On November 19, 2014, the U.S. Securities and Exchange Commission (SEC) voted unanimously to adopt Regulation Systems Compliance and Integrity (Reg. SCI) under the Securities Exchange Act of 1934, as amended (Exchange Act). Reg. SCI requires covered entities (SCI entities), including national securities exchanges, clearing agencies, the Financial Industry Regulatory Authority (FINRA) and certain alternative trading systems (SCI ATSs), to, among other things, establish robust technology controls and promptly address and report technology-related problems.
No Current Application to Broker-Dealers — But the SEC Will Consider Expanding the Framework
In proposing Reg. SCI, the SEC sought comment on whether to apply the regulation to broker-dealers. While the SEC ultimately chose not to do so, broker-dealers should be aware of continued support for potential expansion of Reg. SCI among some Commissioners. At the SEC’s November 19, 2014, meeting, Commissioners Aguilar and Stein indicated they may favor extending the reach of Reg. SCI to broker-dealers and transfer agents. In addition, Chair Mary Jo White announced that she directed the SEC staff to prepare recommendations as to whether there should be requirements similar to Reg. SCI for broker-dealers and other market participants because of the risks they pose to the securities markets should they experience disruptions.
If the SEC decides to extend Reg. SCI or a similar framework to broker-dealers and other market participants, justifying the imposition of the associated costs is likely to be a significant consideration in the rulemaking process. Due to statutory obligations governing the SEC’s rulemaking, the agency will have to consider the burden on competition and the promotion of efficiency, competition and capital formation associated with any comprehensive set of mandatory technology requirements for broker-dealers. For a number of reasons, justifying the costs of adding such a framework may prove challenging. As stated by Commissioner Gallagher, broker-dealers already possess strong, natural market incentives to establish and maintain resilient and secure automated systems. High-profile technology disruptions at financial institutions have recently shown that a failure to make successful systems operations a top priority can rapidly cause major reputational damage and financial loss. Because broker-dealers generally do not consolidate and process securities transactions on the same scale, and therefore do not pose exactly the same risks, as national securities exchanges, clearing agencies, or NMS plan processors, it is also likely, as a practical matter, that the social, political and regulatory interest in ensuring their continued operations will not be as strong. Moreover, the SEC already has in place certain broker-dealer-specific requirements that, while more narrowly focused than Reg. SCI, are similarly designed to address risks associated with the pervasive use of technology in today’s securities markets.
Specifically, the SEC release adopting Rule 15c3-5 provides that broker-dealers with market access must have appropriate risk management controls and supervisory procedures to prevent trading errors and ensure compliance with applicable regulatory requirements, “so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets, and the stability of the financial system.”
As an example of the SEC’s deliberative process regarding the reach of Reg. SCI, the SEC concluded in designating SCI ATSs as SCI entities that Rule 15c3-5 was an inadequate substitute for the broader range of Reg. SCI requirements because of the role that SCI ATSs play “as markets and a potential significant source of liquidity.” Considering the extent to which broker-dealers, transfer agents, and other market participants do not play these same roles or pose similar risks, it may be more difficult for the SEC to justify extending Reg. SCI or establishing an analogous framework. The adopting release acknowledged this to a degree in stating that although a number of market participants could pose risks to the securities markets if they experience systems issues, “given the potential costs of compliance,” Reg. SCI should focus at this time only on entities that “because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue.”
Indirect Effects for Broker-Dealers and Other Market Participants
Although not directly subject to Reg. SCI, broker-dealers and certain other market participants will nevertheless be impacted by its requirements.
SCI Systems, Critical SCI Systems and Indirect SCI Systems. As described in more detail in the Reg. SCI overview section below, the requirements of Reg. SCI apply to “SCI systems,” “critical SCI systems,” and “indirect SCI systems.” Reg. SCI defines each of these terms to include certain systems operated on behalf of an SCI entity. Thus, although an SCI entity may outsource operation of certain systems, those systems may nevertheless fall within the scope of Reg. SCI. While an SCI entity retains ultimate responsibility for ensuring that all Reg. SCI requirements applicable to its outsourced systems are met, third parties, which may include broker-dealers, that operate these systems will need to work with the SCI entities to facilitate compliance, and they may incur costs in doing so. Those costs may include, for example, significant systems upgrades, submission to regulatory audits, and certification of compliance with certain aspects of Reg. SCI.
