> Only Singh, Bankman-Fried and a few other top FTX and Alameda executives knew about the exemption in the code, according to three former executives briefed on the matter. A digital dashboard used by staff to track FTX customer assets and liabilities was programmed so it would not take into account that Alameda had withdrawn the client funds, according to two of the people and a screenshot of the portal that Reuters has previously reported.
If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Singh will definitely get prison time as well, though I'm sure all the higher-ups in FTX are trying to point fingers to get deals. In the Madoff scandal, 2 of Madoff's programmers were sentenced to 2 1/2 years each. In this case, Singh has much more culpability as a higher-up (not to mention a pre-collapse billionaire).
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Not quite the same level, but in my early days working on a payment system, a request from the product team was to create a summary screen where customer service reps could see payment histories AND THE CC INFORMATION USED FOR THE PAYMENTS. In my mind, there was no way that would end well, so I strenuously objected and had to endure some very heated conversations over the course of a month or two. Eventually product team agreed to last 4 digits + expiration.
Nowadays it wouldn't even be a conversation, but in the early 2000's, it was a different world.
My first job out of college (2007) involved a lot of removal of early 2000s one-off custom payment processing code. Access DBs full of years worth of credit card numbers, code that just emailed the credit card details to the site owner without keeping a record, etc. It was definitely a different world. Most of them, I just switched to PayPal shopping cart and checkout. In retrospect, I didn't know wtf I was doing and probably shouldn't have been working on it.
Yeah, I worked for an agency around the same sort of time and saw exactly the same kind of thing.
I remember one site that saved all the CC and order details to a plain text file in the web root. This was opened using an FTP programme every evening and someone would run the numbers through the machine in their store and post out the orders...
Sure, there's always room for improvement, but at the very least SSL/TLS is ubiquitous now, there actual TLS versions are much better, developers generally view holding onto CC data directly as toxic (the growth of things like Stripe checkout, etc.)
We wouldn't think of doing it. This is the kind of thing your auditors would see from outer space. If you're doing this and you don't have auditors, you're lying on your self-assessment questionnaire. Either way your merchant status is in jeopardy.
Remember Alamada wasn’t a normal customer. It was acting as a market maker/counterparty of last resort to many other FTX customers. In that case there could be situations where ‘normal customer liquidation rules’ shouldn’t apply - it can go in the red temporarily to enable others to trade (and FTX to make commission).
From the facts in the article (which are obviously not complete) if I was Singh my defence would be I assumed/was told the changes were to support Alamadas role as market maker and their actual long term exposure was being monitored elsewhere.
> Remember Alamada wasn’t a normal customer. It was acting as a market maker/counterparty of last resort to many other FTX customers. In that case there could be situations where ‘normal customer liquidation rules’ shouldn’t apply
This might be a reasonable argument in a vacuum, except that:
> [SBF] told investors and prospective investors that FTX had top-notch, sophisticated automated risk measures in place to protect customer assets, that those assets were safe and secure, and that Alameda was just another platform customer with no special privileges. [emphasis added]
And also:
> Bankman-Fried also told investors, and directed other FTX and Alameda
employees to tell investors, that Alameda received no preferential treatment from FTX. For example, Bankman-Fried told the Wall Street Journal in or around July 2022: “There are no parties that have privileged access.” Likewise, in a Bloomberg article published in or about September 2022, Bankman-Fried claimed that “Alameda is a wholly separate entity” than FTX. In the same article, Ellison is quoted as stating about Alameda: “We’re at arm’s length and don’t
get any different treatment from other market makers.” Bankman-Fried made similar statements directly to investors. [emphasis added]
(The above are direct quotes from the SEC complaint [1] against SBF.)
Singh might argue that he wasn't aware of the private statements to investors. But the WSJ and Bloomberg stories show the "arm's length" claim was something they consistently messaged to the public at the highest levels. To argue that Alameda's role as market maker of last resort justified a privileged status would be inconsistent with all their prior public claims to the contrary. "We lied to the public repeatedly about our risk management" isn't a defense; it's a confession.
It’s potentially a defense for the engineer though, if he had nothing to do with the advertising. Of course it’s all just idle speculation; the real interesting stuff will come out in the trial, years upon years from now.
Should an engineer be tracking what their company is telling media outlets? No one else is tasked with looking at my code except other engineers; why should engineers spend their precious time making sure that other business units are performing their duties ethically?
> Engineers are of course partly responsible for the things they implement.
That is outrageous. The company owners have limited liability protections. The employees should receive at least that unless they are in a position that requires specific legal training like an engineer legislatively appointed to be responsible for some safety function. Where they are appointed and remunerated specifically for their legal responsibility, in other words.
And the court cases after WWII are hardly reliable precedent. They were basically making it up as they went with fairly flimsy justification apart from the fact they had a bunch of troops still in fighting form.
Limited liability protects against financial loss, not criminal indictment. If you are an employee or owner and you do something to enable fraud the company as a whole is doing, you are still criminally liable.
> Limited liability is a legal status in which a person's financial liability is limited to a fixed sum, most commonly the value of a person's investment in a corporation, company or partnership.
