Friday, September 19, 2008

Don't Just Regulate -- Reward Self-Regulation

Few things flood the streets of American punditry with disclaimers like a good financial crisis. The economy is just so technical and esoteric that nobody gets it all. Of course, that doesn't stop the pundits from rendering opinions. I heard an interesting combination of exaggerated disclaimer followed by ridiculous claim on Jay Severin's WTKK talk show the other day.

(Aside: Why do I keep listening to Severin? Every once in a while, he makes a good point, but more importantly, he knows how to enunciate. Is there an unwritten rule that 90% of the broadcasting industry has to have some sort of speech impediment?)

He said that the overall financial crisis is rooted in the collapsing mortgage market. So far, so good. Then he said that the bad mortgages were allowed because of changes in lending policy introduced by Democrats years ago. This doesn't sound right to me.

My understanding was that a spike in loan defaults wasn't itself anything out of the ordinary -- it was the fact that Wall Street had figured out a way to repackage mortgages as a new type of investment vehicle, the CDO or collateralized debt obligation, that created the ripple effect. That repackaging technique flooded the market with CDOs which were then snapped up by all kinds of banks and other financial services firms.

Without CDOs, I'm sure the housing collapse would still have had serious repercussions, but I'm guessing they would have been confined strictly to banks, not investment houses and other financial institutions.

(Another Severin point: government bailouts are bad because they'll force us to either raise taxes or engage in further deficit spending. "$85 billion to bail out AIG!" Well guess what, Jay: $85 billion is the price tag of only 34 weeks in Iraq. At this point in the war's progress, we've bailed out AIG 7.6 times already. In this way, I feel fiscal conservatives' pain: they don't get to bang their usual drums, because the single most fiscally irresponsible thing we've done in the last decade was on their own party's watch. If fiscal conservatives vote their conscience this year, Bob Barr will get at least as many votes as Ross Perot did.)

Back to CDOs. Reading Wikipedia's article about them, I learned they are a type of synthetic security:

"Any combination of financial instruments producing a market instrument with different characteristics than could otherwise be achieved, for example, higher yield, better liquidity, or interest rate protection."

A "natural security" would be a stock or a bond -- investment vehicles that have been around for centuries and are understood well. A synthetic security is made up -- an artificial construct that had to be designed by some financial genius, composed of more basic parts.

This strikes me as being very similar to computer programming. In programming, you're given a few basic operations, and expected to put them together in ingenious ways to create software whose overall behavior exhibits the desired characteristics. A synthetic security is to the rules of finance what a software program is to the rules of computer science.

Now, as we've learned through years of painful experience, software can be good or bad. It can be reliable or buggy. It can be deliberately installed or contracted like a virus. It can follow the paths of least resistance in networks to propagate itself throughout an entire system.

The computer security guru Bruce Schneier has described in several of his essays an "arms race" between the "black-hats" who write malicious software and the "white-hats" who write software that defends against it. The black-hats are constantly inspecting and examining the technology landscape, looking for loopholes and vulnerabilities that they can exploit. Once they develop and popularize an exploit, the white-hats figure out how to detect it, motivating the black-hats to just look elsewhere for new holes.

Or as Schneier puts it: "improvements in detection technologies lead to improvements in...detection evasion, which in turn spur the development of better detection capabilities." And so on.

The advent of synthetic securities has brought that arms race to the financial world. People can argue about whether increased government regulation is (part of) the answer to our current problems, but one thing that everyone has to agree on is that the capabilities of regulation -- any amount of regulation -- are constrained by the knowledge of the regulators. You can't regulate what isn't yet known to be a threat.

S&Ls, junk bonds, CDOs -- these are all exploits that were developed by financial black-hats who spent years scrutinizing the workings of financial markets looking for loopholes and vulnerabilities. Those black-hats were strongly motivated, because if they could find just one working exploit, they could make themselves mega-rich. So what if it had disastrous downstream consequences for everyone else?

After each of those exploits became popular and caused a problem, regulations were changed to prevent them from working. In other words, the vulnerabilities that enabled the exploit were patched. But this patching is simply another change to the system -- and every change has the potential to introduce a new vulnerability. Fix one bug, introduce another. The black-hats will never stop looking for them, and never stop coming up with new exploits.

David Brooks recognized this and declared: "We’re going to need regulators who can anticipate what the next Wall Street business model is going to look like, and how the next crisis will be different than the current one."

That might work. But it's just a continuation of the arms race. There is one technique, one dynamic, that could be borrowed from the computer security world and implemented in the financial world, that could potentially bring the arms race under control.

Instead of having "squads of low-paid regulators who can stay ahead of the highly paid bankers, auditors and analysts who pace this industry," why not grant one-time amnesty to whichever black-hat notifies the regulators of a new exploit?

Think about CERT, the Computer Emergency Response Team at Carnegie Mellon University. CERT is a neutral clearinghouse for computer security information. Software makers who find security vulnerabilities in their own products can notify CERT so that its users can protect themselves. But the majority of information that flows into CERT comes from black-hats who have actually developed an exploit for whatever vulnerability they've found.

Imagine this dynamic in finance. A black-hat financial genius scrutinizes the market and discovers some vulnerability. He cooks up a synthetic security that exploits that vulnerability. The exploit makes him shitloads of money. But instead of allowing other financial folks to notice this and quietly pile on, creating a new bubble based on that synthetic security, the black-hat notifies the regulators. The regulators immediately outlaw or otherwise restrict the new synthetic security -- and as a thank-you to the black-hat for doing the responsible thing, he's allowed to keep all the money it earned him.

This harnesses the behavior of the black-hats and allows them to satisfy their primary goal -- to get wildly rich through insidiously clever means -- while shielding the overall market from the unintended consequences of their cleverness. It introduces a new set of incentives that motivates the market to police itself.

We still need traditional regulation to take care of the practices that are known to be disruptive. But until we introduce a channel through which regulators can be alerted to new, unknown practices, those regulators will remain blind to them until they explode in another crisis like the one we're dealing with now.
