Regulation SCI Rules
Posted by Attorney Laura Anthony on January 16, 2018
The SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) on November 3, 2015 to improve regulatory standards and processes related to technology in the securities business, including by financial services firms. In the last LawCast in this series I was reviewing the specific Regulation SCI rules. I will continue with that review in this LawCast.
Rule 1001 requires that SCI entities establish written policies and procedures designed to ensure that the entity complies with the Securities Exchange Act and the rules and regulations thereunder as well as the entity’s own governing documents. The Rule provides a non-exhaustive list of minimum elements that must be included in such compliance policies and procedures. These elements include: “(i) testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.”
Rule 1002 contains the obligations with respect to SCI events, including corrective action, SEC notification and information dissemination. Under the Rule an SCI-delineated person must take the required action upon reasonably confirming that an SCI event has occurred. As such, the SEC requires an SCI entity to have written policies and procedures that “include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.” Such “responsible SCI personnel” means “for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).”
The Rule contains in-depth and detailed discussion of corrective actions, notification requirements and information dissemination requirements. In essence, the SEC must be immediately notified of all SCI events other than de minimis events, although even de minimis events carry recordkeeping requirements and must be included in SCI reports. Until the SCI event is resolved, the SCI entity must keep the SEC regularly updated as to the progress of the investigation and resolution of the event, and must file a report with the SEC once the event is resolved. Subject to certain exceptions, the SCI entity must disseminate information to its members and participants regarding all SCI events.
Rule 1003 contains requirements related to material system changes and SCI reviews. In particular, Rule 1003 requires an SCI entity to file quarterly reports with the SEC describing completed, ongoing, and planned material systems changes to its SCI systems and to the security of indirect SCI systems. Rule 1003 also requires, at a minimum, an annual review of an SCI entity’s compliance with Regulation SCI.
Rule 1004 contains requirements related to business continuity and disaster recovery plan testing. As with notification requirements, an SCI entity must designate certain personnel to complete business continuity and disaster recovery plan testing. In particular, the SCI entity must designate those members or participants “that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.” Such testing must be completed at least once every 12 months.
The recordkeeping and electronic filing requirements of Regulation SCI are laid out in Rules 1005 through 1007.