The best reason for keeping central banks out of the regulation of markets is highlighted by the announcement a couple of days back by the Bank of England that it was suspending one of its employees and beginning an independent investigation into whether any of its staff were involved in or aware of any attempted manipulation of the foreign exchange market.

The simple fact of the matter is that the central bank is totally conflicted when it comes to market regulation. It is a big participant in financial markets – in fact its primary mandate is to legally manipulate these markets in the pursuit of the macroeconomic mandates entrusted to it. Monetary policy gives central banks a mandate to manipulate bond markets to fix interest rates at particular levels; in several countries, central banks are also mandated to manipulate foreign exchange markets; and occasionally (for example, Hong Kong and Japan at different points of time), they have even been mandated to manipulate the stock index market.

This completely legal manipulation mandate makes central banks unsuitable for enforcing conduct regulation of financial markets. There is too great a temptation for the central bank to condone or even encourage large banks to indulge in manipulation of markets in the same direction that the central bank desires. After all, this is just another very convenient “transmission mechanism” for the central bank.

In this light, the post crisis decision in the UK to move market regulation into a subsidiary of the central bank is a ghastly mistake.

Rajgopal and White have a paper euphemistically (or sarcastically) titled “Stock Picking Skills of SEC Employees”. The paper is actually about potential insider trading by the regulator’s employees. The empirical results show that sales (but not purchases) by SEC employees earned abnormal profits (as measured by the standard Fama-French four factor model). There is evidence that some of these sales were based on impending SEC enforcement actions or disclosures made to the SEC that have not yet been made public. This indicates that the measures introduced by the SEC after an earlier insider trading scandal in 2009 (see here, pages 40-43) are not sufficiently effective or are not properly enforced.

If my memory serves me right, back in 2000, when I was in SEBI (the Securities and Exchange Board of India), employees (from the Chairman down to all staff) were forbidden from investing in equities except through mutual funds. This is arguably too draconian, but clearly the SEC rules (and their enforcement) were not tight enough.

Last week, Maris Jensen released her web site SEC Filings for Humans. (There is a nice interview with Maris Jensen at E Pluribus Unum.)

I use the SEC’s Edgar database quite often, but nowadays I never go there without first having identified the exact document that I need through other means. Searching for the document itself on Edgar is not for the faint hearted. I use Yahoo Finance and Google Finance quite extensively and find both quite disappointing. It is therefore truly amazing that one individual using a bunch of open source software (particularly D3.js and SQLAlchemy) can do something that none of these powerful organizations with vast resources have been able to accomplish.

For example, on Edgar, if you look for JPMorgan, you will find two registrants with the same name Jpmorgan Chase & Co. Only by trial and error would you be able to figure out which is the true JPMorgan. At Maris’ site, both registrants are listed, but the correct one is identified by the ticker symbol (JPM). Not rocket science, but saves a few minutes of searching for the wrong documents. Once you select JPM, you can view all its financial information (from the XBRL filings) in tabular form instead of wading through a huge text file. A lot of interesting information is displayed visually – for example, you can find a time series chart of all of the company’s subsidiaries. (For a company like JPM with hundreds of subsidiaries, this chart is quite intimidating, a similar chart for say Apple is more enjoyable). The influence chart of cross ownership is also truly impressive.

It is quite likely that in a few days as more and more users try out her website, it will become unresponsive and possibly even crash. One hopes that a large organization with more bandwidth and hardware takes over the site and keeps it running. But the prospects do not look very good – Maris tried to donate the whole thing to the SEC, but they did not even bother to respond. Meanwhile the SEC spends a lot of money buying back its own Edgar data from commercial vendors.

Finally, will something like this ever become available in India?

The World Gold Council (WGC) reported last week that despite import curbs imposed during 2013, Indian gold demand continued to grow with gold smuggling (what the WGC euphemistically calls unofficial gold imports) compensating for the fall in official imports. This is of course in line with a lot of anecdotal evidence.

In principle, gold smuggling should show up in the balance of payments (BOP) data in some form – after all the smuggled gold also has to be paid for in foreign exchange. For example, smugglers could collect foreign currency from migrant workers outside India and remit the money in Indian rupees to their families in India via the “hawala” channels. Corporate “hawala” could take the form of under/over invoicing of trade or inflating outbound foreign direct investment from India.

The Indian balance of payments data is available only for July-September 2013 while smuggling is likely to have picked up more in the subsequent quarter. Nevertheless, the data does show some tentative evidence for the financing of gold smuggling. For example, in item (Other capital transfers including migrants transfers), the gross inflows fell by nearly $1.0 billion and the net flow fell by $0.8 billion. Similarly, item 3.1.B (Direct Investment by India) rose by $1.2 billion on gross outflow basis and by $0.6 billion on a net outflow basis. I am grateful to my colleague Prof. Ravindra Dholakia for pointing out to me that the gross flows are possibly more important than the net flows.

The WGC data and the BOP data are consistent with the anecdotal evidence that smuggling is on the rise. Some economists tend to be dismissive of such anecdotal evidence – their standard refrain is that “the plural of anecdote is not data”. In finance, we tend to be much more respectful of anecdotal and suggestive evidence. Our standard reflex is to “buy the rumour and sell the fact”. Financial markets are forward looking and by the time conclusive statistical data becomes available, it is too late to be actionable.

In any case, it is dangerous to let smuggling take root. Smuggling of gold requires setting up a complex and sophisticated supply chain including financing, insurance, transportation, warehousing and distribution. Stringent import curbs create incentives to incur the large fixed costs required to set up such a supply chain. But once the supply chain has been set up, it may continue to operate even after the curbs are relaxed so long as the arbitrage differentials exceed the variable costs of the supply chain. In this sense, there are large hysteresis effects (path dependence) in these kinds of phenomena. More dangerously, the supply chain created to smuggle gold can be easily re-purposed for more nefarious activities. In the long run, the gold import curbs may turn out to be a very costly mistake.

