Prof. Jayanth R. Varma’s Financial Markets Blog

A blog on financial markets and their regulation

Easy to fix speculators, harder to fix problems

Looking at the turbulence in the Yuan HIBOR market, I was reminded of Thailand in 1997-98. I remember writing about the Thai episode at that time:

To speculate against the baht, a hedge fund has to sell baht, and to do so, it must directly or indirectly borrow baht. If the attack succeeds, the hedge fund would be able to buy back the baht at lower prices and repay the borrowing. The Bank of Thailand attempted to make this difficult by preventing residents from lending baht to non residents in any form including direct loans, overdrafts, currency swaps, interest rate swaps, forward rate agreements, currency options, interest rate options, outright forward transactions. It also preventing residents from selling baht to non residents against payment in foreign currencies. Simultaneously, the Bank of Thailand intervened heavily in the offshore market especially in the forward market. All this created an acute shortage of baht in the offshore market and drove up interest rates in that market to several hundred percent. In the process, several hedge funds reportedly made losses as they scrambled to buy or borrow baht to meet their obligations. When they tried to obtain baht by selling Thai stocks, the Bank of Thailand responded with a rule that the proceeds of all stock sales must be remitted in foreign currency and not in baht.

This policy was hugely successful in its immediate objective of punishing the hedge funds who had the temerity to short the Thai baht. Both the technocrats who engineered this and their political masters were immensely pleased with this result, and boasted about their success. But, all this did nothing to save the baht or fix Thailand’s economic problems back then. Unfortunately, neither the technocrats nor the politicians ever seem to learn the critical lesson that it is easy for a sovereign to fix the speculators, it is much harder to fix the underlying problems that cause the speculation in the first place.

Clearing Corporation Vulnerabilities

Last month, LCH published a White Paper entitled CCP Conundrums which raise a number of interesting issues, though I think that “conundrums” is a bit of a euphemism in this context. In my view, Central Counter Parties (CCPs) or Clearing Corporations globally face serious vulnerabilities arising out of a confluence of factors:

  1. After the Global Financial Crisis, regulators have pushed more and more products into clearing, even though they do not trade in liquid markets. The benefits of CCPs in exchange traded products flow as much from the price discovery in exchange trading as they do from clearing, netting and collateralization. In many of the products now being pushed into trading, price discovery is suspect because of poor liquidity or oligopolistic market structure.

  2. The opening up of several new products to clearing has created a once-in-a-lifetime opportunity for the top clearing corporations to expand into potentially large market segments. There is a temptation to gain market share through lower margins and less stringent risk management.

  3. There is no regulatorily imposed minimum margin that could prevent such a race to the bottom. In fact, there is a tendency for banking regulators to turn a blind eye to this risk because they have no desire to shore up the CCPs by draining liquidity and capital from the banks.

  4. Ultra loose monetary policy in the developed world is leading to yield chasing and suppression of risk aversion. This may be the intended “portfolio balance channel” of monetary policy transmission, but it creates an environment where risks are probably being ignored.

  5. This is what LCH refers to as the risk of pro-cyclicality of risk management at the CCPs. LCH is more or less openly saying that margins need to be increased before monetary conditions tighten as it would be too late to do so after tightening has already happened.

For all these reasons, I have been worrying for quite some time now that in the coming years, the failure of a large global CCP is more a matter of when rather than whether.

Why waste taxpayer money to enforce stupid exchange rules?

Early this month, the US SEC passed an order against Behruz and Kenny about how they fraudulently obtained liquidity rebates from the option exchanges on which they traded. When I read this order, my first reaction was to laugh out loud at the stupidity of the alleged victims: some of the largest option exchanges in the US were running pretty silly liquidity rebate schemes. I can understand that regulators might wish to step in to protect small retail investors against their own stupidity, but if somebody like the CBOE chooses to run a scheme that is basically an open invitation to be gamed, my inclination would be to let them suffer the consequences. For the regulator to go after the alleged offender is to my mind a waste of tax payers’ money. I do take Stigler’s classic paper on the optimum enforcement of laws quite seriously.