Engineers are responsible for strictly technical failures. When a piece of software does what a representative of company management asks for it hasn't failed.
Software engineers are not lawyers and they are bad at interpreting laws.
> Software engineers are not lawyers and they are bad at interpreting laws.
Right, so if something seems sketchy ("please ignore these specific deductions when calculating our holdings") , get a lawyer - or CEO or CFO or whatever - to say in writing that it's fine.
And if something seems actually illegal ("just run the blood test results out-of-spec and report them anyway") just don't do it. Nothing absolves you of some things.
Sure. But if the engineer doesn't think it is sketchy enough to seek out a lawyer, why would they suddenly be liable for issues where they are obviously ignorant, and never expected to be competent?
I’ve received yearly training as part of my job outlining my civil and criminal liabilities as a software engineer going back 20 years. It’s par for the course in finance.
The tautological answer is that it's because we the people have made laws that in certain specific situations make people criminally responsible for how the product of their labor is being used.
The practical answer is that it's because we do want to discourage criminals from "splitting liability" by having most of a gang doing some illegal goal together stay "clean" and only delegating a single "fall guy" for the final touch; so criminal law is explicitly written to consider everyone who knowingly assists a crime to be partly liable as well.
Engineer doesn't imply honesty. In those jurisdiction where it's a protected title, it just implies that you have some mix of STEM topics in your degree. Software engineers, in these jurisdictions, have that mix, and are as real as bioengineers (a.k.a hospital lab workers), chemical process engineers, construction engineers, etc.
No one has had their engineer title taken away for being a crook, as far as I know. Unless the crooked thing they did was fake their diploma.
It doesn't imply honesty. It does imply liability, so if something bad happens because you're dishonest, you will lose the title, and suffer other consequences.
> No one has had their engineer title taken away for being a crook, as far as I know
This seems an absurd claim, unless you're going to get very pedantic about some distinction between "engineer title" and "legal right to function as an engineer".
This is one example found after just a few seconds of searching, but it is absolutely commonplace to have your engineering license revoked for carrying out criminal activity.
> In those jurisdiction where it's a protected title, it just implies that you have some mix of STEM topics in your degree.
This seems a bizarre claim too. In jurisdictions where membership of a professional licensing body is necessary in order to refer to oneself as an engineer and practice as an engineer, it is absolutely not the case that all you need is the right "mix of STEM topics in your degree". It means you have a certain degree, have completed a set amount of work experience, have completed a professional certification exam and then maintain that license, which may require meeting other requirements periodically. And yes, "not being a crook" is certainly one of those requirements, and being involved in major criminal activity, especially criminal activity related to your professional practice, is absolutely grounds for having your license and certification as an engineer revoked.
Why not? Why do we keep Apple responsible for Foxconn's labor practices? Isn't Foxconn an independent company after all? The reason is because we don't want evil to spread by externalizing the responsibility to third parties.
Most things are ambiguous, so you can have an argument about what intent was. Even things like firearms, you can say, "well, I made this gun so people can use it in self defense".
This seems pretty unambiguous though. Sometimes you're just facilitating breaking the law, or making things dangerously unsafe.
> When individuals are responsible for the theft, loss, or unauthorized disclosure of PHI, the most common consequence is the loss of employment. However, in the most serious HIPAA violations, criminal charges can be filed against the individual(s) responsible.
Yep.
"comprehensive knowledge of their companies media output" is an interesting way to put it. I would really just recommend engineers maintain some sense of self awareness.
Singh was the chief engineer for a major exchange. It's his job to know better than this.
If the chief engineer for NASDAQ put in a backdoor to allow a market maker unlimited margin, would you assume they just figured it was legit because someone said so?
He knows how markets work too well for a defense like that.
I never understood why Alameda took risky bets when it could just make a bunch of cash off buy/ask spreads assuming trading volume was decent. Running the exchange they can front run any large trades and move the market.
Crypto is flooded with liquidity so market making is like selling ice to an eskimo.
These days a naive market making strategy in crypto just incinerates capital very reliably as the tiny bid ask spread is a small fraction of the adverse selection risk (whole spread moving past). They did probably make money on this in the early days and got smoked when the sophisticated tradfi players joined.
Front running large trades by looking at non public info on the order book is possible but this is also fraud, so not a strategy to avoid legal troubles, and it also only works if the large traders are naive and not adversarial (putting fake large orders to front run you etc).
What SBF could have done is close down Alameda when it was clear they were not competitive, and concentrate on growing the exchange by reinvesting the fees, but that would have clipped the growth and donations/acquisitions lifestyle to something much less flamboyant.
> Crypto is flooded with liquidity so market making is like selling ice to an eskimo.
This is not true at all, in general quoting in these markets is absurdly capital-intensive compared to tradfi.
> These days a naive market making strategy in crypto just incinerates capital very reliably as the tiny bid ask spread is a small fraction of the adverse selection risk (whole spread moving past). They did probably make money on this in the early days and got smoked when the sophisticated tradfi players joined.
Are the sophisticated tradfi players here yet? Seems like no?
Great! I'm just continually surprised, because my firm is 4 people with a combined 1.5 years of very outdated tradfi experience and these markets are very good to us.
