SEC Final Rule: Regulation Systems Compliance and Integrity
|FINAL RULE: Approved November 19, 2014. Entered Federal Register December 5, 2014. Effective Date February 5, 2015|
| Proposal Date | Comment Deadline | Final Rule Issue | Effective Date |
|---|---|---|---|
| March 25, 2013 | July 8, 2013 | November 19, 2014 | February 3, 2015 |
On November 19, 2014, the SEC approved a final rule on Regulation SCI, improving system compliance and integrity. Under the final rules, self-regulatory organizations, certain alternative trading systems (ATSs), plan processors, and certain exempt clearing agencies will be required to have comprehensive policies and procedures in place for their technological systems. The rules also provide a framework for these entities to, among other things, take appropriate corrective action when systems issues occur; provide notifications and reports to the SEC regarding systems problems and systems changes; inform members and participants about systems issues; conduct business continuity testing; and conduct annual reviews of their automated systems.
The rule's effective date is February 3, 2015. Compliance is required by November 2015, except:
- ATSs newly meeting the thresholds in the definition of “SCI ATS”; and
- The industry- or sector-wide coordinated testing requirement.
The compliance periods for these two exceptions are described in the Federal Register document embedded below, on page 72367.
After the May 6, 2010 "flash crash," the Joint CFTC-SEC Advisory Committee on Emerging Regulatory Issues was formed in order to address market structure and regulatory issues that may contribute to volatility. On February 18, 2011, the committee issued its recommendations regarding a regulatory response to the flash crash. In response to the recommendations, the SEC has finalized regulations on risk management controls on participants with direct market access and on a consolidated audit trail system.
In October 2012, the SEC held a roundtable on automated trading systems and how a regulatory structure could be implemented. (View Roundtable Summary).
In March 2013, the commission published the proposed Regulation SCI and invited public comment. The final rule keeps the majority of the language from the proposal intact, with several changes to address issues raised by commenters from the proposal and 2012 roundtable. Material changes are noted below.
Final Rule: Summary of Changes from the Proposed Rule
- Certain key definitions were revised, such as the definition of SCI systems and the definition of SCI ATS (to exclude ATSs that trade only municipal securities or corporate debt securities), as was the reporting framework for SCI events;
- A proposed 30-day advanced reporting requirement for material systems changes was replaced with a quarterly reporting requirement;
- The proposal was modified to differentiate certain obligations and requirements, including:
  - Tailoring certain obligations based on the criticality of a system,
  - Defining a new term, “critical SCI system,” for which heightened requirements will apply,
  - Defining a new term, “major SCI event,” for purposes of the dissemination requirements, and
  - Establishing differing reporting obligations for SCI events that have had little or no impact on the SCI entity’s operations or on market participants;
- The rule modified policies and procedures requirements relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance;
- The scope of SCI entity members and participants was refined to require mandatory business continuity/disaster recovery plan testing; and
- A proposed requirement that SCI entities provide Commission representatives reasonable access to their systems was eliminated. The Commission can adequately assess an SCI entity’s compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.
Staff Guidance on Current SCI Industry Standards
In conjunction with the final Regulation SCI rule, the SEC staff issued guidance on current industry standards, to be used by firms as they develop policies and procedures to comply with the regulation. The guidance includes a list of publications that the staff believes accurately describe processes, guidelines, standards and frameworks covering these nine inspection areas or "domains":
- application controls;
- capacity planning;
- computer operations and production environment controls;
- contingency planning;
- information security and networking;
- physical security; and
- systems development methodology.
The guidance is embedded below, and the list of publications appears in a table on pages 6-8.
Related Document: Federal Register Entry
- SEC Adopts Rules to Improve Systems Compliance and Integrity. SEC. Retrieved on November 21, 2014.