registrants under the proposed definition of floor trader 
in Sec.  1.3(x)(3). The Commission estimated that the NPRM proposed 
rules requiring registration would result in 11 hours of burden per 
affected entity, and 1,100 burden hours total. The Commission estimated 
that new registrants would incur a one-time cost of $1,056. While the 
Commission estimated that there would be 420 AT Persons under the NPRM 
proposed rules for Regulation AT, and approximately 100 would be 
required to register as Floor traders, the Commission has revised its 
estimate to 120 AT Persons under the modified rules proposed in this 
Supplemental NPRM.\447\ While the Commission recognizes that the 
modifications in the Supplemental NPRM may reduce the number of 
entities required to register, the Commission estimates that there will 
be approximately 100 new Floor trader registrants under Supplemental 
proposed Sec.  1.3(x)(1)(iii). The Commission estimates that the 100 
entities subject to the registration requirement would incur a total 
one-time cost of $105,600 (100 x $1,056).
---------------------------------------------------------------------------

    \447\ See Section II(C)(1).
---------------------------------------------------------------------------

2. Sec.  1.80(d)--Pre-Trade Risk Controls for AT Persons--Delegation
    Supplemental proposed Sec.  1.80(d) allows an AT Person to delegate 
compliance with Sec.  1.80(a) to its executing FCM. Under Supplemental 
proposed Sec.  1.80(d)(2), an AT Person may only delegate such 
functions when (i) it is technologically feasible for each relevant FCM 
to comply with Sec.  1.80(a) with a level of effectiveness reasonably 
designed to prevent and reduce the potential risk of an Algorithmic 
Trading Event; and (ii) each relevant FCM notifies the AT Person in 
writing that the FCM has accepted the AT Person's delegation and that 
it will comply with Sec.  1.80(a) on behalf of the AT Person. The 
Commission expects that the written notification pursuant to 
Supplemental proposed Sec.  1.80(d)(2)(ii) will involve preparation and 
transmittal of a document that confirms that the FCM accepted the 
delegation and will comply with Sec.  1.80(a). Accordingly, the 
Commission estimates that Supplemental proposed Sec.  1.80(d)(2)(ii) 
will result in two burden hours per affected entity to prepare and send 
the notification: 1 Compliance Attorney, working for 1 hour (1 x $96 = 
$96); and 1 Chief Compliance Officer, working for 1 hour (1 x $139). 
The Commission is unable to estimate the exact number of the 120 AT 
Persons that will choose to delegate Sec.  1.80(d) compliance. Assuming 
that all 70 executing FCMs accept delegation for at least one AT 
Person, the Commission estimates that the 70 executing FCMs would incur 
a total one-time cost of $16,450 (70 x $235).
3. Sec.  1.83(a)--AT Person Retention and Production of Books and 
Records \448\
---------------------------------------------------------------------------

    \448\ Supplemental proposed Sec.  1.83(a) is identical to NPRM 
proposed Sec.  1.83(c). NPRM proposed Sec. Sec.  1.83(a) and (b) 
have been removed in this Supplemental NPRM, and Sec.  1.83 has been 
renumbered accordingly.
---------------------------------------------------------------------------

    As discussed above, the Commission estimated in the NPRM that 420 
entities would qualify as AT Persons under Regulation AT. Pursuant to 
Supplemental proposed Sec.  1.3(xxxx), the Commission now estimates 
that 120 entities will be AT Persons. The Commission's new, lower 
estimate for the number of AT Persons is a function of the volume 
threshold test that market participants would have to satisfy to fall 
within the definition of AT Person under Supplemental proposed Sec.  
1.3(xxxx).
    The Commission has updated its PRA analysis from the NPRM for 
proposed Sec.  1.83, based on its updated estimate of 120 AT Persons in 
the Supplemental NPRM (as opposed to the 420 AT Persons estimated in 
the NPRM). The Commission's PRA analysis for Supplemental proposed 
Sec.  1.83 assumes the same cost on a per AT Person basis as was used 
in the NPRM analysis. Specifically, the Commission estimated in the 
NPRM that proposed Sec.  1.83 requirements that AT Persons keep and 
provide books and records relating to NPRM proposed Sec. Sec.  1.80 and 
1.81 compliance would result in initial outlay of 60 hours of burden 
per AT Person. Under Supplemental proposed Sec.  1.83(a), the 120 AT 
Persons would therefore initially incur 7,200 burden hours in total. In 
the NPRM, the Commission estimated that, on an initial basis, an AT 
Person would incur a cost of $5,130 to draft and update recordkeeping 
policies and procedures and make technology improvements to 
recordkeeping infrastructure. Under Supplemental proposed Sec.  
1.83(a), the 120 AT Persons would therefore incur a total initial cost 
of $615,600.
    The Commission estimated in the NPRM that proposed Sec.  1.83 
requirements that AT Persons keep and provide books and records 
relating to NPRM proposed Sec. Sec.  1.80 and 1.81 compliance would 
result in annual costs of 30 hours of burden per AT Person. Under 
Supplemental proposed Sec.  1.83(a), the 120 AT Persons would therefore 
incur 3,600 burden hours in total. In the NPRM, the Commission 
estimated that, on an annual basis, an AT Person would incur a cost of 
$2,670 to ensure

[[Page 85387]]

compliance with the NPRM proposed Sec.  1.83(a) recordkeeping rules 
relating to NPRM proposed Sec.  1.82 compliance. Under Supplemental 
proposed Sec.  1.83(a), the 120 AT Persons would therefore incur a 
total annual cost of $320,400.
4. Sec.  1.83(b)--Executing FCM Retention and Production of Books and 
Records \449\
---------------------------------------------------------------------------

    \449\ Supplemental proposed Sec.  1.83(b) amends the provisions 
of NPRM Sec.  1.83(d). NPRM Sec. Sec.  1.83(a) and (b) have been 
removed in this Supplemental NPRM, and Sec.  1.83 has been 
renumbered accordingly.
---------------------------------------------------------------------------

    As discussed above, Supplemental proposed Sec.  1.83(b) would 
govern FCM retention and production of books and records relating to 
Sec.  1.82 compliance. NPRM Sec.  1.83(d) applied to ``clearing'' FCMs. 
In contrast, Supplemental proposed Sec.  1.83(b) would apply to 
``executing'' FCMs. The Commission's PRA analysis for Supplemental 
proposed Sec.  1.83 assumes the same cost on a per AT Person basis as 
was used in the NPRM analysis. In the NPRM, the Commission estimated 
that compliance with Sec.  1.83(d) would result in initial outlay of 60 
hours of burden per FCM, and 3,420 burden hours total. In the NPRM, the 
Commission estimated that, on an initial basis, an FCM would incur a 
cost of $5,130 to draft and update recordkeeping policies and 
procedures and make technology improvements to recordkeeping 
infrastructure. Under Supplemental proposed Sec.  1.83(b), the 70 
executing FCMs would therefore incur a total initial cost of $359,100.
    The Commission estimated in the NPRM that proposed Sec.  1.83 
requirements that clearing FCMs keep and provide books and records 
relating to NPRM proposed Sec.  1.82 compliance would result in annual 
costs of 30 hours of burden per FCM. In the NPRM, the Commission 
estimated that compliance with Sec.  1.83(d) would result in annual 
costs of 30 hours of burden per FCM, and 1,710 burden hours total. In 
the NPRM, the Commission estimated that, on an initial basis, an FCM 
would incur a cost of $2,670 relating to Sec.  1.82 compliance, 
including the updating of policies and procedures and technology 
infrastructure, and to respond to DCM record requests. Under 
Supplemental proposed Sec.  1.83(b), the 70 executing FCMs would 
therefore incur a total annual cost of $186,900.
5. Sec.  1.84--Retention, Production and Confidentiality of Algorithmic 
Trading Records
a. Supplemental Proposed Sec.  1.84(a)
    In order to comply with the requirements set out in Supplemental 
proposed Sec.  1.84(a), an AT Person must have a version control system 
and an application log management system in place. The Commission 
expects that most AT Persons have version control software to manage 
each change made to their software and identify who made the change and 
why. The Commission also expects that most AT Persons manage their 
application logs through some form of application log management 
system.
    For firms that do not have version control systems and application 
log management systems in place, the effort involved in setting one up 
includes the acquisition of the hardware to run the system, the 
application software itself, the migration of the existing Algorithmic 
Trading Source Code and logs into the software, and the creation of 
policy and procedures related to the use of the system by the firm. For 
appropriate hardware to accomplish this task, a machine with sufficient 
storage space and sufficient redundancy will be needed. The Commission 
expects that 10 terabytes of data would constitute sufficient storage 
capacity. A number of software options are available, from open-source 
products to industry-standard tools.
i. Firms Without Sufficient Hardware and Software in Place
    The Commission estimates that Supplemental proposed Sec.  1.84(a), 
which requires AT Persons to maintain specified records related to 
their Algorithmic Trading Source Code and their Algorithmic Trading 
systems' activity, will result in initial outlay of 420 hours of burden 
per AT Person without sufficient hardware and software in place to 
comply with proposed Sec.  1.84(a), and 50,400 burden hours in total. 
The estimated burden was calculated as follows:
    Burden: Supplemental proposed Sec.  1.84(a), which would require AT 
Persons to maintain certain records.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each respondent: 420 hours.
    Burden statement-all respondents: 120 respondents x 420 hours = 
50,400 Burden Hours initial year.
    The Commission estimates that an AT Person without the hardware and 
software in place to maintain the records required by Supplemental 
proposed Sec.  1.84(a) would incur a cost of $41,840 to purchase and 
set up the required hardware and software, migrate existing Algorithmic 
Trading Source Code and logs into the software and draft appropriate 
recordkeeping policies and procedures and make technology improvements 
to recordkeeping infrastructure. This cost is broken down as follows: 
Hardware costing $12,000,\450\ software costing $2,000,\451\ 1 Project 
Manager for the Algorithmic Trading Source Code and log migration 
effort, working for 60 hours (60 x $70 = $4,200); 1 Developer for the 
Algorithmic Trading Source Code and log migration effort, working for 
60 hours (60 x $75 = $4,500), 1 Project Manager to develop the related 
policies and procedures, working for 120 hours (120 x $70 = $8,400), 1 
Business Analyst to develop the related policies and procedures, 
working for 120 hours (120 x $52 = $6,240), and 1 Developer to develop 
the related policies and procedures, working for 60 hours (60 x $75 = 
$4,500). Therefore, if none of the 120 AT Persons had sufficient 
hardware and software to comply, they would therefore incur a total 
initial cost of $5,020,800 (120 x $41,840).
---------------------------------------------------------------------------

    \450\ The Commission estimates that the hardware could cost from 
$1,000 to $25,000 depending on factors including which hardware 
vendor an AT Person chooses, the amount of business the AT Person 
does with the hardware vendor and the pricing the hardware vendor 
provides the AT Person as a result.
    \451\ The Commission estimates that the software could cost from 
$0 to $5,000 depending on factors including which hardware vendor an 
AT Person chooses, the amount of business the AT Person does with 
the hardware vendor and the pricing the hardware vendor provides the 
AT Person as a result.
---------------------------------------------------------------------------

ii. Firms With Sufficient Hardware and Software in Place
    Firms that have the necessary systems in place may nevertheless 
need to make changes to their policies and procedures and enhance their 
hardware to provide more storage capacity, in each case to address the 
requirements of Supplemental proposed Sec.  1.84(a). The discussion 
below addresses both the effort it takes to determine what upgrades 
need to be made, and to implement those upgrades.
    The Commission estimates that Supplemental proposed Sec.  1.84(a) 
requiring AT Persons to maintain specified records related to their 
Algorithmic Trading Source Code and their Algorithmic Trading systems' 
activity will result in initial outlay of 90 hours of burden per AT 
Person with sufficient hardware and software to comply with 
Supplemental proposed Sec.  1.84(a), and 10,800 burden hours in total. 
The estimated burden was calculated as follows:
    Burden: Supplemental proposed Sec.  1.84(a), which would require AT 
Persons to maintain certain records.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each respondent: 90 hours.

