12950 Worldgate Drive, Herndon, VA 20170 * Phone: 703.707.9901 * Fax: 703.707.9910 * Web: www.surety.com
February 6, 2004
Mr. Jonathan G. Katz
United States Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549-0609
RE: File No. S7-27-03: Comments in response to proposed regulation "Amendments to Rules Governing Pricing of Mutual Fund Shares."
Release No. IC-26288 (Dec. 11, 2003), 68 FR 70388 (Dec. 17, 2003)
Dear Mr. Katz:
Surety, LLC ("Surety") welcomes the opportunity to provide comments on the Securities and Exchange Commission's ("Commission") proposed amendments to Rule 22c-1 under the Investment Company Act of 1940 ("Investment Company Act" or "Act").1
Headquartered in Herndon, Virginia, Surety is the leading provider of data integrity validation solutions for electronic records. For over ten years, Surety's flagship product, AbsoluteProof(SM), has been a market-leading time-stamping and digital notarization solution. Built on patented technology and secure hashing algorithms, AbsoluteProof is the only long-lived, cryptographically and independently verifiable data integrity system in the world. AbsoluteProof is auditable, provable and completely independent of any internal system controls inside the organization. Surety generates irrefutable, tamperproof evidence of exactly what electronic records were created and precisely when they were created. We provide mission-critical technology for all applications that protect intellectual property, ensure corporate governance, and drive regulatory compliance.
In its Proposed Rule, the Commission requested comment on the proposal that "all purchase and redemption orders be received by the fund, a single transfer agent... or a registered clearing agency no later than the time at which the fund prices its securities, in order to obtain the current day's price."2 The Commission also requested comment on an alternative approach that would require fund intermediaries, in order to submit orders to the fund transfer agent or Fund/SERV after 4:00 p.m., to have adopted certain protections designed to prevent late trading, including the "electronic or physical time-stamping of orders in a manner that cannot be altered or discarded once the order is entered into the trading system."3 The Commission should be aware that simple time-stamping solutions may be altered, forged, compromised or invalidated due to expiration. Surety recommends that in any approach considered by the Commission, there be a consistent requirement to independently verify transaction content and sequence to prevent deleting or tampering with trade orders. The Commission acknowledges that current system controls are easily circumvented and has openly questioned the issue of independent auditor validation:
Some broker-dealers appear to have easily circumvented current system controls, including the time-stamping required by our rules... We are therefore concerned that an independent auditor may fail to detect weaknesses in internal controls that allow late trading to occur. How could we prevent any such protections and controls from being circumvented similarly in the future?4
Our intent in this comment letter is, first, to provide a brief context of how late traders routinely circumvent established system controls. Second, we highlight the risks inherent in "trust-based" time-stamping systems. Third, we comment on existing, scalable technology that provides complete transparency for third-party auditors who must independently validate the integrity of time-stamps generated by mutual fund trading systems. Finally, we recommend that the Commission adopt standards required under Rule 22c-1, specifying that time-stamp and transaction integrity at least meet the minimum criteria of being unalterable, unforgeable, permanent and independently auditable. Regardless of which approach the Commission ultimately chooses to adopt, we strongly urge the Commission to consider mandating the aforementioned minimum criteria to ensure the integrity of the time deadline by which transactions must be entered in order to receive the fund's current day price.
"Late Trading" Abuses
Widespread accounts of late trading by mutual funds and favored investors5 have led to a crisis of confidence by investors in mutual funds. As Commission Chairman William Donaldson succinctly stated at the Commission's open meeting on December 3rd, "We have seen a betrayal of individual investors."6
Since the Net Asset Value ("NAV") is dependent on both the content of the portfolio and the precise time of the calculation, the integrity of the firm may be defended or challenged on the basis of how it measures and calculates its NAV for each of its funds. Allowing selected clients to trade shares against an already posted NAV is a breach of fiduciary responsibility and, in most cases, a violation of state and federal securities laws. Nevertheless, that is exactly what happened to an ever-growing list of funds. The self-discipline that is required by the current system seems to have been selectively applied - with favoritism given to large fund customers and fund personnel.
The Commission noted a number of mechanisms by which funds and intermediaries circumvented the requirements of Rule 22c-1:
Fund intermediaries have blended late trades with legitimate trades in the file containing net order information submitted to Fund/SERV or a fund's primary transfer agent after 4 p.m., effectively concealing the late trades from fund managers and from our compliance examiners. When we adopted rule 22c-1, we also amended our broker-dealer recordkeeping rules to require the time-stamping of fund orders, which would permit us to detect late trades. The rule has been circumvented by, for example, routinely permitting favored investors to place orders before 4 p.m., but cancel them after late news is received. ... Similarly, orders have been placed before 4 p.m. to be modified or changed after 4 p.m. Also clients that had placed an order for one fund's shares before 4 p.m. that was rejected by the fund, have been permitted to substitute an order for another fund's shares after 4 p.m. In each of these circumstances, the broker's records would appear to support a series of bona fide trades all of which were time-stamped before 4 p.m. (emphasis added)7
It is instructive to recognize for the purpose of this discussion that the Commission's requirements for time-stamping of trade orders were written in 1968,8 well before the advent of modern encryption and electronic systems.
The Commission has proposed to address the blatant disregard for the requirements of Rule 22c-1 by amending the Rule. The amendment requires that, in order to obtain the current day's price, a mutual fund, its designated transfer-agent, or a registered securities clearing agency must be in receipt of a purchase or redemption order by the time the NAV for that fund is established (e.g., 4:00 p.m.).
This approach has certainly generated a great deal of controversy. While some mutual funds have endorsed this approach, many of the intermediaries - and their national trade associations - have complained that such a requirement will unnecessarily disadvantage them and, ultimately, their investors, creating unwarranted economic loss. These intermediaries and their respective trade associations have proposed allowing trades at the intermediary level until the NAV is established, provided that the intermediary can demonstrate sufficient safeguards within its systems so as to alleviate concerns about endemic late trading.9
Even if the Commission's proposal were to be adopted without revision, the same circumstances that permitted late trading to become pervasive will continue to exist, albeit at the fund or transfer-agent level rather than at the intermediary level. As we will describe below, unless the Commission articulates minimum regulatory criteria to ensure the integrity of the technological systems taking orders, the inherent weaknesses of the current regulatory scheme will continue to be perpetuated.
Inherent Risks in Trust-Based Systems
As the Commission itself noted, the common hallmark of the various late trading schemes was that the broker's records were altered so as to "appear to support a series of bona fide trades all of which were time-stamped before 4 p.m."10 However, the systems of funds and designated transfer agents are just as susceptible to manipulation as those of the brokers. These systems are controlled internally by presumably trusted employees with good practices, procedures and policies in place to ensure proper asset protection. Unfortunately, where there is a breakdown of trust, often committed by rogue employees, good practices, policies, procedures and people can no longer guarantee, nor can they prove, that compliant mutual fund transactions occur.
Examples of Risks in Internal Control Systems
Internally managed systems are dependent upon the trust and discretion of human beings - and human beings are imperfect.11 Traders, administrators, and technical personnel are all subject to the malign influences of ego, greed, arrogance and ambition. According to noted security expert Linda McCarthy, nearly 86% of computer crimes originate inside the network.12
In the context of mutual funds, the Commission has recently uncovered numerous cases where the prohibition on late trading was flagrantly disregarded. We believe the establishment of minimum criteria on time-stamping would have made recent late trading far more difficult to accomplish and much easier to detect. In a November 25, 2003 Commission press release, the Commission illustrated a case whereby they found abuses of late trading. The following account, as set forth in the Commission's press release, is levied against Phoenix, Arizona-based Security Trust Company, N.A. ("STC") and its former chief executive officer, president, and senior vice president:
From May 2000 to July 2003, STC facilitated hundreds of mutual fund trades in nearly 400 different mutual funds by several hedge funds controlled by Edward J. Stern, known as the Canary Capital funds. Approximately 99% of these trades were transmitted to STC after the 4:00 p.m. EST market close; 82% of the trades were sent to STC between 6:00 p.m. and 9:00 p.m. EST. The hedge funds' late trading was effected by STC through its electronic trading platform, which was designed primarily for processing trades by TPAs for retirement plans. At the direction of Seeger and McDermott, STC repeatedly misrepresented to mutual funds that the hedge funds were a retirement plan account, even though STC, Seeger, Kenyon, and McDermott knew that the hedge funds were not a TPA or a retirement plan account. Mutual funds expected that retirement plans and their TPAs required several hours after the market closed to process trades submitted by plan participants before market close. In contrast, the hedge funds had no such business purpose for submitting their own trades as late as five hours after market close.13
Another example of late trading abuse occurred when Security Brokerage, Inc., a self-clearing broker-dealer, created false internal records in which the order time for all trades was entered as 3:59 p.m. ET. In a final example, the Commission alleged in a December 4, 2003 press release that Mutuals.com, a Commission-registered broker-dealer, and its principals, routinely received trading instructions from customers after 4:00 p.m. ET and executed those trades as if the trading instructions had been received prior to that closing time. According to the Commission, Mutuals.com and its affiliates attempted to conceal late trading activities by omitting portions of the trading information that they were required to provide to clearing agents.
These are just some of the recent examples of conduct that illustrate the risks of internally managed or internal controls systems managed and manipulated by humans.
Vulnerabilities of Internal Control Systems
Simply put, the ability to know conclusively that an electronic record has not been altered can no longer be achieved simply through the affirmation of the people administering the system. Stored data - the basic building blocks of any electronic records - can be easily manipulated, changed or backdated, often without senior management's or compliance department's knowledge.
At each step of the system, there are basic vulnerabilities. These include:
- Creating a record with a forged time-stamp (e.g., creating a record indicating a trade order was received or canceled before the 4:00 p.m. deadline). This can be accomplished by tampering with the time source, system software, or stored data;
- Modifying the date or content of an existing record (e.g., modifying a record to change the size of a trade after the 4:00 p.m. deadline); and/or
- Deleting a record (e.g., removing a record after the 4:00 p.m. deadline and thereby effectively canceling a trade).
Surety's Proposed Solution
The Commission's current time-stamping requirements for broker-dealers were first issued in 1968. At that time, time-stamping technology was limited. In fact, one had to literally run a piece of paper through a pre-programmed machine that indicated the time and date that the paper record was submitted.
Today, most trade orders are input through electronic systems - not simply by routing paper through vacuum tubes. The advent of microchips, high-speed processors, and the Internet makes trading possible at speeds and volumes that were unthinkable in the late 1960s. Today's technology permits the Commission - in fact any regulator - to set much more stringent criteria for ensuring the integrity of those electronic records than could have been reasonably contemplated 36 years ago.
A powerful technology that could be applied to the transaction integrity problem is the secure hash algorithm (e.g., SHA-1, SHA-2, MD5, RIPEMD).14 A secure hash algorithm provides a way to obtain a digital fingerprint of an electronic record. If the electronic record changes, then the digital fingerprint necessarily changes. Thus, one can use a hash algorithm to make a record tamper-evident.
Although secure hash algorithms are a building block for a solution, they are not a total solution. There are several problems. First, assuming there is a time-stamp in the record, how does one know that the date placed in the record was correct in the first place (i.e., the record has not been back-dated)? Second, what prevents someone from tampering with both the record and the fingerprint?
Fortunately, there is a simple, elegant solution to both of these problems. The solution is to widely publish the fingerprint to demonstrate its existence as of a particular time. If a fingerprint of a trading record was widely published at 4:00 p.m., then it would prove that: (1) the record existed before that time, because the creation of the record must precede the fingerprint, and (2) it hasn't been altered since, because any alteration would change the already published fingerprint.
It is important to note that the electronic record itself is not widely published; only its digital fingerprint is. Moreover, one cannot reverse engineer or recreate the electronic record from its digital fingerprint, thus protecting the sensitivity and privacy of the record itself.
It would be infeasible to publish fingerprints for all financial records. Fortunately, there is a way to create a "summary fingerprint" for all fingerprints created during a particular time period. The technical name for this approach is cryptographic hash chain linking.15 Using this approach, only one fingerprint needs to be published for an organizational entity. This one widely witnessed fingerprint proves that all organizational records were created before the time of publication and have not been tampered with since. Moreover, cryptographic hash chain linking scales incredibly well to handle the massive numbers of transactions that could be executed during the trading day and, more specifically, in the moments before the 4:00 p.m. ET close. The power of cryptographic hash chain linking, coupled with secure hashing and digital notarization, where the transaction time, content and sequence are locked down, is instrumental in proving whether or not trades occurred, were altered, or were deleted. This capability enables an independent auditor to prove sequentially that given transactions occurred before or after the 4:00 p.m. ET trading deadline.
The next question is how to publish the fingerprint for widely witnessed verification. For the financial industry, there are numerous ways this could be done. One way is to have an organization send the fingerprints to a clearinghouse. Another way is to have the organization itself publish the fingerprints on a widely distributed financial information network. Either way, the effect would be to associate an undisputable time with the fingerprint and to ensure the fingerprint's integrity.
The aforementioned approach does not solve the problem of record deletion. This challenge can be addressed by cryptographically linking records together in a chain, using the same linking technology referenced above but executed locally on mutual fund transaction systems. If any record were deleted, it would be easily detected as a break in the chain.
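The following is an added illustration, not Surety's product or the letter's own code, of the hash chain linking described above. Constructed sample trade orders are linked into a chain, the chain head serves as the single summary fingerprint published at the close, and an auditor's recomputation exposes alteration, deletion and backdated insertion; SHA-256 and the JSON field names are assumptions of this example.

```python
import hashlib
import json

# Constructed sample trade orders (illustrative only, not real fund data).
ORDERS = [
    {"seq": 1, "account": "ACCT-0001", "fund": "FUND-A", "side": "BUY",
     "shares": 100, "received": "2004-02-06T15:55:10"},
    {"seq": 2, "account": "ACCT-0002", "fund": "FUND-B", "side": "SELL",
     "shares": 250, "received": "2004-02-06T15:57:42"},
    {"seq": 3, "account": "ACCT-0001", "fund": "FUND-A", "side": "BUY",
     "shares": 300, "received": "2004-02-06T15:59:58"},
]

GENESIS = "0" * 64  # fixed starting link so the first record is anchored too


def fingerprint(order):
    """Digital fingerprint of one record: SHA-256 over a canonical serialization."""
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def hash_chain(orders):
    """Link each record to its predecessor: link_i = H(link_{i-1} || fingerprint_i).
    Every link therefore commits to all earlier records and to their order."""
    links, prev = [], GENESIS
    for order in orders:
        prev = hashlib.sha256((prev + fingerprint(order)).encode()).hexdigest()
        links.append(prev)
    return links


def summary_fingerprint(orders):
    """The one value an organization publishes (widely witnesses) at the 4:00 p.m. close."""
    return hash_chain(orders)[-1] if orders else GENESIS


def audit(orders, published_summary):
    """Independent check: recompute the chain from the records on file and compare it
    to the fingerprint witnessed at the close. Any altered, deleted, inserted or
    reordered record changes the chain head, so the comparison fails."""
    return summary_fingerprint(orders) == published_summary


def first_break(orders, stored_links):
    """Locate where a locally stored chain stops matching the records: returns the
    index of the first mismatching link, or None if the chain is intact. A deleted
    record shows up as a break at its former position (or a short chain)."""
    recomputed = hash_chain(orders)
    for i, (have, want) in enumerate(zip(recomputed, stored_links)):
        if have != want:
            return i
    if len(recomputed) != len(stored_links):
        return min(len(recomputed), len(stored_links))
    return None


if __name__ == "__main__":
    links = hash_chain(ORDERS)
    published = summary_fingerprint(ORDERS)          # witnessed at 4:00 p.m.
    print("intact:", audit(ORDERS, published), first_break(ORDERS, links))
    altered = [dict(ORDERS[0], shares=999)] + ORDERS[1:]   # size changed after close
    deleted = ORDERS[:1] + ORDERS[2:]                      # order 2 removed
    late = dict(ORDERS[1], seq=4, received="2004-02-06T15:58:00")  # backdated insert
    backdated = ORDERS[:2] + [late] + ORDERS[2:]
    for name, recs in [("altered", altered), ("deleted", deleted), ("backdated", backdated)]:
        print(name, "passes audit:", audit(recs, published), "break at:", first_break(recs, links))
```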
This simple approach, using widely accepted and well-understood technology, empowers the Commission to implement enforceable minimal criteria of unforgeable, unalterable, permanent and independently verifiable mutual fund transaction and time integrity. What's more, this solution has already been acknowledged as part of a digital time-stamping standard by the International Standards Organization (ISO), and is implemented worldwide by major corporations and legal institutions.
In sum, Surety strongly urges the Commission to take advantage of the technology that is available today to all market participants - from broker-dealers, to 401K companies, to designated transfer-agents, to registered national securities clearing agencies, to mutual fund companies - and to mandate that, under any solution for time-stamps required by Rule 22c-1, the time-stamps be independently verifiable by outside auditors and the Commission, and at least meet the minimum criteria of being:
- Unalterable;
- Unforgeable;
- Permanent; and
- Independently auditable.
By instituting such standards to Rule 22c-1, the Commission can allow technology to assist its efforts in guaranteeing that late trading is exceedingly difficult to accomplish, no matter which entity - broker, fund, clearinghouse or transfer-agent - is the ultimate guardian of the 4:00 p.m. close.
Thank you very much for your consideration of our comments.
Thomas L. Klaff, CEO
1. U.S. Securities and Exchange Commission, Amendments to Rules Governing Pricing of Mutual Fund Shares (Proposed Rule), 68 Fed. Reg. at 70388 (Dec. 17, 2003).
2. Proposed Rule, Fed. Reg. at 70389.
3. Proposed Rule, Fed. Reg. at 70390.
4. Proposed Rule, Fed. Reg. at 70390.
5. See, for example: "Spitzer Kicks Off Fund Probe with a $40 Million Settlement," Wall Street Journal, September 4, 2003; "Spitzer's Investigation Continues; Information From Vanguard, Millennium Management Sought," Wall Street Journal, September 8, 2003; "More Traders Are Drawn Into Mutual Fund Probe," Wall Street Journal, September 9, 2003; "Fund Probe Turns to Wall Street: Most Major Securities Firms Face SEC Demands For Data; Agency Queries 80 Mutual Funds," Wall Street Journal, September 10, 2003; "Illinois Probes Samaritan Hedge Fund," Reuters, September 11, 2003; "Timing Probe Puts A Focus On Millennium," Wall Street Journal, October 2, 2003; "Fidelity Says It Received Subpoena From Spitzer," Wall Street Journal, October 7, 2003; "Federated Finds Improper Trading," Wall Street Journal, October 23, 2003; "SEC Proposes Mutual Fund Curbs," The Washington Post, December 4, 2003.
6. Speech by SEC Chairman William H. Donaldson: Opening Statement at Open Securities and Exchange Commission Meeting on mutual fund regulations, December 3, 2003.
7. Proposed Rule, Fed. Reg. at 70389.
8. Proposed Rule, Fed. Reg. at 70389, Footnote 18.
9. Proposed Rule, Fed. Reg. at 70390, Footnotes 23-24; 70397, Footnote 86.
10. Proposed Rule, Fed. Reg. at 70389.
11. See, for example: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure," Computer Security Journal, January 2000; "PKI: Who Do You Trust?", EarthWeb, June 7, 2002; "Missing PKI Root Key Causes Panic Attack," Computerworld, February 3, 2003; "MS Outlook digital sigs easily forged," The Register, March 9, 2002.
12. Intranet Security, by Linda McCarthy, Sun Microsystems Press, 1997.
13. U.S. Securities and Exchange Commission press release, SEC Charges Security Trust Company, N.A. and Three Former Executives for Facilitating Fraudulent Mutual Fund Late Trading and Market Timing Schemes, November 25, 2003.
14. See, for example: Rivest, R.L., "The MD5 message-digest algorithm," Request for Comments (RFC) 1810, April 1992; Dobbertin, H., Bosselaers, A., Preneel, B., "RIPEMD-160: A Strengthened Version of RIPEMD," Fast Software Encryption, Third International Workshop, pp. 71-82, Springer-Verlag, 1996; "Secure Hash Standard (SHS)," Federal Information Processing Standards (FIPS) Publication 180-2, U.S. DoC/NIST, August 1, 2002.
15. See, for example: S. Haber, W. Stornetta, "How to Time-Stamp a Digital Document," Journal of Cryptology, Vol. 3, No. 2, pp. 99-111, 1991; D. Bayer, S. Haber, W. Stornetta, "Improving the Efficiency and Reliability of Digital Time-Stamping," Sequences II: Methods in Communication, Security and Computer Science, eds. R. Capocelli, A. De Santis and U. Vaccaro, pp. 329-334, Springer-Verlag, 1993; S. Haber, W. Stornetta, "Secure Names for Bit-Strings," Proceedings of the 4th ACM Conference on Computer and Communications Security, April 1997; Adams, C., Cain, P., Pinkas, D., Zuccherato, R., "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)," Request For Comments (RFC) 3161, August 2001; "Information technology - Security techniques - Time-stamping services - Part 3: Mechanisms producing linked tokens," ISO/IEC 18014-3, 2004.