For example, it's surprising that big tradfi players were not able to prevent take-only basis arb bots written in Python running on a un-tuned VPS from printing five figures on individual new listings in mid 2021, or permitted us to click trade tokenized stock quarterly futures minutes from expiry for nearly guaranteed profit also in mid 2021.
Some examples of hidden information that doesn't generally get disseminated in exchange orderbook APIs:
* Attribution: who's making the order?
* Short labelling... are they selling or shorting?
* Non-display or iceberg orders (not common in crypto?)
* Immediate-or-cancel orders... the executions hit the feed, but not the original order details. Also whiffs (order but no fill) don't get disseminated in any way.
* Certain order types that may rest on the exchanges order book but either don't have a specific price or display doesn't make sense... market orders, midpoint orders, pegged orders, auction order books (less common in crypto)
EDIT: On the attribution side -- they could also know the leverage any customer is taking and use that adversarially (which was the straw that broke their camel).
Thanks, yeah attribution is an interesting one. You usually have the cryptographic address of the maker but not any link to FTX account that might be responsible, and as you say the ability to correlate an order with other positions
> Certain order types that may rest on the exchanges order book but either don't have a specific price or display doesn't make sense.
I suppose orders than are designed to only be consumed by a matching engine don't need to be made public unless they are matched.
The order book from the API is at the very minimum delayed (by network and protocol latency if nothing else) and aggregated/sampled (full feed is too big), so an insider can have an advantage of more complete and timely data.
That's for honestly run APIs, then an exchange can play some games with that feed if they want to...
It depends on the time, it's public after the fact, but not-public during the time gap where someone like Alameda could do front-running by managing to get in other transactions before the loser's orders get executed, or before any others get the chance to take that order.
You don’t need speed to front run someone you need special access, which Alameda had.
That said they are being accused of something much less sophisticated. They were allowed to take money out when they made money but didn’t have to pay money in when they lost.
Even if you have special access, if you need 40ms (500ms p999) to compute a square root, you're not gonna be able to make worthwhile decisions on the basis of this access
These are our observed latencies for their risk checks after sending millions of orders per day for months at a time (which doesn't sound like much, and isn't much, but is the entire order rate that they gave us while we were doing 0.5% of the maker volume on their exchange).
You’re stating confidently that python is orders of magnitude slower than it actually is because of some pseudo code, which you haven’t seen implemented, and you called into across a network link?
Arrogance, they thought they were smarter than the market.
There are people who make a living playing poker that are not intellectually gifted. Their secret? Do as you say, play boring, safe strategies that will guarantee you will make money in the long run. They might not run up 1000$ to 10000$ very often but they sure do win. However, remove discipline, add intellectual ability and an abundance of overconfidence and you get FTX and Alameda Research.
Judging from some of the videos that circulated from the Alameda CEO I'd say it's also a significant portion of incompetence. I'm not going to guess which one was more though.
Front running requires pretty invasive changes to the very performance critical parts of the trading engine. You have to analyse the queued trades, decide on a trading strategy and insert new trades, all without inserting too much latency.
It would be hard (but not impossible) to implement such functionality without dozens of software engineers being very aware of it's existence and the implications.
This kind of software change only touches the edges and can be done with much more plausible deniability. The exclusion to margin calls was a single if statement inserted by a single engineer with the justification Alameda were the primary market maker. The dashboard change might have been just a bug they avoided fixing (If you normally automatically margin call negative balances, why would your dashboard bother reporting negative balances?)
There was huge amounts of money to be made. They got too greedy, made a play for it, then the market dropped. If things kept going, it would have made them all a lot of money.
SBF, through his industry connections, was able to figure out how to take the difference while trading Bitcoin between different countries, as the premiums are different. It's basically a legal money printer.
I am baffled by why fraud was necessary. I guess it's just means to an end for "effective altruism".
Yeah its not as simple as putting two limit orders and collecting your fee. Market makers take huge risks when there is a big market move. When Luna crashed for example Alameda provided exit liquidity to traders and was left holding the bag.
A lot of people have said this, but that day was easily the best day to be quoting. There was lots of volume on both sides all day, even as the price increment became very large compared to the price
You mean kind of like how the US market works now with PFOF?
And the fact that by far the largest market maker in the US is also a hedge fund (two different companies with the same owner(s), where have we seen that before?).
Not an excuse. They had a programme for external liquidators giving some slack for trades taking the other side of liquidating positions, so Alameda should have used that. This looks worse.
In any case it's not needed: liquidators get the 3% initial margin so are usually in profit. For the cases when the market moves faster than that, they should have done what the better-run exchanges do and close the most leveraged positions from the opposite side: if lots of longs get liquidated in aggregate the shorts get their profit trimmed by the losses of the longs beyond maintenance margin, in order of leverage, which is fair enough when duly documented in the terms.
FTX and Alameda publicly represented that Alameda's relationship with the exchange was the same as any other market maker's, and any other market maker could sign contracts to become a counterparty of last resort by joining the Backstop Liquidity Provider program.