[[Page 85388]]

    Burden statement--all respondents: 120 respondents x 90 hours = 
10,800 Burden Hours initial year.
    The Commission estimates that, on an initial basis, an AT Person 
with the hardware and software in place to maintain the records 
required by Supplemental proposed Sec.  1.84(a) would incur a cost of 
$12,160 to purchase and set up the required hardware and software, 
migrate existing Algorithmic Trading Source Code and logs into the 
software and draft appropriate recordkeeping policies and procedures 
and make technology improvements to recordkeeping infrastructure. This 
cost is broken down as follows: Hardware costing $4,000,\452\ 1 Project 
Manager to develop the related policies and procedures, working for 30 
hours (30 x $70 = $2,100, 1 Business Analyst to develop the related 
policies and procedures, working for 30 hours (30 x $52 = $1,560), and 
1 Developer to develop the related policies and procedures, working for 
60 hours (60 x $75 = $4,500). The 120 AT Persons would therefore incur 
a total initial cost of $1,459,200 (120 x $12,160).
---------------------------------------------------------------------------

    \452\ The Commission estimates that the hardware could cost from 
$1,000 to $10,000 depending on factors including which hardware 
vendor an AT Person chooses, the amount of business the AT Person 
does with the hardware vendor and the pricing the hardware vendor 
provides the AT Person as a result.
---------------------------------------------------------------------------

b. Supplemental Proposed Sec. Sec.  1.84(b) and (c)
    In order to comply with the requirements set out in Supplemental 
proposed Sec. Sec.  1.84(b) and 1.84(c), AT Persons will have to use 
their version control software to manage their software's version 
history. This will require a standard monthly effort to maintain the 
environment so that each AT Person is able to respond to special calls 
and/or subpoenas.
    Monthly Maintenance: The Commission estimates that Supplemental 
proposed Sec. Sec.  1.84(b) and 1.84(c), which require AT Persons to 
produce records of Algorithmic Trading in response to a special call or 
subpoena, will result in ongoing costs of 324 hours of burden per AT 
Person per year, and 38,880 annual burden hours in total. The estimated 
burden was calculated as follows:
    Burden: Rule requiring AT Persons to produce Algorithmic Trading 
records in response to a Special Call or Subpoena.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated total burden on each respondent: 324 hours.\453\
---------------------------------------------------------------------------

    \453\ The Commission estimates 27 burden hours per respondent/
affected entity per month. Annualizing this monthly figure by 
multiplying by 12 results in the 324 total burden hour estimate.
---------------------------------------------------------------------------

    Burden statement--all respondents: 120 respondents x 324 hours = 
38,880 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $24,120 to draft and update recordkeeping policies 
and procedures and make technology improvements to recordkeeping 
infrastructure. This cost is broken down as follows: 1 Project Manager, 
working for 3 hours per month x 12 months = 36 hours per year (36 x $70 
= $2,520); and 1 Developer, working for 24 hours per month x 12 months 
= 288 hours per year (288 x $75 = $21,600). The 120 AT Persons would 
therefore incur a total annual cost of $2,894,400 (120 x $24,120).
    Costs per Response to a Special Call or Subpoena: The Commission 
estimates that Supplemental proposed Sec. Sec.  1.84(b) and 1.84(c), 
which require AT Persons to produce records of Algorithmic Trading in 
response to a special call or subpoena, will result in costs per 
response of 72 hours of burden per AT Person, and 12,960 burden hours 
in total. The estimated burden was calculated as follows:
    Burden: Rule requiring AT Persons to produce Algorithmic Trading 
records in response to a Special Call or Subpoena.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 108 hours.
    Frequency of collection: Intermittent.
    Burden statement--all respondents: 120 respondents x 108 hours = 
12,960 Burden Hours per year.
    The Commission estimates that, on an intermittent basis, an AT 
Person will incur a cost of $5,844 to ensure compliance with those 
aspects of Supplemental proposed Sec. Sec.  1.84(b) and 1.84(c) 
requiring AT Persons to produce records of Algorithmic Trading in 
response to a special call or subpoena. This cost is broken down as 
follows: 1 Project Manager, working for 12 hours (12 x $70 = $840); 1 
Developer, working for 36 hours (36 x $75 = $2,700); and 1 Compliance 
Attorney, working for 24 hours (24 x $96 = $2,304). The 120 AT Persons 
would therefore incur a total annual cost of $701,280 (120 x $5,844).
6. Sec.  1.85--Third-Party Algorithmic Trading Systems or Components
    The Commission estimates that the requirement under Supplemental 
proposed Sec.  1.85 that an AT Person may comply with an obligation 
under NPRM proposed Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(iii), 
1.81(a)(1)(iv), 1.81(a)(2), or Supplemental proposed Sec. Sec.  
1.81(a)(1)(ii) or 1.84 by obtaining a certification from a third party 
that the third party is fulfilling the obligation, will result in: (1) 
60 one-time hours of burden per AT Person, and 7,200 burden hours in 
total; (2) 36 hours (on a recurring annual basis) of burden per AT 
Person, and 4,320 burden hours in total; (3) 60 one-time hours of 
burden per third party, and 3,000 burden hours in total; and (4) 36 
hours (on a recurring annual basis) of burden per third party, and 
1,800 burden hours in total. The estimated burden was calculated as 
follows:
    Burden: AT Person establishing the process for obtaining third-
party certifications, obtaining the initial certifications and 
conducting due diligence on the accuracy thereof.
    Respondents/Affected Entities: 120.\454\
---------------------------------------------------------------------------

    \454\ The Commission estimates 120 AT Persons will rely on third 
party certifications pursuant to Supplemental proposed Sec.  1.85. 
This estimate is based on an assumption that each AT Person will 
rely on one third party service providers for such AT Person's ATS 
or components. In fact, the Commission anticipates that some AT 
Persons will not rely on any third party service providers for their 
ATSs or components, while other AT Persons will rely on two third 
party service providers. For purposes of this PRA analysis, the 
Commission believes that the best available estimate is that there 
will be a total of 120 Respondents/Affected Entities. The Commission 
seeks comment on this estimate.
---------------------------------------------------------------------------

    Estimated number of responses: 120.\455\
---------------------------------------------------------------------------

    \455\ This is calculated as the product of 120 estimated 
Respondents/Affected Entities and one initial response (i.e., 
establishing the process for obtaining third party certifications, 
obtaining the initial certifications and conducting due diligence on 
the accuracy thereof).
---------------------------------------------------------------------------

    Estimated total burden on each respondent: 60 hours.\456\
---------------------------------------------------------------------------

    \456\ The Commission estimates that the initial response will 
take a Project Manager 24 hours, a Compliance Attorney 24 hours and 
a Developer 12 hours. The sum of those hours is 60 hours.
---------------------------------------------------------------------------

    Frequency of collection: One-time.
    Burden statement--all respondents: 120 respondents x 60 hours = 
7,200 Burden Hours per year.
    The Commission estimates that an AT Person will incur a one-time 
cost of $4,884 to establish the process for initially obtaining the 
third-party certifications permitted by Supplemental proposed Sec.  
1.85, conduct the related due diligence and obtain the initial 
certifications. This cost is broken down as follows: 1 Project Manager, 
working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney, 
working for 24 hours (24 x $96 = $2,304); and 1 Developer working for 
12 hours (12 x $75 = $900). The estimated 120 AT Persons that will rely 
on Sec.  1.85 would therefore incur a total one-time cost of $586,080 
(120 x $4,884).
    Burden: AT Person updating its certifications from third parties 
and

[[Page 85389]]

conducting updated due diligence on the accuracy thereof.
    Respondents/Affected Entities: 120.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 36 hours.\457\
---------------------------------------------------------------------------

    \457\ The Commission estimates that the annual collection will 
take a Project Manager 12 hours, a Compliance Attorney 12 hours and 
a Developer 12 hours. The sum of those hours is 36 hours. However, 
the Commission believes that in a typical year, the actual number of 
burden hours would be lower, provided that the product or service 
the AT Person receives from the third party provider has not changed 
substantially.
---------------------------------------------------------------------------

    Frequency of collection: Annual.
    Burden statement--all respondents: 120 respondents x 36 hours = 
4,320 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $2,892 to obtain the third-party certifications 
permitted by Supplemental proposed Sec.  1.85 and conduct the related 
due diligence. This cost is broken down as follows: 1 Project Manager, 
working for 12 hours (12 x $70 = $840); 1 Compliance Attorney, working 
for 12 hours (12 x $96 = $1,152); and 1 Developer working for 12 hours 
(12 x $75 = $900). The estimated 120 AT Persons that will rely on Sec.  
1.85 would therefore incur a total annual cost of $347,040 (120 x 
$2,892).
    Burden: Third party establishing the process for providing 
certifications to AT Persons, providing the initial certifications and 
cooperating with AT Persons conducting due diligence on the accuracy 
thereof.
    Respondents/Affected Entities: 50.\458\
---------------------------------------------------------------------------

    \458\ The Commission estimates that there will be a total of 50 
third party service providers to AT Persons for their ATSs or 
components. The Commission seeks comment on this estimate.
---------------------------------------------------------------------------

    Estimated number of responses: 50.\459\
---------------------------------------------------------------------------

    \459\ This is calculated as the product of 50 third parties and 
one initial response (i.e., establishing the process for providing 
third party certifications, providing the initial certifications and 
cooperating with AT Persons conducting due diligence on the accuracy 
thereof). The Commission assumes that each third party will provide 
a single certification to all AT Persons using a product or service 
from the third party. The Commission seeks comment on this estimate.
---------------------------------------------------------------------------

    Estimated total burden on each respondent: 60 hours.\460\
---------------------------------------------------------------------------

    \460\ The Commission estimates that, as with the initial 
collection burden on AT Persons, the initial response will take a 
third party Project Manager 24 hours, a third party Compliance 
Attorney 24 hours and a third party Developer 12 hours. The sum of 
those hours is 60 hours.
---------------------------------------------------------------------------

    Frequency of collection: One-time.
    Burden statement--all respondents: 50 responses x 60 hours = 3,000 
Burden Hours per year.
    The Commission estimates that a third party will incur a one-time 
cost of $4,884 to establish the process for initially providing the 
third-party certifications permitted by Supplemental proposed Sec.  
1.85 and cooperate with AT Persons conducting the related due 
diligence. This cost is broken down as follows: 1 Project Manager, 
working for 24 hours (24 x $70 = $1,680); 1 Compliance Attorney, 
working for 24 hours (24 x $96 = $2,304); and 1 Developer working for 
12 hours (12 x $75 = $900). The estimated 50 third parties that provide 
certifications pursuant to Supplemental proposed Sec.  1.85 would 
therefore incur a total initial cost of $244,200 (50 x $4,884).
    Burden: Third parties annually updating their certifications to AT 
Persons and cooperating with AT Persons conducting due diligence on the 
accuracy thereof.
    Respondents/Affected Entities: 50.\461\
---------------------------------------------------------------------------

    \461\ The Commission estimates that there will be a total of 50 
third party service providers to AT Persons for their ATSs or 
components.
---------------------------------------------------------------------------

    Estimated number of responses: 120.
    Estimated total burden on each respondent: 36 hours.\462\
---------------------------------------------------------------------------

    \462\ The Commission estimates that, as with the recurring 
annual collection for AT Persons, the annual collection will take a 
third party Project Manager 12 hours, a third party Compliance 
Attorney 12 hours and a third party Developer 12 hours. The sum of 
those hours is 36 hours. However, the Commission believes that in a 
typical year, the actual number of burden hours would be lower, 
provided that the product or service the AT Person receives from the 
third party provider has not changed substantially.
---------------------------------------------------------------------------

    Frequency of collection: Annual.
    Burden statement--all respondents: 120 responses x 36 hours = 4,320 
Burden Hours per year.
    The Commission estimates that, on an annual basis, a third party 
will incur a cost of $2,892 to provide AT Persons the third-party 
certifications permitted by Supplemental proposed Sec.  1.85 and 
cooperate with AT Persons conducting the related due diligence. This 
cost is broken down as follows: 1 Project Manager, working for 12 hours 
(12 x $70 = $840); 1 Compliance Attorney, working for 12 hours (12 x 
$96 = $1,152); and 1 Developer working for 12 hours (12 x $75 = $900). 
The estimated 50 third parties that will rely on Sec.  1.85 would 
therefore incur a total annual cost of $144,600 (50 x $2,892).
7. Sec.  38.255(c)--Risk Controls for Trading--FCM Certification to DCM
    Supplemental proposed Sec.  38.255(c) requires a DCM that permits 
DEA to require that an FCM use DCM-provided risk controls, or 
substantially equivalent controls developed by the FCM itself or a 
third party. Prior to an FCM's use of its own or a third party's 
systems and controls, the FCM must certify to the DCM that such systems 
and controls are in fact substantially equivalent to the systems and 
controls that the DCM makes available pursuant to Supplemental proposed 
Sec.  38.255(b). The Commission expects that the written notification 
pursuant to Supplemental proposed Sec.  38.255(c) will involve 
preparation and transmittal of a certification document. Accordingly, 
the Commission estimates that Supplemental proposed Sec.  38.255(c) 
will result in two burden hours per affected entity to prepare and send 
the notification: 1 Compliance Attorney, working for 1 hour (1 x $96 = 
$96); and 1 Chief Compliance Officer, working for 1 hour (1 x $139). 
The Commission is unable to estimate the exact number of FCMs that will 
choose to use its own or a third party's systems and controls. Assuming 
that all 70 executing FCMs were to do so for four DCMs, the Commission 
estimates that the 70 executing FCMs would incur a total one-time cost 
of $65,800 (70 x $235 x 4).\463\
---------------------------------------------------------------------------