The first charge against Behruz and Kenny is that they earned $2 million of liquidity rebates (and exchange fees avoided) from the option exchanges by misrepresenting “customer” status for their trading accounts. If you are not a broker-dealer, your orders are treated as “customer” orders unless your trading goes above the threshold of 390-order per day. To reach the 390-order threshold, you would have to enter an order every minute from market open to market close. “Customer” orders do not incur any transaction fees and receive higher liquidity rebates from the exchanges. In practice, trading activity was reviewed quarterly to determine to determine the “customer” status. If the trading was below 390-order per day during one quarter, then the trading account received “customer” status in the next quarter. To see how silly this is, note that if you did not trade at all one quarter, you would have “customer” status in the next quarter even if you were pumping thousands of orders a day in that quarter. Why somebody would think up such a stupid implementation of the rule in this day and age is beyond me.

Behruz and Kenny could have traded thousands of orders a day for six months in the year, and spent their time at the beach for the remaining six months without falling afoul of the SEC. But they were more greedy and wanted to trade with “customer” status round the year. So they created two accounts and switched between them each quarter – when they were trading thousands of orders a day in one account, they kept the other account almost dormant so that that other account would have “customer” status in the next quarter when the first account lost that status. The rules did however require that accounts with the same beneficial ownership should be aggregated for determining “customer” status, and Behruz and Kenny misrepresented the beneficial ownership to avoid this result. One way of looking at the SEC action is that they brought offenders to book, but the other way of looking at it is that the SEC is encouraging large and sophisticated players to create silly rules and implement them in silly ways, confident that the SEC will clean up after them.

The second charge is that Behruz and Kenny used spoofing orders to earn liquidity rebates from the (Nasdaq OMX) PHLX options exchange. The typical scheme was to enter a series of large hidden All-or-None (AON) orders to buy options at a price that was a penny more than the option’s current best bid. Because they are hidden, these AON orders do not change the best bid. Behruz and Kenny then placed smaller (typically one lot), non-bona fide sell orders at the same price as the AON. These orders were too small to execute against the AON order, but (since they were not hidden) they lowered the option’s best offer by one penny. The idea was to induce genuine sellers to send sell orders at the new best offer. When enough such sell orders arrived to make up the quantity of the AON order, they all executed against the AON. The PHLX in its infinite wisdom regarded the AON orders (that nobody could see) as having provided liquidity to the market. Since the AON buy order was sitting in the order book before the sale orders arrived, the AON was deemed to have provided liquidity while the sell orders were deemed to have taken liquidity. The PHLX gave a liquidity rebate to Behruz and Kenny, and charged a liquidity take fee to the sellers. Behruz and Kenny then turned around to execute the same strategy on the opposite side to dispose of the options that they had just bought – a large hidden AON sell order and a small displayed buy order.

One can have a debate on whether liquidity rebates and the maker-taker model make sense at all. But there is no debate about the silliness of what PHLX is doing. The idea that a hidden AON buy order that did not even move the best bid offered liquidity to the market is laughable. In a rational market, exchanges that do stupid things should lose money or business or both – the survival of the smartest. The regulators should not be trying to protect the silly and impede this market dynamic.

A recent blog post by the Streetwise Professor makes an even broader but similar argument about spoofing in general. He says that sophisticated and knowledgeable players have the incentive to detect spoofing and take defensive measures that would reduce the frequency and scale of spoofing activity. Therefore regulators need not bother much about it. I tend to agree. Harris’ classic book on market microstructure for practictioners (Trading and Exchanges, OUP, 2002) has a whole chapter on “bluffers” and within that there is a section in particular on how bluffers discipline liquidity providers. We might have invented a more exotic name (spoofing) for what has been known for centuries as bluffing, but the basic principles remain the same – spoofers discipline the HFTs.

Operational versus financial creditors redux

A month back when I blogged about Creditor versus Creditor and Creditor versus Debtor, I talked about the potential for conflicts between operational and financial creditors, but did not have any good examples of such battles. I am able to remedy that gap now thanks to the fading fortunes of shale oil producers in the United States. A couple of days ago, Reuters carried a story about three instances where operational creditors had initiated involuntary bankruptcy proceedings against large energy producers to avoid being outmanoeuvred by financial creditors:

Involuntary bankruptcy gives vendors some say over how an energy producers’ dwindling funds are managed, and vendors can use it to try to stop a company from cutting deals that favor lenders or investors.