This seems flaky at best. Either becoming an extreme lapse of judgment - or intentional ignorance. His position as a higher up makes claiming the former difficult.
My claim to fame is that I dealt with SBF and Nishad to get some Python code for their api client merged in, the first non-FTX committer. I coded up a lot of the api functionalities that were missing. They never gave me a tip. A couple years later when I pitched for investment they declined it as they "were looking for more volume".
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
> Singh will definitely get prison time as well
But how long? Jerome O'Hara and George Perez were arguably more complicit in Madoff's scheme than anyone, having written the computer software to generate the fake investment return reports and even actively helped dupe the investigating regulators but were only sentenced to two and a half years in prison.
That's true, but likely factors were: they were in an adversarial power relationship with some of the other participants (notably: Madoff himself who repeatedly assured them that he actually made the trades that they reported but I fail to see how they could have been so gullible) and may have been put under significant pressure and it likely is a first offense all of which would result in a lesser sentence. But it still is obviously a very serious transgression, and none of their claims that they didn't know what was really going on seem to have fooled the jury.
Even the most kind reading of the situation leaves little doubt that they knew exactly what was going on.
> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Strange comment.
Are the engineers who made the code change responsible?? Do engineers need to be lawyers and financial gurus too, and evaluate every ticket they are given for possible illegality in every country the software is used??
Yes of course they need to know the law. Anyone who might potentially break the law during the course of their work needs to know what that law is. ‘Just following orders’ is not a defence.
This is very odd special pleading by programmers. Every industry needs to do this: journalists learn media law in their university degrees, architects have to learn the building regulations. Why is programming any different?
Because programming is usually applied to different industries. Yes, you should know the laws of your own industry (in tech that would be privacy, licenses, export rules, copyright, some patent basics etc.) but you can‘t know the law of each industry you write software for.
Holding people personally liable is the exception and not the norm. It makes sense too, like if the company lawyers say something is fine then you have to be able to trust them, unless it's something obviously wrong.
This is not an argument against programmers, like other professionals, learning the aspects of the law which are relevant to their job. Why should programming be the one profession where this is not required?
Because to be criminally liable for something requires both a) actually doing something that is against the law and b) doing so with intent (i.e. you knew what you're doing is against the law and you did it anyway... because you thought you will not get caught or just didn't care). It is then up to the prosecution to prove, beyond reasonable doubt, that you actually intended to break the law. (With the exception of strict liability crimes, which are limited in scope to minor infractions and things like drunk driving or statutory rape.)
You can still get sued in civil court of course, but that's not the state trying to put you in a cage and so the standard goes from beyond reasonable doubt to most likely.
If you're a coder coding shady shit for your shady employer, you most likely know you're doing so and there's typically some trace or record left. But coders are not investment bankers and in fact may not even know anything about investment laws and regulations. And it's completely unreasonable to expect them to know. I worked on many projects, including medical and education... if I had to question and investigate every executive decision impacting my work then I wouldn't get anything done.
"Mens rea" is a requirement for certain crimes, but not all, you definitely can be criminally liable for doing something without intent. The trivial example is murder vs manslaughter, the latter does not require intent but obviously can be and is criminally prosecuted.
Furthermore, even in cases where mens rea is required, it gets satisfied if you intended to achieve the prohibited result even if you thought that the result was permitted. "Intent" is not about intent to break the law, it's about the intent to do the thing that happens to be illegal. In this case, it matters if you knew what the thing you're making was going to be used for (e.g. hide some stuff from auditors) but your knowledge or ignorance of the relevant laws and regulations doesn't matter at all - as another poster noted, https://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat .
Sorry but this is completely wrong. “Mens rea” means knowing you were doing a particular thing. It doesn’t mean knowing that it was illegal.
E.g. if I take your wallet off of a table because I thought it was mine, I’m probably not guilty of theft. If I took it because I didn’t know theft was illegal, I probably still am.
In English courts, there’s some debate about a defendant’s ignorance of the law.
In this Chancery case from 2021, the judge mulls over what it means that a defendant is “unaware”. He considers the distinction between someone who knows about the relevant law and misunderstands it vs someone who doesn’t know at all. And the judge briefly wonders whether someone working in regulated activity (like finance) and completely unaware poses the most risk to the public.
The judge left the issue unsettled, but it raises the possibility that ignorance might count against a defendant. The Chancery Division handles business disputes, though, and I imagine the criminal courts have their own rules.
They won't until they do. When it's something seemingly egregious like this, it has the potential to be something that makes an example and changes curriculum for CS students across the country for decades.
I expect other engineers to know laws when creating things (not like having a JD). Accredited business schools in the US teach business law to their undegrads. It's absolutely not ridiculous or a stretch to have a similar expectation.
There's a big difference between the HN crowd shouting "they should know the laws!" vs. licensed and controlled professionals like architects and structural engineers that "follow the law" via established codes, which have clear boundaries that can be evaluated and prosecuted when violated.
> When it's something seemingly egregious like this
You don't even know what "this" is. So the BI engineer that stitches together data for a report should have known that combining these two values was illegal? What silliness.
‘clear boundaries that can be evaluated and prosecuted when violated.’