    \463\ DCMs will incur some costs with respect to preparing an 
exchange rule requiring FCMs to provide Sec.  38.255(c) 
certifications. Exchange rule-writing costs are generally covered in 
the existing Part 40 PRA collection.
---------------------------------------------------------------------------

8. Sec.  40.22(a)-(c)--Compliance With DCM Reviews
    The Commission expects that Supplemental proposed Sec.  40.22(a)-
(c), which requires DCMs to periodically review AT Persons' compliance 
with Sec. Sec.  1.80 and 1.81 executing FCMs' compliance with Sec.  
1.82, will also impose burdens on the AT Persons and executing FCMs 
that will be subject to such reviews. The Commission believes that an 
adequate review program will typically require DCMs to evaluate AT 
Persons' and executing FCMs' compliance every two years. Low-risk 
parties may require less frequent review, while high-risk parties could 
require for frequent evaluation. The Commission estimates (on an annual 
basis) 48 hours of burden per AT Person and executing FCM, and 4,320 
burden hours in total per year. The estimated burden was calculated as 
follows:
    Burden: Compliance by AT Persons and FCMs with DCM Reviews.
    Respondents/Affected Entities: 180 (120 AT Persons + 60 FCMs).\464\
---------------------------------------------------------------------------

    \464\ The Commission is using 60, as opposed to 70, FCMs for 
purposes of this calculation because every FCM does not operate on 
all DCMs. Accordingly, a single DCM would not necessarily have to 
review every FCM.
---------------------------------------------------------------------------

    Estimated number of responses: 90 per year (180/2, or half of the 
total population per year).
    Estimated total burden on each AT Person or executing FCM: 48 
hours.
    Frequency of response: Once every two years.

[[Page 85390]]

    Burden statement--all AT Persons and executing FCMs: 90 respondents 
x 48 hours = 4,320 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person or 
an executing FCM will incur a cost of $3,720 to facilitate a DCM's 
compliance with Supplemental proposed Sec.  40.22. Such costs reflect 
to the burden to an AT Person or executing FCM of providing written 
information, responding to questions, and otherwise furnishing such 
information as the DCM may need to discharge its responsibilities. This 
cost is broken down as follows: 1 Senior Compliance Specialist, working 
for 36 hours (36 x $57 = $2,052); and 1 Chief Compliance Officer, 
working for 12 hours (12 x $139 = $1,668). The 180 AT Persons and 
executing FCMs that will be subject to Sec.  40.22 DCM review programs 
would therefore incur a total annual cost of $334,800 (90 x $3,720).
9. Sec.  40.22(d)--Certification Requirement
    The Commission estimates that Supplemental proposed Sec.  40.22(d), 
which states that DCMs must require each AT Person to provide the DCM 
an annual certification attesting that the AT Person complies with the 
requirements of Sec. Sec.  1.80 and 1.81, will result in (on an annual 
basis) 12 hours of burden per AT Person and 1,440 burden hours total. 
The Commission expects that the annual certification requirement will 
involve preparation and transmittal of a document that makes the 
required certification, and that most of the burden hours associated 
with this requirement would involve review and analysis by compliance 
personnel of the entity's compliance with Sec. Sec.  1.80 and 1.81 
necessary to enable the CCO or CEO to sign the certification. The 
estimated burden was calculated as follows:
    Burden: Compliance certifications submitted by AT Persons to DCMs.
    Respondents/Affected Entities: 120 AT Persons.
    Estimated number of responses: 120.
    Estimated total burden on each respondent: 12 hours.
    Frequency of collection: Annual.
    Burden statement--all respondents: 120 respondents x 12 hours = 
1,440 Burden Hours per year.
    The Commission estimates that, on an annual basis, an AT Person 
will incur a cost of $1,176 to submit the compliance certification that 
will be required by proposed Sec.  40.22(d). This cost is broken down 
as follows: 1 Senior Compliance Specialist, working for 6 hours (6 x 
$57 = $342); and 1 Chief Compliance Officer, working for 6 hours (6 x 
$139 = $834), for each certification to one DCM. The 120 AT Persons 
that will be subject to DCM rules implemented pursuant to Sec.  
40.22(d) would therefore incur a total annual cost of $141,120 (120 x 
$1,176).
    Proposed Sec.  40.22(d) also states that DCMs must require that 
each executing FCM provide the DCM with an annual certification 
attesting that the executing FCM complies with the requirements of 
Sec.  1.82. The Commission estimates that this requirement will result 
in (on an annual basis), 10 hours of burden per executing FCM, and 
2,800 burden hours total. The Commission expects that the annual 
certification requirement will involve preparation and transmittal of a 
document that makes the required certification, and that most of the 
burden hours associated with this requirement would involve review and 
analysis by compliance personnel of the entity's compliance with Sec.  
1.82 necessary to enable the CCO or CEO to sign the certification. The 
estimated burden was calculated as follows:
    Burden: Compliance certifications submitted by executing FCMs to 
DCMs.
    Respondents/Affected Entities: 70 executing FCMs.
    Estimated number of responses: 70.
    Estimated total burden on each respondent: 12 hours.
    Frequency of collection: Annual.
    Burden statement--all respondents: 70 respondents x 12 hours = 840 
Burden Hours per year.
    The Commission estimates that, on an annual basis, an executing FCM 
will incur a cost of $1,176 to submit the compliance certification 
required by proposed Sec.  40.22(d). This cost is broken down as 
follows: 1 Senior Compliance Specialist, working for 6 hours (6 x $57 = 
$342); and 1 Chief Compliance Officer, working for 5 hours (5 x $139 = 
$834), for each certification to one DCM. The 70 executing FCMs that 
will be subject to DCM rules implemented pursuant to Sec.  40.22(d) 
would therefore incur a total annual cost of $82,320 (70 x $1,176).
10. Commission Questions
    67. The Commission welcomes all comments on the PRA analysis set 
forth in this Supplemental NPRM and, in particular, all comments 
regarding the accuracy of its estimate that 120 AT Persons would rely 
on third-party certifications pursuant to Supplemental proposed Sec.  
1.85.
    68. The Commission seeks comment on its estimate that 50 third 
parties would provide certifications to AT Persons pursuant to 
Supplemental proposed Sec.  1.85.
    69. The Commission seeks comment on its estimated costs on AT 
Persons and third parties in connection with Supplemental proposed 
Sec.  1.85.
    70. The Commission is assuming that each third party that provides 
certifications under Supplemental proposed Sec.  1.85 will provide a 
single certification to all AT Persons that use a product or service 
from such third party. The Commission seeks comment on whether it is 
feasible for a third party to provide a single certification to all AT 
Persons using such third party's products or services.

List of Subjects

17 CFR Part 1

    Commodity futures, Commodity pool operators, Commodity trading 
advisors, Definitions, Designated contract markets, Floor brokers, 
Futures commission merchants, Introducing brokers, Major swap 
participants, Reporting and recordkeeping requirements, Swap dealers.

17 CFR Part 38

    Commodity futures, Designated contract markets, Reporting and 
recordkeeping requirements.

17 CFR Part 40

    Commodity futures, Definitions, Designated contract markets, 
Reporting and recordkeeping requirements.

17 CFR Part 170

    Commodity futures, Commodity pool operators, Commodity trading 
advisors, Floor brokers, Futures commission merchants, Introducing 
brokers, Major swap participants, Reporting and recordkeeping 
requirements, Swap dealers.

    For the reasons stated in the preamble, the Commodity Futures 
Trading Commission proposes to amend 17 CFR chapter I as follows:

PART 1--GENERAL REGULATIONS UNDER THE COMMODITY EXCHANGE ACT

0
1. The authority citation for part 1 continues to read as follows:

    Authority:  7 U.S.C. 1a, 2, 5, 6, 6a, 6b, 6c, 6d, 6e, 6f, 6g, 
6h, 6i, 6k, 6l, 6m, 6n, 6o, 6p, 6r, 6s, 7, 7a-1, 7a-2, 7b, 7b-3, 8, 
9, 10a, 12, 12a, 12c, 13a, 13a-1, 16, 16a, 19, 21, 23, and 24 
(2012).

0
2. Amend Sec.  1.3 as follows:
0
a. Revise paragraph (x);
0
b. Reserve paragraphs (tttt)-(vvvv);
0
c. Add paragraphs (wwww), (xxxx), and (yyyy);
0
d. Reserve paragraphs (zzzz) and (aaaaa); and
0
e. Add paragraphs (bbbbb), (ccccc), and (ddddd).

[[Page 85391]]

    The revisions and additions to read as follows:


Sec.  1.3   Definitions.

