The SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) on November 3, 2015 to improve regulatory standards and processes related to technology in the securities business, including technology used by financial services firms. Regulation SCI was originally proposed in March 2013. Security and standards related to technological processes, data storage and systems have been a top priority of the SEC over the last few years and continue to be so this year.
Background
Technology has transformed the securities industry over recent years, both in the area of regulatory oversight, such as through algorithms that spot trading anomalies that could indicate manipulation and/or insider trading, and for market participants, through enhanced speed, capacity, efficiency and sophistication of trading abilities. Enhanced technology carries the corresponding risk of failures, disruptions and, of course, hacking and intrusions. Moreover, because U.S. securities market systems are interconnected, an issue with one entity or system can have widespread consequences for all market participants.
Regulation SCI was proposed and adopted to require key market participants to have comprehensive written policies and procedures to ensure the security and resilience of their technological systems, to ensure systems operate in compliance with federal securities laws, to provide for review and testing of such systems and to provide for notices and reports to the SEC. Key market participants generally include national securities exchanges and associations, significant alternative trading systems (such as OTC Markets, which has confirmed that it is in compliance with the Regulation), clearing agencies, and plan processors.
Prior to enactment of Regulation SCI, there was no formal regulatory oversight of the technological systems of the U.S. securities markets. Rather, oversight was historically through a voluntary Automation Review Policy (“ARP”). Under the ARP, the SEC created an ARP Inspection Program as well as policy statements and ongoing guidance. Compliance with ARP policies has been included in rules over the years, including Regulation ATS for high-volume automated trading systems. Although most major market participants, including SROs and national exchanges, participated in the ARP program, it remained voluntary and the SEC had no power to ensure compliance or enforce standards.
In recent years technology has outpaced the ARP program’s reach. Today the U.S. securities markets are almost entirely electronic and, as noted in the SEC rule release, “highly dependent on sophisticated trading and other technology, including complex and interconnected routing, market data, regulatory, surveillance and other systems.” The need for a codified regulatory system has been amplified by real-world issues such as, for example, the effects of Hurricane Sandy on DTC and the markets in general; the multiple occasions of halting and delay of trading on exchanges due to systems issues; the highly publicized NYSE breakdown resulting in orders being booked at incorrect prices; as well as multiple well-known security breaches. In fact, the SEC rule release contains multiple pages of examples of breakdowns and issues with technology in the markets.
Overview of Regulation SCI
Regulation SCI consists of 7 rules (Rules 1000 through 1007) as follows: (i) Rule 1000 contains definitions, including the definition of an SCI entity; (ii) Rule 1001 contains the policies and procedures requirements for SCI entities for operational capability, the maintenance of fair and orderly markets and systems compliance; (iii) Rule 1002 contains the obligations of SCI entities when there is an SCI-defined event, including corrective measures, SEC notification and public notification; (iv) Rule 1003 contains requirements related to material changes and SCI reviews; (v) Rule 1004 contains requirements related to business continuity and disaster recovery testing; (vi) Rule 1005 contains recordkeeping requirements; (vii) Rule 1006 contains requirements related to electronic filings and submissions; and (viii) Rule 1007 contains requirements for service bureaus.
SCI Entities
Regulation SCI broadly defines an SCI Entity as “an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP” and then contains drilled-down definitions within the broad categories. Regulation SCI is meant to encompass and include any entity that is significant in the operation and maintenance of fair and orderly markets.
SCI self-regulatory organizations include registered national securities associations (FINRA being the only one), all national securities exchanges, registered clearing agencies (DTC) and the Municipal Securities Rulemaking Board (MSRB). As a side note, there are currently 18 registered national securities exchanges including: (1) BATS Exchange, Inc. (“BATS”); (2) BATS Y-Exchange, Inc. (“BATS-Y”); (3) Boston Options Exchange LLC (“BOX”); (4) CBOE; (5) C2; (6) Chicago Stock Exchange, Inc. (“CHX”); (7) EDGA Exchange, Inc. (“EDGA”); (8) EDGX Exchange, Inc. (“EDGX”); (9) International Securities Exchange, LLC (“ISE”); (10) Miami International Securities Exchange, LLC (“MIAX”); (11) NASDAQ OMX BX, Inc. (“Nasdaq OMX BX”); (12) NASDAQ OMX PHLX LLC (“Nasdaq OMX Phlx”); (13) Nasdaq; (14) National Stock Exchange, Inc. (“NSX”); (15) NYSE; (16) NYSE MKT; (17) NYSE Arca; and (18) ISE Gemini, LLC (“ISE Gemini”).
