LawFlash

SEC Seeks Comment on Proposed Rule for New Regulation Systems Compliance and Integrity

March 26, 2013

On March 8, 2013, the SEC released proposed Regulation Systems Compliance and Integrity (the “Proposed Rule” or “Reg SCI”). The Proposed Rule reflects sweeping changes in the securities market resulting from increased automation and the proliferation of trading venues. The “vast majority” of stocks are now traded electronically in a multiplicity of venues, and no single exchange accounts for more than 20 percent of equities transaction volume. These changes have made the market more vulnerable to systems disruptions such as those that occurred in the May 2010 “Flash Crash,” the difficulties encountered by Nasdaq in the Facebook IPO and by BATS in its own IPO, and the shutdown of the markets during the recent Superstorm Sandy. 

The Proposed Rule announces the SEC’s view that in this increasingly automated era, the rules promoting systems compliance and integrity should be mandatory rather than voluntary. The Proposed Rule would affect a broad spectrum of market participants such as self-regulatory organizations (“SROs”), alternative trading systems (“ATSs”), the Municipal Securities Rulemaking Board, and “plan processors” that provide market data to investors. Reg SCI would include not only trading systems, but also certain related systems, such as those that provide security for trading systems. The Proposed Rule would require affected parties to establish policies and procedures governing the function and integrity of their systems and to file notices and reports about the occurrence of certain adverse system events or material changes to such systems, and would require SRO members to participate in routine and industry-wide testing of their systems.

The 370-page proposing release includes more than 200 requests for comments, including on the scope of its application to market participants and trading venues and on estimated compliance burdens. The release asks whether the rule should be extended beyond SROs and ATSs to certain broker-dealers or other entities, including market makers, clearing firms, broker-dealers providing market access, and swap facilities, among others. For those likely to be affected by the rule, now is the time to weigh in; comments must be submitted by May 24, 2013. Below we describe the major elements of the Proposed Rule.

Background

The Proposed Rule would replace the SEC’s existing Automation Review Policy (“ARP”), a voluntary program conducted by the SEC’s Division of Trading and Markets, and related Rule 301(b)(6) of Regulation ATS. The ARP, applicable to SROs, focuses on systems that process and disseminate quotation and transaction data on behalf of the National Market Systems (“NMS”) plans. 

Entities Subject to the Proposed Rule

The Proposed Rule will apply to “SCI entities,” which include not only SROs, but also ATSs that meet specified volume thresholds, “plan processors,” and “exempt clearing agencies subject to ARP.”

The term “SCI entity” includes “SCI self-regulatory organizations, SCI alternative trading system, plan processors, and exempt clearing agencies.”

  • An “SCI self-regulatory organization” includes all national securities exchanges (and their facilities), FINRA, registered clearing agencies, and the MSRB.
  • An “SCI alternative trading system” includes any ATS, as defined under Rule 300(a) of Reg ATS, that, during at least four of the preceding six calendar months, had:
    • (1) With respect to NMS stocks, either (i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar trading volume; or (ii) one percent or more, in all NMS stocks, of the average daily dollar trading volume;
    • (2) For non-NMS stocks for which transactions are reported to an SRO, at least five percent of average daily dollar trading volume as calculated by the SRO to which transactions are reported; or
    • (3) For municipal securities or corporate debt securities, at least 5 percent of either average daily dollar trading volume in the United States, or average daily transaction volume in the United States. [1]
  • A “plan processor” is “any self-regulatory organization or securities information processor [2] acting as an exclusive processor [3] in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.” This category presently would affect only two entities: NYSE Euronext’s subsidiary the Securities Industry Automation Corporation (SIAC), and Nasdaq.

Requirements and Obligations of SCI Entities

The Proposed Rule would require that each SCI entity:

  • Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that:
    • SCI systems and SCI security systems (defined below) have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and to promote the maintenance of fair and orderly markets;
    • SCI systems operate in the manner intended;
  • Respond to SCI events (defined below) with appropriate corrective action, report them to the SEC and provide follow-up reports, as applicable;
  • Disseminate information regarding certain SCI events to SCI entity members or participants;
  • Report material systems changes to the SEC;
  • Conduct an annual review of SCI systems;
  • Submit annual reports to the SEC;
  • Mandate participation by designated members or participants in scheduled testing of the operation of the SCI entity’s business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other SCI entities; 
  • Make, keep, and preserve records relating to the matters covered by Reg SCI, and provide them to Commission representatives upon request; and
  • Submit all required written notifications and reports to the Commission electronically using new proposed Form SCI.

