Regulation SCI, SCI Entities and Rules 1000 Through 1007
Posted by Laura Anthony, Esq. on January 02, 2018
Regulation SCI, SCI Entities and Rules 1000 Through 1007: SEC’s recent statements and initiatives on cybersecurity.
The SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) on November 3, 2015 to improve regulatory standards and processes related to technology in the securities business, including by financial services firms.
Regulation SCI consists of 7 rules (Rules 1000 through 1007) as follows: (i) Rule 1000 contains definitions, including defining an SCI entity; (ii) Rule 1001 contains the policies and procedures requirements for SCI entities for operational capability, the maintenance of fair and orderly markets and systems compliance; (iii) Rule 1002 contains the obligations of SCI entities when there is an SCI defined event, including corrective measures, SEC notification and public notification; (iv) Rule 1003 contains requirements related to material changes and SCI reviews; (v) Rule 1004 contains requirements related to business continuity and disaster testing; (vi) Rule 1005 contains recordkeeping requirements; (vii) Rule 1006 contains requirements related to electronic filings and submissions; and (viii) Rule 1007 contains requirements for service bureaus.
Regulation SCI broadly defines an SCI Entity as “an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP” and then contains drilled-down definitions within the broad categories. Regulation SCI is meant to encompass and include any entity that is significant in the operation and maintenance of fair and orderly markets.
SCI self-regulatory organizations include registered national securities associations (FINRA being the only one), all national securities exchanges, registered clearing agencies (DTC) and the Municipal Securities Rulemaking Board (MSRB).
An SCI Alternative Trading System is defined by volume, broken down by NMS (National Market Systems) and non-NMS stocks, and generally includes an Alternative Trading System with 1% or more of the NMS stocks volume or 5% or more of non-NMS stocks volume. Alternative Trading Systems that trade only municipal securities or corporate debt securities are excluded from the requirements. The OTC Markets is an SCI Entity and has confirmed that it is in compliance with Regulation SCI.
Interestingly, broker-dealers are not included as SCI Entities. The SEC reasoned that all broker-dealers are subject to Rule 15c3-5 and other FINRA rules which impose requirements related to the capacity, integrity and security of the broker-dealers’ systems and technology. However, the SEC did note that some broker-dealers are large enough that they could pose a real market risk if their systems were to break down or be infiltrated. The SEC may amend the rules in the future to include these firms.
An SCI “plan processor” includes “any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.” There are currently four plan processors, including the CTA Plan, CQS Plan, NASDAQ UTP Plan and OPRA Plan.
An “exempt clearing agency subject to ARP” includes “an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.” There is currently only one entity that meets this definition.
In addition, Regulation SCI breaks systems down into three categories, including “SCI systems,” “critical SCI systems” and “indirect SCI systems,” meant to encompass systems and processes that are subject to heightened requirements, processes and procedures. “SCI Systems” include trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. In particular, an “SCI System” is defined as “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”