Securities and Exchange Commission
The Securities and Exchange Commission has unanimously proposed new rules to require certain key market participants to have comprehensive policies and procedures in place surrounding their technological systems.
The SEC’s proposal called Regulation SCI would replace the current voluntary compliance program with enforceable rules designed to better insulate the markets from vulnerabilities posed by systems technology issues.
Self-regulatory organizations, certain alternative trading systems, plan processors, and certain exempt clearing agencies would be required to carefully design, develop, test, maintain, and surveil systems that are integral to their operations. The proposed rules would require them to ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events.
“While it’s not possible to prevent every technological error that market participants may commit, we must ensure that our regulations are designed to minimize their impact on our markets and ultimately investors,” said SEC Chairman Elisse B. Walter. “Reg SCI would provide more explicit technology and control standards to help ensure that our markets remain resilient against technological vulnerabilities.”
The SEC will seek public comment on Reg SCI for 60 days following its publication in the Federal Register.
Today’s securities markets rely extensively on technology more than ever before. As with any industry, the consequences can be significant when technology goes awry.
The high-speed automated trading that occurs both on national securities exchanges and alternative trading systems has heightened the potential for a technological problem to broadly impact the market.
Following the Flash Crash in May 2010, the SEC approved a series of measures to help limit the impact of such technological errors. For instance, the SEC approved rules to halt trading when a stock price falls too far, too fast as well as rules to provide certainty in advance of when an erroneous trade would be broken and rules to eliminate stub quotes.
Additionally, the SEC approved a rule known as the market access rule, which requires brokers and dealers with market access to put in place risk management controls and supervisory procedures designed to manage the financial, regulatory, and other risks posed to the markets by a malfunctioning of their technological systems.
Automation Review Policy
There are no mandatory rules governing the automated systems of self-regulatory organizations, such as national securities exchanges, clearing agencies, FINRA, and the MSRB. Instead, for the past two decades, they have followed a voluntary set of principles articulated in the SEC’s Automation Review Policy and participated in what is known as the ARP Inspection Program.
Recent technological issues in the securities markets including those that arose during the initial public offerings of Facebook and BATS Global Markets as well as the Knight Capital trading incident have shown that investors can be put at risk when technology fails, and confidence in the markets can falter.
The SEC convened a roundtable in October 2012 to discuss how market participants could prevent or at least mitigate systems issues, and how the response to such issues could be improved. The market closures following Superstorm Sandy also highlight the importance of having a robust market technology infrastructure. These events and discussions have helped shape the development of the rulemaking being proposed today.
Proposed Rule – Regulation SCI
The set of rules proposed by the Commission – called Regulation Systems Compliance and Integrity (Regulation SCI) – would formalize and make mandatory many of the provisions of the SEC’s Automation Review Policy that have developed during the last two decades. The proposed rule applies the policy and proposes additional measures to entities at the heart of U.S. securities market infrastructure in order to protect that infrastructure.
Regulation SCI would seek to ensure:
- Core technology of national securities exchanges, significant alternative trading systems, clearing agencies, and plan processors meet certain standards.
- These entities conduct business continuity testing with their members or participants.
- These entities provide certain notifications regarding systems disruptions and other types of systems issues.
Regulation SCI is intended to reduce the chance of technology problems occurring in the first place and ensure that key entities are well-positioned to take appropriate corrective action if problems do occur.
The proposed rule would apply to “SCI entities,” a term that would include:
- Self-regulatory organizations (the registered national securities exchanges, registered clearing agencies, FINRA, and MSRB).
- Alternative trading systems that exceed specified volume thresholds (SCI ATSs).
- Disseminators of market data under certain National Market Systems plans (“plan processors”).
- Certain clearing agencies exempt from SEC registration.
It would apply primarily to the systems of SCI entities that are core to the functioning of the securities markets, such as those that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.
Under the proposed rule, each SCI entity would be required among other things to:
- Establish policies and procedures relating to the capacity, integrity, resiliency and security of its technology systems.
- Establish policies and procedures to ensure its systems operate in the manner intended, including in compliance with relevant federal securities laws and rules.
- Take timely corrective action in response to systems disruptions, systems compliance issues and systems intrusions.
- Notify and provide the SEC with detailed information when such systems issues occur as well as when there are material changes in its systems. Written notices would be filed electronically on new Form SCI.
- Inform its members or participants about certain systems problems and provide information about the systems and market participants affected by the problem and the progress of corrective action.
- Conduct an annual review of its compliance with Regulation SCI, and submit a report of the annual review to its senior management and the SEC.
- Designate certain individuals or firms to participate in the testing of its business continuity and disaster recovery plans at least once annually, and coordinate such testing with other entities on an industry- or sector-wide basis.
- Provide SEC staff with access to its systems to assess compliance with Regulation SCI.
A 60-day public comment period will follow Reg SCI’s publication in the Federal Register.