Systems Subject to the Proposed Rule

The Proposed Rule is intended to cover “all of the systems that would be reasonably likely to impact an SCI entity’s operational capability and the maintenance of fair and orderly markets.” Accordingly, the Proposed Rule covers not only “SCI systems” operated by or on behalf of an SCI entity, but also any “SCI security systems” that share network resources with an SCI system and that, if breached, would pose a security threat to SCI systems. 

Relevant/Reportable Events Under the Proposed Rule

The systems events for which an SCI entity must take corrective action, and/or report to the SEC, are defined as an “SCI event” and include any “event at an SCI entity that constitutes: (1) a systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.” The SCI entity must notify its members or participants upon the occurrence of a “dissemination SCI event” (defined below) and must notify the SEC in advance of any “material systems changes.”

  • “Systems disruption” is “an event in an SCI entity’s SCI systems that results in: (1) a failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a disruption in queuing data between system components or queuing messages to or from customers of such duration that normal service delivery is affected.”
  • “Systems compliance issue” is “an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.”
  • “Systems intrusion” is “any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.”
  • “Dissemination SCI event” is “an SCI event that is a: (1) systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.”
  • “Material systems change” is “a change to one or more: (1) SCI systems of an SCI entity that: (i) materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.” 

Possible Expansion of Proposed Rule to Other Market Participants

  • The Proposed Rule does not apply to other types of market participants, such as market makers or other types of broker-dealers.
  • However, the Proposed Rule cautions that systems disruptions, systems compliance issues, and systems intrusions at broker-dealers, including OTC market makers and clearing broker-dealers, could pose a significant risk to the market. If the SEC decides to propose applying the requirements of the Proposed Rule to additional entities, it will issue a separate release discussing such a proposal.
  • The Proposed Rule lists additional categories of market participants that may, at some future time, be made subject to Reg SCI, and requests comments regarding which of the Proposed Rule’s requirements and what market-activity thresholds could be applied to such additional participants, including:
    • OTC market makers;
    • Exchange market makers;
    • Order entry firms that handle and route order flow for execution;
    • Clearing broker-dealers;
    • Large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities;
    • Broker-dealers providing market access;
    • Regulation NMS “market centers”;
    • Transfer agents; and/or
    • Other unspecified entities.
  • Separate from the Proposed Rule, the SEC has proposed Exchange Act Rules 13n-6 and 822, which would establish requirements for the automated systems of security-based swap data repositories (“SDSDRs”) and security-based swap execution facilities (“SBSEFs”). The standards proposed in Rules 13n-6 and 822 are comparable to the ARP standards, but are not as comprehensive as the obligations that would be imposed by the Proposed Rule if it were to apply to SDSDRs and SBSEFs.

Conclusion

Proposed Reg SCI shows that the SEC is committed to imposing enhanced mandatory compliance and reporting obligations on market participants with respect to IT systems that connect to the national markets. Reg SCI follows other measures, such as the recent implementation of Exchange Act Rule 15c3-5 regarding direct market access systems, designed to achieve the same goal. The Release explains the likely scope and shape of the Proposed Rule, although the large number of specific questions and requests indicates that the SEC will consider changes in light of public comment, and there may be considerable revisions to any final rule. Given that the SEC has suggested that the Proposed Rule may be extended to additional market participants, all broker-dealers and service firms should review the Proposed Rule in order to assess the potential for impact on their operations, and evaluate whether to submit comments to the SEC.

*This alert was co-authored by Bingham alumnus Frances Cohen, as well as W. Hardy Callcott and Timothy Foley.

[1] These thresholds differ from the current threshold in Rule 301(b)(6) of Reg ATS, which has a volume threshold of 20 percent of average daily trading volume for any NMS stock.

[2] “Securities information processor” means “any person engaged in the business of (i) collecting, processing, or preparing for distribution or publication, or assisting, participating in, or coordinating the distribution or publication of, information with respect to transactions in or quotations for any security (other than an exempted security) or (ii) distributing or publishing (whether by means of a ticker tape, a communications network, a terminal display device, or otherwise) on a current and continuing basis, information with respect to such transactions or quotations.” 15 U.S.C. 78c(22)(A).

[3] “Exclusive processor” means “any securities information processor or self-regulatory organization which, directly or indirectly, engages on an exclusive basis on behalf of any national securities exchange or registered securities association, or any national securities exchange or registered securities association which engages on an exclusive basis on its own behalf, in collecting, processing, or preparing for distribution or publication any information with respect to (i) transactions or quotations on or effected or made by means of any facility of such exchange or (ii) quotations distributed or published by means of any electronic system operated or controlled by such association.” 15 U.S.C. 78c(22)(B).

This article was originally published by Bingham McCutchen LLP.