Regulation Systems Compliance and Integrity (Regulation SCI)

Posted by on January 09, 2018

Regulation Systems Compliance and Integrity (Regulation SCI)- The SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) on November 3, 2015 to improve regulatory standards and processes related to technology in the securities business including by financial services firms.

Regulation SCI requires covered entities to establish written policies and procedures, with specific controls and systems that support trading, clearance and settlement, order routing, market data, market regulation and market surveillance. The written procedures must address levels of capacity, integrity, resiliency, availability and security. Such written policies must be designed to ensure that technological systems can maintain operations with minimal disruptions to the trading markets.

Regulation SCI also requires covered entities to comply with quarterly regulatory notification and reporting requirements and mandatory testing. Testing must include designated third parties and test business continuity and disaster recovery plans, including backup systems. SCI-covered entities must report any disruptions in their systems, compliance issues or system intrusions. The systems and technology of an SCI-covered entity must be reviewed annually by third-party qualified sources.

The specific systems obligations of SCI entities are laid out in Rules 1001-1004 of Regulation SCI. Rule 1001 contains the policy and procedure requirements with respect to operational capacity and maintenance of fair and orderly markets. Rule 1002 contains the obligations with respect to SCI events, including corrective action, SEC notification and information dissemination. Rule 1003 contains requirements related to material system changes, and SCI reviews. Finally, Rule 1004 contains requirements related to business continuity and disaster recovery plan testing.

Rule 1001 generally requires SCI entities to maintain reasonably designed policies and procedures to ensure the adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Guidance and discussion on the Rule indicate that the SEC has a risk-based approach requiring more robust policies and procedures for higher-risk systems. An SCI entity’s policies and procedures should ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities.

SCI policies and procedures must provide, at a minimum, (i) the establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology; (iv) regular reviews and testing, as applicable including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made disasters.; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and are reasonably designed to achieve next-business-day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; (vi) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data (in this regard, a sample of reasonable standards are provided in Table A); and (vii) standards for monitoring SCI systems and making prompt changes as necessary.

In the next LawCast in this series I will continue with the requirements of the Regulation SCI rules.