May 20, 2004

Mutual Funds - Timestamping

In a rare arisal of a useful use of cryptography in real life, the mutual funds industry is looking to digital timestamping to save its bacon [1]. Timestamping is one of those oh-so-simple applications of cryptography that most observers dismiss for its triviality.

Timestamping is simply where an institution offers to construct a hash or message digest over your document and the current time. By this, evidence is created that your document was seen at that time. There are a few details as to how to show that the time in ones receipt is the right one, but this is trivial (meaning we know how to do it, not that it is cheap to code up..) by interlinking a timestamp with the preceeding and following ones. So without even relying on the integrity of the institution, we can make strong statements such as "after this other one and before this next one."

The SEC is proposing rule changes to make the 4pm deadline more serious and proposes USPS timestamping as one way to manage this [2]. There are several things wrong with the USPS and SEC going into this venture. But there are several things right with timestamping in general, to balance this. On the whole, given the complicated panopoly of strategic issues outlined earlier, timestamping could be a useful addition to the mutual funds situation [3].

First what's wrong: timestamping doesn't need to be regulated or charged for, as it could easily be offered as a loss leader by any institution. A server can run a timestamping service and do 100,000 documents a day without noticing. If there is any feeling that a service might not be reliable, use two! And, handing this commercial service over to the USPS makes no regulatory sense in a competitive market, especially when there are many others out there already [4].

Further, timestamping is just a small technical solution. It shouldn't need to be regulated at all, as it should be treated in any forum as evidence. Either the mutual fund accepts orders with timestamps, or it doesn't. If it doesn't, then it is taking a risk of being gamed, and not having anything to cover it. An action will now be possible against it. If it does only accept timestamped orders, then it's covered. Timestamping is better seen as "best practices" not as Regulation XXX.

Especially, there are better ways of doing it. A proper RTGS transactional system has better protections built in of its nature than timestamping can ever provide, and in fact a regulation requiring timestamping will interfere with the implementation of proper solutions (see for example the NSCC solution in [1]). It will become just another useless reg that has to be complied with, at cost to all and no benefit to anyone.

Further, it should be appreciated that timestamping does not "solve the problem" (but neither does the NSCC option). What it allows for is evidence that orders were received by a certain time. As explained elsewhere, putting a late order in is simply one way of gaming the fund [5]. There are plenty of other ways.

Coming back to where we are now, though, timestamping will allow the many small pension traders to identify when they got their order in. One existing gaping loophole is that small operators are manual processors and can take a long time about what they do. Hence 4pm was something that could occur the next day, as agreed by the SEC! With timestamping, 4pm could still be permitted to occur tomorrow, as long as the pension trader has timestamped some key piece of info that signals the intent.

For this reason, timestamping helps, and it won't hinder if chosen. The SEC is to be applauded for pushing this forward with a white paper. Just as long as they hold short of regulation, and encourage mutual funds to adopt this on an open, flexible basis as we really don't want to slow down the real solutions, later on.

[1] U.S. Postal Service Wants to Deliver Fairness to Mutual Funds
[2] White Paper on Mutual Fund Reform and the USPS Electronic Postmark®
[3] Mutual Funds - the Softball Option
[4] E.g., DigiStamp,
[5] Nesfield and Grigg, "Mutual Funds and Financial Flaws," testimony before U.S. Senate Finance Committee, 27th January 2004.

Posted by iang at May 20, 2004 04:53 AM | TrackBack

I would mention that the SEC has NOT proposed the USPS/Authentidate solution. The SEC is still examining the overwhelming responses from the market on their proposed rule amendments which advanced the hard 4pm close at the mutual fund. The intermediaries cried foul and sent in alternative proposals to the SEC which include timestamping technology as a point solution in many, if not all, of their proposals. My company, Surety, offers a digital timestamping and notarization solution, and we are taking an active role in influencing the SEC to upgrade the mutual fund industry timestamping standards that were first adopted in 1968 to authenticate paper-based transactions. Our comment letter to the SEC may be found on our website at

Posted by: Tom Klaff at May 25, 2004 04:29 PM

FWIW, I told a brokerage client back in 1993 that timestamping orders was necessary, in order to prevent fraudulent paper-trails in electronic trading. I wasn't persuasive enough -- they ignored that recommendation, AFAIK.

Posted by: "someone" at May 25, 2004 04:59 PM