Money Stuff

Bank Regulators and Cyber Ninjas

Also Finra flags, IPO checklists, avocado toast and variance swaps.

Financial regulation.

"The Trump administration laid out its highly anticipated plan for overhauling bank rules" yesterday, and it is pretty good I guess? Here is the Treasury Department report, and just as a matter of form, it generally seems to have been written by professionals who are familiar with bank regulation, which I can't say I entirely saw coming. (It "was spearheaded by Craig Phillips, a former BlackRock Inc. executive who was a major fundraiser for Hillary Clinton’s presidential campaign.")

As for content, there is a lot of it, and it is fairly miscellaneous, without too many unifying themes. One broad but boring theme seems to be that smallish banks -- below $10 or $50 billion in assets, depending on the provision -- should be exempted from Dodd-Frank stress tests and the Volcker Rule and other rules. I cannot get that excited about small-bank deregulation, but if you are a small bank this report will probably be pretty exciting for you.

Another theme that I can perhaps get a bit more excited about is: Treasury is worried about bond market liquidity. This comes up in various places, such as in the leverage ratio and the Volcker Rule, where the report calls for relaxing the "reasonably expected near term demand" requirement:

In particular, for illiquid securities, banks should be permitted to focus less on predicting with precision the future demands of clients based on past patterns and should have greater leeway to anticipate changes in markets that could increase demand for such securities. For over-the-counter derivatives, which are less suited to the RENTD framework, regulators should focus more on ensuring that banks appropriately hedge the positions they maintain.

Another big subject in the report is the power of the Consumer Financial Protection Bureau. The basic story of the CFPB is that Democrats like it and want it to maintain independent power, and Republicans dislike it and want it to be more subject to political oversight, and you can guess the main thrust of this Republican report. But more interesting to me was the discussion of the CFPB's rulemaking-by-enforcement approach: 

The CFPB should issue rules or guidance subject to public notice and comment procedures before bringing enforcement actions in areas in which clear guidance is lacking or the agency’s position departs from the historical interpretation of the law.

The CFPB wields broad authority to impose monetary sanctions through enforcement actions. The CFPB’s excessive reliance on case-by-case enforcement to develop the UDAAP standard, in particular, too often deprives regulated parties of fair notice and chills innovation in financial products and services. Consumers ultimately pay the price in reduced choices or higher costs.

To create a more stable regulatory environment, the CFPB should adopt regulations that more clearly delineate its interpretation of the UDAAP standard. The agency should seek monetary sanctions only in cases in which a regulated party had reasonable notice — by virtue of a CFPB regulation, judicial precedent, or FTC precedent — that its conduct was unlawful.

UDAAP is "Unfair, Deceptive or Abusive Acts and Practices," but this is a much more general feature of financial regulation: A great deal of regulation is conducted by deciding that a practice was bad and then punishing the people who did it. This puts future people on notice that the practice is now illegal, but the original people -- who did the practice when it was bad, sure, but before it was explicitly declared illegal by the regulators -- might feel a bit hard done by. Wouldn't it be fairer for the regulators to decide that a practice is bad and then announce that it's bad, and punish anyone who does it after that? This is a tricky subject, of course: Bankers are themselves constantly seeking novelty, and if they commit a novelty that really should have been illegal, you can see why the regulators would want to punish them immediately rather than outlaw it prospectively. Still, it is hard to argue with the general principle that people should be punished only if they had reasonable notice that their conduct was unlawful.

The DAO hack.

"Remember when I was telling you about that huge unhackable pile of money?", a man asks his wife in this rollicking story about ethereum and the DAO, and I bet you know where he was going with that! "'It's been hacked,' he told her." Sure it was, sure it was. We have talked about the DAO hack before: Basically, some people set up a "decentralized autonomous organization" on the ethereum blockchain, a set of smart contracts that were meant to constitute "a new breed of human organization never before attempted," "borne from immutable, unstoppable, and irrefutable computer code." Except that the code was wrong. Delightfully, the specific problem was in line 666 of the code, which allowed an investor in the DAO to withdraw as much money (well, ether) as she wanted. Someone figured this out and withdrew millions of ether from the DAO before anyone noticed. And then, when they did notice, the DAO developers decided that the best way to protect against this bank robbery was to rob the bank themselves and put the money somewhere safer:

To save the DAO, they’d have to steal the remaining ether, then give it back to its rightful owners.