Have you ever looked at media law or libel law? It does not have clear boundaries, but journalists are still expected to follow the law. Journalists are not absolved of the responsibility because it’s complicated.
You just need to not break the law. It’s how it works. If you don’t want exposure to liability, you need to acquaint yourself with relevant law.
They absolutely have boundaries that a lawyer or prosecutor can use to make a case in a court of law. How do you think the law works? Interpretation of laws is a big part of how the common law system works.
If there are clear boundaries, there would be no need for interpretation. Interpretation is needed to resolve questions that arise because the boundaries are not clear.
> If there are clear boundaries, there would be no need for interpretation
You can't prosecute someone for murder just for insulting you. You can't prosecute someone for robbery if all they did was jaywalking. Media laws have clear boundaries sufficient for legal professionals to do their job. Building codes have clear boundaries sufficient for legal professionals to do their job.
I don't know, we hold other engineers responsible for the consequences of their work, personally I think the industry would be better off if we had more accountability for programmers.
But we don't hold the gun-industry accountable for mass-shootings. Maybe we should. But situation is a little bit similar here. The engineer created the gun. He didn't use the software to shoot people. Or maybe he did. The question is did he personally benefit from the change made more than his usual salary?
Or think about people who build bridges. They just follow the orders they get from higher ups. Bridge collapses. The higher-ups should be held accountable not the workers. The question I think is did the engineer here just follow orders? Perhaps he understood very little about finance, only about programming.
A gun has many purposes, some legitimate (law enforcement, "defense" etc), others less so. A code change that allows the company to do illegal things has no legitimate purpose.
I think what's up to debate is to what extent the developers were lied to regarding the purpose of the code. Maybe they were told it was for testing purposes only, or the higher ups managed to convince them that it's ok despite them questioning it. I suppose those things will come up during investigation and will certainly affect their sentences, but I don't think they will be off the hook that easily.
A `DELETE FROM` function can be used for good or bad. A gun can be used for good or bad (see the war in Ukraine, it can be used to murder or protect your family from murderers).
A code change excluding a known, named entity from safety checks is more like rigging a bridge to explode when your enemy crosses the bridge.
The gun manufacturers have a special law passed at the federal level to prevent civil liability (PLCAA). That is being chipped away at but it’s currently a special privilege they hold enacted by the legislature of the US.
> "The question is did he personally benefit from the change made more than his usual salary?"
I would guess the compensation structure at FTX included a lot of their own crypto tokens, since the company can mint those at no cost. And Alameda was a big holder of those FTT/Serum tokens.
So you're a software engineer who owns theoretically millions of dollars worth of FTT tokens, and then the boss comes to you and asks to make an exception for Alameda... Since you work at FTX, you're probably aware that Alameda holds and trades a lot of FTT. If you do the code change to make Alameda look better and maintain the value of your own crypto portfolio, there's no question that you're a part of the fraud.
> The question is did he personally benefit from the change made more than his usual salary?
That’s not the question — as in, it won’t be an element of any of the crimes he’s eventually charged with. The question is whether he was knowingly or recklessly involved in a scheme to defraud people.
And just generally, legal reasoning does frequently use analogies but they need to be tighter than the ones you’re using. This case isn’t much like building a faulty bridge.
I would think that in most crimes the motivation of the accused is a factor. Think about hate-crimes. They are not hate-crimes unless the person did them out of hate for the PURPOSE of hurting members of some minority.
Murder-in-first-degree means you didn't just recklessly cause the death of somebody, it means you did it intentionally, on purpose.
Was this engineer knowingly and intentionally helping to commit the crime? We don't know because we haven't seen many details or testimonies in this case. He must be assumed innocent until proven guilty. And proving him guilty must include proving he had criminal intent, Mens Rea. The court of public opinion as in Hacker News is of course a different matter.
If a bridge collapses it's the /engineer/ that's held accountable. Engineers sign off on things. They are accoutable to the product that they build and those that use their product. This guy calls himself a software engineer, so he should accept all the responsibility and accountability that goes with that title.
Your gun analogy is not fair and it does not translate well to the actual situation at hand. A gun engineer is not responsible for all the deaths the weapon causes. But said engineer will be very much accountable if the weapon blows up in the wielder's hands during normal use (even though practically this might not be the case due to liability disclaimers and all that).
We have case studies where deaths were caused by shit software, where the engineer of that wrote the software is clearly the accountable one.
Software engineers are some of the highest quality engineers there are. Objectively by a simple metric: lives ended through incompetence. Software engineers lead. No other engineering discipline comes close.
When an executive level manager is paid multiple times (or orders of magnitude) what an engineer is paid, I feel there should be a different assignment of responsibility and exposure to risk.
Because there’s not been a large obvious reminder for some time. In fact the last such reminder was before most currently living software developers were born.
In some cases, yes, they are held responsible. When I was trained on HIPAA compliance lawyers made it clear that individual employees could be held responsible for some violations. And yes, we restricted service availability based on region until we achieved compliance with GDPR and various regional PII/PHI data export laws.
I work in another regulated industry today, and throughout the year sign off on understanding various regulations and trainings of 3 letter agencies, that are essentially in place to indemnify the company in case of a violation. I’d expect financial services follows similar steps.
