As the speed and complexity of automation rise, market participants have a duty to ensure that they pursue and maintain best practices.
Most professions have a set of ethics that guide behaviour – think of the Hippocratic Oath for doctors. In the absence of similar guidelines for our occupations in the hectic world of electronic trading, the Code of Ethics of the Institute of Electrical and Electronics Engineers (IEEE) has served me well since the early 1980s when I first joined the IEEE and the IEEE Computer Society. There is a degree of diligence associated with every profession.
When we examine some of the major recent crimes in our industry, it is clear that there was an enabling technology component and an enabling financial technologist. Would Nick Leeson have been able to take down Barings Bank without the assistance of an IT specialist who hid trades within the error account? Would Bernie Madoff have been able to continue his Ponzi scheme for so many years without the aid of technologists?
These are important questions we should ask ourselves. Every day we are faced with choices that separate someone merely putting in the time from someone who is committed to a profession. So, we should ask whether we actively promote best practices and standards for automation, operations, and testing, or merely do what is obligatory to meet regulatory requirements.
This is especially pertinent now. Electronic trading has grown in speed and complexity since the early days when the FIX timestamp only had a resolution down to the second.
The most advanced among us measure time in picoseconds or, equivalently, in millimetres of fibre optic cable.
Yet there are still firms that are struggling to implement basic time synchronization and will face significant challenges in complying with the Markets in Financial Instruments Directive (MiFID) II in Europe and the Consolidated Audit Trail in the United States.
There are several other serious failures of resolution within the industry:
• Information Security
Professional firms always encrypt their FIX network connections, use two-factor authentication to access resources, and maintain access control lists and auditing on sensitive data. However, there is a disturbing laxity about protecting data in motion and at rest, and in fact the CPMI-IOSCO white paper on cyber resiliency singled out the FIX Protocol as having information security issues.
The FIX Community is stepping up by creating a cybersecurity handbook and by defining the FIX session layer, which is a formalisation of the long-standing recommendation to operate FIX over Transport Layer Security (TLS).
• Resiliency
The best firms implement a business continuity plan that includes failover and hardening of key points of failure. The financial markets were early adopters of fault-tolerant architectures, using systems made by Tandem and Stratus, for example.
The industry then migrated to high-availability architectures, some of which have implemented quite sophisticated and optimized versions of the Byzantine quorum algorithm. Yet, just a few years ago, some alternative trading systems and brokers were running on a single platform with no backups or inconsistent ones, and no physical access security.
• Operations
At the best-practice end of the financial services industry, one of the major global exchanges uses continuous testing so extensively that it can push an update of its platform into production weekly. This is near the top in terms of achieving DevOps nirvana.
Some firms have fully integrated monitoring and alerting and a mature issue resolution practice. On the other hand, there are firms that lack full control over their operational environment and have to be informed by their customers when there is an outage or other failure.
• Testing
There are now market participants starting to adopt model-based testing that can exhaustively monitor all edge cases of complex systems. The best firms use a combination of virtualisation of both venue and customer interfaces to continuously test their systems. Yet, again, many firms perform minimal testing and only discover the edge cases in the production environment.
• Supporting Standards
While working on the MiFID II response within the FIX Community, we found that many firms were unwilling to adopt the party component block to carry the additional party information, even though it is permitted under the FIX standard and would not require them to upgrade their FIX version.
Twenty-five years on from the inception of FIX, these firms push to obtain user-defined fields so that they can add in relevant party information, instead of adopting standard fields or upgrading to more modern and feature-rich versions of FIX. There are still remnants of FIX.4.1 in use in the industry.
We could continue elaborating these contrasts – but you get the point. The question each of us must ask ourselves is whether we are professionals who are responsible for upholding high levels of standards and quality – or are we just time-serving?
Now I will put in some time and do some introspection, and identify those areas where I am falling short of my ideals and values when it comes to my involvement in the electronic trading profession.