The NASDAQ Facebook Fiasco and Open Sourcing Exchange Software

Last week, the US SEC issued an order imposing a $10 million fine on NASDAQ for the software errors that caused a series of problems during the Facebook IPO on May 18, 2012. I think the SEC has failed in its responsibilities because this order does nothing whatsoever to solve the problems that it has identified. The order reveals the complete cognitive capture of the SEC and other securities regulators worldwide by the exchanges that they regulate.

The entire litany of errors during the Facebook IPO demonstrates that critical financial market infrastructures like exchanges and depositories should be forced to publish the source code of the systems through which their rules and bylaws are implemented. Of course, the exchanges will complain about the dilution of their “intellectual property”. But the courts have whittled down the “intellectual property” embedded in standard-essential patents and this principle applies with even greater force to software which implements rules and bylaws that are effectively subordinate legislation. Financial regulators have simply fallen behind the times in this respect.

What is the point of an elaborate process of filing and approval for rule changes, if there is no equivalent process for the actual software that implements the rule? The SEC order shows several instances where the lack of disclosure or approval processes for software changes made a complete mockery of the disclosure or approval processes for the rules and regulations themselves:

• “While NASDAQ’s rules had previously provided for a randomization interval at the conclusion of the DOP, in 2007, NASDAQ filed a rule change removing the randomization period from its rule. ... However, the randomization function had never been removed from NASDAQ’s systems, and therefore the IPO Cross Application for Facebook – and for all other companies that had an IPO on NASDAQ since August 31, 2007 – was run after a randomized period of delay in contravention of NASDAQ’s rules.” (para 16).
• While installing an upgrade to the NASDAQ trading systems, an “employee misinterpreted the instructions associated with the upgrade and assumed that the SHO Through application was not needed and could be removed from the system. As a result, the employee removed the SHO Through application.” A second employee was responsible for checking the work of the first employee “also misinterpreted the upgrade instructions to mean that the SHO Through application could be removed” Personnel running the daily configuration test for the exchange’s trading systems“ received a system alert based on the fact that the SHO Through application was no longer part of the system. ... they also thought the SHO Through application could be removed.” The error was detected only several days later in response to an enquiry from a trading member.(para 52-54)
• With inadequate understanding of the software bug that was causing problems in the Facebook IPO, the exchange implemented a hasty software change to bypass a validation check with full knowledge that this would cause “the exchange itself to take the opposite side of the mismatch ” caused by the removal of the validation check. However, “NASDAQ did not have a rule that allowed NASDAQ ... to assume an error position in any listed security.” (para 24 and 28)

The Facebook fiasco was itself the result of an infinite loop in the software. This infinite loop would almost certainly have been detected if the source code had been publicly released and discussed with the same attention to detail that characterizes rule changes.

The lack of well defined processes for software testing is revealed in this tidbit: “Given the heightened anticipation for the Facebook IPO, NASDAQ took steps during the week prior to the IPO to test its systems in both live trading and test environments. Among other things, NASDAQ conducted intraday test crosses in NASDAQ’s live trading environment, which allowed member firms to place dummy orders in a test security (symbol ZWZZT) during a specified quoting period. NASDAQ limited the total number of orders that could be received in the test security to 40,000 orders. On May 18, 2012, NASDAQ members entered over 496,000 orders into the Facebook IPO cross.” It should be obvious that the one thing that could have been anticipated prior to the Facebook IPO was the vastly greater volumes than in small time IPOs. Doing a test that excluded this predictable issue is laughable. Proper rules would have required the postponement of the IPO when the volume exceeded the tested capacity of the system.

It is my considered view that the SEC and other securities regulators worldwide are complicit in the fraud that exchanges perpetrate on investors in their greed to protect the alleged “intellectual property” embedded in their software. I have been writing about this for a dozen years now: (1, 2, 3, and 4). So the chances of anything changing any time soon are pretty remote.

Posted at 6:38 pm IST on Sat, 1 Jun 2013         permanent link

Comments