Data Breaches and Last Looks – Bloomberg

Insider trading.

Yesterday evening Bloomberg News reported that “three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers,” and over a month before it disclosed that breach. About 15 people tweeted that story at me, with some asking if it justifies a new Eighth Law of Insider Trading. No? What would it be? Like, “if you are an officer of a company, and you discover material bad news, don’t trade on that news before disclosing it to your shareholders”? That’s just the First Law of Insider Trading, which is: Don’t do it. 

Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax’s press release reporting the breach says that it “discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion,” though it didn’t announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything — except that they didn’t sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you’re only selling a small percentage of your stock? And indeed the company explained that these executives “had no knowledge that an intrusion had occurred at the time.” I guess the time between “tech person discovers a security breach” and “top executives discover it’s a huge embarrassing crisis” is more than a couple of days.

In any case, there is a general lesson here. (Besides: If you discover a data breach affecting 143 million people, don’t wait over a month to disclose it!) Remember how I sometimes say that every bad thing a public company does is also securities fraud? If a public company does a bad thing without disclosing it to shareholders, then the shareholders can claim to have been defrauded by the failure to immediately disclose it. (And public companies tend not to do bad things that they contemporaneously disclose.) A corollary is that every bad thing a public company does is also insider trading — if you trade. If a company does a bad thing — or, as here, has a bad thing happen to it — without disclosing it to shareholders, and executives are meanwhile selling their shares, then that is going to look suspicious after the fact. 

Insider trading (2).

Meanwhile in more traditional insider trading:

The Securities and Exchange Commission today announced insider trading charges against a former Amazon financial analyst who allegedly leaked confidential information to his former fraternity brother in advance of a company earnings announcement so they could turn an illegal profit.  The college friend and his trading partner also are charged in the SEC’s complaint.

This case has a little of everything. The Amazon analyst allegedly leaked the information not so much to do a favor for his old fraternity brother, and more because the frat brother promised him a $10,000 payoff for the tip. The frat brother is currently in prison on an unrelated iPhone-shipping-fraud case. He also allegedly got a little too excited about the tip:

On the morning of April 23, Rezakhani sold securities in his brokerage account to free up available funds and placed orders to purchase 4,400 shares of Amazon for $1.715 million. Around the same time, Rezakhani posted the revenue and EPS numbers again on an internet platform and boasted that the “numbers are so obvious” that a “5 year old can guess what they will do.”

I hope that is what got them caught. Certainly it’s what the SEC bragged about:

“Rezakhani boasted on social media that he could accurately predict Amazon’s financial performance,” said Jina Choi, head of the SEC’s San Francisco office. “But he failed to predict that we would catch him and his accomplices in their illegal scheme.”

If the SEC really is searching internet platforms for obnoxious overconfident earnings predictions, then that is just a great use of regulatory resources and should be encouraged.

State Street.

Yesterday State Street Bank and Trust Company agreed to pay a $3 million penalty to the Securities and Exchange Commission for running a government-bond trading platform called GovEx that gave one market maker a “last look” capability:

Between July 2010 and October 2010, State Street provided Subscriber A with Last Look in a single market maker account on GovEx, in which Subscriber A streamed quotes (the “Last Look Account”). Last Look gave Subscriber A a short period of time in which to reject a match to a quote that it had submitted on GovEx. State Street provided Last Look to Subscriber A to mitigate its risk as a market maker with the hope that it would provide more liquidity on GovEx. State Street did not provide this trading functionality to any other GovEx subscriber.

But State Street didn’t disclose this last-look function, didn’t tell other subscribers when their matching trades were rejected due to last look, and gave customers all the usual blather that people use about being “fair and transparent,” “a new fair market structure,” “facilitat[ing] natural buy side to buy side crossing,” and creating “a level playing field” for traders. (Also, when asked directly, State Street said “There is no Last Look functionality on GovEx.”) 

