SEC Adopts Regulation SCI to Strengthen Securities Market Infrastructure

Annette Nazareth is a partner in the Financial Institutions Group at Davis Polk & Wardwell LLP, and a former commissioner at the U.S. Securities and Exchange Commission. The following post is based on a Davis Polk client memorandum by Ms. Nazareth, Lanny A. Schwartz, Jeffrey T. Dinwoodie, and Zachary J. Zweihorn.

On November 19, 2014, the Securities and Exchange Commission unanimously voted to adopt Regulation Systems Compliance and Integrity (“Regulation SCI”), a set of rules designed to strengthen the technology infrastructure of the U.S. securities markets. Regulation SCI replaces and builds on the SEC’s voluntary Automation Review Policy, which currently applies mainly to national securities exchanges, expanding upon existing practices and making them mandatory. Regulation SCI will apply to operators of certain alternative trading systems (“ATSs”), market data information providers and clearing agencies, in addition to national securities exchanges, subjecting these entities and, indirectly, certain officers to extensive new compliance obligations, with the goals of reducing the occurrence of technical issues that disrupt the securities markets and improving recovery time when disruptions occur.

Regulation SCI will take effect 60 days after its publication in the Federal Register, which is expected to occur shortly, with most compliance requirements taking effect nine months thereafter.

Background

Regulation SCI, which was adopted under the Securities Exchange Act of 1934 (the “Exchange Act”), is the centerpiece of the SEC’s response to the multiple high-profile disruptions in the U.S. securities markets that have occurred over the last several years—including, among others, technology failures impacting the initial public offering of Facebook, the August 2013 halt in the trading of Nasdaq-listed securities and the two-day closure of the U.S. securities markets following Hurricane Sandy in October 2012.

Summary of Regulation SCI

Regulation SCI applies to national securities exchanges, higher-volume equity ATSs, FINRA, securities information processors, each registered and one exempt clearing agency, and the Municipal Securities Rulemaking Board (“SCI Entities”). The SEC decided not to apply Regulation SCI to ATSs that trade only fixed-income securities, as it had proposed, out of a concern that this could discourage the greater adoption of automation in the fixed-income markets. In addition, despite the reported urging of two Commissioners, Regulation SCI will not apply to broker-dealers operating high-volume proprietary trading platforms, although Chair White has directed the SEC staff to prepare recommendations as to whether a similar framework should be developed for other key market participants, such as registered broker-dealers.

Regulation SCI will require, among other things, that SCI Entities comply with the following:

  • Systems Integrity and Security. Each SCI Entity will be required to implement reasonably designed written policies and procedures, with specific required elements, to ensure that its “SCI Systems,” as well as its “Indirect SCI Systems,” are able to maintain the SCI Entity’s operational capabilities and promote fair and orderly markets. “SCI Systems” are an SCI Entity’s systems that support trading, clearance and settlement, order routing, market data (both consolidated and proprietary), market regulation and market surveillance, while “Indirect SCI Systems” are those systems of the SCI Entity, or those of a third party operated by or on behalf of an SCI Entity, that, if breached, would be reasonably likely to pose a security threat to SCI Systems. The SCI Entity’s policies and procedures must include, among other things, business continuity and disaster recovery plans that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of certain “critical SCI systems” following a wide-scale disruption. An SCI Entity’s policies and procedures would be deemed reasonably designed if they are consistent with widely recognized industry standards, examples of which have been published by the SEC staff.
  • Systems Compliance. Each SCI Entity will be required to implement reasonably designed written policies and procedures, with specific required elements, to ensure that its SCI Systems operate in a manner that complies with the Exchange Act, the rules thereunder, and the SCI Entity’s own rules.
  • SCI Event Response. In the event of a systems disruption, systems compliance issue or systems intrusion (each, an “SCI Event”), Regulation SCI will generally require that an SCI Entity (i) take corrective action, including to mitigate harm to investors and market integrity, (ii) provide the SEC with “immediate” notice and more detailed status updates and a final report regarding the SCI Event on new electronic Form SCI, and (iii) promptly disseminate information and provide regular updates to the SCI Entity’s affected members or participants (or, for certain major SCI Events, to all of its members or participants), other than with respect to market regulation or surveillance systems. However, where the SCI Event would have no or a de minimis impact on the SCI Entity’s operations or market participants, SEC notification and information dissemination will not be required. SCI Entities will be required to maintain records regarding all such events and provide the SEC with a quarterly report, also on Form SCI, regarding systems disruptions and systems intrusions.
  • Notification of Systems Changes. Each SCI Entity will be required to provide the SEC with a quarterly report on Form SCI regarding completed, ongoing and planned material changes to its SCI Systems and the security of its Indirect SCI Systems.
  • Annual SCI Review. Each SCI Entity will be required to conduct an annual review of its compliance with Regulation SCI (with systems penetration tests and assessments of market regulation and market surveillance systems being conducted at least every three years) and submit a report of the review to the SCI Entity’s senior management, and ultimately to its board of directors and the SEC.
  • Business Continuity Testing. Each SCI Entity will be required to participate in at least annual testing of the SCI Entity’s business continuity and disaster recovery plans, in coordination with industry or sector-wide testing with other SCI Entities. An SCI Entity will be required to designate which of its members or participants must participate in testing.
  • Application to SCI Entity Personnel. Each SCI Entity will be required to implement reasonably designed written policies and procedures for identifying and designating “responsible SCI personnel” with respect to each SCI System and Indirect SCI System, as well as escalation procedures to quickly inform responsible SCI personnel of potential SCI Events. Regulation SCI will effectively place regulatory responsibilities on these designated individuals, as many obligations under Regulation SCI (e.g., taking prompt corrective action, notifying the SEC, disseminating SCI Event information) are triggered based on the time when responsible SCI personnel have a “reasonable basis to conclude” that an SCI Event has occurred. To provide some comfort against the risk of personal liability, the rule provides a safe harbor for SCI Entity personnel for secondary violations of the systems compliance provisions of Regulation SCI (e.g., aiding and abetting a violation by the SCI Entity of such provisions) where the person reasonably discharged his or her duties under the SCI Entity’s policies and procedures and did not have reasonable cause to believe that the policies and procedures for which such person had responsibility were not established, maintained or enforced.
  • Service Bureaus. Regulation SCI requires SCI Entities to maintain and make available to the SEC records relating to their compliance with Regulation SCI, but allows such records to be kept by a third-party service bureau. Such an arrangement is formalized through the submission of a written undertaking to the SEC, and must provide for adequate access to the SCI Entity’s records. The use of a service bureau does not relieve an SCI Entity of the obligation to prepare, maintain and provide the SEC with access to its records.

Conclusion

While it remains to be seen whether Regulation SCI will succeed at its goal of reducing the incidence or severity of market disruptions, and at what costs, the SEC has already indicated that it may consider expanding the scope of Regulation SCI to other market participants—such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies and transfer agents. In light of the increased use of automation technologies by all market participants, even non-SCI Entities should monitor the impact of Regulation SCI, as it may become a model for future SEC efforts to oversee the use of technology by all market participants.