* * * * *
    (x) Floor trader--(1) In general. This term means any person:
    (i) Who, in or surrounding any pit, ring, post or other place 
provided by a contract market for the meeting of persons similarly 
engaged, purchases, or sells solely for such person's own account--
    (A) Any commodity for future delivery, security futures product, or 
swap; or
    (B) Any commodity option authorized under section 4c of the Act; or
    (ii) Who is registered with the Commission as a floor trader; or
    (iii)(A) Who, in or surrounding any other place provided by a 
contract market for the meeting of persons similarly engaged, purchases 
or sells solely for such person's own account--
    (1) Any commodity for future delivery, security futures product, or 
swap; or
    (2) Any commodity option authorized under section 4c of the Act;
    (B) Who uses Direct Electronic Access as defined in paragraph 
(yyyy) of this section, in whole or in part, to access such other place 
for Algorithmic Trading;
    (C) Who is not registered with the Commission as a futures 
commission merchant, floor broker, swap dealer, major swap participant, 
commodity pool operator, commodity trading advisor, or introducing 
broker; and
    (D) Who, with respect to purchases or sales on any designated 
contract market of any commodity for future delivery, security futures 
product, or swap, or any commodity option authorized under section 4c 
of the Act, satisfies the volume threshold test set forth in paragraph 
(x)(2) of this section.
    (2) Volume threshold test. A person satisfies the volume threshold 
test for purposes of paragraph (x)(1)(iii)(D) of this section if such 
person trades an aggregate average daily volume of at least 20,000 
contracts for such person's own account, the accounts of customers, or 
both where:
    (i) Such person shall calculate the aggregate average daily volume 
across all products and on the electronic trading facilities of all 
designated contract markets where such person trades;
    (ii) Such person shall calculate the aggregate average daily volume 
for each January 1 through June 30 and July 1 through December 31 
period, based on all trading days in the respective period; and
    (iii) For purposes of calculating the aggregate average daily 
volume, such person shall aggregate its own trading volume and that of 
any other persons controlling, controlled by or under common control 
with such person.
    (3) Registration period. (i) Unregistered persons who satisfy 
paragraphs (x)(1)(iii)(A)-(C) of this section, and who satisfy the 
volume threshold test set forth in paragraph (x)(2) of this section in 
any January 1 through June 30 or July 1 through December 31 period, 
shall register as a floor trader within 30 days after the end of such 
period and shall comply with all requirements of AT Persons pursuant to 
Commission regulations in this chapter within 90 days after the end of 
such period.
    (ii) For any group consisting of a person and any other persons 
controlling, controlled by or under common control with such person, if 
such group of persons in the aggregate satisfies the volume threshold 
test set forth in paragraph (x)(2) of this section, then one or more 
persons in such group shall register as floor traders under paragraph 
(x)(3)(i) of this section, so that the aggregate average daily volume 
of the unregistered persons in the group trade an aggregate average 
daily volume below the volume threshold test set forth in paragraph 
(x)(2) of this section.
    (4) Anti-Evasion. (i) No person shall trade contracts or cause 
contracts to be traded through multiple entities for the purpose of 
evading the registration requirements imposed on floor traders under 
paragraph (x)(3) of this section, or to avoid meeting the definition of 
AT Person under paragraph (xxxx) of this section.
    (ii) Contracts that any person trades or causes to be traded 
through multiple entities for the purpose of evading the registration 
requirements imposed on floor traders under paragraph (x)(3) of this 
section, or to avoid meeting the definition of AT Person under 
paragraph (xxxx) of this section, shall be attributed to such person 
for purposes of the volume threshold test calculation contained in 
paragraph (x)(2) of this section.
* * * * *
    (tttt)-(vvvv) [Reserved]
    (wwww) AT Order Message. This term means each new order submitted 
through Algorithmic Trading by an AT Person and each modification or 
cancellation submitted through Algorithmic Trading by an AT Person with 
respect to such an order.
    (xxxx) AT Person. (1) This term means any person registered or 
required to be registered as a--
    (i) Futures commission merchant, floor broker, swap dealer, major 
swap participant, commodity pool operator, commodity trading advisor, 
or introducing broker that--
    (A) Engages in Algorithmic Trading on or subject to the rules of a 
designated contract market; and
    (B) With respect to purchases or sales of any commodity for future 
delivery, security futures product, or swap, or any commodity option 
authorized under section 4c of the Act, satisfies, or has satisfied, 
the volume threshold test set forth in paragraph (x)(2) of this 
section; provided, however, that if an AT Person does not satisfy such 
volume threshold test for two consecutive semi-annual periods, as 
outlined in paragraph (x)(2) of this section, then such person shall no 
longer be considered an AT Person; or
    (ii) Floor trader as defined in paragraph (x)(1)(iii) of this 
section.
    (2)(i) A person who does not satisfy the conditions of paragraph 
(xxxx)(1) of this section may elect to become an AT Person, provided 
that such person:
    (A) Registers as a floor trader as defined in paragraph (x)(1)(ii) 
of this section; and
    (B) Submits an application for membership in at least one 
registered futures association pursuant to Sec.  170.18 of this 
chapter.
    (ii) A person that elects to become an AT Person pursuant to 
paragraph (xxxx)(2)(i) of this section shall comply with all 
requirements of AT Persons pursuant to Commission regulations in this 
chapter.
    (yyyy) Direct Electronic Access. For purposes of Sec. Sec.  1.3(x), 
1.3(xxxx), 1.80, 1.81, and 1.82, and Sec. Sec.  38.255 and 40.20 of 
this chapter, this term means the electronic transmission of an order 
for processing on or subject to the rules of a contract market, 
including the electronic transmission of any modification or 
cancellation of such order; provided however that this term does not 
include orders, or modifications or cancellations thereof, 
electronically transmitted to a designated contract market by a futures 
commission merchant that such futures commission merchant first 
received from an unaffiliated natural person by means of oral or 
written communications.
    (zzzz)-(aaaaa) [Reserved]
    (bbbbb) Electronic Trading Order Message. This term means each new 
order submitted by Electronic Trading and each modification or 
cancellation submitted by Electronic Trading with respect to such an 
order.
    (ccccc) Algorithmic Trading Source Code. Algorithmic Trading Source 
Code

[[Page 85392]]

generally means computer commands written in a computer programming 
language that is readable by natural persons. For purposes of 
Sec. Sec.  1.81 and 1.84, Algorithmic Trading Source Code shall include 
at minimum computer code, logic embedded in electronic circuits, 
scripts, parameters input into an Algorithmic Trading system, formulas, 
and configuration files.
    (ddddd) Electronic Trading. For purposes of Sec. Sec.  1.80, 1.82, 
and 1.83, and Sec. Sec.  38.255, 40.20, and 40.22 of this chapter, this 
term means trading in any commodity interest as defined in paragraph 
(yy) of this section on an electronic trading facility as such term is 
defined by section 1a(16) of the Act, where the order, order 
modification or order cancellation is electronically submitted for 
processing on or subject to the rules of a designated contract market.
0
3. Add subpart A to read as follows:
Subpart A--Requirements for Algorithmic Trading
Sec.
1.80 Pre-trade risk controls for AT Persons.
1.81 Standards for the development, monitoring, and compliance of 
Algorithmic Trading systems.
1.82 Executing futures commission merchant risk management.
1.83 AT Person and executing futures commission merchant 
recordkeeping.
1.84 Maintenance of Algorithmic Trading Source Code and related 
records.
1.85 Use of third-party Algorithmic Trading systems or components.

Subpart A--Requirements for Algorithmic Trading


Sec.  1.80   Pre-trade risk controls for AT Persons.

    For all AT Order Messages, an AT Person shall implement pre-trade 
risk controls and other measures reasonably designed to prevent and 
reduce the potential risk of an Algorithmic Trading Event, including 
but not limited to:
    (a) [Reserved]
    (1) [Reserved]
    (2) Pre-trade risk controls shall be set at a level or levels of 
granularity that shall include as appropriate the level of each AT 
Person, product, account number or designation, or one or more 
identifiers of the natural persons or the order strategy or Algorithmic 
Trading system associated with an AT Order Message.
    (b) [Reserved]
    (c) [Reserved]
    (d) Delegation. (1) An AT Person may choose to comply with 
paragraph (a) of this section by implementing required pre-trade risk 
controls, or it may instead delegate compliance with such obligations 
to its executing futures commission merchant(s).
    (2) An AT Person may only delegate such functions when--
    (i) It is technologically feasible for each relevant futures 
commission merchant to comply with paragraph (a) of this section with a 
level of effectiveness reasonably designed to prevent and reduce the 
potential risk of an Algorithmic Trading Event; and
    (ii) Each relevant futures commission merchant notifies the AT 
Person in writing that the futures commission merchant has accepted the 
AT Person's delegation and that it will comply with paragraph (a) of 
this section on behalf of the AT Person.
    (e) [Reserved]
    (f) Periodic review for sufficiency and effectiveness. Each AT 
Person shall periodically review its compliance with this section to 
determine whether it has effectively implemented sufficient measures 
reasonably designed to prevent and reduce the potential risk of an 
Algorithmic Trading Event. Each AT Person that has delegated its pre-
trade risk controls to a futures commission merchant pursuant to 
paragraph (d) or paragraph (g)(2)-(3) of this section shall 
periodically review such futures commission merchant's compliance with 
the requirements of paragraph (a) of this section on behalf of the AT 
Person. Each AT Person shall take prompt action to remedy any 
deficiencies it identifies in its own measures or in those of a futures 
commission merchant to which it has delegated.
    (g) AT Persons' pre-trade risk controls for electronic trading. (1) 
An AT Person shall also apply the risk control mechanisms described in 
paragraphs (a), (b), and (c) of this section to its Electronic Trading 
Order Messages that do not arise from Algorithmic Trading, after making 
appropriate adjustments in the risk control mechanisms to accommodate 
the application of such mechanisms to Electronic Trading Order 
Messages.
    (2) An AT Person may choose to comply with paragraph (g)(1) of this 
section as to the risk controls in paragraph (a) of this section by 
implementing required pre-trade risk controls, or it may instead 
delegate compliance with such obligations to its executing futures 
commission merchant(s).
    (3) An AT Person may only delegate such functions when--
    (i) It is technologically feasible for each relevant futures 
commission merchant to comply with paragraph (g)(1) of this section as 
to risk control mechanisms required by paragraph (a) of this section 
with a level of effectiveness reasonably designed to prevent and reduce 
the potential risk of a disruption associated with Electronic Trading; 
and
    (ii) Each relevant futures commission merchant notifies the AT 
Person in writing that the futures commission merchant has accepted the 
AT Person's delegation and that it will comply with paragraph (a) of 
this section on behalf of the AT Person.


Sec.  1.81   Standards for the development, monitoring, and compliance 
of Algorithmic Trading systems.

    (a) Development and testing of Algorithmic Trading Systems. (1) 
[Reserved]
    (i) [Reserved]
    (ii) Testing of all Algorithmic Trading systems, including 
Algorithmic Trading Source Code, and any changes to such systems or 
code, prior to their implementation. Such testing shall be reasonably 
designed to effectively identify circumstances that may contribute to 
future Algorithmic Trading Events.
    (iii)-(iv) [Reserved]
    (2) [Reserved]
    (b)-(d) [Reserved]


Sec.  1.82   Executing futures commission merchant risk management.

    (a) Electronic Trading Order Messages not originating with an AT 
Person. Each executing futures commission merchant shall comply with 
the following requirements for all Electronic Trading Order Messages 
not originating with an AT Person:
    (1) Make use of pre-trade risk controls reasonably designed to 
prevent and reduce the potential risk of a disruption associated with 
Electronic Trading (including an Algorithmic Trading Disruption), 
including at a minimum:
    (i) Maximum Electronic Trading Order Message frequency per unit 
time and maximum execution frequency per unit time; and
    (ii) Order price parameters and maximum order size limits.
    (2) Pre-trade risk controls must be set at a level or levels of 
granularity that will prevent and reduce the potential risk of an 
Electronic Trading disruption, which shall include as appropriate the 
level of each customer, product, account number or designation, or one 
or more identifiers of the natural persons or the order strategy or 
Algorithmic Trading system associated with an Electronic Trading Order 
Message.
    (3) The futures commission merchant shall have policies and 
procedures reasonably designed to ensure that natural person monitors 
at the futures

[[Page 85393]]

commission merchant are promptly alerted when pre-trade risk control 
parameters established pursuant to this section are breached.
    (4) Make use of order cancellation systems that have the ability 
to:
    (i) Immediately disengage Electronic Trading;
    (ii) Cancel selected or up to all resting orders when system or 
market conditions require it; and
    (iii) Prevent submission of new Electronic Trading Order Messages.
    (b) Direct Electronic Access orders. For all Electronic Trading 
Order Messages not originating with an AT Person and that are submitted 
to a trading platform through Direct Electronic Access as defined in 
Sec.  1.3(yyyy), the futures commission merchant may comply with the 
requirements of paragraphs (a)(1), (2), and (4) of this section by 
implementing the pre-trade risk controls and order cancellation systems 
provided by designated contract markets pursuant to Sec.  38.255(b) and 
(c) of this chapter.
    (c) Non-Direct Electronic Access orders. For all Electronic Trading 
Order Messages not originating with an AT Person and that are not 
submitted to a trading platform through Direct Electronic Access as 
defined in Sec.  1.3(yyyy), the futures commission merchant shall 
comply with the requirements of paragraphs (a)(1), (2), and (4) of this 
section by--
    (i) Itself establishing and maintaining the pre-trade risk controls 
and order cancellation systems described in paragraphs (a)(1), (2), and 
(4) of this section; or
    (ii) Implementing the pre-trade risk controls and order 
cancellation systems provided by designated contract markets pursuant 
to Sec.  38.255(b) and (c) of this chapter.


Sec.  1.83   AT Person and executing futures commission merchant 
recordkeeping.

    (a) AT Person recordkeeping. Each AT Person shall keep, and provide 
upon request to each designated contract market on which such AT Person 
engages in Algorithmic Trading, books and records regarding such AT 
Person's compliance with all requirements pursuant to Sec. Sec.  1.80 
and 1.81.
    (b) Executing futures commission merchant recordkeeping. Each 
executing futures commission merchant shall keep, and provide upon 
request to each designated contract market on which its customers 
engage in Electronic Trading, books and records regarding such futures 
commission merchant's compliance with all requirements pursuant to 
Sec.  1.82.


Sec.  1.84   Maintenance of Algorithmic Trading Source Code and related 
records.

