On November 19, 2014, the Securities and Exchange Commission (SEC) approved the adoption of Regulation Systems Compliance and Integrity (Reg SCI) under the Securities Exchange Act of 1934, as amended (Exchange Act).1 Reg SCI will supersede and replace the SEC’s current Automation Review Policy (ARP) and expand it to include additional SCI Entities.2
Reg SCI was proposed in response to a number of high-profile market events, including the "flash crash" of May 6, 2010, with the goal of protecting investors and the financial markets from technology disruptions and failures.3 The Proposing Release provided for comprehensive rules relating to automated systems used by "SCI entities." Such entities were defined to include:
- Most self-regulatory organizations, including FINRA;
- Certain alternative trading systems (ATSs) that exceeded prescribed thresholds relating to transaction volume (SCI ATSs);
- Plan processors (e.g., the SIPs); and
- Exempt clearing agencies subject to the ARP Program (e.g., Omgeo).
The Proposing Release placed a number of obligations on SCI entities and their employees, including the following:
- Supervisory Procedures Requirement: Establish written supervisory procedures relating to "the capacity, integrity, resiliency and security" of certain systems;
- SEC Event Reporting Requirement: Report "SCI Events" to the SEC including (i) systems disruptions, (ii) systems compliance issues and (iii) systems intrusions;
- Member Event Reporting Requirement: Report certain SCI Events to members and participants;
- Advance Notice Requirement: Provide 30-days’ notice to the SEC of any "material systems changes";
- Annual Review Requirement: Engage in an annual review of their compliance with Reg SCI and provide the results of the review to firm senior management and the SEC;
- Disaster Recovery Testing: Engage in annual business continuity and disaster recovery testing, coordinated with both designated members and participants and other SCI entities; and
- Direct Access Requirement: Provide SEC staff with remote or on-site access to SCI systems.
Reg SCI was adopted largely as proposed, although revisions were made to, among other things, the Annual Review Requirements and the definition of SCI ATS. Additionally, the Direct Access Requirement was not adopted.
Definition of SCI Entity
Expansion to Broker-Dealers
The Proposing Release sought comments regarding the expansion of Reg SCI to all broker-dealers, not just those that operate SCI ATSs. As adopted, the final rules will only apply to broker-dealers that operate SCI ATSs and certain "exchange-affiliated routing brokers that are facilities of national securities exchanges." However, SEC Chair Mary Jo White has directed SEC staff to "develop recommendations to expand Regulations SCI’s reach to additional market participants."4 As such, market participants should remain cognizant of the possible expansion of Reg SCI’s fundamental requirements to additional market participants, including broker-dealers that operate proprietary trading platforms and broker-dealers that run proprietary trading algorithms.5
Alternative Trading Systems
As adopted, Reg SCI will only apply to "SCI ATSs"6 and, in a departure from the Proposing Release, will not apply to platforms that trade exclusively municipal and/or corporate debt. The SEC anticipates that 14 ATSs will fall within the definition of "SCI ATS."7 It remains to be seen how the provisions of Reg SCI will be applied in practice to those systems of SCI ATS operators that are not primarily used in the operation of the SCI ATS.8
Advance Notice Requirement
Certain SEC reporting requirements have been altered in the adopted rule. For instance, the proposed 30-day advance reporting requirement for material systems changes has been replaced with a quarterly reporting requirement. As adopted, the quarterly reports must include "completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters."
This Direct Access Requirement, which was met with a number of comments from industry participants regarding potential security risks, was not adopted in the final rule. Rather, the SEC determined that existing record keeping requirements and examination authority are sufficient to evaluate SCI systems.
Supervisory Procedures Requirement
As proposed, Reg SCI required SCI entities to establish written policies and procedures relating to "the capacity, integrity, resiliency and security" of SCI systems. This requirement has largely been adopted as proposed, although the adopted rule now provides that SCI entities' policies and procedures must be, and remain, consistent with "SCI Industry Standards."
SCI Industry Standards were released concurrently with the Adopting Release9 and will be continually updated by SEC staff to account for future technology advances.10 SCI Industry Standards provide a "series of minimum standards [for SCI systems’] compliance policies and procedures." This includes, among other things, a requirement to "test all SCI systems, and modifications to such systems, before they are implemented."11
Annual Review Requirement
The Proposing Release provided that an SCI Entity’s annual review of its compliance with Reg SCI would be provided to senior management within the firm. As adopted, senior management involved in the annual review will have to certify that they have implemented policies and procedures reasonably designed to ensure compliance with Reg SCI. This requirement, which was not included in the Proposing Release, is similar to the CEO certification regarding market access controls and procedures required under Exchange Act rule 15c3-5.
Disaster Recovery Testing
As provided in the Proposing Release, SCI entities are required to engage in annual business continuity and disaster recovery testing, coordinated with both designated members and participants and other SCI entities. This has been adopted largely as proposed, although with certain technical revisions.
In the Proposing Release, SCI entities that developed and established appropriate policies, procedures and controls would have been entitled to a "safe harbor" from liability regarding their systems’ compliance with Reg SCI. Further, individuals who reasonably discharged their responsibilities under these procedures would be entitled to a safe harbor from individual liability. As adopted, the SCI entity safe harbor has been removed, although the safe harbor for individuals remains.
Reg SCI will become effective 60 days after publication in the Federal Register. SCI entities generally must comply with the requirements within nine months of the effective date. ATSs that satisfy the volume thresholds in the rules for the first time will be provided an additional six months from that time to comply. Further, SCI entities will have 21 months from the effective date to comply with the industry- or sector-wide coordinated testing requirement.