

01:10:00 pm, by Dana Comolli, 978 words, English (US)
Categories: Disaster Recovery, Backoffice, Cyber Security

4 cyber security keys for CTAs

More than a buzzword, cyber security is core to how your systems are set up, what information passes through your business and how you plan to recover from a disaster. Here’s what you need to know.

Today, cyber security is a necessary worry and cost of doing business for everyone in the trading community, especially commodity trading advisors. The NFA’s new requirement that every member must have a cyber security plan in place is merely a formality for what a CTA should already have as part of its business setup. And today’s cyber security is not only a mechanism for dealing with viruses, phishing, and other forms of computer system intrusion. In reality, the concept of cyber security is much broader: it addresses how you ensure that your computing and information resources are protected from failure or compromise and, if either happens, how you plan to recover from that event.

One way to determine your exposure is to think of your computing and information systems in terms of the “surface area” they present to users and external entities. In a typical CTA, this would include email sending and receiving, web browsing, file transfers using FTP, user access to workstations and servers, remote backup providers, and cloud data and/or computing resource providers. Each of these must be both reliable and secure if a firm is to operate successfully.

Virtually all firms have anti-virus software installed on their workstations; you should since it comes for free with the Windows operating system. This may not be the case for all the servers within a firm as these generally require specific versions of the anti-virus software. Yet it is critical that they be protected as well because these systems are often the repository for files and data accessed by multiple workstations.

When it comes to cyber security, where organizations typically stumble is in other areas: intrusion detection and reporting, securing information “in transit,” securing information on mobile devices (laptops, tablets, cell phones), and access and recovery strategies when using cloud-based storage and computing platforms. Let’s look at each of these:

1) Intrusion detection and reporting systems monitor access to your computing resources and generate alarms when suspicious access is detected. For example, alarms could be triggered by a certain number of failed logon attempts, logon attempts using well-known usernames, or access attempts from untrusted networks.

2) Securing information in transit involves either encrypting all files and messages sent via email and FTP or using end-to-end secure communication channels. In practice, encrypting the actual information sent is a more prudent solution as end-to-end encrypted email is rarely available and using encrypted versions of FTP still leaves the information at the destination in an unencrypted state.

3) Securing information on mobile devices (laptops, tablets, and cell phones) is more than simply having a password to access the device. The latest dust-up between the DOJ and Apple shows that it is possible to access a password-protected device without compromising the data. The information on the device also must be encrypted as losing physical control of a mobile device is possible. Also, as a “60 Minutes” investigation revealed recently, hacking into smart phone voice and data isn’t difficult, and that could be catastrophic for a CTA. (see transcript of that program:

4) Access and recovery strategies. Many organizations treat cloud-based storage and computing resources as if they are somehow immune from failure. While major vendors such as Amazon, Google, Rackspace, and Microsoft have impressive uptime statistics, their annual downtimes still are measured in hours. Virtual machines within these environments must be secured the same way as those on your premises, but access to these systems is limited by their uptime and your ability to access them (yours and their internet connections.)
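The three alarm triggers named in item 1 (a number of failed logon attempts, well-known usernames, untrusted networks), as an added example that is not part of the original article. The event format, threshold, time window, username list and trusted network range are assumptions chosen for illustration, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune them to your own environment.
MAX_FAILURES = 3                  # failed logons tolerated per source address...
WINDOW = timedelta(minutes=5)     # ...within this sliding window
WELL_KNOWN_USERS = {"admin", "administrator", "root", "guest"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events, one per line: timestamp result user source_ip
SAMPLE_LOG = """\
2024-01-15T09:00:01 OK jsmith 10.1.2.3
2024-01-15T09:01:10 FAIL mlee 10.1.2.7
2024-01-15T09:01:25 FAIL mlee 10.1.2.7
2024-01-15T09:01:40 FAIL mlee 10.1.2.7
2024-01-15T09:30:00 FAIL jsmith 10.1.2.3
2024-01-15T10:15:00 FAIL admin 10.1.2.9
2024-01-15T11:00:00 OK jsmith 203.0.113.50
"""

def parse_line(line):
    """Split one event into typed fields; raises ValueError if malformed."""
    stamp, result, user, source = line.split()
    return (datetime.fromisoformat(stamp), result, user.lower(),
            ipaddress.ip_address(source))

def detect(log_text):
    """Return (rule, user, source) alerts in order of occurrence, each once."""
    alerts, seen = [], set()
    failures = defaultdict(deque)  # source address -> recent failure times

    def raise_alert(rule, user, source):
        key = (rule, user, str(source))
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            when, result, user, source = parse_line(line)
        except ValueError:
            raise_alert("unparseable_event", "-", "-")  # surface bad input
            continue
        if user in WELL_KNOWN_USERS:
            raise_alert("well_known_username", user, source)
        if not any(source in net for net in TRUSTED_NETWORKS):
            raise_alert("untrusted_network", user, source)
        if result == "FAIL":
            recent = failures[source]
            recent.append(when)
            while when - recent[0] > WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                raise_alert("repeated_failed_logons", user, source)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed logon by `jsmith` at 09:30 raises nothing, which is the point of counting failures inside a window rather than alarming on every mistyped password.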

When looking at recovery from a failure or other incident, the typical solution will be some type of disaster recovery (DR) system that replicates the systems required to operate the organization. These can be cost-effectively implemented in a cloud environment as there are billing models that only charge for the time the virtual machines are running. For a DR environment, that need only be the time it takes to snapshot data to the backup environment (typically a once-per-day event). For those whose primary environment is cloud-based, it’s a bad idea to have your DR in the same vendor’s cloud because your primary and backup would be exposed to downtime at the same time. Follow the industry adage and diversify to other vendors.

In addition to recovering from hard system or environment failures, the ability to quickly recover lost or otherwise corrupted files must be another aspect of a firm’s cyber security plan. While there is no substitute for a robust, daily backup strategy, using products that replicate and version files into the cloud (Dropbox, SecuriSync, and others) can provide rapid access to compromised files from non-compromised systems. (Note: The issue here is that files are replicated as they are changed, so if a file gets corrupted, such as with a virus, that corrupted file will be replicated. These services must keep track of versions so you can retrieve the pre-corrupted versions of the file.)

Effective cyber security is critical to the ongoing health and well-being of a CTA and should be approached with the same (or greater) vigor as any other aspect of a firm’s procedures. Get started with a thorough review of the surface area of your systems and follow up with protection and recovery plans for each potential failure.


Dana M. Comolli is president of DMAXX (, a back office software design firm for alternative investment managers. TheBooks software is designed for the trader, and is built to do price, position and order management, reconciliation, trade accounting, performance reporting, risk and data management and act as a gateway to a wide variety of execution platforms. You can reach Dana at:


09:19:00 am, by Dana Comolli, 1161 words, English (US)
Categories: Futures Trading, Backoffice, Hedging, Compliance

Regulation AT: If you think it does not apply to you, think again

Algorithmic trading typically conjures up thoughts of Michael Lewis’ “Flash Boys” and high frequency traders. The objections to these market participants have come from many areas and they have been blamed for bouts of volatility that make little sense. The response from regulators has been expected, but certainly not in the scattershot form of Regulation AT (CFTC proposed regulation RIN 3038-AD52, Regulation Automated Trading[1]).  The CFTC states as its purpose “to address the risks of algorithmic trading through a series of pre-trade risk controls and other measures that AT Persons, clearing member FCMs and DCMs must implement.” Any new regulatory proposal raises hackles, but this one, with its all-inclusiveness as well as potential risks, has caused outright howling.

At the heart of the regulation are the definitions of two terms: Algorithmic Trading and AT Persons. An AT Person is an entity that uses Algorithmic Trading and would then be subject to the provisions of the proposed regulations. Unfortunately, the CFTC has chosen definitions for these terms that would result in virtually any organization that trades an electronic market being considered an AT Person.

Essentially, it defines Algorithmic Trading[2] as using one or more computer algorithms or systems in the trading, input or modification of an order. In other words, if a computer generates an order - with the sole exception of a person typing it exactly into a computer with no further discretion by any computer system - it is Algorithmic Trading.

But that’s not all. Let’s say that after you type the order into the trading platform, you use an auto-spreader or have the order worked as a TWAP or VWAP order: you would now be doing Algorithmic Trading. If you were a long-term trend follower, generated signals once per day and produced an order file that you emailed to an FCM that imported it into an X-Trader system on your behalf, you are doing Algorithmic Trading. If you were an energy provider and used Excel to help size the number of Natural Gas contracts needed to hedge your contracted deliveries, then transferred those requirements into an electronic platform (say WebICE) for execution, you are doing Algorithmic Trading.

As you can see, the net has been cast far and wide for this definition.

The definition of AT Person is equally expansive:

“entities that may be considered an AT Person: persons registered or required to be registered as FCMs, floor brokers, SDs, MSPs, CPOs, CTAs, or IBs that engage in Algorithmic Trading on or subject to the rules of a DCM, or persons registered or required to be registered as floor traders.

Such persons or entities would be AT Persons if they engage in Algorithmic Trading on or subject to the rules of a DCM, or persons registered or required to be registered as floor traders as defined in § 1.3(x)(3).”

This encompasses just about any organization involved in trading futures, especially because the definition of floor trader is proposed to be expanded to include anyone with direct market access. That includes using platforms such as CQG, TT, and Bloomberg, or exchange-specific interfaces such as WebICE, and is not restricted to traders with direct connections using FIX.

Many of the 88 comment[3] letters were from firms concerned the new rule would subject their source codes to cyber hackers, not believing the CFTC has strong enough firewall protections, not to mention staff leaving with the knowledge of their algorithms. CTA Two Sigma’s letter noted: “Trade secret protection depends on our efforts to prevent unauthorized disclosure of our confidential information and, as proposed, Reg AT inadvertently lessens those protections.”

But in addition to that concern, Regulation AT would force organizations to:

  • Implement specific Pre-Trade and other risk controls (message and execution throttles, maximum order sizes, price collars, and other automated controls)
  • Implement specific standards for the development, testing, monitoring, and compliance of the trading systems
  • Maintain source code for trading systems in accordance with Commission regulation § 1.31, meaning it must be available for the CFTC and DOJ for inspection at any time.
  • Prepare and submit compliance reports to DCMs

CFTC Commissioner J. Christopher Giancarlo has gone on record[4] questioning whether the regulation “sufficiently benefits the safety and soundness of America’s futures markets so as to outweigh its additional costs and burdens?”

He specifically raised concerns about how the costs of the proposal may disproportionately impact small market participants especially because the commission admits in the proposal that they do not have a good understanding of how many organizations would be affected. That said, the proposal was unanimously passed and put out for comment. CFTC Chairman Tim Massad has stated that the CFTC handles confidential information “all the time,” adding that with Regulation AT, the CFTC wants to make sure the “source code is preserved and is available to us when we need to reconstruct market events.”

The comment period closed the day Chairman Massad spoke to the Futures Industry Association in Boca Raton, Fla. He assured the audience the CFTC would “review comments carefully and decide if there are any issues on which it would be beneficial to invite additional comment.” This is a good sign, meaning the regulator may be open to more industry input. Then again, he says they want the rule finalized by year’s end, so steel yourself to the possibility of new regulation that comes with more administrative burdens, costs, and yes, questionable impact.



[2] CFTC defines Algorithmic Trading as:

“trading in any commodity interest as defined in Regulation 1.3(yy) 169 on or subject to the rules of a DCM, where: (1) one or more computer algorithms or systems determines whether to initiate, modify, or cancel an order, or otherwise makes determinations with respect to an order, including but not limited to: the product to be traded; the venue where the order will be placed; the type of order to be placed; the timing of the order; whether to place the order; the sequencing of the order in relation to other orders; the price of the order; the quantity of the order; the partition of the order into smaller components for submission; the number of orders to be placed; or how to manage the order after submission; and (2) such order, modification or order cancellation is electronically submitted for processing on or subject to the rules of a DCM; provided, however, that Algorithmic Trading does not include an order, modification, or order cancellation whose every parameter or attribute is manually entered into a front-end system by a natural person, with no further discretion by any computer system or algorithm, prior to its electronic submission for processing on or subject to the rules of a DCM.”




01:49:00 pm, by Dana Comolli, 988 words, English (US)
Categories: Accounting, Backoffice, Compliance

Best Practices for a CTA's back office - part 2

Trading can be hazardous, but not being on top of your business and accounting can be even worse. As we noted in the last blog, good performance is great, but good performance with a stable, efficient and reliable back office is what investors want. What exactly does that mean to the CTA?

Mike Dever, CEO and Director of Research of Brandywine Asset Management, has been a CTA since the 1980s and has gone through many allocator reviews – and received many investments. He says the allocator will typically send an itinerary of what they want to review, and if they don’t, Mike will ask for one. It is also more common today for two groups to come from the allocator: one that comes to discuss philosophy, research and strategies with the manager/traders, and a second, operational group charged with determining how the CTA executes trades, what its relationship to its brokers is, and what the underlying technology is; basically the back office details.

To prepare, Dever and his team put together all the requested information, data print outs and examples, in one large notebook that they’ll review with the allocator when they visit. They also will go through the actual back office process, for example, providing a demo account, allowing the allocator to sit in and experience the process step-by-step.  He says his team does practice drills before an allocator review to make sure the meeting runs smoothly.

So let’s discuss these best practices and what they mean to the CTA:

1) What is your general setup: legal structure, ownership breakdown and financial strength? But beyond that they want to know about key personnel and with that, segregation of duties (i.e., compliance can’t be sales, operations shouldn’t be accounting). Some back office accounting software, like TheBooks, has the ability to limit access to certain parts of the business via security codes, which can be defined by personnel or job function.

Also scrutinized will be cross training of personnel; if someone is sick or an emergency arises, can others step in and provide the same quality of service? Do you have a process set up for new hires? And what happens when you travel? What is your back up, both for that day as well as the bigger picture in transacting the business?

2) Who are your key service providers? These include back office accounting software, general accountants, FCMs, technology providers, administrators and even temp agencies. You’ll need to outline how these firms are chosen, what roles they fulfill and on what basis they are dismissed. Here allocators look for depth: they want to make sure the CTA is buying the provider not just for pricing, but because it actually does what is needed. Also, how do you monitor vendors? For example, do you or someone else at the firm review end-of-day results? If not, someone should be. Allocators will want to see a checklist.

Annette Cazenave, principal of A. Cazenave LLC, says: “Let’s face it, your two big areas of liability are striking NAV and how you sell [your products], so you need to review everything before you push it out the door.” Also, if you lose a key person, can your service providers step in to fulfill that need until you’ve gotten the next person up to speed? Do you have that action plan set up?

3) Operational processes and procedures for trading controls, compliance, valuation and treasury. This includes being able to show reproducibility of trades, daily trade files, valuation checks and transparency. It also means showing how you move the money around as well as how you handle new allocations.

Dever says they typically need to document a trade: how was it generated, how did it get sized, how was it allocated per client and why, and who was involved in the trade? Again, having reliable back office software that can document trades is key. Todd Fulton, senior VP, capital introduction, for R.J. O’Brien, advocates all traders have back office software, noting, “Trade checking is a major part of what I like about TheBooks.” Alan Zenk, who runs CTA Services, a service bureau for smaller CTAs, says that the NFA recently has focused on trade allocations and making sure they are handled similarly across all accounts. With various sized managed accounts, this could be a nightmare for CTAs and a major trip-up in a due diligence review.

4) IT infrastructure, cyber security and disaster recovery: You’ll need to outline the IT infrastructure of the company, explain your account security and what happens if an event, man-made or not, brings the system down. This doesn’t mean necessarily a 9/11, but could mean the Internet going down, an electricity grid failure, or a snowstorm (or other natural disaster). For example, if a huge storm is coming, are you getting hotel rooms for key personnel? The answer may be yes, but what’s your game plan? Remember too, third party vendors are helpful in this situation as they can serve as back ups and remote offices: know ahead of time what you can rely on and be able to explain it. This certainly is a mark of a prepared trader who is ready to take on large allocations.

It’s a formidable task to be a successful CTA, but actually designing a winning model and/or strategy is only one part of the success quotient. Making sure your back office is well structured is key, and though standards may differ allocator to allocator, the points highlighted here are a minimum.  Think of it like this: Trading is driving the racecar, but it’s the pit crew that wins you the race.



The official blog for users and others interested in TheBooks®

