Financial services firm Knight Capital lost more than $460 million last summer when an error in its automated trading software unleashed a series of unwanted orders, but the company is still on the hook for more. On Oct. 16, the Securities and Exchange Commission announced that Knight Capital had agreed to pay $12 million to settle charges related to the incident. The SEC noted that the company did not have adequate safeguards in place, nor had it properly reviewed the tools involved in the fiasco.
“The market access rule is essential for protecting the markets, and Knight Capital’s violations put both the firm and the markets at risk,” said Andrew Ceresney, co-director of the SEC’s Division of Enforcement. “Given the rapid pace of trading in today’s markets and the potential massive impact of control breakdowns, broker-dealers must be held to the high standards of compliance necessary for the safe and orderly operation of the markets.”
The SEC pinpointed two coding errors that helped precipitate the Aug. 1, 2012, incident. First, in 2005, the company moved a section of code in an automated equity router to an earlier point in the sequence, leaving one of the router functions defective. This function was intended to remain unused, but it was not removed from the router. Second, when new code was incorrectly deployed to the same router in late July 2012, it activated the defective function, which was unable to recognize when orders had been filled. As a result, more than 4 million orders were released into the market in an attempt to fill just 212 customer orders. Compounding the problem, a series of 97 automated emails generated by the system, which “provided an opportunity to identify and fix the problem before the markets opened,” went unread by the personnel they were sent to.
How to prevent a meltdown
The SEC charged Knight Capital with violating the agency’s market access rule in a number of ways. The company lacked an automated control immediately preceding order submissions, such as a command that would check orders being filed against those entered. It didn’t link the account controlling the transactions to automated controls related to the firm’s overall financial exposure. It lacked thorough documentation, review and written procedures for preventing and responding to errors.
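To make the first two missing controls concrete, here is an added sketch (not Knight Capital's code and not taken from the SEC order) of a gate that sits immediately before order submission, checks each outgoing order against the quantity actually entered, and ties releases to a firm-wide exposure cap. The class, method names, limits and sample orders are all hypothetical, and cancels and partial fills are left out to keep the core check visible.

```python
from dataclasses import dataclass

@dataclass
class ParentOrder:
    quantity: int      # shares the customer entered
    routed: int = 0    # shares already released to the market as child orders

class PreTradeGate:
    """Hypothetical last check before a child order leaves the router."""

    def __init__(self, max_gross_exposure):
        self.max_gross_exposure = max_gross_exposure  # firm-wide notional cap
        self.gross_exposure = 0.0
        self.parents = {}
        self.rejects = []  # (order_id, reason): the feed a human should be paged on

    def enter(self, order_id, quantity):
        self.parents[order_id] = ParentOrder(quantity)

    def submit_child(self, order_id, shares, price):
        parent = self.parents.get(order_id)
        if parent is None:
            return self._reject(order_id, "no matching entered order")
        if shares <= 0 or price <= 0:
            return self._reject(order_id, "invalid size or price")
        # Counted on release, so the check does not depend on the router's
        # own (possibly defective) fill tracking.
        if parent.routed + shares > parent.quantity:
            return self._reject(order_id, "child orders exceed entered quantity")
        if self.gross_exposure + shares * price > self.max_gross_exposure:
            return self._reject(order_id, "firm exposure limit reached")
        parent.routed += shares
        self.gross_exposure += shares * price
        return True

    def _reject(self, order_id, reason):
        self.rejects.append((order_id, reason))
        return False

def simulate_runaway_router(gate, order_id, child_size, price, attempts):
    """Constructed model of a router that never registers fills and keeps sending."""
    released = 0
    for _ in range(attempts):
        if gate.submit_child(order_id, child_size, price):
            released += child_size
    return released
```

With a constructed 1,000-share order, a router that retries 500 times releases exactly 1,000 shares and leaves 490 rejects in the log, which is the signal that should reach an operator rather than sit in an unread inbox.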
On a software level, the firm was also faulted for insufficient testing of its code deployments, with the SEC noting that Knight Capital “did not have adequate controls and procedures for code deployment and testing for its equity order router.” Bloomberg’s Sam Mamudi pointed to this list of violations as an indication that the firm’s testing processes were at fault rather than the underlying technology.
“The administrative order outlining the settlement painted Knight not as a victim of computers gone haywire, but as a firm that failed to test its systems adequately or prepare for potential breakdowns,” Mamudi wrote.
The Knight Capital incident has become something of an example case as those in the financial services industry call for more automated safeguards on algorithmic trading and as software errors become fodder for business disputes. The substance of the SEC fine effectively proposes that one of the tools for avoiding such incidents is more organizational support for testing and code review. New code deployments can be vetted using source code analysis tools, and old code can be maintained with code refactoring tools. By building in these practices, companies can avoid the types of organizational errors that led to Knight Capital’s eventual software meltdown. The SEC fines can be seen not only as a warning of the cost of an error but also as a reminder that there are ways to avoid such issues altogether.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.