SEC Open Meeting on Regulation SCI

Key Topics & Takeaways

  • Unanimously Approved: All Commissioners voted to approve Regulation Systems Compliance and Integrity (SCI). The new rules become effective 60 days after publication in the Federal Register. Entities subject to Regulation SCI generally must comply with the requirements nine months after the effective date.
  • Controls and Prompt Action: SEC Chair White stated that Reg SCI requires the market participants most essential to the efficient functioning of the U.S. securities markets to have in place robust technology controls and promptly take corrective action when problems arise.
  • Production Environment: SEC’s Liu stated that Reg SCI would focus on those systems that are in a production environment, including those related to trading, clearing and settlement, market data, market regulation, and market surveillance.
  • Exclusion of Broker-Dealers: Commissioners Aguilar and Stein stressed that more work needs to be done to address market participants not covered by the final rules, such as broker-dealers that operate proprietary trading platforms and algorithms.
  • Achieving SCI’s Goal: Commissioners Gallagher and Piwowar stated that Reg SCI has been tailored to achieve its goal of promoting systems compliance and integrity, without inflicting unnecessary costs and burdens on market participants.

SEC Commissioners and Staff

Opening Statement

Chair White

Mary Jo White, Chair of the Securities and Exchange Commission (SEC), said in her opening statement that today marks an historical shift in the regulation of the central functions of the United States securities markets. White recognized that, over the past two decades, the Commission’s oversight of technology controls in the securities markets has focused closely on the clearing agencies, exchanges, Financial Industry Regulatory Authority (FINRA), and the plan processors that disseminate consolidated market data in the equities and options markets. She further noted that this oversight has been voluntary and that over time, the number and significance of technology-related incidents have grown as automation increased, demonstrating the need for stronger rules. White stressed that today’s market system needs robust rules, strong internal controls, and vigorous enforcement.

White stated that Regulation SCI (Reg SCI) requires the market participants most essential to the efficient functioning of the U.S. securities markets to have in place robust technology controls and promptly take corrective action when problems arise. Accordingly, White highlighted four principal ways that she believes the recommendation accomplishes this goal:

  1. The rules have significant and substantial sweep. White provided that the recommendation focuses on self-regulatory organizations (SROs), including the national securities exchanges and registered clearing agencies, FINRA, Municipal Securities Rulemaking Board (MSRB), as well as processors of consolidated market data, and significant alternative trading systems (ATS).
  2. The rules require comprehensive programs for technology controls in five key areas. White stated that the covered entities (SCI Entities) must implement policies and procedures to ensure that their market systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets. Chair White further noted that there must be policies and procedures designed to ensure that their systems operate in compliance with the Exchange Act and their own rules. She further noted that the rules also now specify a series of minimum standards for these compliance policies and procedures – an important enhancement from the voluntary program.
  3. The rules demand action if a systems incident occurs. White provided that SCI Entities must take prompt corrective action and notify the Commission, as well as their members and participants, when an incident occurs.
  4. The rules require enhanced responsibility and accountability. White stated that SCI entities must report their systems changes quarterly to the Commission and undertake an annual review of compliance with Reg SCI performed by objective personnel.

White further noted that Reg SCI should not be seen as the end of the Commission’s work to strengthen the infrastructure of the securities markets and noted previous SEC efforts to strengthen the securities markets including market-wide circuit breakers, limit up-limit down mechanisms, market access controls at broker-dealers, and exchange kill switches.

Lastly, White stated that another important issue for review is whether Reg SCI should be adapted and expanded to cover other types of market participants whose operations can have a significant market impact if they are disrupted. Accordingly, she explained that she has directed the SEC staff to prepare recommendations for the Commission’s consideration as to whether an SCI-like framework should be developed for other key market participants, such as broker-dealers and transfer agents.

Staff Presentation

David Shillman

David Shillman, Associate Director, Division of Trading and Markets, recommended that the Commission adopt Regulation SCI. Shillman provided that Regulation SCI would codify, enhance, and supersede the SEC’s Automation Review Policy (ARP) and certain aspects of Regulation ATS. He noted that Regulation SCI would create a framework that, among other things, provides for dissemination of event notices, annual compliance reviews, and business continuity planning.

David Liu

David Liu, Division of Trading and Markets, stated that Reg SCI would focus on those systems that are in a production environment, including those related to trading, clearing and settlement, market data, market regulation, and market surveillance. Liu stated that certain systems would be identified as “Critical SCI Systems,” because of the high risk they pose to the markets in the event of a systems issue, and would be held to heightened requirements. He further noted that certain systems would be identified as “Indirect SCI Systems,” or systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.

Liu further noted that Regulation SCI would require each SCI entity to have written policies and procedures reasonably designed to ensure that its systems operate in a manner that complies with the Exchange Act, the Commission’s rules and regulations and the entity’s rules and governing documents. Liu also noted the rule would provide individuals with a safe harbor from liability.

Liu explained that Reg SCI would provide a notification framework scaled based on the type of event. He added that SCI Events would require immediate notification to the Commission, followed up in writing within 24 hours, and that the Commission must be provided with regular updates. Liu stated that certain events deemed to be “De minimis SCI Events” would not be subject to the immediate reporting requirements. Rather, he said, the rules would require an SCI entity to make, keep, and preserve records relating to all de minimis SCI events and provide a summary description of these systems intrusions in quarterly reports to the Commission.

