You may be exempt from Reg SCI, but you still need SCI!

By Oyster Consulting LLC

What’s Happening?

On November 19, 2014 the Securities and Exchange Commission (SEC) voted to adopt new rules designed to strengthen the technology infrastructure of the US securities markets, requiring entities to have comprehensive policies and procedures in place for market impacting technologies. These Regulations for Systems Compliance and Integrity, dubbed “Reg SCI” in the financial community, also offer guidance to take corrective actions when system issues or planned changes occur, provide notifications and status reports to the SEC, inform members and participants about system issues/changes, conduct business continuity testing and conduct annual reviews of their systems.

Firms subject to these rules must comply with the requirements by August 2015. Alternative Trading Systems (“ATSs”) newly meeting the volume thresholds in the rules for the first time are allowed an additional six months from the time the ATS first meets the thresholds. Entities must also comply with the sector-wide testing requirement, which will be required by August 2016.

Who Must Comply?

These rules will primarily apply to 18 major exchanges, 7 registered clearing firms, and 14 ATSs; however, the SEC also included systems covered by third parties, and it left the door open to later include non-ATS broker-dealers, security-based swap dealers, investment advisors, investment companies, and transfer agents.

What Should Your Firm Do?

Although the rule currently applies to 40+ larger entities, ensuring that your technology systems, and the policies, procedures, supervisory responsibilities and risk controls surrounding it are robust and ready for the new rules is paramount for the protection, continuity and growth of your business. There is every indication from industry experts and from the SEC leadership themselves that they plan to continue to drive this down to firms with direct market access and higher trading volumes, and that if left uncontrolled, could potentially disrupt market activities. In order to ensure your firm is prepared, your firm should:

  • Perform a comprehensive technology controls assessment; identifying where improvements may be needed.
  • Establish a technology controls roadmap in order to continue driving toward a ‘best in class’ application controls management program
  • Review your Software Development Lifecycle (“SDLC”) management processes around:
    • Application Governance
    • Roles and Responsibilities – Business, IT, Operations, Risk, Compliance, Legal & Internal Audit, etc.
    • Risk and Issue Management processes
    • Regulatory Compliance – Rule 15c3-5 (Market Access) certification, 3012 Review/Testing and Regulatory Reporting
    • Software Design and Development procedures and code versioning controls
    • Quality Assurance: all phases of testing, defect/enhancement management and change control processes
    • Release Management & Post-release Monitoring
    • Incident Management and Technical/User Support
    • Change Management and Implementation Processes
    • Information & Data Security, Cyber Security and Data Management
    • Business Continuity and Disaster Recovery Policies, Procedures and Testing
    • Performance and Capacity Management
    • Application Access Management, Monitoring and Controls

How Can Oyster Help?

Oyster Consulting’s experts have years of industry-specific technology experience, enabling them to perform a comprehensive technology controls review to help your firm stay ahead of the regulatory curve. Oyster will analyze your firm’s existing policies and procedures and supervisory responsibilities, and provide a report assessing strengths and weaknesses in the systems’ environment, process and potential resource risks. The analysis will include specific recommendations, and provide a tactical plan to implement them. Oyster does not have a one-size-fits-all approach to application controls and governance of systems. Oyster will establish a baseline assessment from which to measure step-change improvements in technology risk management. Our consultants can quickly assess which areas of your firm’s IT management controls need the most attention, and provide your firm with specific recommendations for enhancements to achieve industry best practices.

Related Content

star nebula representing AI in wealth management part 2

Podcast

AI in Wealth Management Podcast Series Part 2

AI’s Role in Transforming Wealth Management Artificial intelligence is increasingly integral to the wealth management sector’s shift towards data-driven, personalized, and secure services. However, as firms embrace AI technology, they also face escalating regulatory demands and risk management hurdles. In Part 1 of our Oyster Stew podcast series on AI and Wealth Management, we shared […]

Learn More
Alert birds on wire representing SEC T+1 Alert

Blog

SEC Issues T+1 Risk Alert

T+1 Risk Alert Highlights Examination Focus The U.S. financial market’s move to a T+1 settlement cycle has taken tremendous resources from industry participants including buy-side and sell-side participants, custodians, and clearing agencies. Not to be left out, regulatory authorities have finalized rule changes governing settlement activities to enforce the T+1 settlement cycle. The SEC Division […]

Learn More
AI Podcast announcement set with backdrop of stars in space

Podcast

AI in Wealth Management Podcast Series Part 1

Artificial Intelligence (AI) in Wealth Management As the use of artificial intelligence (AI) becomes more and more prevalent, the wealth management industry is shifting towards more data-driven, personalized and secure services.  However, regulatory concerns and risk management challenges remain as firms increasingly adopt AI technology.   In this week’s Oyster Stew podcast, Oyster experts Casey Dougherty, […]

Learn More
Get In Touch Scroll Up