An SCI Alternative Trading System is defined by volume, broken down by NMS (National Market System) and non-NMS stocks, and generally includes an Alternative Trading System with 1% or more of the NMS stock volume or 5% or more of the non-NMS stock volume. Alternative Trading Systems which trade only municipal securities or corporate debt securities are excluded from the requirements. OTC Markets is an SCI Entity and has confirmed that it is in compliance with Regulation SCI.
Interestingly, broker-dealers are not included as SCI Entities. The SEC reasoned that all broker-dealers are subject to Rule 15c3-5 and other FINRA rules which impose requirements related to the capacity, integrity and security of the broker-dealers’ systems and technology. However, the SEC did note that some broker-dealers are large enough that they could pose a real market risk if their systems were to break down or be infiltrated. The SEC may amend the rules in the future to include these firms.
An SCI “plan processor” includes “any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.” There are currently four plan processors including the CTA Plan, CQS Plan, NASDAQ UTP Plan and OPRA Plan.
An “exempt clearing agency subject to ARP” includes “an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.” There is currently only one entity that meets this definition, Omgeo Matching Services – US, LLC.
In addition, Regulation SCI breaks systems down into three categories, including “SCI systems,” “critical SCI systems” and “indirect SCI systems,” meant to encompass systems and processes that are subject to heightened requirements, processes and procedures. “SCI Systems” include trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. In particular, an “SCI System” is defined as “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”
A “critical SCI system” is an SCI system that directly supports (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on primary trading markets; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data (i.e., SIPs); or (vi) exclusively listed securities. In addition, a “critical SCI system” is an SCI system that provides critical functionality to the market. An “indirect SCI system” is “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems” and such systems only have to comply with the Regulation SCI provisions related to security and intrusions.
SCI Events
An SCI Event is defined as “an event at an SCI entity that constitutes: (1) a systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.” A “systems disruption” is “an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.” A “systems compliance issue” is defined as “an event that has caused an SCI system to operate in a manner that does not comply with the [Securities Exchange] Act” and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable. A “systems intrusion” is defined as “any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.”
An SCI Event triggers certain obligations including taking corrective action, notifying the SEC and disseminating information. While the response to an SCI Event does not include a materiality analysis, it does include a risk-based analysis. Although the SEC provided exceptions to the reporting and information requirements for events that have de minimis or no impact on the SCI Entity’s operations or market participants, all disruptions require certain recordkeeping, assessment, and corrective measures regardless of how seemingly small they might be.
The SEC rightfully points out that outwardly inconsequential technological issues may later prove to have been a significant cause of larger issues. In addition, an SCI entity’s records of small events may prove useful to the SEC in identifying patterns, weaknesses or circumstances that result in significant issues. Along the same lines, the SEC requires recordkeeping and reporting related to both intentional and unintentional SCI Events.
Obligations of SCI Entities
Regulation SCI requires covered entities to establish written policies and procedures, with specific controls and systems that support trading, clearance and settlement, order routing, market data, market regulation and market surveillance. The written procedures must address levels of capacity, integrity, resiliency, availability and security. Such written policies must be designed to ensure that technological systems can maintain operations with minimal disruptions to the trading markets.
Regulation SCI also requires covered entities to comply with quarterly regulatory notification and reporting requirements and mandatory testing. Testing must include designated third parties and test business continuity and disaster recovery plans, including backup systems. SCI-covered entities must report any disruptions in their systems, compliance issues or system intrusions. The systems and technology of an SCI-covered entity must be reviewed annually by third-party qualified sources.
The specific systems obligations of SCI entities are laid out in Rules 1001-1004 of Regulation SCI. Rule 1001 contains the policy and procedure requirements with respect to operational capacity and maintenance of fair and orderly markets. Rule 1002 contains the obligations with respect to SCI events, including corrective action, SEC notification and information dissemination. Rule 1003 contains requirements related to material system changes, and SCI reviews. Finally, Rule 1004 contains requirements related to business continuity and disaster recovery plan testing.
Rule 1001 generally requires SCI entities to maintain reasonably designed policies and procedures to ensure the adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Guidance and discussion on the Rule indicate that the SEC has a risk-based approach requiring more robust policies and procedures for higher-risk systems. An SCI entity’s policies and procedures should ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities.
SCI policies and procedures must provide, at a minimum, (i) the establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology; (iv) regular reviews and testing, as applicable including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made disasters; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities that are sufficiently resilient and geographically diverse and are reasonably designed to achieve next-business-day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; (vi) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data (in this regard, a sample of reasonable standards is provided in Table A); and (vii) standards for monitoring SCI systems and making prompt changes as necessary.
