By Nathan Lynch, Thomson Reuters

The revelation that a technology firm managed to pre-empt Twitter's latest results announcement, using a simple strategy, has raised questions about the extent to which traders are able to front-run key information releases. The publication of data mining firm Selerity's "coup" has sent shockwaves through compliance and IT departments around the world, in what must rank as one of the finest pieces of free publicity a start-up could possibly engineer. The information leak has also posed huge challenges for regulators, who would find it difficult to take enforcement action against any algorithmic trading firms that take advantage of such opportunities.

At 3.07pm on April 29, almost two hours before the scheduled announcement, Selerity used Twitter's own platform to reveal to the world that the company would miss its first quarter revenue targets.

"#BREAKING: Twitter $TWTR Q1 Revenue misses estimates, $436M vs. $456.52M expected," the tweet, which was written by an algorithm, stated.

Twitter was taken aback by the leak. Its shares fell 6 percent before the company could secure a trading halt.

The market and Twitter were left to ponder the source of the leak, which was too accurate to be mere guesswork, for almost 30 minutes. Selerity followed up with a tweet at 3.34pm stating: "Today’s $TWTR earnings release was sourced from Twitter’s Investor Relations website https://investor.twitterinc.com . No leak. No hack."

The plot thickened.

In a detailed article released this week, Selerity's chief technology officer Andrew Brook explained how his firm managed to secure market-sensitive information hours before the official release of Twitter's results. As it turns out the leak was from Twitter's IT department, which uploaded the Q1 results report to its publicly available web server with two hours to spare before the official release and conference call. The IT team took the view that until a link to the document was made public, it would simply sit idle in cyberspace; a destination with no paths to reach it.

Twitter used a set formula for its URLs (or web addresses) and the result was highly predictable for anyone who was paying attention. As such, Selerity wrote a piece of computer code called a "web scraper" to poll the predicted URL every couple of seconds from 2pm on the afternoon of the announcement.

By 3.07pm and 54 seconds, the algorithm had not detected any changes at the specific URL (https://investor.twitterinc.com/results.cfm?Quarter=1&Year=2015). Then, two seconds later, it scored a hit. The IT team had uploaded a file to that address.

Lightning-fast leak

Perhaps the most frightening thing for regulators and compliance teams is how quickly the algorithm reacted to the file with a "real world" response. Within three seconds Selerity's code had downloaded the linked document (a PDF titled "2015 Q1 Earnings Release FINAL - WOTB.pdf"), extracted the key text from the file, set multiple algorithms to work on it and then published the key information via the company's Twitter feed.

Seven seconds after the IT team had uploaded the file there was a surge in trading activity, according to Nasdaq data. In human terms, that speed is unthinkable. For compliance practitioners and regulators, it is obvious that organisations with a different agenda to Selerity could have been quietly trading on the data, unbeknown to the rest of the market.

Brook takes umbrage to the claim that Selerity's strategy was a "hack". He said the word hack implies that there was a breach of laws or privacy, which he said was "something Selerity would never do".

"Nor was it a 'leak' by Selerity; it had already been published in the expected manner in the expected location. It was just early. We did not 'guess' the URL that contained Twitter's quarterly earnings results," Brook said.

The Twitter leak is not the first of its kind and this type of "web scraping" is far from an obscure strategy among technology specialists. In 2011 Selerity rode a wave of publicity after managing to pull off a similar coup against Microsoft, releasing its results to the market more than an hour early.

Selerity at the time said it was not uncommon to be able to unearth key results early, though usually it was just a matter of minutes or seconds before the official announcement.

Ripples around the world

The Twitter "technical leak" sent waves as far as Australia where the country's central bank has been plagued by suspicious trading ahead of its February, March and April monetary policy announcements. The Australian Securities and Investments Commission (ASIC) is investigating possible insider trading in foreign exchange instruments after the February, March and April RBA meetings were pre-empted by a clear movement in the value of the Australian dollar just seconds before the official 2.30pm announcements.

The Reserve Bank of Australia (RBA) said it had ruled out "any evidence of procedural lapses or conduct that could have led to the early release of relevant information." Yet some market participants have been speculating that the RBA may have fallen victim to a Selerity-style "technical leak".

The difference in the RBA's case is that if a leak had occurred, then it was discovered by traders, not by Selerity.

Certainly the RBA's media releases follow a predictable formula, as the list below indicates:

• February: http://www.rba.gov.au/media-releases/2015/mr-15-01.html
• March: http://www.rba.gov.au/media-releases/2015/mr-15-03.html
• April: http://www.rba.gov.au/media-releases/2015/mr-15-05.html

If those files became active minutes or seconds before the links were posted on the RBA website's home page, then algorithms would have had ample opportunity to front run the official 2.30pm announcement by trading on foreign exchange markets.

The regulator, which is investigating the trades, said it had not found any evidence of misconduct in its initial investigations. ASIC has attributed the suspicious trading patterns to the combined effects of algorithmic trading and a lack of liquidity prior to the official announcements, which amplifies the market effect of any trades.

