SEC Approves Rule Requiring Technology Safeguards

Despite concerns that it may be too limited in its current form, the Securities and Exchange Commission on Tuesday unanimously approved Regulation SCI, new rules intended strengthen the technology infrastructure of securities markets, improve their resilience, and enhance the Commissions’ ability to oversee them.

Regulation SCI (the acronym stands for “systems, compliance, and integrity”) requires exchanges and clearing houses to have policies and procedures in place to maintain and secure their technology. It replaces a voluntary program for exchanges and self-regulatory organizations that dates back to 1989. In particular, the rule looks to minimize the affect of So-called “flash crashes” that have become more common as automated trading gets faster and faster.

The final rule requires covered firms to ensure that their systems have adequate levels of “capacity, integrity, resiliency, availability, and security.” It also requires testing business continuity and disaster recovery plans on at least an annual basis.

The rule applies to exchanges, clearing agencies, FINRA, the Municipal Securities Rulemaking Board, and securities information processors (SIPs), clearing agencies otherwise exempt from SEC registration, and certain alternative trading systems. All records related to Regulation SCI must be maintained and available to SEC examiners upon request. Notifications and reports will be made electronically, using a proposed Form SCI.

SEC Chair Mary Jo White called the new rule “a major step forward in what is–and must be–a continuous process of enhancing the technological infrastructure of our markets.”

White addressed the rule’s limited treatment of alternative trading systems. The rule’s risk-based approach focuses on large-volume platforms and does not include smaller equity platforms that, on average account for less than 0.2 percent of the consolidated dollar volume in National Market System stocks, she explained. When a platform develops volume significant enough to affect trading across the market or even in a single security, the controls of Regulation SCI will be triggered.

The rule also exempts platforms that trade exclusively in corporate and municipal debt securities. Because they rely much less on automation and electronic trading, the benefits of applying Regulation SCI to them is comparatively low, White said.

Commissioner Luis Aguilar said many of his initial concerns were addressed in the final rule. The proposal failed to mandate a set of minimum standards that must be included in policies and procedures to ensure compliance; the final rule establishes and a requirement to test all systems before they are implemented.

The final rule also stipulates that internal controls be developed to govern any system changes. This will help prevent market disruptions that result from software changes that were not sufficiently tested prior to implementation, Aguilar said.

The proposal did not require senior management to certify compliance with Regulation SCI and lacked personal accountability, Aguilar said. “The final rules remedy this flaw by requiring senior managers to review the annual reports that assess compliance,” he said. To ensure that those in positions of authority and responsibility will be included in the process, the final rules define senior management to include not only an entity’s Chief Technology Officer, but also its CEO, CFO, General Counsel, and Chief Compliance Officer. The final rule also requires that the Board of Directors receive copies of the annual SCI reviews.

Commissioner Kara Stein, although she ultimately supported the final rule, expressed reservations. “It is only an initial step toward recognizing the challenges of our computerized marketplace,” she said.

Chief among Stein’s concerns was that the regulation leaves out more than 4,400 broker-dealers, 32 alternative trading venues trading equities, and 43 alternative trading venues trading fixed income and other non-equity securities. It also excludes broker-dealer trading centers and intraday proprietary trading firms that use sophisticated algorithms to interact at high speeds with the market. “Around $14 trillion worth of equity trades are ignored by Regulation SCI,” she said.

Stein, however, said she was encouraged by White’s commitment “to actively consider extending a rule like Regulation SCI to other key participants” including, potentially, broker-dealers and transfer agents.