Two New Jersey day traders, Joseph Taub (37) and Elazar Shmalo (21), were charged with spoofing and layering in parallel civil and criminal actions brought this week in federal court in Newark.

The complaints identify three sample trading patterns. The symbols traded aren’t named, but enough detail is provided to enable us to back out what the symbols were. Here’s what the patterns look like (click to enlarge, or follow the Surveyor links to view these sequences dynamically (free registration required)):

“Company A” ($KITE), January 8, 2015 (Surveyor link):


“Company B” ($ESPR), June 18, 2015 (Surveyor link):


“Company C” ($NGS), September 25, 2015 (Surveyor link):


The basic pattern here is nothing new: the traders entered multiple visible orders on one side of the market that pushed market prices towards waiting opposite side orders that were filled at improved prices. Classic spoofing and layering.

What is new is that the traders used 35 different accounts at six different (unnamed) brokerage firms to attempt to conceal a pattern that would have been obvious had it all been sent through one broker. Almost all brokers today have systems in place to detect patterns like this when the entire pattern occurs under their roof. Those systems have enabled brokers to identify and terminate problematic accounts. The response of some illicit traders has been to slice their tell-tale patterns into multiple pieces and then send each piece through a different broker. In this scenario, none of the brokers used sees enough of the pattern to be able to identify it as suspicious.

How then can multi-broker spoofing be detected?

The long term solution is the Consolidated Audit Trail. CAT will enable a central processor to see all order messages across all brokers and venues identified with customer ID tags. With that rich data set, it will be easy to paste the pieces of a scheme like this back together and see the entire pattern as if it was sent through one broker.

But most brokers won’t be reporting data to CAT for at least another three years.

In the interim, FINRA’s market surveillance team is able to perform a more difficult analysis of the order message data it currently receives from the exchanges. That analysis is difficult because those order messages do not contain customer ID tags. As a result, FINRA can’t tell whether a batch of orders from a large broker came from one account or from many unrelated accounts, without making a manual follow up request for ID-tagged data from the broker. FINRA has recently worked to streamline that process through its Cross-Market Report Cards program, through which FINRA alerts brokers that they may have received a piece of a sliced-up spoofing pattern. FINRA has also asked brokers to look for instances where a customer receives a favorable print at the end of a temporary price move (the large buys or large sells in the samples above) WITHOUT having first seen a collection of opposite side bids or offers from the same customer leading up to that print. We have recently added this check to the Surveyor platform, which we are calling “Away Account Spoofing.”