Business Continuity and Disaster Recovery Testing. SCI entities will be required at least once every 12 months to test their disaster recovery and business continuity plans and to coordinate that testing with certain of their members and participants and other SCI entities. In adopting this requirement, the SEC noted its belief that “a factor in the shutdown of the equities and options markets in the wake of Superstorm Sandy was the exchanges’ belief regarding the inability of some market participants to operate from the backup facilities of all market centers.” The testing requirement obligates SCI entities to develop standards to designate, in the event that a disaster recovery or business continuity plan is activated, the members or participants the SCI entity reasonably believes would represent the class, taken as a whole, of members and participants that would be necessary for the maintenance of fair and orderly markets.
Broker-dealers and other market participants that are chosen by an SCI entity or multiple SCI entities to participate in the business continuity and disaster recovery testing will incur associated costs. The extent to which resources will need to be deployed will depend in large part on the scope of the business continuity and disaster recovery testing ultimately developed and performed by the particular SCI entity and how many SCI entities designate a participant that is common across multiple SCI entities. The SEC recognized that Reg. SCI will likely lead to greater costs on a firm that is designated by multiple SCI entities. However, the SEC indicated its belief that “these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such SCI entity’s [business continuity and disaster recovery] plans is necessary to evaluate whether such plans are reliable and effective.”
Overview of Regulation SCI
Who and What Is Covered: SCI entities, SCI systems, and SCI events
- SCI entities. Reg. SCI applies to SCI entities. This term captures any SCI self-regulatory organization, which includes all national securities exchanges and clearing agencies registered with the SEC, FINRA and the Municipal Securities Rulemaking Board. SCI entities also include any SCI ATS, any processor for NMS plans, and any clearing agency that is exempt from registration and subject to the SEC’s Automation Review Policy.
- SCI systems. Reg. SCI applies to SCI systems, which encompass those systems that directly support six areas traditionally considered to be central to the functioning of the U.S. securities markets. SCI systems include all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support: (1) trading; (2) clearance and settlement; (3) order routing; (4) market data; (5) market regulation; or (6) market surveillance.
- Critical SCI systems and indirect SCI systems. Certain sub-categories of SCI system will be subject to particular requirements of Reg. SCI. First, critical SCI systems will be subject to heightened resilience and information dissemination requirements in recognition of the high risk they pose to the markets in the event of a systems issue. Critical SCI systems are SCI systems of, or operated by or on behalf of, an SCI entity that directly support: (1) clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of consolidated market data (i.e., securities information processors); and (6) exclusively-listed securities. Also included are SCI systems that provide functionality to the securities markets and for which the availability of alternatives is significantly limited or non-existent and without which there would be a material impact on fair and orderly markets. Second, indirect SCI systems, which are systems of an SCI entity, or any other system that an SCI entity operates or that is operated on its behalf, that if breached would reasonably pose a security threat to the SCI systems of an SCI entity, will be subject to other requirements under Reg. SCI.
- SCI events. An “SCI event” requires SCI entities to take certain actions. The term SCI event includes (1) “systems disruptions,” (2) “systems compliance issues” and (3) “systems intrusions.” A systems disruption is any event in the SCI systems of an SCI entity that disrupts or significantly degrades the operation of that SCI system. A systems compliance issue is an event that causes an SCI system of an SCI entity to operate in a manner that does not comply with the Exchange Act, the SCI entity’s own rules, or its governing documents. A systems intrusion is any unauthorized entry into an SCI system or indirect SCI system of an SCI entity.
Policy and Procedure Requirements
- Operational Capability. Each SCI entity must have written policies and procedures that are reasonably designed to ensure that its SCI systems, and for purposes of security standards, its indirect SCI systems, have levels of capacity, integrity, resiliency, availability and security that are adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Policies and procedures will be considered “reasonably designed” if they are consistent with current industry standards (“SCI industry standards”). Contemporaneous with the adoption of Reg. SCI, the SEC staff issued an initial set of publications, processes, guidelines, frameworks and standards for SCI entities to use as guidance in developing their policies and procedures.
