Loyola University School of Law, J.D. 2019
Background of Regulation Systems Compliance and Integrity
The U.S. Securities and Exchange Commission (the “SEC”) adopted Regulation Systems Compliance and Integrity (“Reg SCI”) to strengthen the technology infrastructure of the U.S. securities markets by imposing new regulatory requirements on SCI entities. The term “SCI entity” includes self-regulatory organizations (“SROs”) such as stock and options exchanges, registered clearing agencies, the Financial Industry Regulatory Authority (“FINRA”), and the Municipal Securities Rulemaking Board (“MSRB”); certain alternative trading systems; disseminators of consolidated market data, such as the Consolidated Tape Association; and certain exempt clearing agencies. The regulatory requirements were designed to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and to enhance the SEC’s oversight and enforcement of securities market technology infrastructure.Reg SCI primarily applies to the systems of SCI entities that directly support key securities market functions i.e., trading, clearance and settlement, order routing, market data, market regulation, and market surveillance (“SCI systems”). With certain exceptions, the date by which SCI entities had to comply with the requirements of Reg SCI was November 2015.
What Reg SCI requires of the SROs (and Other SCI Entities)
Reg SCI Rule 1001(b) requires the SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability. The SCI entities must also reasonably ensure that their systems promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act. In addition, SCI entities are required to take corrective action with respect to SCI events. SCI events include systems disruptions, systems compliance issues, and systems intrusions. Reg SCI Rule 1002 requires that SCI entities notify the SEC of such events, and disseminate information about certain SCI events to affected members or participants (and, for certain major SCI events, to all members or participants of the SCI entity). Reg SCI Rule 1001 also requires SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the SEC, and maintain certain books and records. Finally, Reg SCI requires that Reg SCI entities conduct mandatory participation of designated parties in scheduled testing of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. Id. The SEC has published interpretive guidance for Reg SCI in the form of a Frequently Asked Questions document.
Practical Impact of Reg SCI on SCI Entities
Most SCI entities had already implemented policies and procedures that guided their systems development, testing and operation prior to the implementation of Reg SCI. However, the detection and reporting requirements of Reg SCI required the SROs and other SCI entities to develop robust mechanisms, policies and procedures to reasonably ensure that their systems operation conformed to their SEC approved rules and that their processes for detecting and curing variances from those operations were sufficient to meet the escalation and reporting requirements imposed under Reg SCI.
Reg SCI Rule 1000 defines three types of Reg SCI events with distinct reporting obligations and escalation requirements: (1) a systems disruption that significantly degrades the normal operation of and SCI entity, (2) a systems compliance issue that causes an SCI system or SCI entity to operate in a manner non-compliance with the Securities Exchange Act of 1934, as amended, and the rules and regulations thereunder or of the SCI entities rules and governing documents, and (3) an unauthorized systems intrusion in any SCI system, whether direct or indirect. Potential SCI Events almost always require some form of escalation within an SCI entity, and SCI Events must be reported to the SEC immediately, within 24-hours of discovery and belief that the matter comprises an SCI Event, unless the event is characterized as de minimis impact. De minimis events are included in quarterly reporting to the SEC. In addition, material changes to SCI systems must also be reported to the SEC.
Finally, Reg SCI Rule 1003 requires each SCI entity to review its compliance with Reg SCI at least annually and provide reporting to its senior management and to the SEC. An SCI review must contain (1) a risk assessment of the SCI entity’s SCI systems, and (2) an expansive assessment of the SCI entity’s internal controls of the design and effectiveness of the entity’s SCI systems, including security controls, development processes, and information technology governance, consistent with industry standards. SCI entities are required to submit their initial reports to the SEC within 60-days following the senior management review of the report.
Compliance staff of the SROs and other SCI entities have a material role in the development, ongoing coordination, and oversight of their Reg SCI programs. This role includes reporting and notice provisions of Reg SCI which require adequate notice of the impact of an SCI Event, excluding de minimis events, to the affected members or participants. As a result, the SROs’ websites and RSS feeds provide notice of such events to members and the interested public. Although difficult in its implementation, Reg SCI has largely achieved its goal of improving the integrity and resilience of the national market system.