Prof. Jayanth R. Varma’s Financial Markets Blog

A blog on financial markets and their regulation

SEC Regulatory Overreach

I have repeatedly worried about regulatory overreach (here, here and here); while most of the examples in those posts came from India, I was always clear that the phenomenon is global in nature. In a blog post (at CLS Blue Sky Blog) Johnson and Barry carry out an analysis of the US Securities and Exchange Commission (SEC) which documents the overreach of that regulator.

The Dodd Frank Act of 2010 greatly expanded the ability of the SEC to initiate proceedings in its own administrative courts before an Administrative Law Judge appointed by the commission instead of filing the case in a federal court. Since around 2013, the SEC has relied more on these proceedings which give substantial advantages to the SEC – less comprehensive discovery rules, no juries, and relaxed evidentiary requirements. A study by the Wall Street Journal showed that the SEC wins cases before its in-house judges much more frequently than before independent courts.

Johnson and Barry show that even this “home field” advantage is not enough – the SEC seems to be overreaching or overcharging its cases to such an extent that it is losing a number of high-profile administrative cases. They conclude:

When it began to shift away from filing cases in district court, it likely believed it would see more success in administrative proceedings, but that has not consistently been the case. Although the SEC is still winning many of its administrative cases, its recent losses reflect a failure to evaluate the strength of its proof, particularly in cases where scienter evidence is thin, or overall evidence of alternative theories consistent with innocence is equally strong.


Surveillance by countervailing power

I have long argued that it is a mistake to think of surveillance as being done solely by disinterested regulators who have no axe to grind. As I wrote in a blog post a decade ago, “complaints by rivals and other interested parties are the best leads that a regulator can get.”

But these rivals and other interested parties can go beyond complaining to the regulator; they can take matters into their own hands. This can often be the best and most effective form of surveillance. A recent order by the US Commodity Futures Trading Commission (CFTC) against Statoil illustrates this very well.

According to the CFTC, Statoil traders bought physical propane in the Far East with a view to push up the Argus Far East Index (FEI) which was the reference price for Statoil’s derivative contracts on NYMEX. However, Statoil’s plan to profit by creating an artificial settlement price for the Argus FEI did not materialize as hoped. The CFTC quotes one of the Statoil traders:

Also, quite a few of the players in the market have a vested interested in holding the [Argus] FEI down and they have been willing to sell cargoes . . . at discounted prices . . . Statoil have bought 5 cargoes over the last week but this has not been enough to keep the [price] up.

So one group of players is trying to rig the price down, while another set is trying to do the opposite. Their efforts neutralize each other, and the market basically polices itself. The regulator can of course watch the fun and impose a penalty on one party (or even both), but its actions are largely irrelevant.

Incidentally, the episode also shows that market manipulation is not the exclusive preserve of evil private sector speculators: Statoil is the Norwegian government oil company.

In the sister blog and on Twitter during August-November 2017

There were no posts on the sister blog (on Computing) during August-November 2017 other than cross posts from this blog.

Tweets during August-November 2017 (other than blog post tweets):

Large asset auctions: Russian versus East Asian models

In the context of the large asset auctions that are expected to happen in India as part of the new bankruptcy code for delinquent borrowers, I think it would be instructive to look at the lessons that can be learned from how such auctions were organized elsewhere in the world. Two episodes that come to my mind are:

  1. The large privatizations that happened in Russia after the collapse of the Soviet Union

  2. The massive sale of assets that happened in East Asia particularly Korea and Thailand after the Asian crisis.

Both of these were large operations carried out fairly quickly in a quite challenging environment. There was a huge amount of uncertainty about the true value of the assets, but that is unavoidable in situations like this. But the two episodes differed in many critical respects. All in all, most people would agree that the Russian auctions were a disaster. First, they allowed a bunch of oligarchs to acquire businesses very cheaply because of inadequate competition. Second, the privatizations (at least ex post) have very little perceived legitimacy, and this vitiates Russian democracy even today. The East Asians (partly because of IMF pressure) were much more transparent about the process, and also opened up the sales to foreign bidders in a big way (amending the laws in some cases). This was not politically very pleasant, but was probably the only way to generate enough competitive bidding in an environment where most domestic players were liquidity constrained, and the banking system was ill equipped to support leveraged bidders.

The Indian retail credit boom

In the last 3-4 years, in the face of collapsing corporate credit demand and rising defaults in corporate loans (dating back to the days of a booming economy), the Indian banking system has been focused on growing the retail loan portfolio. Non bank finance companies have also been doing the same. For public sector bankers worried about investigations into suspected corrupt lending, retail lending has another big advantage from a career point of view. Since retail credit decisions are based on computer algorithms, there is much less risk of corruption allegations against individual staff members (and computers cannot be sent to jail).

Two questions arise at this point:

  1. Has this retail credit boom progressed beyond the point of prudent lending? Anecdotal evidence suggests that at least for some lenders, the answer is yes. Since nobody wants to admit that they are lending imprudently, I prefer to ask market participants what CIBIL score cutoffs their competitors are using. During the last couple of years, I have heard this number fall from 650-700 to 600 and recently to 550.

  2. How much of an impact would job losses in telecom and software services have on delinquencies in retail loans? It is too early to say, but clearly the impact would be non trivial.

I would think that the ongoing public sector bank recapitalization needs to keep this in mind. And perhaps at least some private sector lenders might want to think of a pre-emptive recapitalization.

Bitcoin as a way to short bad things

Many people are perplexed that there is no asset underlying Bitcoin. One answer is that there is nothing underlying fiat money either. But, it is more interesting to think about Bitcoin not as being long something good but as being short something bad. Bitcoin is short untrustworthy/incompetent banks/politicians.

Bitcoin has soared in value as trust in G7/G10/G20 politicians has eroded. Capital flight from untrustworthy peripheral countries has historically been to core country safe havens like the US dollar. But when trust in the core is eroded, where does one go? Traditionally, money poured into gold, and to some extent it still does, but today’s technology utopians see gold as Luddite and medieval. Bitcoin has many of the key attributes of gold (most importantly, it is beyond the control of politicians), but it is modern and futuristic.

So one way to think about Bitcoin as an investment is to ask yourself whether you are optimistic about today’s G7/G10/G20 politicians in terms of trustworthiness and competence. If your answer is yes, you should probably forget about Bitcoin, but if your answer is negative, Bitcoin deserves some serious consideration. In the latter case, you would think of Bitcoin (and Ethereum and the rest) as the way to reinvent capitalism so as to make it less dependent on bad/stupid politicians and their crony capitalists.

In this vein, I have been thinking about two episodes separated by a quarter century. In September 1992, the UK government was battling the Hungarian, and in order to defend the British pound, the Bank of England raised interest rates an unprecedented second time on the same day (the first hike at 11:00 am was from 10% to 12%, while the second hike at 2:15 pm was from 12% to 15%). For the first few minutes, the London stock market fell sharply in response to this shock and awe strategy. At that time, the stock market was essentially short the politicians: if the politicians won, the UK economy would suffer from an overvalued currency and the high interest rates required to sustain it: stocks would fare badly. If the politicians lost, then lower interest rates and a weaker currency would propel the economy and the stock market higher. So the initial response of the market was one of dejection: the politicians seemed to be winning at the cost of inflicting even more damage to the economy.

But within minutes, the London stock market began to rally furiously as it realized that the second rate hike in the day was a sign not of strength but of despair. The market was now convinced that the politicians would lose, and so it turned out. The pound crashed out of the ERM and the second rate hike was canceled before it came into force. Jeremy Siegel tells the whole story quite nicely in his book Stocks for the Long Run (in the section on Stocks and the Breakdown of the European Exchange-Rate Mechanism).

Twenty five years later, in September 2017, a few weeks before the five-yearly Congress of the Communist Party of China, the Chinese government launched a crackdown on cryptocurrencies including Bitcoin. Clearly, the thought of people investing in an asset beyond the control of the state and the party was anathema to the Chinese rulers. Again the initial response of the market was that the politicians would win this fight and Bitcoin dropped about 30% very quickly. It took a couple of weeks for the market to realize that (like the Bank of England’s second rate hike), the Chinese crackdown on Bitcoin too was the outcome not of strength but of despair. The ban would only reduce the influence of China in the growing global Bitcoin ecosystem. Bitcoin began to rebound and the centre of Bitcoin trading shifted out of China to elsewhere in the world. When the party Congress began in mid October, Bitcoin was trading at record highs well above the pre ban levels.

It is possible that the Chinese crackdown would come back to haunt them. China’s geopolitical rivals (US, Japan, India and others) are surely reflecting on this episode and wondering whether Bitcoin could be the Achilles’ heel of the Chinese state’s control over their economy. At the same time, Russia and China are probably wondering whether Bitcoin is the Achilles’ heel of the US control of the global payment system.

So if you believe that the world is run by somewhat honest and tolerably competent politicians, you could bet that Bitcoin is just a passing fad that we would all be laughing at in a few years’ time. If you want to short this rosy view, Bitcoin beckons: it is now too big and strong to be shut down by untrustworthy/incompetent politicians.

PS: I have recently started referring to the man who broke the Bank of England simply as the Hungarian because of the current Hungarian government’s extreme hostility to him.

Building credit bureaus that have no personal information

In two blog posts (here and here), I have argued that in an era of widespread hacking, the credit bureau’s business model is unsustainable because it requires storing enormous amounts of confidential information on tens of millions of individuals who are not even its customers.

However, these bureaus serve a useful function of aggregating information about an individual from multiple sources and condensing all this information into a credit score that measures the credit worthiness of the individual. An individual has credit relationships with many banks and other agencies. He might have a credit card from one bank, a car loan from another bank and a home loan from a third; he may have overdue payments on one or more of these loans. He might also have an unpaid utility bill. When he applies for a new loan from yet another bank, the new bank would like to have all this information before deciding on granting the loan, but it is obviously impractical to write to every bank in the country to seek this information. It is far easier for all banks to provide information about all their customers to a central credit bureau which consolidates all this information into a composite credit score which can be accessed by any bank while granting a new loan.

The problem is that though this model is very efficient, it creates a single point of failure – a single entity that knows too much information about too many individuals. What is worse, these individuals are not customers of the bureau and cannot stop doing business with it if they do not like the privacy and security practices of the bureau.

We need to find ways to let the bureaus perform their credit scoring function without receiving or storing confidential information at all. The tool required to do this (homomorphic encryption) has been available for over a decade now, but has been under utilized in finance as I discussed in a blog post two years ago.

Suppose there is only one bank

To explain how a secure credit bureau can be built, I begin with a simple example where the bureau obtains information only from one bank (or other agency) which has the individual as a customer. I will then extend this to multiple banks.

  • The credit score of an individual can be approximated by a linear function (weighted sum) of a bunch of attributes relating to the individual:

    $$\text{score} = w_1 x_1 + w_2 x_2 + \dots + w_n x_n$$

    where $w_i$ is a weight (coefficient) and $x_i$ is an attribute (for example, $x_1$ could indicate whether the individual is delinquent on a car loan and $x_2$ could represent the credit card debt outstanding as a percentage of the credit limit). Since $x_i$ could be a non linear function (for example, the square or logarithm) of the underlying variable, the linear form is not really restrictive.

  • The attributes $x_i$ are known only to the bank. These are never revealed to the bureau which sees only the weighted sum above.

  • The weights $w_i$ are proprietary information that needs to be known only to the credit bureau. The bureau encrypts the weights and sends the encrypted weights to the bank.

  • Homomorphic encryption allows the bank to compute the weighted sum

    $$\text{score} = w_1 x_1 + w_2 x_2 + \dots + w_n x_n$$

    without decrypting the weights. Actually, the bank does not see the weighted sum (the score). What it computes using homomorphic encryption is the encrypted weighted sum, but the credit bureau can decrypt this and obtain the score. Since the $x_i$ are known to the bank, the computation of this scalar product requires only Additive or Partial Homomorphic Encryption (AHE or PHE) which is much more efficient than Full Homomorphic Encryption (FHE). The GLLM method (Goethals et al. “On private scalar product computation for privacy-preserving data mining.” ICISC. Vol. 3506. 2004.) based on the Paillier AHE can do the job.

  • At the end therefore:

    1. The credit bureau knows the credit score of the individual.

    2. The credit bureau has not revealed either its scoring rule or the credit score of the individual.

    3. The bank has not revealed any confidential information about the customer to the credit bureau other than the credit score. (Note for the geeks: The privacy guarantee here is at the highest possible level – it is information theoretical (Theorem 1 of Goethals et al.) and not merely cryptographic. Even in the implausible worst case scenario where the cryptography is somehow broken, that would leak information from the credit bureau to the banks but not in the other direction.)

  • The above procedure is repeated for each individual. The $w_i$ would be the same for all individuals, but $x_i$ would of course vary from individual to individual. To be precise, we should write the i’th attribute of the k’th individual as $x_{ki}$.

  • If the credit bureau is hacked, confidential information belonging to the individuals is not exposed because the bureau does not have this at all. The credit scores and the scoring rule may be exposed, but this is a loss primarily to the credit bureau and there are no negative externalities involved.

Extension to Multiple Banks

In general, the credit bureau will need information from many (say m) banks (or other agencies).

  • The credit score of an individual can be represented as a weighted sum of sub scores from various banks (the bureau may or may not use equal weights $u_j = 1$ or $u_j = 1/m$ for this purpose):

    $$\text{Total Score} = u_1\,\text{subscore}_1 + u_2\,\text{subscore}_2 + \dots + u_m\,\text{subscore}_m$$

    where $u_j$ is the weight of bank j and $\text{subscore}_j$ is the sub score computed using information only from bank j as follows:

    $$\text{subscore}_j = w_1 x_{j1} + w_2 x_{j2} + \dots + w_n x_{jn}$$

    where $x_{ji}$ is the i’th attribute of the individual at bank j.

  • Bank j can use homomorphic encryption to compute $u_j\,\text{subscore}_j$. We first define a set of modified weights $v_{ji}$ for attribute i for bank j as:

    $$v_{ji} = u_j w_i$$

    and then let the bank compute a weighted sum exactly as in the one bank case but using weights $v_{ji}$ instead of $w_i$:

    $$u_j\,\text{subscore}_j = v_{j1} x_{j1} + v_{j2} x_{j2} + \dots + v_{jn} x_{jn}$$

  • The credit bureau adds up all the $u_j\,\text{subscore}_j$ that it receives from various banks to find the credit score of the individual.

  • We can however get one further level of privacy in this case where the credit bureau is able to compute the total score of an individual without learning any of the $\text{subscore}_j$. If this extra privacy is desired, we modify the procedure as follows:

    1. Bank j computes

      $$\text{disguised\_subscore}_j = u_j\,\text{subscore}_j + r_j$$

      where $r_j$ is a random number chosen by bank j. The bank communicates $\text{disguised\_subscore}_j$ to the credit bureau. (Note for the geeks: Actually since the bank computes and communicates an encrypted form of this quantity homomorphically, it needs to encrypt $r_j$ also. This is possible since we are using public key cryptography – the public key of the credit bureau is publicly available and anybody can encrypt using this key; but only the bureau can perform decryption because only it has the private key.)

    2. All the banks collectively compute the sum of all the $r_j$ using secure multi party computation based on secret sharing methods which ensure that no bank learns the $r_j$ of any other bank. The sum of all the $r_j$ (let us call it sum_r) is communicated to the credit bureau.

    3. The credit bureau computes the sum of all the $\text{disguised\_subscore}_j$. From this result, it subtracts sum_r to get the correct total credit score.

  • At the end therefore:

    1. The credit bureau knows the total credit score of the individual.
    2. The credit bureau has not revealed either its scoring rule or the credit score of the individual.

    3. The bank has not revealed any confidential information about the customer to the credit bureau: not even the sub score based on data in its possession.

  • The above procedure is repeated for each individual. The modified weights $v_{ji}$ would be the same for all individuals at the same bank, but $x_{ji}$ would of course vary from individual to individual. To be precise, we should write the i’th attribute of the k’th individual at the j’th bank as $x_{jki}$. The $r_j$ (and therefore sum_r) should also ideally vary from individual to individual: strictly speaking, these are actually $r_{kj}$ and $\text{sum\_r}_k$ for individual k. Similarly, $\text{disguised\_subscore}_j$ should strictly speaking be $\text{disguised\_subscore}_{kj}$.
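The one-bank and multi-bank procedures above can be run end to end. The following is an added example, not code from the original post: a textbook Paillier scheme written out in plain Python with a constructed, deliberately tiny demo key. The attribute `x3`, the weights and the bank data are constructed assumptions, and the masks are drawn modulo the Paillier modulus so that each disguised subscore seen by the bureau is uniformly distributed.

```python
import math
import secrets

# Constructed demo key: two Mersenne primes, far too small and too structured
# for real use. A deployment would use a vetted library and a >= 2048-bit modulus.
P, Q = 2**107 - 1, 2**127 - 1


class BureauKey:
    """Paillier key pair with g = n + 1; only the bureau holds lam and mu."""

    def __init__(self, p=P, q=Q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        self.mu = pow(self.lam, -1, self.n)

    def decrypt(self, c):
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n


def encrypt(n, m):
    """Public-key operation: anyone who knows n can encrypt."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)


def signed(m, n):
    """Map a residue mod n back to a signed integer (weights may be negative)."""
    return m - n if m > n // 2 else m


def bank_encrypted_sum(n, enc_weights, attributes, mask=0):
    """Bank side: E(sum_i v_i * x_i + mask) from encrypted weights and plain x_i.
    Uses E(a)^x = E(a*x) and E(a)*E(b) = E(a+b); the bank never decrypts."""
    n2 = n * n
    c = encrypt(n, mask)          # fresh randomness also re-randomises the result
    for enc_v, x in zip(enc_weights, attributes):
        c = c * pow(enc_v, x, n2) % n2
    return c


def shared_mask_sum(masks, n):
    """Additive secret sharing: bank j splits r_j into one share per bank.
    Each bank publishes only the sum of the shares it received."""
    m = len(masks)
    shares = []
    for r in masks:
        parts = [secrets.randbelow(n) for _ in range(m - 1)]
        parts.append((r - sum(parts)) % n)
        shares.append(parts)
    published = [sum(row[k] for row in shares) % n for k in range(m)]
    return sum(published) % n


def single_bank_score(key, weights, attributes):
    enc_w = [encrypt(key.n, w) for w in weights]            # bureau -> bank
    c = bank_encrypted_sum(key.n, enc_w, attributes)        # bank -> bureau
    return signed(key.decrypt(c), key.n)


def multi_bank_score(key, weights, bank_u, bank_attributes):
    n = key.n
    masks, seen_by_bureau = [], []
    for u_j, x_j in zip(bank_u, bank_attributes):
        enc_v = [encrypt(n, u_j * w) for w in weights]      # v_ji = u_j * w_i
        r_j = secrets.randbelow(n)                          # known only to bank j
        masks.append(r_j)
        c = bank_encrypted_sum(n, enc_v, x_j, mask=r_j)
        seen_by_bureau.append(key.decrypt(c))               # disguised subscore
    sum_r = shared_mask_sum(masks, n)
    total = signed((sum(seen_by_bureau) - sum_r) % n, n)
    return total, seen_by_bureau


# Constructed sample data: x1 = delinquent on car loan (0/1), x2 = card debt as
# % of limit, x3 = months since last missed payment (x3 is an assumption).
WEIGHTS = [-150, -2, 4]
BANK_U = [1, 2, 1]
BANK_X = [[1, 80, 6], [0, 35, 48], [0, 10, 30]]

if __name__ == "__main__":
    key = BureauKey()
    print(single_bank_score(key, WEIGHTS, BANK_X[0]))       # one-bank case
    total, seen = multi_bank_score(key, WEIGHTS, BANK_U, BANK_X)
    print(total)                                            # multi-bank total
```

The values in `seen_by_bureau` are all the bureau ever decrypts in the multi-bank case; only after subtracting `sum_r` does a meaningful number appear, and that number is the total rather than any bank's subscore.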

Allowing the individual to verify all computations

How does an individual detect any errors in the credit score? How does an external auditor verify the computations for a sample of individuals?

The individual k would be entitled to receive a credit report from the credit bureau that includes (a) the unencrypted total credit score ($\text{total\_score}_k$), (b) the encrypted $\text{disguised\_subscore}_{kj}$ for all j, (c) the encrypted modified weights $v_{ji}$ for all i and j and (d) $\text{sum\_r}_k$. Actually, (b), (c) and (d) should be publicly revealed by the credit bureau on its website because they do not leak any information.

The individual k would also be entitled to get two pieces of information from bank j: (a) the attributes $x_{jki}$ for all i and (b) the random number $r_{kj}$.

With this information, the individual k can verify the computation of the encrypted $\text{disguised\_subscore}_{kj}$ for all j (using the same homomorphic encryption method used by the banks). The individual can also verify $\text{sum\_r}_k$ by adding up the $r_{kj}$. Using the public key of the credit bureau, the individual can also encrypt $\text{total\_score}_k$ – $\text{sum\_r}_k$ and compare this with the encrypted sum obtained by adding up all the $\text{disguised\_subscore}_{kj}$ homomorphically.

The same procedure would allow an auditor to verify the computation for any sample of individuals.

The careful reader might wonder how the individual can detect an attempt by a bank to falsify $r_{kj}$. In that case, $\text{sum\_r}_k$ will not match the sum obtained by adding up the $r_{kj}$, but how can the individual determine which bank is at fault? To alleviate this problem, each bank j would be required to construct a Merkle tree of the $r_{kj}$ (for all k) and publicly reveal the root hash of this Merkle tree. Individual k would then also be entitled to receive a path of hashes in the Merkle tree leading up to $r_{kj}$. It is then impossible to falsify any of the $r_{kj}$ without falsifying the entire Merkle tree. Any reasonable audit procedure would detect a falsification of the entire Merkle tree. Depending on the setup, the auditor might also be able to audit (a sample of) the secure multi party computation of $r_{kj}$ directly by verifying a (sub) sample of the secret shares.
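The Merkle-tree check described above, as an added example that is not part of the original post: each bank commits to its masks, individual k verifies the mask and hash path each bank hands over against that bank's published root, and the bank whose disclosure fails is identified. The leaf encoding, the domain-separation prefixes, the bank names and the mask values are constructed assumptions.

```python
import hashlib


def leaf_hash(k, r_kj):
    """Leaf commits to (individual k, mask r_kj); 0x00 tags a leaf."""
    data = k.to_bytes(8, "big") + r_kj.to_bytes(32, "big")
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    """0x01 tags an interior node so a leaf can never be passed off as one."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(masks):
    """Bank side: masks[k] = r_kj. Returns all tree levels; levels[-1][0] is the root."""
    levels = [[leaf_hash(k, r) for k, r in enumerate(masks)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])       # unpaired node is carried up unchanged
        levels.append(nxt)
    return levels


def prove(levels, k):
    """Bank side: the path of sibling hashes from leaf k up to the root."""
    path, index = [], k
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):      # no sibling when the node was carried up
            path.append((sibling < index, level[sibling]))
        index //= 2
    return path


def verify(root, k, r_kj, path):
    """Individual side: recompute the root from the disclosed mask and path."""
    h = leaf_hash(k, r_kj)
    for sibling_is_left, sibling in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def banks_at_fault(published_roots, disclosures, k, sum_r_k, modulus):
    """disclosures[bank] = (r_kj, path) as handed to individual k by that bank.
    Returns the banks whose disclosure does not match their published root,
    and whether the disclosed masks add up to the published sum_r_k."""
    bad = sorted(bank for bank, (r, path) in disclosures.items()
                 if not verify(published_roots[bank], k, r, path))
    total_ok = sum(r for r, _ in disclosures.values()) % modulus == sum_r_k
    return bad, total_ok


def demo():
    modulus = 2**234                  # constructed; masks live below this bound
    # Constructed masks: committed[bank][k] is r_kj for individuals k = 0..4.
    committed = {"A": [11, 22, 33, 44, 55],
                 "B": [101, 202, 303, 404, 505],
                 "C": [1001, 2002, 3003, 4004, 5005]}
    k = 4
    trees = {bank: build_levels(masks) for bank, masks in committed.items()}
    roots = {bank: levels[-1][0] for bank, levels in trees.items()}
    sum_r_k = sum(masks[k] for masks in committed.values()) % modulus
    disclosures = {bank: (committed[bank][k], prove(trees[bank], k)) for bank in committed}
    # Bank B hands the individual a mask that differs from the one it committed to.
    disclosures["B"] = (committed["B"][k] + 1, disclosures["B"][1])
    return banks_at_fault(roots, disclosures, k, sum_r_k, modulus)


if __name__ == "__main__":
    print(demo())
```

The sum check alone only says that something is wrong; the per-bank root comparison is what attributes the mismatch to bank B.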

Conclusion

At the end, we would have built a secure credit bureau. An Equifax-scale hack of such a bureau would be of no concern to the public; it would be a loss only for the bureau itself. Mathematics gives us the tools required to do this. The question is whether we have the good sense and the will to use these tools. The principal obstacle might be that the credit bureau would have to earn its entire income by selling credit scores; it would not be able to sell personal information about the individual because it does not have that information. But this is a feature and not a bug.

Credit bureaus as fundamentally dangerous businesses

I received a lot of push back against my suggestion that Equifax should be shut down in response to the massive data hack that has been described as the worst leak of personal info ever. Many people thought that this was too drastic: one comment was that it “would shake the ground under capitalism.” Some thought that all computers can get hacked and we cannot keep shutting down a company whenever this happens.

I think of this in terms of the standard legal maxim of “strict liability” which is described for example here:

A strict liability tort holds a person or entity responsible for unintended consequences of his actions. In other words, some circumstances or activities are known to be fundamentally dangerous, so when something goes wrong, the perpetrator is held legally responsible.

I regard credit bureaus as fundamentally dangerous businesses that ought not to exist in their current form. When something goes wrong in these businesses, the liability should be absolute and punitive. What has happened in Equifax is so bad that imposition of a reasonable liability would simply put them out of business. Simultaneously, we start building modern, safer alternatives to this fundamentally dangerous business.

I see the past, present and future of credit bureaus as follows:

  1. Past: Credit bureaus were first formed more than a century ago in the age of paper records and manual systems, and the business was relatively safe at that time. Society therefore encouraged the growth and development of these institutions.

  2. Present: With the emergence of the internet, the business has rapidly become a systemic risk to the entire financial system, but till now we have tolerated them because there seemed to be no viable alternatives.

  3. Future: Recent advances in cryptography today provide much safer alternatives to the credit bureaus in their current form.

We are today at the cusp of the transition from the second to the third stage:

  • Credit bureaus are fundamentally dangerous businesses.
  • They have become large, profitable and powerful and see no need to change. Change will have to be imposed on them by forcing them to internalize the negative externalities that they create for consumers.

  • It is possible to move quickly toward safer alternatives that use homomorphic encryption and other tools of modern cryptography.

I plan to write a separate blog post on how homomorphic encryption can solve the problems that plague current credit bureaus.

How insider trading laws became the crooks’ best friend

Andrew Verstein’s blog post on “Insider Tainting: Strategic Tipping of Material Non-Public Information” at the CLS Blue Sky Blog made me think about the numerous ways in which insider trading laws have become the crooks’ best friend. Verstein gives an example based on a controversial real life episode, but I would prefer to rephrase it as a purely hypothetical situation:

Consider a small company (let us call it SmallCo) which has not been doing too well. The company plans to issue new shares to shore up its capital though this would dilute the existing shareholders. At this point of time, SmallCo’s CEO comes to know that the largest shareholder in the company (let us call him John) is on the verge of selling his shares. If John sells his block, that would send a negative signal to the market about SmallCo’s prospects and would frustrate its plans to raise new capital. More menacingly, if John’s stake ends up in the hands of an activist investor, that would lead to a lot of pressure on the existing management and even a change of management – SmallCo’s CEO could end up losing his job. The CEO comes up with a brilliant plan to stop John from selling his stake (and save his job): he simply calls up John and informs him of the confidential plan to sell new shares. John is now “tainted” with insider information, and may not be able to sell his stake without attracting insider trading laws.

While this is a shocking illustration of how a crooked CEO may be able to recruit the securities regulator itself as his partner in market manipulation, the more important question to ask is why did the securities regulator choose to frame laws that end up having this perverse effect. In my opinion, the true reason for this is the regulatory capture of securities regulators worldwide by the intermediaries that they regulate.

As part of this argument, I would like to draw on a brilliant blog post by Judge Rakoff in 2013 on “Why Have No High Level Executives Been Prosecuted In Connection With The Financial Crisis?” (I blogged about this piece at that time). Rakoff quickly dismisses the argument that no fraud was committed, and that the Global Financial Crisis was simply a result of negligence, of the kind of inordinate risk-taking commonly called a ‘bubble.’ The judge cites various official reports to demonstrate that “in the aftermath of the financial crisis, the prevailing view of many government officials (as well as others) was that the crisis was in material respects the product of intentional fraud.” He then articulates what he regards as the most important reason why no such prosecutions happened:

First, the prosecutors had other priorities.

Alternative priorities, in short, is, I submit, one of the reasons the financial fraud cases were not brought, especially cases against high level individuals that would take many years, many investigators, and a great deal of expertise to investigate.

Insider trading prosecutions (Martha Stewart, Raj Rajaratnam and Rajat Gupta) and Ponzi scheme prosecutions (Bernie Madoff) in my view played an important role here. The public’s anger was assuaged by prosecuting some high profile individuals, and this served to deflect attention from the fact that the executives running the large institutions escaped scot-free.

What is interesting about insider trading prosecution is that it allows financial sector regulators to target people who are outside (or at the periphery of) the financial system. It is therefore extremely attractive to a regulator that has been captured by its regulatees. Such a regulator is able to project an image of being very tough without causing much harm to its own regulatees.

This perspective explains several puzzling facts about the evolution of insider trading law:

  1. Insider trading law and enforcement have expanded though there has been a strong academic argument going back half a century for legalizing insider trading (see for example, Henry Manne and Hu and Noe). Even if one does not go that far, there is a strong argument for decriminalizing insider trading and making it purely a civil liability. I have been making this argument for nearly 15 years now (see for example here).

  2. Regulators have progressively sought to enlarge the definition of insider trading to cover many legitimate activities on the ground that without such an expansive definition, insider trading becomes hard to prove. I often joke that the prohibition of “insider trading” has gradually morphed into the prohibition of “informed trading.”

  3. Regulators have rarely used their powers judiciously and have typically tended to pursue specific high-profile cases for extraneous reasons.

Norway and the tail risk of bonds

I have long been an admirer of the transparent and sound investment policies of Norway’s sovereign wealth fund (Government Pension Fund Global). However, I was perplexed by their recent proposals regarding the bond portfolio of this fund.

In the long term, the gains from broad international diversification are considerable for equities but moderate for bonds. For an investor with 70 percent of his investments in an internationally diversified equity portfolio, there is little reduction in risk to be obtained by also diversifying his bond investments across a large number of currencies.

The benchmark index for bonds currently consists of 23 currencies. Our recommendation is that the number of currencies in the bond index is reduced. This will have little impact on risk in the overall benchmark index.

An index consisting of bonds issued in dollars, euros and pounds alone will be sufficiently liquid and investable for the fund.

I tend to think of the risk of the high grade bonds (of the kind that Norway invests in) as consisting predominantly of tail risk. This is well described by Adam Fergusson’s When Money Dies about the German hyperinflation of the 1920s. A long term investor like the Norway sovereign fund needs to worry about this tail risk. A policy of concentrating the bond portfolio in just three currencies does not appear prudent to me.

The other possibility is that the Norway fund is ceasing to be the long term investor it used to be. As the accumulation phase comes to an end, and the fund enters its draw down phase, it may be prioritizing liquidity over everything else. (In 2016, Norway drew down from the sovereign fund for the first time in its history.) The management of the bond portfolio of the fund then begins to resemble normal foreign exchange reserve management which tends to concentrate holdings in a handful of highly liquid reserve currencies.