This operational capability requirement is generally intended as a risk-based approach that will allow an SCI entity to tailor its policies and procedures to the relative criticality of an SCI system or indirect SCI system. However, there are seven minimum requirements that the policies and procedures must satisfy.
- Systems Compliance. Each SCI entity will also be required to have written policies and procedures that are reasonably designed to ensure its systems operate in a manner that complies with the Exchange Act, SEC rules, and the rules and governing documents of the SCI entity. These policies and procedures will also be subject to four minimum requirements. SCI entities will be required to periodically review the effectiveness of the policies and procedures regarding systems compliance and to take prompt action to remedy deficiencies.
- Safe Harbor Regarding Systems Compliance. Under Reg. SCI, personnel of an SCI entity, including contractors, consultants and other personnel who are not SCI entity employees, will not be liable for aiding, abetting, counseling, commanding, causing, inducing or procuring a systems compliance violation by the SCI entity so long as (i) the person reasonably discharged the duties and obligations incumbent upon him or her by the SCI entity’s policies and procedures and (ii) he or she was without reasonable cause to believe that the policies and procedures relating to an SCI system, for which he or she was responsible or over which he or she had supervisory responsibility, were not established, maintained or enforced in accordance with Rule 1001(b) in any material respect. Personnel of an SCI entity who are not responsible for and do not have supervisory responsibility over SCI systems will meet the requirements of the safe harbor if they reasonably discharge the duties and obligations incumbent on them as specified in prong (i). Personnel who are responsible for or have supervisory responsibility over an SCI system must also satisfy the requirements of prong (ii).
Obligations Related to SCI Events
SCI entities are also required to have certain policies and procedures related to senior managers, and their designees, who have responsibility for SCI systems or indirect SCI systems (“responsible SCI personnel”). Whenever responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, the SCI entity will be required to take certain corrective action, maintain certain records, notify the SEC and disseminate certain information, as described in greater detail below.
- Corrective Action. If responsible SCI personnel have a reasonable basis to conclude that an SCI event occurred, the SCI entity must begin to take corrective actions, including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedying the SCI event as soon as reasonably practicable.
- SEC Notification. Upon responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, the SCI entity will be required to provide the SEC with certain notifications within specified time frames.
- Recordkeeping. SCI entities will not be required to report to the SEC de minimis SCI events. Instead, an SCI entity must make, keep, and preserve records relating to all de minimis SCI events and provide summary descriptions of de minimis systems disruptions and de minimis systems intrusions through quarterly reports to the SEC.
- Information Dissemination. SCI entities are required to disseminate information regarding an SCI event to certain of their members or participants. The scope of the dissemination will depend on whether the event has an impact on critical SCI systems or a significant impact on the SCI entity’s operations or on market participants (“major SCI events”). In the case of a major SCI event, an SCI entity must promptly disseminate information concerning the event to all its members and participants. In all other cases, an SCI entity must promptly disseminate information concerning the SCI event only to members and participants the SCI entity reasonably estimates are affected by the event.
Material Systems Changes and Periodic SEC Reports
SCI entities are required to submit quarterly reports to the SEC that describe completed, ongoing and planned material changes to SCI systems or to the security of indirect SCI systems. In addition, at least annually, SCI entities must review their compliance with Reg. SCI and submit related reports to senior management, their boards of directors and the SEC.
The final rules will become effective Tuesday, February 3, 2015 (Effective Date). The compliance date, however, for the Reg. SCI requirements will generally be Tuesday, November 3, 2015, nine months after the Effective Date. Two exceptions provide separate and longer-term compliance dates for requirements applicable to SCI ATSs and industry- or sector-wide testing by SCI entities. The compliance date for an SCI ATS will be six months from the time it first meets the relevant volume threshold that causes it to be covered by Reg. SCI. The compliance date for industry- or sector-wide testing of business continuity and disaster recovery plans by SCI entities is Thursday, November 3, 2016, 21 months after the Effective Date.