"The reduction in liquidity providers is a usual occurrence prior to announcement in all markets. Much of the trading reviewed to date was linked to position unwinds by automated trading accounts linked to risk management logic and not misconduct," ASIC said in an official announcement.

Yet the RBA and regulator's explanations do not explain why the suspicious activity occurred for three consecutive months and then stopped. Nor do they explain how the pre-2.30pm trading was an accurate predictor of the RBA decisions, despite some of those decisions going against consensus forecasts.

"No comment"

When Compliance Complete put the "URL scraping" theories to ASIC the regulator said that it had no further comment to make, beyond its most recent public statement on the day of the May RBA decision. Likewise, the RBA itself declined to comment further on the investigations or to reveal whether technological leaks such as those at Twitter had been investigated as a possibility.

For regulators the early release of public information is a complex issue. Whenever an organisation publishes market-sensitive material to its public internet servers it has effectively released the material — regardless of whether the official release has occurred or whether the link to that material has been made available to the public.

Selerity's Brook said: "The process of obtaining earnings press releases immediately after publication isn't very hard — which is a good thing since these are intended to be easily accessible to everyone ... Anyone with a Web browser and an Internet connection could have followed the links from the main investor relations page to the same PDF file that Selerity found."

Brook noted that open source web scraping libraries and third-party web scraping services abound and do not require especially powerful computers. The scraper that downloaded the Twitter earnings report runs on a two-year-old commodity Dell server.

In addition, the Securities and Exchange Commission (SEC) in the United States has not initiated any regulatory investigations in relation to the trading that took place on the back of Selerity's tweet. The reason is that, under inside trading laws, the information is no longer "non-public" once a company has uploaded material to its public servers. The information is publicly available to anyone with an internet connection who has the dedication and technical nous to access it.

Brook said: "Anyone with a web browser and an internet connection could have followed the links from the main investor relations page to the same PDF file that Selerity found."

David Jacobson, principal at Bright Law, said it is well established that it is not insider trading or "hacking" or theft to use technology to access files that are posted online. He said similar issues have arisen with documents whose metadata is not cleaned and spreadsheets that are published with their worksheets or other sensitive material intact.

"The issue is really one of compliance education for technology and marketing staff. They need to ensure that they understand the importance of securing files and the timing of their public release," Jacobson said.

Given that Brook believes the pre-loading of files is endemic, and regulators' hands are effectively tied, the responsibility for ensuring an orderly release of market announcements falls back to the organisations concerned. It is essentially up to the organisations themselves to ensure that market integrity is upheld by only releasing market-sensitive information through the right channels at the right time.

Key lessons

The vital lessons from the Twitter and Microsoft cases are that organisations need to have clear lines of communication between compliance, risk and IT practitioners to ensure that appropriate systems and controls are in place for the release of key information. With some critical thinking between risk and compliance teams, who should foresee these types of risks, and the IT teams who control the release of information, it is not difficult to avoid these technical leaks.

Teams need to ensure that PDFs or web pages containing sensitive material go live as close to the public announcement as possible, ideally through synchronized servers. In addition, as a second line of defence, organisations should move away from predictable URLs for sensitive announcements and instead use random strings of characters. That way, it becomes virtually impossible to predict and poll the URL containing the market-sensitive data, even if it does "go live" a few seconds before the link is made public.

While the Twitter "technical leak" is embarrassing in its simplicity, it is understandable that no organisation would want to get caught out with such a simple compliance oversight.

Belinda Gibson, principal at consultancy BG Advisory, said the situation for listed companies is even more complex as they may have a requirement to make any announcements via the exchange. In Australia, for instance, Listing Rule 3.1 on continuous disclosure requires organisations to report certain material information via the ASX market announcements office. Under Listing Rule 15.7, an entity must not release this information until it has been given to ASX and the entity has received an acknowledgement from the exchange that the information has been released to the market. "This includes releasing the information to the media or to analysts, even on an embargoed basis," the ASX's guidance notes.

"Market announcements cannot go live until they are lodged with the ASX and prudent companies wait until the ASX has in turn posted to the public announcements before they go live," Gibson said.

Gibson said an organisation could be in breach of the continuous disclosure obligations if it has a live document on its public website, regardless of whether the specific link has been made public.

"Market participants and issuers need to understand the technology behind the announcement timing process to ensure that no inadvertent advantage is given to anyone," said Gibson, a former deputy chairman of ASIC.

Even more worrying is Selerity's observation that technology is moving in leaps and bounds in this field and the early release of Twitter's financial results is "just a taste of what's to come".

In this environment, regulators and compliance teams need to develop a robust, clear, open and regular dialogue with their IT specialists to ensure they are staying ahead of the risk curve. In managing these types of risks, IT specialists can help to identify the emerging risks, while risk and compliance teams can help to structure appropriate internal controls.