But if you only told someone to do it and haven’t actually done it yourself, are you guilty of breaking the law?
Yes, you are. Splitting responsibility between those who give orders and those who follow them to avoid penalties is exactly why both are persecuted and put in jail.
The person who commissioned this change, knowing the potential financial ramifications that it opened them and their depositors money up to, is the one who should be charged.
Really? I feel like intent would be really hard to prove.
"Hey, due to the way our accounting works I need you to subtract X from our dashboard."
"Ok boss."
Are programmers expected to know finance law? If I build a program for a dairy farmer am I supposed to know the laws of the interstate dairy trade? I can't believe that would be the case.
Nishad Singh wasn't some low-level coder. He was FTX's Director of Engineering.
> "Hey, due to the way our accounting works I need you to subtract X from our dashboard."
That is not what happened here. The fact alone that very few people knew about Alameda's special treatment, and, importantly, deliberately conspired to keep that treatment secret is a pretty strong indicator that he knew it was wrong.
Director of engineering != product manager in charge of deciding what features to include. If somebody tells engineering, “we will not use this feature illegally,” then it’s the fault of the higher ups who are possibly (?) trying to scapegoat somebody to protect themselves
Directors have specific, well defined legal duties to their company which includes a duty of fiduciary responsibility. That is why they're directors rather than "head of product" or "VP of marketing" or whatever other meaningless title people bestow on themselves. Saying "my boss told me to do it so it is not my fault" is nonsense because you have no boss beyond your shareholders.
A senior developer of anything in this area would be expected to fully understand the risk implications of this. I have written the code to closeout positions automatically multiple times in multiple jobs.
It may have been possible someone directed a junior developer to make this change, but then it would be a case of hunting down who told them. If that happened in my team I'd be documenting everything I saw and running, not walking, not walking briskly, out the door.
This said, nothing is black and white. For example, due to immature processes, they might have told the developer that the main account was only one of many accounts they can call on, but the code only allows for one, so we have to make an exception. I'd still be freaking out.
If Jamie Dimon asked a developer at the bank "hey can you have Chase ATMs allow these 10 accounts that are in my name to withdraw unlimited funds?" everyone involved would be in jail.
"For testing purposes, these 10 account numbers should be allowed to remove cash from any of our ATMs. The testers will put the money back." It doesn't sound that nefarious. If you told me this is how ATMs are currently being tested in the industry, I wouldn't be able to contradict you.
...A bench test of an ATM probably doesn't involve real money. No one in finance is stupid enough to use real money on production environments for testing purposes.
There is test... And there is PROD. Never do the two meet. Ever.
If someone out there does, please make yourself known so we can get the investigators over there ASAP.
You can test in production if you have multi-tenancy aware services, where tenancy is some string value like Foo to make sure reads to Foo can only read data that was written to Foo.
That's not testing in production, that's just the same as saying your test VMWare environment is in the same datacentre as your prod VMWare environment.
>If Jamie Dimon asked a developer at the bank "hey can you have Chase ATMs allow these 10 accounts that are in my name to withdraw unlimited funds?" everyone involved would be in jail.
This isn't true
I worked for a large bank. I managed data for their mortgages. We bought another bank and processed their mortgages with our systems. There were several thousand accounts that we called "friends of the <former CEO>" because they had really weird terms.
A noteworthy example is: $10m Home Equity loan, with 2% interest for 40 years, and the owner could refinance any anytime without any fees
In English, this means we can't repossess their loan, they pay a super low monthly payment, and the final amount is never really due.
I fail to see the equivalence. These are just loans with weirdly favorable terms. If the other bank had shareholders, then this would be a breach of the fiduciary duty. Otherwise it's just bad business? Bad business != fraud.
I'm not sure why would that be fraud - who would be the defrauded party there? Offering wildly different conditions or prices to different customers definitely isn't fraud.
The other customers have no standing there, they have no relationship whatsoever that contract between the bank and another customer, they have no legal expectation to get the same conditions or to know what conditions other customers get. If the bank explicitly and intentionally lied that no other customers get so favorable conditions, that might be false advertising but I'm not sure, I'd expect a reasonable court to interpret that a bank "telling your customers you don't and can't do this" is exaggeration/puffery (i.e. permissible) and doesn't have to literally mean that they're not doing that for anyone, it means that they absolutely refuse to do it for you.
I’m assuming the poster meant refinance with the same terms. So the borrower can get another 40 years to pay back the remaining balance anytime they like.
You're right. I believe the technical term is "recast" where you take all of the outstanding balance and spread it over the course of "the next 40 years" with the same interest rate.
Another fact I omitted is that the interest rate is 2%, but the minimum payment is lower. So the borrower is accumulating owed balance because they are paying less than interesting accruing.
Given the market of the last couple of years they may actually have been able to re-finance that loan with a different bank and gotten better terms. 40 years is a long time.
$10M ona 40 year term and a 2% rate is like $30k/mo in payments. I wouldn't say most people would think of $30k a month a super low payment.
