Anatomy of a Regulation - Case Study
This week’s essay will compare a single regulation against my list of principles for effective regulation of emerging technology. We’ll use an existing regulation as our example, since existing regulations don’t change too frequently, so this essay should stay fairly evergreen. However, this technique would be most valuable if used while drafting new regulations or providing input on proposed regulations. After all, those are the regulations that stakeholders have the most power to change!
So, as you read this essay, think about how you might use a similar process to assess proposed regulations and formulate your feedback before those regulations become finalized. Many, though not all, countries use a notice-and-comment model for proposed regulations, and there’s an interesting survey of those practices in this World Bank blog post. (In the US, this is called the public comment period.)
All right, let’s get started.
We’ll be focusing on SEC Rule 15c3-5, since I think it’s a good example of good regulation overall, and also I think it’s better to point out a good example than to snipe unnecessarily at a bad one.
What does this regulation do? In regulator-speak, it requires, “brokers or dealers with access to trading securities directly on an exchange or alternative trading system (“ATS”), including those providing sponsored or direct market access to customers or other persons, and broker-dealer operators of an ATS that provide access to trading securities directly on their ATS to a person other than a broker or dealer, to establish, document, and maintain a system of risk management controls and supervisory procedures that, among other things, are reasonably designed to (1) systematically limit the financial exposure of the broker or dealer that could arise as a result of market access, and (2) ensure compliance with all regulatory requirements that are applicable in connection with market access.”1
Hmm, say what?
In simple terms: this regulation mandates that broker-dealers apply pre-trade risk controls to orders, with the goal of reducing the systemic risk of algorithmic trading. It makes broker-dealers more like strategic chokepoints in the system.
The prior state was quite different: broker-dealers could give clients their market participant identifier (MPID) and let the clients send orders directly to the markets themselves. As algorithmic trading became more popular and transactions happened at higher speeds, this posed potentially significant risks for markets and for the broker-dealer if a client (e.g., a hedge fund) did not have sufficient controls to catch erroneous orders sent by the client’s trading algorithms. An order might be too large (a so-called fat-finger order), or an algorithm might send hundreds of thousands or millions of orders in quick succession, causing market instability and risk exposure.
After the regulation came into effect, orders had to flow through a layer of broker-dealer risk controls, which had to meet reasonable baseline standards. Broker-dealers have sufficient money and resources to implement controls in a way their small clients might not. (Broker-dealers also had to implement controls on orders they originated themselves.)
At a high level, you can probably see why this regulation was good. But let’s make a step-by-step assessment against some specific characteristics of good regulation.
1. Good regulation is targeted.
Yep! This regulation targeted the entities with direct market access: broker-dealers. It didn’t state, “Every entity that trades algorithmically needs to implement pre-trade risk controls.” That would have been difficult for small entities to do well—so they would likely have done it poorly. And poorly implemented controls can themselves increase risk.
Fortunately and smartly, this regulation targeted entities that were generally larger, already regulated, and had sufficient resources (staffing, experience, funding, etc.) to handle the new requirements.
2. Good regulation engages the governed, listening to their concerns and gaining their trust as a governed party to ensure buy-in at a strategic level instead of tactical compliance in a check-the-box exercise.
This is the public comment period in action: there’s ample opportunity to respond formally and in writing to proposed regulations. Often, regulatory agencies also host roundtables to discuss new developments, risks, and proposed approaches. These tools are essential to ensuring strategic rather than surface-level compliance when a regulation becomes final.
For this regulation, some tweaks were made in response to comments on the proposal. For example, the scope of requirements was narrowed for a subset of broker-dealers engaged only in outbound routing (they still had to implement controls to prevent erroneous orders, though).2 This also relates to the next criteria on flexibility.
3. Good regulation is not make-work and is reasonably time-efficient, allowing sufficient flexibility in implementation for different types of businesses and organizations.
Here the regulation did a pretty good job. Pre-trade risk controls are definitely not make-work, and the regulation does allow flexibility in implementation by mandating that the controls be “reasonably designed”; it doesn’t get too prescriptive. In fact, the final rule outright states that it is not “one-size-fits-all,” noting that, “For example, a broker-dealer that only handles order flow from retail clients may very well develop different risk management controls and supervisory procedures than a broker-dealer that mostly services order flow from sophisticated high frequency traders.”3
The regulation offers more flexibility by stating that controls and related procedures “…must be under the direct and exclusive control of the broker or dealer with market access, with limited exceptions specified in the Rule that permit reasonable allocation of certain controls and procedures to another registered broker or dealer that, based on its position in the transaction and relationship with the ultimate customer, can more effectively implement them.”4
The rule also notes that broker-dealers’ existing controls may satisfy the requirements in some cases (time efficiency!), while in other cases, controls will need to be strengthened to meet baseline standards of reasonableness.5
And there’s an annual effectiveness review and certification required, which doesn’t seem overly onerous in frequency. (If it were quarterly, that could be a pain and might qualify as unnecessary paperwork, in my view.6 I am also not a fan of quarterly earnings, though.7)
4. Good regulation ideally makes required something industry participants mostly wanted to do anyway but couldn’t since doing so would have put them at a perceived or actual market disadvantage. In essence, regulation in this situation is a key for overcoming a prisoner’s dilemma.
This is a main reason why I chose this regulation as a good example. As the final rule states, “The Commission received 47 comment letters on Proposed Rule 15c3-5 from broker-dealers, markets, institutional and individual investors, technology providers, and other market participants. Nearly all of the commenters supported the overarching goal of the proposed rulemaking.”8
That is a sentence you want to write if you’re a regulator. Also, “Market participants recognize the risks associated with naked sponsored access, with one commenter noting, for example, that the potential systemic risk is now ‘too large to ignore.’”9 Bingo. If you see comments like these, and if most of the comments are generally in agreement (regardless of commenters’ quibbles about a few specifics), you are on the right track as a regulator.