Such cases also allow creditors to choose the court, and all three of the recent cases have been filed outside the busy bankruptcy court in Wilmington, Delaware. Bankruptcy lawyers in Texas said that may suggest suppliers are worried the court is too eager to approve quick sales of businesses, which tend to favor secured creditors.

A lawyer for the creditors … said the involuntary bankruptcy prevented the Gulf of Mexico producer from being stripped of all of its value in favor of the company’s owners.

If the facts stated in the story are correct, then standard theory (governance rights vest with residual rights) would imply that the operational creditors should indeed be in charge of the bankruptcy process.

Have Indian banks gone berserk on FATCA?

Under the US FATCA Act and the related Inter-Governmental Agreement between India and the US, banks and other financial institutions in India are required to report information about accounts held with them by US persons or entities controlled by US persons. All the documents that I have read are clear that this should not affect Indian citizens who are tax resident in India. But I find Indian banks and financial institutions send out notices demanding complex information and threatening closure of accounts to Indian citizens resident in India.

I am not a lawyer, but both Rule 114H(3) and the RBI Guidance Notes are very clear that banks should seek information from the account holder only if any of the indicia of foreign citizenship or foreign tax residence are present. The indicia include:

  • Foreign citizenship or residence
  • US place of birth
  • Foreign address or telephone number
  • Repeating payment instructions to US address or US account
  • Power of Attorney or signatory authority granted to a person with a US address
  • “Care of” or “Hold mail” address is the sole address for the account holder

In the cases that I am referring to, the account is fully KYC compliant, the Indian address and identity documents are on record with the bank, and none of the other indicia are present, and still the FATCA notice is being sent. In one case, where the Indian citizen and Indian resident account holder was threatened with closure of account, I spent several minutes struggling to understand the complex form in which information was sought before realizing that the form that had been sent to an individual account holder was the form relevant for legal entities! Surely, a bank should know whether its customer is an individual or a corporate entity. But this elementary confusion had caused the bank to apply the $250,000 threshold applicable to legal entities for identifying “high value” accounts instead of the $1 million threshold applicable to individuals. It is another matter that even if it was classified as a “high value” account, the FATCA notice should not have been sent because the bank knew that none of the indicia were present.

I think tax terrorism by governments in both hemispheres of the world has become so severe that banks would rather harass their customers needlessly and go berserk with enforcing non existent compliance requirements than risk being held guilty of any shortfall in compliance. Perhaps some customers should sue the banks for sending baseless threatening letters so that banks would start doing what is required by law – neither more nor less.

Data access controls within banks

An order last month by the UK Financial Conduct Authority (FCA) against Barclays Bank highlights the problems faced by banks and other financial services firms in controlling the access that their employees have to customer data. I have long heard complaints about this: for example, some bank employees keep telling me that as soon as their bonus is paid to them, other employees with access to the core banking software can find out the exact quantum of this bonus.

Now we have confirmation that when one of the largest banks in the world wants to limit who can see the information about a customer, the best they can do is to go back to paper hard copies stored in a vault.

The FCA order refers to a £1.88 billion transaction that Barclays was doing for a group of ultra-high net worth Politically Exposed Persons (PEPs) who wanted a very high degree of confidentiality:

Prior to Barclays arranging the Transaction, Barclays agreed to enter into the Confidentiality Agreement which sought to keep knowledge of the Clients’ identity restricted to a very limited number of people within Barclays and its advisers. In the event that Barclays breached these confidentiality obligations, it would be required to indemnify the Clients up to £37.7 million. The terms of the Confidentiality Agreement were onerous and were considered by Barclays to be an unprecedented concession for clients who wished to preserve their confidentiality. (Para 4.11)

In view of these confidentiality requirements, Barclays determined that details of the Clients and the Transaction should not be kept on its computer systems. (Para 4.12)

Barclays decided to omit the names of the Clients from its internal electronic systems in order to comply with the terms of the Confidentiality Agreement. As a result, automated checks that would typically have been carried out against the Clients’ names were not undertaken. Such checks would have included regular overnight screenings of client names against sanctions and court order lists. If, for example, the Clients had become the subjects of law enforcement proceedings in any jurisdiction, Barclays could have been unaware of such a development. No adequate alternative manual process for carrying out such checks was established by Barclays. (Para 4.49)

Some documents relating to the Business Relationship were held by Barclays in hard copy in a safe purchased specifically for storing information relating to the Business Relationship. This was Barclays’ alternative to storing the records electronically. While there is nothing inherently wrong with keeping documents in hard copy, they must be easily identifiable and retrievable. However, few people within Barclays knew of the existence and location of the safe. (Para 4.52)

I am sure that 130,000 clients of HSBC Private Bank in Switzerland (now accused of evading taxes in their home countries) wish that their data too was kept in paper form in a vault beyond the reach of Falciani’s hacking skills.

