Regulation SCI, for "Systems Compliance and Integrity."

[ by Howard Haykin ]

The SEC unanimously proposed new rules to require certain key market participants to have comprehensive policies and procedures in place surrounding their technological systems.  "Regulation Systems Compliance and Integrity," or Regulation SCI, would replace the current voluntary compliance program with enforceable rules designed to better insulate the markets from vulnerabilities posed by systems technology issues.

SROs, certain ATSs, plan processors, and certain exempt clearing agencies, ....  and each would be required to carefully design, develop, test, maintain, and surveil systems that are integral to their operations. The proposed rules would require them to ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events.

SEC Chairman Elisse Walter notes that “Reg SCI would provide more explicit technology and control standards to help ensure that our markets remain resilient against technological vulnerabilities,”  and added that the SEC will seek hold a 60-day comment period for Reg SCI.

SEC FACT SHEET:  Improving Systems Compliance and Integrity.   The new regulation was addressed at an Open Meeting held 3/7/13. 

The Flash Crash in May 2010 gave impetus to a series of measures to help limit the impact of technological errors, and the SEC approved a rule known as the market access rule - requiring brokers and dealers with market access to put in place risk management controls and supervisory procedures designed to manage the financial, regulatory, and other risks posed to the markets by a malfunctioning of their technological systems.

Yet, with no mandatory rules governing the Automation Review Policy that address the automated systems of SRO - e.g., national securities exchanges, clearing agencies, FINRA, and MSRB.  Instead, since the 1990's, they've followed a voluntar

y set of principles articulated in the SEC’s Automation Review Policy and participated in what is known as the ARP Inspection Program.

More recent technological issues - including the IPOs of Facebook and BATS Global Markets - along with the Knight Capital trading incident, have made it much more apparent that investors can be put at risk when technology fails, and confidence in the markets can falter.  And, the market closures caused by Superstorm Sandy also highlight the importance of having a robust market technology infrastructure.  These events and discussions have helped shape the development of the rulemaking being proposed today.

Proposed Rule — Regulation SCI.   As proposed by the SEC, this set of rules would formalize and make mandatory many of the provisions of the SEC’s Automation Review Policy that have developed during the last 2 decades.  The proposed rule applies the policy and proposes additional measures to entities at the heart of U.S. securities market infrastructure in order to protect that infrastructure.

Regulation SCI would seek to ensure:

• Core technology of national securities exchanges, significant alternative trading systems (ATSs), clearing agencies, and plan processors meet certain standards.

• These entities conduct business continuity testing with their members or participants.

• These entities provide certain notifications regarding systems disruptions and other types of systems issues.

Proposed Scope:  The proposed rule would apply to the systems of “SCI entities" that are core to the functioning of the securities markets - such as those that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.  "SCI Entities" would include:

• SROs - the registered national securities exchanges, registered clearing agencies, FINRA, and MSRB.

• ATSs - those that exceed specified volume thresholds (SCI ATSs).

• "Plan Processors”-  that disseminate market data under certain National Market Systems plans.

• Certain clearing agencies - those exempt from SEC registration.

Proposed Provisions.   As proposed, each SCI entity would be required, among other things, to:

• Establish pols and procedures relating to the capacity, integrity, resiliency and security of its technology systems.

• Establish pols and procedures to ensure its systems operate in the manner intended, including in compliance with relevant federal securities laws and rules.

• Take timely corrective action in response to systems disruptions, systems compliance issues and systems intrusions.

• Notify and provide the SEC with detailed information when such systems issues occur as well as when there are material changes in its systems.  Written notices would be filed electronically on new Form SCI.

• Inform its members or participants about certain systems problems and provide information about the systems and market participants affected by the problem and the progress of corrective action.

• Conduct an annual review of its compliance with Regulation SCI, and submit a report of the annual review to its senior management and the SEC.

• Designate certain individuals or firms to participate in the testing of its business continuity and disaster recovery plans at least once annually, and coordinate such testing with other entities on an industry- or sector-wide basis.

• Provide SEC staff with access to its systems to assess compliance with Regulation SCI.

For further details, go to:   [ SEC PR 13-35, 3/7/13 ]     and     [ SEC Proposed Rule Release No. 34-69077, 3/8/13 ].