Reg SCI Compliance is a Good Idea for Everyone, Not Just Exchanges

By Oyster Consulting LLC

Individual typing on a laptop.

What’s Happening:

Remember Regulation SCI? Unless you are an exchange or a systemically important market participant, the answer is “probably not.”

You’ve undoubtedly heard of the “Flash Crash” of 2010, or maybe the Nasdaq system problem that messed up the Facebook IPO, or the “glitch” on July 8, 2015 that halted trading on the NYSE. And you might recall that in response to these kinds of problems, the SEC enacted Regulation SCI, which required exchanges and systemically important market participants to improve their technology preparedness. But since you weren’t an exchange or a systemically important market participant, you probably went about your regular business without giving any of this much more thought.

If that’s the case, now might be a good time to start paying attention again, because now that Phase I of Regulation SCI has been implemented, there’s reason to believe that the SEC is considering expanding its reach beyond the initial participants.

What is Regulation SCI?

In late 2014 the Securities and Exchange Commission (SEC) voted to adopt rules designed to strengthen the technology infrastructure of the US securities markets, requiring entities to have comprehensive policies and procedures in place for market impacting technologies. Dubbed “Reg SCI” in the financial community, these rules also offer guidance to take corrective actions when system issues or planned changes occur, provide notifications and status reports to the SEC, inform members and participants about system issues and changes, conduct business continuity testing and conduct annual reviews of their systems.

Firms subject to these rules had to comply with the requirements by November 2015.  ATSs newly meeting the volume thresholds in the rules for the first time are allowed an additional six months from the time the ATS first meets the thresholds. Entities must also comply with the sector-wide testing requirement, which will be required by November 2016.

While these rules primarily apply to self-regulatory organizations (SROs), SCI alternative trading systems (SCI ATS) and plan processors and exempt clearing agencies subject to the Automation Review Policy. The SEC also included systems covered by third parties, and left the door open to later include non-ATS broker-dealers, security-based swap dealers, investment advisors, investment companies, and transfer agents.

How Might It Affect My Firm?

There is indication from industry experts and from the SEC leadership themselves that they plan to continue to drive this down to firms with direct market access and higher trading volumes that if left uncontrolled, could potentially disrupt market activities. Applying the principals of Reg SCI is a good idea as a risk management test for your organization. You should consider as part of your ongoing testing:

  • Performing a comprehensive technology controls assessment, identifying where improvements may be needed, especially surrounding systems disruptions, intrusions and compliance issues;
  • Establishing a technology controls roadmap in order to continue driving toward a ‘best in class’ application controls management;
  • Reviewing your policies and procedures around how you document and respond to technology issues, including failing over to an established back-up system or manual process, ensuring that your firm meets its ongoing compliance obligations, and communicating to customers, counterparties and regulators.

Your firm should also regularly review your Software Development Lifecycle (“SDLC”) management processes around:

  • Application Governance
  • Roles and Responsibilities – Business, IT, Operations, Risk, Compliance, Legal & Internal Audit, etc.
  • Risk and Issue Management processes
  • Regulatory Compliance – Rule 15c3-5 (Market Access) certification, 3120 Review/Testing and Regulatory Reporting
  • Software Design and Development procedures and code versioning controls
  • Quality Assurance: all phases of testing, defect and enhancement management and change control processes
  • Release Management & Post-release Monitoring
  • Incident Management and Technical and User Support
  • Change Management and Implementation processes
  • Information & Data Security, Cyber Security and Data Management
  • Business Continuity and Disaster Recovery policies, procedures and testing
  • Performance and Capacity Management
  • Application Access Management, Monitoring and Controls
  • Record keeping procedures

How Can Oyster Help?

Oyster Consulting’s experts have years of industry-specific technology experience, enabling them to perform a comprehensive technology controls review to help your firm stay ahead of the regulatory curve. Oyster will analyze your firm’s existing policies and procedures and supervisory responsibilities, and provide a report assessing strengths and weaknesses in the systems’ environment, process and potential resource risks. The analysis will include specific recommendations, and provide a tactical plan to implement them.