And yet as they scrambled that Friday, qualms emerged within the group. “What does it even mean to hack something?” Van de Sande asks. No one knew if what they were about to do was legal. Also, wouldn’t their hack look just as bad as the theft they were trying to stop?

"What does it even mean to hack something" seems to be the key philosophical question of the DAO episode, and I submit to you that you probably don't want to invest your life savings in projects that raise philosophical questions like that. If your bank ever said to you "well, what does it even mean to hack something," you would worry. You know what it means! It's just that, with the DAO, the code didn't know what it means, and the whole point of the DAO was to substitute the code's judgment for yours. Anyway: cyber ninjas.

“You literally have cyber ninjas warring on the blockchain,” says Vessenes, the programming expert. “What they’re doing is almost certainly illegal, but they’re claiming it’s for the greater good.”

And now it was Van de Sande’s job to let the community know that the Robin Hood group counterattack was benign. He took to Twitter, where he wrote “DAO IS BEING SECURELY DRAINED. DO NOT PANIC.”

Again, we have reached a point in the U.S. financial system where major banks almost never communicate with customers by tweeting "DO NOT PANIC" in all caps, which is something to consider when you hear blockchain and smart-contract proponents sneering at the backwardness of bank money transfer protocols.

The good hackers didn't quite succeed in stealing the money to prevent it from being stolen, but instead other ethereum developers figured out an even better way to prevent it from being stolen, which was by initiating a "hard fork" in which everyone on the ethereum blockchain just agreed to forget about the whole incident and put the money back where it had been. (“Some bitcoin users see the hard fork as in some ways violating their most fundamental values,” said ethereum creator Vitalik Buterin. “I personally think these fundamental values, pushed to such extremes, are silly.”) This mostly worked, but not everyone on the ethereum blockchain agreed, so the fork ended up creating two ethereum blockchains: "ethereum," which has forgotten about the DAO hack, and "ethereum classic," which lovingly preserves it.

Alexis Roussel, co-founder of, a digital currency broker in Switzerland, still marvels at the aftereffects of the hard fork and the wild world of the blockchain. “This is something that doesn’t happen in traditional finance,” he says. “If something happens with Apple, you don’t suddenly have a clone of Apple.”

Right, true, though isn't that sort of a tempting idea? Like if only 51 percent of shareholders approve a controversial merger, then the other 49 percent can just fork off into an alternate universe where the merger never happens? Anyway these days ethereum classic is valuable enough that the hackers' take is worth about $67.4 million.


I don't know where high-pressure Long Island retail brokerage firms get their lists of prospects to cold call, but whoever gave Joseph Stone Capital its list had a good sense of humor.

Joseph Stone was investigated by the state of Montana after one of its sales representatives, Lawrence Sullivan, cold-called the office of Montana’s Commissioner of Securities and Insurance to pitch an investment on January 15, 2016, according to a report on the incident by the regulator.


During the call that got the firm into trouble, Sullivan pitched Navarro on an investment in Paypal stock, the report said. After Navarro informed Sullivan that he worked for the state’s securities regulator, Sullivan blurted out “Happy New Year!” and hung up.

It is perhaps not surprising that Joseph Stone had trouble with its cold-calling list, when you consider its list of brokers: "71 percent of the firms’ 59 brokers had FINRA flags on their records, according to the Reuters analysis." That story is from a Reuters report on brokerage firms who employ lots of brokers with "a history of regulatory run-ins, legal disputes or personal financial difficulties" that the Financial Industry Regulatory Authority requires them to report. Of course Finra is a self-regulatory organization made up of industry representatives, and it is pleasing to learn that Florida-based brokerages with lots of regulatory flags are represented on its board:

At least one executive from a firm identified in the Reuters analysis serves on FINRA’s 24-member Board of Governors - Brian Kovack, president of Fort Lauderdale-based Kovack Securities Inc.