My basic model of market structure is that every trading platform faces a trade-off between (1) being welcoming to high-frequency market makers who actually provide liquidity and (2) telling its customers that it will protect them from high-frequency traders. One approach is to create a genuine platform for “natural buy side to buy side crossing,” and just accept that you won’t do that many trades. (How often does a natural buy sider want to sell exactly what a natural buy sider wants to buy, at exactly the same time?) Another approach is to give the high-frequency traders everything they want, have a lot of liquidity, and accept that people will complain constantly about predatory HFTs.

But the surprisingly popular third approach is to give the HFTs everything they want and then lie about it, and a lot of market-structure enforcement actions have been about exactly that. Similarly, if you give a market maker last-look capabilities, then it will be incentivized to make markets on your platform; if you tell your other customers that there’s no last look, then they will feel safe trading on your platform; if you do both, then your platform will be popular and useful and do a lot of trades, though you will eventually get in trouble. I find myself feeling a bit sympathetic to all the platform operators who get caught doing this, though. There is a cognitive dissonance in expectations about market structure: Customers really want liquidity, and they really want to be told that they’re being protected from HFTs. Those goals are hard to reconcile honestly, but they’re easy enough to reconcile. State Street was just giving its customers what they wanted.

State Street (2).

Along with its last-look settlement, yesterday State Street also agreed to pay a $32.3 million penalty to the SEC “to settle charges that it fraudulently charged secret markups for transition management services.” Basically, State Street would agree to sell massive portfolios of securities for customers at low or zero commissions, and would then throw in hidden markups on the individual trades to make the deal more attractive to itself. This is sort of old news — State Street settled with the U.K. Financial Conduct Authority for the same behavior back in 2014, and we talked about it then — but the SEC order has some new funny quotes from State Street about what they were up to:

McLellan: “Did [legal] look at original agreement?”

State Street U.K. Employee A: “Absolutely not. Nor did they look at the periodic notice. This can of worms stays closed!”

State Street U.K. Employee A: “[By the way] – there is no way we can disclose our spread.”

McLellan: “Agreed.”

The basic way that government investigations of financial institutions work is that someone gets an inkling of some misbehavior, and then the institution hires an outside law firm to investigate that misbehavior, and then the law firm searches the institution’s emails and chat logs to find embarrassing discussions of that misbehavior, and then an army of junior lawyers reads all those emails to decide which ones to turn over to the government. (It is counterintuitive in some respects.) I don’t know the details of how typical search filters work, but if “this can of worms stays closed” wasn’t on the list of search terms before this case, it is now. Don’t type that, come on! Honestly if you find yourself saying that — or for that matter if you find yourself entering agreements without showing them to your legal department — then you have made some mistakes in your life. But typing it, in an eternally preserved and searchable electronic format, only compounds those mistakes. 

Whistle-blowing as an export industry.

Here is a story about law firms that hunt for Europeans to bring cases under U.S. laws so they can get those sweet sweet U.S. whistle-blower rewards, which features this terrific quote:

The ability of British citizens to avail themselves of American whistle-blower laws “is a great example of how the global economy opens up opportunities for whistle-blowers from around the world to point out fraud against the U.S. government,” said Mary Inman, who arrived in London in July to start Constantine Cannon’s whistle-blower practice in Europe.

“The global economy”! Well, why not? It is pleasing that if you create a new spigot of money by fiat, people will cluster around it and treat it seriously as an economic activity. An industry will spring up, people will devote their careers to it, it will be cited as a pillar of the global economy. I guess that’s how bitcoin works too, come to think of it.

We may get to stop talking about the debt ceiling.

This was unexpected:

President Trump and Senate Minority Leader Charles E. Schumer (D-N.Y.) have agreed to pursue a deal that would permanently remove the requirement that Congress repeatedly raise the debt ceiling, three people familiar with the decision said.