    (a) Records required to be maintained. Each AT Person shall retain 
the following records, in their native format, for a period of five 
years:
    (1) Any Algorithmic Trading Source Code used by the AT Person.
    (2) Any records generated by the AT Person in the ordinary course 
of business that track material changes to the Algorithmic Trading 
Source Code, including, if generated by the AT Person in the ordinary 
course of business, a record of when and by whom such changes were 
made.
    (3) Any logs or log files generated by the AT Person in the 
ordinary course of business that record the activity of the AT Person's 
Algorithmic Trading system, including a chronological record of such 
system's actions.
    (b) Commission access to required records pursuant to special call. 
AT Persons shall produce records required to be maintained pursuant to 
Sec.  1.84(a) as requested pursuant to special call of the Commission.
    (1) Form and manner. Such special call by the Commission may 
authorize the Director of the Division of Market Oversight to execute 
the special call and to specify the form and manner in which records 
shall be produced.
    (2) Accessibility and production of records of Algorithmic Trading 
activity. (i) The records required to be kept pursuant to Sec.  1.84(a) 
shall be maintained in a form and manner that ensures the authenticity 
and reliability of the information contained in such records.
    (ii) AT Persons shall have available at all times systems to 
promptly retrieve and display the records required to be maintained 
pursuant to Sec.  1.84(a) and the information contained in such 
records. Such systems shall, at a minimum, be equivalent to the systems 
used by the AT Persons when accessing records required to be maintained 
pursuant to Sec.  1.84(a) in the ordinary course of its business.
    (iii) Each AT Person must, at its own expense, produce promptly 
upon demand, such records as may be set forth in the Commission's 
special call or as specified by the Director of the Division of Market 
Oversight pursuant to special call by the Commission.
    (3) Confidentiality of records required to be maintained. Records 
required to be maintained pursuant to Sec.  1.84(a) are subject to 
section 8(a) of the Act when produced to the Commission pursuant to 
Sec.  1.84(b). Except as specifically authorized in the Act or the 
Commission's regulations in this chapter, the Commission shall not 
disclose any record provided pursuant to Sec.  1.84(b), including data 
and information that would separately disclose the market positions, 
business transactions, trade secrets, or names of customers of any 
person.
    (c) Subpoenas. The special call procedure set forth in paragraph 
(b) of this section in no way limits the ability of the Commission, any 
member of the Commission, or Commission staff to obtain records 
required to be maintained pursuant to paragraph (a) of this section via 
the subpoena procedure set forth in part 11 of this chapter.


Sec.  1.85   Use of third-party Algorithmic Trading systems or 
components.

    (a) Use of third-party Algorithmic Trading systems or components. 
With respect to Algorithmic Trading systems or components, AT Persons 
who are otherwise unable to comply with an obligation set forth in the 
following provisions: Sec. Sec.  1.81(a)(1)(i), 1.81(a)(1)(ii), 
1.81(a)(1)(iii), 1.81(a)(1)(iv), 1.81(a)(2), or 1.84, due solely to 
their use of third-party systems or components may comply with such 
obligation by obtaining a certification from the third party that the 
relevant system or component meets applicable regulatory requirements.
    (b) AT Persons shall obtain a new certification described in 
paragraph (a) of this section each time there is a material change to 
such third-party provided systems or components.
    (c) Each AT Person shall conduct due diligence to reasonably 
determine the accuracy and sufficiency of a certification provided by a 
third party.
    (d) Notwithstanding the provisions of paragraphs (a)-(c) of this 
section, each AT Person shall remain responsible for compliance with 
the obligations set forth in Sec.  1.84. Each AT Person shall retain 
records pursuant to Sec.  1.84(a), or shall cause such records to be 
maintained. Each AT Person shall also produce records pursuant to Sec.  
1.84(b), or cause such records to be produced, when requested by the 
Commission.

PART 38--DESIGNATED CONTRACT MARKETS

0
4. The authority citation for part 38 continues to read as follows:

    Authority:  7 U.S.C. 1a, 2, 6, 6a, 6c, 6d, 6e, 6f, 6g, 6i, 6j, 
6k, 6l, 6m, 6n, 7, 7a-2, 7b, 7b-1, 7b-3, 8, 9, 15, and 21, as 
amended by the Dodd-Frank Wall Street Reform and Consumer Protection 
Act, Pub. L. 111-203, 124 Stat. 1376.

0
5. Revise Sec.  38.255 to read as follows:


Sec.  38.255   Risk controls for trading.

    (a) [Reserved]

[[Page 85394]]

    (b) For all Electronic Trading Order Messages that are submitted to 
a designated contract market through Direct Electronic Access as 
defined in Sec.  1.3(yyyy) of this chapter, the designated contract 
market shall make available to the executing futures commission 
merchants effective systems and controls, reasonably designed to 
facilitate the items enumerated below:
    (1) The futures commission merchant's management of the risks, 
pursuant to Sec.  1.82(a)(1) and (2) of this chapter, that may arise 
from such Electronic Trading.
    (i) Such systems and controls shall include, at a minimum, the pre-
trade risk controls described in Sec.  1.82(a)(1) of this chapter.
    (ii) Such systems shall, at a minimum, enable the futures 
commission merchant to set the pre-trade risk controls at a level or 
levels of granularity that will prevent and reduce the potential risk 
of an Electronic Trading disruption, which shall include as appropriate 
the level of each customer, product, account number or designation, and 
one or more identifiers of the natural persons or the order strategy or 
Algorithmic Trading system associated with an Electronic Trading Order 
Message.
    (2) The future commission merchant's ability to make use of the 
order cancellation systems required by Sec.  1.82(a)(4) of this 
chapter. The designated contract market shall enable the future 
commission merchant to apply such order cancellation systems to orders 
at a level or levels of granularity that will prevent and reduce the 
potential risk of an Electronic Trading disruption, which shall include 
as appropriate orders from each customer, product, account number or 
designation, or one or more identifiers of the natural persons or the 
order strategy or Algorithmic Trading system associated with an 
Electronic Trading Order Message.
    (c) A designated contract market that permits Direct Electronic 
Access as defined in Sec.  1.3(yyyy) of this chapter shall also require 
futures commission merchants to use the systems and controls described 
in paragraph (b) of this section, or substantially equivalent systems 
and controls developed by the futures commission merchant itself or 
provided by a third party, with respect to all Electronic Trading Order 
Messages not originating with an AT Person that are submitted through 
Direct Electronic Access. Prior to a futures commission merchants' use 
of its own or a third party's systems and controls, the futures 
commission merchant must certify to the designated contract market that 
such systems and controls are substantially equivalent to the systems 
and controls that the designated contract market makes available 
pursuant to paragraph (b) of this section.

PART 40--PROVISIONS COMMON TO REGISTERED ENTITIES

0
6. The authority citation for part 40 continues to read as follows:

    Authority:  7 U.S.C. 1a, 2, 5, 6, 7, 7a, 8 and 12, as amended by 
Titles VII and VIII of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act, Pub. L. 111-203, 124 Stat. 1376 (2010).


Sec. Sec.  40.13 through 40.19   [Reserved]

0
7. Add reserved Sec. Sec.  40.13 through 40.19.
0
8. Add Sec.  40.20 to read as follows:


Sec.  40.20   Risk controls for trading.

    A designated contract market shall implement pre-trade and other 
risk controls reasonably designed to prevent and reduce the potential 
risk of a disruption associated with Electronic Trading (including an 
Algorithmic Trading Disruption), including at a minimum all of the 
following:
    (a) Pre-trade risk controls. Pre-trade risk controls reasonably 
designed to address the risks from Electronic Trading on a designated 
contract market.
    (1) The pre-trade risk controls to be established and used by a 
designated contract market shall include:
    (i) Maximum Electronic Trading Order Message frequency per unit 
time and maximum execution frequency per unit time; and
    (ii) Order price parameters and maximum order size limits.
    (2) Designated contract markets must set the pre-trade risk 
controls at a level or levels of granularity that will prevent and 
reduce the potential risk of an Electronic Trading disruption, which 
shall include as appropriate the level of each trading firm, by product 
or one or more identifiers of the natural persons or the order strategy 
or Algorithmic Trading system associated with an Electronic Trading 
Order Message.
    (3) [Reserved]
    (b) Order cancellation systems. (1) Order cancellation systems that 
have the ability to:
    (i) Immediately disengage Electronic Trading;
    (ii) Cancel selected or up to all resting orders when system or 
market conditions require it;
    (iii) Prevent submission of new Electronic Trading Order Messages; 
and
    (iv) Cancel or suspend all resting orders from AT Persons in the 
event of disconnect with the trading platform.
    (2) [Reserved]
    (c) [Reserved]


Sec.  40.21   [Reserved]

0
9. Add reserved Sec.  40.21.
0
10. Add Sec.  40.22 to read as follows:


Sec.  40.22   DCM requirements for AT Persons and executing FCMs; DCM 
review program.

    A designated contract market shall comply with the following:
    (a) Compliance program. Establish a program for effective periodic 
review and evaluation of AT Persons' compliance with Sec. Sec.  1.80 
and 1.81 of this chapter and executing futures commission merchant 
compliance with Sec.  1.82 of this chapter. An effective program shall 
include measures by the designated contract market reasonably designed 
to identify and remediate any insufficient mechanisms, policies and 
procedures, including identification and remediation of any inadequate 
quantitative settings or calibrations of pre-trade risk controls 
required of AT Persons pursuant to Sec.  1.80(a) of this chapter;
    (b) Maintenance of books and records. Implement rules that require 
each AT Person to keep and provide to the designated contract market 
books and records regarding such AT Person's compliance with all 
requirements pursuant to Sec. Sec.  1.80 and 1.81 of this chapter, and 
require each executing futures commission merchant to keep and provide 
to the designated contract market books and records regarding such 
executing futures commission merchant's compliance with all 
requirements pursuant to Sec.  1.82 of this chapter; and
    (c) Reporting. Require such periodic reporting from AT Persons and 
executing futures commission merchants as is necessary to fulfill the 
designated contract market's obligations pursuant to paragraph (a) of 
this section.
    (d) Annual Certification. Require by rule that AT Persons and 
executing futures commission merchants provide the designated contract 
market with an annual certification attesting the AT Person or 
executing futures commission merchant complies with the requirements of 
Sec. Sec.  1.80, 1.81, and 1.82 of this chapter, as applicable. Such 
annual certification shall be made by the chief compliance officer or 
chief executive officer of the AT Person or the executing futures 
commission merchant, and shall state that, to the best of his or her 
knowledge and reasonable belief, the information contained in the 
certification is accurate and complete.


Sec. Sec.  40.23 through 40.28   [Reserved]

0
11. Add reserved Sec. Sec.  40.23 through 40.28.

[[Page 85395]]

PART 170--REGISTERED FUTURES ASSOCIATIONS

0
12. The authority citation for part 170 continues to read as follows:

    Authority:  7 U.S.C. 6d, 6m, 6p, 6s, 12a, and 21.

0
13. Add Sec.  170.18 to subpart C to read as follows:


Sec.  170.18   AT Persons.

    Each registrant, as defined in Sec.  1.3(oooo) of this chapter, 
that is an AT Person, as defined in Sec.  1.3(xxxx) of this chapter, 
that is not otherwise required to be a member of a futures association 
that is registered under section 17 of the Act pursuant to Sec. Sec.  
170.15, 170.16, or 170.17 must submit an application for membership in 
at least one futures association that is registered under section 17 of 
the Act and that provides for the membership therein of such 
registrant, unless no such futures association is so registered, within 
30 days of such registrant satisfying the volume threshold test set 
forth in Sec.  1.3(x)(2) of this chapter.

Subpart D [Reserved]


Sec.  170.19   [Reserved]

0
14. Add reserved subpart D, consisting of reserved Sec.  170.19.

    Issued in Washington, DC, on November 7, 2016, by the 
Commission.
Christopher J. Kirkpatrick,
Secretary of the Commission.

    Note:  The following appendices will not appear in the Code of 
Federal Regulations.

Appendices to Regulation Automated Trading--Commission Voting Summary, 
Chairman's Statement, and Commissioners' Statements

Appendix 1--Commission Voting Summary

    On this matter, Chairman Massad and Commissioner Bowen voted in 
the affirmative. Commissioner Giancarlo voted in the negative.

