Regulations for Systems Compliance and Integrity (Reg SCI)
Regulations for Systems Compliance and Integrity, dubbed “Reg SCI” in the financial community, are designed to strengthen the technology infrastructure of the US securities markets. They require entities to have comprehensive policies and procedures in place for market-impacting technologies.
They also offer guidance on taking corrective action when system issues or planned changes occur, providing notifications and status reports to the SEC, informing members and participants about system issues and changes, conducting business continuity testing, and conducting annual reviews of their systems.
Firms subject to these rules must comply with the requirements by November 2015. Alternative Trading Systems (“ATSs”) meeting the volume thresholds in the rules for the first time are allowed an additional six months from the time the ATS first meets the thresholds. Entities must also comply with the sector-wide testing requirement, which will be required by November 2016.
These rules will primarily apply to self-regulatory organizations (SROs), SCI alternative trading systems (SCI ATS), plan processors, and exempt clearing agencies subject to the Automation Review Policy. The SEC also included systems covered by third parties, and left the door open to later include non-ATS broker-dealers, security-based swap dealers, investment advisors, investment companies, and transfer agents.
Although the rule currently applies to 44 larger entities, there is every indication from industry experts and from the SEC leadership themselves that they plan to continue to drive this down to firms with direct market access and higher trading volumes that, if left uncontrolled, could potentially disrupt market activities.
To ensure your firm is prepared, it should perform a comprehensive technology controls assessment, identifying where improvements may be needed, especially surrounding systems disruptions, intrusions and compliance issues; establish a technology controls roadmap to continue driving toward ‘best in class’ application controls management; and regularly review its Software Development Lifecycle (“SDLC”) management processes around the following areas: Application Governance; Roles and Responsibilities: Business, IT, Operations, Risk, Compliance, Legal & Internal Audit, etc.; Risk and Issue Management processes; Regulatory Compliance: Rule 15c3-5 (Market Access) certification, 3120 Review/Testing and Regulatory Reporting; Software Design and Development procedures and code versioning controls; and Quality Assurance: all phases of testing, defect/enhancement management and change control processes.