“All populists are at heart conspiracy theorists,” said the Economist earlier this year, “who pretend that easy solutions exist to society’s woes and have only not been tried to date because elites are wicked and deaf to the sturdy common-sense of decent, ordinary folk.” Usually those conspiracy theories are wrong. But it’s true about the debt ceiling! A really easy solution to the periodic manufactured crises of the U.S. debt ceiling really does exist! You can just get rid of it, and Congress can decide how much to spend and how much to tax and thus how much to borrow, without having occasional random showdowns about whether the U.S. government should default on its debt. I realize that repealing the debt ceiling isn’t actually the populist approach, but still, it is an easy solution to a dangerous and recurring problem. Though “we have a great respect for the sanctity of the debt ceiling,” Trump also said, so really who knows.

Blockchain blockchain blockchain.

Here is a company that makes … fabric … that will … know how much you are wearing it … and then … sell that information back to clothing companies … on the … blockchain:

Loomia’s fabrics have sensors on them, which will collect data about the person wearing Loomia-powered apparel. Those sensors collect data about temperature, motion, or frequency of wear, then store it in the Loomia  Tile, the battery pack that powers Loomia’s technology.

One of Loomia’s goals is to give  consumers some power over that data. On Thursday, Loomia is announcing a new way to do that with a token sale — effectively creating a new blockchain-based currency that it will sell to investors.

Well, look. I have complete power over all the data that my shirts generate, insofar as my shirts are not electrified or connected to the internet, and if I want their manufacturer to know how often I wear them, I have to call up the manufacturer and say “I wear your shirt once a week,” at which point the manufacturer will say “What? Who is this?” But I guess in the future manufacturers will be desperate for that information, and consumers will be desperate to sell it to them, but only if they can do so using a cryptographically secure distributed ledger, and so you might as well buy tokens for that ledger today, because … because the world is outstandingly dumb, I don’t know. 

It’s what I said the other day about Juicero: People want their products to be enchanted, to pulse with mana or qi or midichlorians or whatever the currently popular flavor of magic is, and right now the popular magic is blockchain. So why buy a regular shirt when you can buy a blockchain shirt? And, given the way initial coin offerings usually work, why buy a blockchain shirt when you can buy a token that will maybe one day function with a blockchain shirt?

Elsewhere here’s an MIT Media Lab Digital Currency Initiative report on “Cryptographic vulnerabilities in IOTA” that contains this important conclusion:

The digital currency space is still new, and we are confident that robust, useful technologies will continue to emerge and gain adoption. But the fact that none of IOTA’s partners raised these concerns about a glaring vulnerability in a ~$2B cryptocurrency, or spoke about the other red flags, is worrisome. While one of the most important features of blockchains is removing the need for trusted third parties, most people don’t have the time or background to thoroughly evaluate the software, which means that trust is still needed: trust in the developers of the project, or someone else capable of evaluating the software. 

An appeal of cryptocurrency, blockchains and smart contracts is that they don’t require trust, that they function through the immutable operations of open transparent code. But that’s not particularly useful if it requires every user to independently verify that all of that code works as intended. If you want widespread adoption, you need to give people some reason to trust that the code does what they expect it to, and that reason can’t just be “well go look at the code yourself.” Some essentially social trust mechanism has to be reintroduced into the system for it to work.

People are worried about bond market liquidity.

Here is an “Alternative Theory on Corporate Bond Market Liquidity” from Chris White of ViableMkts:

While the impact of market regulations on corporate bond liquidity is debated, an unintended consequence of new rules has been to change the competitive dynamics of market making. As the market has grown, the market share of the top dealers has increased, which has led to greater concentration of trading activity. Throughout history, resolving systemic financial market liquidity issues has required broader participation from a larger group of market makers. Unfortunately, the trend in the US corporate bond market is in the opposite direction. Without participation from a more diverse group of market makers, it is unlikely that the institutional corporate bond trading environment will support the growing liquidity needs of the buy-side institutions that represent the investing public. 

Things happen.


Write a Reply or Comment:

Your email address will not be published.*