Appendix 2--Statement of Chairman Timothy G. Massad

    I support this supplemental proposal related to ``Regulation 
AT,'' our proposed rule to address the increased use of automated 
trading in our markets.
    Automated trading dominates the markets we oversee. More than 70 
percent of trading in futures is now automated. And this is not just 
in financial futures; we see it in physical commodity futures as 
well.
    Our markets have fundamentally changed as a result. In just a 
few years, we have gone from open-outcry pits where floor traders 
jostled elbow-to-elbow to make trades, to a machine dominated market 
where a millisecond is considered slow. In fact, the new measure is 
a microsecond. In the time it would take a trader to hang up the 
phone and signal a single bid with his hands in the pit, today's 
machines can potentially generate thousands of orders.
    But in another respect, our markets have not changed at all. 
Farmers, ranchers, manufacturers, exporters--businesses of all 
types--still depend on them to hedge routine risk and engage in 
price discovery. Whether it is corn or copper, crude oil or cocoa, 
equities or Treasuries, Japanese yen or British pounds--businesses 
need these markets. They need them to function reliably, fairly, and 
free of manipulation or disruption.
    If anything has changed, it is that those needs are greater 
today. Businesses operate worldwide, commodity markets are global, 
and products are more diverse.
    Market participants look to us to make sure these markets 
operate with integrity. So while the landscape has changed 
dramatically, our mission has stayed the same.
    I meet with market participants of all types, and I find that 
traditional end-users, such as those from the agricultural 
community, are particularly concerned about the effects of automated 
trading on these markets. It is especially important for us to be 
able to respond to the concerns of those who are not so-called 
``flash boys,'' and are only moving at human speed.
    The fact is that our regulations have not kept up with our 
modern markets. Today's proposal is a part of what we need to do to 
keep our regulatory system up-to-date, just as you need updates for 
your phone's operating system from time to time. There are other 
things we need to do to modernize our regulatory oversight and, in 
particular, to engage in adequate surveillance of modern trading 
methods. For example, we must continue to enhance our ability to 
receive and analyze message and other types of data, and cooperation 
among regulators will become increasingly important given how 
today's global markets are linked.
    This proposal focuses on minimizing the risk of disruption and 
other problems that can be caused by automated trading, and making 
sure we have the tools to deal with those problems should they 
occur. It requires reasonable risk controls, using a principles-
based approach that would codify many industry best practices. But 
it does not prescribe the parameters or limits of such controls, 
because we know how diverse market participants can be, and we 
believe they are the ones who should determine those specifics. It 
requires testing and monitoring of algorithms. It requires the 
preservation of source code and other records--the equivalent of the 
records that those trading at human speed have preserved for years. 
And it ensures that we would have access to such records when 
necessary, just as for years we have reviewed the records of non-
automated traders.
    In the last year, we received significant feedback on the 
proposal that the Commission unanimously approved in November of 
2015. And today's supplemental proposal makes a number of changes to 
that initial measure. They reflect the helpful suggestions and 
comments we have received.
    First, while our original proposal called for risk controls at 
three levels--the exchange, the futures commission merchant (FCM) 
and the trading firm--we heard from many respondents that this was 
redundant and costly. Many instead favored a two-tier structure. 
Therefore, today's proposal would require risk controls at the 
exchange level, and either the trader or FCM level. So for example, 
a firm could have its own controls--or opt in to the FCM controls, 
but we would not require both.
    In addition, we heard from many that the controls should pertain 
to all electronic trading, not just algorithmic trading. The 
proposal approved today also makes that change. It also provides 
greater flexibility regarding the level at which pre-trade risk 
controls must be set.
    We also heard that our registration requirement was overly 
broad. Some claimed it would require thousands of firms to register. 
Some even argued that we should not require registration at all; we 
should simply require risk controls.
    We need a registration requirement to make sure that some of the 
biggest traders in our markets are following the basic risk controls 
required by our proposal. But I am willing to have it appropriately 
tailored to those who are most active in our markets. Today, a small 
number of traders can represent a large percentage of total trading 
volume, including during periods of high volatility. For example, 
the evening after the UK's vote to exit the European Union, the ten 
most active firms represented approximately 60 percent of trade 
activity in British pound futures. This is why our supplemental 
proposal adds a volumetric test to our registration requirement, so 
that it pertains to those firms that are doing most of the trading.
    In addition, this proposal reduces Regulation AT's reporting 
requirements, by replacing the annual compliance report with a 
streamlined annual certification report.
    Finally, the proposal revises our original proposal on the issue 
of algorithmic trading source code. I have said many times that I 
support a rule that respects the proprietary value and 
confidentiality of source code. At the same time, this information 
may be critical to understanding what happened in the event of a 
market disruption or whether someone is complying with the law. This 
is why preservation of source code, as well as access, is critical. 
Therefore, this supplemental proposal makes the following changes.
    First, the proposal requires the Commission itself to make the 
decision to seek access to source code. No staff member can do so 
without Commission approval. This is a significant departure from 
our standard practice, which allows staff to seek access to 
information that registrants are required to preserve without a 
subpoena or specific Commission authorization. We have proposed this 
change in recognition of the concerns raised.
    The Commission could authorize the staff to seek such access 
either by means of a subpoena--which is sometimes the means used in 
the context of an enforcement investigation into behavior that may 
be unlawful--or a ``special call.'' The special

[[Page 85396]]

call is the means our surveillance division has used for many years 
to obtain and review information in connection with their oversight 
of trading, and it is issued by the staff. But in this case, we are 
proposing a process that will require the same level of Commission 
approval that comes with the issuance of a subpoena, even if it is 
for surveillance purposes.
    Our proposal also describes the steps we can take to preserve 
the confidentiality of source code. Exactly what we would do in any 
particular situation would depend on the facts, but confidentiality 
must always be preserved. It could include precautions like 
reviewing the source code on a computer that is not connected to the 
internet or any network, and housing that computer in a secure room. 
Further, employees of the agency are under statutory obligation to 
keep proprietary information like source code confidential. There 
are criminal penalties associated with violating that requirement. I 
would note that we have protected the confidentiality of source code 
in the past when we have obtained it.
    Finally, I disagree with the characterization that what we are 
doing amounts to a ``slippery slope.'' I would call this an ``uphill 
climb.'' Our markets have evolved much faster than our regulatory 
framework. We are climbing a steep hill to catch up; and to make 
sure we can always see and understand what is going on in our 
markets today.
    We have long engaged in surveillance that involves reviewing 
information that has significant proprietary value. This may consist 
of information on trading strategies, including activities in 
related markets, or information that would go to whether a position 
truly is a bona fide hedge, such as purchase or supply commitments 
of related cash commodities, inventory levels, production 
expectations, and so forth. Much of this information is confidential 
and proprietary, and so we protect it. Our review of it is not a 
denial of due process rights, nor is the proposal we have adopted 
today.
    We should not have a regulatory regime where those who still 
trade at human speed are subject to effective surveillance, but 
those who use machines are not. Our rules should not favor one 
method over another, and nobody should be able to hide behind their 
machines.
    I thank the hardworking CFTC staff for their work on this 
supplemental proposal and I thank my fellow Commissioners for their 
consideration.

Appendix 3--Concurring Statement of Commissioner Sharon Y. Bowen

    Thank you. I'm glad to be here this morning as the Commission 
considers this supplemental proposal to our rulemaking on Automated 
Trading. I've said several times that I am a firm believer in two 
things: The need to enhance our rules to ensure that they are 
appropriately rigorous and protective and to find a rule that works 
and can be effectively implemented. I am pleased to say that I 
believe today's release does both. I commend our staff for their 
hard work on this proposal.
    Following significant engagement with a variety of stakeholders, 
from exchanges and proprietary traders to advocates of financial 
reform, we are making several important revisions to our proposed 
rule on automated trading. Of these changes, there are two in 
particular that I want to flag. First, we are revising our 
registration regime to better focus our attention and regulations on 
the firms responsible for substantial amounts of automated trading 
in our markets. Under this proposal, firms that make use of Direct 
Electronic Access (DEA) to connect to our markets will not 
automatically have to register. Instead, only those firms which use 
DEA and also have an average of 20,000 or more trades each day over 
a six month period will be required to register.\1\ It only seems 
appropriate that the firms responsible for a substantial portion of 
trades in our markets should have heightened regulatory requirements 
than small firms only entering a handful of trades a day. While a 
one-size-fits-all system may work in some cases, I believe it would 
be unduly burdensome to small firms to require that anyone who uses 
DEA automatically has to register. By offering a specific threshold 
for registration, however, it is critical that we pick the right 
number. I therefore am looking forward to the comments from market 
participants on whether 20,000 trades per day is the right level, 
too high, or too low. Given the interest that our previous proposal 
on registration engendered, I am sure that there will be some 
spirited debates about just what the proper threshold should be.
---------------------------------------------------------------------------

    \1\ Supplemental Notice of Proposed Rulemaking on Regulation on 
Automated Trading at II.C.1 and proposed rule Sec.  1.3(x)(2).
---------------------------------------------------------------------------

    However, while small firms with small volumes will not be 
required to register, it is not the case that their trades will be 
unregulated. In fact, the second major revision of today's proposal 
will require that all electronic trading, algorithmic as well as 
non-algorithmic, will have two separate layers of pre-trade risk 
controls on it. For those trades originating from an AT Person, both 
the designated contract market (DCM) and the AT Person will be 
obligated to place pre-trade risk controls on their electronic 
trades, with the AT Person having the option of delegating this 
responsibility to the relevant futures commission merchant (FCM). 
Meanwhile, any electronic trading from entities other than AT 
persons will also be subject to two levels of pre-trade risk 
controls: One level set by the DCM and one by the FCM. As a result, 
under this proposal, we will be ensuring that every single 
electronic trade, automated as well as non-automated, in our markets 
is subject to two levels of pre-trade risk controls without 
exception. Given the nearly constant technological innovations and 
redesigns involving algorithmic trading, I believe having two levels 
of risk controls is not only the most prudent course of action for 
our markets, it is also critical protection against a market 
malfunction harming investors or our broader economy. For those of 
you worried that automated trading is occurring free of any 
oversight or regulation, this rule seeks to allay some of those 
fears.
    As I have said before, however, this regulation is merely a 
first cut. Having looked at this issue for nearly a year, I have 
some doubts whether we are doing enough to ensure that all market 
participants, especially end-users in certain markets, are being 
given a level-playing field at present due to the proliferation of 
algorithmic trading. I therefore believe that we should consider 
instituting pilot programs in certain small sections of the market 
that can test the effects of additional, more substantial 
restrictions on algorithmic trading on market operations. Please 
note, I do not believe it is the time to place more rigorous 
restrictions on algorithmic trading on all the markets we regulate. 
Instead, I believe only that we should see whether there are some 
markets where a significant percentage of end-users are interested 
in establishing greater monitoring and regulation of algorithmic 
trading. If one or two such markets do exist, then those markets 
could be candidates for a tailored pilot program to gather data on 
the effects of algorithmic trading on those markets. We could then 
gain important insight on the effects of new market dynamics that 
continue to evolve. If you are an end-user and believe that your 
market would benefit from such a tailored pilot program, I encourage 
you to convey that message to the Commission.
    I had the pleasure of meeting with some members of the National 
Cattlemen's Beef Association earlier this year and more recently, 
who informed me that they believe algorithmic trading is having a 
substantial impact on livestock markets and that they are interested 
in gaining more data on how algorithmic trading is influencing 
livestock prices. I share a desire for more information, both about 
whether this rule is regarded as being a step in the right direction 
and about what, if any, effects algorithmic trading is having on our 
markets. If an observer has an issue with any part of this rule, 
especially if you feel it is too weak, I sincerely hope you will lay 
out that concern in detail and let us know how we can improve it.
    Finally, I want to thank stakeholders, particularly several 
industry groups, for their engagement with the Commission since we 
released our proposal. I was very happy to learn that some aspects 
of this proposal, including the idea of requiring pre-trade risk 
controls on all electronic trades, were suggested by members of the 
industry. We have notice and comment requirements for many reasons: 
Increased transparency, an opportunity for public involvement, and 
of course to set procedural strictures on the government. But one of 
the reasons undergirding our system of notice and comment is the 
idea that regulators do not have all the answers all of the time, 
and there is a role for market participants to play during the 
regulatory process. The fact that industry participants were able to 
devise and endorse a broad regulatory requirement on all automated 
trading is to be commended.