5. Good regulation helps ensure safety for stakeholders that have insufficient leverage to negotiate with more powerful stakeholders on their own (consumer protection regulation is an example).
This rule aims to help all stakeholders avoid systemic risk, including those with insufficient leverage. For example, regular investors can be affected by flash crashes and other algorithmic trading mishaps that reach the markets, possibly triggering stop-loss orders or otherwise harming their portfolios. But how many regular investors even know what a market participant identifier (MPID) is?
The good news is that they don’t have to know. This regulation made most investors safer behind the scenes and without fanfare—the Volcker Rule got way more publicity, as an example—but it still counts.
6. Good regulation is forward-looking, with consideration of how processes and systems are evolving and how the regulation might apply to their anticipated future states.
The future is notoriously hard to bull’s-eye. Yet, this regulation did a pretty good job. It established a well-scoped overarching framework without getting into the weeds by over-defining requirements. Systems have changed (a lot!) since this regulation went into effect, yet there haven’t been any more market-wide flash crashes of the magnitude that likely prompted this rule. (There was the Knight Capital meltdown, and Knight was subsequently charged with having violated this rule.)
It remains to be seen how newer AI systems may affect trading infrastructure and flows, but the framework set forth in this regulation seems like it would still be valid even as the specifics change.
7. Good regulation costs businesses and societies less than the risk it protects against.
I think this is probably a win. Pre-trade controls operate during every second of every trading day, and they have likely prevented significant losses, though it’s hard to prove a negative. Aside from the Knight Capital incident, in which that firm lost more than $400 million in about 45 minutes, there haven’t been massive meltdowns due to algorithmic trading. Erroneous orders certainly occur, but controls likely prevent most of them from reaching the markets.
I anticipate that the controls also cost a significant amount of resources to implement and operate—but given the trading revenues and profits involved on a broad scale, the control spending is likely a small percentage of that and protects firms from self-imploding or being affected by other firms’ incidents.
8. Good regulation has second-order effects that are manageable and do not undermine the intent of the regulation (e.g., by driving activity outside of the regulatory jurisdiction en masse without actually reducing risk in the system as a whole).
This is related to criterion #2: ensuring buy-in of stakeholders prior to finalizing a regulation. If stakeholders are at least somewhat willingly on board, implementation is far more likely to be strategic and actually address risks, rather than simply adding procedures and paperwork tactically without reducing risks much at all. As far as I can tell, the second-order effects of this regulation appear to have been manageable.
Other types of current and upcoming regulations pose more concerns. For example, cross-jurisdictional consistency on general principles and approaches for regulating AI will be helpful in avoiding jurisdiction-shopping. Climate regulations also walk this tightrope of making meaningful progress without driving activity elsewhere (which ends up not reducing risk much at all).
I hope this deep-dive has been helpful by providing one possible rubric for assessing regulations, with a finalized, effective regulation serving as a good example. In future essays, I’ll walk through some proposed regulations to see how they compare to the criteria; those proposals may be relatively fluid and open to public comment, so it’s worth starting to think now about what makes good regulation.
“Risk Management Controls for Brokers or Dealers with Market Access”, page 1, https://www.sec.gov/rules/final/2010/34-63241.pdf
“Risk Management Controls for Brokers or Dealers with Market Access”, pages 14-15, https://www.sec.gov/rules/final/2010/34-63241.pdf
“Risk Management Controls for Brokers or Dealers with Market Access”, page 24, https://www.sec.gov/rules/final/2010/34-63241.pdf
“Risk Management Controls for Brokers or Dealers with Market Access”, page 13, https://www.sec.gov/rules/final/2010/34-63241.pdf
“Risk Management Controls for Brokers or Dealers with Market Access,” pages 26-27, https://www.sec.gov/rules/final/2010/34-63241.pdf
Side note: that’s because I’m talking about the paperwork certifying the controls, although the less onerous, shorter, and more relevant the paperwork, the more frequently it can be required without becoming cruft. Meanwhile, the actual controls should be automated and running continuously to detect problems that crop up during algorithmic trading activities.
I’m a fan of frequent, low-overhead internal reporting that highlights problems and brings them to management’s attention proactively.
“Risk Management Controls for Brokers or Dealers with Market Access”, pages 3-4, https://www.sec.gov/rules/final/2010/34-63241.pdf
“Risk Management Controls for Brokers or Dealers with Market Access”, page 8, https://www.sec.gov/rules/final/2010/34-63241.pdf
This essay is a tribute to how nearly any topic is there for the taking on Substack. This was a fabulous explanation and explored the balance of risk and reward. One of my favorite authors (on a wide breadth of topics) is Michael Lewis. His book "The Flash Boys" was about program trading and creating advantage by having the least delay in the computerized trading systems. While far from his most famous book it was enlightening and entertaining. It also touched on the proprietary systems inside the investment Bank trading systems (like Goldman) where pools of trades might be order-manipulated in order to manage the amounts inside the system known as the dark pools where there wasn't any clarity or transparency. Preferred clients might benefit from ordering of the trades in the pool for example and since it was not transparent, it was likely an unfair market condition. You managed in this once through on a rule to make it easy to understand and relate to my LIMITED understanding. That is a talent. If you keep this up we will have to refer to you as a quant :)
This was an interesting analysis, thank you. Although you're right about the value of looking at a good regulation, I also think it would be interesting to see some analysis of bad regulations. I'm wondering about some of New Zealand's Health and Safety legislation now. Not sure if it's good or bad, people complain a lot, but then they complain if something goes wrong because people didn't have adequate Health and Safety too.