Rule 1001 requires that SCI entities establish written policies and procedures designed to ensure that the entity complies with the Securities Exchange Act and the rules and regulations thereunder as well as the entity’s own governing documents. The Rule provides a non-exhaustive list of minimum elements that must be included in such compliance policies and procedures. These elements include: “(i) testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.”
Rule 1002 contains the obligations with respect to SCI events, including corrective action, SEC notification and information dissemination. Under the Rule, the designated responsible SCI personnel must take the required action upon reasonably confirming that an SCI event has occurred. As such, the SEC requires an SCI entity to have written policies and procedures that “include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.” Such “responsible SCI personnel” means “for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).”
The Rule contains in-depth and detailed discussion of corrective actions, notification requirements and information dissemination requirements. In essence, the SEC must be immediately notified of all SCI events other than de minimis events, although even de minimis events carry recordkeeping requirements and must be included in SCI reports. Until the SCI event is resolved, the SCI entity must keep the SEC regularly updated as to the progress of the investigation and resolution of the event, and must file a report with the SEC once the event is resolved. Subject to certain exceptions, the SCI entity must disseminate information to its members and participants regarding all SCI events.
Rule 1003 contains requirements related to material system changes and SCI reviews. In particular, Rule 1003 requires quarterly reports to the SEC describing completed, ongoing, and planned material systems changes to the entity’s SCI systems and to the security of its indirect SCI systems. Rule 1003 also requires, at a minimum, an annual review of an SCI entity’s compliance with Regulation SCI.
Rule 1004 contains requirements related to business continuity and disaster recovery plan testing. As with notification requirements, an SCI entity must designate certain personnel to complete business continuity and disaster recovery plan testing. In particular, the SCI entity must designate those members or participants “that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.” Such testing must be completed at least once every 12 months.
The recordkeeping and electronic filing requirements of Regulation SCI are laid out in Rules 1005 through 1007.
The Author
Laura Anthony, Esq.
Founding Partner
Legal & Compliance, LLC
Corporate, Securities and Going Public Attorneys
LAnthony@LegalAndCompliance.com
Securities attorney Laura Anthony and her experienced legal team provide ongoing corporate counsel to small and mid-size private companies, OTC and exchange-traded issuers, as well as private companies going public on the NASDAQ, NYSE MKT or over-the-counter market, such as the OTCQB and OTCQX. For nearly two decades Legal & Compliance, LLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients, including introductions to investment bankers, broker-dealers, institutional investors and other strategic alliances. The firm’s focus includes, but is not limited to, compliance with the Securities Act of 1933 offer, sale and registration requirements, including private placement transactions under Regulation D and Regulation S and PIPE transactions as well as registration statements on Forms S-1, S-8 and S-4; compliance with the reporting requirements of the Securities Exchange Act of 1934, including registration on Form 10, reporting on Forms 10-Q, 10-K and 8-K, and 14C Information and 14A Proxy Statements; Regulation A/A+ offerings; all forms of going public transactions; mergers and acquisitions, including both reverse mergers and forward mergers; applications to and compliance with the corporate governance requirements of securities exchanges including NASDAQ and NYSE MKT; crowdfunding; corporate matters; and general contract and business transactions. Moreover, Ms. Anthony and her firm represent both target and acquiring companies in reverse mergers and forward mergers, including the preparation of transaction documents such as merger agreements, share exchange agreements, stock purchase agreements, asset purchase agreements and reorganization agreements. Ms. Anthony’s legal team prepares the necessary documentation and assists in completing the requirements of federal and state securities laws and SROs such as FINRA and DTC for 15c2-11 applications, corporate name changes, reverse and forward splits and changes of domicile. Ms. Anthony is also the author of SecuritiesLawBlog.com, the OTC market’s top source for industry news, and the producer and host of LawCast.com, the securities law network. In addition to many other major metropolitan areas, the firm currently represents clients in New York, Las Vegas, Los Angeles, Miami, Boca Raton, West Palm Beach, Atlanta, Phoenix, Scottsdale, Charlotte, Cincinnati, Cleveland, Washington, D.C., Denver, Tampa, Detroit and Dallas.
Legal & Compliance, LLC makes this general information available for educational purposes only. The information is general in nature and does not constitute legal advice. Furthermore, the use of this information, and the sending or receipt of this information, does not create or constitute an attorney-client relationship between us. Therefore, your communication with us via this information in any form will not be considered as privileged or confidential.
This information is not intended to be advertising, and Legal & Compliance, LLC does not desire to represent anyone desiring representation based upon viewing this information in a jurisdiction where this information fails to comply with all laws and ethical rules of that jurisdiction. This information may only be reproduced in its entirety (without modification) for the individual reader’s personal and/or educational use and must include this notice.
© Legal & Compliance, LLC 2016