Thirty-four percent of the firm’s 388 brokers have a history of FINRA flags, according to the Reuters analysis.

How to do IPOs.

I used to do equity capital markets offerings (disclosure, which will become relevant in a moment: at Goldman Sachs Group Inc.), and like any sensible person I kept a checklist in a Microsoft Excel file listing everything I had to do to get an offering done, because if I forgot to, say, call compliance, or make sure that the company had enough authorized shares to do the deal, then someone would yell at me. There was a lot of creative thinking that went into structuring these deals, and a lot of marketing and client advising that went into getting them done, but also there was a checklist, and checking the number of authorized shares was on the checklist. Anyway Goldman has figured out that you can automate the checklist:

Just 21 months after the firm disclosed its plan to re-engineer one of Wall Street’s most lucrative businesses, the project has found ways to eliminate thousands of hours of work long performed by humans. A computer-based interface called Deal Link has replaced informal checklists that were once tended and passed down between generations of rainmakers. It now arranges and tracks legal and compliance reviews, fills in forms and generates reports.

It came too late for me, but for succeeding generations of rainmakers this seems like a straightforwardly good thing. As always, there is some worrying that this will lead to job losses, but I don't see it. I mean, I used Excel, which automated a much more central part of the banker's job than calling compliance. It is not like the invention of spreadsheets caused a collapse in investment banking employment; quite the reverse. And it's not like Goldman will now lay off the junior banker whose job was to keep the deal checklist. That was just one small part of her job. Now she can focus on higher-value projects, or just go home a bit earlier, which seems to be a thing in banking these days.

By the way, don't you love, like, "financial technology"? This basic sort of business-process automation is so obvious and dull that it wouldn't be news in any other industry. ("Goldman Sachs’s approach may seem obvious, but it’s cutting edge for Wall Street.") But there is so much interest in the higher-order automation of Wall Street -- in replacing the intellectual functions of stock trading and investment management and maybe even banking with artificial intelligence -- that, when a bank just automates a checklist, it is exciting and controversial.


With the recent volatility in bitcoin it is becoming increasingly clear that the true monetary foundation of the modern economy is avocado toast. It is famously a store of value, which millennials apparently use as a substitute for owning real estate, but it is also apparently a unit of exchange? Here is a story about Zelle, an instant-money-transfer service that big banks are introducing to compete with Venmo:

More than 30 banks plan to introduce the service in the coming year, including major institutions like Bank of America, Chase, Wells Fargo, Citi, U.S. Bank, First Bank, and Fifth Third.

This might sound like an old-school group of institutions not known for their prowess with slick mobile apps. But don't worry: Zelle is all about the kids. There's even a photo of avocado toast on its website.

I like eating avocado toast sometimes, but I am probably too old to fully understand its centrality to modern finance. I guess I have the same problem with ethereum though.

People are worried that people aren't worried enough.

Here's a front-page article about "The Snowballing Power of the VIX, Wall Street’s Fear Index," which includes some prime worrying-about-insufficient-worrying quotes:

The lack of fear scares some investors who say bloated stock prices portend a painful reckoning when monetary policy tightens.

“They’re not adding to market stability. They’re just building a bigger bomb,” says Tom Chadwick, a New Hampshire financial adviser who uses VIX options to help protect his clients’ portfolios from downturns. He says the Fed’s policies have kept volatility artificially low for so long that the speed of any reversal will be more severe. “When this goes, you’re going to see the mushroom cloud from Saturn.”

The bulk of the article is a history of how CBOE Holdings Inc.'s VIX volatility index came into being and became democratized as a retail product. It's an interesting history; apparently Mark Cuban once tried to buy a VIX future from Goldman Sachs Group Inc. and was rejected, after which Goldman "rewrote the VIX formula, expanding it to a larger universe of stock-market bets and making it possible to create a tradable futures contract," which then led to lots of VIX futures trading, and VIX exchange-traded funds, and the whole VIX ecosystem.