And now that the bank has new ownership they might be able to refinance again and continue to kick the can down the road, but they're less likely to get as favorable of terms I'd imagine.
Your math is right. I forgot to mention than the minimum payment might be less than the interest rate.
And the technical term for the type of refinance is "recast" (iirc) - so the "new bank" honors the terms because it is a part of the originating documents.
Working on fintech and transaction rails? Probably. I had to know regulations when I worked in fintech. Plus, you don't have to know the law to be found guilty of breaking it.
The engineers working on this are innocent until proven guilty, but you'd better believe all internal comms, meeting notes, and commit messages will be scrutinized.
Someone had to ask for the system to behave this way, and that will have produced certain artifacts.
Engineers with knowledge may be cut deals to testify against the bigger players.
"When asked to clarify whether they were both gone, Bankman-Fried said that Wang was "scared" and Singh was "ashamed and guilty" because FTX customers' deposits had been lost."
Isn't that a strange thing to say? Singh is the guy who made the change, per Reuters, and this snake knew that.
Isn't it completely unscalable? I work for a big automaker, there's literally people whose only job is to be compliant and inform the necessary leads about it. There's hundreds of countries, each with very specific things. If I study everything, I can't code.
When knowledge arrives at my team, is already condensed to the point of: "in X country, you must tell the prices of a call if you show a phone number for assistance"
Why should I explore every loophole of law to be compliant? That's the companies job, not mine.
For some reason, I've seen a lot of people try to make arguments around FTX that completely miss the scale and malfeasance that occurred. This wasn't a case of "oh, you got some esoteric GAAP depreciation rule wrong". This was an engineering leader putting a ton of special cases in the code saying "For our most beloved partner, none of the rules apply, including letting them take unlimited amounts of customer funds. Oh, and be sure to hide this from the dashboards the rest of the company uses."
This is not hard. Nobody needs to be versed in the ins-and-outs of jurisdictional compliance rules to see this was blatant and egregious.
If any of this looks remotely familiar to any software devs out there, you should really re-examine your morals. Or at least hire a lawyer.
Down to the trivia level for an entire global company, sure, but this is a lot more general and bigger. Like if you have rules against accepting gifts from vendors, maybe you don’t remember if the threshold is $10 or $15, but you shouldn’t need to ask to know it’s not $30k in a suitcase.
I would say no. They just need to know how to implement what they are asked to implement.
Say you are an engineer working for a gun manufacturer. You need to know how to manufacture the gun. You don't need to know what it is used for or by whom or even how much it is sold for.
If you are aware that a crime is going on you in principle are required to report it, but not doing so is not nearly at the same level of crime as actually doing the crime. So here I think the court will look at two things?
Did the engineer know that a crime was being committed?
Did the engineer personally benefit from the proceeds of the crime more than their ordinary salary?
I am not a lawyer though so don't take my advise.:-)
That is a very bad analogy. Guns are not illegal, what people do with them might be. What these developers made had no lawful use. A better analogy would be if some engineers in a gun factory were making chemical weapons.
There are laws against chemical weapons but I don't think there are laws against producing any kind of software. It's more what you do with the software. Whereas with chemical weapons they are criminalized as such because it is clear they can be used only for one purpose.
That's a nice little fantasy. In the real world, competent developers with that level of domain knowledge mostly don't exist at any price. In the healthcare field where I work, not many developers have ever gone to medical school.
You're telling me a software engineer could make a change that allowed spending money a company could not legally spend and he had no idea about it? Come on. That is preposterous. At any respectable company alarm bells would be going off everywhere and fingers would all start pointing to that change. Theres virtually 0 chance that there was not intent.
i worked for a fintech startup in a similar space:
> Are programmers expected to know finance law?
in our case, we were. it was drilled in, and tested, reviewed, and audited. i’m not saying that something like this couldn’t have happened, but in my case anyone who would have been involved would definitely have known the legality.
Developers should know to ask questions when a weird request is made.
Developers presumably know how to think and have a vague idea of what the business does to know that a ask to futz with internal financials programmatically is fucking wierd.
IME, it depends on your chain of command. I've literally been reprimanded in my career for asking questions. My boss at that time was crap. I didn't choose him. Asking questions can very likely get you fired.
Also got reprimanded for disobeying an order at once; my boss — same one as above — would not take "no, we are in a regulated industry, and I cannot do that" for an answer. I ended up going behind his back, getting the approvals he should have gotten himself, and once I'd secured those, granted him the access he wanted. I also tried to escalate to his boss (my grand-boss) … but he didn't respond until it was all moot.
But there is a lot of stress when you're fearing for your job, even though you're just trying to do things by the book. I'm inclined to side with engineers, to a degree: the chain of command's responsibility is to never put eng in that position. (Although here, the eng in question seems far higher up than I am. I'm just a bottom rung eng…)
> Developers presumably know how to think and have a vague idea of what the business does to know that a ask to futz with internal financials programmatically is fucking wierd.
They should but IME they often don't, and even if they do, people are lazy. It's a struggle to get people to do the things they should do some days.
I'm in an industry with a lot of migrant workers, I was asked to write software that would change the time records for migrant workers so they never get overtime.