More seriously, banks need to rethink the way they maintain customer confidentiality. With anywhere banking, far too many employees have access to the complete data of every customer. A lot of progress can be made with some very simple access control principles:

  1. Every access to customer information must be logged to provide a detailed audit trail of who, when, what and why. Ideally, the customer should have access to a suitably anonymously form of these logs.

  2. Every access must require justification in terms of a specific task falling within the accessor’s job profile.

  3. Every access request should only result in the minimal information required to complete the task for which the access is requested.

For example, a customer comes to a branch (assuming such archaic things still exist) for a cash withdrawal. The cashier requests access by providing details of the requested withdrawal; and the system accepts the request because it is part of the cashier’s job to process these withdrawals (Principle #2). The system responds with only a yes or a no: either the customer has sufficient balance to allow this withdrawal or not. The actual balance is not provided to the cashier (Principle #3). It should be emphasized that without Principle #1 and #2, the cashier could make repeated queries with different hypothetical withdrawal amounts and guess the true balance within a relatively small range using what computer scientists would recognize as a binary search method.

In my view, access controls are easy to implement if banks decide to prioritize (or regulators decide to enforce) customer confidentiality. However access controls have their limits and cryptographic tools are indispensable to achieve more complex objectives. Banks need to promote further research into these tools in order to make them usable for their needs:

  • To deal with Falciani risk, the entire customer data must be encrypted even inside the core banking software. The Snowden episode demonstrates that even system administrators must not have access to all information. Banks need to think very carefully about database level and column level encryption of the core banking data. Of course, banks need to worry about application security of their core banking systems: one publicly released security report of three different popular core banking software products revealed poor applications security to the point of causing an operational risk to the banks concerned.
  • The problem that Barclays had of running automated tests against sanctions and court order lists while keeping the customer identity confidential can be solved using a more sophisticated cryptographic tool –
    homomorphic encryption. Homomorphic encryption is a form of encryption which allows computations to be performed on data without first decrypting it. For example, suppose two numbers a and b have been encrypted into cypher texts x and y, and it is desired to compute a+b. Homomorphic encryption would perform some computations on x and y and produce a result z such that decrypting z yields a+b. The person who is performing the computation knows that she is adding two numbers, but does not know which numbers are being added. Moreover, she does not know what was the sum; she obtains only an encrypted version of the sum. Only the person with the encryption key or password can determine the sum by decrypting z.

    Some special cases of homomorphic encryption are reasonably efficient, but fully homomorphic encryption is currently impractical. Banks need to think creatively about how to use partially homomorphic cryptosystems to achieve their goals efficiently. Simple transactions like deposits and withdrawals involve only addition (and subtraction) which are more amenable to homomorphic encryption than more complex computations.

  • It is desirable to allow compliance staff to verify that adequate documentation exists without being privy to the confidential information. Another advanced cryptographic tool comes to our rescue – zero-knowledge proof. Suppose the relationship staff who know the client are trying to satisfy the compliance staff that they have obtained the requisite documentation from the client, but the compliance staff are not allowed to see the documents themselves to protect the confidentiality of the customer. A zero-knowledge proof is a technique which must satisfy three properties:

    • If the documentation actually exists, the compliance staff will be convinced of this fact by the “proofs” provided by the relationship staff.
    • If the documentation is missing, it is almost certain that the relationship staff would fail to convince the compliance staff that it exists.
    • If the documentation actually exists, then the “proof” of its existence (provided by the relationship staff) will not allow the compliance staff to learn anything about the documentation other than that it exists.

