The Securities and Exchange Commission approved new rules—Regulation System Compliance or Reg SCI—aimed at improving the resiliency of the technological backbone of US securities markets and the SEC’s oversight of such infrastructures.

The SEC’s new rules will govern securities (but not securities futures) exchanges and clearing agencies, the Financial Industry Regulatory Authority, the Municipal Securities Rulemaking Board, securities information processors and alternative trading systems (so-called "dark pools"). However, the rules will only capture ATSs meeting certain minimum volume thresholds and exclude ATSs that trade solely municipal or corporate debt securities.

During her opening remarks at the November 19 SEC open meeting to announce Reg SCI, Chair Mary Jo White noted that the new rules require “technology controls” in five key areas. According to Ms. White:

The covered entities must implement policies and procedures to ensure that their market systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets. These entities also need to ensure that their policies and procedures are designed to ensure that their systems operate in compliance with the Exchange Act and their own rules. The rules also now specify a series of minimum standards for these compliance policies and procedures—an important enhancement from the [current] voluntary program.

The new rules, said Commissioner Luis Aguilar, will have specific requirements regarding change management and testing:

The final rules now mandate a set of minimum standards that include a requirement to test all SCI systems, and modifications to such systems, before they are implemented. SCI entities must also devise and implement a set of internal controls to govern all changes to SCI systems. These requirements are important because of the experience with market disruptions that resulted from software changes that were not sufficiently tested prior to implementation.

The rules have heightened requirements regarding so-called “critical SCI systems.” These are systems that support securities clearing agencies’ clearance and settlement systems; openings; reopenings and closings on the primary listed market; trading halts; initial public offerings; the dissemination of consolidated market data; or exclusively-listed securities. Critical SCI systems also include those that “[p]rovide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.”

At a minimum, policies and procedures regarding SCI systems must address planning estimates for current and future technological requirements; periodic stress tests to assess system performance and accuracy; system development and testing methodology; regular review and testing “to identify vulnerabilities pertaining to internal and external threats, physical hazards and natural or manmade disasters;” business continuity and disaster recovery;  standards to ensure that system design and maintenance accomodates “successful” handling of market data; and monitoring to identify breakdowns,  intrusions  and compliance issues – so-called “SCI Events.”

The rules also establish requirements regarding reporting of SCI Events to the SEC as well as organizations' members and market participants.

Under the new rules, covered market participants must report quarterly to the SEC about their systems changes and conduct an annual review of their compliance with Reg SCI using “objective personnel.” Reports of these annual reviews must be reviewed by certain enumerated senior managers (including, among others, the general counsel and the chief compliance officer) and filed with the SEC. Ultimately, the rule also requires mandatory industry- or sector-wide business continuity and disaster recovery plan testing.

Reg SCI will be effective 60 days after publication in the Federal Register, and covered entities must comply with applicable requirements by nine months afterwards. ATSs will have an additional six months for compliance after they first meet relevant volume thresholds. Entities will have 21 months after the rules’ effective date to comply with industry- or sector-wide testing requirements.

The SEC first issued a proposed version of Reg SCI in March 2013.

(Click here for additional information in the article “SEC Adopts Regulation Systems Compliance and Integrity Rules” in the November 21, 2014 edition of Corporate & Financial Weekly Digest by Katten Muchin Rosenman LLP.)

Compliance Weeds: Reg SCI may not be applicable to broker-dealers at this time, let alone many other participants in the financial services industry, but strong controls around technology and software are critical for all financial service participants. Not only is this mandatory as a matter of good business, but despite the lack of proscriptive regulations addressing requirements related to technology infrastructures, regulators are not timid to seek redress against market participants for breakdowns relying on other regulations in their arsenal. In just this edition of Bridging the Week, there are reports of Credit Suisse Securities in the United States and RBS Group companies in the United Kingdom being fined by regulators because of breakdowns related to their handling of proprietary software. Other prior editions have more examples of enforcement consequences for technology infrastructure breakdowns (click here to see another example in the article “Computer Coding Errors Result in Fines for Two SEC Registrants” in the January 27 to 31 and February 3, 2014 edition of Bridging the Week). It is critical that firms review their technology-related policies and procedures, particularly around system capacity and robustness; software development and amendment, and business continuity and disaster recovery, all along the general principles of Reg SCI. Procedures also need to exist outlining what to do when things go wrong (including notifications) particularly setting forth strict time frames by when firms will switch to disaster recovery mode. Compliance with these procedures should be formally reviewed on a regular basis.