My colleagues, Prof. Sobhesh Kumar Agarwalla and Prof. Joshy Jacob and I have a working paper on “High Frequency Manipulation at Futures Expiry: The Case of Cash Settled Indian Single Stock Futures” (also available at SSRN).

Some extracts from the abstract and the conclusion:

In 2013, the Securities and Exchange Board of India identified a case of alleged manipulation (in September 2012) of the settlement price of cash settled single stock futures based on high frequency circular trading. This alleged manipulation exploited several interesting characteristics of the Indian single stock futures market: (a) the futures contract is cash settled, (b) the settlement price is not based on a call auction or special session, but is the volume weighted average price (VWAP) during the last half an hour of trading in the cash market on the expiry date, and (c) anecdotal evidence suggests that the Indian market is more vulnerable to circular trading in which different entities associated with the same person trade with each other to create a false market.

We demonstrate that the combination of cash settlement with the use of a volume weighted average price (VWAP) to determine the settlement price on expiry day makes the Indian single stock futures market vulnerable to a form of high frequency manipulation that targets price insensitive execution algorithms. This type of manipulation is hard to prevent using mechanisms like position limits, and therefore it is necessary to establish a robust program to detect and deter manipulation.

We develop an econometric technique that uses high frequency data and which can be integrated with the automated surveillance system to identify suspected cases of high frequency manipulation very close to the event. Human judgement then needs to be applied to identify cases which prima facie justify detailed investigation and possible prosecution. Our results suggest that high frequency manipulation of price insensitive execution algorithms may be taking place. However, successful manipulation of the settlement price is relatively rare with only one clear instance (the September 27, 2012 episode) and one (milder) parallel.

Finally, the use of the volume weighted average price (VWAP) to determine the cash settlement price of the futures contract might require reconsideration.

A few years ago, somebody asking this question would have been dismissed as a nit picking nerd, but today that question has become extremely important. Last week, the Wall Street Journal’s MoneyBeat blog carried an interesting story about how this difference cost a trader $100,000.

The official market close in the US is 4:00:00 pm, but the computers at Nasdaq keep humming for almost one second longer to reconcile all trades and determine the market closing price. About 150 milliseconds after 4:00 pm on December 5, the earnings announcement of Ulta Salon Cosmetics & Fragrance Inc. hit Business Wire and within 50 milliseconds after that a series of sale orders started hitting the market. When the market closed 700 milliseconds after 4:00 pm, the stock had fallen from $122 to $118.

The problem is that companies that want to release earnings after trading hours assume that trading stops at 4:00:00 pm, while smart traders know that the actual close is nearer to 4:00:01. That creates a profit opportunity for the fastest machine readable news feeds and the fastest trading algorithms. Traders are thinking in terms of milliseconds, but regulators are probably thinking in terms of minutes. Time for the regulators to catch up!

Steven J. Murdoch and Ross Anderson have a fascinating paper entitled “Security Protocols and Evidence: Where Many Payment Systems Fail” (h/t Bruce Schenier). The paper proposes five principles to guide the design of good security protocols:

Principle 1: Retention and disclosure. Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody.

Principle 2: Test and debug evidential functionality. When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses.

Principle 3: Open description of TCB [trusted computing base]. Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations.

Principle 4: Failure-evidentness. Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism.

Principle 5: Governance of forensic procedures. The forensic procedures for investigating disputed payments must be repeatable and be reviewed regu- larly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures.

EMV cards violate several of these principles and the authors propose several ideas to improve the evidential characteristics of the system. One idea is a cryptographic audit log of all transactions to be maintained by the card. A forward secure Message Authentication Code (MAC) would prevent a forger from inserting fake transactions in the past even with possession of the current audit key. Similarly, committing a hash chain over all past transactions would mean that a forger with knowledge of the audit key (but not the card itself) cannot insert fake transactions without inducing a discrepancy between the bank server log and the audit log on the genuine card. By putting the card into a forensic mode to retrieve the audit log, a customer would thus be able to demonstrate that the card was not present in a disputed transaction – presumably, the merchant and the bank will be left to figure out how to share the loss.

One of the comments (by mike~acke) on Bruce Schneier’s blog points out that in today’s system, the card holder has to trust the merchant completely: “when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.”. His solution is a very simple though radical idea which simply removes the merchant from the trusted chain. (mike~acke’s comment below is probably easier to understand if you interpret POST to mean merchant and PCI to mean bank though neither identification is completely correct.)

When the customer presents the card it DOES NOT send the customer’s card number to the POST. Instead, the POST will submit an INVOICE to the customer’s card. On customer approval the customer’s card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST. Neither the POST nor the merchant’s computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant’s POST must forward the authorizing message cipher text to the PCI service center. On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer’s account to the merchant’s account. The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete. The merchant never knows who the customer was: the merchant never has ANY of the customer’s PII data.

I like this idea and would like to extend the idea even to ATM cards. That way, we will never have to worry about inserting a card into a fake or compromised ATM, because our ATM card would not trust the ATM machine – it would talk directly to the bank server in encrypted messages that the ATM cannot understand. At the end of it all, the bank server would simply send a message to the ATM to dispense the cash.

Updated February 11, 2014 to insert block quotes and ellipses in quote from Murdoch-Anderson paper.


Get every new post delivered to your Inbox.

Join 75 other followers