REGULATION SCI: regulators take aim at exchanges’ electronic systems
As issues with electronic systems continue to impact exchange operations, the US Securities and Exchange Commission (SEC) has proposed a new regulation designed to improve the stability, performance and security integrity of a variety of computerized systems in the listed securities markets. In this article, Jim Myers introduces Regulation Systems Compliance and Integrity (Reg SCI), discusses industry reaction and proposes steps exchanges can take now to prepare for this new legislation.
Over the past six months, several major exchanges have fallen victim to systems-related issues, losing valuable time and money—and damaging their reputations in the process. On April 12, the Chicago Board Options Exchange (CBOE) delayed its opening for more than three hours due to a problem with a system update designed to accommodate extended trading hours. In August, the NASDAQ stock exchange halted trading for approximately three hours due to systems issues concerning data feeds between NASDAQ and other exchanges. These events and others like them were the impetus for a meeting on September 12 between the SEC and the exchanges. At this meeting, the exchanges were given 60 days to propose new ways to avoid these types of outages. Key takeaways from this meeting included the SEC’s desire for the exchanges to implement “kill switches,” assess their infrastructure for vulnerabilities, review interexchange communication and participate in discussions regarding industry-wide stress testing.
The SEC has had its sights set on the exchanges’ systems since well before the most recent high-profile outages. In March 2013, the SEC introduced a new regulation called Regulation Systems Compliance and Integrity (Reg SCI). The stated aim of Reg SCI is to address concerns regarding the stability, performance and security integrity of a variety of computerized systems in the listed securities markets. The impetus behind the draft regulation included the May 2010 “Flash Crash,” the 2011 violations of federal securities law at Direct Edge’s EDGX, the hacking attack at NASDAQ in 2011 and the 2012 “systems issues” during both the BATS Global Markets and Facebook IPOs.
The History of Reg SCI
Reg SCI is not the SEC’s first attempt to create more transparency into the exchanges’ electronic systems. The Automation Review Policy (commonly referred to as the ARP or ARP plan) is composed of three different SEC findings that regulate the following: application controls, capacity planning, computer operations, production environment controls, contingency planning, information security, networking, auditing, outsourcing, physical security and systems development methodology.
These guidelines were installed as a reactionary measure in response to market events and trends that have developed over the course of the past 25 years. The initial iteration was enacted after the Black Monday Crash of 1987. This first ARP plan was published in 1989 and called for “comprehensive planning and assessment programs to test systems and vulnerability.” Further, the plan recommended annual reviews by a neutral party to assess the validity of the exchanges’ policies. The ARP plan was published without going through the formal SEC rulemaking process and has been deemed unenforceable.
The second ARP iteration was published in 1991 and sought to add some increased specificity to the earlier plan, including the stipulation that the Independent Reviewer report should be presented to senior management at the individual self-regulatory organizations (SROs) as well as made available to ARP staff. The ARP staff would then review the submission from the SRO with regard to its ARP compliance, perform on-site inspections and create recommendations. Despite these new measures, there was still no mechanism to compel an SRO to act on the suggested recommendations, and so the acceptance of the new policies varied widely among the exchanges.
The third iteration is known as the Regulation Alternative Trading Systems (Reg ATS), which was adopted in 1998 to address the significant percentage of transactions that were performed in an off-exchange setting, commonly referred to as Dark Pools. The regulation stated that, subject to certain thresholds, ATSs would be subject to the same review guidelines established in ARP and ARP2. To date, no ATS has breached the percentage thresholds as laid out in Reg ATS and, as such, no ATS is subject to the review regime as laid out in the first two ARP iterations, rendering Reg ATS ineffective.
Reg SCI is an expanded and enforceable version of the legacy ARP plan. Reg SCI is currently working its way through the formal SEC regulation process and upon completion will carry the same weight as other enforceable SEC regulations. While largely a “policies and procedures” based regulation, the SCI staff will have the ability to investigate incidents, reconcile internal compliance with stated policies and procedures and levy sanctions as it deems appropriate. In addition, the proposed regulation may mandate industry-wide testing and kill switches as discussed at the September 12 meeting.
The new rules have also expanded in scope relative to the ARP plan to address regulation and surveillance systems, and broadly cover any “systems that share network resources with [SCI] systems that, if breached, would be reasonably likely to pose a security threat to such systems.”[1] SROs must also document on a biannual basis any material systems changes, submit the new reporting form—Form SCI—and provide the SCI staff with “reasonable access” to their systems.
