At an open meeting on November 3rd, the Securities and Exchange Commission (the “SEC” or the “Commission”) unanimously approved Rule 15c3-5 (the “Rule”) under the Securities Exchange Act of 1934, as amended.1 The Rule, which was proposed in January,2 will require broker-dealers with access to an exchange or alternative trading system (“ATS”) by virtue of being a member or subscriber (“market access”), including those who provide sponsored or direct market access3 to customers or others (“sponsoring broker-dealers”),4 to establish, document, and maintain a system of risk management controls and supervisory procedures (“controls and procedures”) that are reasonably designed to (1) systematically limit the brokerdealer’s financial exposure resulting from providing such access to customers, and (2) ensure compliance with applicable regulatory requirements.

The requisite controls and procedures must be reasonably designed to prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds, or that appear to be erroneous, and must be reasonably designed to prevent the entry of orders unless there has been compliance with all necessary pre-trade regulatory requirements,5 prevent entry of orders that the broker-dealer or customer is restricted from trading, restrict market access technology and systems to authorized persons, and assure that immediate post-trade execution reports are available to the appropriate surveillance personnel. The goal is to place on broker-dealers, including those providing customers and other market participants with access to the markets, sole responsibility for controlling the risks associated with having and providing such access. The Rule effectively prohibits giving customers “unfiltered” sponsored access — access without the application of any pre-trade filters or controls — by requiring the controls and procedures to be under the “direct and exclusive control” of the broker-dealer with market access (except for a limited exception to allow reasonable allocation of certain controls and procedures to another registered broker-dealer). The Rule will cover all securities, including equities, options, exchange-traded funds, and debt securities.  

The Rule reflects the SEC’s concerns that the speed and automation of today’s markets, and the increasing number of arrangements under which broker-dealers permit customers and others to trade in those markets using the broker-dealers’ market participant identifiers (“MPIDs”),6 has significantly increased the financial and regulatory risks inherent in such activity to a level that is not appropriately and effectively controlled. According to the SEC, sponsored access, especially unfiltered access, increases the possibility that the risks inherent in placing orders will not be appropriately managed, especially where the sponsoring broker-dealer relies solely on assurances from its customer that the customer has appropriate risk controls without any independent investigation into their existence or effectiveness. At the open meeting, SEC Chairman Mary L. Schapiro said that “I have previously likened unfiltered access to giving your car keys to a friend who doesn’t have a license and letting him drive unaccompanied,” and that “[t]his rule requires that broker-dealers not only remain in the car, but also maintain control of it so we can all be assured the rules of the road will be observed before the car is ever put into drive.” The Adopting Release points to the May 6, 2010 “flash crash” as an example of this.7  

According to the SEC, it is critical for broker-dealers (which are the only entities that may become members of exchanges, and constitute the majority of ATS subscribers), to take responsibility for controlling those to whom they provide such access. The SEC believes that controls and procedures that are not applied on a pre-trade basis and that are not under the exclusive control of the sponsoring broker-dealer are inadequate (except in certain limited circumstances) to effectively address the risks of market access arrangements, and pose a particularly significant vulnerability in the U.S. national market system. The Rule will thus require controls to be applied on an automated, pre-trade basis, under the “direct and exclusive control” of the sponsoring broker-dealer. The required controls and procedures also must include adequate security procedures to assure that only authorized, appropriately trained personnel have access to the sponsoring broker-dealer’s systems, in order to minimize the risk of order entry errors and inappropriate or malicious trading activity.  

The SEC did provide an exception from the “direct and exclusive control” requirement that allows a sponsoring broker-dealer to reasonably allocate to a customer that is itself a registered broker-dealer, by written contract after a thorough due diligence review, control over specific regulatory risk management controls and procedures (but not financial risk management controls and procedures), provided that the sponsoring brokerdealer has a reasonable basis for determining that its brokerdealer customer has better access to the ultimate customer and its trading information, and thus can more effectively implement the necessary controls and procedures. However, the sponsoring broker-dealer will continue to have overall responsibility to establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of market access.  

Sponsoring broker-dealers will be permitted to use risk management tools and technology provided by a third party that is independent of the customer, provided that the sponsoring broker-dealer has direct and exclusive control over the tools and technology, and performs appropriate due diligence. This includes outsourcing the design and building of the tools and technology, the monitoring of controls, and the performance of routine maintenance and technology upgrades, provided that the sponsoring broker-dealer performs appropriate due diligence as to their effectiveness. Risk management tools and technology may be located at the third party’s facilities, so long as the brokerdealer can directly monitor their operation and has the exclusive ability to make adjustments.8 Independent third parties may be other broker-dealers, exchanges, ATSs, service bureaus, or other entities, provided that they are not affiliates of, and are otherwise independent of, the customer. In all such cases, the broker-dealer remains fully responsible for the effectiveness of the controls.  

The sponsoring broker-dealer will also be required to establish, document, and maintain a system for regularly reviewing the effectiveness of its controls and procedures, and for promptly addressing issues, and will be required to perform and document, at least annually, a review of its activities relating to market access to ensure the overall effectiveness of the controls and procedures. The sponsoring broker-dealer’s Chief Executive Officer will be required to certify annually that the controls and procedures comply with the Rule and that the required review has been conducted.

The Rule will be effective 60 days from the date of the Adopting Release’s publication in the Federal Register, which is expected shortly. Once effective, broker-dealers subject to the Rule will have six months to comply with its requirements.