It is actually a little strange. When Cuban first called Goldman in 2002, they couldn't do a VIX future, but they "instead offered him an arcane derivative called a 'variance swap,' but Mr. Cuban wasn’t interested." I feel like the trick is maybe don't start with "hey this is an arcane derivative"? A variance swap, as these things go, is pretty simple: We agree that if the volatility of (say) the S&P 500 Index over the next (say) year is more than (say) 10 percent, I'll pay you the difference, and if it's less then you'll pay me. The VIX, meanwhile, is a bit of a monstrosity: It uses a formula to back out implied volatility from a bunch of S&P 500 options, and it is based on very short-term options so it constantly needs to be rolled over. If you want to bet on stock-market volatility over the next year, a variance swap just lets you do that straightforwardly; the VIX does not quite. It's fun to imagine what would have happened if, after turning Cuban down, Goldman had worked to mass-produce and democratize a volatility product based on variance swaps -- based on actual volatility -- rather than based on the VIX.

People are worried about unicorns.

I feel like a lot of public-company chief executive officers will be pretty jealous when they read this description of Uber Technologies Inc.'s employee stock buyback program, in which (1) employees can basically only sell their stock back to the company, not in a public market, and (2) if they sell any stock back to the company, they have to agree to vote their remaining stock as directed by CEO Travis Kalanick. "Even if a worker sells only 10 percent of his or her stock back to the company, that worker agrees to give Mr. Kalanick the voting rights to 100 percent of his or her stock." It seems a little weird to use corporate money to cement the CEO's personal voting control, but I guess that is more or less unicorn-standard these days.

Elsewhere in Uber, top Kalanick lieutenant Emil Michael is leaving as a result of the board's investigation of the company's culture, "signaling that the era of the boys’ club at the top is all but over at Uber." He is not happy about it:

Michael believes that a weak board of directors, a lax internal legal team, coupled with his tight friendship with co-founder Kalanick, ultimately led to his downfall—not the scandals, two people close to Michael said.

He places the blame on the directors, particularly investor Bill Gurley, for his removal, accusing them of not having the backbone to stand by him amid what he sees as largely mischaracterized and inconsequential controversies, the people said.

Elsewhere in the Enchanted Forest, here's a story about Andreessen Horowitz partner Jeff Jordan's pickup basketball game. ("Stanford Business School now is a tech incubator," he says.) And here is an argument that to foster diversity, startups should be more professional and work less:

When our office culture is focused on business rather than socializing, we reduce the number of ways in which we all have to be the same. When we do that, we allow diversity to flourish. If your culture expects people to work long hours or hang out off-hours, the strain on the people who are different, in whatever way, is increased, and your ability to retain a diverse work force is reduced.

People are worried about bond market liquidity.

I mean, Treasury is, see supra. Meanwhile: "Markets Unfazed as Federal Reserve Nears Plan to Shed Bonds."

Things happen.

U.S. Lawsuit Links $2.2 Billion Deal to Malaysian 1MDB Scandal. Brussels insists on power to control euro clearing after Brexit. Puerto Rico Finds Going Bust Isn't Cheap as Consultant Fees Rise. Viking to Return $8 Billion to Investors. “Mike Mayo will still be Mike Mayo,” says Mike Mayo. "The reality is that since Mr. Trump was elected, mergers have fallen off a cliff." Subordinated debt at small Spanish banks feels the heat. "Systematic, computer-driven strategies probably had a hand in Friday’s tech plunge." SoftBank’s Son uses rare structure for $93bn tech fund. England’s Growing Wine Industry in Ferment Over Brexit. Flying Cows to Qatar Is One Man’s Way to Beat the Saudis. "The native New Yorker likes to go beyond the usual interactions between managers and would-be investors in conference rooms which he describes as a 'Kabuki dance' in reference to a Japanese dance-drama that involves stylized expressions and melodramatic plots." COVFEFE Act. "Technology, doing the right hashtags, connecting it to social and audience and growth and clicks, using PhotoShop and resizing photos, moderating comments." Tokyo Zoo Panda Gives Birth, Sending Shares in Retailers Surging. 

(Corrects the description of the VIX formula in the sixth item.)
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Matt Levine at

    To contact the editor responsible for this story:
    James Greiff at