    The core procedure of a zero-knowledge proof is interactive: it consists of a series of challenges by the compliance staff and a series of responses by the relationship staff which are so designed that it is very difficult to provide fake responses to fool the challenger. At the same time, each challenge and response is designed not to reveal anything about the content of the document, and the responses to different challenges cannot be put together to learn anything either.

    The regulatory regime needs to be redesigned from the ground up to exploit zero-knowledge proofs. The effort involved is non trivial, but the benefits are well worth the effort.

I think the time has come for consumers and regulators to start demanding that banks pay greater attention to customer confidentiality. Actually, there is a similar problem in regulatory and self-regulatory organizations. For example, the surveillance staff in a stock exchange (and in the capital market regulator) have access to too much information and there is immense scope for abuse of this information. Mathematics (in the form of cryptography) gives us the tools required to solve many of these problems; we just need the will to use these tools.

HBOS: An old fashioned bank failure

Most of the bank failures of the Global Financial Crisis involved complex products or an excessive reliance on markets rather than good old banking relationships. The HBOS failure as described in last month’s 400 page report by the UK regulators (PRA and FCA) is quite different. One could almost say that this was a German or Japanese style relationship bank.

The report describes the approach of the Corporate Division where most of the losses arose:

The often-quoted approach of the division was to be a relationship bank that would ‘lend through the cycle’. Elsewhere the division’s approach had been called ‘counter-cyclical’. This was described as standing by and supporting existing customers through difficult times, while continuing to lend to those good opportunities that could be found. The division claimed it had a deep knowledge of the customers and markets in which it operated, which would enable it to pursue this approach with minimal threat to the Group. It was an approach that was felt to have served BoS well in the early 1990s downturn. (Para 274)

What could go wrong with such old fashioned banking? The answer is very simple:

Taking into account renting, hotels and construction, the firm’s overall exposure to property and related assets increases to £68 billion or 56% of the portfolio. (para 285)

And in some ways, relationship banking made things worse:

The top 30 exposures included a number of individual high-profile businessmen. Many of these had been customers of the division for many years, some going back to the BoS pre-merger. True to the division’s banking philosophy, it had supported these customers as they grew and expanded their businesses. However, business growth and expansion sometimes meant a change in business model to become significant property investors; not necessarily the original core business and expertise of the borrower. In the crisis, a number of these businessmen, though not all, incurred losses on their property investments. (Para 318)

When you as a bank lend a big chunk of your balance sheet into a bubble, it does not matter whether you are a transaction bank or a relationship bank: you are well on your way to failure. (If you do not want to jump to conclusions based on one bank, a recent BIS Working Paper on US commercial banks studies all bank failures in the US during the Great Recession and comes to a very similar conclusion).

In the sister blog and on Twitter during October and November 2015

The following posts appeared on the sister blog (on Computing) during the last
two months.

Tweets during the last two months (other than blog post tweets):

Potential self-trades are worse than actual self-trades

Update: While linking to Ajay Shah’s blog for a summary of global regulatory regimes on self trades, I failed to mention that the particular post that I was referring to was authored not by Ajay Shah, but by Nidhi Aggarwal, Chirag Anand, Shefali Malhotra, and Bhargavi Zaveri.

Imagine that you are bidding at an auction and after a few rounds, most bidders have dropped out and you are left bidding against one competing bidder who pushes you to a very high winning bid before giving up. Much later you find that the competing bidder who forced you to pay close to your reservation price was an accomplice of the seller. You would certainly regard that as fraudulent; and many well running auction houses have regulations preventing it. Observe that the seller did not actually sell to himself; in fact there would have been no fraud (and no profit to the seller) if he actually did so. The seller defrauded you not by an actual (disguised) self-trade but by a (disguised) potential self-trade that did not actually happen. In fact, the best of auction houses do not prohibit actual self-trades: when the auction does not achieve the seller’s (undisclosed) reserve price, they allow the item to be “bought in” (the seller effectively buys the item from himself). So the lesson from well run auction houses is that potential self-trades (which do not happen) are much more dangerous than actual self-trades.

