A blog on financial markets and their regulation
The Securities and Exchange Board of India (SEBI), the Indian securities regulator, put out a discussion paper a couple of weeks ago on the Growth and Development of Equity Derivatives Market in India. The Indian Equity Derivatives Market is one of the success stories of financial market development in India and clearly, it makes sense to study this market to draw lessons that could help replicate this success in other segments (bond markets for example) that have remained underdeveloped after 25 years of reforms.
Unfortunately, the SEBI discussion paper seems to prefer levelling down to levelling up. Rather than bring other markets up to the high standards set by the equity derivatives markets, it seeks to clamp down on this successful market to reduce it to the mediocrity of other lacklustre markets.
The discussion paper is worried about the high ratio of derivative market turnover to cash market turnover, and thinks that therefore there must be something wrong with the derivative market. The correct conclusion is quite the opposite: there is something grievously wrong about the cash market. Several policy makers have conspired to prevent a vibrant cash market from emerging in India:
The government in its greed for tax revenue (with near zero collection cost) has pushed up the securities transaction tax to punitive levels in the cash market. Though the difference in price elasticity in the two markets could make the revenue maximizing rate of taxation unequal in the two markets, it is likely that the current rates are not actually optimal even from a revenue maximizing point. More importantly, the rate of transaction tax in the cash market is far too high from a social welfare point of view.
These factors have stunted the growth of the cash equities market in India. The liquid derivatives market has ameliorated this problem for the top 50-100 companies. But that leaves hundreds of other companies in the lurch. In my view, this is a serious problem because a vibrant equity market is important for economic growth. All policy makers (SEBI, RBI and the Finance Ministry) need to come together to fix the flaws in the cash equities market.
I believe that India can create a reasonably liquid market for the top 1000 companies in the country. Market participants laugh at me when I say this, but if the US can do this, I do not see why India cannot. We have all the institutional prerequisites for such a market – world class depositories, exchanges, and clearing corporations; a large ecosystem of intermediaries; a strong regulator; and above all a vast investor base. I hope that regulators will raise their sights and aim for this, rather than try to cripple the derivative market so that it is no longer obvious that the cash market is limping.
The US SEC has published an Investigation Report concluding that crypto-currency tokens issued by The DAO constitute securities under US law. I am not a lawyer, and it is not my intention in this post to dispute the SEC’s conclusion which is, on balance, probably correct. What bothers me is that some vital facts seem to me to have been suppressed and misrepresented in the report. In particular, several passages look like the kind of suppressio veri suggestio falsi that one does not expect from a top notch regulator like the SEC which commands global respect:
DAO Token holders’ votes were limited to proposals whitelisted by the Curators, and, although any DAO Token holder could put forth a proposal, each proposal would follow the same protocol, which included vetting and control by the current Curators. While DAO Token holders could put forth proposals to replace a Curator, such proposals were subject to control by the current Curators, including whitelisting and approval of the new address to which the tokens would be directed for such a proposal.
This ignores the ability to split The DAO and create a new “child” DAO with a new curator. The hacking of The DAO (which the SEC refers to as the Attack below) involved exactly this splitting.
Second, the pseudonymity and dispersion of the DAO Token holders made it difficult for them to join together to effect change or to exercise meaningful control. … This was later demonstrated through the fact that DAO Token holders were unable to effectively address the Attack without the assistance of Slock.it and others.
In reality, it is the DAO Attack that constitutes the biggest obstacle to the theory that The DAO tokens were securities. The tokens looked much more like securities when they were issued than they do in retrospect after the Attack:
The major assistance that Slock.it provided in reversing the Attack was not in their role as developers of The DAO, but in their role as developers of Ethereum which was the platform on which The DAO ran. What the core developers did was to change the rules of Ethereum to undo the Attack.
The right analogy is that of a company where the government has been outvoted in a shareholders’ meeting (because it has been reduced to a minority stake), and the government proceeds to change the law and use its sovereign powers to get its way. This would establish not that the government still controls the company, but that it has lost control. The analogy is apt because Ethereum was the closest thing to the sovereign when it comes to The DAO.
Even this “assistance” (changing the rules of Ethereum) was well beyond the powers of Slock.it. Ethereum is far more decentralized than The DAO; even the SEC has not claimed that the Ethereum coin offering was a securities issue! The Ethereum community did not actually care much about the wishes of Slock.it. Whatever influence was there was the personal influence of Vitalik Buterin. (In much the same vein, the Ethereum community probably did not care much about Cornell University, but listened with respect to Emin Gun Sirer). Even Buterin’s enormous personal credibility could not prevent a split in Ethereum and the creation of the parallel coin, Ethereum Classic.
In short, the Attack demonstrated that at truly important junctures, crypto communities are truly decentralized. The events in Bitcoin in the last few weeks provide additional corroboration of this.
These facts diminished the ability of DAO Token holders to exercise meaningful control over the enterprise through the voting process, rendering the voting rights of DAO Token holders akin to those of a corporate shareholder.
The SEC forgets that The DAO did not have a Board or a Chief Executive who run the company on a day to day basis. In the case of The DAO, the day to day administration of the organization was in the hands of the token holders.
By contract and in reality, DAO Token holders relied on the significant managerial efforts provided by Slock.it and its co-founders, and The DAO’s Curators, as described above.
The claim “By contract” is very rich. The DAO was very clear in all its communications that it was governed by its code and repeatedly emphasized that all English language descriptions were subordinate to the smart contract embedded in the code: code is law. And, I am sorry, the code did not contain any promises by Slock.it to provide managerial efforts.
This week, I read two apparently unrelated things that on later reflection are deeply related:
The link that I see from the esoteric paper to the Libor situation is that markets require very rich communication structures to be viable. One way to facilitate the required amount of multi-way communication is through the high degree of pre-trade and post-trade transparency that is created by trading on an exchange. The other method that was used in the past in various over the counter (OTC) markets was informal communication channels between traders in different firms. Some of these traders might have worked together in the past or might have other personal and social connections. Using various messaging and chat media, these traders used to accomplish an extremely rich communication structure. Of course, these informal communication networks were abused to allow key players to make greater profits (information is money in all markets). After the Global Financial Crisis, regulators shut down the informal communication channels in an attempt to clean up the markets. They succeeded beyond their wildest expectations – there is by definition no manipulation in a market that does not trade at all.
Post crisis, there was a move towards mandatory clearing, but not towards mandatory exchange based trading. This is clearly a huge mistake: the only real alternative to informal communication channels is formal information flows mediated by exchanges. So we see breakdown of previously highly liquid markets. On the other side, central clearing in a market without adequate liquidity and transparency is a prescription for disaster sooner or later. So far, most of the problems have been pushed under the carpet by the central banks that have become market makers of first and last resort in many markets. As they normalize their balance sheets, dysfunctional markets could become a progressively bigger problem.
Using Aadhaar (India’s biometric authentication system) to verify a person’s identity is relatively secure, but using it to authenticate a transaction is extremely problematic. Every other form of authentication is bound to a specific transaction: I sign a document, I put my thumb impression to a document, I digitally sign a document (or message as the cryptographers prefer to call it). In Aadhaar, I put my thumb (or other finger) on a finger print reading device, and not on the document that I am authenticating. How can anybody establish what I intended to authenticate, and what the service provider intended me to authenticate? Aadhaar authentication ignores the fundamental tenet of authentication that a transaction authentication must be inseparably bound to the document or transaction that it is authenticating. Therefore using Aadhaar to authenticate a transaction is like signing a blank sheet of paper on which the other party can write whatever it wants.
All this was brought home to me when I bought a new SIM card recently and was asked to authenticate myself with a finger print. The employee of the telecom company told me that there was a problem and I needed to try again. Being a little suspicious, I stretched forward and twisted my neck to peep at the computer screen in front of the employee (this screen would otherwise not have been visible to me). My suspicion was allayed on seeing an error message on the screen and I tried again only to get the same error message. After three attempts, the employee suggested that I come again the next day. Back home, I saw three emails from UIDAI (Unique Identification Authority of India) stating “Your Aadhaar number ___ was used successfully to carry out e-KYC Authentication using ‘Fingerprint’ on ___ at ___ Hrs at a device deployed by ___.” Note the word successfully.
That is when I realized that the error message that I saw on the employee’s screen was not coming from the Aadhaar system, but from the telecom company’s software. That is a huge problem. This conclusion was corroborated the next day when after one more error message, I found that the employee had left one field in the form partially filled and the error message disappeared when that was corrected.
Let us think about why this is a HUGE problem. Very few people would bother to go through the bodily contortion required to read a screen whose back is turned towards them. An unscrupulous employee could simply get me to authenticate the finger print once again though there was no error and use the second authentication to allot a second SIM card in my name. He could then give me the first SIM card and hand over the second SIM to a terrorist. When that terrorist is finally caught, the SIM that he was using would be traced back to me and my life would be utterly and completely ruined.
Actually, even my precaution of trying to read the employee’s screen is completely pointless. The screen is not an inseparable part of the finger print reader. On the contrary, the fingerprint reader is attached by a flimsy cable to a computer (which is out of view) and the screen is purportedly attached to the same computer. It is very easy to attach the fingerprint reader to one computer (from which a malicious transaction is carried out) and attach the screen on the counter to another computer which displays the information that I expect to see.
Another way of looking at the same thing is that a rogue employee of the telecom company could effortlessly execute what is known in computer security as an MitM (Man in the Middle) attack on the communication between me and the Aadhaar system. In fact, I see some analogies between the problem that I am discussing and the MitM attack described by Nethanel Gelernter, Senia Kalma, Bar Magnezi, and Hen Porcilan in their recent paper (h/t Bruce Schneier). Neither I nor the Aadhaar system has any way of detecting or foiling this MitM attack.
I think the whole model is fundamentally broken, and Aadhaar should be used only to verify identities, and not to authenticate transactions. Transaction authentication must happen with a thumb impression, a physical signature, a digital signature or something similar that is inseparably bound to a document.
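The difference between verifying an identity and authenticating a transaction can be shown in a few lines. The following is an added example, not part of the original post and not a model of the Aadhaar API: it assumes a hypothetical key held only by the user's own device and the verifier, uses HMAC as a standard-library stand-in for a digital signature, and all names and sample transactions are constructed.

```python
import hashlib, hmac, json

# Constructed demo key held by the user's own device and the verifier only;
# the service provider relaying messages never sees it. HMAC stands in for
# a digital signature so the example needs only the standard library.
USER_KEY = b"constructed-demo-key"

def _tag(*parts: str) -> str:
    return hmac.new(USER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def txn_digest(txn: dict) -> str:
    # Canonical JSON so the same transaction always hashes to the same value.
    blob = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def unbound_assertion(user: str, nonce: str) -> dict:
    """'This user authenticated', with no reference to any transaction."""
    return {"user": user, "nonce": nonce, "tag": _tag(user, nonce)}

def verify_unbound(a: dict, txn: dict) -> bool:
    # txn cannot take part in the check: nothing in the assertion refers to it.
    return hmac.compare_digest(a["tag"], _tag(a["user"], a["nonce"]))

def bound_authorisation(user: str, nonce: str, txn: dict) -> dict:
    """The tag covers the digest of the exact transaction the user approved."""
    return {"user": user, "nonce": nonce, "tag": _tag(user, nonce, txn_digest(txn))}

def verify_bound(a: dict, txn: dict, seen: set) -> bool:
    if a["nonce"] in seen:          # one approval authorises one transaction
        return False
    ok = hmac.compare_digest(a["tag"], _tag(a["user"], a["nonce"], txn_digest(txn)))
    if ok:
        seen.add(a["nonce"])
    return ok

def demo() -> dict:
    # Constructed sample transactions: what the user agreed to vs. another request.
    shown = {"action": "issue_sim", "sim_serial": "SIM-0001", "subscriber": "user-1"}
    other = {"action": "issue_sim", "sim_serial": "SIM-0002", "subscriber": "user-1"}
    seen = set()
    a = unbound_assertion("user-1", "n-1")
    b = bound_authorisation("user-1", "n-2", shown)
    return {
        "unbound_accepts_other": verify_unbound(a, other),
        "bound_accepts_other": verify_bound(b, other, seen),
        "bound_accepts_shown": verify_bound(b, shown, seen),
        "bound_accepts_replay": verify_bound(b, shown, seen),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only helps if the digest is computed and displayed on a device the user controls; a digest shown on the counter screen is no more trustworthy than the error message was.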
Dolgopolov has a nice paper on the conditions under which secret arrangements between exchanges and high frequency traders might or might not constitute securities fraud. Modern exchanges use complex order types and intricate order hiding and matching rules, and they could claim that any bugs or flaws in their trading protocols are honest implementation mistakes. Smart traders who exploit these trading imperfections and frictions could simply claim to be skillful beneficiaries who discovered the bugs by their own effort. In many cases, there appears to be collusion between the exchange and the HFT firms (the exchanges often disclose undocumented features and bugs privately to their best customers in return for getting more business from these firms), but this is not easy to prove. Dolgopolov proposes legal theories under which securities fraud liability could be imposed on the HFT firms themselves.
For over a decade now, I have been arguing for a different solution: regulators should mandate that critical exchange software be open source (here, here, here and here). At the risk of sounding like a broken record, I would like to reiterate my view that “regulators and self regulatory organizations have not yet understood the full power of the open source methodology in furthering the key regulatory goals of market integrity.”
Historically, the VIX (the volatility of the US stock market implied by option prices) has been an important barometer of global risk aversion that has a strong influence on global capital flows. A BIS Working Paper published last month (Avdjiev, Gambacorta, Goldberg and Schiaffi, “The Shifting Drivers of Global Liquidity”) demonstrates that this changed in the aftermath of the Global Financial Crisis with US monetary policy becoming the dominant driver of capital flows while the VIX declined in importance. They also point out that this phenomenon peaked in 2013 and there has been a partial return to pre-crisis patterns since then.
The results make intuitive sense: as global central banks pursued unconventional monetary policy, a large amount of duration risk ended up on the ever expanding balance sheets of these central banks. They thus became the marginal risk taker in the economy. (The authors use the Wu-Xia shadow rate as their measure of US monetary policy to take account of the impact of unconventional monetary policy). Since 2013, the central banks have been in tapering mode and they are no longer the marginal risk taker in the economy.
Though the authors do not venture down this path, I think their results explain well why the 2013 taper talk had such a drastic impact on emerging markets while the coordinated tightening by global central banks during the last year has had such a muted impact. The marginal risk taker is now the private investor and the low level of VIX currently indicates that the marginal risk taker is in “risk on” mode. This suggests that we should be looking at the VIX rather than at global monetary policy for the early warning signs of the next wave of turbulence in emerging markets.
A couple of days back, the Reserve Bank of India (RBI) issued new guidelines regarding who bears the loss from online banking frauds. The effect is to limit the liability of the customer and thereby transfer the loss to the banks. This measure has been seen as a customer friendly one. Basic economics teaches us to be careful about coming to such a conclusion. In equilibrium, banks would probably recover all expenses incurred by them from their customers. In fact, today, bank customers in India are probably paying higher fees as banks try to recover their bad loan losses from their customers. Unless banking becomes more competitive, the effect of the RBI regulation would more likely be a transfer from one group of customers (those who do not use online banking or have not been defrauded) to those who have lost money.
I think that the RBI regulation is a very good move for a very different reason: incentive compatibility. The important thing is that the regulation places losses on the party that can do something to reduce frauds. A customer cannot improve the bank’s computer security, she cannot ensure that the bank patches all its software, follows a good password policy, and so on. Only the bank can do all this. Unfortunately, computer security does not receive adequate attention from the top management of banks in India. If the new policy helps concentrate the minds of top management, that would be a good thing. If that does not happen, maybe the bank will wake up when the losses materialize. That is the true benefit of the new regulation – it has the potential to reduce online frauds.