
Software and delegation of authority

Introduction


For the last year and a half the author has worked in the non-banking financial market: stock exchanges, brokers (dealers), management companies, registrars, and clearing, settlement and depository organizations. Each of these types of activity requires a legal entity to obtain a license from the state regulator, the Federal Financial Markets Service.

There are strict legal restrictions on combining activities. For example, a broker cannot also be a stock exchange. Transferring the authority to carry out licensed activities to another person is likewise not allowed.

That is the theory. In practice the stock market, like many other areas, cannot exist without outsourcing. Without it, the technological division of labor in the economy is not possible, and it is thanks to that division that we do not live by subsistence farming but work in our favorite information technologies.

Outsourcing


The stock market has not invented any new types of outsourcing. I will dwell on two of them:
  1. Software development;
  2. The provision of services.

Almost all participants of the stock market resort to the services of third-party software developers. Not every large brokerage firm can afford to develop from scratch the services that give its customers market information and access to stock and other exchanges, and that let the firm itself monitor risks and process transactions. The best-known developer in our country is ARQA, but there are others.

Small brokerage firms are not able to maintain their own server infrastructure. The same ARQA provides not only software but also services: the brokerage firm exists on paper and in its office, but in reality the bulk of its activity is carried out by the services the outsourcer provides.

The same situation is possible in the organization of exchange activities: nominally the exchange (clearing, settlement, depositary) license is held by one organization, while the actual exchange service, developed by a second organization, runs on the servers of a third.

The same situation, to varying degrees, is possible in any other area requiring licensing, for example, in banking.

This raises questions:
  1. Does the license holder in fact delegate the execution of part of its licensed functions to the outsourcer?
  2. If it does, do the risks that licensing is intended to reduce increase as well?
  3. If the risks increase, how can they be reduced?

Self control


In short, the answer to the first question is yes. Everyone who has thought about this topic understands it. Everyone understands that an outsourcer, through its employees (programmers, system administrators), is able to spy on licensed activities or even intervene in their course.

In the case of the stock market, it is enough just to peep, and we are not necessarily talking about getting write access to the accounts and orders of the broker's clients.

Say, it is enough to see that some customer is about to submit a large order at the best price, and to insert one's own order ahead of it. This is called front running, and it is practiced all over the world; the best-known example is the investment bank Goldman Sachs, which front-runs its customers.

The state bodies understand this and, really, do nothing. For two reasons:
  1. As already mentioned, if outsourcing is abolished, the cost-effectiveness of the licensed industries is likely to decrease;
  2. Theoretically, it remains possible to move from one outsourcer to another.

Risks


It is quite difficult to assess the risks caused by outsourcing, because while everything was fine and the market, pumped up by newly issued dollars, was growing, no one had any problems. Now the stock market is withering, its participants are quietly disappearing, and the outsourcers' client base is declining too. The base is declining, and the temptations are increasing.

At the same time, it is almost impossible to track down leaks of insider information in the face of huge automated data flows. And how can one tell, looking from the outside, whether there is a great deal of abuse in the licensed area? How is the state regulator to tell?

You can, of course, introduce licensing for outsourcers, but, unfortunately, human temptations are not constrained by licenses. The people involved could be designated insiders, but who will work out which IT person is an insider and which is not? And will there not be too many of them? But the state regulator simply does not have specialists capable of understanding the intricacies of the information infrastructure.

It is also possible to require by law that licensed activities be carried out exclusively on software supplied with its source code. But the perennial question is: will the security of these systems decrease?

Conclusion


The author has asked more questions than given answers. There is a suspicion that a near-technological answer can be found to some of these questions. I would like to discuss this.

Source: https://habr.com/ru/post/158527/