In the financial markets, we have lost sight of this basic intuition and focused on preventing actual self-trades instead of limiting potential self-trades. India goes overboard on this by regarding all self-trades as per se abusive. Most other countries also frown on self-trades but do not penalize bona fide self-trades; they take action only against self-trades that are manipulative in nature. However, they too regard frequent self-trades as suggestive of manipulative intent (see Ajay Shah for a nice summary of these regulatory regimes). Many exchanges and commercial software around the world therefore now provide automated methods of preventing self-trades: when an incoming order by an entity would execute against a pre-existing order on the opposite side by the same entity, these automated procedures cancel either the incoming order or the resting order or both.

A little reflection on the auction example would show that the whole idea of automated self-trade prevention is an utterly misguided response to an even more misguided regulatory regime. Manipulation does not happen when the trade is executed: it happens when the order is entered into the system. The first sign that the regulators are understanding this truth is in the complaint that the US Commodity and Futures Trading Commission (CFTC) filed against Oystacher and others last month. Para 53 of the complaint states:

Oystacher.and 3 Red manually traded these futures markets, using a commercially available trading platform, which included a function called “avoid orders that cross.” The purpose of this function is to prevent a trader’s own orders from matching with one another. Defendants exploited this functionality to place orders which automatically and almost simultaneously canceled existing orders on the opposite side of the market (that would have matched with the new orders) and thereby effectuated their manipulative and deceptive spoofing scheme …

Far from preventing manipulation, automated self-trade prevention software is actually facilitating market manipulation. This might appear counter intuitive to many regulators, but is not at all surprising when one thinks through the auction example.

Creditor versus Creditor and Creditor versus Debtor

In India, for far too long, bankruptcy has been a battle between creditor and debtor with the dice loaded against the creditor. In its report submitted earlier this month, the Bankruptcy Law Reforms Committee (BLRC) proposes to change all this with a fast track process that puts creditors in charge. It appears to me however that the BLRC ignores the fact that in well functioning bankruptcy regimes, the fight is almost entirely creditor and creditor: it is very much like the familiar scene in the Savannah where cheetahs, lions, hyenas and vultures can be seen fighting over the carcass which has no say in the matter.

The BLRC ignores this inter-creditor conflict completely and treats unsecured financial creditors as a homogeneous group; it believes that everything can be decided by a 75% vote of the Creditors Committee. In practice, this is not the case. Unsecured financial creditors can be senior or junior and multiple levels of subordination are possible. Moreover, the bankruptcy of any large corporate entity involves several levels of holding companies and subsidiary companies which also creates an implicit subordination among different creditors made more complex by inter company guarantees.

Consider for example, the recommendation of the BLRC that:

The evaluation of these proposals come under matters of business. The selection of the best proposal is therefore left to the creditors committee which form the board of the erstwhile entity in liquidation. (p 100)

If the creditors are homogeneous, this makes eminent sense. The creditors are the players with skin in the game and they should take the business decisions. The situation is much more complex and messy with heterogeneous creditors. Suppose for example that a company has 60 of senior debt and 40 of junior debt and that the business is likely to be sold for something in the range of 40-50. In this situation, the junior creditors should not have any vote at all: like the equity shareholders, they too are part of the carcass in the Savannah which others are fighting over. On the other hand, if the expected sale proceeds are 70-80, then the senior creditors should not have a vote at all. The senior creditors have no skin in the game because it matters absolutely nothing to them whether the sale fetches 70 or 80; they get their money in any case. They are like the lion that has had its fill and leaves it to lesser mortals to fight over what is left of the carcass.

The situation is made more complex by the fact that in practice the value of the proposals is not certain, and the variance matters as much as the expected value. A junior creditor’s position is often similar to that of the holder of an out of the money option – it tends to prefer proposals that are highly risky. Much of the upside of a risky sale plan may flow to the junior creditor, while most of the downside may be to the detriment of the senior creditor.

Another recommendation of the BLRC that I am uneasy about is the stipulation that operational creditors should be excluded from the decision making:

The Committee concluded that, for the process to be rapid and efficient, the Code will provide that the creditors committee should be restricted to only the financial creditors. (p 84)

Suppose for example that Volkswagen’s liabilities to its cheated customers were so large as to push it into bankruptcy. Would it make sense not to give these “operational creditors” a seat at the table? What about the bankruptcy of a electric utility whose nuclear reactor has suffered a core meltdown?

Follow

Get every new post delivered to your Inbox.

Join 2,460 other followers