On November 19, 2014, the Securities and Exchange Commission (“Commission” or “SEC”) voted unanimously to adopt proposed Regulation Systems Compliance and Integrity (“Reg SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”), as well as certain conforming amendments to Regulation ATS (“Reg ATS”). Reg SCI is intended “to strengthen the technology infrastructure of the U.S. securities markets, to improve its resilience, and to enhance the Commission’s ability to oversee it.” The adoption of Reg SCI represents the Commission’s latest action in its broader, ongoing efforts to strengthen and reform U.S. equity market structure. As explained by SEC Chair Mary Jo White, Reg SCI “provide[s] greater accountability for those responsible for our critical market systems, helping ensure that such systems operate effectively and that any issues are promptly corrected and communicated to market participants and the Commission.”
As it explained when proposing Reg SCI in 2013, the Commission believes that high-speed, automated trading that occurs on national securities exchanges and alternative trading systems (“ATSs”) has increased the potential for technological problems to broadly impact the equity markets. The ramifications of such problems have been manifested in recent market events, the occurrence of which further encouraged the Commission to revisit U.S. equity market structure. The Proposing Release outlined a framework that would replace the voluntary requirements of the SEC’s existing Automation Review Policy (“ARP Program”), and the system capacity, integrity, and security requirements of Rule 301(b)(6) of Reg ATS, with mandatory uniform requirements relating to the automated systems of “SCI entities,” which include certain self-regulatory organizations (“SROs”), ATSs, plan processors, and exempt clearing agencies subject to the ARP Program. The Proposing Release provided that SCI entities must, among other things:
- establish written policies and procedures reasonably designed to ensure that their systems have capacity, integrity, resiliency, availability, and security, and that they operate as intended;
- provide notice and reports to the Commission regarding certain systems-related events and take corrective action regarding such events, as necessary, and disseminate to members or participants information related to such events;
- mandate that members or participants participate in testing of business continuity and disaster recovery plans and coordinate testing on an industry- or sector-wide basis;
- conduct an objective annual review of their systems; and
- make, keep, and preserve certain books and records related to matters covered by Reg SCI.
In response to the concerns expressed in some of the 60 comment letters submitted regarding the Proposing Release that the scope of the proposal was unnecessarily broad and could be more tailored to lower compliance costs and still achieve the goal of reducing significant technology risk in the markets, the adopted, final rules reflect substantial changes from the original proposal. As a general matter, Reg SCI, as adopted, has been narrowed in numerous respects as the final rules use a risk-based approach and scaled back requirements to “provide the proper balance between requiring that the appropriate entities are subject to baseline standards for systems capacity, integrity, resiliency, availability, security, and compliance, while reducing the overall burden of the rule for all SCI entities.” Notable changes reflected in the adopted version of Reg SCI, and as described more fully below, include:
- tailoring various obligations based on the criticality of a system and based on the significance of an event by revising certain key definitions and introducing new defined terms;
- eliminating a safe harbor from liability for an SCI entity if it implements policies and procedures reasonably designed to ensure that its systems operate in the manner intended (the final rules continue to include a safe harbor for certain individuals);
- narrowing the definition of “SCI ATS” to exclude ATSs that trade only municipal securities or corporate debt securities;
- replacing the proposed 30-day advance reporting requirement for material systems changes with a quarterly reporting requirement;
- eliminating the proposed requirement to permit the Commission to directly access an SCI entity’s systems;
- requiring that an SCI entity submits a report evidencing its required SCI review to its senior management and board of directors;
- limiting the set of SCI entity members and participants required to participate in mandatory business continuity/disaster recover testing; and
- refining the reporting framework for SCI events by using a scaled approach that takes into account the nature of the severity of a particular event.
Although the adopted version of Reg SCI does not broaden the definition of an “SCI entity,” the Commission continues to indicate that it is considering an “SCI-like” framework that would apply more broadly to other market participants. Specifically, SEC Chair White “directed the [SEC] staff to prepare recommendations for the Commission’s consideration as to whether an SCI-like framework should be developed for other key market participants, such as broker-dealers and transfer agents.” SEC Commissioner Aguilar supported a broader framework, particularly one that applies to key market participants, such as “broker-dealers, that operate proprietary trading platforms” and “broker-dealers and other entities that run proprietary trading algorithms.” These comments reflect the Commission’s continued focus on reforming the equity markets and further regulating key market participants, such as market makers and those using high frequency and/or algorithmic trading strategies.
Reg SCI will become effective on February 3, 2015. SCI entities must comply with the rule by November 3, 2015, nine months after the effective date. ATSs that meet the volume thresholds in the definition of “SCI ATS” for the first time are permitted an additional six months from the time that they first meet the applicable volume threshold to comply with Reg SCI. SCI entities must comply with the industry or sector wide testing requirements by November 3, 2016.