Appendix 4--Dissenting Statement of Commissioner J. Christopher 
Giancarlo

Introduction

    I have previously said that proposed Regulation Automated 
Trading (Reg. AT) is a well-meaning attempt by the Commodity Futures 
Trading Commission (CFTC or

[[Page 85397]]

Commission) to catch up to the digital revolution in U.S. futures 
markets.\1\ However, I have also raised some concerns ranging from 
the prescriptive compliance burdens to the disproportionate impact 
on small market participants to the regulatory inconsistencies of 
the proposed rule.\2\ I have also warned that any public good 
achieved by the rule is undone by the now notorious source code 
repository requirement.\3\ Not surprisingly, dozens of commenters to 
the proposal echoed my concerns and vehemently opposed the source 
code requirement.
---------------------------------------------------------------------------

    \1\ Opening Statement of Commissioner J. Christopher Giancarlo 
before the CFTC Staff Roundtable on Regulation Automated Trading, 
June 10, 2016, https://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement061016.
    \2\ Regulation Automated Trading, 80 FR 78824, 78945-48 (Dec. 
17, 2015).
    \3\ Id. at 78947.
---------------------------------------------------------------------------

    So, here we are again almost a year later to consider a 
Supplemental Notice of Proposed Rulemaking on Regulation Automated 
Trading (Supplemental Notice) because proposed Reg. AT missed the 
mark the first time around.\4\
---------------------------------------------------------------------------

    \4\ I note that at a time when the CFTC continuously pleads for 
additional resources, this is an example where the Commission could 
have saved a lot of time and effort if it spent a little more time 
up front to craft a sensible proposed Reg. AT.
---------------------------------------------------------------------------

    This Supplemental Notice does improve proposed Reg. AT in some 
respects, such as moving from three levels of risk controls to two 
levels in order to simplify the framework and narrowing the scope of 
registration so it may not capture smaller market participants. 
However, the Supplemental Notice does not go far enough. It subjects 
the source code retention and inspection requirements to the special 
call process and provides an unworkable compliance process for AT 
Persons \5\ that use software from third-party providers.
---------------------------------------------------------------------------

    \5\ As defined in the Supplemental Notice.
---------------------------------------------------------------------------

    I proposed several reasonable changes to the Commission and 
staff in an effort to make the Supplemental Notice workable and less 
burdensome, while still achieving its objectives. It is 
disappointing that those changes were not accepted. On a brighter 
note, the Commission has agreed to extend the comment period from 30 
days to 60 days. While a longer comment period may provide some 
comfort to commenters that they do not have to rush to finish their 
comment letters over the Thanksgiving holiday, it does nothing to 
address my substantive issues. I am certain that many commenters 
will once again echo my concerns.
    While I could focus on a number of issues with proposed Reg. AT 
and the Supplemental Notice, I will first concentrate my statement 
on the source code issue and then the third-party software provider 
requirements. Thereafter, I will discuss a few other topics, such as 
the prescriptive nature of the proposal and burdensome reporting 
requirements. I welcome comments on all these issues and others.

Source Code Retention and Inspection Requirements

No Subpoena Means No Due Process of Law

    Let me make clear at the outset that the CFTC can today obtain 
the computer source code of market participants pursuant to a 
subpoena. Therefore, the issue raised by proposed Reg. AT and this 
Supplemental Notice is NOT whether the CFTC can examine source code 
of automated traders where appropriate to investigate suspected 
market misbehavior. The issue raised by this proposal is whether the 
owners of source code have any say in the matter.
    The subpoena process provides property owners with due process 
of law before the government can seize their property. It protects 
owners of property--not the government that already has abundant 
power. It allows property owners an opportunity to challenge the 
scope, timing and manner of discovery and whether any legal 
privileges apply to the process of surrendering property to the 
government.
    The subpoena process therefore provides a fair compromise 
between the rights of property owners and the government's right to 
seize their property. Without the subpoena process, there is no 
balance between the civil liberties of the governed and the 
unlimited power of the government.
    As a foundation of civil liberties, the subpoena process 
precedes the American Republic going back to English common law. As 
a legal principle, it was woven into the Bill of Rights. As a 
bulwark of modern civil society, it protects the liberty of the 
governed from the tyranny of the government.
    The Supplemental Notice before us today, however, would strip 
owners of intellectual property of due process of law. The CFTC 
justifies this abridgement of rights with the condition that before 
the Commission can take source code \6\ it will abide by two 
procedural hurdles--a majority vote of the Commission and the 
special call process operated by the Division of Market Oversight 
(DMO).\7\
---------------------------------------------------------------------------

    \6\ I also note my concern with the breadth of the new 
Algorithmic Trading Source Code definition and invite comment on it.
    \7\ The Supplemental Notice allows the Commission to authorize 
the Director of DMO to execute the special call and to specify the 
form and manner in which records shall be produced. DMO's existing 
special call process has not operated without operational error or 
inadvertent disclosure of confidential information. The process 
should be subject to enhanced checks and balances, procedural 
controls and greater objectivity in targeting market behavior.
---------------------------------------------------------------------------

    This justification entirely misses the point. Abrogating the 
legal rights of property owners is not assuaged by imposing a few 
additional procedural burdens on the government agency seizing their 
property. Source code owners will have lost any say in the matter. 
The proposal gives unchecked power to the CFTC to decide if, when 
and how property owners must turn over their source code.
    Moreover, the special call process provides the CFTC an end-run-
around the subpoena process. While the Supplemental Notice states 
that the CFTC will use the special call process to obtain source 
code in carrying out its market oversight responsibilities, there is 
no limit in the proposed rule on DMO staff from sharing source code 
with staff of the Division of Enforcement. The proposal will allow 
the Enforcement Division to view source code without bothering with 
a subpoena. Such sharing of information will likely become routine 
if this proposal is finalized.

No Specific Source Code Protections

    Commenters have rightly questioned what level of security the 
CFTC will deploy to safeguard seized source code. In an attempt to 
assure market participants that their source code will be kept 
secure, the Supplemental Notice lists the various statutes and 
regulations that require confidentiality of such information. The 
proposed rule text also includes a reference to Commodity Exchange 
Act (CEA) section 8(a), which prohibits the release of trade secrets 
and other information.\8\
---------------------------------------------------------------------------

    \8\ 7 U.S.C. 12(a); CEA section 8(a).
---------------------------------------------------------------------------

    Yet, these are not new protections. They are in place today. 
Simply citing them in the preamble and rule text of the Supplemental 
Notice gives little assurance that the CFTC will safeguard source 
code. If the agency is determined to protect confidentiality, then 
it should include specific protections in the rule. For example, the 
CFTC could provide that it will only review source code at a 
property owner's premises or on computers not connected to the 
Internet. The CFTC could also state that it will return all source 
code to the property owner once its review is finished. The rule 
text provides no such assurances.
    Absent specific measures, it is absurd to suggest that source 
code will be kept secure. Just look at the area of government 
cybersecurity. In the six months after the CFTC proposed Reg. AT, 
hackers breached the computer networks of the Federal Deposit 
Insurance Corporation and the Federal Reserve.\9\ Incredibly, the 
U.S. Office of Personnel Management (OPM) that gave up 21.5 million 
personnel records in a year-long cyber penetration failed a security 
audit last November--six months after the breach was discovered.\10\ 
In fact, federal, state and local government agencies rank last in 
cybersecurity when compared against 17 major private industries, 
including transportation, retail and healthcare.\11\
---------------------------------------------------------------------------

    \9\ Katie Bo Williams, Criminal Investigation Underway into 
Banking Regulator Data Breach, The Hill, May 12, 2016, https://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach; Dustin Volz and Jason Lange, U.S. Lawmakers 
Probe Fed Cyber Breaches, Cite `Serious Concerns', Reuters, June 3, 
2016, https://t.reuters.com/article/topNews/idUSKCN0YP281.
    \10\ U.S. Office of Pers. Mgmt. Office of the Inspector Gen. 
Office of Audits, 4A-CI-00-15-011, Federal Information Security 
Modernization Act Audit FY 2015, Nov. 10, 2015; See also, Jack 
McCarthy, OIG Finds OPM Still Struggling with Security, Healthcare 
IT News, Nov. 30, 2015, https://www.healthcareitnews.com/blog/oig-finds-opm-still-struggling-security (discussing OIG's findings of 
OPM's security protocols six months after a massive data breach).
    \11\ Dustin Volz, U.S. Government Worse than All Major 
Industries on Cyber Security: Report, Reuters, Apr. 14, 2016, https://mobile.reuters.com/article/idUSKCN0XB27K.

---------------------------------------------------------------------------

[[Page 85398]]

    The CFTC itself has an imperfect record as a guardian of 
confidential proprietary information.\12\ If this rule goes forward, 
the CFTC will make itself a target for a broader group of cyber 
criminals, including those engaged in commercial espionage.
---------------------------------------------------------------------------

    \12\ See generally Bart Chilton, The Government Can't be Trusted 
to Collect Source Code and Other Private Property, Business Insider, 
Nov. 1, 2016, https://www.businessinsider.com/bart-chilton-government-cant-be-trusted-to-collect-source-code-2016-11; Gregory 
Meyer and Philip Stafford, US Regulators Propose Powers to 
Scrutinise Algo Traders' Source Code, Financial Times, Dec. 1, 2015, 
https://www.ft.com/content/137f81bc-944f-11e5-b190-291e94b77c8f.
---------------------------------------------------------------------------

    Last Friday, we learned that a former employee of the Office of 
the Comptroller of the Currency (OCC) downloaded thousands of files 
from the agency's servers onto two removable thumb drives without 
authorization prior to retiring from the agency.\13\ The OCC said 
that when it contacted the former employee about those files, he was 
``unable to locate or return the thumb drives to the agency.'' \14\
---------------------------------------------------------------------------

    \13\ Ben Lane, OCC Reveals Major Information Security Breach 
Involving Former Employee, HousingWire, Oct. 28, 2016, https://www.housingwire.com/articles/38402-occ-reveals-major-information-security-breach-involving-former-employee.
    \14\ Id.
---------------------------------------------------------------------------

    The OCC breach surely sent shivers up the spines of source code 
owners who received notice that same day of the CFTC's intention to 
move forward with the Supplemental Notice. They must have been 
doubly spooked when the CFTC's own servers crashed a few hours later 
due to a denial-of-service attack.

Establishment of Dangerous Regulatory Precedent

    If the CFTC adopts the source code provisions of the 
Supplemental Notice, the Securities and Exchange Commission (SEC) 
will likely copy it and so will other U.S. and overseas regulators--
and not just regulators of financial markets.\15\ Regulators like 
the Federal Communications Commission may demand source code for 
Apple's iPhone. The Federal Trade Commission may seek source code 
used in the matching engines of Google, Facebook and Snapchat. The 
National Security Agency may demand to see the source code of 
Cisco's switches and Oracle's servers. The Department of 
Transportation may demand Uber's auction technology and Tesla's 
driverless steering source code. Where does it end?
---------------------------------------------------------------------------

    \15\ Congressman Sean P. Duffy Letter to SEC Chair Mary Jo 
White, Aug. 10, 2016, https://modernmarketsinitiative.org/wp-content/uploads/2016/08/16.08.10-Automated-Trading-Letter-to-SEC.pdf.
---------------------------------------------------------------------------

    It certainly will not end on American shores. Overseas 
regulators will also mimic the rule. The German chancellor has said 
that she wants her government to examine the source code used in the 
matching engines of Google and Facebook because she does not like 
their political coverage of her administration.\16\ The Chinese 
government has already tried to put in place a rule to obtain the 
source code of U.S. technology firms.\17\ If the CFTC adopts this 
rule, it will make a mockery of the U.S. government's past attempts 
to oppose China's efforts to view proprietary commercial source 
code.\18\ It confirms that the CFTC is not on the same page as its 
own U.S. government counterparts.
---------------------------------------------------------------------------

    \16\ Article, Angela Merkel wants Facebook and Google's Secrets 
Revealed, BBC, Oct. 28, 2016, https://www.bbc.com/news/technology-37798762.
    \17\ Eva Dou, U.S., China Discuss Proposed Banking Security 
Rules, The Wall Street Journal, Feb. 13, 2015, https://www.wsj.com/articles/china-banking-regulator-considering-source-code-rules-1423805889; Shannon Tiezzi, US-China Talk Intellectual Property, 
Market Access at Trade Dialogue, The Diplomat, Nov. 25, 2015, https://thediplomat.com/2015/11/us-china-talk-intellectual-property-market-access-at-trade-dialogue/.
    \18\ Id. Congressmen Scott Garrett and Randy Neugebauer Letter 
to CFTC Chairman Timothy Massad, Aug. 3, 2016, https://modernmarketsinitiative.org/wp-content/uploads/2016/08/20160802-ESG-RN-Letter-to-CFTC-re-Reg-AT2.pdf.
---------------------------------------------------------------------------

    Undoubtedly, this proposed rule is a reckless step onto a 
slippery slope. Today, the federal government is coming for the 
source code of seemingly faceless algorithmic trading firms. 
Tomorrow, however, governments worldwide may come for the source 
code underlying the organizing and matching of Americans' personal 
information--their snapchats, tweets and instagrams, their online 
purchases, their choice of reading material and their political and 
social preferences. Seriously, where will it end?