I said I wouldn't do it unless they showed me the legal advise saying that it was ok. The office sycophant piped up and said "I'll do it". From then on I stopped being invited to meetings and my job transitioned into answering the phone and then out the door.
I hope they jail the developers for 500 years, that's the sort of signal that needs to be sent.
You want Engineer in your job title? Then you say no, and you damned well ask questions, and you damned well make sure to leave the moment they make it impossible for you to act ethically.
This sounds great on paper. However, the reason "Engineer" matters is because regulation requires it. If my company is required to get a sign off from an Engineer before software is updated, then you can be 100% sure those who are qualified to sign off take their title seriously. Until then, it is just a fancy title.
My impression is that this title comes from the practice of "software engineering", not necessarily that the practitioners are licensed Engineers.
Right, "software engineer" is often used just as a synonym for "Programmer". That's just how the industry is, currently.
There are no regulations as to who can develop what software as far as I know. Whereas there are for who can design a bridge, act as your lawyer, or prescribe you medicine.
Yes and when we as software engineers / programmers act as if we don‘t care we should not be surprised if software engineering / programming gets regulated, too.
People gatekeeping the word “engineer” is a bit annoying, since the word “engineer” dates to at least 1380 and originally just means someone who works on engines. “Engineer” as a legally super special class of job is a thing that came much later and only ever applied to certain jurisdictions anyway.
“Software engineer” is just a synonym for “programmer”, in the actually existing practice of the English language.
And 'doctor' means someone with a PhD. I know a lot of doctors. However, when you talk about medicine, we mean 'Doctor' with an M.D. and they are literally held to higher standards of ethics and liability. They are licensed and people who practice professionally without a license are subject to legal ramifications.
Call yourself whatever you want, but that doesn't mean you get to define what 'Engineers' are and what ethics they are bound to. Just because you use the term in your title and say it is used properly in English, doesn't mean that you won't get treated any different than someone with a PhD demanding to be called Doctor and pretending there is no difference between them an and M.D.
Of course the word “doctor” means different things, just like “engineer”. The OP is the one who was trying to conflate them. It’s like if you told someone with a PhD in CS “if you want to be called ‘doctor’, you had better be able to heal sick people”.
In Denmark you need to hold a degree of engineering for you to call you an engineer of any kind. It's a protected term. As I remember, in the US it is not protected and anyone can call themselves engineers.
I don't know about finance but for HIPAA and CCPA, the answer is yes. Is there an accounting equivalent to the yearly, mandatory 20 minute compliance training videos?
Yes, in US fintech there are mandatory courses in anti-money laundering and know your customer laws that programmers are required to take along with everyone else.
I don’t know what exists in the crypto world operating in the Bahamas, but I’m not going to lose a lot of sleep if the FTX director of engineering winds up going to prison for this.
Ignorance of the law is never an excuse if you are found to be breaking the law. So if you think what you are doing is possibly in violation of the law you better bone up or ask a lawyer for a statement on letterhead that what you are doing is ok.
For C-level execs that is probably not going to work, but for people lower on the totem pole it may well give at least some relief. You might end up convicted anyway but with a more lenient sentence if the argument is considered believable.
There are blatantly illegal things you can do in any field of work. You need to be aware of what is and isn't within the law on a loose basis yes. Even labourers on a building site have to do some training to avoid breaching health and safety legislation (or at least to minimise the companies liability when they error).
You also need to have faith in the compliance team and senior management. If your company works in legally sticky territory like crypto doubly so.
If you are in finance or law it is a good idea to know what you can go to jail for. Engineers are people and people can go to jail for breaking laws they didn’t know about.
If you want to write code for a financial institution? You bet you should be expected to know what you are doing, and understand there are relevant laws, and also not violate those laws. It's not hard. I know the relevant laws to my domain of job.
Propably not, but a solid understanding of the rules and regulations, and legal requirements, of your field and thebindustry your working in is actually a pretty good thing.
If you work in a company where there is no one that has some idea about the laws that apply to what you do that you could check with, you would be a little concerned.
Interesting article! So Brady took "an equity stake in the company and [got] a signing bonus in crypto", then went on to make advertisements even though "The NFL has banned cryptocurrency and NFT sponsorships for its teams". Seems that he, or likely his lawyer and/or financial adviser, will have been evaluated the legitimacy since he's deep into caveat emptor territory. Like innocently buying a stolen car: you're unlikely to be in legal peril but you will lose the car (and gain a claim against the thief that sold it to you)
I think it depends a lot on the jurisdiction. In some countries there are laws around ethics and disclosure especially if you work in a certified occupation (i.e. a licensed profession, such as traditional engineering).
Software probably makes things even more hazy but in traditional engineering world there are very clear cut rules around professional ethics, personal liability and disclosure.
If you want to see what you should never do as a software engineer if you like not being in jail, this is it.
Singh will definitely get prison time as well, though I'm sure all the higher-ups in FTX are trying to point fingers to get deals. In the Madoff scandal, 2 of Madoff's programmers were sentenced to 2 1/2 years each. In this case, Singh has much more culpability as a higher-up (not to mention a pre-collapse billionaire).