With respect to Major SCI Events, Liu noted that these events would require SCI entities to disseminate information to their members or participants. Lastly, Liu indicated that Reg SCI would require a quarterly report to the Commission describing completed, ongoing, and planned material changes to their systems. The original proposal, he noted, had required 30-day advance notice.

Mark Flannery

Mark Flannery, Chief Economist, Division of Economic and Risk Analysis (DERA), stated that DERA had considered the potential economic effects of the rule, as well as the associated costs and benefits. Flannery said that DERA believes Reg SCI will promote capacity and integrity, result in fewer market disruptions, and encourage market participants to have more robust systems. When reviewing if additional ATSs should be included under the rule, DERA believed that while expanding the rule would minimize possible disruptions, such an expansion could also result in barriers to entry. Lastly, Flannery stated that DERA expects the current rule to include participants that have a significant role in the market.

Commissioner Statements

Commissioner Aguilar

Commissioner Aguilar, in his statement, said that the rules “represent a clear improvement” over the original proposal. He noted that modern technology has revolutionized the market’s infrastructure in beneficial ways, but that the “blinding speeds” of trade execution leave people unable to intervene quickly enough “when something goes awry.”

Aguilar stated that a “single rogue algorithm” can destroy billions of dollars of market value “in the blink of an eye” and noted that there have been 27 “serious technical malfunctions” around the world over the past three years. He highlighted that securities information providers (SIPs) are also at risk and stressed his concern with cybercriminals targeting the capital markets infrastructure.

Aguilar then pointed out three areas where the final rule addresses shortcomings in the proposed version.

First, he said the proposal failed to mandate a set of minimum standards that SCI entities must include in their policies and procedures, but that the final rule addresses this and requires that all SCI systems be tested before implementation.

Second, he highlighted that the proposal did not require senior management certification of policies and procedures. The final rule, he explained, requires senior managers to review annual reports that assess SCI entities’ compliance with the regulation, noting that “senior management” has been defined to include the Chief Technology Officer, Chief Executive Officer, Chief Financial Officer, General Counsel, and Chief Compliance Officer. He also said that annual reports will be filed with the Commission, “not just furnished,” which would lead to more interest from management and that the rules require that the Board of Directors receive copies of the annual SCI reviews.

Third, he said that the proposal’s exemption from liability for entities “seriously compromised the rule” but that the final rule addresses this by only allowing a “safe harbor” for individual employees who have “discharged their duties in a responsible manner.”

In closing, Aguilar said that more work needs to be done to address market participants not covered by the final rules, such as broker-dealers that operate proprietary trading platforms. He noted that these broker-dealers handle nearly 18 percent of all trade volume and nearly all retail orders. He also highlighted that Reg SCI does not apply to broker-dealers and other entities that run proprietary trading algorithms, which he said “presents very serious risks” as evidenced in the “flash crash” of 2010. However, he said he is optimistic that Chair White’s request to staff for recommendations on expanding the scope of Reg SCI would address these issues.

Commissioner Gallagher

Commissioner Daniel Gallagher stated that Reg SCI has taken “a long, winding, and bumpy road” to get to final form. He explained that the rules were initially supposed to simply codify the voluntary ARP program, and that it was unfortunate that the Reg SCI proposal “morphed into something so unwieldy and burdensome.” The final rule, he said, “while certainly more prescriptive than I would have preferred, makes mandatory the most important aspects of the ARP program while minimizing the accompanying burdens to the extent possible.”

He stated that it is vital for the Commission to recognize that SCI Entities “have more skin in the game than we do” and thus the SEC needs to design a system of oversight “that harnesses the natural incentives of the market participants it covers.”

He expressed support for the safe harbor provision for individuals, saying “we do not want fear of personal liability in the securities industry to leave us with the B- and C-team technologists and operations professionals.”

Commissioner Stein

Commissioner Kara Stein, in her remarks, also highlighted that advances in market infrastructure have made systems “lightning fast and more competitive” but have exposed the market to new vulnerabilities. She said that recent technology disruptions and failures “erode confidence and trust” in the markets and that “stable and reliable” markets are needed to give investors the confidence to invest.

Stein called the final rule “an important first step” but “only an initial step” toward recognizing the challenges of the computerized marketplace. She highlighted that Reg SCI applies to approximately 44 entities but that it excludes: 1) over 4,400 broker-dealers; 2) 32 ATSs trading equities; 3) 43 ATSs trading fixed income and other non-equity securities; 4) broker-dealer trading centers and other ATSs involved in swap transactions; and 5) intraday proprietary trading firms. She stated, “around $14 trillion worth of equity trades are ignored” by Reg SCI.

Stein concluded that “all firms with direct access to the markets and execution venues should be required to have procedures for testing their systems” to ensure they do not cause market failures and that “material changes to critical market systems should be independently tested and verified.”

Commissioner Piwowar

Commissioner Michael Piwowar, in his remarks, said it is “undeniable” that automated trading has transformed how the securities markets function and introduced risks that “could have severe consequences” for investors and the market.

Piwowar said that Reg SCI has been tailored based on comments received to “achieve its goal of promoting systems compliance and integrity, without inflicting unnecessary costs and burdens on market participants.” He also noted that the rules will “remain relevant as technology advances” because the staff guidance on current industry standards will be periodically updated.

He concluded by expressing concerns about cybersecurity, saying that “it is imperative that all market participants and registrants are vigilant about identifying and protecting against cybersecurity threats” regardless of whether the entity falls under Reg SCI.

The Commission voted unanimously to approve Reg SCI.