Possible Constitutional Challenge

    Fortunately, our country's founders protected Americans against 
unreasonable searches and seizures and guaranteed them due process 
of law in the U.S. Constitution. The Supreme Court has routinely and 
recently upheld these fundamental civil rights. If the CFTC adopts 
the Supplemental Notice as proposed, its source code seizure 
provisions may be robustly challenged in federal court. The 
litigation will consume the agency's precious, limited resources and 
its credibility in defending such a dubiously constitutional rule. 
That will be a sad waste of American taxpayer money.
    The CFTC justifies its actions based on its need to oversee the 
growing incidence of algorithmic trading and disruption in the 
financial markets. Given the relative ease of obtaining an 
administrative subpoena,\19\ I disagree with the assertion in the 
proposal that the special call process is necessary to review source 
code in association with usual trading events or market disruptions. 
The subpoena and the proposed special call process both require a 
Commission vote. One process is therefore not faster than the other. 
The only difference is that the special call process is an end-run-
around the subpoena process and deprives source code owners of due 
process of law.
---------------------------------------------------------------------------

    \19\ United States v. Morton Salt Company, 338 U.S. 632 (1950).
---------------------------------------------------------------------------

Third-Party Software Providers

    If the source code requirements are not bad enough, AT Persons 
who use third-party algorithmic trading systems and those third-
parties are in for a real treat. Under the Supplemental Notice, AT 
Persons who use third-party trading systems are liable for turning 
over the source code of the third-party providers. An AT Person has 
no control over a third party's source code. And, third-parties have 
already said that they will not give out their source code.\20\
---------------------------------------------------------------------------

    \20\ Trading Technologies, Staff Roundtable, Elements of 
Proposed Regulation Automated Trading, Transcript, at 250-252, June 
10, 2016 (Roundtable Tr.), https://www.cftc.gov/idc/groups/public/@newsroom/documents/file/transcript061016.pdf.
---------------------------------------------------------------------------

    In addition, the Supplemental Notice requires an AT Person who 
uses a third-party algorithmic trading system to obtain a 
certification and conduct due diligence to ensure that the third-
party is complying with the development and testing requirements in 
proposed Reg. AT. The AT Person must obtain a new certification each 
time there is a material change to such third-party's system.
    These requirements are infeasible and could harm innovation and 
intellectual property rights. Participants at the Regulation AT 
roundtable also found the certification and due diligence suggestion 
impractical.\21\ One commenter said it could hurt smaller third-
party vendors.\22\ Another commenter said that AT Persons may not 
have the necessary expertise to perform due diligence of third-party 
systems.\23\ They are correct. The CFTC must revisit these 
requirements. I invite commenters to propose less burdensome 
solutions.
---------------------------------------------------------------------------

    \21\ Id. at 239.
    \22\ Id.
    \23\ Tethys Technology, Roundtable Tr. at 248.
---------------------------------------------------------------------------

Other Issues

    Finally, let me highlight three issues: (1) The prescriptive 
nature of risk controls and development and testing requirements; 
(2) burdensome reporting requirements; and (3) the need for a 
phased-in implementation process. I reassert the issues I raised 
from proposed Reg. AT last year. I thank the many commenters for 
responding to those questions and concerns.

Prescriptive Nature of Risk Controls and Development and Testing 
Requirements

    When proposed Reg. AT was issued, I noted that the CFTC is 
basically playing catch-up to an industry that has already developed 
and implemented risk controls and related testing standards for 
automated trading.\24\ I supported a principles-based approach to 
risk controls and testing that built upon, rather than hindered 
ongoing industry efforts.\25\
---------------------------------------------------------------------------

    \24\ 80 FR at 78945.
    \25\ Id. at 78946.
---------------------------------------------------------------------------

    Many commenters to Reg. AT supported such a principles-based 
approach to risk controls and development and testing requirements 
and noted that proposed Reg. AT was too prescriptive.\26\ Commenters 
supported providing participants' flexibility to determine which 
risk controls are needed

[[Page 85399]]

and how those controls are applied and administered based on each 
participant's unique risk profile and business situation.\27\ 
Commenters also noted that many of the proposed development and 
testing requirements are not practical and do not reflect how 
software is customarily developed, tested, deployed and 
monitored.\28\
---------------------------------------------------------------------------

    \26\ See, e.g., FIA Comment Letter at 3, 4-5 (Mar. 16, 2016); 
CME Comment Letter at 6, 7-8 (Mar. 16, 2016); ICE Comment Letter at 
10 (Mar. 16, 2016); CTC Comment Letter at 1 (Mar. 15, 2016).
    \27\ See, e.g., FIA Comment Letter at 3 (Mar. 16, 2016); CME 
Comment Letter at 7-8 (Mar. 16, 2016).
    \28\ See, e.g., FIA Comment Letter at 5 (Mar. 16, 2016); CTC 
Comment Letter at 12-14 (Mar. 15, 2016).
---------------------------------------------------------------------------

    I believe that the marketplace has implemented effective best 
practices and procedures for risk controls and development and 
testing of automated trading systems that account for different 
types of systems and businesses. Reg. AT's approach is a one-size-
fits-all model that does not take into account individual 
circumstances. For example, the proposed risk controls may not apply 
to all market participants or at all levels and may have negative 
unintended consequences.\29\ The proposed development and testing 
requirements will require AT Persons to make costly changes to 
existing business practices and procedures with no material market 
benefit.\30\ Once again, I urge the CFTC to adopt a principles-based 
approach in the final rule so that AT Persons have the necessary 
flexibility to administer controls and testing based on their 
trading and risk profiles.
---------------------------------------------------------------------------

    \29\ See, e.g., FIA Comment Letter, Attachment A at 24-25 (Mar. 
16, 2016).
    \30\ See, e.g., CTC Comment Letter at 12 (Mar. 15, 2016).
---------------------------------------------------------------------------

Still Burdensome Reporting Requirements

    The Supplemental Notice replaces the requirement in proposed 
Reg. AT that AT Persons and clearing member futures commission 
merchants (FCMs) prepare certain annual reports with an annual 
certification requirement. While that is positive, the Supplemental 
Notice requires designated contract markets (DCMs) to establish a 
program for effective periodic review and evaluation of AT Persons' 
and FCMs' compliance with risk controls and other requirements. The 
Supplemental Notice also retains proposed Reg. AT's requirement that 
the DCM must identify and remediate any insufficient mechanisms, 
policies and procedures, including identification and remediation of 
any inadequate quantitative settings or calibrations of pre-trade 
risk controls required of AT Persons.
    The Supplemental Notice touts the significantly decreased costs 
and enhanced flexibility to DCMs in designing a compliance program 
by replacing the annual reports with a certification requirement. I 
am not so sure that will be the case. The Supplemental Notice does 
not eliminate the compliance program altogether and replace it with 
a certification requirement. DCMs must still establish such a 
program and review and evaluate AT Persons' and FCMs' compliance 
with risk control and other requirements. I am concerned that this 
requirement could necessitate DCMs hiring additional staff to 
conduct periodic reviews with limited benefits for reducing risk.
    Even more problematic, DCMs are on the hook to identify and 
remediate any insufficient mechanisms, policies and procedures, 
including inadequate quantitative settings or calibrations of pre-
trade risk controls. The Supplemental Notice acknowledges, but 
dismisses, DCMs' own concerns that they lack the technical 
capability to assess whether the quantitative settings or 
calibrations of AT Persons' controls are sufficient.\31\ In my 
statement on proposed Reg. AT, I suggested a much simpler process of 
self-assessments like FINRA requires.\32\ Commenters also suggested 
similar less burdensome processes.\33\ I urge the Commission to 
revisit this provision and provide a more workable solution that 
does not hold DCMs liable for identifying and remediating inadequate 
settings of AT Persons.
---------------------------------------------------------------------------

    \31\ CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment 
Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 
2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).
    \32\ 80 FR at 78947.
    \33\ CME Comment Letter at 20 (Mar. 16, 2016); ICE Comment 
Letter at 9-10 (Mar. 16, 2016); FIA Comment Letter at 10 (Mar. 16, 
2016); MGEX Comment Letter at 16-17 (Mar. 16, 2016).
---------------------------------------------------------------------------

Any Final Rule Must Be Phased-In

    Proposed Reg. AT and this Supplemental Notice if finalized in 
their current form will be a huge undertaking for all parties 
involved. The Futures Industry Association (FIA) estimated that it 
could take several years to implement.\34\ In this regard, FIA 
recommended that the CFTC implement Reg. AT in three separate rules: 
Pre-trade and other risk controls, policies and procedures regarding 
development and testing of algorithmic trading systems and 
registration.\35\ Other commenters also recommended phased-in 
rulemakings.\36\
---------------------------------------------------------------------------

    \34\ FIA Comment Letter at 11 (Mar. 16, 2016).
    \35\ Id. at Attachment A at 14-15.
    \36\ MGEX Comment Letter at 3 (Mar. 16, 2016); NASDAQ Futures 
Comment Letter at 2 (Mar. 16, 2016).
---------------------------------------------------------------------------

    Reg. AT is a major rulemaking that covers a broad range of 
automated trading issues. Commenters asserted that the costs of the 
proposal are substantially higher than estimated by the Commission 
and provided quantitative estimates to back up their assertions.\37\ 
The Supplemental Notice does not do enough to fix the issues with 
proposed Reg. AT and reduce unnecessary costs on the marketplace. 
Given the scope of Reg. AT and the cost concerns, I believe the CFTC 
should at least phase-in the implementation process for any final 
Reg. AT rulemaking. I invite commenters to provide suggestions on 
how to do so.
---------------------------------------------------------------------------

    \37\ See, e.g., CME Comment Letter at 5 (Mar. 16, 2016); MFA 
Comment Letter at 34-35 (Mar. 16, 2016); MGEX Comment Letter at 25-
28 (Mar. 16, 2016).
---------------------------------------------------------------------------

Conclusion

    It has been my general practice as a CFTC commissioner to vote 
in support of publishing proposed rules for public comment even when 
I have substantial concerns and issues. That is because on most 
proposals reasonable people can have differences of opinion. I try 
to hear a broad range of sensible views before making a final 
decision. I have also taken this approach because of the enormous 
respect I have for my two fellow commissioners. It continues to be 
an honor to serve alongside them.
    So, it is a disappointment that on this rule I must depart from 
my preferred practice of voting in favor of proposed rulemakings.
    Reg. AT is unlike any other rule proposal that I have seen in my 
time of service. What should be a step forward by the agency in its 
mission to oversee twenty-first century digital markets is 
squandered by its giant stumble backwards in undoing Americans' 
legal and Constitutional rights.
    The Commission recommends that we adopt this Supplemental Notice 
in order to address the growing incidence of algorithmic trading and 
to determine if algorithms are disrupting financial markets. That is 
all well and good. Automated trading presents a number of critical 
challenges to our markets.\38\ My many meetings with America's 
farmers and ranchers have confirmed the importance of enhancing the 
CFTC's ability to catch-up to the digital transformation of twenty-
first century futures markets.\39\
---------------------------------------------------------------------------

    \38\ See Guest Lecture of Commissioner J. Christopher Giancarlo, 
Harvard Law School, Fidelity Guest Lecture Series on International 
Finance, Dec. 1, 2015, https://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-11.
    \39\ See Address of CFTC Commissioner J. Christopher Giancarlo 
to the American Enterprise Institute, 21st Century Markets Need 21st 
Century Regulation, Sept. 21, 2016, https://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-17.
---------------------------------------------------------------------------

    Yet, jettisoning the subpoena process does nothing to address 
the challenge of automated trading given the existing ease and speed 
of obtaining an administrative subpoena.\40\
---------------------------------------------------------------------------

    \40\ United States v. Morton Salt Company, 338 U.S. 632 (1950).
---------------------------------------------------------------------------

    Benjamin Franklin is said to have warned that ``A people that 
are willing to give up their liberty for temporary security deserve 
neither--and will lose both.''
    Franklin was right. Reg. AT is a threat to Americans' liberty 
AND their security. After twelve score years of ordered freedom, it 
is a degree turn in the direction of unchecked state authority. If 
adopted in its present form, it will put out of balance centuries-
old rights of the governed against the creeping power of the 
government.
    Thus, I have no choice but to vote against this proposal.

[FR Doc. 2016-27250 Filed 11-23-16; 8:45 am]
 BILLING CODE 6351-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.