Jayanth R Varma: Electronic transparency

Source code disclosure will make the regulatory regime fully transparent

While our financial markets have become more or less electronic, the regulation of these markets is still stuck in the manual era.

In the old era, regulations and circulars were implemented by human beings; today they must be implemented by computers after being embedded in software.

The true regulatory regime is not what is written in the regulations, circulars and by-laws, but what is written in the software. Regulators and SROs worldwide have not, however, changed the way regulations are drafted, disclosed or enforced.

The result: (a) The true regulatory regime is not disclosed to the public, (b) the true regulatory regime is not arrived at by open and transparent processes, but is effectively decided by a group of software developers with only imperfect guidance in the form of the English text of the regulations, and (c) there is incomplete accountability for software errors because, after all, it is not possible to prosecute a computer.

Several recent incidents highlight the inadequacies of focusing all regulatory efforts on the English language text of the regulation and the need to turn attention to the computer source code that actually constitutes the true regulatory regime.

The most recent is the incident involving the ONGC offer for sale where wrong share allotments and their subsequent reversal threw the entire market into confusion and turmoil. Wrong processing of a computer file was blamed for the errors.

A few weeks earlier, there was another incident where we were told that the figures being reported about the quantum of bids in book-built issues were exaggerated by double counting. A faulty computer software was said to be the culprit.

Probably the most serious such incident took place a few years ago, when the Calcutta Stock Exchange faced a serious payment crisis. It was said that a software bug had led to wrong computation of margins allowing some large operators to avoid paying margins.

These incidents involve different intermediaries (registrar, stock exchange and clearing house) performing very different functions (allotment, book building and margining). They show that computer-related errors constitute a pervasive threat to market safety and integrity.

Computer bugs are not the only problem. Even if there were no bugs, the fact that computer source code is not disclosed means that common investors are left in the dark about the true regulatory regime under which they operate. They know only the English language text of the regulations which provide only an imperfect summary of the regulations as they operate in reality.

Since key people in the exchanges or other intermediaries that actually run the relevant software are aware of how the software operates, there is enormous scope for insider trading and market manipulation. Since surveillance today is fixated on human actions and inactions, it is very likely that such malpractices would go largely undetected.

It is, therefore, necessary to completely redefine what we mean by the full text of a regulation. We must recognise the actual computer source code itself as the authoritative text of the regulation.

The computer source code must be open and transparent and must be subject to the same public disclosure and comment process to which we subject the English text of our regulations.

The GNU General Public Licence contains an excellent definition of source code which we can borrow: "The source code for a work means the preferred form of the work for making modifications to it. ... (It includes) any associated interface definition files, plus the scripts used to control compilation and installation of the executable ... (but) ... need not include anything that is normally distributed ... with the ... operating system on which the executable runs ..."

Disclosure of the source code can be made without giving the public the right to modify the code or to exploit it commercially. For example, Microsoft has disclosed its source code to over a million customers and other entities under a 'shared source initiative'.

Source code disclosure would not only make the regulatory regime fully transparent, but would also reduce the incidence of bugs. This is because thousands of investors with large monetary stakes would scan the code for bugs that may impact them adversely.

One more thing is needed. An independent auditor must certify that the software that is actually used is the same as what is disclosed. This would typically require the software auditor to independently build and run the software from the disclosed source code and compare a sample output with that of the actual software.

(Jayanth R Varma is a professor at Indian Institute of Management, Ahmedabad. He can be contacted at: jrvarma@iimahd.ernet.in.)