As currently written, “SCI entities” would include all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies (excluding CFTC-regulated entities), and the Municipal Securities Rulemaking Board (MSRB). This new regulation will also affect Swap Data Repositories (SDRs) and Swap Execution Facilities (SEFs) that are subject to SEC regulation. One major amendment to the policy is that the thresholds for the inclusion of ATSs into the Reg SCI regime have been lowered such that a minimum of 15 ATSs will now be covered by the regulation. As it stands, over 40 organizations currently meet the definition of an SCI Entity.
Industry Response to Reg SCI
The proposed Reg SCI was published in the Federal Register on March 25. At the same time, the SEC began gathering feedback, asking the industry more than 200 questions about the proposed regulation. These questions ranged from which entities should qualify as SCI entities, to who should perform the audits, to what should constitute a reportable event. The respondents were largely in agreement that the definitions of SCI systems and SCI security systems need to be further refined prior to the implementation of the regulation, because the scope currently includes every system that the SCI entity operates, regardless of the risk that system poses to the stability and integrity of the market. Without a clear list detailing which systems would be regulated, exchanges would need to gather and report on a greater number of systems—many of which have no impact on the functioning of the exchanges.
Many respondents took issue with the inclusion of specific SCI standards in the text of the regulation. Several of these standards are viewed as outdated and seem to run counter to current industry best practices; therefore, they are problematic for a regulatory entity to address. The SEC will likely either greatly expand the list of acceptable standards or opt for more general language in the text.
Several respondents also argued that the mandate to require significant testing and QA practices would be extremely challenging for some of the smaller players covered under the regulation. Of notable concern are the industry-wide tests, which were cited as being extremely difficult and expensive to coordinate without a central organizing agency.
A broad reading of the definition of a “material systems change” could reasonably apply to virtually any change in any system at an SCI entity. The respondents felt in large part that this section of the regulation would lead to an enormous increase in paperwork, which may not add value—and could actually hamper the Commission’s review of submissions by the exchange.
Duplicative regulation was a recurring theme in several of the respondents’ comment letters to the SEC. The general argument is that many of the SCI entities are already regulated by multiple agencies, and as such, many provisions of Reg SCI duplicate existing mandates from other agencies.
Furthermore, they asserted that due to the breadth of the proposed regulation, a significant amount of effort will be wasted on behalf of both the SEC and SCI entities in monitoring and creating reports which will have little, if any, substantive impact on market stability and integrity.
The SCI Staff Access provision was another part of the proposal generating numerous comments. Many respondents were unclear as to exactly what the SEC meant by granting “access to systems.” Some argued that allowing SCI staff to access exchange systems would increase the security threat to the specific systems that the SEC and exchanges are attempting to purge.
Preparing for Reg SCI
Even though many believe implementation is unlikely to occur before Q1 2015, several steps need to be taken concurrently by entities in preparation for the implementation of Reg SCI—many of which may already be standard in some organizations. Entities must ensure that existing policies and procedures match actual practices within their organization. Firms should also conduct periodic reviews of their procedures and compare them to best practices both within their own industry and across all industries with comparable operational demands. While periodic reviews of risk factors, testing of fail-over systems, security procedures and business practices are already normal practice for many firms, they must now be reevaluated in light of the demands inherent in Reg SCI.
Additionally, specific steps can be taken immediately to help mitigate the most recent issues in the industry. A review of release standards should be part of this evaluation. These standards should include all procedures taken to release changes to systems currently in production, such as development, testing, QA and support. Due to the interconnectedness of all of the exchanges, capacity and stress testing must be performed on an industry-wide basis. If they are to have meaningful impact on the reliability and resilience of the markets, the SEC or preferably an industry group must take the lead on coordinating the testing program.
Reg SCI is just one piece in the larger regulatory puzzle facing industry participants. As with other regulations, it will increase operational costs for those affected. Initial costs as reported in the draft legislation were estimated to be 242 million USD for the initial implementation and 191 million USD annually—although some in the industry believe these numbers to be grossly understated. If exchanges must dedicate more budget dollars to regulatory reporting and system maintenance, it is likely that those costs will be passed on to market participants.
Jim Myers is a Senior Manager of Business Consulting based in Chicago. Since joining Sapient Global Markets, Jim has helped exchanges deal with the challenges associated with increased regulatory pressure. He has also focused on a variety of regulatory change initiatives spanning the US, Europe and APAC. Prior to joining Sapient, Jim spent 17 years managing and trading as a partner in a variety of proprietary trading firms and is an expert in Exchange Traded Derivatives.
Special thanks to Vikas Tyagi, Abhilasha Vyas, Mike Johnson, Varun Sharma, Mukesh Singh and Rahul Pandit for their contributions to this article.