[Federal Register Volume 78, Number 57 (Monday, March 25, 2013)]
[Proposed Rules]
[Pages 18084-18186]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-05888]
[[Page 18084]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 242 and 249
[Release No. 34-69077; File No. S7-01-13]
RIN 3235-AL43
Regulation Systems Compliance and Integrity
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule and form; proposed rule amendment.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
proposing Regulation Systems Compliance and Integrity (``Regulation
SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and
conforming amendments to Regulation ATS under the Exchange Act.
Proposed Regulation SCI would apply to certain self-regulatory
organizations (including registered clearing agencies), alternative
trading systems (``ATSs''), plan processors, and exempt clearing
agencies subject to the Commission's Automation Review Policy
(collectively, ``SCI entities''), and would require these SCI entities
to comply with requirements with respect to their automated systems
that support the performance of their regulated activities.
DATES: Comments should be submitted on or before May 24, 2013.
ADDRESSES: Interested persons should submit comments by any of the
following methods:
Electronic Comments
• Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
• Send an email to [email protected]. Please include File
Number S7-01-13 on the subject line; or
• Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.
Paper Comments
• Send paper comments in triplicate to Elizabeth M. Murphy,
Secretary, Securities and Exchange Commission, 100 F Street NE.,
Washington, DC 20549-1090.
All comment letters should refer to File No. S7-01-13. This file number
should be included on the subject line if email is used. To help us
process and review your comments more efficiently, please use only one
method. The Commission will post all comments on the Commission's
Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments
are also available for public inspection and copying in the
Commission's Public Reference Room, 100 F Street NE., Washington, DC
20549 on official business days between the hours of 10 a.m. and 3 p.m.
All comments received will be posted without change; we do not edit
personal information from submissions. You should submit only
information that you wish to make publicly available.
FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Special Counsel, Office
of Market Supervision, at (202) 551-5666, Sara Hawkins, Special
Counsel, Office of Market Supervision, at (202) 551-5523, Jonathan
Balcom, Special Counsel, Office of Market Supervision, at
(202) 551-5737, Yue Ding, Attorney, Office of Market Supervision, at
(202) 551-5842, Dhawal Sharma, Attorney, Office of Market Supervision,
at (202) 551-5779, Elizabeth C. Badawy, Senior Accountant, Office of
Market Supervision, at (202) 551-5612, and Gordon Fuller, Senior
Special Counsel, Office of Market Operations, at (202) 551-5686,
Division of Trading and Markets, Securities and Exchange Commission,
100 F Street NE., Washington, DC 20549-7010.
SUPPLEMENTARY INFORMATION: Proposed Regulation SCI would supersede and
replace the Commission's current Automation Review Policy (``ARP''),
established by the Commission's two policy statements, each titled
``Automated Systems of Self-Regulatory Organizations,'' issued in 1989
and 1991.\1\ Regulation SCI also would supersede and replace aspects of
those policy statements codified in Rule 301(b)(6) under the Exchange
Act,\2\ applicable to significant-volume ATSs.\3\ Proposed Regulation
SCI would require SCI entities to establish written policies and
procedures reasonably designed to ensure that their systems have levels
of capacity, integrity, resiliency, availability, and security adequate
to maintain their operational capability and promote the maintenance of
fair and orderly markets, and that they operate in the manner intended.
It would also require SCI entities to mandate participation by
designated members or participants in scheduled testing of the
operation of their business continuity and disaster recovery plans,
including backup systems, and to coordinate such testing on an
industry- or sector-wide basis with other SCI entities. In addition,
proposed Regulation SCI would require notices and reports to be
provided to the Commission on a new proposed Form SCI regarding, among
other things, SCI events and material systems changes, and would
require SCI entities to take corrective action upon any responsible SCI
personnel becoming aware of SCI events. SCI events would be defined to
include systems disruptions, systems compliance issues, and systems
intrusions. The proposed regulation would further require that
information regarding certain types of SCI events be disseminated to
members or participants of SCI entities. In addition, proposed
Regulation SCI would require SCI entities to conduct a review of their
systems by objective personnel at least annually, and would require SCI
entities to maintain certain books and records. The Commission also is
proposing to modify the volume thresholds in Regulation ATS \4\ for
significant-volume ATSs, apply them to SCI ATSs (as defined below), and
move this standard from Regulation ATS to proposed Regulation SCI.
---------------------------------------------------------------------------
\1\ See Securities Exchange Act Release Nos. 27445 (November 16,
1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP
I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II
Release'' or ``ARP II'' and, together with ARP I, the ``ARP policy
statements'').
\2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22,
1998) (``ATS Release'').
\3\ See infra note 26.
\4\ 17 CFR 242.300-303 (``Regulation ATS'').
---------------------------------------------------------------------------
Table of Contents
I. Background
A. History and Evolution of the Automation Review Policy
Inspection Program
B. Evolution of the Markets Since the Inception of the ARP
Inspection Program
C. Successes and Limitations of the Current ARP Inspection
Program
D. Recent Events
II. Proposed Codification and Enhancement of ARP Inspection Program
III. Proposed Regulation SCI
A. Overview
B. Proposed Rule 1000(a): Definitions Establishing the Scope of
Regulation SCI
1. SCI Entities
2. Definition of SCI Systems and SCI Security Systems
3. SCI Events
a. Systems Disruption
b. Systems Compliance Issue
c. Systems Intrusion
d. Dissemination SCI Events
4. Material Systems Changes
C. Proposed Rule 1000(b): Obligations of SCI Entities
1. Policies and Procedures to Safeguard Capacity, Integrity,
Resiliency, Availability, and Security
a. Proposed Rule 1000(b)(1)(i)
b. Proposed Rule 1000(b)(1)(ii)
2. Systems Compliance
3. SCI Events--Action Required; Notification
a. Corrective Action
[[Page 18085]]
b. Commission Notification
c. Dissemination of Information to Members or Participants
4. Notification of Material Systems Changes
5. Review of Systems
6. Periodic Reports
7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and
Disaster Recovery Plans Testing Requirements for Members or
Participants
D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing
on Form SCI, and Access
1. Recordkeeping Requirements
2. Electronic Submission of Reports, Notifications, and Other
Communications on Form SCI
3. Access to the Systems of an SCI Entity
E. New Proposed Form SCI
1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
2. Notices of Material Changes Pursuant to Proposed Rule
1000(b)(6)
3. Reports Submitted Pursuant to Rule 1000(b)(8)
4. Notifications of Member or Participant Designation Standards
and List of Designees Pursuant to Proposed Rule 1000(b)(9)
5. Other Information and Electronic Signature
F. Request for Comment on Applying Proposed Regulation SCI to
Security-Based Swap Data Repositories and Security-Based Swap
Execution Facilities
G. Solicitation of Comment Regarding Potential Inclusion of
Broker-Dealers, Other than SCI ATSs, and Other Types of Entities
IV. Paperwork Reduction Act
V. Economic Analysis
A. Background
B. Economic Baseline
C. Consideration of Costs and Benefits, and the Effect on
Efficiency, Competition, and Capital Formation
D. Request for Comment on Economic Analysis
VI. Consideration of Impact on the Economy
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Proposed Amendments
I. Background
A. History and Evolution of the Automation Review Policy Inspection
Program
Section 11A(a)(2) of the Exchange Act,\5\ enacted as part of the
Securities Acts Amendments of 1975 (``1975 Amendments''),\6\ directs
the Commission, having due regard for the public interest, the
protection of investors, and the maintenance of fair and orderly
markets, to use its authority under the Exchange Act to facilitate the
establishment of a national market system for securities in accordance
with the Congressional findings and objectives set forth in Section
11A(a)(1) of the Exchange Act.\7\ Among the findings and objectives in
Section 11A(a)(1) is that ``[n]ew data processing and communications
techniques create the opportunity for more efficient and effective
market operations'' \8\ and ``[i]t is in the public interest and
appropriate for the protection of investors and the maintenance of fair
and orderly markets to assure * * * the economically efficient
execution of securities transactions.'' \9\ In addition, Sections 6(b),
15A, and 17A(b)(3) of the Exchange Act impose obligations on national
securities exchanges, national securities associations, and clearing
agencies, respectively, to be ``so organized'' and ``[have] the
capacity to * * * carry out the purposes of [the Exchange Act].'' \10\
---------------------------------------------------------------------------
\5\ 15 U.S.C. 78k-1(a)(2).
\6\ Public Law 94-29, 89 Stat. 97 (1975).
\7\ 15 U.S.C. 78k-1(a)(1).
\8\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k-
1(a)(1)(B).
\9\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 78k-
1(a)(1)(C)(i). Further, the Senate Committee Report accompanying the
1975 Amendments states that a paramount objective of a national
market system is ``the maintenance of stable and orderly markets with
maximum capacity for absorbing trading imbalances without undue price
movements.'' Senate Comm. on Banking, Housing and Urban Affairs,
Report to accompany S. 249, Sen. Rep. 94-75, 94th Cong., 1st Sess. at
7 (1975).
\10\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the
Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3),
respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b,
and Section 19 of the Exchange Act, 15 U.S.C. 78s.
---------------------------------------------------------------------------
For over two decades, Commission staff has worked with SROs to
assess their automated systems under the Commission's ARP inspection
program (``ARP Inspection Program''), a voluntary information
technology review program created in response to the October 1987
market break.\11\ In 1989, the Commission published ARP I, its first
formal policy statement regarding steps that SROs should take in
connection with their automated systems.\12\ In ARP I, the Commission
discussed the development by SROs of automated execution, market
information, and trade comparison systems to accommodate increased
trading activity from the 1960s through the 1980s.\13\ The Commission
acknowledged improvements in efficiency during that time period, but
noted that the October 1987 market break had exposed that automated
systems remained vulnerable to operational problems during extreme high
volume periods. The Commission also expressed concern about the
potential for systems failures to negatively impact public investors,
broker-dealer risk exposure, and market efficiency.\14\ The Commission
further stated in ARP I that market movements should be ``the result of
market participants' changing expectations about the direction of the
market for a particular security, or group of securities, and not the
result of investor confusion or panic resulting from operational
failures or delays in SRO automated trading or market information
systems.'' \15\ The Commission issued ARP I as a result of these
concerns, and stated that SROs should ``establish comprehensive
planning and assessment programs to test systems capacity and
vulnerability.'' \16\ In particular, the Commission recommended that
each SRO should: (1) Establish current and future capacity estimates
for its automated order routing and execution, market information, and
trade comparison systems; (2) periodically conduct capacity stress
tests to determine the behavior of automated systems under a variety of
simulated conditions; and (3) contract with independent reviewers to
assess annually whether these systems could perform adequately at their
estimated current and future capacity levels and have adequate
protection against physical threat.\17\ In addition, ARP I
[[Page 18086]]
called for each SRO to have its automated systems reviewed annually by
an ``independent reviewer.'' \18\
---------------------------------------------------------------------------
\11\ See ARP I, supra note 1, 54 FR 48706.
\12\ See ARP I, supra note 1, 54 FR 48705-48706, stating that
SROs should ``take certain steps to ensure that their automated
systems have the capacity to accommodate current and reasonably
anticipated future trading volume levels and respond to localized
emergency conditions.'' In ARP I, the Commission also defined the
terms ``automated systems'' and ``automated trading systems'' to
refer ``collectively to computer systems for listed and OTC
equities, as well as options, that electronically route orders to
applicable market makers and systems that electronically route and
execute orders, including the data networks that feed the systems *
* * [and encompass] systems that disseminate transaction and
quotation information and conduct trade comparisons prior to
settlement, including the associated communication networks.'' See
id. at n. 21. See also id. at n. 26 (stating that the Commission may
suggest expansion of the ARP I policy statement to cover ``other SRO
computer-driven support systems for, among other things, clearance
and settlement, and market surveillance, if the Commission finds it
necessary to ensure the maintenance of fair and orderly markets'').
\13\ See id. at 48705.
\14\ See id. at 48705. The Commission noted that problems
encountered by trading systems during the October 1987 market break
included: (i) Inadequate computer capacity causing queues of
unprocessed orders to develop that, in turn, resulted in significant
delays in order execution; (ii) inadequate contingency plans to
accommodate increased order traffic; (iii) delays in the
transmission of transaction reports to both member firms and
markets; and (iv) delays in order processing.
\15\ See id. at 48705.
\16\ See id. at 48705-48706.
\17\ See id. at 48706-48707. With respect to capacity estimates
and testing, the Commission urged SROs to institute procedures for
stress testing using ``standards generally set by the computer
industry,'' and report the results of stress testing to Commission
staff. The Commission also requested comment on whether it should
mandate specific standards for the SROs to follow, and if so, what
those standards should be. See id. With respect to vulnerability of
systems to external and internal threat, the Commission requested in
ARP I that SROs assess the susceptibility of automated systems to
computer viruses, unauthorized use, computer vandalism, and failures
as a result of catastrophic events (such as fire, power outages, and
earthquakes), and promptly notify Commission staff of any instances
in which unauthorized persons gained or attempted to gain access to
SRO systems, and follow up with a written report of the problem, its
cause, and the steps taken to prevent a recurrence.
\18\ See id.
---------------------------------------------------------------------------
In 1991, the Commission published ARP II.\19\ In ARP II, the
Commission further articulated its views on how SROs should conduct
independent reviews.\20\ ARP II stated that such reviews and analysis
should: ``(1) Cover significant elements of the operations of the
automation process, including the capacity planning and testing
process, contingency planning, systems development methodology and
vulnerability assessment; (2) be performed on a cyclical basis by
competent and independent audit personnel following established audit
procedures and standards; and (3) result in the presentation of a
report to senior SRO management on the recommendations and conclusions
of the independent reviewer, which report should be made available to
Commission staff for its review and comment.'' \21\
---------------------------------------------------------------------------
\19\ See ARP II Release, 56 FR 22490, supra note 1.
\20\ See id.
\21\ See id. at 22491. In ARP II the Commission also explained
that, in its view, ``a critical element to the success of the
capacity planning and testing, security assessment and contingency
planning processes for [automated] systems is obtaining an objective
review of those planning processes by persons independent of the
planning process to ensure that adequate controls and procedures
have been developed and implemented.'' Id.
---------------------------------------------------------------------------
In addition, ARP II addressed how SROs should notify the Commission
of material systems changes and significant systems problems.
Specifically, ARP II stated that SROs should notify Commission staff of
significant additions, deletions, or other changes to their automated
systems on an annual and an as-needed basis, as well as provide real-
time notification of unusual events, such as significant outages
involving automated systems.\22\ Further, in ARP II, the Commission
again suggested development of standards to meet the ARP policy
statements, stating that ``the SROs, and other interested parties
should begin the process of exploring the establishment of (1)
standards for determining capacity levels for the SROs' automated
trading systems; (2) generally accepted computer security standards
that would be effective for SRO automated systems; and (3) additional
standards regarding audits of computer systems.'' \23\
---------------------------------------------------------------------------
\22\ See id. at 22491.
\23\ See id.
---------------------------------------------------------------------------
The current ARP Inspection Program was developed by Commission
staff to implement the ARP policy statements,\24\ and has garnered
participation by all active registered clearing agencies, all
registered national securities exchanges, the Financial Industry
Regulatory Authority (``FINRA''), the only registered national
securities association, one exempt clearing agency, and one ATS.\25\ In
1998, the Commission adopted Regulation ATS which, among other things,
imposed by rule certain aspects of ARP I and ARP II on significant-
volume ATSs.\26\ Thereafter, administration of these aspects of
Regulation ATS was incorporated into the ARP Inspection Program.
---------------------------------------------------------------------------
\24\ While participation in the ARP Inspection Program is
voluntary, the underpinnings of ARP I and ARP II are rooted in
Exchange Act requirements. See supra notes 5-10 and accompanying
text.
\25\ See infra note 91 and accompanying text. One ATS currently
complies voluntarily with the ARP Inspection Program. However, ARP
staff has conducted ARP inspections of other ATSs over the course of
the history of the ARP Inspection Program. See also infra notes
134-135 and accompanying text.
\26\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6).
With regard to systems that support order entry, order routing,
order execution, transaction reporting, and trade comparison,
Regulation ATS requires significant-volume ATSs to: establish
reasonable current and future capacity estimates; conduct periodic
capacity stress tests of critical systems to determine their ability
to accurately, timely and efficiently process transactions; develop
and implement reasonable procedures to review and keep current
system development and testing methodology; review system and data
center vulnerability to threats; establish adequate contingency and
disaster recovery plans; perform annual independent reviews of
systems to ensure compliance with the above listed requirements and
perform review by senior management of reports containing the
recommendations and conclusions of the independent review; and
promptly notify the Commission of material systems outages and
significant systems changes. See Rule 301(b)(6)(ii) of Regulation
ATS, 17 CFR 242.301(b)(6)(ii). Regulation ATS defines significant-
volume ATSs as ATSs that, during at least 4 of the preceding 6
calendar months, had: (i) with respect to any NMS stock, 20 percent
or more of the average daily volume reported by an effective
transaction reporting plan; (ii) with respect to equity securities
that are not NMS stocks and for which transactions are reported to a
self-regulatory organization, 20 percent or more of the average
daily volume as calculated by the self-regulatory organization to
which such transactions are reported; (iii) with respect to
municipal securities, 20 percent or more of the average daily volume
traded in the United States; or (iv) with respect to corporate debt
securities, 20 percent or more of the average daily volume traded in
the United States. See Rule 301(b)(6)(i) of Regulation ATS, 17 CFR
242.301(b)(6)(i).
---------------------------------------------------------------------------
Under the ARP Inspection Program, staff in the Commission's
Division of Trading and Markets (``ARP staff'') conduct inspections of
ARP entity systems, attend periodic technology briefings presented by
ARP entity staff, monitor the progress of planned significant system
changes, and respond to reports of system failures, disruptions, and
other systems problems of ARP entities. An ARP inspection typically
includes ARP staff review of information technology documentation,
testing of selected controls, and interviews with information
technology staff and management of the ARP entity.\27\
---------------------------------------------------------------------------
\27\ ARP inspections are typically conducted independently from
the inspections and examinations of SROs, ATSs, and broker-dealers
conducted by staff in the Commission's Office of Compliance
Inspections and Examinations (``OCIE'') for compliance with the
federal securities laws and rules thereunder.
---------------------------------------------------------------------------
Just as markets have become increasingly automated and information
technology programs and practices at ARP entities have changed, ARP
inspections also have evolved considerably over the past 20 years.
Today, the ARP Inspection Program covers nine general inspection areas,
or information technology ``domains:'' application controls; capacity
planning; computer operations and production environment controls;
contingency planning; information security and networking; audit;
outsourcing; physical security; and systems development
methodology.\28\ The goal of an ARP inspection is to evaluate whether
an ARP entity's controls over its information technology resources in
each domain are consistent with ARP and industry guidelines,\29\ as
identified by ARP staff from a variety of information technology
publications that ARP staff believes reflect industry standards for
securities market participants.
---------------------------------------------------------------------------
\28\ Each domain itself contains subcategories. For example,
``contingency planning'' includes business continuity, disaster
recovery, and pandemic planning, among other things.
\29\ The domains covered during an ARP inspection depend in part
upon whether the inspection is a regular inspection or a ``for-
cause'' inspection. Typically, however, to make the most efficient
use of resources, a single ARP inspection will cover fewer than nine
domains.
---------------------------------------------------------------------------
Most recently, these publications have included, among others,
publications issued by the Federal Financial Institutions Examination
Council (``FFIEC'') and the National Institute of
[[Page 18087]]
Standards and Technology (``NIST'').\30\ ARP staff has also relied on
the 2003 Interagency White Paper on Sound Practices to Strengthen the
Resiliency of the U.S. Financial System \31\ and the 2003 Policy
Statement on Business Continuity Planning for Trading Markets.\32\
Since 2003, however, the Commission has not issued formal guidance on
which publications establish the most appropriate guidelines for ARP
entities. At the conclusion of an ARP inspection, ARP staff typically
issues a report to the ARP entity with an assessment of its information
technology program with respect to its critical systems, including any
recommendations for improvement.
---------------------------------------------------------------------------
\30\ Other examples of publications that ARP staff has referred
to include those issued by the Center for Internet Security
(http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks);
Information Systems Audit and Control Association (Control
Objectives for Information Technology Framework, available at:
http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx);
Defense Information Systems Agency, Security Technical
Implementation Guides (available at
http://iase.disa.mil/stigs/index.html); and Government
Accountability Office (Federal Information System Controls Audit
Manual (February 2009), available at:
http://www.gao.gov/assets/80/77142.pdf).
\31\ See Securities Exchange Act Release No. 47638 (April 7,
2003), 68 FR 17809 (April 11, 2003) (Interagency Paper on Sound
Practices to Strengthen the Resilience of the U.S. Financial
Systems) (``2003 Interagency White Paper'').
\32\ See Securities Exchange Act Release No. 48545 (September
25, 2003), 68 FR 56656 (October 1, 2003) (Policy Statement: Business
Continuity Planning for Trading Markets) (``2003 Policy Statement on
Business Continuity Planning for Trading Markets'').
---------------------------------------------------------------------------
Another significant aspect of the ARP Inspection Program relates to
the monitoring of planned significant systems changes and reports of
systems problems at ARP entities. As noted above, ARP II stated that
SROs should notify Commission staff of significant additions,
deletions, or other changes to their automated systems on an annual and
an as-needed basis, as well as provide real-time notification of
unusual events, such as significant outages involving automated
systems.\33\ Likewise, Regulation ATS requires significant-volume ATSs
to promptly notify the Commission of material systems outages and
significant systems changes.\34\
---------------------------------------------------------------------------
\33\ See supra note 22 and accompanying text.
\34\ See 17 CFR 242.301(b)(6)(ii)(G). See also supra note 26.
---------------------------------------------------------------------------
In addition to the Commission's ARP policy statements and Rule
301(b)(6) of Regulation ATS, Commission staff has provided guidance to
ARP entities on how the staff believes they should report planned
systems changes and systems issues to the Commission. For example, in
2001, Commission staff sent a letter to the SROs and other participants
in the ARP Inspection Program to clarify what should be considered a
``significant system change'' and a ``significant system outage'' for
purposes of reporting systems changes and problems to Commission
staff.\35\ Further, in 2009, Commission staff sent a letter to the
national securities exchanges and FINRA expressing the staff's view
that SROs are obligated to ensure that their systems' operations comply
with the federal securities laws and rules and the SRO's rules, and
that failure to satisfy this obligation could lead to sanctions under
Section 19(h)(1) of the Exchange Act.\36\ Unlike ARP I, ARP II, and
Rule 301(b)(6) of Regulation ATS, the 2001 Staff ARP Interpretive
Letter and 2009 Staff Systems Compliance Letter were not issued by the
Commission and constitute only staff guidance. Proposed Regulation SCI,
if adopted, would consolidate and supersede all such staff guidance, as
well as the Commission's ARP policy statements and Rule 301(b)(6) of
Regulation ATS.
---------------------------------------------------------------------------
\35\ In June 2001, staff from the Division of Market Regulation
sent a letter to the SROs and other participants in the ARP
Inspection Program regarding Guidance for Systems Outage and System
Change Notifications (``2001 Staff ARP Interpretive Letter''),
advising them that the staff considers a significant system change
to include: (i) Major systems architectural changes; (ii)
reconfiguration of systems that cause a variance greater than five
percent in throughput or storage; (iii) introduction of new business
functions or services; (iv) material changes in systems; (v) changes
to external interfaces; (vi) changes that could increase
susceptibility to major outages; (vii) changes that could increase
risks to data security; (viii) a change that was, or will be,
reported or referred to the entity's board of directors or senior
management; or (ix) changes that may require allocation or use of
significant resources. The 2001 Staff ARP Interpretive Letter also
advised that Commission staff considers a ``significant system
outage'' to include an outage that results in: (i) Failure to
maintain service level agreements or constraints; (ii) disruption of
normal operations, including switchover to back-up equipment with no
possibility of near-term recovery of primary hardware; (iii) loss of
use of any system; (iv) loss of transactions; (v) excessive back-ups
or delays in processing; (vi) loss of ability to disseminate vital
information; (vii) communication of an outage situation to other
external entities; (viii) a report or referral of an event to the
entity's board of directors or senior management; (ix) a serious
threat to systems operations even though systems operations are not
disrupted; or (x) a queuing of data between system components or
queuing of messages to or from customers of such duration that a
customer's normal service delivery is affected. The 2001 Staff ARP
Interpretive Letter is available at http://www.sec.gov/divisions/marketreg/sroautomation.shtml.
\36\ In December 2009, staff from the Division of Trading and
Markets and Office of Compliance Inspections and Examinations sent a
letter (``2009 Staff Systems Compliance Letter'') to each national
securities exchange and FINRA reminding each of its obligation to
ensure that its systems' operations are consistent with the federal
securities laws and rules and the SRO's rules, and clarifying the
staff's expectations regarding SRO systems compliance. The 2009
Staff Systems Compliance Letter also expressed the staff's view that
SROs and other participants in the ARP Inspection Program should
have effective written policies and procedures for systems
development and maintenance that provide for adequate regulatory
oversight, including testing of system changes, controls over system
changes, and independent audits. The 2009 Staff Systems Compliance
Letter also expressed the staff's expectation that, if an SRO
becomes aware of a system function that could lead or has led to a
failure to comply with the federal securities laws or rules, or the
SRO's rules, the SRO should immediately take appropriate corrective
action including, at a minimum, devoting adequate resources to
remedy the issue as soon as possible, and notifying Commission staff
and (if appropriate) the public of the compliance issue and efforts
to rectify it. The 2009 Staff Systems Compliance Letter was sent to
BATS, BATS-Y, CBOE, C2, CHX, EDGA, EDGX, FINRA, ISE, Nasdaq, Nasdaq
OMX BX, Nasdaq OMX Phlx, NSX, NYSE, NYSE MKT (f/k/a NYSE Amex), and NYSE
Arca. See infra notes 47 and 51.
---------------------------------------------------------------------------
In addition, OCIE conducts inspections of SROs, as part of the
Commission's oversight of them. Unlike ARP inspections, however, which
focus on information technology controls, OCIE primarily conducts risk-
based examinations of securities exchanges, FINRA, and other SROs to
evaluate whether they and their member firms are complying with the
Exchange Act and the rules thereunder, as well as SRO rules. Examples
of OCIE risk-based examination areas include: governance, regulatory
funding, trading regulation, member firm examination programs,
disciplinary programs for member firms, and exchange programs for
listing compliance. In 2011, OCIE conducted baseline assessments of all
of the national securities exchanges then operating. These assessments
included these areas, among others, but did not include examinations of
the exchanges' systems, as systems inspections are conducted under the
ARP Inspection Program.\37\ As part of the Commission's oversight of
the SROs, OCIE also reviews systems compliance issues reported to
Commission staff. The information gained from OCIE's review of reported
systems compliance issues helps to inform its examination risk-
assessments for SROs.
---------------------------------------------------------------------------
\37\ See text accompanying notes 24-29.
---------------------------------------------------------------------------
B. Evolution of the Markets Since the Inception of the ARP Inspection
Program
Since the inception of the ARP Inspection Program more than two
decades ago, the securities markets have experienced sweeping changes,
evolving from a collection of relatively few, mostly manual markets, to
a larger number and broader variety of trading centers that are almost
completely automated, and dependent upon sophisticated technology and
extremely
[[Page 18088]]
fast and interconnected systems. Regulatory developments, such as
Regulation NMS,\38\ decimalization,\39\ Regulation ATS,\40\ and the
Order Handling Rules,\41\ also have impacted the structure of the
markets by, among other things, mandating and providing incentives that
encourage automation and speed. Although some markets today retain
trading floors and accommodate some degree of manual interaction, these
markets also have implemented electronic trading for their products. In
stock markets, for example, in almost all cases, the volume of
electronic trading dominates any residual manual activity.\42\ In
addition, in recent years, the new trading systems developed by
existing or new exchanges and ATSs rely almost exclusively on fully-
electronic, automated technology to execute trades.\43\ As a result,
the overwhelming majority of securities transactions today are executed
on such automated systems.\44\ A primary driver and catalyst of this
transformation has been the continual evolution of technologies for
generating, routing, and executing orders. These technologies have
dramatically improved the speed, capacity, and sophistication of the
trading functions that are available to market participants.\45\ The
increased speed and capacity of automated systems in the current market
structure has contributed to surging message traffic.\46\
---------------------------------------------------------------------------
\38\ 17 CFR 242.600-612. See also Securities Exchange Act
Release No. 51808 (June 9, 2005), 70 FR 37496 (June 29, 2005).
\39\ See Securities Exchange Act Release No. 42360 (January 28,
2000), 65 FR 5003 (February 2, 2000).
\40\ 17 CFR 242.300-303. See also ATS Release, supra note 2.
\41\ Securities Exchange Act Release No. (September 6, 1996), 61
FR 48290 (September 12, 1996). See also Concept Release on Equity
Market Structure, supra note 42, at 3594.
\42\ See, e.g., Securities Exchange Act Release No. 61358
(January 14, 2010), 75 FR 3594, 3594-95 (January 21, 2010) (Concept
Release on Equity Market Structure). See also Securities Exchange
Act Release No. 58845 (October 24, 2008), 73 FR 64379 (October 29,
2008) (SR-NYSE-2008-46) (order approving NYSE's New Market Model, an
electronic trading system with floor-based components).
\43\ See, e.g., Securities Exchange Act Release Nos. 62716
(August 13, 2010), 75 FR 51295 (August 19, 2010) (order approving
the exchange registration application of BATS-Y Exchange, Inc.);
61698 (March 12, 2010), 75 FR 13151 (March 18, 2010) (order
approving the exchange registration applications of EDGA Exchange
Inc. and EDGX Exchange Inc.); 57478 (March 12, 2008), 73 FR 14521
(March 18, 2008) (order approving a proposed rule change, as
amended, by the NASDAQ Stock Market LLC to establish rules governing
the trading of options on the NASDAQ Options Market).
\44\ For example, less than 30 percent of stock trading takes
place on listing exchanges as orders are dispersed to more than 50
competing venues, almost all of which are fully electronic. See,
e.g., http://www.batstrading.com/market_summary. See also Concept
Release on Equity Market Structure, supra note 42, for a more
detailed discussion of equity market structure.
\45\ For example, the speed of trading has increased to the
point that the fastest traders now measure their latencies in
microseconds. See Concept Release on Equity Market Structure, supra
note 42, at 3598.
\46\ See, e.g., ``Climbing Mount Message: How Exchanges are
Managing Peaks,'' Markets Media (posted on June 29, 2012), available
at: http://marketsmedia.com/climbing-mount-message-exchanges-managing-peaks/ (noting that message volumes across U.S. exchanges
hit a daily peak of 4.47 million messages per second).
---------------------------------------------------------------------------
In addition to these changes, there has been an increase in the
number of trading venues, particularly for equities. No longer is
trading in equities dominated by one or two trading venues. Today, 13
national securities exchanges trade equities, with no single stock
exchange having an overall market share of greater than twenty percent
of consolidated volume for all NMS stocks,\47\ but each with a
protected quotation \48\ that may not be traded through by other
markets.\49\ ATSs, including electronic communications networks
(``ECNs'') and dark pools, as well as broker-dealer internalizers, also
execute substantial volumes of securities transactions.\50\ Each of
these trading venues is connected with the others through a vast web of
linkages, including those that provide connectivity, routing services,
and market data. The number of venues trading options has likewise
grown, with 11 national securities exchanges currently trading options,
up from five as recently as 2004.\51\
---------------------------------------------------------------------------
\47\ See, e.g., market volume statistics reported by BATS
Exchange, Inc., available at: http://www.batstrading.com/market_summary (no single national securities exchange executed more than
20 percent of volume in NMS stocks during the 5-day period ending
February 7, 2013). The following national securities exchanges have
equities trading platforms: (1) BATS Exchange, Inc. (``BATS''); (2)
BATS Y-Exchange, Inc. (``BATS-Y''); (3) Chicago Board Options
Exchange, Incorporated (``CBOE''); (4) Chicago Stock Exchange, Inc.
(``CHX''); (5) EDGA Exchange, Inc. (``EDGA''); (6) EDGX Exchange,
Inc. (``EDGX''); (7) NASDAQ OMX BX, Inc. (``Nasdaq OMX BX''); (8)
NASDAQ OMX PHLX LLC (``Nasdaq OMX Phlx''); (9) NASDAQ Stock Market
LLC (``Nasdaq''); (10) National Stock Exchange, Inc. (``NSX''); (11)
New York Stock Exchange LLC (``NYSE''); (12) NYSE MKT LLC (``NYSE
MKT''); and (13) NYSE Arca, Inc. (``NYSE Arca'').
\48\ A ``protected quotation'' is defined by Regulation NMS as a
quotation in an NMS stock that (i) is displayed by an automated
trading center; (ii) is disseminated pursuant to an effective
national market system plan; and (iii) is an automated quotation
that is the best bid or best offer of a national securities
exchange, the best bid or best offer of The Nasdaq Stock Market,
Inc., or the best bid or best offer of a national securities
association other than the best bid or best offer of The Nasdaq
Stock Market, Inc. See Rule 600(b)(57)-(58) of Regulation NMS, 17
CFR 242.600(b)(57)-(58).
\49\ See Rule 611(a)(1) of Regulation NMS, 17 CFR 242.611(a)(1).
\50\ See Concept Release on Equity Market Structure, supra note
42.
\51\ The following venues trade options today: (1) BATS Exchange
Options Market; (2) Boston Options Exchange LLC (``BOX''); (3) C2
Options Exchange, Incorporated (``C2''); (4) CBOE; (5) International
Securities Exchange, LLC (``ISE''); (6) Miami International
Securities Exchange, LLC (``MIAX''); (7) NASDAQ Options Market; (8)
NASDAQ OMX BX Options; (9) Nasdaq OMX Phlx; (10) NYSE Amex Options;
and (11) NYSE Arca.
---------------------------------------------------------------------------
The increased number of trading venues, dispersal of trading
volume, and the resulting reliance on a variety of automated systems
and intermarket linkages have increased competition and thus investor
choice, but have also increased the complexity of the markets and the
challenges for market participants seeking to manage their information
technology programs and to ensure compliance with Commission rules.\52\
These changes have also substantially heightened the potential for
systems problems originating from any number of sources to broadly
affect the market. Given the increased interconnectedness of the
markets, a trading venue may not always recognize the true impact and
cost of a problem that originates with one of its systems.
---------------------------------------------------------------------------
\52\ For example, one important type of linkage in the current
market structure was created to comply with legal obligations to
protect against trade-throughs as required by Rule 611 of Regulation
NMS under the Exchange Act, 17 CFR 242.611. A trade-through is the
execution of a trade at a price inferior to a protected quotation
for an NMS stock. Importantly, Rule 611 applies to all trading
centers, not just those that display protected quotations. Trading
center is defined broadly in Rule 600(b)(78) of Regulation NMS to
include, among others, all exchanges, all ATSs (including ECNs and
dark pools), all OTC market makers, and any other broker-dealer that
executes orders internally, whether as agent or principal. See
Concept Release on Equity Market Structure, supra note 42, at 3601.
---------------------------------------------------------------------------
C. Successes and Limitations of the Current ARP Inspection Program
While the Commission generally considers the ARP Inspection Program
to have been successful in improving the automated systems of the SROs
and other entities participating in the program over the past 20 years,
the Commission is mindful of its limitations. For example, because the
ARP Inspection Program is established pursuant to Commission policy
statements, rather than Commission rules,\53\ the Commission's ability
to assure compliance with ARP standards with certainty or adequate
thoroughness is limited. In particular, the Commission may not be able
to fully address major or systemic market problems at all entities that
would meet the proposed definition of SCI entity. Further, the
Government Accountability Office
[[Page 18089]]
(``GAO'') has identified the voluntary nature of the ARP Inspection
Program as a limitation of the program and recommended that the
Commission make compliance with ARP guidelines mandatory.\54\
---------------------------------------------------------------------------
\53\ As discussed in infra Section III.B.1, no ATS currently
meets the volume thresholds in Rule 301(b)(6) of Regulation ATS.
\54\ See GAO, Financial Market Preparedness: Improvements Made,
but More Action Needed to Prepare for Wide-Scale Disasters, Report
No. GAO-04-984 (September 27, 2004). GAO cited instances in which
the GAO believed that entities participating in the ARP Inspection
Program failed to adequately address or implement ARP staff
recommendations as the reasoning behind its recommendation to make
compliance with ARP guidelines mandatory. As noted in supra Section
I.A, the obligations underlying the policy statements are
statutorily mandated.
---------------------------------------------------------------------------
The Commission believes that the continuing evolution of the
securities markets to the current state, where they have become almost
entirely electronic and highly dependent on sophisticated trading and
other technology (including complex regulatory and surveillance
systems, as well as systems relating to the provision of market data,
intermarket routing and connectivity, and a variety of other member and
issuer services), has posed challenges for the ARP Inspection Program.
Accordingly, the Commission believes that the guidance in the ARP
policy statements should be updated and formalized, and that clarity
with respect to a variety of important matters, including regarding
appropriate industry practices, notice to the Commission of all SCI
events and to members or participants of SCI entities of certain
systems problems, Commission access to systems, and procedures designed
to better ensure that SRO systems comply with the SRO's own rules,
would improve the Commission's oversight capabilities. Furthermore,
given the importance of ensuring that an SRO's trading and other
systems are operated in accordance with its rules, the Commission
believes that improvements in SRO procedures could help to ensure that
such systems are operating in compliance with relevant rules, and to
promptly identify and address any instances of non-compliance.\55\
---------------------------------------------------------------------------
\55\ Section 19(b)(1) of the Exchange Act requires each SRO to
file with the Commission any proposed rule or any proposed change
in, addition to, or deletion from the rules of such SRO (a
``proposed rule change''), accompanied by a concise general
statement of the basis and purpose of such proposed rule change, and
provides that no proposed rule change shall take effect unless
approved by the Commission or otherwise permitted in accordance with
the provisions of this section. See 15 U.S.C. 78s(b)(1). An SRO's
failure to file a proposed rule change when required would be a
violation of Section 19(b)(1).
---------------------------------------------------------------------------
D. Recent Events
In the Commission's view, recent events further highlight why
rulemaking in this area may be warranted. On May 6, 2010, according to
a report by the staffs of the Commission and the Commodity Futures
Trading Commission (``CFTC''), the prices of many U.S.-based equity
products experienced an extraordinarily rapid decline and recovery,
with major equity indices in both the futures and securities markets,
each already down over four percent from their prior day close,
suddenly plummeting a further five to six percent in a matter of
minutes before rebounding almost as quickly.\56\ According to the May 6
Staff Report, many individual equity securities and exchange traded
funds suffered similar price declines and reversals within a short
period of time, falling 5, 10, or even 15 percent before recovering
most, if not all, of their losses.\57\ The May 6 Staff Report stated
that some equities experienced even more severe price moves, both up
and down, with over 20,000 trades in more than 300 securities executed
at prices more than 60 percent away from their values just moments
before.\58\
---------------------------------------------------------------------------
\56\ See Findings Regarding The Market Events Of May 6, 2010,
Report Of The Staffs Of The CFTC And SEC To The Joint Advisory
Committee On Emerging Regulatory Issues, September 30, 2010 (``May 6
Staff Report'').
\57\ See id.
\58\ These trades subsequently were broken by the exchanges and
FINRA. See id.
---------------------------------------------------------------------------
Among the key findings in the May 6 Staff Report was that the
interaction between automated execution programs and algorithmic
trading strategies can quickly erode liquidity and result in disorderly
markets, and that concerns about data integrity, especially those that
involve the publication of trades and quotes to the consolidated tape,
can contribute to pauses or halts in many automated trading systems and
in turn lead to a reduction in general market liquidity.\59\ According
to the May 6 Staff Report, the events of May 6, 2010 clearly
demonstrate the importance of data in today's world of fully automated
trading strategies and systems, and that fair and orderly markets
require the maintenance of high standards for robust, accessible, and
timely market data.\60\
---------------------------------------------------------------------------
\59\ See id. at 78.
\60\ See id. at 8.
---------------------------------------------------------------------------
Both before and after the May 6, 2010 incident, individual markets
have also experienced other systems-related issues. In February 2011,
NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of
its computer networks, though Nasdaq reported that at no point did this
intrusion compromise Nasdaq's trading systems.\61\ In October 2011, the
Commission sanctioned EDGX and EDGA, two national securities exchanges,
and their affiliated broker, Direct Edge ECN LLC, for violations of
federal securities laws arising from systems incidents.\62\ In the
Direct Edge Order, the Commission noted that the ``violations occurred
against the backdrop of weaknesses in Respondents' systems, processes,
and controls.'' \63\
---------------------------------------------------------------------------
\61\ See announcement by Nasdaq OMX (February 5, 2011),
available at: http://www.nasdaq.com/includes/announcement-2-5-11.aspx (accessed May 20, 2011). See also Devlin Barrett, ``Hackers
Penetrate NASDAQ Computers,'' Wall St. J., February 5, 2011, at A1;
Devlin Barrett et al., ``NASDAQ Confirms Breach in Network,'' Wall
St. J., February 7, 2011, at C1.
\62\ See Securities Exchange Act Release No. 65556, In the
Matter of EDGX Exchange, Inc., EDGA Exchange, Inc. and Direct Edge
ECN LLC (settled action: October 13, 2011), available at: http://www.sec.gov/litigation/admin/2011/34-65556.pdf (``Direct Edge
Order''); see also Commission News Release, 2011-208, ``SEC
Sanctions Direct Edge Electronic Exchanges and Orders Remedial
Measures to Strengthen Systems and Controls'' (October 13, 2011).
EDGX, EDGA, and their affiliated routing broker, Direct Edge ECN LLC
(dba DE Route), consented to an Order Instituting Administrative and
Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of
the Securities Exchange Act of 1934, Making Findings, and Imposing
Remedial Sanctions and a Cease-and-Desist Order.
\63\ See Direct Edge Order, supra note 62, at 3.
---------------------------------------------------------------------------
More recently, in 2012, systems issues hampered the initial public
offerings of BATS Global Markets, Inc. and Facebook, Inc.\64\ On March
23, 2012, BATS announced that a ``software bug'' caused BATS to shut
down the IPO of its own stock, BATS Global Markets, Inc.\65\ On May 18,
2012, issues with Nasdaq's trading systems delayed the start of trading
in the high-profile IPO of Facebook, Inc. and some market participants
experienced delays in notifications over whether orders had been
filled.\66\
---------------------------------------------------------------------------
\64\ See also infra note 334 and accompanying text.
\65\ See ``BATS BZX Exchange Post-Mortem'' by BATS, March 23,
2012, available at: www.batstrading.com/alerts (accessed July 2,
2012).
\66\ See ``Post-Mortem for NASDAQ issues related to the Facebook
Inc. (FB) IPO Cross on Friday, May 18, 2012'' by NASDAQ, May 18,
2012, available at: http://www.nasdaqtrader.com/TraderNews.aspx?id=ETA2012-20 (accessed July 2, 2012).
---------------------------------------------------------------------------
While these are illustrative high-profile examples, they are not
the only instances of disruptions and other systems problems
experienced by SROs and ATSs.\67\ Moreover, the risks
[[Page 18090]]
associated with cybersecurity, and how to protect against systems
intrusions, are increasingly of concern to all types of entities,
including public companies.\68\
---------------------------------------------------------------------------
\67\ The Commission notes that outages have occurred on foreign
markets recently as well. See, e.g., Kana Inagaki and Kosaku
Narioka, ``Tokyo Tackles Trading Glitch,'' Wall St. J., February 2,
2012; and Neil Shah and Carrick Mollenkamp, ``London Exchange
Paralyzed by Glitch,'' Wall St. J., September 9, 2008, Europe
Business News. See also discussion in infra Section III.C.1.b
regarding business continuity planning during October 2012 due to
Superstorm Sandy.
\68\ See, e.g., CF Disclosure Guidance: Topic No. 2,
Cybersecurity (October 13, 2011), available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (providing the
Division of Corporation Finance's views regarding disclosure
obligations relating to cybersecurity risks and cyber incidents).
---------------------------------------------------------------------------
On October 2, 2012, the Commission conducted a roundtable entitled
``Technology and Trading: Promoting Stability in Today's Markets''
(``Roundtable'').\69\ The Roundtable examined the relationship between
the operational stability and integrity of the securities market and
the ways in which market participants design, implement, and manage
complex and interconnected trading technologies.\70\ Panelists offered
their views on how market participants could prevent, or at least
mitigate, technology errors as well as how error response could be
improved.
---------------------------------------------------------------------------
\69\ See Securities Exchange Act Release No. 67802 (September 7,
2012), 77 FR 56697 (September 13, 2012) (File No. 4-652). A webcast
of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml.
\70\ See Securities Exchange Act Release No. 67725 (August 24,
2012), 77 FR 52766 (August 30, 2012) (File No. 4-652). The
Roundtable included panelists from academia, clearing agencies,
national securities exchanges, broker-dealers, and other
organizations. Panelists for the first panel were: Dr. Nancy
Leveson, Professor of Aeronautics and Astronautics and Engineering
Systems, MIT (``MIT''); Sudhanshu Arya, Managing Director, ITG
(``ITG''); Chris Isaacson, Chief Operating Officer, BATS Exchange
(``BATS''); Dave Lauer, Market Structure and HFT Consultant, Better
Markets, Inc. (``Better Markets''); Jamil Nazarali, Head of Citadel
Execution Services, Citadel (``Citadel''); Lou Pastina, Executive
Vice President--NYSE Operations, NYSE (``NYSE''); Christopher Rigg,
Partner--Financial Services Industry, IBM (``IBM''); and Jonathan
Ross, Chief Technology Officer, GETCO LLC (``Getco'').
Panelists for the second panel were: Dr. M. Lynne Markus,
Professor of Information and Process Management, Bentley University
(``Bentley''); David Bloom, Head of UBS Group Technology (``UBS'');
Chad Cook, Chief Technology Officer, Lime Brokerage LLC (``Lime'');
Anna Ewing, Executive Vice President and Chief Information Officer,
Nasdaq; Albert Gambale, Managing Director and Chief Development
Officer, Depository Trust and Clearing Corp. (``DTCC''); Saro
Jahani, Chief Information Officer, Direct Edge (``DE''); and Lou
Steinberg, Chief Technology Officer, TD Ameritrade (``TDA''). See
Technology and Trading: Promoting Stability in Today's Markets
Roundtable -- Participant Bios, available at: http://www.sec.gov/news/otherwebcasts/2012/ttr100212-bios.htm.
The Roundtable was announced on August 3, 2012, following a
report by Knight Capital Group, Inc. (``Knight'') that, on August 1,
2012, it ``experienced a technology issue at the opening of trading
at the NYSE * * * [which was] related to Knight's installation of
trading software and resulted in Knight sending numerous erroneous
orders in NYSE-listed securities into the market * * * Knight * * *
traded out of its entire erroneous trade position, which * * *
resulted in a realized pre-tax loss of approximately $440 million.''
See Knight Capital Group Provides Update Regarding August 1st
Disruption To Routing In NYSE-listed Securities (August 2, 2012),
available at: http://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599.
Although the Knight incident highlights the importance of the
integrity of broker-dealer systems, the focus of the Roundtable was
not limited to broker-dealers. But see infra Section III.G,
soliciting comment regarding the potential inclusion of broker-
dealers, other than SCI ATSs, in the proposed definition of SCI
entity.
---------------------------------------------------------------------------
Although the discussion was wide-ranging, several themes emerged,
with panelists generally agreeing that areas of focus across the
industry should be on adherence to best practices, improved quality
assurance, more robust testing, increased pre-trade and post-trade risk
controls, real-time monitoring of systems, and improved communications
when systems problems occur. The panelists also discussed whether there
should be regulatory or other mandates for quality standards and
industry testing, and whether specific mechanisms, such as ``kill
switches,'' \71\ would be useful to protect the markets from technology
errors and to advance the goal of bolstering investor confidence in the
markets.\72\ Several panelists also stated that, given the frequency of
coding changes in the current market environment, testing of software
changes should be far more robust.\73\
---------------------------------------------------------------------------
\71\ The term ``kill switch'' is a shorthand expression used by
market participants, including Roundtable participants and
Roundtable commenters, to refer to mechanisms pursuant to which one
or more limits on trading could be established by a trading venue
for its participants that, if exceeded, would authorize the trading
venue to stop accepting incoming orders from such participant. See
also infra note 76 and accompanying text.
\72\ With regard to quality assurance in particular, Roundtable
panelists differed on the role of third parties in providing quality
assurance, with some panelists believing that, given the difficulty
for an outside party to understand the complex systems of trading
firms and other market participants, such a role should be performed
by internal staff who are better able to understand such systems,
with other panelists opining that it was critical that independent
parties provide quality assurance.
\73\ Panelists urging greater testing in general and industry
testing in particular included those from BATS, Better Markets, DE,
ITG, Getco, Nasdaq, NYSE, and TDA.
---------------------------------------------------------------------------
In addition to the Roundtable panels, the Commission solicited
comment with respect to the Roundtable's topics, and received
statements from some of the Roundtable panelists, as well as comment
letters from the public.\74\ Many comment letters specifically
recommended improved testing as a way to aid error prevention.\75\ In
addition, several commenters expressed support for a ``kill-switch''
mechanism that would permit exchanges or other market centers to
terminate a firm's trading activity if such activity was posing a
threat to market integrity.\76\
---------------------------------------------------------------------------
\74\ See http://www.sec.gov/comments/4-652/4-652.shtml, listing
and publishing all comment letters received by the Commission with
respect to the Roundtable. The letters received cover a broad array
of topics, some of which are unrelated to proposed Regulation SCI.
This proposing release discusses and references the following
letters when relevant to the discussion of proposed Regulation SCI:
Letter dated September 5, 2012, from James J. Angel, Ph.D., CFA,
Georgetown University and the Wharton School, University of
Pennsylvania (``Angel''); Letter dated September 27, 2012, from Eric
Swanson, BATS Global Markets, Inc.; Letter dated October 2, 2012,
from Dave Lauer, Market Structure and HFT Consultant, Better Markets
(``Better Markets''); Letter dated October 1, 2012, from Jamil
Nazarali, Citadel (``Citadel''); Letter dated October 23, 2012, from
Scott Goebel, Senior Vice President and General Counsel, Fidelity
Management & Research Company (``Fidelity''); Letter dated November
1, 2012, from Arsalan Shahid, Program Director, Financial
Information Forum (``FIF''); Letter dated October 19, 2012, from
Courtney Doyle McGuinn, Operations Director, FIX Protocol Ltd.
(``FIX''); Letter dated October 1, 2012, from Elizabeth K. King,
Head of Regulatory Affairs, GETCO LLC (``Getco''); Letter dated
October 18, 2012, from Adam Nunes, President, Hudson River Trading
LLC (``Hudson''); Letter dated September 23, 2012, from Patrick J.
Healy, CEO, Issuer Advisory Group LLC (``IAG''); Letter dated
October 23, 2012, from Karrie McMillan, General Counsel, Investment
Company Institute (``ICI''); Letter dated October 22, 2012, from
James P. Selway III, Managing Director, Head of Liquidity
Management, and Sudhanshu Arya, Managing Director, Head of
Technology for Liquidity Management, ITG Inc. (``ITG''); Letter
dated September 28, 2012, from Joseph M. Mecane, NYSE Euronext;
Richard G. Ketchum, FINRA; Eric Noll, Nasdaq OMX, Inc.; Christopher
A. Isaacson, BATS Global Markets, Inc.; Bryan Harkins, DirectEdge;
David Herron, Chicago Stock Exchange; Murray Pozmanter, The
Depository Trust & Clearing Corporation; Bank of America Merrill
Lynch; Citadel LLC; Citigroup Global Markets Inc.; Deutsche Bank
Securities Inc.; GETCO; Goldman, Sachs & Co/Goldman Sachs Execution
and Clearing; IMC Chicago LLC; ITG, Inc.; Jane Street; J.P. Morgan
Securities LLC; RBC Capital Markets, LLC; RGM Advisors, LLC; Two
Sigma Securities; UBS Securities LLC; Virtu Financial; Wells Fargo
Securities (``Industry Working Group''); Letter dated September 25,
2012, from R. T. Leuchtkafer (``Leuchtkafer''); Letter dated August
14, 2012, from Stuart J. Kaswell, Executive Vice President, Managing
Director & General Counsel, Managed Funds Association (``MFA'');
Letter dated October 1, 2012, from Richard Gorelick, RGM Advisors,
Cameron Smith, Quantlab, and Peter Nabicht, Allston Trading
(``RGM''); Letter dated September 28, 2012, from Nasser A. Sharara,
Managing Director, Product Management, Raptor Trading Systems
(``Raptor''); Letter dated October 1, 2012, from Lou Steinberg,
Managing Director, Chief Technology Officer, TDA (``TDA''); Letter
dated October 24, 2012, from David Weisberger, Executive Principal,
Two Sigma Securities, LLC (``Two Sigma'').
\75\ See, e.g., letters from Angel, BATS, Better Markets,
Citadel, Fidelity, FIF, FIX, Getco, Hudson, IAG, ICI, ITG, Industry
Working Group, Leuchtkafer, MFA, RGM, and Two Sigma, supra note 74.
Some of these commenters specifically urged greater integration
testing and stated that testing with exchanges and other market
centers under simulated market conditions was necessary in today's
extremely fast and interconnected markets. One commenter (Angel)
suggested that exchanges operate completely from their backup data
centers one day each year to test such systems and market
participants' connectivity to them.
\76\ See, e.g., letters from Angel, BATS, Citadel, FIF, Getco,
IAG, Industry Working Group, MFA, RGM, and Raptor, supra note 74.
See also letters from Fidelity, FIX, Hudson and ITG, supra note 74,
submitted after the Roundtable, suggesting possible approaches for
establishing kill switch criteria. See also supra note 71,
describing the use of the term ``kill switch'' in this release.
---------------------------------------------------------------------------
[[Page 18091]]
The Commission believes that the information presented at the
Roundtable and received from commenters, as broadly outlined above,
highlights that quality standards, testing, and improved error response
mechanisms are among the issues needing very thoughtful and focused
attention in today's securities markets.\77\ In formulating proposed
Regulation SCI, the Commission has considered the information and views
discussed at the Roundtable and received from commenters.
---------------------------------------------------------------------------
\77\ The Commission notes that Roundtable panelists and
commenters offering their views and suggestions generally did so in
the context of discussing the market as a whole, rather than
focusing on the roles and regulatory status of different types of
market participants. However, some commented on the utility of the
ARP Inspection Program and suggested that it could be expanded. See,
e.g., letter from Leuchtkafer, supra note 74. In addition, the
panelists from Getco, Nasdaq, and NYSE also suggested that ARP could
be expanded, with the panelist from NYSE in particular advocating
that the applicability of any new ARP-related regulations not be
limited to SROs. One commenter suggested that the Commission update
and formalize the ARP Inspection Program before extending it to
other market participants. See letter from Fidelity, supra note 74.
This commenter added further that, if the ARP program is extended to
other market participants, it should not include a requirement that
broker-dealers submit certain information, such as algorithmic code
changes, for independent review. See also infra Section III.G,
soliciting comment on whether the requirements of proposed
Regulation SCI should apply, in whole or in part, to broker-dealers
or a subset thereof.
---------------------------------------------------------------------------
Most recently, the U.S. national securities exchanges closed for
two business days in the wake of Superstorm Sandy, a major storm that
hit the East Coast of the United States during October 2012, and which
caused significant damage in lower Manhattan, among other places.\78\
Press reports stated that, while the markets planned to open on the
first day of the storm (with the NYSE planning to operate under its
contingency plan as an electronic-only venue),\79\ after consultation
with market participants, including the Commission and its staff, and
in light of concerns over the physical safety of personnel and the
possibility of technical issues, the national securities exchanges
jointly decided not to open for trading on October 29 and October 30,
2012.\80\ The market closures occurred even though the securities
industry's annual test of how trading firms, market operators and their
utilities could operate through an emergency using backup sites, backup
communications, and disaster recovery facilities occurred on October
27, 2012, just two days before the storm.\81\ According to press
reports, the test did not uncover issues that would preclude markets
from opening two days later with backup systems, if they so chose.\82\
In addition, NYSE's contingency plan was tested seven months prior to
the storm, though press reports indicate that a large number of NYSE
members did not participate.\83\ The Commission also has considered the
impact of Superstorm Sandy on the securities markets, particularly with
respect to business continuity planning and testing, in formulating
proposed Regulation SCI.
---------------------------------------------------------------------------
\78\ See ``NYSE to Remain Open for Trading While Physical
Trading Floor and New York Building Close in Accordance with Actions
Taken by City and State Officials,'' (October 28, 2012) (``NYSE
Floor Closure Statement''), available at:
http://www.nyse.com/press/1351243407197.html; and ``NYSE Euronext
Statement on Closure of U.S.
Markets on Monday Oct. 29 and Pending Confirmation on Tuesday, Oct.
30, 2012,'' (October 28, 2012) (``NYSE Closure Statement''),
available at: http://www.nyse.com/press/1351243418010.html.
\79\ The NYSE had initially planned to act pursuant to NYSE Rule
49 (Emergency Powers), which permits a designated official of the
NYSE, in the event of an emergency (as defined in Section 12(k)(7)
of the Exchange Act), to designate NYSE Arca to receive and process
bids and offers and to execute orders on behalf of the NYSE. See
``NYSE Contingency Trading Plan in effect for Monday, October 29,
2012,'' (October 28, 2012) (``Market Operations Update''), available
at: http://markets.nyx.com/nyse/trader-updates/view/11503. The
Commission approved NYSE Rule 49 on December 16, 2009. See
Securities Exchange Act Release No. 61177 (December 16, 2009), 74 FR
68643 (December 28, 2009) (SR-NYSE-2009-105) (approving proposed
rule change by the NYSE relating to the designation of NYSE Arca as
the NYSE's alternative trading facility in an emergency).
\80\ See, e.g., ``A giant storm and the struggle over closing
Wall Street,'' October 31, 2012, available at:
http://www.reuters.com/article/2012/10/31/us-storm-sandy-nyse-insight-idUSBRE89T0F920121031.
See also, e.g., NYSE Closure Statement, supra note 78.
\81\ See, e.g., ``Storm Over Wall Street Going Dark,'' November
12, 2012, available at: http://www.tradersmagazine.com/news/storm-over-wall-street-going-dark-110526-1.html.
\82\ See id. See also http://www.sifma.org/services/bcp/industry-testing.
\83\ See id. and NYSE Floor Closure Statement, supra note 78.
---------------------------------------------------------------------------
II. Proposed Codification and Enhancement of ARP Inspection Program
In the Commission's view, the convergence of several developments--
the evolution of the markets to become significantly more dependent
upon sophisticated automated systems, the limitations of the existing
ARP Inspection Program, and the lessons of recent events--highlight the
need to consider an updated and formalized regulatory framework for
ensuring that the U.S. securities trading markets develop and maintain
systems with adequate capacity, integrity, resiliency, availability,
and security, and reinforce the requirement that such systems operate
in compliance with the Exchange Act. The Commission is proposing new
Regulation SCI because the Commission preliminarily believes that it
would further the goals of the national market system and reinforce
Exchange Act obligations to require entities important to the
functioning of the U.S. securities markets to carefully design,
develop, test, maintain, and surveil systems integral to their
operations.
Proposed Regulation SCI would replace the two ARP policy
statements. Although proposed Regulation SCI would codify in a
Commission rule many of the principles of the ARP policy statements
with which SROs and other participants in the ARP Inspection Program
are familiar, the proposed rule would apply to more entities than the
current ARP Inspection Program and would place obligations not
currently included in the ARP policy statements on entities subject to
the rule. Specifically, proposed Regulation SCI would apply to ``SCI
entities,'' a term that would include ``SCI SROs,'' ``SCI ATSs,''
``plan processors,'' and ``exempt clearing agencies subject to ARP.''\84\
---------------------------------------------------------------------------
\84\ Each of these terms is discussed in detail in Section
III.B.1 below.
---------------------------------------------------------------------------
Further, to help ensure that the proposed rule covers key systems
of SCI entities, the proposed rule would define (for purposes of
Regulation SCI) the term ``SCI systems'' to mean those systems of, or
operated by or on behalf of, an SCI entity that directly support
trading, clearance and settlement, order routing, market data,
regulation, or surveillance. In addition, the term ``SCI security
systems'' would include systems that share network resources with SCI
systems that, if breached, would be reasonably likely to pose a
security threat to such systems.\85\ The proposed rule also would
define several other terms intended to specify what types of systems
changes and problems (``SCI events'') the Commission considers to be
most significant and, therefore, preliminarily believes should be
covered by the proposed rule's requirements.
---------------------------------------------------------------------------
\85\ See infra Section III.B.2 for a discussion of the proposed
definitions of SCI systems and SCI security systems.
---------------------------------------------------------------------------
In addition, proposed Regulation SCI would specify the obligations
SCI entities would have with respect to covered systems and SCI events.
Specifically, proposed Regulation SCI would require that each SCI
entity: (1)
[[Page 18092]]
Establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems and, for purposes of
security standards, SCI security systems, have levels of capacity,
integrity, resiliency, availability, and security, adequate to maintain
the SCI entity's operational capability and promote the maintenance of
fair and orderly markets; (2) establish, maintain, and enforce written
policies and procedures reasonably designed to ensure that its SCI
systems operate in the manner intended; (3) respond to SCI events with
appropriate corrective action; (4) report SCI events to the Commission
and submit follow-up reports, as applicable; (5) disseminate
information regarding certain SCI events to members or participants of
the SCI entity; (6) report material systems changes to the Commission;
(7) conduct an SCI review of its systems not less than once each
calendar year; (8) submit certain periodic reports to the Commission,
including a report of the SCI review, together with any response by
senior management; (9) mandate participation by designated members or
participants in scheduled testing of the operation of the SCI entity's
business continuity and disaster recovery plans, including backup
systems, and coordinate such testing on an industry- or sector-wide
basis \86\ with other SCI entities; and (10) make, keep, and preserve
records relating to the matters covered by Regulation SCI, and provide
them to Commission representatives upon request. The proposal also
would require that an SCI entity submit all required written
notifications and reports to the Commission electronically using new
proposed Form SCI.
---------------------------------------------------------------------------
\86\ See infra Section III.C.7 for a discussion of the terms
industry-wide and sector-wide.
---------------------------------------------------------------------------
III. Proposed Regulation SCI
A. Overview
The purpose of proposed Regulation SCI is to enhance the
Commission's regulatory supervision of SCI entities and thereby further
the goals of the national market system by helping to ensure the
capacity, integrity, resiliency, availability, and security, and
enhance compliance with federal securities laws and regulations, of
automated systems relating to the U.S. securities markets through the
formalization of standards to which their automated systems would be
held, and a regulatory framework for ensuring more effective Commission
oversight of these systems. Proposed Rule 1000(a) sets forth several
definitions designed to establish the scope of the new rule. Proposed
Rule 1000(b) sets forth the obligations that would be imposed on SCI
entities with respect to systems and systems issues. Proposed Rules
1000(c)-(f) set forth recordkeeping and electronic filing requirements
and address certain other related matters.
B. Proposed Rule 1000(a): Definitions Establishing the Scope of
Regulation SCI
A series of definitions set forth in proposed Rule 1000(a) relate
to the scope of proposed Regulation SCI. These include the definitions
for ``SCI entity,'' ``SCI systems,'' ``SCI security systems,'' ``SCI
event,'' ``systems disruption,'' ``systems compliance issue,''
``systems intrusion,'' ``dissemination SCI event,'' and ``material
systems change.''
1. SCI Entities
Although the ARP policy statements are rooted in Exchange Act
requirements, the ARP Inspection Program has developed without the
promulgation of Commission rules applicable to SROs or plan processors.
Under the ARP Inspection Program, Commission staff conducts inspections
of SROs to assess the capacity, integrity, resiliency, availability,
and security of their systems. These inspections also have historically
included the systems of entities that process and disseminate quotation
and transaction data on behalf of the Consolidated Tape Association
System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''),
Joint Self-Regulatory Organization Plan Governing the Collection,
Consolidation, and Dissemination of Quotation and Transaction
Information for Nasdaq-Listed Securities Traded on Exchanges on an
Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options
Price Reporting Authority (``OPRA Plan'').\87\ The ARP Inspection
Program has also included one exempt clearing agency.\88\ Pursuant to
Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy
statements apply mandatorily to significant-volume ATSs, as they are
currently defined under Regulation ATS.\89\ However, because no ATSs
currently meet the significant-volume thresholds specified in Rule
301(b)(6) of Regulation ATS,\90\ compliance with the ARP Inspection
Program is not mandatory at this time for any ATS.\91\ Proposed
Regulation SCI would provide mandatory uniform requirements for ``SCI
entities.'' Proposed Rule 1000(a) would define ``SCI entity'' as an
``SCI self-regulatory organization, SCI alternative trading system,
plan processor, or exempt clearing agency subject to ARP.'' The
proposed rule also would define each of these terms for the purpose of
designating specifically the entities that the Commission preliminarily
believes should be subject to the rule.
---------------------------------------------------------------------------
\87\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each of
the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a
``national market system plan'' (``NMS Plan'') as defined under Rule
600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR
242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange
Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any
self-regulatory organization or securities information processor
acting as an exclusive processor in connection with the development,
implementation and/or operation of any facility contemplated by an
effective national market system plan.'' Section 3(a)(22)(B) of the
Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor''
to mean ``any securities information processor or self-regulatory
organization which, directly or indirectly, engages on an exclusive
basis on behalf of any national securities exchange or registered
securities association, or any national securities exchange or
registered securities association which engages on an exclusive
basis on its own behalf, in collecting, processing, or preparing for
distribution or publication any information with respect to (i)
transactions or quotations on or effected or made by means of any
facility of such exchange or (ii) quotations distributed or
published by means of any electronic system operated or controlled
by such association.''
As a processor involved in collecting, processing, and preparing
for distribution transaction and quotation information, the
processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and
OPRA Plan meets the definition of ``exclusive processor;'' and
because each acts as an exclusive processor in connection with an
NMS Plan, each also meets the definition of ``plan processor'' under
Rule 600(a)(55) of Regulation NMS, as well as proposed Rule 1000(a)
of Regulation SCI. For ease of reference, an NMS Plan having a
current or future ``plan processor'' is referred to herein as an
``SCI Plan.'' The Commission notes that not every processor of an
NMS Plan would be a ``plan processor,'' as proposed to be defined in
Rule 1000(a), and therefore not every processor of an NMS Plan would
be an SCI entity subject to the requirements of proposed Regulation
SCI. For example, the processor of the Symbol Reservation System
associated with the National Market System Plan for the Selection
and Reservation of Securities Symbols (File No. 4-533) would not be
a ``plan processor'' subject to Regulation SCI because it does not
meet the ``exclusive processor'' statutory definition, as it is not
involved in collecting, processing, and preparing for distribution
transaction and quotation information.
\88\ See infra notes 133-135 and accompanying text.
\89\ See 17 CFR 242.301(b)(6). See also supra note 26.
\90\ 17 CFR 242.301(b)(6).
\91\ One ATS currently participates voluntarily in the ARP
Inspection Program, though, in the past, other ATSs have also
participated in the ARP Inspection Program.
---------------------------------------------------------------------------
Proposed Rule 1000(a) would define the term ``SCI self-regulatory
organization.'' The definition of ``SCI self-regulatory organization,''
or ``SCI SRO,'' would be consistent with the definition of
``self-regulatory organization'' set forth in Section 3(a)(26) of the Exchange
Act,\92\ and
[[Page 18093]]
would cover all national securities exchanges registered under Section
6(b) of the Exchange Act,\93\ registered securities associations,\94\
registered clearing agencies,\95\ and the Municipal Securities
Rulemaking Board (``MSRB'').\96\ The definition would, however, exclude
an exchange that lists or trades security futures products that is
notice-registered with the Commission as a national securities exchange
pursuant to Section 6(g) of the Exchange Act, as well as any limited
purpose national securities association registered with the Commission
pursuant to Exchange Act Section 15A(k).\97\ Accordingly, the
definition of SCI SRO in proposed Rule 1000(a) would mandate that all
national securities exchanges registered under Section 6(b) of the
Exchange Act, all registered securities associations, all registered
clearing agencies, and the MSRB, comply with Regulation SCI.\98\
---------------------------------------------------------------------------
\92\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory
organization' means any national securities exchange, registered
securities association, or registered clearing agency, or (solely
for purposes of sections 19(b), 19(c), and 23(b) of this title) the
Municipal Securities Rulemaking Board established by section 15B of
this title.'' See infra note 96.
\93\ Currently, these registered national securities exchanges
are: (1) BATS; (2) BATS-Y; (3) BOX; (4) CBOE; (5) C2; (6) CHX; (7)
EDGA; (8) EDGX; (9) ISE; (10) MIAX; (11) Nasdaq OMX BX; (12) Nasdaq
OMX Phlx; (13) Nasdaq; (14) NSX; (15) NYSE; (16) NYSE MKT; and (17)
NYSE Arca.
\94\ FINRA is the only registered national securities
association.
\95\ Currently, there are seven clearing agencies (Depository
Trust Company (``DTC''); Fixed Income Clearing Corporation
(``FICC''); National Securities Clearing Corporation (``NSCC'');
Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear
Europe; and CME) with active operations that are registered with the
Commission. See also infra notes 133-135 and accompanying text. The
Commission notes that it recently adopted Rule 17Ad-22, which
requires registered clearing agencies to have effective risk
management policies and procedures in place. See Securities Exchange
Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2,
2012). Among other things, Rule 17Ad-22(d)(4) requires that
registered clearing agencies ``[i]dentify sources of operational
risk and minimize them through the development of appropriate
systems, controls, and procedures; implement systems that are
reliable, resilient and secure, and have adequate, scalable
capacity; and have business continuity plans that allow for timely
recovery of operations and fulfillment of a clearing agency's
obligations.'' In its adopting release, the Commission stated that
Rule 17Ad-22(d)(4) ``* * * complements the existing guidance
provided by the Commission in its Automation Review Policy
Statements and the Interagency White Paper on Sound Practices to
Strengthen the Resilience of the U.S. Financial System.'' Similarly,
the Commission preliminarily believes that proposed Regulation SCI,
to the extent it addresses areas of risk management similar to those
addressed by Rule 17Ad-22(d)(4), complements Rule 17Ad-22(d)(4). See
also infra note 203.
\96\ 15 U.S.C. 78c(a)(26). See also supra note 92. Historically,
the ARP Inspection Program has not included the MSRB, but instead
has focused on entities having trading, quotation and transaction
reporting, and clearance and settlement systems more closely
connected to the equities and options markets. In considering the
entities that should be subject to proposed Regulation SCI, the
Commission preliminarily believes that it would be appropriate to
apply proposed Regulation SCI to all SROs (subject to the exception
noted in infra note 97), of which the MSRB is one, particularly
given the fact that the MSRB is the only SRO relating to municipal
securities and is the sole provider of consolidated market data for
the municipal securities market. Specifically, in 2008, the
Commission amended Rule 15c2-12 to designate the MSRB as the single
centralized disclosure repository for continuing municipal
securities disclosure. In 2009, the MSRB established the Electronic
Municipal Market Access system (``EMMA''). EMMA now serves as the
official repository of municipal securities disclosure, providing
the public with free access to relevant municipal securities data,
and is the central database for information about municipal
securities offerings, issuers, and obligors. Additionally, the
MSRB's Real-Time Transaction Reporting System (``RTRS''), with
limited exceptions, requires municipal bond dealers to submit
transaction data to the MSRB within 15 minutes of trade execution,
and such near real-time post-trade transaction data can be accessed
through the MSRB's EMMA Web site. While pre-trade price information
is not as readily available in the municipal securities market, the
Commission's Report on the Municipal Securities Market also
recommends that the Commission and MSRB explore the feasibility of
enhancing EMMA to collect best bids and offers from material ATSs
and make them publicly available on fair and reasonable terms. See
Report on the Municipal Securities Market (July 31, 2012), available
at: http://www.sec.gov/news/studies/2012/munireport073112.pdf.
\97\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities
are security futures exchanges and the National Futures Association,
for which the CFTC serves as their primary regulator. The Commission
preliminarily believes that it would be appropriate to defer to the
CFTC regarding the systems integrity of these entities.
\98\ For any SCI SRO that is a national securities exchange, any
facility of such national securities exchange, as defined in Section
3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also would be
covered because such facilities are included within the definition
of ``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C.
78c(a)(1).
---------------------------------------------------------------------------
Proposed Rule 1000(a) would define the term ``SCI alternative
trading system,'' or ``SCI ATS,'' as an alternative trading system, as
defined in Sec. 242.300(a), which during at least four of the
preceding six calendar months, had: (1) With respect to NMS stocks--(i)
five percent or more in any single NMS stock, and 0.25 percent or more
in all NMS stocks, of the average daily dollar volume reported by an
effective transaction reporting plan, or (ii) one percent or more, in
all NMS stocks, of the average daily dollar volume reported by an
effective transaction reporting plan; (2) with respect to equity
securities that are not NMS stocks and for which transactions are
reported to a self-regulatory organization, five percent or more of the
average daily dollar volume as calculated by the self-regulatory
organization to which such transactions are reported; or (3) with
respect to municipal securities or corporate debt securities, five
percent or more of either--(i) the average daily dollar volume traded
in the United States, or (ii) the average daily transaction volume
traded in the United States.\99\
---------------------------------------------------------------------------
\99\ Proposed Regulation SCI includes specific quantitative
requirements, such as proposed Rule 1000(a), which would include
numerical thresholds in the definition of SCI ATS. The Commission
recognizes that the specificity of each such quantitative threshold
could be read by some to imply a definitive conclusion based on
quantitative analysis of that threshold and its alternatives. The
numerical thresholds in the definition of SCI ATS have not been
derived from econometric or mathematical models. Instead, they
reflect a preliminary assessment by the Commission, based on
qualitative and some quantitative analysis, of the likely economic
consequences of the specific quantitative thresholds proposed to be
included in the definition. There are a number of challenges
presented in conducting such a quantitative analysis in a robust
fashion as discussed in this section. Accordingly, the selection of
the particular quantitative thresholds for the definition of SCI ATS
reflects a qualitative and preliminary quantitative assessment by
the Commission regarding the appropriate thresholds. In making such
assessments and, in turn, selecting the proposed quantitative
thresholds, the Commission has reviewed data from OATS and other
sources. The Commission emphasizes that it invites comment,
including relevant data and analysis, regarding all aspects of the
various quantitative standards reflected in the proposed rules.
---------------------------------------------------------------------------
As proposed, ATSs would be covered if they met the proposed
thresholds for at least four of the preceding six months, which the
Commission preliminarily believes is an appropriate time period over
which to evaluate the trading volume of an ATS.\100\ The Commission
preliminarily believes that this time period would help ensure that the
standards are not so low as to capture ATSs whose volume would still be
considered relatively low, but, for example, that may have had an
anomalous increase in trading on a given day or small number of days.
---------------------------------------------------------------------------
\100\ The proposed measurement period would remain unchanged
from the period currently in Rule 301(b)(6) of Regulation ATS.
---------------------------------------------------------------------------
The proposed definition would modify the thresholds currently
appearing in Rule 301(b)(6) of Regulation ATS that apply to
significant-volume ATSs.\101\ Specifically, the proposed definition
would: Use average daily dollar volume thresholds, instead of an
average daily share volume threshold, for ATSs that trade NMS stocks or
equity securities that are not NMS stocks (``non-NMS stocks''); use
alternative average daily dollar and transaction volume-based tests for
ATSs that trade municipal securities or corporate debt securities;
lower the volume thresholds applicable to ATSs for each category of
asset class; and move the proposed thresholds to Rule 1000(a) of
proposed Regulation SCI. In particular, with respect to NMS stocks, the
Commission proposes to
[[Page 18094]]
change the volume threshold from 20 percent of average daily volume in
any NMS stock such that an ATS that trades NMS stocks that meets either
of the following two alternative threshold tests would be subject to
the requirements of proposed Regulation SCI: (i) Five percent or more
in any NMS stock, and 0.25 percent or more in all NMS stocks, of the
average daily dollar volume reported by an effective transaction
reporting plan; or (ii) one percent or more, in all NMS stocks, of the
average daily dollar volume reported by an effective transaction
reporting plan. This change is designed to ensure that proposed
Regulation SCI is applied to an ATS that could have a significant
impact on the NMS stock market as a whole, as well as an ATS that could
have a significant impact on a single NMS stock and some impact on the
NMS stock market as a whole at the same time.\102\ Specifically, by
imposing both a single NMS stock threshold and an all NMS stocks
threshold in (i) above, proposed Regulation SCI would not apply to an
ATS that has a large volume in a small NMS stock and little volume in
all other NMS stocks. Based on data collected from FINRA's Order Audit
Trail System (``OATS data'') for one week of trading in May 2012,\103\
the Commission preliminarily believes that approximately 10 ATSs
trading NMS stocks would exceed the proposed thresholds and fall within
the definition of SCI entity, accounting for approximately 87 percent
of the dollar volume market share of all ATSs trading NMS stocks.
---------------------------------------------------------------------------
\101\ 17 CFR 242.301(b)(6). See also supra note 26.
\102\ Under the proposed thresholds, inactive ATSs would not be
included in the definition of SCI ATS.
The Commission has considered barriers to entry and the
promotion of competition in setting the threshold (see discussion at
infra Section V.C.4.b) such that new ATSs trading NMS stocks would
be able to commence operations without, at least initially, being
required to comply with--and thereby not incurring the costs
associated with--proposed Regulation SCI. If the proposed thresholds
are adopted, a new ATS could engage in limited trading in any one
NMS stock or all NMS stocks, until it reached an average daily
dollar volume of five percent or more in any one NMS stock and 0.25
percent or more in all NMS stocks, or one percent in all NMS stocks,
over four of the preceding six months. Because a new ATS could begin
trading in NMS stocks for at least three months (i.e., less than
four of the preceding six months), and conduct such trading at any
dollar volume level without being subject to proposed Regulation
SCI, and would have to exceed the specified volume levels for the
requisite period to become so subject, the Commission preliminarily
believes that these proposed thresholds should not prevent a new ATS
entrant from having the opportunity to initiate and develop its
business.
\103\ Commission staff analyzed OATS data for the week of May 7-
11, 2012, a week with average market activity and no holidays or
shortened trading days, and thus intended to be a representative
trading week. However, because the OATS data analysis does not
consider trading volume over a six-month period and does not base
the threshold test on four out of the preceding six calendar months
as prescribed in proposed Rule 1000(a), it may overestimate the
number of ATSs that would meet the proposed thresholds. For example,
a large block trade during a single week could skew an ATS's numbers
upward from what would be observed over the course of the four
months with the highest volumes during a six-month period,
particularly with respect to the proposed single-stock threshold. In
addition, because the OATS data does not identify all ATSs and does
not identify some ATSs uniquely, some ATSs may not be accounted for
in the estimated number of ATSs that would meet the proposed
threshold. Nevertheless, the Commission believes the analysis of
OATS data offers useful insights.
---------------------------------------------------------------------------
The Commission notes that its analysis of the OATS data does not
reveal an obvious threshold level above which a particular subset of
ATSs may be considered to have a significant impact on individual NMS
stocks or the overall market, as compared to another subset of ATSs.
The Commission preliminarily believes that inclusion of the proposed
dual dollar volume threshold is appropriate to help prevent an ATS from
avoiding the requirements of proposed Regulation SCI by circumventing
one of the two threshold tests. The Commission also preliminarily
believes that a threshold that accounts for 87 percent of the dollar
volume market share of all ATSs trading NMS stocks is a reasonable
level that would not exclude new entrants to the ATS market.\104\
Moreover, the Commission preliminarily believes the proposed thresholds
would appropriately include ATSs having NMS stock dollar volume
comparable to the NMS stock dollar volume of the equity exchanges that
are SCI SROs and therefore covered by proposed Regulation SCI.\105\
---------------------------------------------------------------------------
\104\ The Commission preliminarily believes that the remaining
13 percent of the dollar volume of all ATSs trading NMS stocks is
limited to trading conducted on small and new ATSs. See also supra
note 102.
\105\ For example, based on trade and quotation data published
by NYSE Euronext for the period July 1, 2012 through December 31,
2012, the national securities exchanges with the smallest market
shares in NMS stocks (based on average daily dollar volume) had
market shares slightly above and, in one case, below, the proposed
0.25 percent threshold in all NMS stocks (the market shares of CBOE,
NSX, and NYSE MKT were approximately 0.44 percent, 0.27 percent, and
0.06 percent, respectively). Further, all national securities
exchanges that trade NMS stocks had at least 5 percent or more of
the average daily dollar volume in at least one NMS stock, with most
exceeding such threshold for multiple NMS stocks.
---------------------------------------------------------------------------
Since the time that the Commission originally adopted Regulation
ATS, the equity markets have evolved significantly, resulting in an
increase in the number of trading centers and a reduction in the
concentration of trading activity.\106\ As such, even smaller trading
centers, such as certain ATSs, now collectively represent a significant
source of liquidity for NMS stocks and, by comparison, no single
registered securities exchange executes more than 20 percent of volume
in NMS stocks.\107\ Given these developments in market structure, the
Commission preliminarily believes that setting the average daily dollar
volume threshold for NMS stocks at five percent in any NMS stock and
0.25 percent in all NMS stocks, or one percent in all NMS stocks, is
appropriate to help ensure that entities that have determined to
participate (in more than a limited manner) in the national market
system as markets that bring buyers and sellers together are subject
to the requirements of proposed Regulation SCI. In addition, the
Commission preliminarily believes that it is appropriate to propose
average daily dollar volume thresholds for NMS stocks, rather than
average daily share volume thresholds, because, by using dollar volume,
the price level of a stock will not skew an ATS's inclusion or
exclusion from the definition of SCI entity, as may be the case when
using share volume, and the use of dollar thresholds may better reflect
the economic impact of trading activity.\108\
---------------------------------------------------------------------------
\106\ See supra notes 47-51 and accompanying text.
\107\ See supra note 47.
\108\ For example, if a threshold is based on the average daily
share volume in all NMS stocks, an ATS that transacts in a stock
that has recently been through a stock split could experience a
significant increase in its share volume (or, for reverse stock
splits, a decrease in its share volume), whereas the dollar value
transacted would remain the same.
---------------------------------------------------------------------------
In sum, the Commission preliminarily believes that the proposed
dollar volume thresholds for NMS stocks would further the goals of the
national market system by ensuring that ATSs that meet the thresholds
are subject to the same baseline standards as other SCI entities for
systems capacity, integrity, resiliency, availability, and security.
With respect to non-NMS stocks, municipal securities, and corporate
debt securities, the Commission is proposing to lower the current
thresholds in Rule 301(b)(6) of Regulation ATS. Specifically, the
Commission is proposing to reduce the standard from 20 percent to five
percent for these types of securities,\109\ the same percentage
threshold for such types of securities that triggers the fair access
provisions of Rule 301(b)(5) of Regulation ATS.\110\ The Commission
preliminarily believes that ATSs that trade non-NMS stocks, municipal
securities, and corporate debt securities above the proposed
[[Page 18095]]
thresholds are those that play a significant role in the market for
such securities and thus preliminarily believes that the proposed
thresholds are appropriately designed.
---------------------------------------------------------------------------
\109\ See proposed Rule 1000(a). As discussed in this Section
III.B.1, the thresholds in proposed Rule 1000(a) would be based on
average daily dollar or transaction volume.
\110\ See Rule 301(b)(5) of Regulation ATS under the Exchange
Act. 17 CFR 242.301(b)(5).
---------------------------------------------------------------------------
With respect to non-NMS stocks for which transactions are reported
to a self-regulatory organization, the Commission proposes to lower the
threshold to five percent or more of the average daily dollar volume as
calculated by the self-regulatory organization to which such
transactions are reported. Using data from the first six months of
2012, the Commission believes that an ATS executing transactions in
non-NMS stocks at a level exceeding five percent of the average daily
dollar volume traded in the United States would be executing trades at
a level exceeding $31 million daily.\111\ Based on data collected from
Form ATS-R for the second quarter of 2012, the Commission estimates
that two ATSs would exceed this threshold and fall within the
definition of SCI entity. The Commission requests comment on the
accuracy of these estimates.
---------------------------------------------------------------------------
\111\ Source: Data provided by OTC Markets.
---------------------------------------------------------------------------
With respect to municipal securities and corporate debt securities,
the Commission proposes to lower the threshold to five percent or more
of either: (i) The average daily dollar volume \112\ traded in the
United States; or (ii) the average daily transaction volume traded in
the United States. The Commission preliminarily believes that this two-
pronged threshold is appropriate for the debt market, as it should
capture both ATSs that are focused on retail orders and facilitate a
relatively greater number of trades with relatively lower dollar
values, as well as those ATSs that are focused on institutional orders
and facilitate a relatively lower number of trades with relatively
greater dollar values. The Commission preliminarily believes that both
of these thresholds are important in identifying ATSs that play a
significant role in the debt markets for executing both retail- and
institutional-sized trades.\113\
---------------------------------------------------------------------------
\112\ As with the proposed measures for ATSs that trade NMS
stocks or non-NMS stocks, the Commission is proposing to use average
daily dollar volume for debt securities, which the Commission
preliminarily believes is the measure most commonly used when
analyzing daily trading volume in the debt markets.
\113\ Most corporate and municipal bond trades are small (i.e.,
less than $100,000), but small trades do not account for most of the
dollar volume in these markets. See, e.g., Edwards, Amy K., Harris,
Lawrence and Piwowar, Michael S., Corporate Bond Market Transaction
Costs and Transparency, Journal of Finance, Vol. 62, No. 3 (June
2007) and Lawrence E. Harris and Michael S. Piwowar, Secondary
Trading Costs in the Municipal Bond Market, J. Fin. (June 2006). An
ATS that specializes in large trades may account for a small portion
of the trades but a large portion of the dollar volume. Likewise, an
ATS that specializes in small trades may account for a small portion
of the dollar volume but a large portion of the trades. Therefore, a
systems disruption, systems compliance issue, or systems intrusion
in either of these ATS types could potentially disrupt a large
portion of the market.
As the Commission stated in the ATS Release, ``many of the same
concerns about the trading of equity securities on alternative
trading systems apply equally to the trading of fixed income
securities on alternative trading systems. Specifically, it is
important that markets with significant portions of the volume in
particular instruments have adequate systems capacity, integrity,
and security, regardless of whether those instruments are equity
securities or debt securities. Similarly, as electronic systems for
debt grow, it will become increasingly important for the fair
operation of our markets for market participants to have fair access
to significant market centers in debt securities. One of the
consequences of the growing role of alternative trading systems in
the securities markets generally is that debt securities are
increasingly being traded on these systems, similar to the way
equity securities are traded.'' See ATS Release, supra note 2, at
70862.
---------------------------------------------------------------------------
Using data from the first six months of 2012, the Commission
believes that an ATS executing transactions in municipal securities at
a level exceeding five percent of the average daily dollar volume
traded in the United States would be executing trades at a level of at
least approximately $550 million daily,\114\ and that an ATS executing
transactions in municipal securities at a level exceeding five percent
of the average daily transaction volume traded in the United States
would be executing an average of at least approximately 1,900
transactions daily.\115\ Based on data collected from Form ATS-R for
the second quarter of 2012, the Commission preliminarily believes that
currently no ATSs executing transactions in municipal securities would
exceed the proposed average daily dollar volume threshold and fall
within the definition of SCI entity pursuant to that proposed prong.
ATSs are not required to report transaction volume data for municipal
securities on Form ATS-R. However, based on discussions with industry
sources, the Commission preliminarily believes that three ATSs
executing transactions in municipal securities would likely exceed the
proposed average daily transaction volume threshold.\116\ The
Commission requests comment on the accuracy of these estimates.
---------------------------------------------------------------------------
\114\ For the period of January 1, 2012 to June 30, 2012, the
average daily dollar volume of trades was over $11 billion. See
http://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed
January 30, 2013). Five percent of this amount is approximately $550
million.
\115\ For the period of January 1, 2012 to June 30, 2012, the
average daily transaction volume was approximately 39,000. See
http://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed
January 30, 2013). Five percent of this amount is approximately
1,900 trades.
\116\ See, e.g., the Commission's Report on the Municipal
Securities Market, supra note 96 at n.715. The Commission
preliminarily believes that the three ATSs that would likely exceed
the proposed average daily transaction volume threshold for
municipal securities are the same three ATSs that would likely
exceed the corresponding threshold for corporate debt securities.
See infra note 119.
---------------------------------------------------------------------------
Using data from the first six months of 2012, the Commission
believes that an ATS executing transactions in corporate debt at a
level exceeding five percent of the average daily dollar volume traded
in the United States would be executing trades at a level of at least
approximately $900 million daily,\117\ and that an ATS executing
transactions in corporate debt at a level exceeding five percent of the
average daily transaction volume traded in the United States would be
executing an average of at least approximately 2,100 transactions
daily.\118\ Based on data collected from Form ATS-R for the second
quarter of 2012, the Commission preliminarily believes that currently
no ATSs executing transactions in corporate debt would exceed the
proposed average daily dollar volume threshold and fall within the
definition of SCI entity pursuant to that proposed prong. ATSs are not
required to report transaction volume data for corporate debt on Form
ATS-R. However, based on discussions with industry sources, the
Commission preliminarily believes that three ATSs executing
transactions in corporate debt would likely exceed the proposed average
daily transaction volume threshold.\119\ The Commission requests
comment on the accuracy of these estimates.
---------------------------------------------------------------------------
\117\ For the period of January to June 2012, the average daily
dollar volume was approximately $18 billion. Five percent of this
amount is approximately $900 million. See U.S. Bond Market Trading
Volume, available at: http://www.sifma.org/research/statistics.aspx.
\118\ Source: Corporate bond transactions reported to TRACE from
January through June 2012, excluding instruments subject to Rule
144A and April 6, 2012 (short trading day).
\119\ As noted above, the Commission preliminarily believes that
the three ATSs that would likely exceed the proposed average daily
transaction volume threshold for corporate debt securities are the
same three ATSs that would likely exceed the corresponding threshold
for municipal securities. See supra note 116.
---------------------------------------------------------------------------
The Commission is proposing these numerical thresholds as a
preliminary best estimate of when a market is of sufficient
significance to the trading of the relevant asset class (i.e., NMS
stocks, non-NMS stocks, municipal securities, and corporate debt
securities) as to warrant the protections and obligations of proposed
Regulation SCI. As noted
[[Page 18096]]
above,\120\ the numerical thresholds in the definition of SCI ATS have
not been derived from econometric or mathematical models. Instead, they
reflect a preliminary assessment by the Commission, based on
qualitative and some quantitative analysis, of the likely economic
consequences of the specific quantitative thresholds proposed to be
included in the definition. The Commission recognizes that there may
reasonably be differing views as to what the threshold levels for
inclusion should be and thus the Commission solicits comment on the
appropriateness of the proposed threshold levels.
---------------------------------------------------------------------------
\120\ See supra note 99.
---------------------------------------------------------------------------
The Commission recognizes that it is proposing numerically higher
thresholds for non-NMS stocks, municipal securities, and corporate debt
securities as compared to NMS stocks (five percent, as compared to one
percent in all NMS stocks). While the Commission preliminarily believes
that similar concerns about the trading of NMS stocks on ATSs apply to
the trading of non-NMS stocks and debt securities on ATSs (namely, that
markets with significant portions of the volume in particular
instruments have adequate systems capacity, integrity, resiliency,
availability, and security), the Commission notes that it has
traditionally provided special safeguards with regard to NMS stocks in
its rulemaking efforts relating to market structure.\121\
---------------------------------------------------------------------------
\121\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities
Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29,
2005).
---------------------------------------------------------------------------
Further, in part due to the greater availability of, and reliance
on, electronic trading for NMS stocks, the trading of such securities
is generally more accessible to a wider range of investors and has
resulted in increases in electronic trading volumes relative to 15
years ago, as compared to other markets, such as the debt markets,
which still largely rely on manual trading. Because the degree of
automation and electronic trading is generally lower in markets that
trade non-NMS stocks and debt securities than in the markets that trade
NMS stocks, the Commission preliminarily believes that a systems issue
at an SCI entity that trades non-NMS stocks or debt securities would
not have as significant an impact as readily as a systems issue at an
SCI entity that trades NMS stocks. Therefore, the Commission
preliminarily believes there is less need in the markets for those
securities for more stringent thresholds that would trigger the
requirements of proposed Regulation SCI.\122\ For example, the most
recent widely publicized issues involving systems problems and
disruptions in the securities markets have generally all been related
to NMS stocks.\123\ The Commission also believes that imposition of a
threshold that is set too low in markets that lack automation could
have the unintended effects of discouraging automation in these markets
and discouraging new entrants into these markets. For these reasons,
the Commission preliminarily believes that it is appropriate at this
time to apply a different threshold to ATSs trading NMS stocks than
those ATSs trading non-NMS stocks, municipal securities, and corporate
debt securities.
---------------------------------------------------------------------------
\122\ See also discussion in infra Section V.C.3.c.
\123\ See, e.g., supra notes 61-66 and accompanying text.
---------------------------------------------------------------------------
Under proposed Rule 1000(a), the term ``plan processor'' would have
the meaning set forth in Rule 600(b)(55) of Regulation NMS, which
defines ``plan processor'' as ``any self-regulatory organization or
securities information processor acting as an exclusive processor in
connection with the development, implementation and/or operation of any
facility contemplated by an effective national market system plan.''
\124\ As noted above, the ARP Inspection Program has developed to
include the systems of the plan processors of the four current SCI
Plans.\125\ Any entity selected as the processor of an SCI Plan is
responsible for operating and maintaining computer and communications
facilities for the receipt, processing, validating, and dissemination
of quotation and/or last sale price information generated by the
members of such plan.\126\ Although an entity selected as the processor
of an SCI Plan acts on behalf of a committee of SROs, such entity is
not required to be an SRO, nor is it required to be owned or operated
by an SRO.\127\ The Commission believes, however, that the systems of
such entities, because they deal with key market data, form the ``heart
of the national market system,'' \128\ and should be subject to the
same systems standards as SCI SROs, and proposes to include ``plan
processors'' in the definition of SCI entity.\129\
---------------------------------------------------------------------------
\124\ See 17 CFR 242.600(b)(55).
\125\ See supra note 87, defining the term ``SCI Plan'' and
discussing plan processors.
\126\ See, e.g., CTA Plan Section V(d) and CQS Plan Section
V(d), available at: http://www.nyxdata.com/cta; see also OPRA Plan,
Section V, available at: http://www.opradata.com/pdf/opra_plan.pdf;
and Nasdaq UTP Plan Section IV, available at: http://www.utpplan.com.
\127\ Pursuant to Section 11A of the Exchange Act (15 U.S.C.
78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609),
such entities, as ``exclusive processors,'' are required to register
with the Commission as securities information processors on Form
SIP. See 17 CFR 249.1001 (Form SIP, application for registration as
a securities information processor or to amend such an application
or registration).
\128\ See Concept Release on Equity Market Structure, supra note
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93
(1975)).
\129\ See supra note 87.
---------------------------------------------------------------------------
Pursuant to its terms, each SCI Plan is required to periodically
review its selection of its processor, and may in the future select a
different processor for the SCI Plan than its current processor.\130\
The proposed inclusion of ``plan processors'' in the definition of SCI
entity is designed to ensure that the processor for an SCI Plan,
regardless of its identity, is independently subject to the
requirements of proposed Regulation SCI. Thus, the proposed definition
would cover any entity selected as the processor for a current or
future SCI Plan.\131\ The Commission preliminarily believes that it is
important for such plan processors to be subject to the requirements of
proposed Regulation SCI because of the important role they serve in the
national market system: Operating and maintaining computer and
communications facilities for the receipt, processing, validating, and
dissemination of quotation and/or last sale price information generated
by the members of the plan.\132\
---------------------------------------------------------------------------
\130\ See CTA Plan Section V(d) and CQS Plan Section V(d),
available at: http://www.nyxdata.com/cta; OPRA Plan Section V,
available at: http://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq
UTP Plan Section V, available at: http://www.utpplan.com.
\131\ Currently, the Securities Industry Automation Corporation
(``SIAC'') is the processor for the CTA Plan, CQS Plan, and OPRA
Plan and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is
wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered
with the Commission as securities information processors, as
required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k-
1(b)(1), and in accordance with Rule 609 of Regulation NMS
thereunder, 17 CFR 242.609. The Commission preliminarily believes
that the proposed definition of plan processor also would include
any entity selected and acting as exclusive processor of a future
NMS plan, such as that contemplated by the Commission's rules to
create a consolidated audit trail. See Securities Exchange Act Release No.
67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (``Consolidated
Audit Trail Adopting Release'').
\132\ See supra note 126 and accompanying text.
---------------------------------------------------------------------------
Under proposed Rule 1000(a), the term ``exempt clearing agency
subject to ARP'' would mean ``an entity that has received from the
Commission an exemption from registration as a clearing agency under
Section 17A of the Act, and whose exemption contains conditions that
relate to the Commission's Automation Review Policies, or any
Commission regulation that supersedes or replaces such policies.'' This
proposed definition of
[[Page 18097]]
``exempt clearing agency subject to ARP'' presently would apply to one
entity, Global Joint Venture Matching Services--US, LLC
(``Omgeo'').\133\
---------------------------------------------------------------------------
\133\ On April 17, 2001, the Commission issued an order granting
Omgeo an exemption from registration as a clearing agency subject to
certain conditions and limitations in order that Omgeo might offer
electronic trade confirmation and central matching services. See
Global Joint Venture Matching Services--US, LLC; Order Granting
Exemption from Registration as a Clearing Agency, Securities
Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April
23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the
Commission granted it an exemption from clearing agency
registration, Omgeo is not a self-regulatory organization. See id.
at 20498, n.41.
---------------------------------------------------------------------------
Among the operational conditions required by the Commission in the
Omgeo Exemption Order were several that directly related to the ARP
policy statements.\134\ For the same reasons that it required Omgeo to
abide by the conditions relating to the ARP policy statements set forth
in the Omgeo Exemption Order, the Commission preliminarily believes it
would be appropriate that Omgeo (or any similarly situated exempt
clearing agency) should be subject to the requirements of proposed
Regulation SCI, and thus is proposing to include any ``exempt clearing
agency subject to ARP'' as explained above, within the definition of
SCI entity.\135\
---------------------------------------------------------------------------
\134\ These conditions required Omgeo to, among other things:
Provide the Commission with an audit report addressing all areas
discussed in the Commission ARP policy statements; provide annual
reports prepared by competent, independent audit personnel in
accordance with the annual risk assessment of the areas set forth in
the ARP policy statements; report all significant systems outages to
the Commission; provide advance notice of any material changes made
to its electronic trade confirmation and central matching services;
and respond and require its service providers to respond to requests
from the Commission for additional information relating to its
electronic trade confirmation and central matching services, and
provide access to the Commission to conduct inspections of its
facilities, records and personnel related to such services. See id.
\135\ In the Omgeo Exemption Order, the Commission stated that,
``[b]ecause these conditions are designed to promote
interoperability, the Commission intends to require substantially
the same conditions of other Central Matching Services that obtain
an exemption from registration as a clearing agency.'' See id.
---------------------------------------------------------------------------
Request for Comment
1. The Commission requests comment generally on the proposed
definition of SCI entity and its constituent parts. Do commenters
believe that entities of the type that would satisfy the proposed
definition of SCI entity play significant roles in the U.S. securities
markets such that they should be subject to proposed Regulation SCI?
Why or why not?
2. Do commenters believe the scope of the proposed definition of
SCI SRO is appropriate? Does the proposed definition of SCI SRO include
types of entities that should not be subject to the proposed
requirements, or exclude types of entities that should be subject to
the proposed requirements? If so, please identify such types of
entities and explain why they should or should not be included in the
definition of SCI entity or SCI SRO. Should the definition of ``SCI
self-regulatory organization'' include exchanges notice-registered with
the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose
national securities association registered with the Commission pursuant
to 15 U.S.C. 78o-3(k)? Do commenters believe that it is appropriate to
defer to the CFTC regarding the systems compliance and integrity of
such entities? Why or why not?
3. Do commenters believe that the proposed definition of ``SCI
alternative trading system'' is appropriate? Why or why not? Do
commenters believe that the proposed volume thresholds for the
different asset classes under the proposed definition of SCI ATS are
appropriate? Specifically, are the proposed average daily dollar volume
thresholds of five percent or more in any NMS stock and 0.25 percent or
more in all NMS stocks, or one percent or more in all NMS stocks,
appropriate? Would higher or lower daily dollar volume thresholds for
NMS stocks be more appropriate? \136\ Please explain and provide data
in support. Alternatively, would a different threshold measurement be
more appropriate (e.g., transaction volume, share volume, etc.)? If so,
which and at what threshold level? \137\ Please explain and provide
data in support.
---------------------------------------------------------------------------
\136\ For example, based on data from FINRA's Order Audit Trail
System, if the threshold were instead to be set at five percent or
more in any NMS stock and 0.5 percent or more in all NMS stocks, the
Commission preliminarily estimates that approximately nine ATSs
would satisfy the thresholds, accounting for approximately 84
percent of the dollar-volume market share of all ATSs trading NMS
stocks (i.e., not including NMS stocks traded on SROs). If the
threshold were instead to be set at five percent or more in any NMS
stock and one percent or more in all NMS stocks, the Commission
preliminarily estimates that approximately three ATSs would satisfy
the thresholds, accounting for approximately 38 percent of the
market share. Further, if the threshold were instead to be set at
0.25 percent in all NMS stocks, the Commission preliminarily
estimates that approximately ten ATSs would satisfy the threshold.
If the threshold were instead to be set at 0.5 percent in all NMS
stocks, the Commission preliminarily estimates that approximately
nine ATSs would satisfy the threshold.
\137\ For example, based on data collected from Form ATS-R for
the second quarter of 2012 and consolidated NMS stock share volume
from the first six months of 2012, if the threshold were instead to
be set at 0.25 percent of average daily NMS stock consolidated share
volume, the Commission preliminarily estimates that approximately 15
ATSs would satisfy the threshold, accounting for approximately 14
percent of the total average daily consolidated share volume. If the
threshold were instead to be set at 0.5 percent of average daily NMS
stock consolidated share volume, the Commission preliminarily
estimates that approximately 12 ATSs would satisfy the threshold,
accounting for approximately 13 percent of the total average daily
consolidated share volume. If the threshold were instead to be set
at one percent of average daily NMS stock consolidated share volume,
the Commission preliminarily estimates that approximately 6 ATSs
would satisfy the threshold, accounting for approximately nine
percent of the total average daily consolidated share volume. Based
on consolidated NMS stock share volume from the first six months of
2012, the Commission estimates that the equity securities exchanges
with the smallest volume each account for approximately 0.2 percent
to 0.4 percent of the total average daily consolidated share volume.
---------------------------------------------------------------------------
4. The Commission notes that, unlike the threshold levels
applicable to NMS stocks currently in Rule 301(b)(6) of Regulation ATS,
the proposed thresholds for NMS stocks are based on average daily
dollar volume in an individual NMS stock and/or all NMS stocks. Do
commenters believe that these are appropriate standards? Why or why
not? If not, what should be the appropriate standard, and why? Do
commenters believe the proposed thresholds of five percent or more in
any NMS stock and 0.25 percent or more in all NMS stocks would prevent
a situation in which an ATS that has a large volume in one NMS stock
and little volume in other NMS stocks would be covered by proposed
Regulation SCI? How common is it for an ATS to trade illiquid NMS
stocks without also trading more liquid NMS stocks? Please provide any
data relevant to this question.
5. Should the SCI ATS thresholds be triggered only with respect to
certain NMS stocks, for example, only with respect to the most liquid
NMS stocks? If so, how should the Commission define the ``most liquid''
NMS stocks? For example, should the thresholds be triggered only for
the 500 most liquid NMS stocks? The 100 most liquid NMS stocks? Another
amount? Why or why not? Please describe your reasoning. Further, what
would be the appropriate threshold measurement (e.g., average daily
share volume, average daily dollar volume, or another measurement)?
Please explain.
6. Is the proposed five percent threshold level appropriate for
non-NMS stocks, municipal securities (approximately $550 million in
daily dollar volume or 1,900 in daily transaction volume based on data
from the first six months of 2012), and corporate debt securities
(approximately $900 million in daily dollar volume or 2,100 in daily
transaction volume based
[[Page 18098]]
on data from the first six months of 2012)? Why or why not? Please
explain and provide data in support. If not, what should be the
appropriate thresholds and why?
7. As with NMS stocks, the proposed five percent thresholds for
non-NMS stocks are to be calculated by reference to daily dollar
volume, though the proposed threshold would only be with reference to
all such stocks (as opposed to average daily dollar volume in
individual NMS stocks and/or all NMS stocks). Do commenters believe
that this is the appropriate standard for non-NMS stocks? Why or why
not?
8. Do commenters agree with the Commission's assessment that there
is less automation among markets that trade non-NMS stocks, municipal
securities, and corporate debt securities as compared to markets that
trade NMS stocks? Why or why not? What is the current level of
automation in these markets?
9. Do commenters believe that there should be different thresholds
for NMS stocks than non-NMS stocks, municipal securities, and corporate
debt securities? Why or why not? Do commenters believe that the
proposed two-pronged thresholds are appropriate for municipal
securities and corporate debt securities? Why or why not? Would the
proposed two-pronged approach be relevant or appropriate for securities
other than municipal and corporate debt securities? Why or why not?
10. Do commenters believe that the Commission's estimates of the
current number of ATSs that would meet the proposed thresholds are
accurate? Why or why not? If not, please provide any data or estimates
that commenters believe would more accurately reflect the number of
ATSs that would meet the proposed thresholds.
11. The Commission is also considering whether it should instead
adopt a definition for SCI ATS that is based solely on a single type of
threshold measurement (such as average daily dollar volume), which
would be simpler and provide consistency across different asset
classes, rather than the differing types of threshold tests for NMS
stocks, non-NMS stocks, municipal securities, and corporate debt
securities currently proposed. In particular, the Commission is
considering whether it would be appropriate to solely use a threshold
based on a percentage of average daily dollar volume for all asset
classes. Would a threshold based on a percentage of average daily
dollar volume be an appropriate single measure that the Commission
should use for all asset classes (i.e., NMS stocks, non-NMS stocks,
municipal securities, and corporate debt securities) within the
definition of SCI ATS? Why or why not? If so, would it be appropriate
for the Commission to adopt the same dollar volume threshold
measurement that applies for all of the asset classes? Why or why not?
Please explain. If so, what would be an appropriate threshold
measurement? For example, would five percent of the asset class's total
average daily dollar volume be appropriate? Should the measurement be
higher or lower? Please be specific and explain. Or, rather than a
threshold measurement that is based on a percentage of the asset
class's total average daily dollar volume, would a fixed average daily
dollar volume threshold, such as $500 million, be appropriate? If so,
should such a threshold be higher or lower than $500 million? Why or
why not? Should such a fixed dollar threshold be different for
different asset classes? Why or why not? If so, what should such
thresholds be for each asset class? Please be specific. What are the
advantages and disadvantages of a percentage-based threshold versus a
fixed dollar threshold? Please explain.
12. Would it be appropriate for the Commission to adopt a single
dollar volume threshold measurement that applies across all asset
classes? For example, if an ATS trades both municipal securities and
corporate debt securities, should its trading volume in both asset
classes be aggregated to determine whether it exceeded the threshold
measurement? Why or why not?
13. The proposed SCI ATS thresholds are to be calculated by
reference to executions ``during at least four of the preceding six
calendar months,'' the measurement period and method that is currently
used in Regulation ATS. Do commenters believe this is the appropriate
time frame and method to be included in Regulation SCI? Why or why not?
If not, is there a more appropriate approach? If so, what should it be
and why?
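To make the two-pronged NMS-stock test and the four-of-six-month measurement period discussed in questions 4 and 13 concrete, here is an added Python example; it is not part of the proposing release or the Commission's rule text. It assumes the conjunctive reading that question 4 implies (five percent or more in some single NMS stock and 0.25 percent or more in all NMS stocks, both measured as a share of average daily dollar volume), assumes that each calendar month is tested separately and counted toward the four-of-six requirement, and uses constructed volume figures rather than market data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Threshold parameters as described in the proposal text. The conjunctive
# reading of the two NMS-stock prongs is an assumption drawn from question 4.
ANY_STOCK_PCT = 5.0       # five percent or more in any single NMS stock
ALL_STOCKS_PCT = 0.25     # 0.25 percent or more in all NMS stocks
LOOKBACK_MONTHS = 6       # "the preceding six calendar months"
MONTHS_REQUIRED = 4       # "during at least four of" those months


@dataclass
class MonthVolume:
    """Average daily dollar volume for one calendar month (constructed sample data).

    ats_by_symbol:          the ATS's own average daily dollar volume per NMS stock
    consolidated_by_symbol: consolidated (all-venue) average daily dollar volume per NMS stock
    """
    month: str
    ats_by_symbol: Dict[str, float]
    consolidated_by_symbol: Dict[str, float]


def stock_shares(m: MonthVolume) -> Dict[str, float]:
    """Percentage of consolidated dollar volume the ATS executed in each NMS stock."""
    shares = {}
    for symbol, ats_vol in m.ats_by_symbol.items():
        cons = m.consolidated_by_symbol.get(symbol, 0.0)
        if cons > 0:
            shares[symbol] = 100.0 * ats_vol / cons
    return shares


def all_stocks_share(m: MonthVolume) -> float:
    """Percentage of consolidated dollar volume across all NMS stocks."""
    cons_total = sum(m.consolidated_by_symbol.values())
    if cons_total <= 0:
        return 0.0
    return 100.0 * sum(m.ats_by_symbol.values()) / cons_total


def month_meets_nms_thresholds(m: MonthVolume) -> bool:
    """Both prongs must hold: >=5% in some single stock AND >=0.25% in all stocks."""
    any_prong = any(s >= ANY_STOCK_PCT for s in stock_shares(m).values())
    all_prong = all_stocks_share(m) >= ALL_STOCKS_PCT
    return any_prong and all_prong


def qualifying_months(history: List[MonthVolume]) -> int:
    """Count the months in the six-month lookback window that meet both prongs."""
    window = history[-LOOKBACK_MONTHS:]
    return sum(1 for m in window if month_meets_nms_thresholds(m))


def is_sci_ats_for_nms_stocks(history: List[MonthVolume]) -> bool:
    """NMS-stock SCI ATS test: thresholds met in at least four of the preceding six months."""
    return qualifying_months(history) >= MONTHS_REQUIRED


# Constructed consolidated market: one thin stock, one mid-sized, one very liquid.
CONSOLIDATED = {"AAA": 1_000_000.0, "BBB": 5_000_000.0, "CCC": 200_000_000.0}

# Month in which the ATS trades broadly: 6% of AAA, 2% of BBB, 0.25% of CCC,
# and about 0.32% of all NMS stocks, so both prongs are satisfied.
BROAD = MonthVolume("broad", {"AAA": 60_000.0, "BBB": 100_000.0, "CCC": 500_000.0}, CONSOLIDATED)

# Month in which the ATS trades only the thin stock (the scenario question 4 asks about):
# 6% of AAA satisfies the single-stock prong, but about 0.03% overall fails the all-stocks prong.
ILLIQUID_ONLY = MonthVolume("illiquid_only", {"AAA": 60_000.0}, CONSOLIDATED)

# Six-month history: four broad months and two illiquid-only months.
SAMPLE_HISTORY = [BROAD, ILLIQUID_ONLY, BROAD, ILLIQUID_ONLY, BROAD, BROAD]

if __name__ == "__main__":
    print("broad month meets thresholds:", month_meets_nms_thresholds(BROAD))
    print("illiquid-only month meets thresholds:", month_meets_nms_thresholds(ILLIQUID_ONLY))
    print("qualifying months:", qualifying_months(SAMPLE_HISTORY))
    print("SCI ATS (NMS stocks):", is_sci_ats_for_nms_stocks(SAMPLE_HISTORY))
```

The illiquid-only month shows why the all-stocks prong matters: a venue concentrated in one thin name clears the single-stock prong easily but contributes almost nothing to consolidated volume, which is exactly the situation question 4 asks whether the two-pronged test excludes. Because only the last six entries of the history are examined, the same function can be re-run each month as the window rolls forward.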
14. With respect to calculating the proposed thresholds for
securities other than NMS stocks (i.e., non-NMS stocks, municipal
securities, and corporate debt securities), would ATSs have available
appropriate data with which to determine whether the proposed
thresholds have been met? FINRA, through its OTC Reporting Facility and
its Trade Reporting and Compliance Engine (``TRACE'') \138\ facility,
collects data on transactions in non-NMS stocks and corporate debt
securities, and the MSRB collects data on transactions in municipal
securities. Do commenters believe that FINRA, the MSRB, or another
appropriate entity should be required to disseminate data in a format
and frequency sufficient to enable ATSs to determine if they have met
the proposed thresholds? Is there another mechanism or structure that
could provide data in a format and frequency sufficient to enable ATSs
to determine whether the proposed thresholds have been met? Please
explain.
---------------------------------------------------------------------------
\138\ TRACE is an automated system that, among other things,
accommodates reporting and dissemination of transaction reports for
over-the-counter secondary market transactions in eligible fixed
income securities, in accordance with the FINRA Rule 6700 series.
---------------------------------------------------------------------------
15. Are there ATSs or types of ATSs that would satisfy the proposed
definition of SCI ATS that commenters believe should not be subject to
proposed Regulation SCI? If so, please explain. Are there ATSs or types
of ATSs that would not satisfy the proposed definition of SCI ATS that
commenters believe should be subject to proposed Regulation SCI? If so,
please explain. For example, should ATSs that execute transactions in
U.S. treasuries and/or repurchase agreements be subject to proposed
Regulation SCI? Why or why not? If a parent company owns multiple ATSs
for a given asset class (e.g., NMS stocks), should the trading volumes
of these ATSs be aggregated for purposes of determining whether the
ATSs exceed the proposed thresholds? Why or why not? If so, how should
such aggregation work? What are the advantages or disadvantages of such
an approach? Please explain.
16. Do commenters believe that, for purposes of Regulation SCI, the
proposed definition of plan processor is appropriate? Why or why not?
Is it appropriate to limit the definition of plan processor to entities
within the meaning of plan processor in Rule 600(b)(55) of Regulation
NMS? Why or why not? Do commenters believe the proposed definition is
sufficiently clear? Are there any other entities similar to the plan
processors of SCI Plans that commenters believe should be made subject
to the requirements of proposed Regulation SCI? If so, please describe
and explain why.
17. Do commenters believe that the proposed definition of ``exempt
clearing agency subject to ARP'' is appropriate? Why or why not? Are
there other exempt clearing agencies that should be included in the
proposed definition of SCI entity? Why or why not? Is it appropriate to
limit the definition of SCI entity with respect to exempt clearing
agencies to those with exemptions that
[[Page 18099]]
contain conditions that relate to the Commission's Automation Review
Policies or any Commission regulation that supersedes or replaces such
policies? Why or why not?
18. What are the current practices of the proposed SCI entities
with respect to the subject matter covered by the ARP policy
statements? How many of them have practices that are consistent with
ARP? How do they differ? Please be specific.
2. Definition of SCI Systems and SCI Security Systems
The Commission is proposing that Regulation SCI cover the systems
of SCI entities, which would include both SCI systems and, where
applicable, SCI security systems. Proposed Rule 1000(a) would define
the term ``SCI systems'' to mean ``all computer, network, electronic,
technical, automated, or similar systems of, or operated by or on
behalf of, an SCI entity, whether in production, development, or
testing, that directly support trading, clearance and settlement, order
routing, market data, regulation, or surveillance,'' and the term ``SCI
security systems'' to mean ``any systems that share network resources
with SCI systems that, if breached, would be reasonably likely to pose
a security threat to SCI systems.''
Thus, for purposes of all of the provisions of proposed Regulation
SCI, the proposed definition of SCI systems would cover all systems of
an SCI entity that directly support trading, clearance and settlement,
order routing, market data, regulation, and surveillance. In addition,
the proposed definition of SCI security systems is designed to cover
other types of systems if they share network resources with SCI systems
and, if breached, would be reasonably likely to pose a security threat
to SCI systems. Unlike SCI systems, only certain provisions of proposed
Regulation SCI would apply to SCI security systems.\139\
---------------------------------------------------------------------------
\139\ Specifically, under proposed Rule 1000(a), SCI security
systems are included in the proposed definitions of ``material
systems change,'' ``responsible SCI personnel,'' ``SCI review,'' and
``systems intrusion.'' For purposes of security standards, proposed
Rule 1000(b)(1) would also apply to SCI security systems. In
addition, with respect to systems intrusions, proposed Rules
1000(b)(3)-(5) would apply to SCI security systems. Further, because
of the definitions of material systems change and SCI review,
proposed Rules 1000(b)(6) and (7) would apply to SCI security
systems. Finally, proposed Rules 1000(c) and (f), relating to
recordkeeping and access, respectively, would apply to SCI security
systems.
---------------------------------------------------------------------------
The Commission preliminarily believes that the proposed definition
of SCI systems would reach those systems traditionally considered to be
core to the functioning of the U.S. securities markets, namely trading,
clearance and settlement, order routing, market data, regulation, and
surveillance systems.\140\ The proposed definition would also apply to,
for example, such systems of exchange-affiliated routing brokers that
are facilities of national securities exchanges or such systems
operated on behalf of national securities exchanges. It would also
apply to regulatory systems,\141\ including systems for the regulation
of the over-the-counter market, systems used to carry out regulatory
services agreements, and similar future systems, including the
Consolidated Audit Trail repository.\142\ In addition, if an SCI entity
contracts with a third party to operate its systems (such as those that
use execution algorithms) on behalf of the SCI entity, such systems
would also be covered by the proposed definition of SCI systems if they
directly support trading, clearance and settlement, order routing,
market data, regulation, or surveillance. Therefore, systems covered by
the proposed definition of SCI systems would not be limited only to
those owned by the SCI entity, but also could include those operated by
or on behalf of the SCI entity.
---------------------------------------------------------------------------
\140\ See ARP I, supra note 1.
\141\ SCI entities that are obligated to comply with Section 31
of the Exchange Act (15 U.S.C. 78ee), and Rule 31 thereunder (17 CFR
240.31), employ various systems to generate, process, transmit, or
store electronic messages related to securities transactions. Such
systems may include matching engines, transaction data repositories,
trade reporting systems, and clearing databases.
\142\ See Consolidated Audit Trail Adopting Release, supra note
131.
---------------------------------------------------------------------------
Based on Commission staff's experience with the ARP Inspection
Program, the Commission believes that some SCI systems of SCI entities
may in some cases be highly interconnected with SCI security systems
because the SCI systems and SCI security systems share network
resources. As a result, the Commission is concerned that a security
issue or systems intrusion with respect to SCI security systems would
be reasonably likely to cause an SCI event with respect to SCI systems.
Because certain SCI security systems of an SCI entity may present
likely vulnerable entry points to an SCI entity's network, the
Commission preliminarily believes that it is important that the
provisions of proposed Regulation SCI relating to security standards
and systems intrusions apply to SCI security systems.\143\
---------------------------------------------------------------------------
\143\ See supra note 139.
---------------------------------------------------------------------------
The proposed definition of SCI security systems does not identify
the types of systems that would be covered, but rather describes them
in terms of their connectivity and potential ability to undermine the
integrity of SCI systems. However, examples of SCI security systems
that could be highly interconnected with SCI systems and therefore be
reasonably likely to pose a threat to SCI systems may include systems
pertaining to corporate operations (e.g., systems that support web-
based services, administrative services, electronic filing, email
capability and intranet sites, as well as financial and accounting
systems) that are typically accessed by an array of users (e.g.,
employees or executives of the SCI entity) authorized to view non-
public information. In certain cases, such systems would likely offer
insight into the vulnerabilities of an SCI entity if they were, for
example, accessed by a hacker. The Commission is concerned that the
breach of such systems would likely lead to disruption of an SCI
entity's general operations and, ultimately, its market-related
activities. Similarly, systems by which an SCI entity provides a
service to issuers, participants, or clients (e.g., transaction
services, infrastructure services, and data services) may be accessed
by employees or other representatives of the issuer, participant, or
client organization, and may, in some instances, provide a point of
access (and thus share network resources) to an SCI entity's SCI
systems. Accordingly, the Commission is proposing that the term SCI
security systems include any systems that share network resources with
SCI systems that, if breached, would be reasonably likely to pose a
security threat to SCI systems, but only for the limited provisions of
proposed Regulation SCI noted above.\144\
---------------------------------------------------------------------------
\144\ See id.
---------------------------------------------------------------------------
In light of the above concerns, the proposed definitions of SCI
systems and SCI security systems together are intended to reach all of
the systems that would be reasonably likely to impact an SCI entity's
operational capability and the maintenance of fair and orderly markets,
rather than reaching solely SCI systems. Because of the dependence of
today's securities markets on highly sophisticated electronic trading
and other technology, including complex regulatory and surveillance
systems, as well as systems relating to clearance and settlement, the
provision of market data, and order routing, the Commission
preliminarily believes that the proposed definitions of SCI systems and
SCI security systems are appropriate to help ensure the capacity,
integrity, resiliency, availability, and security of an SCI entity's
systems.
[[Page 18100]]
Request for Comment
19. The Commission requests comment generally on the proposed
definitions of SCI systems and SCI security systems.
20. Do commenters believe that the proposed definitions
appropriately capture the scope of systems of SCI entities that would
be reasonably likely to impact the protection of investors and the
maintenance of fair and orderly markets? Specifically, do the proposed
definitions of SCI systems and SCI security systems capture the
components of the critical systems infrastructure of SCI entities in a
comprehensive manner? Are the proposed definitions sufficiently clear?
21. Are there any systems of SCI entities that should be included
but would not be captured by the proposed definitions? Please explain.
Are there any systems of SCI entities that should be excluded from the
proposed definitions? Please explain.
22. By including in the proposed definition of ``SCI systems''
those systems operated ``on behalf of'' an SCI entity, systems operated
by a third party under contract from an SCI entity and systems operated
by affiliates of an SCI entity that are utilized by such SCI entity
would also be included in the proposed definition of SCI systems. Do
commenters agree that such systems should be included? Please explain.
Should the requirements under proposed Regulation SCI apply differently
to systems that are operated on behalf of an SCI entity? Why or why
not? Please explain.
23. Do commenters agree with the proposal to distinguish between
SCI systems and SCI security systems for purposes of triggering the
various provisions of proposed Regulation SCI? For example, are the
requirements that would apply to SCI security systems appropriate? Why
or why not? If not, which requirements of proposed Regulation SCI
should apply to SCI security systems and why? Should the requirements
under proposed Regulation SCI apply differently to different types of
systems, as proposed? Or, should SCI security systems be subject to all
of the requirements of proposed Regulation SCI? Why or why not?
24. Alternatively, should SCI security systems be excluded entirely
from the application of proposed Regulation SCI? Why or why not? The
Commission is proposing its approach to distinguish between SCI systems
and SCI security systems because it preliminarily believes that the
interconnected nature of technology infrastructure today creates the
potential for systems other than SCI systems to expose vulnerable
points of entry that could lead to a security breach or intrusion into
SCI systems. In light of this potential, the Commission is proposing,
as discussed further below, that the following provisions of proposed
Regulation SCI apply to the SCI security systems of an SCI entity: (1)
For purposes only of the policies and procedures relating to systems
security, proposed Rule 1000(b)(1) would apply to its SCI security
systems; (2) proposed Rules 1000(b)(3)-(5) (relating to SCI events and
taking corrective action, Commission notification, and dissemination of
information to members or participants, respectively) would apply to
SCI security systems only with respect to systems intrusions; and (3)
proposed Rule 1000(b)(6) would require an SCI entity to report a
material systems change in an SCI security system only to the extent
that it materially affects the security of such system.\145\
---------------------------------------------------------------------------
\145\ See infra Sections III.C.1, III.C.3, and III.C.4. In
addition, the scope of the applicability of proposed Rules
1000(b)(7), 1000(b)(8), and 1000(c)-(f) to SCI security systems
would be determined by the provisions of the proposed Rules
1000(b)(1), and (3)-(6). See infra Sections III.C.5, III.C.6, and D.
---------------------------------------------------------------------------
25. The goal of this proposed approach is to ensure that SCI
systems, as the core systems of an SCI entity, are adequately secure
and protected from systems intrusions. However, the Commission
recognizes that there may be alternative ways to achieve this goal,
including those that do not extend the scope of the proposed rule
beyond the core systems that are defined as ``SCI systems,'' and that
focus the Commission's oversight on those systems. For example, one
alternative would be to limit the scope of the proposed rule to SCI
systems, but clarify that policies and procedures reasonably designed
to ensure that SCI systems have adequate levels of security necessarily
would require an assessment of security vulnerabilities created by
other systems that share network resources with SCI systems, and
appropriate steps to address those vulnerabilities. Specifically, under
such an alternative, the defined term ``SCI security systems,'' and all
references to them and any associated obligations, would be eliminated
from the proposed rule text described herein, and clarifying guidance
would be provided with respect to the security of SCI systems as noted
above. With such an alternative, consideration also would need to be
given to whether or not an SCI entity should notify the Commission (and
potentially its members or participants) of a systems intrusion with
respect to these non-SCI systems, or a systems change that materially
impacts the security of such systems. Accordingly, the Commission
solicits commenters' views on this or any other potential alternative
approaches that would not include a definition of SCI security systems
within the scope of the proposed rule.
26. If the Commission were to determine to eliminate the proposed
definition of SCI security systems from proposed Regulation SCI, what
would be the likely effect of such elimination on the ability of
proposed Regulation SCI to ensure that SCI systems are adequately
secure and protected from systems intrusions? Please explain.
Specifically, if the Commission eliminated the proposed definition of
SCI security systems from proposed Regulation SCI, and its direct
oversight of systems that share network resources with SCI systems,
would the Commission's ability to assure adequate security for SCI
systems be materially weakened? Why or why not? Would such an
alternative reduce compliance burdens for SCI entities, and improve the
efficiency of Commission oversight without materially undermining its
effectiveness?
27. If the Commission were to determine to eliminate the proposed
definition of SCI security systems from proposed Regulation SCI, would
it be appropriate, for example, for the Commission to interpret the
requirement of proposed Rule 1000(b)(1) that would require an SCI
entity to have ``policies and procedures reasonably designed to ensure
that its SCI systems have levels of * * * security * * * adequate to
maintain the SCI entity's operational capability and promote the
maintenance of fair and orderly markets'' to require that an SCI
entity's SCI systems be protected from security threats by other
systems with which they share network resources? Why or why not? Please
explain.
28. If the Commission were to determine to eliminate the proposed
definition of SCI security systems from proposed Regulation SCI, should
the Commission still require an SCI entity to report to the Commission
an intrusion into any system (and not just SCI systems) of an SCI
entity? Why or why not? If the Commission were to determine to
eliminate the proposed definition of SCI security systems from proposed
Regulation SCI, should the Commission require an SCI entity to notify
members and participants of an intrusion into any system of an SCI
entity? Why or why not? If the Commission were to determine to
eliminate the proposed definition of SCI
[[Page 18101]]
security systems from proposed Regulation SCI, are there any other
changes to the rule that would be appropriate? What are they, and why
would they be appropriate? Please describe in detail.
3. SCI Events
Pursuant to the current ARP policy statements and Regulation ATS, a
key element of the ARP Inspection Program has been to encourage ARP
participants to notify Commission staff of significant systems
disruptions so that the staff can work with the affected entity to help
ensure that the disruption is addressed promptly and effectively, and
that appropriate steps are taken to reduce the likelihood of future
problems. Commission staff has previously sought to provide guidance
and clarification on what should be considered a ``significant system
outage'' for purposes of reports to Commission staff. Specifically, in
the 2001 Staff ARP Interpretive Letter, Commission staff provided
examples of situations for which an outage is deemed significant and
thus should be reported.\146\ The examples listed in that letter
included: (1) Outages resulting in a failure to maintain any service
level agreements or constraints; (2) disruptions of normal operations,
e.g., switchover to back-up equipment with zero hope of near-term
recovery of primary hardware; (3) the loss of use of any system; (4)
the loss of transactions; (5) outages resulting in excessive back-ups
or delays in processing; (6) the loss of ability to disseminate vital
information; (7) outage situations communicated to other external
entities; (8) events that are (or will be) reported or referred to the
entity's board of directors or senior management; (9) events that
threaten systems operations even though systems operations are not
disrupted; for example, events that cause the entity to implement a
contingency plan; and (10) the queuing of data between system
components or queuing of messages to or from customers of such duration
that a customer's usual and customary service delivery is
affected.\147\
---------------------------------------------------------------------------
\146\ See 2001 Staff ARP Interpretive Letter, supra note 35.
\147\ See id.
---------------------------------------------------------------------------
The Commission believes that guidance in the 2001 Staff ARP
Interpretive Letter regarding what constitutes a significant systems
outage has been useful over the years to the entities that received the
2001 Staff ARP Interpretive Letter, but understands that Commission
action in this area would help SROs and other entities by providing
definitive guidance through a formal rulemaking process that includes
notice and comment. Furthermore, the Commission believes the term
``significant systems outage'' in plain usage denotes a category of
systems problems that is considerably narrower than those the
Commission believes could pose risks to the securities markets and
market participants. Therefore, the Commission proposes to specify the
types of events that would be required to be reported to the Commission
and the types of systems problems that would trigger notice
requirements on the part of an SCI entity. Specifically, the Commission
is proposing to define the term ``SCI event'' in Rule 1000(a) as ``an
event at an SCI entity that constitutes: (1) A systems disruption; (2)
a systems compliance issue; or (3) a systems intrusion.'' As discussed
in detail below, the proposed rule would define each of these terms
used in the proposed definition of SCI event.
a. Systems Disruption
The Commission proposes that the term ``systems disruption'' be
defined to mean ``an event in an SCI entity's SCI systems that results
in: (1) A failure to maintain service level agreements or constraints;
(2) a disruption of normal operations, including switchover to back-up
equipment with near-term recovery of primary hardware unlikely; (3) a
loss of use of any such system; (4) a loss of transaction or clearance
and settlement data; (5) significant back-ups or delays in processing;
(6) a significant diminution of ability to disseminate timely and
accurate market data; or (7) a queuing of data between system
components or queuing of messages to or from customers of such duration
that normal service delivery is affected.'' The proposed definition is
similar, but not identical, to the definition of ``significant systems
outage'' in the 2001 Staff ARP Interpretive Letter.\148\
---------------------------------------------------------------------------
\148\ See supra note 35. The Commission believes that the term
``systems disruption'' is a more appropriate term to describe the
types of events captured within the proposed definition and thus is
proposing to use the term ``systems disruption,'' rather than the
term ``systems outage,'' the term used in the ARP Inspection
Program.
---------------------------------------------------------------------------
As proposed, a systems disruption would be an event in an SCI
entity's SCI systems that manifests itself as a problem measured by
reference to one or more of seven elements. The first proposed element,
a failure to maintain service level agreements or constraints, is
unchanged from the 2001 Staff ARP Interpretive Letter. This would
include, for example, a failure or inability of the SCI entity to honor
its contractual obligations to provide a specified level or speed of
service to users of its SCI systems. A trading market could, for
example, contract to maintain its trading system without delays over a
specific threshold, e.g., 100 milliseconds, and its failure to honor
that obligation would thus be a systems disruption.
The second proposed element, ``a disruption of normal operations,
including switchover to back-up equipment with near-term recovery of
primary hardware unlikely'' differs from the element in the 2001 Staff
ARP Interpretive Letter (disruption of normal operations, e.g.,
switchover to back-up equipment with zero hope of near-term recovery of
primary hardware). This modification is intended to convey that the
Commission preliminarily believes that an SCI entity should be required
to notify Commission staff of an SCI systems problem that involves a
switchover to backup equipment, even if it has not yet been determined
that no recovery is possible, because the probability that such a
switchover may continue indefinitely is significant. The
Commission also intends that this proposed element, a ``disruption of
normal operations,'' would capture problems with SCI systems such as
programming errors, testing errors, systems failures, or the backing out
of a system release after it has been implemented in production.
The third proposed element, ``a loss of use of any such system,''
is unchanged from the 2001 Staff ARP Interpretive Letter and would
cover situations in which an SCI system is broken, offline, or
otherwise out of commission. For example, the Commission intends that a
failure of primary trading or clearance and settlement systems, even if
immediately replaced by backup systems without any disruption to normal
operations, would be covered under this third proposed element. The
Commission preliminarily believes the language of the fourth proposed
element, ``a loss of transaction or clearance and settlement data,'' is
more precise than the language in the 2001 Staff ARP Interpretive
Letter, which lists ``loss of transactions'' as an example of a systems
outage.
Similarly, the language of the fifth and sixth proposed elements is
intended to be more precise than the comparable language in the fifth
and sixth examples enumerated in the 2001 Staff ARP Interpretive
Letter. The Commission is not at this time proposing to quantify what
would constitute a ``significant back-up or delay in processing'' or a
``significant diminution of ability to disseminate timely and accurate
market data'' because it preliminarily believes that the varying
circumstances that
[[Page 18102]]
could give rise to such events, and the range of SCI systems
potentially impacted, make precise quantification impractical.\149\
These proposed elements are intended to include, for example,
circumstances in which a problem with an SCI system results in a
slowdown or disruption of operations that would adversely affect
customers, impair quotation or price transparency, or impair accurate
and timely regulatory reporting. Instances in which message traffic is
throttled (i.e., slowed) by an SCI entity for any market participant,
without a corresponding provision in the SCI entity's rules, user
agreements, or governing documents, as applicable, would also be
covered here.\150\ Further, the Commission preliminarily believes that
if customers or systems users, for example, have complained or inquired
about a slowdown or disruption of operations, including, for example, a
slowdown or disruption in their receipt of market data, then such
circumstance would be indicative of a problem at an SCI entity that
results in ``significant back-ups or delays in processing'' or a
``significant diminution of ability to disseminate timely and accurate
market data,'' that should be considered a ``systems disruption.'' The
fifth and sixth elements of the proposed definition of systems
disruption are also intended to cover the entry, processing, or
transmission of erroneous or inaccurate orders, trades, price-reports,
other information in the securities markets or clearance and settlement
systems, or any other significant deterioration in the transmission of
market data in an accurate, timely, and efficient manner. For example,
it is possible that an SCI system of an SCI entity that disseminates
market data could, as a result of a programming or testing error in
another system of the SCI entity, be overwhelmed with erroneous market
data to such an extent that the SCI entity's SCI systems are no longer
able to disseminate market data in a timely and accurate manner.
---------------------------------------------------------------------------
\149\ The Commission is, however, soliciting comment on whether
it would be appropriate to adopt quantitative criteria in connection
with the definition of ``systems disruption.''
\150\ However, if an SCI entity's rules or governing documents
provided for such throttling in specified scenarios as a part of
normal operations, such throttling would not be covered as such a
situation would not represent an unexpected back-up or delay in
processing but rather would be part of the SCI entity's normal
operation.
---------------------------------------------------------------------------
Finally, the seventh proposed element, ``a queuing of data between
system components or queuing of messages to or from customers of such
duration that normal service delivery is affected,'' is proposed to be
included because the Commission preliminarily believes that queuing of
data between system components of SCI systems is often a warning signal
of significant disruption of normal system operations.
Although the 2001 Staff ARP Interpretive Letter lists ``a report or
referral of an event to the entity's board of directors or senior
management'' and ``an outage situation communicated to other external
entities'' as examples of a significant systems outage, the Commission
is not proposing to include such reports or communications in the
definition of systems disruption because it preliminarily believes
these examples are more likely to be indicia of whether information
about a systems disruption or other systems problem warrants
dissemination to the SCI entity's members or participants.\151\
Further, although the 2001 Staff ARP Interpretive Letter lists ``a
serious threat to systems operations even though systems operations are
not disrupted'' as an example of a significant systems outage, the
Commission has not included that example as an element in the proposed
definition of systems disruption because it preliminarily believes that
such a threat would more likely be indicative of a systems intrusion or
systems compliance issue.\152\
---------------------------------------------------------------------------
\151\ See infra Section III.B.4.d, discussing whether an SCI
event is a ``dissemination SCI event.''
\152\ See infra Sections III.B.3.b and III.B.3.c, discussing the
proposed definition of systems compliance issue and systems
intrusion, respectively.
---------------------------------------------------------------------------
Request for Comment
29. The Commission requests comment generally on the proposed
definition of ``systems disruption.'' Do commenters believe that it is
appropriate to limit the proposed definition of ``systems disruption''
to SCI systems? Why or why not? Do commenters believe the proposed
definition of ``systems disruption'' is too broad? Why or why not?
Please explain.
30. Do commenters believe that there should be minimum thresholds
associated with the circumstances specified in any elements of the
proposed definition of systems disruption--e.g., quantitative criteria
describing when an event fitting the description of one of the elements
of the proposed definition would meet the definition of SCI event? If
so, what should such minimum thresholds be and to which elements of the
definition of ``systems disruption'' should such minimum thresholds
apply? Please explain. Should systems disruptions affecting different
types of SCI systems be treated differently? For example, should
trading systems have different quantitative criteria than systems
dedicated to surveillance? Please be specific with respect to which
categories of SCI systems might deserve different treatment, and what
such quantitative criteria might be and why.
31. Do commenters believe the term ``transaction or clearance and
settlement data,'' as used in paragraph (4) of the proposed definition
of ``systems disruption,'' is appropriate? Why or why not? Should other
types of data be included, in addition to transaction and clearance and
settlement data? For example, should customer account data, regulatory
data, and/or audit trail data be included? Why or why not?
32. Do commenters believe that there should be exceptions to the
proposed definition of systems disruption? If so, what should such
exceptions be and why? For example, should the proposed definition of
systems disruption include a de minimis exception? If so, what types of
systems problems should be considered de minimis and what criteria
should be used to determine whether a systems problem is de minimis?
Should the proposed definition of systems disruption include a
materiality threshold? If so, what types of systems problems should be
considered material and what criteria should be used to determine
whether a systems problem is material? Should the definition of systems
disruption exclude regular planned outages occurring during the normal
course of business?
33. Should the proposed definition be expanded, narrowed, or
otherwise modified in any way? For example, should the proposed
definition include quantitative criteria that establish a minimum
deviation from normal performance levels, such as a tenfold increase or
greater in latency for queuing of data, for an event to be considered
an SCI event? Would a minimum deviation of 100 milliseconds from normal
system performance levels be an appropriate indication of system
degradation? Or, would a larger or smaller deviation be more
appropriate? Why or why not? For example, would the choice of a
specific threshold help to balance the tradeoff between the costs of
over-reporting systems disruptions and the costs of failing to report
systems disruptions that could lead to significant negative
consequences? Should different quantitative criteria be used across
different SCI systems? For example, a limited pause in the operations
of a clearing system may not raise the same issues as a similar pause
in the operation of a market data feed. If commenters believe that
different criteria should be maintained, please be specific and provide
examples of what
[[Page 18103]]
the appropriate minimum deviations should be for such systems.
34. Are there other types of circumstances that should be included
that are not part of the proposed definition? If so, please describe
and explain. For example, if an SCI SRO or SCI ATS suspects a
technology error originating from a third party (such as an SCI SRO's
member firm or an SCI ATS's subscriber) that has the potential to
disrupt the market, should that type of discovery be included in the
definition of systems disruption? Why or why not? Is there additional
guidance that commenters would find helpful to determine whether an
event would meet the proposed definition of systems disruption?
35. How often do SCI entities currently experience systems
disruptions?
b. Systems Compliance Issue
The Commission proposes that the term ``systems compliance issue''
be defined as ``an event at an SCI entity that has caused any SCI
system of such entity to operate in a manner that does not comply with
the federal securities laws and rules and regulations thereunder or the
entity's rules or governing documents, as applicable.'' \153\
Circumstances covered by the proposed definition would include, for
example, situations in which a lack of communication between an SCI
SRO's information technology staff and its legal or regulatory staff
regarding SCI systems design or requisite regulatory approvals resulted
in one or more SCI systems operating in a manner not in compliance with
the SCI SRO's rules and, thus, in a manner other than how the users of
the SCI SRO's SCI systems, as well as market participants generally,
have been informed that such systems would operate. Another example of
a systems compliance issue could arise when a change to an SCI system
is made by information technology staff that results in the system
operating in a manner that fails to comply with the federal securities
laws and rules thereunder.
---------------------------------------------------------------------------
\153\ As discussed in infra Section III.C.2, one of the elements
of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) would require
that an SCI entity establish policies and procedures that provide
for ongoing monitoring of SCI systems functionality to detect
whether SCI systems are operating in the manner intended. This
element would require that each SCI entity establish parameters for
detection of a systems compliance issue, and is not intended to
suggest one set of parameters for all SCI entities.
---------------------------------------------------------------------------
The phrase ``operate in a manner that does not comply with * * *
the entity's rules or governing documents'' would mean that an SCI
entity is operating in a manner that does not comply with the entity's
applicable rules and other documents, whether or not filed with the
Commission. Generally, such rules or other documents are made available
to the public and/or to members, clients, users, and/or participants in
the SCI entity.\154\ Specifically, for an SCI SRO, this phrase would
include operating in a manner that does not comply with the SCI SRO's
rules as defined in the Exchange Act and the rules thereunder.\155\ For
a plan processor, this phrase would include operating in a manner that
does not comply with an applicable effective national market system
plan. For an SCI ATS or exempt clearing agency subject to ARP, this
phrase would include operating in a manner that does not comply with
documents such as subscriber agreements and any rules provided to
subscribers and users and, for ATSs, described in their Form ATS
filings with the Commission.\156\
---------------------------------------------------------------------------
\154\ For example, each SCI SRO is required to publish its rules
on its publicly available Web site. See 15 U.S.C. 78s(b)(2)(E). Each
plan processor is also required to post amendments to its national
market system plan on its Web site. See 17 CFR 242.608. Subscriber
agreements and other similar documents that govern operations of SCI
ATSs and exempt clearing agencies subject to ARP are generally not
publicly available, but are provided to subscribers and users of
such entities.
\155\ The rules of an SCI SRO are defined in Sections 3(a)(27)
and (28) of the Exchange Act to include, among other things, its
constitution, articles of incorporation, and bylaws. See 15 U.S.C.
78c(a)(27)-(28). See also Exchange Act Rule 19b-4(c), 17 CFR
240.19b-4(c).
\156\ See 17 CFR 242.301(b) for a description of the filing
requirements for ATSs.
---------------------------------------------------------------------------
Request for Comment
36. The Commission requests comment generally on the proposed
definition of ``systems compliance issue.'' Do commenters believe it
would be appropriate to define ``systems compliance issue'' to mean any
instance in which an SCI system operates in a manner that does not
comply with the federal securities laws and rules and regulations
thereunder, or the entity's rules or governing documents, as
applicable? Why or why not? If the proposed definition is not
appropriate, what would be an appropriate definition? Do commenters
believe that it is appropriate to limit the proposed definition of
``systems compliance issue'' to SCI systems? Why or why not? Please
explain.
37. Do commenters believe that there should be exceptions to the
proposed definition of systems compliance issue? If so, what should
such exceptions be and why? For example, should the proposed definition
of systems compliance issue include a de minimis exception? If so, what
types of systems compliance issues should be considered de minimis and
what criteria should be used to determine whether a systems compliance
issue is de minimis? Should the proposed definition of systems
compliance issue include a materiality threshold? If so, what types of
systems compliance issues should be considered material and what
criteria should be used to determine whether a systems compliance issue
is material?
38. Do commenters believe other types of documents or agreements
should be included in the definition? If so, please specify the types
of documents or agreements and explain why.
39. How often do SCI entities currently experience systems
compliance issues?
c. Systems Intrusion
The Commission proposes that ``systems intrusion'' be defined as
``any unauthorized entry into the SCI systems or SCI security systems
of an SCI entity.'' The proposed definition is intended to cover all
unauthorized entry into SCI systems or SCI security systems by
outsiders, employees, or agents of the SCI entity, regardless of
whether the intrusions were part of a cyber attack, potential criminal
activity, or other unauthorized attempt to retrieve, manipulate or
destroy data, or access or disrupt systems of SCI entities. The
proposed definition of systems intrusion would cover the introduction
of malware or other attempts to disrupt SCI systems or SCI security
systems of SCI entities provided that such systems were actually
breached. In addition, the proposed definition is intended to cover
unauthorized access, whether intentional or inadvertent, by employees
or agents of the SCI entity that results from weaknesses in the SCI
entity's access controls and/or procedures. The proposed definition
would not, however, cover unsuccessful attempts at unauthorized entry.
An unsuccessful systems intrusion by definition is much less likely
than a successful intrusion to disrupt the systems of an SCI entity.
Moreover, because it is impossible to prevent attempted intrusions, the
Commission preliminarily believes at this time that the focus of this
aspect of proposed Regulation SCI should be on successful unauthorized
entry.
Request for Comment
40. The Commission requests comment generally on the proposed
definition of ``systems intrusion.'' Is the proposed definition
sufficiently clear? If not, why not? Do commenters believe that it is
appropriate to apply the proposed definition of ``systems
[[Page 18104]]
intrusion'' to both SCI systems and SCI security systems? Why or why
not? Please explain.
41. Do commenters believe it is appropriate to exclude from the
proposed definition of systems intrusion an attempted intrusion that
did not breach systems or networks? Why or why not? Should significant,
sophisticated, repeated, and/or attempted intrusions, even if
unsuccessful, be included? Why or why not? If yes, please explain what
categories of attempted intrusions should be covered by the proposed
rule and why.
42. Should the proposed definition of systems intrusion be expanded
to include the unauthorized use or unintended release of information or
data, for example, by an employee or agent of an SCI entity? Why or why
not? If so, should the definition be limited to the unauthorized use of
non-public or confidential information or should it apply to any
unauthorized use of information or data? The Commission recognizes that
including in the definition all instances of unauthorized use or
unintended release of information or data may be broad and solicits
comment generally on how the definition might be more narrowly defined
to encompass those types of events that commenters believe would be
appropriate to be included in proposed Regulation SCI.
43. How often do SCI entities currently experience known systems
intrusions or known attempted systems intrusions?
d. Dissemination SCI events
The Commission proposes that the term ``dissemination SCI event''
be defined as ``an SCI event that is a: (1) Systems compliance issue;
(2) systems intrusion; or (3) systems disruption that results, or the
SCI entity reasonably estimates would result, in significant harm or
loss to market participants.'' \157\
---------------------------------------------------------------------------
\157\ See proposed Rule 1000(a).
---------------------------------------------------------------------------
As discussed below in Section III.C.3, proposed Rule 1000(b)(5)
includes requirements for disseminating information regarding certain
SCI events to members or participants.\158\ Specifically, only
information relating to dissemination SCI events would be required to
be disseminated to members or participants pursuant to proposed Rule
1000(b)(5).\159\ The Commission recognizes that public disclosure of
each and every systems issue (such as very brief outages or minor
disruptions of normal systems operations where the effects on trading,
market data, and clearance and settlement are immaterial) could be
counterproductive, potentially overwhelming the public with
information, masking significant issues that might arise, and thus
preliminarily believes that requiring the dissemination of information
about dissemination SCI events to members or participants would promote
dissemination of information to persons who are most directly affected
by such events and who would most naturally need, want, and be able to
act on the information, without creating a separate regulatory standard
governing when broader public disclosure should be made.
---------------------------------------------------------------------------
\158\ Proposed Rule 1000(b)(5) would require the dissemination
of specified information relating to dissemination SCI events and
specify the nature and timing of such dissemination, with a delay in
dissemination permitted for certain systems intrusions. See infra
Section III.C.3.c.
\159\ See infra note 235.
---------------------------------------------------------------------------
In the case of a dissemination SCI event, the Commission
preliminarily believes that dissemination to members or participants of
the nature of the event and the steps being taken to remedy it would be
necessary to help ensure that potentially impacted market participants,
and others that might be evaluating whether to use the affected
systems, have basic information about the event so that they might be
able to better assess what, if any, next steps they might deem prudent
to take in light of the event.\160\
---------------------------------------------------------------------------
\160\ However, as discussed below, the Commission recognizes
that, in the case of systems intrusions, there may be circumstances
in which full prompt dissemination of information to members or
participants of a systems intrusion could hinder an investigation
into such an intrusion or an SCI entity's ability to mitigate it. As
such, the Commission is proposing that dissemination of information
for certain systems intrusions could be delayed in specified
circumstances. Specifically, the Commission is proposing that an SCI
entity disseminate information about a systems intrusion to its
members or participants, unless the SCI entity determines that
dissemination of such information would likely compromise the
security of the SCI entity's SCI systems or SCI security systems, or
an investigation of the systems intrusion, and documents the reasons
for such determination. See proposed Rule 1000(b)(5)(ii) and text
accompanying infra note 174. The Commission preliminarily believes,
however, that an SCI entity should ultimately disseminate
information regarding systems intrusions, and that the provisions of
proposed Rule 1000(b)(5)(ii) permitting a delay in dissemination, if
applicable, should only affect the timing of such dissemination.
The Commission notes that some Roundtable panelists and
commenters discussed the role that communications and disclosure
should play in mitigation of risk from systems issues. For example,
panelists from Citadel, DE, Nasdaq, Lime, and TDA, among others,
spoke about the role of communications and management involvement in
responding to errors. See discussion of Roundtable, supra Section
I.D. See also text accompanying infra note 238.
---------------------------------------------------------------------------
Proposed Rule 1000(a) specifies three categories of SCI events that
would constitute a dissemination SCI event. First, any SCI event that
is a systems compliance issue would be a dissemination SCI event.\161\
The Commission preliminarily believes that, if an SCI entity's SCI
systems were operating in a manner not in compliance with the federal
securities laws and rules and regulations thereunder, or the entity's
rules or governing documents, as applicable, the SCI entity should be
required to disseminate that information to all members or
participants, i.e., the users of its SCI systems. In addition, because
SCI entities that are SCI SROs or plan processors are required by the
Exchange Act to comply with their rules, proposing to require
dissemination of information about systems compliance issues to members
or participants should help to reinforce this statutory obligation.
---------------------------------------------------------------------------
\161\ See supra Section III.B.3.b, discussing the definition of
``systems compliance issue.''
---------------------------------------------------------------------------
Second, any SCI event that is a systems intrusion would also be a
dissemination SCI event. The Commission preliminarily believes that a
systems intrusion may represent a significant weakness in the security
of an SCI entity's systems and thus warrant dissemination of
information to an SCI entity's members or participants. However,
because detailed information about a systems intrusion may expose an
SCI entity's systems to further probing and attack, an SCI entity would
only be required to provide a summary description of the systems
intrusion, including a description of the corrective action taken by
the SCI entity and when the systems intrusion has been or is expected
to be resolved.\162\ In addition, because immediate dissemination of
information about a systems intrusion may in some cases further
compromise the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion, an SCI entity in
some cases may be permitted to delay the dissemination of information
about such systems intrusion.\163\
---------------------------------------------------------------------------
\162\ See infra Section III.C.3.c and proposed Rule
1000(b)(5)(ii).
\163\ See id.
---------------------------------------------------------------------------
Finally, the Commission is proposing that any systems disruption
that results, or the SCI entity reasonably estimates would result, in
significant harm or loss to market participants would also be a
dissemination SCI event. Some systems disruptions may have an
immediate, obvious, and detrimental impact on market participants,
hampering the ability of an SCI entity's members or participants to
utilize the SCI entity's SCI systems and, in some cases, making
[[Page 18105]]
such systems unusable. At the same time, the Commission recognizes that
disseminating information relating to a single systems disruption that
results in harm or loss to one or a small number of market participants
that is not significant may not warrant the cost of such dissemination.
Furthermore, the Commission preliminarily believes that the proposed
standard is appropriate in that it does not set a specific threshold or
definition of ``significant harm or loss to market participants,'' and
provides an SCI entity with reasonable discretion in estimating whether
a given systems disruption has resulted, or would result, in
significant harm or loss to market participants.\164\ Although the
particular facts and circumstances will differ for each systems
disruption, some systems disruptions would clearly result in
significant harm or loss to market participants and warrant
dissemination of information regarding such systems disruption to the
SCI entity's members or participants, even if the harm or loss, or the
potential harm or loss, is difficult to quantify. For example, if a
market experiences a problem with a trading system such that order
processing and execution in certain securities is halted and members
are not able to confirm transactions in such securities, the Commission
preliminarily believes that such a systems disruption would be a
dissemination SCI event. In contrast, if a trading market or a clearing
agency experienced a momentary power disruption causing a failover to
the backup data center with no customer, member, or participant impact,
such SCI event would be a systems disruption requiring written notice
to the Commission, but would not be a dissemination SCI event.
---------------------------------------------------------------------------
\164\ The tradeoffs of setting thresholds are discussed in the
Economic Analysis Section below. See infra Section V.B.
---------------------------------------------------------------------------
Request for Comment
44. Do commenters believe the proposed definition of
``dissemination SCI event'' is appropriate? Why or why not?
45. Do commenters believe that a ``systems compliance issue''
should constitute a dissemination SCI event? Why or why not? Please
explain.
46. Do commenters believe that a ``systems intrusion'' should
constitute a dissemination SCI event? Why or why not? Please explain.
47. Do commenters believe that systems disruptions that meet the
``significant harm or loss to market participants'' standard should be
included as dissemination SCI events? Why or why not? If not, what
would be an appropriate threshold, and how should it be measured?
Should the term ``significant harm or loss to market participants'' be
further clarified or defined in the rule? Why or why not? If so, what
should such clarification or definition be and why?
48. Would an alternative measurement, or group of alternative
measurements, for systems disruptions, such as a 50 millisecond pause
in service or some other nonmonetary measure (for example, out of
memory situations, memory overloads, data loss due to an SCI system
exceeding capacity limitations, excessive queuing or throttling), also
be an appropriate and effective means to measure certain events about
which an SCI entity should disseminate information to its members or
participants? If so, what are they and why? Should any such
measurements vary based on the type of SCI system involved? If so, how?
Please be specific.
49. Are there any other types of systems disruptions that should be
required to be disseminated to members or participants? If so, please
explain why. Should, for example, information relating to a systems
disruption be required to be disseminated to members or participants
if it affects a certain number of market participants? If so, how
should such a level (number of market participants) be determined?
4. Material Systems Changes
Rule 1000(a) of proposed Regulation SCI would define ``material
systems change'' as ``a change to one or more: (1) SCI systems of an
SCI entity that: (i) Materially affects the existing capacity,
integrity, resiliency, availability, or security of such systems; (ii)
relies upon materially new or different technology; (iii) provides a
new material service or material function; or (iv) otherwise materially
affects the operations of the SCI entity; or (2) SCI security systems
of an SCI entity that materially affects the existing security of such
systems.'' \165\ This proposed definition of ``material systems
change'' is substantively similar to the definition of ``significant
system change'' discussed in the ARP II Release.\166\
---------------------------------------------------------------------------
\165\ See proposed Rule 1000(a). See also infra Sections III.C.4
and III.C.6 discussing notices of material systems changes and
reports of material systems changes, respectively.
\166\ See ARP II Release, supra note 1, at 22592-93. See also
2001 Staff ARP Interpretive Letter, supra note 35 (citing ARP II,
supra note 1, at 22492-93: ``ARP II provides a non-exclusive list of
factors that should be considered in determining whether a system
change is significant and should be reported. The list includes a
change that: (1) Affects existing capacity or security; (2) in
itself raises capacity or security issues, even if it does not
affect other existing systems; (3) relies upon substantially new or
different technology; (4) is designed to provide a new service or
function for SRO members or their customers; or (5) otherwise
significantly affects the operations of the entity.'').
---------------------------------------------------------------------------
Item (1)(i) of the proposed definition of material systems change
differs from item (1) in the definition in the ARP II Release of
``significant system change,'' as proposed item (1)(i) refers to
changes to an SCI entity's SCI systems that affect not only capacity
and security, but also integrity, resiliency, and availability.\167\
Items (1)(ii) and (1)(iii) in the proposed definition of material
systems change are intended to be substantively identical to items (3)
and (4) of the definition of significant system change in the 2001
Staff ARP Interpretive Letter, generally covering changes to an SCI
entity's SCI systems designed to advance systems development.\168\
Proposed item (1)(iv), covering a change to an SCI entity's SCI systems
that ``otherwise materially affects the operations of the SCI entity,''
is intended to require notification of major systems changes to SCI
systems that are not captured by other elements of paragraph (1) of the
proposed definition. Proposed item (2), covering a change to an SCI
entity's SCI security systems that ``materially affects the existing
security of such systems,'' is intended to ensure that significant
changes that would affect the security of an SCI entity's SCI security
systems (i.e., systems that share network resources with SCI systems
that, if breached, would be reasonably likely to pose a security threat
to SCI systems) \169\ are reported to the Commission.
---------------------------------------------------------------------------
\167\ Proposed item (1)(i) consolidates items (1) and (2) of the
definition of significant system change in the 2001 Staff ARP
Interpretive Letter. The Commission believes that the addition of
integrity, resiliency, and availability aspects of SCI systems that
are important in today's automated trading environments
appropriately reflects the evolution of the types of systems issues
since the 2001 Staff ARP Interpretive Letter.
\168\ In addition, each of proposed items (1)(i) through
(1)(iii) covers changes that concern the adequacy of capacity
estimates, testing, and security measures taken by an SCI entity,
for which adequate procedures are required by proposed Rule
1000(b)(1). See infra Section III.C.1.
\169\ See supra Section III.B.2 (discussing definition of SCI
security system).
---------------------------------------------------------------------------
Examples that the Commission preliminarily believes could be
included within the proposed definition of material systems change are:
Major systems architecture changes; reconfigurations of systems that
would cause a variance greater than five percent in throughput or
storage; the introduction of new business functions or services;
changes to external interfaces; changes that could increase
susceptibility to major outages; changes that could increase risks to
data
[[Page 18106]]
security; changes that were, or would be, reported to or referred to
the entity's board of directors, a body performing a function similar
to the board of directors, or senior management; and changes that could
require allocation or use of significant resources. These examples are
cited in the 2001 Staff ARP Interpretive Letter.\170\ Based on
Commission staff's experience working with SROs that have relied on the
guidance provided in the 2001 Staff ARP Interpretive Letter, the
Commission preliminarily believes that such examples could continue to
be relevant guidance to SCI SROs as well as to other SCI entities. In
addition, the Commission preliminarily believes that any systems change
occurring as a result of the discovery of an actual or potential
systems compliance issue, as that term would be defined in proposed
Rule 1000(a), would be material.
---------------------------------------------------------------------------
\170\ See supra note 35.
---------------------------------------------------------------------------
Based on its experience with SROs and other entities reporting
significant systems changes in the context of the ARP Inspection
Program, the Commission preliminarily believes that the proposed
definition of material systems change is appropriate for all SCI
entities. The Commission preliminarily believes that proposed items
(1)(i)-(iv) and (2), which would cover changes affecting capacity
estimates, security measures, the use of new technology and new
functionality, could also highlight the need for SCI entities that are
SROs, when applicable, to file a proposed rule change with the
Commission under Section 19(b) of the Exchange Act and SCI entities
that are SROs to file proposed amendments for SCI Plans under Rule 608
of Regulation NMS.\171\ As the Commission noted in ARP II, the purpose
of urging SROs to notify Commission staff of significant system changes
was not to supplant or provide an alternative means for SROs to satisfy
their obligations to file proposed rule changes as required by the
Exchange Act.\172\ Rather, under ARP II, the Commission was primarily
concerned with fulfilling its oversight responsibilities and was also
interested in obtaining a full view and understanding of systems
development at SROs.\173\ Likewise, the proposal to require an SCI
entity to notify the Commission of material systems changes would not
relieve an SCI SRO of any obligation it may have to file a proposed
rule change, the participants of an SCI Plan to file a proposed
amendment to such SCI Plan, or any other obligation any SCI entity may
have under the Exchange Act or rules thereunder.\174\
---------------------------------------------------------------------------
\171\ Section 19(b)(1) of the Exchange Act requires an SRO to
file proposed rules and proposed rule changes with the Commission in
accordance with rules prescribed by the Commission. See 15 U.S.C.
78s(b)(1). Section 19(b)(1) further requires the Commission to
solicit public comment on any proposed rule change filed by an SRO.
See id. Rule 608(a)(1) of Regulation NMS under the Exchange Act, 17
CFR 242.608(a)(1), permits ``self-regulatory organizations, acting
jointly, [to] file a national market system plan or [to] propose an
amendment to an effective national market system plan.'' Rule 608(b)
of Regulation NMS, 17 CFR 242.608(b), requires the Commission to
publish such proposed national market system plan or national market
system plan amendment for notice and comment, and, in certain
situations, approve such NMS plan or plan amendment before it may
become effective.
\172\ See ARP II, supra note 1, at 22493. ARP II explained that
because the rule change process pursuant to Section 19(b) of the
Exchange Act and Rule 19b-4 thereunder ``imposes shortened
timeframes for action on proposed rule changes and because not all
systems changes trigger the need for changes to rules of the SROs,''
the rule change process was not providing staff with timely and
complete detail on various significant systems changes occurring at
the SROs. The policy of urging SROs to provide timely and accurate
information on systems changes was intended as an adjunct to, and
not a substitution for, the rule change process. See id.
\173\ See id. at 22493-94, n. 20.
\174\ See infra request for comment in Section III.C.1.b,
wherein the Commission solicits comment on whether SCI SROs should
be required to provide notice to their members of anticipated
technology deployments prior to implementation and offer their
members the opportunity to test anticipated technology deployments
prior to implementation.
---------------------------------------------------------------------------
Request for Comment
50. The Commission requests comment generally on the proposed
definition of ``material systems change.'' Is the proposed definition
of material systems change clear? Should the Commission provide
additional guidance on, or further define what would constitute a
``material systems change?'' Are there other factors that should be
included? Please be specific and give examples of types of system
changes that should be included in the proposed definition but
currently are not.
51. The Commission sets forth above examples of systems changes
that it preliminarily believes could be included within the proposed
definition of material systems change (i.e., major systems architecture
changes; reconfigurations of systems that would cause a variance
greater than five percent in throughput or storage; the introduction of
new business functions or services; changes to external interfaces;
changes that could increase susceptibility to major outages; changes
that could increase risks to data security; changes that were, or would
be, reported to or referred to the entity's board of directors, a body
performing a function similar to the board of directors, or senior
management; and changes that could require allocation or use of
significant resources). Do commenters agree each of these examples
could constitute material systems changes? Why or why not?
52. Should any of the proposed factors be eliminated or refined? If
so, please explain. Should material systems changes be defined to
include cumulative systems changes over a specified period that might
not otherwise qualify individually as a material systems change? For
example, if systems changes (such as reconfigurations of systems that
would cause a variance greater than five percent in throughput or
storage) occurred that, on their own, each would not constitute a
material systems change but, if grouped together with other similar or
even identical changes (or, alternatively, that occurred repeatedly
over a certain period of time such as a week or a month) could
represent a material systems change, should such changes together be
considered a material systems change? If so, what would be the
appropriate number of similar or identical systems changes that should
be considered and/or what would be an appropriate time period to
consider? Should all non-material systems changes count towards this
threshold or should only non-material systems changes of the same or
similar type count? Would cumulative changes over a week be an
appropriate measurement period? Would a 30-day measurement period be
appropriate? Should the period be longer or shorter? Please explain.
53. Do commenters believe that a change to the SCI systems of an
SCI entity that ``materially affects the existing capacity, integrity,
resiliency, availability, or security of such systems'' should
constitute a material systems change as proposed? Why or why not?
Should a change with respect to any of the proposed characteristics of
such systems (i.e., capacity, integrity, resiliency, availability, or
security) be eliminated or modified? Should any be added? Please
explain.
54. Should a change to the SCI systems of an SCI entity that
``relies upon materially new or different technology'' constitute a
material systems change as proposed? Why or why not? Is the phrase
``materially new or different'' sufficiently clear? If not, please
explain.
55. Should a change to an SCI entity's SCI systems that ``provides
a new material service or material function'' constitute a material
systems change as proposed? Why or why not? Is the phrase ``a new
material service or
[[Page 18107]]
material function'' sufficiently clear? If not, please explain.
56. Do commenters believe it is appropriate to include a change to
an SCI entity's SCI systems that ``otherwise materially affects the
operations of the SCI entity'' as proposed? Why or why not? Please
explain.
57. Do commenters believe that a change to the SCI security systems
of an SCI entity that ``materially affects the existing security of
such systems'' should constitute a material systems change as proposed?
Why or why not? Please explain.
58. Do commenters believe the rule should include quantitative
criteria or other minimum thresholds for the effect of a change to an
SCI entity's SCI systems or SCI security systems beyond which the
Commission must be notified of the change? Why or why not? If so, what
should such quantitative criteria or other minimum thresholds be and
why?
59. How often do SCI entities currently make material systems
changes? How often do SCI SROs make material systems changes and what
percentage of the time are such changes filed with the Commission as
proposed rule changes under Section 19 of the Exchange Act?
C. Proposed Rule 1000(b): Obligations of SCI Entities
Paragraph (b) of proposed Rule 1000 would set forth requirements
that would apply to SCI entities relating to written policies and
procedures, obligations with regard to corrective actions, reporting of
SCI events to the Commission, dissemination of information relating to
certain SCI events to members or participants, reporting of material
systems changes, SCI reviews, and the participation of designated
members or participants of SCI entities in testing the business
continuity and disaster recovery plans of SCI entities.
1. Policies and Procedures To Safeguard Capacity, Integrity,
Resiliency, Availability, and Security \175\
---------------------------------------------------------------------------
\175\ See infra Sections IV.D.1.a and V.B for discussions
related to current practices of SCI entities.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(1) would require each SCI entity to
establish, maintain, and enforce written policies and procedures,
reasonably designed to ensure that its SCI systems and, for purposes of
security standards, SCI security systems, have levels of capacity,
integrity, resiliency, availability, and security, adequate to maintain
the SCI entity's operational capability and promote the maintenance of
fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further
provide that such policies and procedures include, at a minimum: ``(A)
The establishment of reasonable current and future capacity planning
estimates; (B) periodic capacity stress tests of such systems to
determine their ability to process transactions in an accurate, timely,
and efficient manner; (C) a program to review and keep current systems
development and testing methodology for such systems; (D) regular
reviews and testing of such systems, including backup systems, to
identify vulnerabilities pertaining to internal and external threats,
physical hazards, and natural or manmade disasters; (E) business
continuity and disaster recovery plans that include maintaining backup
and recovery capabilities sufficiently resilient and geographically
diverse to ensure next business day resumption of trading and two-hour
resumption of clearance and settlement services following a wide-scale
disruption; and (F) standards that result in such systems being
designed, developed, tested, maintained, operated, and surveilled in a
manner that facilitates the successful collection, processing, and
dissemination of market data.'' \176\ Proposed Rule 1000(b)(1)(ii)
would deem an SCI entity's policies and procedures required by proposed
Rule 1000(b)(1) to be reasonably designed if they are consistent with
SCI industry standards.\177\ In particular, for purposes of complying
with proposed Rule 1000(b)(1), if an SCI entity has policies and
procedures that are consistent with such SCI industry standards, as
discussed further in Section III.C.1.b below, such policies and
procedures would be deemed to be reasonably designed and thus the SCI
entity would be in compliance with proposed Rule 1000(b)(1). In
addition, under proposed Rule 1000(b)(1)(ii), compliance with the
identified SCI industry standards would not be the exclusive means to
comply with the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------
\176\ See proposed Rule 1000(b)(1)(i)(A)-(F).
\177\ See infra Section III.C.1.b.
---------------------------------------------------------------------------
a. Proposed Rule 1000(b)(1)(i)
Proposed Rule 1000(b)(1) would require that an SCI entity have
policies and procedures that address items (i)(A)-(F) for its SCI
systems and, for purposes of security standards, SCI security systems.
Items (A)-(C) enumerated in proposed Rule 1000(b)(1)(i) are
substantively the same as the requirements of Rule 301(b)(6)(ii)(A)-(C)
of Regulation ATS, applicable to significant-volume alternative trading
systems, and trace their origin to the ARP I Release.\178\ With respect
to SCI systems and, as applicable, SCI security systems, proposed item
(A), which would require an SCI entity to establish, maintain, and
enforce policies and procedures for the establishment of reasonable
current and future capacity planning estimates, and proposed item (B),
which would require an SCI entity to establish, maintain, and enforce
policies and procedures for periodic capacity stress tests of such
systems, would help an SCI entity determine its systems' ability to
process transactions in an accurate, timely, and efficient manner, and
thereby help ensure market integrity. Proposed item (C), which would
require an SCI entity to establish, maintain, and enforce policies and
procedures that include a program to review and keep current systems
development and testing methodology for such systems, would help ensure
that the SCI entity continues to monitor and maintain systems capacity
and availability.
---------------------------------------------------------------------------
\178\ See 17 CFR 242.301(b)(6)(ii)(A)-(C); see also ARP I
Release, supra note 1, at 48706-07.
---------------------------------------------------------------------------
Proposed item (D), which would require an SCI entity to establish,
maintain, and enforce policies and procedures to review and test
regularly such systems, including backup systems, to identify
vulnerabilities pertaining to internal and external threats, physical
hazards, and natural or manmade disasters, would likewise assist an SCI
entity in ascertaining whether its SCI systems and SCI security systems
are and remain sufficiently secure and resilient. Unlike Rule
301(b)(6)(ii)(D) of Regulation ATS, proposed item (D) includes
``manmade disasters'' in the list of vulnerabilities an SCI entity
would be required to consider and protect against. The Commission
proposes to add ``manmade disasters'' to be clear that acts of
terrorism and sabotage--threats that some SCI entities have faced in
recent history \179\--are threats that an SCI entity must prepare for
in reviewing and testing its systems and operations.
---------------------------------------------------------------------------
\179\ See, e.g., supra note 61.
---------------------------------------------------------------------------
Proposed items (B), (C), and (D) would each require, among other
things, the establishment of policies and procedures relating to
various aspects of systems testing, including capacity stress tests,
testing methodology, and tests for systems vulnerabilities to internal
and external threats, physical hazards, and natural or manmade
disasters, respectively. The Commission preliminarily believes that, to
help ensure an effective testing regime, such
[[Page 18108]]
policies and procedures would need to address when testing with
members, participants, and other market participants would be
appropriate.\180\
---------------------------------------------------------------------------
\180\ See also the Commission's request for comment in infra
Sections III.C.1.b and III.C.7, on whether proposed Regulation SCI
should be more prescriptive regarding testing standards and
requirements in light of comments on testing made by Roundtable
panelists and commenters, and the closure of the national securities
exchanges in the wake of Superstorm Sandy, as discussed in the text
accompanying supra notes 78-83.
---------------------------------------------------------------------------
Proposed item (E), which would require SCI entities to establish,
maintain, and enforce policies and procedures for business continuity
and disaster recovery plans, is substantially similar to a requirement
in Rule 301(b)(6)(ii) of Regulation ATS and ARP I.\181\ However,
proposed item (E) would further require SCI entities to have plans for
maintaining backup and recovery capabilities sufficiently resilient and
geographically diverse to ensure next business day resumption of
trading and two-hour resumption of clearance and settlement services
following a wide-scale disruption. The proposed resiliency and
geographic diversity requirement is designed particularly to help
ensure that an SCI entity would be able to continue operations from the
backup site during a wide-scale disruption resulting from natural
disasters, terrorist activity, or other significant events. For
example, the Commission preliminarily believes that backup sites should
not rely on the same infrastructure components (e.g., transportation,
telecommunications, water supply, and electric power) used by the
primary site.\182\ The proposed next business day trading resumption
standard reflects the Commission's preliminary view that an SCI entity,
being part of the critical infrastructure of the U.S. securities
markets, should have plans to limit downtime caused by a wide-scale
disruption to less than one business day.\183\ Likewise, the proposed
two-hour resumption standard for clearance and settlement services,
which traces its origin to the 2003 Interagency White Paper,\184\
reflects the Commission's preliminary view that an SCI entity that is a
registered clearing agency or an ``exempt clearing agency subject to
ARP'' should have contingency plans to avoid a scenario in which
failure to settle transactions by the end of the day could present
systemic risk to the markets.\185\
---------------------------------------------------------------------------
\181\ See 17 CFR 242.301(b)(6)(ii)(E); ARP I Release, supra note
1, at 48706.
\182\ See 2003 Interagency White Paper, supra note 31.
As discussed further below in Section III.C.1.b, proposed Rule
1000(b)(1) would require an SCI entity to have policies and
procedures that are ``reasonably designed'' and ``adequate to
maintain [its] operational capability and promote the maintenance of
fair and orderly markets.'' Proposed Rule 1000(b)(1)(i)(E) would
require that such policies and procedures include ``business
continuity and disaster recovery plans that include maintaining
backup and recovery capabilities sufficiently resilient and
geographically diverse,'' (emphasis added) to ensure next business
day or two-hour resumption as applicable, following a wide-scale
disruption. While ``sufficient'' geographic diversity would be a
required element of reasonably designed business continuity and
disaster recovery plans, the proposed rule does not specify any
particular minimum distance or geographic location that would be
necessary to achieve the requisite level of geographic diversity.
Instead, the proposed rule focuses on the ability to achieve the
goal of resuming business within the applicable time frame in the
wake of a wide-scale disruption. As noted above, the Commission also
preliminarily believes that an SCI entity should have a reasonable
degree of flexibility to determine the precise nature and location
of its backup site depending on the particular vulnerabilities
associated with those sites, and the nature, size, technology,
business model, and other aspects of its business.
\183\ Standards with respect to resilient and geographically
remote back-up sites and resumption of operations are discussed in
the 2003 Interagency White Paper and the 2003 Policy Statement on
Business Continuity Planning for Trading Markets, and these
publications are proposed to be designated as industry standards in
the context of contingency planning. See 2003 Interagency White
Paper, supra note 31 and 2003 Policy Statement on Business
Continuity Planning for Trading Markets, supra note 32.
In addition, the 2003 Policy Statement on Business Continuity
Planning for Trading Markets urged SRO markets and ECNs to ``have a
business continuity plan that anticipates the resumption of trading
* * * no later than the next business day following a wide-scale
disruption.'' See supra note 32, at 56658.
\184\ See supra note 31. See also infra note 195, discussing
further the 2003 Interagency White Paper.
\185\ The Commission believes that all clearing agencies that
would be subject to proposed Regulation SCI (i.e., all of the
registered clearing agencies and the current ``exempt clearing
agency subject to ARP'') currently strive to adhere to this
standard.
---------------------------------------------------------------------------
Proposed item (F) would require SCI entities to have standards that
result in systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data. As the
Commission previously noted, when Congress mandated a national market
system in 1975, it emphasized that the systems for collecting and
distributing consolidated market data would ``form the heart of the
national market system.'' \186\ As a result of consolidated market
data, the public has ready access to a comprehensive, accurate, and
reliable source of information for the prices and volume of any NMS
stock at any time during the trading day.\187\ This information helps
to ensure that the public is aware of the best displayed prices for a
stock, no matter where they may arise in the national market
system.\188\ It also enables investors to monitor the prices at which
their orders are executed and assess whether their orders received best
execution.\189\ Further, as noted above, one of the findings of the May
6 Staff Report is that ``fair and orderly markets require that the
standards for robust, accessible, and timely market data be set quite
high.'' \190\ The Commission believes that the accurate, timely and
efficient processing of data is similarly important to the proper
functioning of the securities markets. For example, if a clearing
agency were not able to process data accurately, settlements could
potentially be impacted. Similarly, if an exchange does not process
trades accurately, erroneous executions could occur.
---------------------------------------------------------------------------
\186\ See Concept Release on Equity Market Structure, supra note
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93
(1975)).
\187\ See id.
\188\ See id.
\189\ See id. The benefits of consolidated market data discussed
here are true for the options markets as well.
\190\ See May 6 Staff Report, supra note 56, at 8.
---------------------------------------------------------------------------
Consistent with these goals and Congress's statement, proposed item
(F) would be a new requirement that has no precedent in either Rule
301(b)(6) of Regulation ATS or the ARP policy statements and would
require SCI entities to have ``standards that result in such systems
being designed, developed, tested, maintained, operated, and surveilled
in a manner that facilitates the successful collection, processing, and
dissemination of market data.'' \191\ The Commission preliminarily
believes that proposed item (F) would assist an SCI entity in ensuring
that its market data systems are designed to maintain market integrity.
---------------------------------------------------------------------------
\191\ This proposed requirement is consistent with Rule 603(a)
of Regulation NMS, which states that any ``* * * broker or dealer
with respect to information for which it is the exclusive source,
that distributes information with respect to quotations for or
transactions in an NMS stock to a securities information processor
shall do so on terms that are fair and reasonable.'' In adopting
Regulation NMS, the Commission stated that Rule 603(a) ``prohibits
an SRO or broker-dealer from transmitting data to a vendor or user
any sooner than it transmits the data to a Network processor.'' Rule
603(a) by its terms applies only to NMS stocks. See supra note 121.
See also 17 CFR 242.603(a).
---------------------------------------------------------------------------
b. Proposed Rule 1000(b)(1)(ii)
Proposed Rule 1000(b)(1) would generally require that each SCI
entity's policies and procedures be reasonably designed to ensure that
its SCI systems and, for purposes of security standards, SCI security
systems, ``have levels of capacity, integrity, resiliency,
availability, and security, adequate to maintain the SCI entity's
operational capability and promote the maintenance
[[Page 18109]]
of fair and orderly markets.'' As discussed above, proposed Rule
1000(b)(1)(i) would also require that an SCI entity have policies and
procedures that address items (A)-(F). The Commission notes that SCI
entities that are ARP participants have been applying the ARP I
principles underlying proposed Rule 1000(b)(1)(i)(A)-(F) for many
years. However, while the items enumerated in proposed Rule
1000(b)(1)(i)(A)-(F) identify the areas that would be required to be
addressed by an SCI entity's policies and procedures, the Commission is
not proposing to prescribe the specific policies and procedures an SCI
entity must follow to comply with the requirements of proposed Rule
1000(b)(1). Instead, the Commission intends to, and preliminarily
believes that the proposed requirements as written would, provide SCI
entities sufficient flexibility, based on the nature, size, technology,
business model, and other aspects of their business, to identify
appropriate policies and procedures that would meet the articulated
standard, namely that they be reasonably designed to ensure that their
systems have levels of capacity, integrity, resiliency, availability,
and security adequate to maintain the SCI entity's operational
capability and promote the maintenance of fair and orderly markets.
However, the Commission also preliminarily believes that it would be
helpful to SCI entities to provide additional guidance about one way in
which they might elect to satisfy this general standard in proposed
Rule 1000(b)(1). Therefore, the Commission is proposing Rule
1000(b)(1)(ii), which would provide that, for purposes of complying
with proposed Rule 1000(b)(1), an SCI entity's policies and procedures
would be deemed to be reasonably designed, and thus satisfy the
requirements of proposed Rule 1000(b)(1), if they are consistent with
current SCI industry standards. Proposed Rule 1000(b)(1)(ii) further
states that such SCI industry standards shall be: (A) comprised of
information technology practices that are widely available for free to
information technology professionals in the financial sector; and (B)
issued by an authoritative body that is a U.S. governmental entity or
agency, association of U.S. governmental entities or agencies, or
widely recognized organization. Proposed Rule 1000(b)(1)(ii) would
additionally provide that compliance with the SCI industry standards
identified in the proposal would not be the exclusive means to comply
with the requirements of paragraph (b)(1). As noted above, the
Commission intends to, and preliminarily believes that the proposed
requirements as written would, provide SCI entities sufficient
flexibility, based on the nature, size, technology, business model, and
other aspects of their business, to identify appropriate policies and
procedures to comply with proposed Rule 1000(b)(1).
The Commission is proposing this approach because it preliminarily
believes that providing additional guidance on the types of industry
standards that would satisfy the requirements of proposed Rule
1000(b)(1) could assist an SCI entity in determining how to best
allocate resources to maintain its systems' operational capability, and
promote the maintenance of fair and orderly markets.\192\ The
Commission acknowledges that current industry standards applicable to
SCI entities have been developed in a number of areas to help ensure
that systems have adequate capacity, integrity, resiliency,
availability, and security. Accordingly, the current SCI industry
standards that would be deemed to be reasonably designed for purposes
of proposed Rule 1000(b)(1) are not limited to the SCI industry
standards discussed and contained in the publications identified in
Table A below, but rather may be found in a variety of publications,
issued by a range of sources. The Commission acknowledges that an SCI
entity's choice of a current SCI industry standard in a given domain or
subcategory thereof may be different than those contained in the
publications identified in Table A. Further, some of the identified
standards may be more relevant for some SCI entities than others, based
on the nature and amount of their respective activities. Thus, the
Commission's proposed approach is designed to provide a non-exclusive
method of compliance.
---------------------------------------------------------------------------
\192\ See infra Sections V.B and V.C, discussing market failures
and the anticipated economic benefits of proposed Regulation SCI.
Each SCI entity, to the extent it seeks to rely on SCI industry
standards in complying with proposed Rule 1000(b)(1), would have
discretion to identify those industry standards that provide an
appropriate way for it to comply with the requirements set forth in
the rule, given its technology, business model, and other factors.
---------------------------------------------------------------------------
The Commission preliminarily believes that the publications set
forth in Table A below \193\ contain examples of SCI industry standards
that an SCI entity may elect to look to in establishing its policies
and procedures under proposed Rule 1000(b)(1). However, as proposed
Rule 1000(b)(1)(ii) makes clear, compliance with such current SCI
industry standards would not be the exclusive means to comply with the
requirements of proposed Rule 1000(b)(1). Thus, as proposed, written
policies and procedures that are consistent with the relevant examples
of SCI industry standards contained in the publications identified in
Table A, would be deemed to be ``reasonably designed'' for purposes of
proposed Rule 1000(b)(1). The publications identified in Table A cover
nine inspection areas, or ``domains,'' that have evolved over the past
20 years of the ARP Inspection Program and that are relevant to SCI
entities' systems capacity, integrity, resiliency, availability, and
security, namely: Application controls; capacity planning; computer
operations and production environment controls; contingency planning;
information security and networking; audit; outsourcing; physical
security; and systems development methodology.
---------------------------------------------------------------------------
\193\ Each of these publications would meet the proposed
criteria that they be: (i) Information technology practices that are
widely available for free to information technology professionals in
the financial sector; and (ii) issued by an authoritative body that
is a U.S. governmental entity or agency, association of U.S.
governmental entities or agencies, or widely recognized
organization. See proposed Rule 1000(b)(1)(ii).
---------------------------------------------------------------------------
The publications included in Table A set forth industry standards
that the Commission understands are currently used by information
technology and audit professionals in the financial and government
sectors. These industry standards have been issued primarily by NIST
and FFIEC. NIST, an agency within the U.S. Department of Commerce, has
issued special publications regarding information technology systems.
The FFIEC is a U.S. intergovernmental body that prescribes uniform
principles and practices for the examination of certain financial
institutions by U.S. regulators, and has issued publications on
numerous topics, including development and acquisition of applications,
computer operations, outsourcing technology, business continuity
planning, information security, and internal audits.\194\ In addition
to these standards issued by FFIEC and NIST, financial regulatory
agencies, including the Commission, provided guidance on business
continuity and disaster recovery plans
[[Page 18110]]
in the 2003 Interagency White Paper \195\ and the 2003 Policy Statement
on Business Continuity Planning for Trading Markets.\196\
---------------------------------------------------------------------------
\194\ The federal agencies represented on the FFIEC are the
Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the National Credit Union
Administration, Office of the Comptroller of the Currency, and the
Consumer Financial Protection Bureau.
\195\ See 2003 Interagency White Paper, supra note 31. In the
2003 Interagency White Paper, which was issued jointly by the
Commission, the Board of Governors of the Federal Reserve System,
and the Office of the Comptroller of the Currency, the agencies
identified a broad consensus on three important business continuity
objectives: (1) Rapid recovery and timely resumption of critical
operations following a wide-scale disruption; (2) rapid recovery and
timely resumption of critical operations following the loss or
inaccessibility of staff in at least one major operating location;
and (3) a high level of confidence, through ongoing use or robust
testing, that critical internal and external continuity arrangements
are effective and compatible. See id. at 17811.
The agencies also identified sound practices for core clearing
and settlement organizations and firms that play significant roles
in critical financial markets. They stated that in this context,
``core clearing and settlement organizations'' consist of market
utilities that provide clearing and settlement services for critical
financial markets or act as large-value payment system operators and
present systemic risk to the markets should they be unable to
perform. ``Firms that play significant roles in critical financial
markets'' refers to organizations whose participation in one or more
critical financial markets is significant enough that their failure
to settle their own or their customers' material pending
transactions by the end of the day could present systemic risk to
the markets. The sound practices address the risks of a wide-scale
disruption and strengthen the resilience of the financial system.
They also reduce the potential that key market participants will
present systemic risk to one or more critical markets because
primary and back-up processing facilities and staffs are
concentrated within the same geographic region.
The sound practices are as follows. First, identify clearing and
settlement activities in support of critical financial markets.
These activities include the completion of pending large-value
payments; clearance and settlement of material pending transactions;
meeting material end-of-day funding and collateral obligations
necessary to ensure the performance of pending large-value payments
and transactions; and updating records of accounts. Second,
determine appropriate recovery and resumption objectives for
clearing and settlement activities in support of critical markets.
In this regard, core clearing and settlement organizations are
expected to develop the capacity to recover and resume clearing and
settlement activities within the business day on which the
disruption occurs with the overall recovery goal of two hours after
an event. Third, maintain sufficient geographically dispersed
resources to meet recovery and resumption objectives. The 2003
Interagency White Paper states that back-up arrangements should be
as far away from the primary site as necessary to avoid being
subject to the same set of risks as the primary location and should
not rely on the same infrastructure components used by the primary
site. Fourth, routinely use or test recovery and resumption
arrangements. This includes regular tests of internal recovery and
resumption arrangements as well as cross-organization tests to
ensure the effectiveness and compatibility of recovery and
resumption strategies within and across critical markets. See id. at
17811-13.
\196\ See supra note 32. The Commission's policy statement
applies more broadly to all ``SRO markets'' and ECNs, not just those
that play ``significant roles in critical financial markets,'' as
discussed in the 2003 Interagency White Paper. Each SRO market and
ECN is expected to (1) have in place a business continuity plan that
anticipates the resumption of trading in the securities traded by
that market no later than the next business day following a wide-
scale disruption; (2) maintain appropriate geographic diversity
between primary and back-up sites in order to assure resumption of
trading activities by the next business day; (3) assure the full
resilience of shared information streams, such as the consolidated
market data stream generated for the equity and options markets; and
(4) confirm the effectiveness of the back-up arrangements through
testing. See id. at 56658.
---------------------------------------------------------------------------
Also included in Table A is a publication issued by the Institute
of Internal Auditors (``IIA''). The IIA is an international
professional association that has developed and published guidance
setting forth industry best practices in internal auditing for internal
audit professionals. It has more than 175,000 members in 165 countries
and territories around the world.\197\ IIA is also a credentialing
organization, awarding the Certified Internal Auditor (CIA), Certified
Government Auditing Professional (CGAP), Certified Financial Services
Auditor (CFSA), Certification in Control Self-Assessment (CCSA), and
Certification in Risk Management Assurance (CRMA) certifications to
those who meet the requirements.\198\ The Commission preliminarily
believes these factors support identification of IIA as an
authoritative body that is a widely recognized organization.
---------------------------------------------------------------------------
\197\ See IIA's 2011 Annual Report, available at: https://na.theiia.org/about-us/Pages/Annual-Reports.aspx.
\198\ See id.
---------------------------------------------------------------------------
In addition, one of the publications identified in Table A is
issued by the Security Benchmarks division of the Center for Internet
Security (``CIS''). The CIS is a not-for-profit organization focused on
enhancing the cybersecurity readiness and response of public and
private sector entities. The CIS Security Benchmarks division
facilitates the development of industry best practices for security
configuration, tools for measuring information security status, and
resources to assist entities in making security investment
decisions.\199\ Its members include commercial organizations, academic
organizations, government agencies, and security service, consulting,
and software organizations.\200\ According to the CIS, its benchmarks
are regularly referred to by U.S. government agencies for compliance
with information security rules and regulations.\201\ The Commission
preliminarily believes these factors support a determination that CIS
is an authoritative body that is a widely recognized organization.
---------------------------------------------------------------------------
\199\ See http://benchmarks.cisecurity.org/en-us/?route=default.about.
\200\ See http://benchmarks.cisecurity.org/en-us/?route=membership.
\201\ The CIS states that its benchmarks are widely accepted by
U.S. government agencies for compliance with the Federal Information
Security Management Act (FISMA), Gramm-Leach-Bliley Act, Sarbanes-
Oxley Act, The Health Insurance Portability and Accountability Act
of 1996 (HIPAA), and other regulatory requirements for
information security. See http://benchmarks.cisecurity.org/en-us/?route=membership.
---------------------------------------------------------------------------
Table A lists the publication(s) that the Commission has
preliminarily identified as SCI industry standard(s) in each domain
that an SCI entity, taking into account its nature, size, technology,
business model, and other aspects of its business, could, but is not
required to, use to establish, maintain, and enforce reasonably
designed policies and procedures that satisfy the requirements of
proposed Rule 1000(b)(1). Thus, the Commission is proposing that the
industry standards contained in the publications identified in Table A
be one example of ``current SCI industry standards'' for purposes of
proposed Rule 1000(b)(1), and requests commenters' views on the
appropriateness of each publication identified in Table A as a
``current SCI industry standard.'' Each listed publication is
identified with specificity, and includes the particular publication's
date, volume number, and/or publication number, as the case may be.
Thus, to the extent an SCI entity seeks to rely on SCI industry
standards for purposes of complying with proposed Rule 1000(b)(1)(ii),
the Commission intends SCI entities that establish policies and
procedures based on the SCI industry standards contained in the
publications set forth in Table A to enforce written policies and
procedures, taking into account their nature, size, technology,
business model, and other aspects of their business, consistent with
relevant standards, even if the issuing organization were to
subsequently update a given industry practice, until such time as the
list of SCI industry standards were to be updated, as discussed
below.\202\ Of course, SCI entities could elect to use standards
contained in the publications other than those identified on Table A to
satisfy the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------
\202\ See discussion in this Section III.C.1.b following Table A
below.
\203\ The Commission recently adopted a similar contingency
planning practice in Rule 17Ad-22(d)(4) that requires registered
clearing agencies to have policies and procedures designed to
identify sources of operational risk and minimize those risks
through the development of appropriate systems controls and
procedures. See Securities Exchange Act Release No. 68080 (October
22, 2012), 77 FR 66220 (November 2, 2012). See also supra note 95.
[[Page 18111]]
Table A--Publications Relating to Industry Standards in 9 Domains
----------------------------------------------------------------------------------------------------------------
Domain                                                            Industry standards
----------------------------------------------------------------------------------------------------------------
Application Controls............................................. NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Capacity Planning................................................ FFIEC, Operations IT Examination Handbook (July 2004), available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.
Computer Operations and Production Environment Controls.......... NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Contingency Planning (BCP) \203\................................. NIST Contingency Planning Guide for Federal Information Systems (Special Publication 800-34 Rev. 1), available at: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.
                                                                  2003 Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Securities Exchange Act Release No. 47638 (April 8, 2003), 68 FR 17809 (April 11, 2003), available at: http://www.sec.gov/news/studies/34-47638.htm.
                                                                  2003 Policy Statement on Business Continuity Planning for Trading Markets, Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656 (October 1, 2003), available at: http://www.sec.gov/rules/policy/34-48545.htm.
Information Security and Networking.............................. NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
                                                                  NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144), available at: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
                                                                  The Center for Internet Security Configuration Benchmarks, available at: http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks.
Audit............................................................ FFIEC, Audit IT Examination Handbook (August 2003), available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.
                                                                  IIA, The Role of Internal Auditing in Enterprise-wide Risk Management, available at: http://www.theiia.org/iia and http://www.theiaa.org/index.
Outsourcing...................................................... FFIEC, Outsourcing Technology Services IT Examination Handbook (June 2004), available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.
Physical Security................................................ NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
Systems Development Methodology.................................. NIST Security Considerations in the System Development Life Cycle (Special Publication 800-64 Rev. 2), available at: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf.
----------------------------------------------------------------------------------------------------------------
As noted above, each of the publications listed in Table A is
intended to identify information technology practices that are widely
available for free to information technology professionals in the
financial sector and are issued by an authoritative body that is a U.S.
governmental entity or agency, association of U.S. governmental
entities or agencies, or widely recognized organization.
Although the industry standards contained in the publications
identified in Table A above are intended as an appropriate initial set
of industry standards under proposed Regulation SCI, the Commission
does not seek to foreclose the development, whether by the Commission
or otherwise, of a set of industry standards that is more focused on
the specific businesses and systems of SCI entities.\204\ In such a
case, the Commission preliminarily believes that it would be
appropriate to use the industry standards contained in the publications
listed in Table A as a starting point for such development.
---------------------------------------------------------------------------
\204\ Standards issued by the Commission itself would meet the
proposed criteria in that they would be: (i) Comprised of
information technology practices that are widely available for free
to information technology professionals in the financial sector; and
(ii) issued by an authoritative body that is a U.S. governmental
entity or agency, association of U.S. governmental entities or
agencies, or widely recognized organization.
---------------------------------------------------------------------------
Further, the Commission recognizes that systems and technologies
are continually evolving. As such, the standards identified in this
proposal would likely be updated from time to time by the organizations
issuing them. However, the Commission also preliminarily believes that,
following its initial identification of one set of SCI industry
standards, it may be appropriate to update the identified set of
standards from time to time through the periodic issuance of Commission
staff guidance. Accordingly, the Commission preliminarily believes it
would be appropriate for Commission staff, from time to time, to issue
notices to update the previously identified set of SCI industry
standards after receiving appropriate input from interested
persons.\205\ The Commission preliminarily believes that this approach
would provide the public, including SCI entities and other market
participants, an opportunity to comment on newly proposed SCI industry
standards. However, until such time as Commission staff were to update
the identified set of SCI industry standards, the then-current set of
SCI industry standards would be the standards referred to in proposed
Rule 1000(b)(1)(ii) of Regulation SCI.
---------------------------------------------------------------------------
\205\ As noted in the request for comment section below, the
Commission solicits comment on the ways in which appropriate input
from interested persons should be obtained for updating the SCI
industry standards.
---------------------------------------------------------------------------
As noted above, proposed Rule 1000(b)(1)(ii) would require that any
SCI industry standards be: (i) Comprised of information technology
practices that are widely available for free to information technology
professionals in the financial sector; and (ii) issued by an
authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or a widely
recognized organization.
[[Page 18112]]
Request for Comment
60. The Commission requests comment generally on proposed Rule
1000(b)(1). Do commenters believe the proposed scope of required
policies and procedures is appropriate? Why or why not? Please explain.
61. Do commenters believe that it is appropriate to apply the
requirements of proposed Rule 1000(b)(1) to SCI systems and, for
purposes of security standards, to SCI security systems? Why or why
not? Please explain.
62. Do commenters believe the enumeration of the items in proposed
Rule 1000(b)(1)(i)(A)-(F) that are to be addressed in the required
policies and procedures is appropriate? Why or why not? Specifically,
is the proposal to require that such policies and procedures include
the establishment of reasonable current and future capacity planning
estimates, as provided in proposed Rule 1000(b)(1)(i)(A), appropriate?
Why or why not?
63. Should the Commission specify the interval (e.g., monthly or
quarterly) at which SCI entities would be required to conduct periodic
capacity stress tests of relevant systems, as provided in proposed Rule
1000(b)(1)(i)(B)? Should such periodic tests be limited to a subset of
systems? If so, for which systems should such tests be required and why
would that limitation be appropriate?
64. Should the Commission require SCI entities to have a program to
review and keep current systems development and testing methodology, as
proposed to be required in proposed Rule 1000(b)(1)(i)(C)? Why or why
not?
65. Should the Commission specify the interval at which SCI
entities would be required to conduct reviews and tests of SCI systems
and SCI security systems, including backup systems, to identify
vulnerabilities pertaining to internal and external threats, physical
hazards, and natural or manmade disasters, as provided in proposed Rule
1000(b)(1)(i)(D)? Why or why not? And, if so, what would be appropriate
intervals and why?
66. The Commission notes that items (i)(B), (C), and (D) would each
require the establishment of policies and procedures for: Testing of
capacity, testing methodology, and testing for vulnerabilities,
respectively. The Commission also notes that the need for improved
testing was a recurring theme during the Roundtable and discussed in
several comment letters.\206\ The Commission requests comment on
whether the testing policies and procedures requirements in proposed
Rule 1000(b)(1)(i)(B), (C), and (D) would be sufficiently comprehensive
to foster development of the types of testing that Roundtable panelists
and commenters recommended. Why or why not? Please be specific. Should
the Commission require certain types of testing by SCI entities? Why or
why not? Please be specific. If so, what specific types of testing
should the Commission require in proposed Regulation SCI? Please
describe in detail.
---------------------------------------------------------------------------
\206\ See text accompanying supra note 72, discussing
recommendations by Roundtable panelists and commenters to lower
rates of error in software development by improving testing
opportunities and participation in testing by member firms. See also
text accompanying supra note 180.
---------------------------------------------------------------------------
67. Should the Commission require SCI entities to have, and make
available to their members or participants, certain infrastructure or
mechanisms that would aid industry-wide testing or direct testing with
an SCI entity, such as test facilities or test symbols? Why or why not?
If so, please specify what types of infrastructures or mechanisms
should be required.
68. Should the Commission require industry-wide testing for certain
types of anticipated technology deployments? \207\ Why or why not? If
so, what should be the criteria for identifying anticipated technology
deployments that warrant mandatory industry-wide testing and which
market participants should be required to participate? Please explain
in detail.
---------------------------------------------------------------------------
\207\ See also infra Section III.C.7 (discussing, among other
things, the requirement of proposed Rule 1000(b)(9)(ii) that an SCI
entity coordinate the testing of the SCI entity's business
continuity and disaster recovery plans, including its backup
systems, with other SCI entities).
---------------------------------------------------------------------------
69. Should the Commission require SCI entities to mandate that
their members or participants participate in direct testing with such
SCI entities for certain types of anticipated technology deployments by
the members or participants? \208\ Why or why not? If so, what should
be the criteria for identifying anticipated technology deployments that
warrant mandatory testing with an SCI entity? Should the Commission
identify such criteria, or should SCI entities identify such criteria?
Please explain.
---------------------------------------------------------------------------
\208\ See also infra Section III.C.7 (discussing, among other
things, the requirement of proposed Rule 1000(b)(9)(i) that an SCI
entity require participation by designated members or participants
in scheduled functional and performance testing of the operation of
the SCI entity's business continuity and disaster recovery plans,
including its backup systems).
---------------------------------------------------------------------------
70. Similarly, would proposed item (i)(E), regarding policies and
procedures for business continuity and disaster recovery plans, be
sufficiently comprehensive to foster the establishment of the types of
contingency plans discussed by Roundtable panelists and Roundtable
commenters, such as predetermined communication plans, escalation
procedures, and/or kill switches? \209\ Why or why not? Should proposed
Regulation SCI expressly require that an SCI entity's contingency plans
include such details? \210\ Why or why not? Please explain. Should SCI
entities' contingency plans and the testing of such plans be required
to account for specific types of disaster or threat scenarios, such as
an extreme volume surge, the failure of a major market participant,
and/or a terrorist or cyber attack? Why or why not? Please explain. If
so, what other types of scenarios should such plans take into account?
Please be specific.
---------------------------------------------------------------------------
\209\ See discussion of Roundtable in supra Section I.D. The
Commission is not proposing at this time any requirements related to
kill switches.
\210\ See also infra Section III.C.3.a, discussing proposed Rule
1000(b)(3), which would require an SCI entity, upon any responsible
SCI personnel becoming aware of an SCI event, to begin to take
appropriate corrective action, including, at a minimum, mitigating
potential harm to investors and market integrity resulting from the
SCI event and devoting adequate resources to remedy the SCI event as
soon as reasonably practicable, and the associated request for
comment.
---------------------------------------------------------------------------
71. There was considerable discussion at the Roundtable about kill
switches, with several panelists advocating the kill switch proposal
outlined in the Industry Working Group comment letter,\211\ while
others expressed concerns.\212\ The Commission is not proposing at this
time any requirements related to kill switches. However, do commenters
believe that the implementation of kill switches, as outlined in the
Industry Working Group comment letter, would assist SCI entities in
maintaining the integrity of their systems? Why or why not? If so, how,
if at all, should the Commission foster the development of coordinated
contingency plans among SCI SROs and SCI ATSs that would include such a
kill switch mechanism?
---------------------------------------------------------------------------
\211\ See letter from Industry Working Group, supra note 74 and
accompanying text.
\212\ See, e.g., letter from TDA, supra note 74.
---------------------------------------------------------------------------
72. Should the Commission include the criteria of geographic
diversity in the requirement relating to business continuity and
disaster recovery plans in proposed Rule 1000(b)(1)(i)(E)? Why or why
not? Please explain. Should the Commission specify minimum standards
for ``geographically diverse'' in proposed Rule 1000(b)(1)(i)(E)? Why
or why not? If so, what would be an appropriate standard?
73. Is the next business day resumption of trading following a
wide-scale disruption requirement in
[[Page 18113]]
proposed Rule 1000(b)(1)(i)(E) appropriate? Why or why not? Is the two-
hour resumption of clearance and settlement services following a wide-
scale disruption an appropriate requirement for an SCI entity that is a
registered clearing agency or ``exempt clearing agency subject to
ARP?'' Why or why not?
74. As discussed above, the U.S. national securities exchanges
closed for two business days in October 2012 in the wake of Superstorm
Sandy, even though the securities industry's annual test of how trading
firms, market operators, and their utilities could operate through an
emergency using backup sites, backup communications, and disaster
recovery facilities occurred without significant incident on October
27, 2012, just two days before the storm.\213\ As discussed in greater
detail below, proposed Rule 1000(b)(9) would require SCI entities to
mandate participation by designated members or participants in
scheduled testing of the operation of their business continuity and
disaster recovery plans, including backup systems, and to coordinate
such testing with other SCI entities.\214\ Are there other industry
practices related to proposed Regulation SCI that should be considered
further in light of the two-day closure of the U.S. securities markets
during the storm? If so, what are they? For example, for SCI entities
that are trading markets, should the Commission limit the extent to
which an SCI entity's business continuity and disaster recovery plans
may involve changing how trading may be conducted? For example, the
NYSE, pursuant to its rules, initially proposed to conduct trading only
electronically on October 29, 2012, using NYSE Arca systems, rather
than conduct trading both electronically as well as on a physical
trading floor, as it normally does.\215\ Should an SCI entity that is
experiencing a wide-scale disruption be permitted to offer its members
or participants an alternative that significantly differs from its
usual method of operation? Please explain. What are the costs and
benefits associated with each type of approach?
---------------------------------------------------------------------------
\213\ See supra Section I.D.
\214\ See infra Section III.C.7.
\215\ See supra Section I.D.
---------------------------------------------------------------------------
75. Should business continuity and disaster recovery plans
involving backup data centers be required to be tested in a live
``production'' environment on a periodic basis (e.g., annually, or at
some other frequency)? Why or why not? Please explain.
76. The Commission understands that certain entities that would be
defined as SCI entities (such as registered clearing agencies) are
already effectively operating under business resumption requirements of
less than one business day. Should the Commission consider revising the
proposed next business day resumption requirement for trading to a
shorter or longer period, for example, a specific number of hours less
or more than one business day or within the business day for certain
entities that play a significant role within the securities markets?
Why or why not? Similarly, should the proposed two-hour resumption
standard for clearance and settlement services be shortened or
lengthened? Why or why not?
77. Following a systems disruption (including, for example,
activation of an SCI entity's business continuity plan), should the
Commission require user testing and certification prior to resuming
operation of the affected systems? Why or why not? If so, what should
the testing requirements be? Should they vary depending on the type of
system(s) affected? To whom should an SCI entity certify that an
affected system or group of systems is ready to resume operation?
78. Is the requirement in proposed Rule 1000(b)(1)(i)(F) for
``standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of
market data'' appropriate? Are there other factors that the Commission
should consider in determining whether standards to process data are
adequate? Or, should some of the proposed standards be eliminated or
modified? If so, please explain how and why.
79. Do commenters believe there are specific internal controls or
other mechanisms that would reinforce the effectiveness of an SCI
entity's reasonably designed policies and procedures under proposed
Rule 1000(b)(1)? Why or why not? Please explain. How do SCI entities
presently use specific internal controls or other mechanisms to
maintain the SCI entity's operational capability and promote the
maintenance of fair and orderly markets? How do commenters generally
view the advantages and disadvantages of specific internal controls or
other mechanisms? The Commission is not proposing to prescribe specific
internal controls under proposed Rule 1000(b)(1). Should the Commission
propose that any particular internal controls or other mechanisms be
required (for example, that a senior officer be designated to be
responsible for the SCI entity's compliance with proposed Regulation
SCI, or that personnel of the SCI entity certify that the SCI entity's
policies and procedures are reasonably designed)?
80. Would any of the Commission's proposed requirements under
proposed Rule 1000(b)(1) create inappropriate barriers to entry for new
entities seeking to register with the Commission as an SRO, ATS, or
plan processor? Would any of the proposed requirements inappropriately
limit the growth or expansion of entities currently registered with the
Commission as an SRO, ATS, or plan processor? Why or why not?
81. As noted above, the Commission proposes that policies and
procedures would be deemed to be reasonably designed for purposes of
proposed Rule 1000(b)(1) if they are consistent with current SCI
industry standards. Do commenters agree with this approach? Why or why
not? What are the advantages or disadvantages of such an approach?
82. Do commenters believe that the publications listed in Table A
represent publications that are suitable for purposes of proposed Rule
1000(b)(1)(ii) and that should be the ``current SCI industry
standards'' for purposes of proposed Rule 1000(b)(1)(ii)? Why or why
not? If not, what publications would be appropriate? Do commenters
believe that SCI entities currently follow the industry standards
contained in the publications listed in Table A?
83. Are there areas within one of the nine identified domains that
these publications do not cover? For example, should the Commission
identify additional publications that provide industry standards for
specific areas such as personnel security or information security risk
management? If so, please identify any such publications that would be
appropriate for the Commission to apply to SCI entities. Are there
other areas that commenters believe are not covered at all by the
publications listed in Table A that should be included? If so, what
publications would be appropriate for such areas? Are there any areas
within one of the nine identified domains that commenters believe
should not be included? If so, why not?
84. Should any of the publications listed in Table A be eliminated?
If so, which ones and why? Are there any publications that should be
added? If so, which ones and why? Are there industry practices that
apply to, or are developed by, entities related to the securities
markets that should be considered? If so, what are they and why? Are
there any types of SCI entities for which the proposed publications
would not be appropriate? If so, which
[[Page 18114]]
types of entities and why? How should any such possible concerns be
addressed? The Commission notes that many of the publications in Table
A have been issued by either NIST or FFIEC. Do commenters believe that
SCI entities generally currently follow the industry standards issued
by one of these organizations more frequently than the other? If so,
which one and why? Is one organization's publications more appropriate
or preferable for SCI entities? If so, please explain. What are the
advantages and/or disadvantages of the publications issued by each
organization?
85. The Commission seeks comment on whether commenters believe that
the identified publications, and the industry standards within, are
adequate in terms of the detail, specificity and scope. Are there areas
in which the industry standards listed in the publications in Table A
should be modified to provide adequate guidance to SCI entities? If so,
please explain in detail. For example, the Commission understands that
many businesses, including SCI entities, now utilize cloud computing as
part of their operations, and the Commission has identified industry
standards with respect to cloud computing among the publications listed
in Table A. However, do commenters believe that these industry
standards provide an adequate level of specificity to allow an SCI
entity to ascertain how to comply with such standards? Further, do the
industry standards contained in the publications in Table A cover all
of the relevant areas related to a particular subject area (such as
cloud computing)? Similarly, the Commission notes that it has
identified publications with respect to capacity planning, but that the
industry standards in such publications focus primarily on continuity
of operations. As such, the Commission seeks comment on whether
commenters believe that the identified publications with respect to
capacity planning are adequate in terms of detail, specificity, and
scope. Specifically, do these publications provide an adequate level of
specificity to allow an SCI entity to ascertain how to comply with such
standards, and do the industry standards cover all of the necessary
areas related to a particular subject area such as capacity planning?
Why or why not? As noted above, compliance with the industry standards
contained in the publications in Table A would not be the exclusive
means to comply with the requirements of proposed Rule 1000(b)(1).
86. Do commenters agree with the Commission's proposed policies and
procedures approach to the requirements of proposed Rule 1000(b)(1)?
Why or why not? If not, is there another approach that is more
appropriate? If so, please describe and explain. Do commenters agree
with the Commission's proposed approach to deem an SCI entity's
policies and procedures to be reasonably designed if they are
consistent with current SCI industry standards, as provided for in
proposed Rule 1000(b)(1)(ii)? Why or why not? How do commenters believe
the actions of SCI entities might differ if such a provision were not
available? What are the costs and benefits of the Commission's
approach? What would be the costs and benefits of other approaches?
Please explain.
87. Do commenters agree or disagree with the Commission's proposed
criteria to evaluate publications suitable for inclusion on Table A as
an SCI industry standard and to update such list? Do commenters agree
with the proposed criteria that identified publications should be: (i)
Comprised of information technology practices that are widely available
for free to information technology professionals in the financial
sector; and (ii) issued by an authoritative body that is a U.S.
governmental entity or agency, association of U.S. governmental
entities or agencies, or widely recognized organization? Why or why
not? Are there other criteria that would be more appropriate? Should
the proposed criteria allow for a publication that may be available for
an incidental charge rather than being required to be available for
free? Why or why not? How frequently should such a list of publications
be updated and revised, and what should the process be to update and/or
revise it?
88. Are there SCI entities for which the proposed requirements in
Rule 1000(b)(1) would be inappropriate (e.g., not cost effective)? If
so, please identify such type of entity or entities, or the
characteristics of such entity or entities, and explain which proposed
requirements would be inappropriate and why. Would cost burden be an
appropriate reason to omit an SCI entity or proposed requirement
generally? Alternatively, would cost burden be an appropriate reason to
omit an SCI entity or proposed requirement, on a case-by-case basis, as
the Commission determined to be consistent with Exchange Act
requirements?
89. When the Commission adopts new rules, or when SCI SROs
implement rule changes, SCI SROs and their members often need to make
changes to their systems to comply with such new rules. Would the
requirements of proposed Rule 1000(b)(1) add additional time to this
process and would the requirements increase the amount of time SCI
entities would need to adjust their systems for Commission or SCI SRO
rule changes? If so, how much additional time would SCI SROs need to
adjust their systems? If not, should proposed Regulation SCI or another
Commission rule require SCI SROs to provide minimum advance notice to
their members of anticipated technology deployments prior to the
implementation of any associated new rule or rule change by the SCI
SRO? Why or why not? If so, how much advance notice should be required
(e.g., a few days, a week, 30 days, 60 days, some other period)? Along
with any such advance notice, should SCI SROs be required to offer
their members the opportunity to test such a change with the SCI SRO
prior to deployment of the new technology and implementation of any
associated new rule or rule change? Why or why not? Should there be a
similar requirement for other types of SCI entities? Why or why not? If
so, what types of entities and what sorts of requirements should be
included?
90. Do commenters believe the potential additional time SCI SROs
allocate to this process would result in fewer SCI events by helping to
ensure that SCI SROs properly implement systems changes? Why or why
not? How would the benefits and costs of such potential additional time
compare? Please be as specific as possible.
91. The Commission generally solicits comments on its proposed
process for updating current SCI industry standards. Do commenters
believe that it would be appropriate that Commission staff, from time
to time, issue notices to update the list of previously identified
publications containing SCI industry standards after receiving
appropriate input from interested persons? Is there a more appropriate
method? If so, what would it be? If not, why not?
92. Would such a process allow Commission staff to receive
sufficient input from the public, including experts, SCI entities, and
other market participants, regarding the appropriate standards it
should update, and how to do so? Why or why not?
93. Would it be useful, for example, for the Commission or its staff
to provide notice to the public that it was focusing on a given domain
or standard and to seek comment on a domain-by-domain, or
standard-by-standard, basis? Would it
be useful for the Commission to set up a committee to advise Commission
staff on such standards? If so, which groups or types of market
participants should be represented on such a committee and
[[Page 18115]]
why? Is there any other process that the Commission or its staff should
use to help it obtain useful input? Would it be appropriate to instead
require SROs, for example, to submit an NMS plan under Rule 608 of
Regulation NMS that contained standards? Why or why not?
94. If the Commission, its staff, or another entity seeks to
develop a set of standards that is more focused on the specific
businesses and systems of SCI entities, do commenters agree that the
industry standards contained in the publications listed in Table A
would be appropriate to be used as a starting point for this effort?
Why or why not? If not, what publication(s) should be used as a
starting point? Please describe in detail and explain.
95. Do commenters believe it would be feasible to establish
industry standards through means other than identification through
Table A? For example, should SCI entities take the lead in developing
such standards? Why or why not? If so, how should the process be
organized and what parameters should be put in place to facilitate the
process? For example, should SCI entities jointly develop industry
standards that apply to all SCI entities or should the various types of
SCI entities (e.g., national securities exchanges, ATSs, plan
processors, clearing agencies) work separately to develop their own
standards? Should one or more industry organizations take the lead in
developing such standards? If so, which ones, and why? Should any such
standards identified by the SCI entities and/or industry organizations
be formally approved or disapproved by the Commission as part of any
such process?
2. Systems Compliance
Proposed Rule 1000(b)(2)(i) would require each SCI entity to
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems operate in the
manner intended, including in a manner that complies with the federal
securities laws and rules and regulations thereunder and the entity's
rules and governing documents, as applicable.\216\ Whereas proposed
Rule 1000(b)(1) concerns the robustness of the SCI entity's SCI systems
and SCI security systems--i.e., such systems' capacity and resiliency
against failures and security threats--proposed Rule 1000(b)(2)
concerns the SCI entity's establishment of policies and procedures
reasonably designed to ensure the operational compliance of an SCI
entity's SCI systems with applicable laws, rules, and the SCI entity's
governing documents. Diligent discharge of this proposed obligation to
establish, maintain, and enforce written policies and procedures would
establish the organizational framework for an SCI entity to meet its
other obligations under proposed Regulation SCI. In particular, with
respect to SCI SROs, compliance with proposed Rule 1000(b)(2)(i) should
help to ensure that SCI SROs comply with Section 19(b)(1) of the
Exchange Act, which requires each SRO to file with the Commission
copies of any proposed rule or any proposed change in, addition to, or
deletion from the rules of the SRO.\217\ Therefore, compliance with
this proposed requirement may help ensure not only that SCI SROs
operate in compliance with the Exchange Act, but also help reinforce
existing processes for filing SRO rule changes in order to better
assist market participants and the public in understanding how the SCI
systems of SCI SROs are intended to operate.\218\
---------------------------------------------------------------------------
\216\ See supra Section III.B.3.b, discussing the definition of
``systems compliance issue.''
\217\ See 15 U.S.C. 78s(b)(1).
\218\ SCI SROs would similarly be assisted in meeting their
obligations to file plan amendments to SCI Plans under Rule 608 of
Regulation NMS.
---------------------------------------------------------------------------
Because of the complexity of SCI systems and the breadth of the
federal securities laws and rules and regulations thereunder and the
SCI entities' rules and governing documents, the Commission
preliminarily believes that it would be appropriate to provide an
explicit safe harbor for SCI entities and their employees in order to
provide greater clarity as to how they can ensure that their conduct
will comply with this provision. Therefore, the Commission is proposing
Rules 1000(b)(2)(ii) and (iii), which would provide a safe harbor from
liability under proposed Rule 1000(b)(2)(i) for SCI entities and
persons employed by SCI entities, respectively, as further described
below.
Specifically, proposed Rule 1000(b)(2)(ii) would provide that an
SCI entity would be deemed not to have violated proposed Rule
1000(b)(2)(i) if: (A) the SCI entity has established and maintained
policies and procedures reasonably designed to provide for: (1) Testing
of all SCI systems and any changes to such systems prior to
implementation; (2) periodic testing of all such systems and any
changes to such systems after their implementation; (3) a system of
internal controls over changes to such systems; (4) ongoing monitoring
of the functionality of such systems to detect whether they are
operating in the manner intended; (5) assessments of SCI systems
compliance performed by personnel familiar with applicable federal
securities laws and rules and regulations thereunder and the SCI
entity's rules and governing documents, as applicable; and (6) review
by regulatory personnel of SCI systems design, changes, testing, and
controls to prevent, detect, and address actions that do not comply
with applicable federal securities laws and rules and regulations
thereunder and the SCI entity's rules and governing documents, as
applicable; (B) the SCI entity has established and maintained a system
for applying such policies and procedures which would reasonably be
expected to prevent and detect, insofar as practicable, any violations
of such policies and procedures by the SCI entity or any person
employed by the SCI entity; and (C) the SCI entity: (1) has reasonably
discharged the duties and obligations incumbent upon the SCI entity by
such policies and procedures, and (2) was without reasonable cause to
believe that such policies and procedures were not being complied with
in any material respect.
The Commission preliminarily believes that, if an SCI entity
establishes and maintains policies and procedures reasonably designed
to provide for the items in proposed Rule 1000(b)(2)(ii)(A)(1)-(6),
such policies and procedures would meet the requirement articulated in
proposed Rule 1000(b)(2)(i). Specifically, the Commission preliminarily
believes that items (1) and (2), which, for purposes of qualifying for
the safe harbor, would require SCI entities to have policies and
procedures requiring the testing of SCI systems and changes to such
systems before they are put into production and periodically
thereafter, should help SCI entities to identify potential problems
before such problems have the ability to impact markets and investors.
Items (3) and (4), which, for purposes of qualifying for the safe
harbor, would require a system of internal controls over changes to SCI
systems and ongoing monitoring of the functionality of such systems,
would provide a framework for SCI entities seeking to bring newer,
faster, and more innovative SCI systems online. In conjunction with
ongoing monitoring, the Commission preliminarily believes that the
policies and procedures proposed to be required in items (3) and (4),
for purposes of qualifying for the safe harbor, would help prevent SCI
systems from becoming noncompliant as a result of, for example,
inattention or a failure to review compliance with established written
policies and procedures.
[[Page 18116]]
Further, the Commission preliminarily believes that item (5)
(which, for purposes of qualifying for the safe harbor, would require
that an SCI entity establish, maintain, and enforce written policies
and procedures for assessments of SCI systems compliance by personnel
familiar with applicable federal securities laws, rules and regulations
thereunder, and the SCI entity's rules and governing documents), in
conjunction with item (6) (which, for purposes of qualifying for the
safe harbor, would require policies and procedures directing that
regulatory personnel review SCI systems design, changes, testing, and
controls), would help foster coordination between the information
technology and regulatory staff of an SCI entity so that SCI events and
other issues related to an SCI entity's SCI systems would be more
likely to be addressed by a team of staff in possession of the
requisite range of knowledge and skills to help ensure compliance with
the SCI entity's obligations under proposed Regulation SCI.
Insofar as an SCI entity follows them to qualify for the safe
harbor, proposed items (5) and (6) also are intended to help to ensure
that an SCI entity's business interests do not undermine regulatory,
surveillance, and compliance functions and, more broadly, the
requirements of the federal securities laws, during the development,
testing, implementation, and operation processes for SCI systems. Thus,
proposed items (1)-(6) together, insofar as SCI entities follow them to
qualify for the safe harbor, are meant to promote the development and
implementation of policies and procedures consistent with the
functioning of SCI systems of SCI entities as planned and as described
by the SCI entity's rules and governing documents, as well as in
compliance with applicable federal securities laws and rules.\219\
---------------------------------------------------------------------------
\219\ See supra notes 154-156 and accompanying text.
---------------------------------------------------------------------------
In addition to establishing and maintaining the policies and
procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), to
qualify for the safe harbor, an SCI entity would also be required to
satisfy two additional requirements. First, under proposed Rule
1000(b)(2)(ii)(B), it would be required to have established and
maintained a system for applying such policies and procedures which
would reasonably be expected to prevent and detect, insofar as
practicable, any violations of such policies and procedures by the SCI
entity or any person employed by the SCI entity. In addition, under
proposed Rule 1000(b)(2)(ii)(C), the SCI entity would be required to:
(1) Have reasonably discharged the duties and obligations incumbent
upon it by such policies and procedures; and (2) have been without
reasonable cause to believe that such policies and procedures were not
being complied with in any material respect. To the extent an SCI
entity seeks to qualify for the safe harbor, the elements of proposed
Rules 1000(b)(2)(ii)(B) and (C) would require not only that its
policies and procedures are reasonably designed to achieve SCI systems
compliance, as described in items (A)(1)-(6) above, but also that, as
part of such policies and procedures, the SCI entity establishes and
maintains a system for applying those policies and procedures, and
enforces its policies and procedures, in a manner that would reasonably
allow it to prevent and detect violations of the policies and
procedures. Proposed Rules 1000(b)(2)(ii)(B) and (C) are also designed
to ensure that the SCI entity reasonably discharges duties and
obligations incumbent upon it by such policies and procedures and is
without reasonable cause to believe that such policies and procedures
were not being complied with in any material respect.
In addition, proposed Rule 1000(b)(2)(iii) would provide a safe
harbor from liability for individuals. Specifically, proposed Rule
1000(b)(2)(iii) would provide that a person employed by an SCI entity
shall be deemed not to have aided, abetted, counseled, commanded,
caused, induced, or procured the violation by any other person of
proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity
has reasonably discharged the duties and obligations incumbent upon
such person by such policies and procedures, and was without reasonable
cause to believe that such policies and procedures were not being
complied with in any material respect. The Commission preliminarily
believes that the safe harbor for individuals under proposed Rule
1000(b)(2)(iii) would appropriately provide protection from liability
under Rule 1000(b)(2) to employees of SCI entities who reasonably
conduct their assigned responsibilities under the SCI entity's policies
and procedures and do not have reasonable cause to believe the policies
and procedures were not being complied with in any material respect.
In this regard, an SCI entity would not be deemed to violate
proposed Rule 1000(b)(2)(i) merely because it experienced a systems
compliance issue, and could take advantage of the safe harbor for SCI
entities if it satisfied the elements enumerated in proposed Rule
1000(b)(2)(ii).\220\ Likewise, an employee of an SCI entity, including
an employee involved in the design or implementation of policies and
procedures under the rule, would not be deemed to have aided, abetted,
counseled, commanded, caused, induced, or procured the violation by any
other person of proposed Rule 1000(b)(2)(i) merely because the SCI
entity at which he or she worked experienced a systems compliance
issue, whether or not the employee was able to take advantage of the
safe harbor for individuals under proposed Rule 1000(b)(2)(iii).
---------------------------------------------------------------------------
\220\ The language of proposed Rules 1000(b)(2)(ii)(B) and (C)
is drawn in significant part from language in Section 15(b)(4)(E) of
the Exchange Act, 15 U.S.C. 78o(b)(4)(E), which generally provides a
safe harbor from liability for failure to supervise, with a view to
preventing violations of the securities laws, another person who is
subject to his or her supervision and who commits such a violation.
---------------------------------------------------------------------------
Request for Comment
96. The Commission requests comment generally on all aspects of
proposed Rule 1000(b)(2). Do commenters believe that it is appropriate
to limit the application of the requirements of proposed Rule
1000(b)(2)(i) to SCI systems? Why or why not? Please explain. Do
commenters agree with the requirements of the proposed safe harbor for
SCI entities? Why or why not? Specifically, with respect to proposed
Rule 1000(b)(2)(ii)(A)(1), which would include in the safe harbor a
requirement that each SCI entity establish and maintain written
policies and procedures that provide for testing of all SCI systems and
any changes to such systems prior to implementation, should certain
types of SCI systems be excluded from the proposed requirement? If so,
please specify which types and explain.
97. Should the Commission specify the interval at which SCI
entities would be required to conduct the periodic testing of all SCI
systems contemplated by the safe harbor under proposed Rule
1000(b)(2)(ii)(A)(2)? Why or why not? And if so, what would be an
appropriate interval? Should certain types of SCI systems be tested on
a more or less frequent basis? If so, please specify which types and
explain.
98. With respect to proposed Rule 1000(b)(2)(ii)(A)(3), which would
include in the safe harbor a requirement that an SCI entity establish
and maintain written policies and procedures that provide for a system
of internal controls over changes to SCI
[[Page 18117]]
systems, should the Commission specify minimum standards for internal
controls? If so, please explain why, as well as what such standards
should be.
99. With respect to proposed Rule 1000(b)(2)(ii)(A)(4), which would
include in the safe harbor a requirement that an SCI entity establish
and maintain written policies and procedures that provide for ongoing
monitoring of the functionality of SCI systems to detect whether they
are operating in the manner intended, should the Commission specify the
frequency with which the monitoring of such systems' functionality
should occur? If so, please explain. Should the Commission require
different monitoring frequencies depending on the type of SCI system?
Why or why not? If so, what should they be? Please explain.
100. For purposes of the safe harbor and proposed Rule
1000(b)(2)(ii)(A)(5), do commenters believe the Commission should
require that the assessments of SCI systems compliance be performed by
persons having specified qualifications? Why or why not? If so, what
would be appropriate and/or necessary qualifications for such
personnel?
101. Proposed Rule 1000(b)(2)(ii)(A)(6) would include in the safe
harbor a requirement that each SCI entity establish and maintain
policies and procedures that provide for review by regulatory personnel
of SCI systems design, changes, testing, and controls to prevent,
detect, and address actions that are not in compliance with applicable
federal securities laws and rules and regulations thereunder and the
SCI entity's rules and governing documents, as applicable. Do
commenters believe, for purposes of qualifying for the safe harbor, the
roles and allocations of responsibility for personnel in proposed Rules
1000(b)(2)(ii)(A)(5) and (6) are appropriate? Why or why not?
102. Do commenters agree that in order for an SCI entity to qualify
for the safe harbor from liability under proposed Rule 1000(b)(2)(i),
it should, in addition to establishing and maintaining the policies and
procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), be
required to establish and maintain a system for applying such policies
and procedures which would reasonably be expected to prevent and
detect, insofar as practicable, any violations of such policies and
procedures by the SCI entity or any person employed by the SCI entity?
Why or why not? To qualify for the safe harbor from liability under
proposed Rule 1000(b)(2)(i), should an SCI entity be further required
to: have reasonably discharged the duties and obligations incumbent
upon the SCI entity by such policies and procedures; and be without
reasonable cause to believe that such policies and procedures were not
being complied with in any material respect? Why or why not? Please
explain.
103. Do commenters agree with the requirements for the proposed
safe harbor for individuals in proposed Rule 1000(b)(2)(iii), which
would provide that a person employed by an SCI entity shall be deemed
not to have aided, abetted, counseled, commanded, caused, induced, or
procured the violation by any other person of proposed Rule
1000(b)(2)(i) if the person employed by the SCI entity: has reasonably
discharged the duties and obligations incumbent upon such person by
such policies and procedures; and was without reasonable cause to
believe that such policies and procedures were not being complied with
in any material respect? Why or why not? Should a similar safe harbor
be available to individuals other than persons employed by SCI
entities? Why or why not? Please explain.
104. Do commenters agree with the Commission's proposed policies
and procedures approach to the requirements of proposed Rule
1000(b)(2)? Why or why not? If not, is there another approach that is
more appropriate? If so, please describe and explain. As discussed
above, the Commission is proposing to include safe harbor provisions in
proposed Rule 1000(b)(2) for SCI entities and employees of SCI
entities. The Commission preliminarily believes that, in the context of
proposed Regulation SCI, this approach may be appropriate to provide
clarity and guidance to SCI entities and SCI entity employees on one
method to comply with the proposed general standard in proposed Rule
1000(b)(2)(i). The Commission solicits commenters' views on the
Commission's proposed approach. Specifically, do commenters agree with
the Commission's proposed approach to provide safe harbors for SCI
entities and employees of SCI entities from liability under proposed
Rule 1000(b)(2)(i)? Why or why not? How do commenters believe the
actions of SCI entities or behavior of employees of SCI entities might
differ if the safe harbors under proposed Rule 1000(b)(2) were not
available? What are the costs and benefits of the Commission's approach
to provide safe harbors? What would be the costs and benefits of other
approaches? Please explain.
105. Do commenters believe there are specific internal controls or
other mechanisms that would reinforce the effectiveness of an SCI
entity's reasonably designed policies and procedures under proposed
Rule 1000(b)(2)? Why or why not? Please explain. How do SCI entities
presently use specific internal controls or other mechanisms to ensure
that their systems operate in a manner that complies with the federal
securities laws and rules and regulations thereunder and their rules
and governing documents, as applicable? How do commenters generally
view the advantages and disadvantages of specific internal controls or
other mechanisms? The Commission is not proposing to prescribe specific
internal controls related to compliance with proposed Rule 1000(b)(2).
Should the Commission propose that any particular internal controls or
other mechanisms be required (for example, that a senior officer be
designated to be responsible for the SCI entity's compliance with
proposed Regulation SCI, or that personnel of the SCI entity certify
that the SCI entity's policies and procedures are reasonably designed)?
3. SCI Events--Action Required; Notification
Proposed Rule 1000(b)(3)-(5) would govern the actions an SCI entity
must take upon any responsible SCI personnel becoming aware of an SCI
event, whether it be a systems disruption, systems compliance issue, or
systems intrusion.\221\
---------------------------------------------------------------------------
\221\ See supra Section III.B.3 for a discussion of the proposed
definition of systems disruption, systems compliance issue, and
systems intrusion.
---------------------------------------------------------------------------
a. Corrective Action
Proposed Rule 1000(b)(3) would require an SCI entity, upon any
responsible SCI personnel becoming aware of an SCI event, to begin to
take appropriate corrective action including, at a minimum, mitigating
potential harm to investors and market integrity resulting from the SCI
event and devoting adequate resources to remedy the SCI event as soon
as reasonably practicable. The Commission is proposing this requirement
to make clear that, upon learning of an SCI event, an SCI entity would
be required to take the steps necessary to remedy the problem or
problems causing the SCI event and mitigate the effects of the SCI
event, if any, on customers, market participants and the securities
markets.
Proposed Rule 1000(a) would define ``responsible SCI personnel'' to
mean, for a particular SCI system or SCI security system impacted by an
SCI event, any personnel, whether an
[[Page 18118]]
employee or agent, of an SCI entity having responsibility for such
system. The proposed definition is intended to include any personnel
used by the SCI entity that has responsibility for the specific
system(s) impacted by a given SCI event. Thus, such personnel would
include, for example, any technology, business, or operations staff
with responsibility for such systems. With respect to systems
compliance issues, such personnel would also include regulatory, legal,
or compliance personnel with legal or compliance responsibility for
such systems. In addition, such ``responsible SCI personnel'' would not
be limited to managerial or senior-level employees of the SCI entity.
For example, the proposed definition is intended to include a junior
systems analyst responsible for monitoring the operations or testing of
an SCI system or SCI security system. The proposed definition would
also include not only applicable employees of the SCI entity, but
applicable agents of the SCI entity as well. Thus, for example, if an
SCI entity were to contract the monitoring of the operations of a given
SCI system to an external firm, the proposed definition of
``responsible SCI personnel'' would include the personnel of such firm
that were responsible for the monitoring. The proposed definition,
however, is not intended to include all personnel of an SCI entity. For
example, personnel of the SCI entity who have no responsibility for any
SCI system or SCI security system of an SCI entity are not intended to
be included in the proposed definition.
b. Commission Notification
Proposed Rule 1000(b)(4) would address the obligation of an SCI
entity to notify the Commission upon any responsible SCI personnel
becoming aware of an SCI event.\222\ Proposed Rule 1000(b)(4)(i) would
require an SCI entity, upon any responsible SCI personnel \223\
becoming aware of a systems disruption that the SCI entity reasonably
estimates would have a material impact on its operations or on market
participants, any systems compliance issue, or any systems intrusion
(``immediate notification SCI event''), to notify the Commission of
such SCI event, which may be done orally or in writing (e.g., by
email). Proposed Rule 1000(b)(4)(ii) would require an SCI entity to
submit a written notification pertaining to any SCI event to the
Commission within 24 hours of any responsible SCI personnel becoming
aware of the SCI event. Proposed Rule 1000(b)(4)(iii) would require an
SCI entity to submit to the Commission continuing written updates on a
regular basis, or at such frequency as reasonably requested by a
representative of the Commission, until such time as the SCI event is
resolved.\224\
---------------------------------------------------------------------------
\222\ Proposed Rule 1000(b)(5), addressed in Section III.C.3.c
below, would address whether and when an SCI entity would be
required to disseminate information regarding an SCI event to its
members or participants.
\223\ See supra III.C.3.a (discussing definition of
``responsible SCI personnel'').
\224\ See supra Section III.B.3.d, for a discussion of
dissemination SCI events.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4) also would require that any written
notification to the Commission made pursuant to proposed Rules
1000(b)(4)(ii) or 1000(b)(4)(iii) be made electronically on new
proposed Form SCI (Sec. 249.1900), and include all information as
prescribed in Form SCI and the instructions thereto.\225\ To help
ensure that the Commission and its staff receive all information known
by the SCI entity relevant to aiding the Commission's understanding of
an SCI event, proposed Rule 1000(b)(4)(iv) would provide that a written
notification under proposed Rule 1000(b)(4)(ii) must include all
pertinent information known about an SCI event, including: (1) A
detailed description of the SCI event; (2) the SCI entity's current
assessment of the types and number of market participants potentially
affected by the SCI event; (3) the potential impact of the SCI event on
the market; and (4) the SCI entity's current assessment of the SCI
event, including a discussion of the SCI entity's determination
regarding whether the SCI event is a dissemination SCI event or
not.\226\ In addition, to the extent available as of the time of the
initial notification, Exhibit 1 would require inclusion of the
following information: (1) A description of the steps the SCI entity is
taking, or plans to take, with respect to the SCI event; (2) the time
the SCI event was resolved or timeframe within which the SCI event is
expected to be resolved; (3) a description of the SCI entity's rule(s)
and/or governing documents, as applicable, that relate to the SCI
event; and (4) an analysis of the parties that may have experienced a
loss, whether monetary or otherwise, due to the SCI event, the number
of such parties, and an estimate of the aggregate amount of such
loss.\227\
---------------------------------------------------------------------------
\225\ New proposed Form SCI is discussed in detail in Section
III.E below.
\226\ See proposed Rule 1000(b)(4)(iv)(A)(1).
\227\ See proposed Rule 1000(b)(4)(iv)(A)(2).
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(iv)(B) would require an SCI entity to
update any of the pertinent information contained in previous written
notifications, including any information required by proposed Rule
1000(b)(4)(iv)(A)(2) that was not available at the time of initial
submission. Subsequent notifications would be required to update any of
the pertinent information previously provided until the SCI event is
resolved.
Proposed Rule 1000(b)(4)(iv)(C) would further require an SCI entity
to provide a copy of any information disseminated to date regarding the
SCI event to its members or participants or on the SCI entity's
publicly available Web site.
The Commission preliminarily believes an SCI entity's obligation to
notify the Commission of significant SCI events should begin upon any
responsible SCI personnel becoming aware of an SCI event. Thus, for all
immediate notification SCI events, an SCI entity would be required to
notify the Commission of the SCI event. Such notification could be made
orally (e.g., by telephone) or in a written form (e.g., by email). The
Commission preliminarily believes that, by not prescribing the precise
method of communication for an initial notification of an immediate
notification SCI event under proposed Rule 1000(b)(4)(i), SCI entities
would have the needed flexibility to determine the most appropriate
method.\228\ Further, if the responsible SCI personnel became aware of
such an SCI event outside of normal business hours, the SCI entity
would still be required to notify the Commission at that time rather
than, for example, the start of the next business day. For all SCI
events, including immediate notification SCI events, an SCI entity
would be required to submit a written notification pertaining to such
SCI event to the Commission on Form SCI, and follow up with regular
written updates until the SCI event is resolved. Even if an SCI entity
had notified the Commission of an immediate notification SCI event in
writing as would be permitted under proposed Rule 1000(b)(4)(i), the
SCI entity would still be required to submit a separate written
notification on Form SCI pursuant to proposed Rule 1000(b)(4)(ii).\229\
---------------------------------------------------------------------------
\228\ The Commission expects that it would establish a telephone
hotline, designated email accounts, or similar arrangements, to
enable receipt of notifications of immediate notification SCI
events.
\229\ See proposed Rule 1000(b)(4)(iv), which would require that
written notifications under 1000(b)(4)(ii) be submitted on Form SCI,
and which would not provide for the ability of SCI entities to
submit a written notification of an immediate notification SCI event
on Form SCI.
---------------------------------------------------------------------------
[[Page 18119]]
The Commission preliminarily believes that the proposed
notification requirement for immediate notification SCI events, the
proposed 24-hour time frame for submission of written notices, and the
proposed continuing update requirement, are appropriately tailored to
help the Commission and its staff quickly assess the nature and scope
of an SCI event, and help the SCI entity identify the appropriate
response to the SCI event, including ways to mitigate the impact of the
SCI event on investors and promote the maintenance of fair and orderly
markets. These requirements would help to ensure not only that the
Commission and its staff are kept apprised of such SCI events,
including their causes and their effect on the markets, but also that
the Commission is aware of the steps and resources necessary to correct
such SCI events, mitigate their effects on other SCI entities and the
market, and prevent recurrence to the extent possible. The Commission
also preliminarily believes that the proposal to require an SCI entity
to update the Commission regularly regarding an SCI event, or at such
frequency as reasonably requested by a representative of the
Commission, until the SCI event is resolved, provides appropriate
flexibility to the Commission to request additional information as
necessary, depending on the facts and circumstances of the SCI event
and the SCI entity's progress in resolving it. At the same time, the
Commission recognizes that the information required to be provided to
it by an SCI entity about an immediate notification SCI event under
proposed Rule 1000(b)(4)(i) would represent the SCI entity's initial
assessment of the SCI event, and that even the written notification on
Form SCI required under proposed Rule 1000(b)(4)(ii) may, in some
cases, be a preliminary assessment of the SCI event for which the SCI
entity may still be in the process of analyzing and assessing the
precise facts and circumstances related to the SCI event. Thus, the
Commission is proposing to only require that SCI entities provide
certain key information for the written notification required under
proposed Rule 1000(b)(4)(ii),\230\ and only provide certain additional
details ``to the extent available as of the time of the notification.''
\231\ In addition, the Commission's proposal allows for the SCI entity
to subsequently ``update any information previously provided regarding
the SCI event, including any information required by paragraph
(b)(4)(iv)(A)(2) which was not available at the time of the
notification made pursuant to paragraph (b)(4)(ii).'' \232\
---------------------------------------------------------------------------
\230\ See proposed Rule 1000(b)(4)(iv)(A)(1).
\231\ See proposed Rule 1000(b)(4)(iv)(A)(2).
\232\ See proposed Rule 1000(b)(4)(iv)(B).
---------------------------------------------------------------------------
Comprehensive reporting of all SCI events would facilitate the
Commission's regulatory oversight of the national securities markets.
The proposed reporting requirements should provide the Commission with
an aggregate and comprehensive set of data on SCI events, a significant
improvement over the current state of administration, whereby SCI
entities report events through multiple methods and with varying
consistency.\233\ The aggregated data that would result from the
reporting of SCI events would also permit the Commission to analyze
such data, e.g., to examine the most common types of events and the
types of systems most often affected. This ability to more efficiently
analyze a comprehensive set of data would help the Commission to carry
out its oversight responsibilities because it would help the Commission
identify more effectively, for example, areas of persistent or
recurring problems across the systems of all SCI entities.
---------------------------------------------------------------------------
\233\ Currently, there is no Commission rule specifically
requiring SCI entities to notify the Commission of systems problems
in writing or in a specific format. Nevertheless, voluntary
communications of systems problems to Commission staff occur in a
variety of ways, including by telephone and email. The Commission
notes that proposed Rule 1000(b)(4) would impose a new reporting
requirement on SCI entities, regardless of whether they currently
voluntarily notify the Commission of SCI events on an ad hoc basis.
As such, the Commission preliminarily believes that a history of
voluntarily reporting such events to the Commission would not lessen
the future burden of reporting such events to the Commission on Form
SCI as required under proposed Rule 1000(b)(4).
---------------------------------------------------------------------------
As discussed in greater detail below, the Commission also
preliminarily believes that submission of required notifications by SCI
entities by filing Form SCI in an electronic format would be less
burdensome and a more efficient filing process for SCI entities and the
Commission than the submission of such notices in non-standardized ad
hoc formats, as they are currently provided under the ARP Program.\234\
---------------------------------------------------------------------------
\234\ See infra Section III.D.2 discussing proposed Rule
1000(d), requiring electronic filings on new proposed Form SCI, and
Section III.E, discussing information proposed to be required to be
submitted on new Form SCI. See also infra note 235 and accompanying
text.
---------------------------------------------------------------------------
c. Dissemination of Information to Members or Participants \235\
---------------------------------------------------------------------------
\235\ The requirements relating to dissemination of information
relating to dissemination SCI events to members or participants
proposed to be included in Regulation SCI relate solely to
Regulation SCI. Nothing in proposed Regulation SCI should be
construed as superseding, altering, or affecting the reporting
obligations of SCI entities under other federal securities laws or
regulations. Accordingly, in the case of an SCI event, SCI entities
subject to the public company reporting requirements of Section 13
or Section 15(d) of the Exchange Act would need to ensure compliance
with their disclosure obligations pursuant to those provisions
(including, for example, with respect to Regulation S-K and Forms
10-K, 10-Q and 8-K) in addition to their disclosure and reporting
obligations under Regulation SCI. See, e.g., CF Disclosure Guidance:
Topic No. 2, Cybersecurity (October 13, 2011), available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. As an
additional example, nothing in proposed Regulation SCI should be
construed as superseding the obligations such SCI entities may have
under Regulation FD.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5) would require information relating to
dissemination SCI events to be disseminated to members or participants,
and specify the nature and timing of such disseminations, with a
limited delay permitted for certain systems intrusions, as discussed
further below.\236\ Proposed Rule 1000(b)(5)(i)(A) would require that
an SCI entity, promptly after any responsible SCI personnel \237\
becomes aware of a dissemination SCI event other than a systems
intrusion, disseminate to its members or participants the following
information about such SCI event: (1) The systems affected by the SCI
event; and (2) a summary description of the SCI event. In addition,
proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to further
disseminate to its members or participants, when known: (1) A detailed
description of the SCI event; (2) the SCI entity's current assessment
of the types and number of market participants potentially affected by
the SCI event; and (3) a description of the progress of its corrective
action for the SCI event and when the SCI event has been or is expected
to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require an
SCI entity to provide regular updates to members or participants on any
of the information required to be disseminated under proposed Rules
1000(b)(5)(i)(A) and (i)(B).
---------------------------------------------------------------------------
\236\ See supra Section III.B.3.d for a discussion of
dissemination SCI events.
\237\ See supra III.C.3.a (discussing definition of
``responsible SCI personnel'').
---------------------------------------------------------------------------
For the disseminations of information to members or participants to
be meaningful, the Commission preliminarily believes it would be
necessary for an SCI entity to describe the SCI event in sufficient
detail to enable a member or participant to determine whether and how
it was affected by the SCI event and make appropriate decisions based
on that determination. For example, the Commission preliminarily
believes that a general statement that a systems disruption occurred
that impacted trading for a certain period of time would not be
sufficient. The
[[Page 18120]]
dissemination of information should, for example, specify with
particularity such information as necessary to provide readers
meaningful context with regard to the issue, which may include but is
not limited to, details relating to, if applicable: the magnitude of
the issue (such as estimates with respect to the number of shares
affected, numbers of stocks affected, and total dollar volumes of the
affected trades); the specific system(s) or part of the system(s) that
caused the issue; the Commission and SCI entity rule(s) that relate
most directly to the issue; the specific time periods in which the
issue occurred, including whether the issue may be ongoing; and the
specific names of the securities affected. The Commission preliminarily
believes these proposed items, which concern the timing, nature, and
foreseeable possible consequences of a systems problem, comprise the
appropriate minimum detail that a member or participant would need to
assess whether an SCI event affected or would potentially affect that
member or participant, and would assist members and participants in
making investment or business decisions based on disclosed facts rather
than on speculation regarding, for example, the cause of a market
disruption.\238\
---------------------------------------------------------------------------
\238\ See supra note 160, referring to Roundtable panelists
suggesting that communication and disclosure are important elements
of risk mitigation.
---------------------------------------------------------------------------
The Commission preliminarily believes that it is appropriate to
require that the information specified by proposed Rule
1000(b)(5)(i)(A) be disseminated by the SCI entity to its members or
participants promptly after any responsible SCI personnel becomes aware
of an applicable dissemination SCI event. The Commission also
preliminarily believes that it is appropriate to require the further
dissemination of information specified by proposed Rule
1000(b)(5)(i)(B) ``when known'' by the SCI entity. These requirements
reflect the Commission's preliminary view that, given the sensitivities
of such dissemination of information, it is important that, before
information is shared with the SCI entity's members or participants,
the SCI entity be given a reasonable amount of time to gather, confirm,
and preliminarily analyze facts regarding a dissemination SCI event.
The Commission preliminarily believes that the value of dissemination
of information to an SCI entity's members or participants in these
circumstances is enhanced when the SCI entity has taken an appropriate
amount of time to ensure that the information it is sharing with its
members or participants is accurate, such that incorrect information
does not cause or exacerbate market confusion. At the same time, the
Commission preliminarily believes that it is important that basic
information about dissemination SCI events, such as those items
required by proposed Rule 1000(b)(5)(i)(A), be made available to
members or participants promptly.
The proposed requirement relating to dissemination of information
to members or participants of dissemination SCI events, other than
systems intrusions as specified in proposed Rule 1000(b)(5)(i), is
intended to aid members or participants of SCI entities in determining
whether their trading activity has been or might be impacted by the
occurrence of an SCI event at an SCI entity, so that they could
consider that information in making trading decisions, seeking
corrective action or pursuing remedies, or taking other responsive
action. Further, the requirement to disseminate information regarding
dissemination SCI events could provide an incentive for SCI entities to
devote more resources and attention to improving the integrity and
compliance of their systems and preventing the occurrence of SCI
events.
Proposed Rule 1000(b)(5)(ii) would provide a limited exception to
the proposed requirement of prompt dissemination of information to
members or participants for certain systems intrusions.\239\ Proposed
Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any
responsible SCI personnel becomes aware of a systems intrusion, to
disseminate to its members or participants a summary description of the
systems intrusion, including a description of the corrective action
taken by the SCI entity and when the systems intrusion was resolved or
an estimate of when the systems intrusion is expected to be resolved,
unless the SCI entity determines that dissemination of such information
would likely compromise the security of the SCI entity's SCI systems or
SCI security systems, or an investigation of the systems intrusion, and
documents the reasons for such determination.\240\ The Commission
preliminarily believes that information relating to all dissemination
SCI events, including systems intrusions, should be disseminated to
members or participants, but that there may be circumstances in which
such dissemination of information relating to a systems intrusion
should be delayed, for example, to avoid compromising the investigation
or resolution of a systems intrusion.\241\ If an SCI entity determines
to delay the dissemination of information to members or participants
relating to a systems intrusion, it would be required to make an
affirmative determination and document the reasons for such
determination that such dissemination would likely compromise the
security of its SCI systems or SCI security systems, or an
investigation of the systems intrusion. If it cannot make such a
determination, or at whatever point in time such a determination no
longer applies, information relating to the systems intrusion would be
required to be disseminated to the SCI entity's members or
participants.
---------------------------------------------------------------------------
\239\ As noted in supra note 235, the requirements relating to
information disseminations to members or participants proposed to be
included in Regulation SCI, including the proposal to permit an SCI
entity to delay such dissemination for certain systems intrusions,
relate solely to Regulation SCI. Nothing in proposed Regulation SCI
should be construed as superseding, altering, or affecting the
reporting obligations of SCI entities under other federal securities
laws or regulations.
\240\ Unlike proposed Rule 1000(b)(5), proposed Rule 1000(b)(4)
(relating to Commission notification), discussed above in Section
III.C.3.b, would not provide for a delay in reporting any systems
intrusions to the Commission.
\241\ See supra note 239.
---------------------------------------------------------------------------
The information required to be disseminated to members or
participants for systems intrusions by proposed Rule 1000(b)(5)(ii) is
not as extensive as that required to be disseminated to members or
participants for other types of dissemination SCI events. The
Commission is sensitive to the fact that dissemination of too much
detailed information regarding a systems intrusion may provide hackers
or others seeking unauthorized entry into the systems of an SCI entity
with insights into the potential vulnerabilities of the SCI entity's
systems. At the same time, the occurrence of a systems intrusion may
reveal a weakness in the SCI systems or SCI security systems of the SCI
entity that warrants dissemination of information about such event to
the SCI entity's members or participants. Proposed Rule 1000(b)(5)(ii)
is therefore intended to strike an appropriate balance by requiring
dissemination to members or participants, which may be delayed when
necessary, of key summary information about a given systems intrusion.
Request for Comment
106. The Commission requests comment on all aspects of proposed
Rules 1000(b)(3), (4), and (5).
107. Do commenters believe the proposed definition of ``responsible
SCI personnel'' in proposed Rule 1000(a) is appropriate? Why or why
not? Please
[[Page 18121]]
explain. Is the proposed definition sufficiently clear? If not, why
not? Should the proposed definition only apply to personnel of a given
seniority, such as managerial personnel or officers of an SCI entity?
Why or why not? Should the proposed definition include both employees
and agents of an SCI entity? Why or why not?
108. As proposed to be required by Rule 1000(b)(3), do commenters
believe the Commission should require an SCI entity, upon any
responsible SCI personnel becoming aware of an SCI event, to begin to
take appropriate corrective action including, at a minimum, mitigating
potential harm to investors and market integrity resulting from the SCI
event and devoting adequate resources to remedy the SCI event as soon
as reasonably practicable? If not, why not? Should the proposed
requirement that an SCI entity take corrective action be triggered by
something other than awareness of an SCI event? If so, what would be an
appropriate trigger, and why?
109. In addition to requiring an SCI entity to take appropriate
corrective action, should the Commission also require an SCI entity to
have written policies and procedures regarding how it should respond to
SCI events, such as an incident response plan that, for example, would
lay out in advance of any SCI event the courses of action,
responsibilities of personnel, chains of command, or similar
information regarding how the SCI entity and its personnel should
respond to various SCI event scenarios? Why or why not? Would such a
requirement be useful? What would be the potential costs and benefits
of such a requirement? Would SCI entities be able to meet the
requirements of proposed Rule 1000(b)(3) without developing such
response plans? \242\ Why or why not? Do SCI entities have such plans
in place today? If so, please describe.
---------------------------------------------------------------------------
\242\ See also supra Section III.C.1.a (requesting comment on
proposed Rule 1000(b)(1)(i)(E) regarding policies and procedures for
development of business continuity plans and on whether the
Commission and/or SCI SROs should propose rules governing how such
plans are tested).
---------------------------------------------------------------------------
110. With respect to proposed Rule 1000(b)(4), do commenters
believe the proposal to require an SCI entity to report all SCI events
to the Commission is appropriate?
111. Are there SCI events that should not be required to be
reported to the Commission? If so, what are they, and why should
reporting of such SCI events not be required? Or, as an alternative,
would it be appropriate for the Commission to require SCI entities to
keep and preserve the documentation relating to certain types of SCI
events without sending that documentation to the Commission? Why or why
not? If so, how would commenters recommend the Commission distinguish
between SCI events that should be reported to the Commission and those
that should only be subject to a recordkeeping requirement? What do
commenters believe might be the advantages or disadvantages of such an
alternative approach? Do commenters believe proposed Rule 1000(b)(4)
may require the reporting of types of issues or types of information
that may not be critical to the goals of proposed Regulation SCI?
Please be specific and describe such situations.
112. What criteria do ARP participants currently use for reporting
ARP events? How many SCI events would an SCI entity expect to report
each year?
113. For immediate notification SCI events, is the initial
notification requirement in proposed Rule 1000(b)(4)(i) to the
Commission appropriate? Why or why not? If so, should this requirement
apply to such SCI events that occur outside normal business hours as
well? If not, what should be the requirement? Should the Commission
require a different notification procedure for immediate notifications
that might occur outside normal business hours? What are the advantages
and disadvantages of different methods of immediate notifications?
Please describe. Do commenters agree that those systems disruptions
that the SCI entity reasonably estimates would have a material impact
on its operations or on market participants should be subject to the
immediate notification requirement? Why or why not? Please explain. Do
commenters agree that all systems compliance issues should be subject
to the immediate notification requirement? Why or why not? Do
commenters agree that all systems intrusions should be subject to the
immediate notification requirement? Why or why not? Should additional
types of SCI events be subject to the immediate notification
requirement? If so, which types of SCI events? Please be specific.
114. Do commenters agree with the proposed 24-hour written
notification requirement for all SCI events?
115. Do commenters believe it is appropriate to require that
written updates be submitted regularly until an SCI event is resolved,
or at such frequency as reasonably requested by a representative of the
Commission?
116. Do commenters believe the proposed required dissemination of
information to an SCI entity's members or participants regarding
dissemination SCI events set forth in proposed Rule 1000(b)(5) is
appropriate? If not, why not? Do commenters believe that requiring the
dissemination of information about dissemination SCI events to members
or participants would promote dissemination of information to persons
who are most directly affected by such events? Why or why not? With
respect to proposed Rule 1000(b)(5), should any of the proposed
requirements relating to dissemination of information to members or
participants be eliminated or modified? \243\ Please explain. What
other information, if any, should be required to be disseminated to
members or participants? Please explain. Could these proposed
requirements have any negative or unintended impact on the market or
market participants? If so, please explain.
---------------------------------------------------------------------------
\243\ See also infra Section III.E.1, discussing proposed
Exhibit 3 to Form SCI, which would require that an SCI entity
provide a copy of any information disseminated to date regarding an
SCI event to its members or participants or on the SCI entity's
publicly available Web site.
---------------------------------------------------------------------------
117. Do commenters agree with the timing requirements contained in
proposed Rule 1000(b)(5)? Do commenters agree that the initial
dissemination of information to members or participants should be
required promptly after an SCI entity's responsible SCI personnel
becomes aware of a dissemination SCI event, as would be required by
proposed Rule 1000(b)(5)(i)(A)? Do commenters believe that more
specific timing requirements would be more appropriate? If so, what
should such requirements be? Should there be a specific time period
requirement with respect to subsequent updates on the status of the
dissemination SCI event? Why or why not? For example, should there be a
requirement that an SCI entity provide updates daily or weekly? If so,
what additional specificity should be included?
118. Do commenters believe it is appropriate to permit an SCI
entity to delay the dissemination of information to members or
participants for certain systems intrusions as proposed in Rule
1000(b)(5)(ii)? Should an SCI entity be required to immediately
disseminate information to members or participants regarding a systems
intrusion, with delays permitted only when the Commission specifically
authorizes the delay? Why or why not? Should the proposed rule impose a
maximum period of time that an SCI entity may delay its dissemination
of information to members or participants for certain systems
intrusions? Why or why not? If
so, what should such a maximum period of time be and should the rule
set forth a specific maximum time period applicable to all instances?
Please explain.
119. Are there types of dissemination SCI events that should not be
required to be disseminated to members or participants? If so, what are
they, and why should it not be required?
120. Should dissemination of information to members or participants
of any types of dissemination SCI events, other than those that are
systems intrusions, be delayed? If so, please describe the types of SCI
events and explain why. In addition, please describe the time period
within which commenters believe such types of dissemination SCI events
should be disseminated and why such time period would be appropriate.
121. For any types of dissemination SCI events for which commenters
believe information should either not be required to be disseminated to
members or participants or be permitted to have a delay in
dissemination in certain circumstances (such as for systems
intrusions), what might be the impact of such non-dissemination or
delay in dissemination with respect to different types of market
participants?
122. Are there SCI entities for which the proposed requirements in
Rules 1000(b)(3), (b)(4), and (b)(5) would not be appropriate (e.g.,
not cost-effective)? If so, please identify such entity or entities, or
the characteristics of such entity or entities, and explain which
proposed requirements would be inappropriate and why. Is the fact that
they might not be cost-effective an appropriate reason to omit them
generally for those SCI entities, or on a case-by-case basis, as the
Commission determines to be consistent with Exchange Act requirements?
123. What are the current practices of SCI entities with respect to
the dissemination of information about systems issues to members or
participants? What type of information do SCI entities currently
disseminate? Please describe.
4. Notification of Material Systems Changes
Proposed Rule 1000(b)(6) addresses notification to the Commission
regarding planned material systems changes,\244\ which the Commission
believes is important to help ensure it has information about important
changes at an SCI entity that may affect the SCI entity's ability to
effectively oversee the operations of its systems. Proposed Rule
1000(b)(6) would require an SCI entity, absent exigent circumstances,
to notify the Commission in writing at least 30 calendar days before
implementation of any planned material systems changes including a
description of the planned material systems changes as well as the
expected dates of commencement and completion of implementation of such
changes. A written notification to the Commission made pursuant to
paragraph (b)(6) would be required to be made electronically on Form
SCI and include all information as prescribed in Form SCI and the
instructions thereto.\245\
---------------------------------------------------------------------------
\244\ See supra Section III.B.4 (discussing the proposed
definition of material systems change).
\245\ See infra Section III.E.2, discussing proposed new Form
SCI and electronic submission of the notices required by proposed
Rule 1000(b)(6).
---------------------------------------------------------------------------
The Commission preliminarily believes that the proposed 30 calendar
day requirement regarding pre-implementation written notification to
the Commission of planned material systems changes would be an
appropriate time period. The Commission has found through its
experience with the current ARP Inspection Program that this amount of
advance notice typically is needed to allow Commission staff to
effectively monitor technology developments associated with a planned
material systems change. A shorter timeframe might not provide
sufficient time for Commission staff to understand the impact of the
systems change; a longer time frame might unnecessarily interfere with
SCI entities' flexibility in planning and implementing systems changes.
If exigent circumstances existed, or if the information previously
provided to the Commission regarding any planned material systems
change has become materially inaccurate, the SCI entity would be
required to notify the Commission, either orally or in writing, with
any oral notification to be memorialized within 24 hours after such
oral notification by a written notification, as early as reasonably
practicable.\246\ The existence of exigent circumstances would be
determined by the SCI entity and might exist where, for example, a
systems compliance issue or systems intrusion were discovered that
requires immediate corrective action to ensure compliance with the
Exchange Act and the rules and regulations thereunder, and/or the SCI
entity's own rules and procedures. In such cases, it would not be
prudent or desirable to delay corrective action simply to permit the 30
calendar days' advance notice required in non-exigent circumstances. In
addition, there may be circumstances where the information previously
provided to the Commission regarding a material systems change has
become materially inaccurate. For example, if a material systems
change's expected implementation completion date were to be
substantially delayed because of an inability to procure systems
components, or due to difficulties in systems programming, an update to
reflect this development would enable the Commission to make further
inquiry (as appropriate) in order to understand the potential
consequences of the delay. Similarly, an update would be required if
the SCI entity were to decide to significantly alter the scope of its
planned material systems change.
---------------------------------------------------------------------------
\246\ See proposed Rule 1000(b)(6)(ii).
---------------------------------------------------------------------------
The Commission notes further that, in such cases, an SCI entity
might separately be obligated to notify the Commission or its members
or participants pursuant to proposed Rules 1000(b)(4) and (5), as
discussed above.\247\
---------------------------------------------------------------------------
\247\ See supra Section III.B.3.
---------------------------------------------------------------------------
Request for Comment
124. The Commission requests comment generally on proposed Rule
1000(b)(6). Is the proposed requirement to notify the Commission in
advance of implementation of material systems changes appropriate?
125. Should the Commission provide additional guidance on, or
define, what constitutes ``exigent circumstances'' that would obviate
the need for advance notification? If so, what information,
clarification, or definition would be helpful, and why?
126. Do commenters believe that an SCI entity should be required
to provide updated information to the Commission regarding a planned
material systems change if the information previously provided to the
Commission regarding such change were to become materially inaccurate?
Why or why not?
127. Do commenters believe that the proposed notification
requirements would discourage an SCI entity from making necessary
systems changes? Why or why not?
128. Is the proposed requirement that an SCI entity report all
material systems changes too broad or too narrow? Why or why not?
Should all material systems changes be reported to the Commission? If
not, which systems changes should be excluded? Do commenters believe
the proposed rule should specify quantitative criteria or other minimum
thresholds for the effect of a change to an SCI entity's systems on the
entity's capacity, security, and operations, beyond which the SCI
entity would be
required to notify the Commission of the change?
129. Do commenters believe it is appropriate for the Commission to
require a standardized format for disclosing planned material systems
changes on new proposed Form SCI? If not, why not? What would be a
better approach?
130. Are there SCI entities for which the proposed requirements in
Rule 1000(b)(6) would not be appropriate (e.g., not cost-effective)? If so,
please identify such entity or entities, or the characteristics of such
entity or entities, and explain which proposed requirements would be
inappropriate and why. If they are not cost-effective, would that be an
appropriate reason to omit them generally for those SCI entities, or on
a case-by-case basis, as the Commission determines to be consistent
with Exchange Act requirements?
131. How often do SCI entities make material systems changes?
5. Review of Systems
Proposed Rule 1000(b)(7) would require an SCI entity to conduct an
SCI review of the SCI entity's compliance with Regulation SCI not less
than once each calendar year, and submit a report of the SCI review to
senior management of the SCI entity no more than 30 calendar days after
completion of such SCI review. Proposed Rule 1000(a) would define the
term ``SCI review'' to mean a review, following established procedures
and standards, that is performed by objective personnel having
appropriate experience in conducting reviews of SCI systems and SCI
security systems, and which review contains: (1) A risk assessment with
respect to such systems of the SCI entity; and (2) an assessment of
internal control design and effectiveness to include logical and
physical security controls, development processes, and information
technology governance, consistent with industry standards.\248\ In
addition, such review would be required to include penetration test
reviews of the SCI entity's network, firewalls, development, testing
and production systems at a frequency of not less than once every three
years.\249\ The proposed requirement for an annual SCI review would
formalize a practice in place under the current ARP Inspection Program
in which SROs conduct annual systems reviews following established
audit procedures and standards that result in the presentation of a
report to senior SRO management on the recommendations and conclusions
of the review.\250\
---------------------------------------------------------------------------
\248\ See infra discussion of proposed Rule 1000(b)(8). See also
supra publications listed in Table A, Domain: Audit.
\249\ See proposed Rule 1000(a).
\250\ See supra notes 17-21 and accompanying text. Although ARP
policy statements used the term ``independent,'' the Commission is
using the term ``objective'' in proposed Regulation SCI to
distinguish the meaning of ``objective'' from the meaning of
``independent,'' which may be considered a term of art in the
context of financial accounting audits.
---------------------------------------------------------------------------
The risk assessment with respect to an SCI entity's systems and
assessment of internal control design and effectiveness should help an
SCI entity assess the effectiveness of its information technology
practices and determine where to best devote resources, including
identifying instances in which the SCI entity was not in compliance
with the policies and procedures required by proposed Rules 1000(b)(1)
and (2). The penetration test reviews of the SCI entity's network,
firewalls, and development, testing and production systems should help
an SCI entity evaluate the system's security and resiliency in the face
of attempted and successful systems intrusions. In requiring a
frequency of not less than once every three years for penetration test
reviews, the Commission seeks to balance the frequency of such tests
with the costs associated with performing the tests.\251\
---------------------------------------------------------------------------
\251\ See infra Section IV.D.2.d (estimating, among other
things, the cost of conducting SCI reviews, including penetration
test reviews).
---------------------------------------------------------------------------
For such assessments and reviews to be effective, the Commission
preliminarily believes that it is important that they be conducted by
objective personnel having appropriate experience performing such types
of reviews. The Commission is not proposing a definition of the term
``objective,'' but preliminarily believes that to satisfy the criterion
that an SCI review be conducted by ``objective personnel,'' it should
be performed by persons who have not been involved in the development,
testing, or implementation of the systems being reviewed.\252\ The
Commission preliminarily believes that persons who were not involved in
the process for development, testing, or implementation of such systems
would likely be in a better position to identify weaknesses and
deficiencies that were not identified in the development, testing, and
implementation stages. As proposed, the SCI review could be performed
by personnel of the SCI entity (e.g., an SCI entity's internal audit
department) or an external firm with objective personnel.
---------------------------------------------------------------------------
\252\ See also supra ARP II note 1 at 22492 n.9.
---------------------------------------------------------------------------
In addition, proposed Rule 1000(b)(7) would require an SCI entity
to submit a report of the SCI review to senior management of the SCI
entity no more than 30 calendar days after completion of such SCI
review.\253\ The proposed 30-day time frame is based on the
Commission's experience with the current ARP Inspection Program that an
entity is able within 30 calendar days to consider the review and
prepare a report for senior management consideration prior to
submission to the Commission.
---------------------------------------------------------------------------
\253\ This proposed requirement would formalize a recommendation
under the current ARP Inspection Program. See supra note 21 and
accompanying text.
---------------------------------------------------------------------------
Request for Comment
132. The Commission requests comment on all aspects of proposed
Rule 1000(b)(7). Is the proposed definition of ``SCI review''
appropriate? Why or why not? And, if not, what would be an appropriate
definition?
133. Is the proposed scope of the SCI review appropriate? Why or
why not? Is it sufficiently clear? Why or why not? Should the SCI
review include, as proposed in Rule 1000(a), an assessment of internal
control design and effectiveness to include logical and physical
security controls, development processes, and information technology
governance, consistent with industry standards? Why or why not? Should
it include, as proposed in Rule 1000(a), penetration test reviews of
the SCI entity's network, firewalls, development, testing and
production systems? Is the proposed frequency of such penetration test
reviews (i.e., not less than once every three years) appropriate? Why
or why not? Should it be more or less frequent? Why or why not?
134. Do commenters agree with the proposed requirement that the
review be performed by persons with appropriate experience conducting
reviews of SCI systems and SCI security systems? Should the Commission
define how it would evaluate whether a person or persons performing the
review would satisfy the proposed requirement that they have
appropriate systems review experience? Are there any credentials or
specific qualifications that the Commission should require or specify
as meeting the requirement? For example, should the Commission specify
that a review be conducted by a holder of a Certified Information Systems
Auditor (CISA) or GIAC Systems and Network Auditor (GSNA) certification? \254\
---------------------------------------------------------------------------
\254\ For further information regarding these certifications,
see, e.g., http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx and
http://www.giac.org/certifications.
---------------------------------------------------------------------------
135. Should the term ``objective personnel'' be defined or further
clarified? If so, what should be such definition?
136. Are there other elements that should be included in the scope
of the SCI review? If so, which ones? For example, should the review
include an assessment of the systems' compliance with the federal
securities laws and rules and regulations thereunder or the entity's
rules or governing documents as applicable? Why or why not?
137. Under what circumstances do SCI entities presently use outside
consultants or other third parties to review their systems and
controls? When such outside reviews are conducted, what is the scope
and the stated purpose? How do outside reviews compare to internal
reviews by audit or other staff in terms of scope or other factors?
What are the considerations used by SCI entities in determining whether
and when to engage outside consultants? How do commenters generally
view the advantages and disadvantages of internal v. external reviews?
The Commission is not proposing at this time any requirements related
to third party reviews. Should the Commission propose to require that
SCI review be conducted by third parties?
138. What are the current practices of SCI entities with respect to
reviews of their SCI systems and SCI security systems? How often are
such reviews conducted? Who conducts such reviews? What do such reviews
entail? What types of assessments or tests are included in such
reviews? Do such reviews include penetration test reviews? Please
describe.
139. Do commenters agree with the proposal to require an SCI entity
to submit a report of the SCI review to senior management of the SCI
entity no more than 30 calendar days after completion of such SCI
review? Why or why not? Is the 30-day time frame reasonable? Would a
shorter or longer time period be more appropriate, such as 20, 45, or
60 days? If so, what should such a time period be and why? Please
explain.
6. Periodic Reports
Proposed Rule 1000(b)(8)(i) would require an SCI entity to submit
to the Commission a report of the SCI review required by paragraph
(b)(7), together with any response by senior management, within 60
calendar days after its submission to senior management of the SCI
entity.
The proposed requirement to submit a report of the SCI review
required by paragraph (b)(7), together with any response by senior
management, within 60 calendar days after its submission to senior
management of the SCI entity, is designed to ensure that the senior
management of the SCI entity is aware of any issues with its systems
and promptly establishes plans for resolving such issues. The
Commission preliminarily believes that the report would also help
ensure that the Commission and its staff receive the report and any
management response in a timely manner,\255\ would help to ensure that
the Commission is aware of areas that may warrant more focused
attention during its inspections (i.e., areas that an SCI entity would
already have identified for itself through its SCI review), and would
allow the Commission to review the SCI entity's progress in resolving
any systems issues. Further, the proposed requirement to submit the
annual report within 60 calendar days after its submission to senior
management is based on the Commission's experience with the current ARP
Inspection Program that 60 calendar days after completion of an annual
review or report is a sufficient period of time to enable senior
management to consider such review or report before submitting it to
the Commission.
---------------------------------------------------------------------------
\255\ See infra Section III.E.3 and General Instructions to the
Form, explaining that, ``within 60 calendar days after its
submission to senior management of the SCI entity, the SCI entity
shall attach [as Exhibit 5] the report of the SCI review of the SCI
entity's compliance with Regulation SCI, together with any response
by senior management.''
---------------------------------------------------------------------------
In addition, proposed Rule 1000(b)(8)(ii) would require each SCI
entity to submit a report within 30 calendar days after the end of June
and December of each year containing a summary description of the
progress of any material systems change during the six-month period
ending on June 30 or December 31, as the case may be, and the date, or
expected date, of completion of implementation of such changes. The
proposed requirement to submit these semi-annual reports within 30
calendar days of the end of each semi-annual period is designed to
ensure that the Commission would have regularly updated information
with respect to the status of ongoing material systems changes that
were originally reported pursuant to proposed Rule 1000(b)(6).\256\
This proposed requirement would formalize a practice in place under the
current ARP Inspection Program in which senior information technology,
audit, and compliance staff of certain SROs prepare such reports in
advance of meeting with Commission staff periodically throughout the
year to present and discuss recently completed systems projects and
proposed systems projects. Further, the proposed requirement to submit
the semi-annual report within 30 calendar days after the end of the
applicable semi-annual period is based on the Commission's experience
with the current ARP Inspection Program that 30 calendar days after
completion of a report is a sufficient time period to enable senior
management to consider such report before submitting it to the
Commission. The Commission is proposing to require these reports to be
submitted to the Commission on a semi-annual basis because the proposal
would separately require information relating to planned material
systems changes to be submitted (absent exigent circumstances or when
information regarding any planned material systems change becomes
materially inaccurate) at least 30 calendar days before their
implementation \257\ and thus requiring an ongoing summary report more
frequently would not, in the Commission's preliminary view, be
necessary. On the other hand, the Commission is concerned that a longer
period of time (such as on an annual basis) would permit significant
updates and milestones relating to systems changes to occur without
notice to the Commission.
---------------------------------------------------------------------------
\256\ As discussed above in supra Section III.C.4, proposed Rule
1000(b)(6)(ii) would require SCI entities to provide the Commission
with an update if the information it previously provided to the
Commission regarding any planned material systems change had become
materially inaccurate.
\257\ See proposed Rule 1000(b)(6); see supra notes 244-247 and
accompanying text.
---------------------------------------------------------------------------
Pursuant to proposed Rule 1000(b)(8)(iii), the reports required to
be submitted to the Commission by proposed Rule 1000(b)(8) would be
required to be submitted electronically as prescribed in Form SCI and
the instructions thereto.\258\
---------------------------------------------------------------------------
\258\ See infra Section III.E discussing new proposed Form SCI
and its contemplated use by SCI entities to submit reports and other
required information to the Commission electronically in a
standardized format with attachments when and as required.
---------------------------------------------------------------------------
Request for Comment
140. Do commenters believe it would be appropriate to require SCI
entities to submit a report of an SCI review to the Commission within
60 calendar days of its submission to senior management of the SCI
entity? Should the Commission lengthen or shorten the time period for
submission? Why or why not? If so, what is an appropriate period?
141. Is the proposed requirement to submit semi-annual reports on
material systems changes necessary or appropriate? Do commenters
believe it would be appropriate to require each SCI entity to submit a
semi-annual report within 30 calendar days after the end of each semi-
annual period containing a description of the progress of any material
systems change during the applicable semi-annual period and the date,
or expected date, of completion of implementation? Should the
Commission lengthen or shorten the 30-day period for submission? Is the
semi-annual submission requirement appropriate or should these reports
be required to be submitted more or less frequently? If so, please
state what such frequency should be and why.
142. Are there any other reports the Commission should require of
SCI entities? If so, please explain.
143. Are there SCI entities for which the proposed requirements in
Rule 1000(b)(8) would not be cost-effective? If so, please identify
such entity or entities, or the characteristics of such entity or
entities. For proposed requirements that commenters believe would not
be cost-effective, would that be an appropriate reason to omit them
generally for those SCI entities, or on a case-by-case basis, as the
Commission determines to be consistent with Exchange Act requirements?
7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and
Disaster Recovery Plans Testing Requirements for Members or
Participants
The Commission is proposing Rule 1000(b)(9), which would address
testing of SCI entity business continuity and disaster recovery plans,
including backup systems, by SCI entity members or participants.
Specifically, proposed Rule 1000(b)(9)(i) would require an SCI entity,
with respect to its business continuity and disaster recovery plans,
including its backup systems, to require participation by designated
members or participants in scheduled functional and performance testing
of the operation of such plans, in the manner and frequency as
specified by the SCI entity, at least once every 12 months. Proposed
Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate
such testing on an industry- or sector-wide basis with other SCI
entities. Proposed Rule 1000(b)(9)(iii) would require each SCI entity
to designate those members or participants it deems necessary, for the
maintenance of fair and orderly markets in the event of the activation
of its business continuity and disaster recovery plans, to participate
in the testing of such plans. Proposed Rule 1000(b)(9)(iii) would also
require each SCI entity to notify the Commission of such designations
and its standards for designation on Form SCI and promptly update such
notification after any changes to its designations or standards.\259\
---------------------------------------------------------------------------
\259\ The proposed rule does not specify when the Commission
would need to be notified about the designations and standards
because SCI entities would be required to provide an initial
notification at such point as when proposed Regulation SCI were
effective, and subsequent updates only promptly after its
designations and/or standards changed.
---------------------------------------------------------------------------
The Commission preliminarily believes that the testing
participation requirement in proposed Rule 1000(b)(9) would help an SCI
entity to ensure that its efforts to develop effective business
continuity and disaster recovery plans are not undermined by a lack of
participation by its members or participants that the SCI entity
believes would be necessary to the success of such plans if they were
to be put into effect. The Commission further preliminarily believes
that the appropriate standard for measuring whether business
continuity and disaster recovery plans can be activated successfully is
whether such activation would likely result in the maintenance of fair
and orderly markets, a goal Congress found important in adopting
Section 11A of the Exchange Act.\260\
---------------------------------------------------------------------------
\260\ See Section 11A(a)(1)(C) and (a)(2), 15 U.S.C. 78k-
1(a)(1)(C) and (a)(2).
---------------------------------------------------------------------------
The 2003 Interagency White Paper, which underlies the requirement
in proposed Rule 1000(b)(1)(i)(E) pertaining to business continuity and
disaster recovery plans,\261\ identifies three important business
continuity objectives that would apply to SCI entities: (1) Rapid
recovery and timely resumption of critical operations following a wide-
scale disruption; (2) rapid recovery and timely resumption of critical
operations following the loss or inaccessibility of staff in at least
one major operating location; and (3) a high level of confidence,
through ongoing use or robust testing, that critical internal and
external continuity arrangements are effective and compatible.\262\ The
2003 Interagency White Paper also states that it is a ``sound
practice'' for organizations to ``routinely use or test recovery and
resumption arrangements.'' \263\ Further, the Commission's 2003 Policy
Statement on Business Continuity Planning for Trading Markets states,
among other things, that market centers, including SROs, are to: (1)
Have in place a business continuity plan that anticipates the
resumption of trading in the securities traded by that market no later
than the next business day following a wide-scale disruption; (2)
maintain appropriate geographic diversity between primary and back-up
sites in order to assure resumption of trading activities by the next
business day; and (3) confirm the effectiveness of the backup
arrangements through testing.\264\ SCI entities that currently
participate in the ARP Inspection Program are familiar with the
standards identified in the 2003 Interagency White Paper and the
Commission's 2003 Policy Statement on Business Continuity Planning for
Trading Markets.
---------------------------------------------------------------------------
\261\ The 2003 Interagency White Paper is included in Table A as
a proposed SCI industry standard. See supra Section III.C.1.b.
\262\ See supra note 195.
\263\ See id.
\264\ See supra notes 32 and 196.
---------------------------------------------------------------------------
As noted above,\265\ the experience of the equities and options
markets in the wake of Superstorm Sandy demonstrates the importance of
not only an SCI entity itself being able to operate following an event
that triggers its business continuity and disaster recovery plans, but
also that the members or participants of the SCI entity be able to
conduct business with such SCI entity when its business continuity and
disaster recovery plans have been activated. The Commission
preliminarily believes that, even if an SCI entity is able to operate
following an event that triggers its business continuity and disaster
recovery plans, unless there is effective participation by certain of
its members or participants in the testing of such plans, the objective
of ensuring resilient and available markets in general,\266\ and the
maintenance of fair and orderly markets in particular, would not be
achieved. Accordingly, the Commission preliminarily believes that it is
appropriate to require SCI entities to designate members or
participants they believe are necessary to the successful activation of
their business continuity and disaster recovery plans, including backup
systems, and require them to participate in the testing of such plans.
---------------------------------------------------------------------------
\265\ See supra notes 78-83 and accompanying text.
\266\ See proposed Rule 1000(b)(1) (requiring SCI entities to
have policies and procedures relating to, among other things,
resiliency and availability) and supra Section III.C.1.
---------------------------------------------------------------------------
Under the proposed rule, each SCI entity would need to schedule,
and require its designated members or participants to participate in,
scheduled ``functional and performance testing'' \267\ of the entity's
business continuity and
[[Page 18126]]
disaster recovery plans. Such functional and performance testing should
include not only testing of connectivity, but also testing of an SCI
entity's systems, such as order entry, execution, clearance and
settlement, order routing, and the transmission and/or receipt of
market data, as applicable, to determine if they can operate as
contemplated by its business continuity and disaster recovery plans.
---------------------------------------------------------------------------
\267\ As commonly understood, functional testing examines
whether a system operates in accordance with its specifications,
whereas performance testing examines whether a system is able to
perform under a particular workload.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(9)(i) would require that testing of an SCI
entity's business continuity and disaster recovery plans occur at least
once every 12 months. This proposed requirement reflects the
Commission's preliminary view that the testing of business continuity
and disaster recovery plans, including backup systems, must occur
regularly if such plans are to be effective when an actual disaster or
disruption occurs. The Commission preliminarily believes that its
proposed required testing frequency of at least once every 12 months is
the minimum frequency that would be consistent with seeking to ensure
that testing is meaningful and effective.\268\ However, the proposed
rule would not prevent an SCI entity from conducting testing and
requiring participation by members or participants in such testing more
frequently than once every 12 months, if the SCI entity believes it is
necessary or if, for example, it materially modifies its business
continuity and disaster recovery plans.
---------------------------------------------------------------------------
\268\ Consistent with the frequency of testing under proposed
Rule 1000(b)(9), the Securities Industry and Financial Markets
Association coordinates an industry-wide business continuity test
each year in October. See http://www.sifma.org/services/bcp/industry-testing. See also supra notes 81-82 and accompanying text.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(9)(i) would also provide an SCI entity with
discretion to determine the precise manner and content of the testing.
Thus, for example, the SCI entity would have discretion to determine
the duration of the testing, the sample size of transactions tested,
the scenarios tested, and the scope of the test.
The Commission preliminarily believes that SCI entities are in the best
position to structure the details of the test in a way that would
maximize its utility.
Although proposed Rule 1000(b)(9)(i) would give SCI entities
discretion to determine the precise manner and content of the testing,
the Commission is also proposing Rule 1000(b)(9)(ii), which would
require an SCI entity to coordinate its testing on an industry- or
sector-wide basis with other SCI entities.\269\ The proposed
coordination requirement is designed to enhance the value of testing by
requiring SCI entities to work together to schedule and conduct the
testing in as efficient and effective a manner as possible. Given that
trading in the U.S. securities markets today is dispersed among a wide
variety of exchanges, ATSs, and other trading venues, and is often
conducted through sophisticated algorithmic trading strategies that
access many trading platforms simultaneously, the Commission
preliminarily believes that requiring SCI entities to coordinate
testing is necessary to ensure the goal of achieving robust and
effective business continuity and disaster recovery plans, because it
would result in testing under more realistic market conditions. In
addition, the Commission is cognizant that situations that trigger
implementation of an SCI entity's business continuity and disaster
recovery plans are often not limited in scope to a single SCI entity,
but may affect multiple, or even all, SCI entities at the same time.
Thus, proposed Rule 1000(b)(9)(ii)'s requirement is designed to foster
better coordination and cooperation across the securities industry such
that the markets, investors, and all market participants may benefit
from more efficient and meaningful testing. Further, the Commission
preliminarily believes that it would be more cost-effective for market
participants to participate in the testing of the business continuity
and disaster recovery plans of SCI entities on an industry- or sector-
wide basis because such coordination would likely reduce duplicative
testing efforts.
---------------------------------------------------------------------------
\269\ Thus, to satisfy the requirement of proposed Rule
1000(b)(9)(ii), an SCI entity could coordinate its testing with all
SCI entities, or an appropriate subset of them, such as by asset
class(es) (NMS stocks, non-NMS stocks, municipal debt, corporate
bonds, options) or type of SCI entity (national securities
exchanges, clearing agencies, plan processors).
---------------------------------------------------------------------------
While proposed Rule 1000(b)(9)(ii) would require SCI entities to
coordinate testing on an industry- or sector-wide basis, it would
provide discretion to SCI entities to determine how to best meet this
requirement because the Commission preliminarily believes that SCI
entities currently are best suited to find the most efficient and
effective way to test. Of course, as noted above, each SCI entity may
require its members or participants to participate in additional
testing beyond the industry- or sector-wide testing under proposed Rule
1000(b)(9)(ii).
Proposed Rule 1000(b)(9)(iii) would require each SCI entity to
designate those members or participants it deems necessary, for the
maintenance of fair and orderly markets in the event of the activation
of its business continuity and disaster recovery plans, to participate
in the testing of such plans. In addition, proposed Rule
1000(b)(9)(iii) would require each SCI entity to provide to the
Commission on Form SCI its standards for determining which members or
participants are necessary for the maintenance of fair and orderly
markets in the event of the activation of its business continuity and
disaster recovery plans and promptly update such notification following
any changes to such standards. The Commission believes that the
viability of an SCI entity's business continuity and disaster recovery
plans, and the usefulness of its backup systems, depend upon the
ability of such members or participants to be ready, able, and willing
to use such systems during an actual disaster or disruption. The
proposal to require designated members or participants to test
such plans in advance reflects the Commission's
preliminary view that the proposed testing would enhance the value of
SCI entities' business continuity and disaster recovery plans, and
thereby advance the goal of achieving resilient and available
markets.\270\
---------------------------------------------------------------------------
\270\ See supra note 266.
---------------------------------------------------------------------------
For SCI SROs, proposed Rule 1000(b)(9)(iii) would require SRO rules
pursuant to Section 19(b) of the Exchange Act, setting forth the
standards for designation. For an SCI ATS or an exempt clearing agency
subject to ARP, the requirement in proposed Rule 1000(b)(9)(iii) would
be satisfied by setting forth such standards in its internal
procedures, as well as any subscriber or similar agreement, as
applicable. For an SCI entity that is a plan processor, proposed Rule
1000(b)(9)(iii) would require an amendment to the applicable SCI Plan
pursuant to Rule 608 of Regulation NMS, setting forth such standards.
Further, proposed Rule 1000(b)(9)(iii) would require each SCI entity to
provide to the Commission on Form SCI the list of designated members or
participants and promptly update such notification following any
changes to the designations.\271\
---------------------------------------------------------------------------
\271\ As discussed in infra Section III.E, Form SCI would also
require SCI entities to attach the relevant provision of their rules
(for SCI SROs), SCI Plans (for plan processors) or subscriber or
similar agreements (for SCI ATSs and exempt clearing agencies
subject to ARP) that require designated members or participants to
participate in the testing required by proposed Rule 1000(b)(9).
---------------------------------------------------------------------------
Request for Comment
144. The Commission requests comment generally on proposed Rule
1000(b)(9).
[[Page 18127]]
145. Do commenters believe the proposal to require an SCI entity,
with respect to its business continuity and disaster recovery plans,
including its backup systems, to require participation by designated
members or participants in scheduled functional and performance testing
of the operation of such plans, in the manner and frequency as
specified by the SCI entity, is appropriate? Why or why not? Is the
proposed requirement that SCI entities require participation in
``functional and performance testing'' appropriate? Why or why not? Is
the term ``functional and performance testing'' clear? If not, why not
and what would be a better description of the nature of the proposed
required testing?
146. Do commenters believe it is appropriate to require that such
testing occur at least once every 12 months? Why or why not? Would
another minimum interval for such testing, such as every two years,
semi-annually, or quarterly, be more appropriate? Please explain. Would it
be appropriate to also require such testing to occur following a
material change to the SCI entity's business continuity and disaster
recovery plans? Why or why not? If yes, would it be appropriate to
require such testing within 90 days of the material change? Why or why
not? Would another time period be more appropriate? If so, what should
such time period be?
147. Should the Commission give SCI entities discretion in
designating the members or participants that must participate in the
testing of the business continuity and disaster recovery plans? Why or
why not? Should the Commission instead specify standards for such
designation? If so, what should the standards be based on? For example,
should the standards be based on the size, volume traded or cleared,
and/or geographic proximity of a member or participant to the SCI
entity's backup systems? Why or why not? Should only members or
participants that execute or clear transactions above a certain volume
threshold and/or that account for a certain percentage of trading
volume on the SCI entity be required to participate? Why or why not? If
so, what should be such threshold or thresholds (e.g., 0.5 percent, 1
percent, 5 percent)? Should an SCI entity be required to mandate
participation in testing by some other subset of members or
participants? For example, should such subset comprise members or
participants that account for a certain percentage of trading in each
or all of the equities, options, or fixed-income markets traded through
the SCI entity? Why or why not? If so, what should be such threshold
(e.g., 0.5 percent, 1 percent, 5 percent)? Or, should testing be
mandated only for certain types of market participants (e.g., market
makers, clearing broker-dealers, retail broker-dealers)? If so, for
which types of market participants should testing be mandatory and why?
Please explain. Alternatively, should all members or participants of an
SCI entity (or certain types of SCI entities, e.g., plan processors) be
required to participate in the testing of its business continuity and
disaster recovery plans? Why or why not?
148. Do commenters believe those members or participants that would
likely be designated by SCI entities under proposed Rule
1000(b)(9)(iii) currently have the ability, including the
infrastructure, to participate in the required testing? Do commenters
believe all members or participants of SCI entities currently have the
ability, including the infrastructure, to participate in such testing?
What would be the costs and benefits to a member or participant of an
SCI entity to participate in such testing, including for such member or
participant to establish and maintain connectivity to an SCI entity's
backup systems? What would be the economic effect of this proposed
rule, particularly with regard to a member or participant? Please
describe in detail and provide data to support your views if possible.
149. Should an SCI entity be required to notify the Commission on
Form SCI of its standards for designating members or participants for
testing and its list of designated members or participants? Why or why
not? Should an SCI entity be required to promptly update such
Commission notification if its standards for designation or list of
designated members or participants change? Why or why not? Is there a
more appropriate time period for updating Commission notifications
(e.g., 7 days following a change, 30 days following a change,
quarterly)? Please explain.
150. Proposed Rule 1000(b)(9)(i) would require each SCI entity to
mandate participation by designated members or participants in
``functional and performance testing'' of its business continuity and
disaster recovery plans, including its backup systems, but would leave
to the discretion of the SCI entity the details regarding the manner of
testing. Should the Commission be more prescriptive with respect to
such testing? For example, should the Commission require that SCI
entities periodically operate from their backup facilities during
regular trading hours? Why or why not? Please explain. Are there other
details that the Commission should prescribe in relation to the
proposed rule? If so, please explain.
151. Proposed Rule 1000(b)(9)(ii) would require SCI entities to
coordinate testing on an industry- or sector-wide basis, but would not
specify how or the parameters. Do commenters believe it is appropriate
to leave such discretion to SCI entities? Why or why not? Are the terms
``industry-wide'' and ``sector-wide'' clear? Should the Commission
define these terms? If so, what would be appropriate definitions? Would
such an approach foster the creation of meaningful, efficient testing
of business continuity and disaster recovery plans across SCI entities
and their members or participants? Why or why not? If not, what would
be a more appropriate approach? Should the Commission require a minimum
number of SCI entities needed to satisfy the coordination requirement
of proposed Rule 1000(b)(9)(ii)? Or should that requirement only be
satisfied if all SCI entities (or all SCI entities within a sector of
the industry) participate? Why or why not? Should the Commission
mandate a minimum list of actions that SCI entities must take to
satisfy the requirement of proposed Rule 1000(b)(9)(ii)? If so, what
actions should be required and why? If not, why not?
152. Should the Commission require SCI entities to submit reports
on the results of their testing of business continuity and disaster
recovery plans or reports of any systems testing that was not
successful? If not, why not? If so, should such reports be required to
be submitted within a specified time frame or in a specified manner or
format? Please explain. In addition, should the Commission require SCI
entities to submit reports on systems testing opportunities required of
or made available to members or subscribers and the extent to which
such members or subscribers participate in such opportunities?
153. Would proposed Rule 1000(b)(9) enhance investor confidence in
the integrity of the U.S. securities markets? Why or why not? Please
explain. What would be the costs associated with proposed Rule
1000(b)(9)? What would be the benefits? Please be specific. What would
be the potential competitive impacts of proposed Rule 1000(b)(9),
including impacts on small members or small participants? To the extent
possible, please provide data to support your views.
154. To help ensure that the goals of an SCI entity's business
continuity and disaster recovery plans are achieved, should the
Commission impose other requirements (in addition to the mandatory
testing participation
[[Page 18128]]
requirement in proposed Rule 1000(b)(9)) on the members or participants
of SCI entities? \272\ For example, proposed Rule 1000(b)(1)(i)(E)
would require that an SCI entity's business continuity and disaster
recovery plans allow for ``maintaining backup and recovery capabilities
sufficiently resilient and geographically diverse to ensure next
business day resumption of trading.'' Should the Commission require SCI
entities to mandate that some or all of their members or participants
be able to meet the next business day resumption of trading standards
for SCI entities in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If
not all, which members or participants should be required to meet such
resumption of trading standards? For example, should an SCI entity
require members or participants that execute transactions above a
certain volume threshold and/or that account for a certain percentage
of trading on the SCI entity to meet such resumption of trading
standards? Why or why not? If so, what should be such threshold or
thresholds?
---------------------------------------------------------------------------
\272\ See also infra Section III.G (soliciting comment on
whether broker-dealers, other than SCI ATSs, should be subject to
some or all of the additional system safeguard rules that are
proposed for SCI entities).
---------------------------------------------------------------------------
155. Are there other requirements that SCI entities should mandate
for their members or participants to help SCI entities meet their
obligations under proposed Regulation SCI? If so, what are they? Please
describe. For example, should the Commission also require each SCI
entity to mandate that its members or participants maintain continuous
connectivity with the SCI entity's backup data centers? Why or why not?
If not all, which members or participants should be required to
maintain continuous connectivity with the SCI entity's backup data
centers? For example, should an SCI entity require members or
participants designated under proposed Rule 1000(b)(9)(iii), or that
execute transactions above a certain volume threshold and/or that
account for a certain percentage of trading on the SCI entity, to
maintain such connectivity? Why or why not? If so, what should be such
threshold or thresholds?
D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing on Form
SCI, and Access
1. Recordkeeping Requirements
The Commission notes that many SCI entities are already subject to
recordkeeping requirements,\273\ but that records relating to systems
review and testing may not be specifically addressed in certain current
recordkeeping rules. Accordingly, the Commission is proposing Rule
1000(c) to specifically address recordkeeping requirements for SCI
entities with respect to records relating to Regulation SCI compliance.
---------------------------------------------------------------------------
\273\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17
CFR 240.17a-3, 17a-4, applicable to broker-dealers; and 17 CFR
242.301-303, applicable to ATSs.
It has been the experience of the Commission that SCI entities
presently subject to the ARP Inspection Program (nearly all of whom
are SCI SROs that are also subject to the record keeping
requirements of Rule 17a-1(a)) do generally keep and preserve the
types of records that would be subject to the requirements of
proposed Rule 1000(c). Nevertheless, the Commission preliminarily
believes that Regulation SCI's codification of these preservation
practices will support an accurate, timely, and efficient inspection
and examination process and help ensure that all types of SCI
entities keep and preserve such records.
---------------------------------------------------------------------------
Proposed Rule 1000(c)(1) would require each SCI SRO to make, keep,
and preserve all documents relating to its compliance with Regulation
SCI, as prescribed by Rule 17a-1 under the Exchange Act.\274\ Rule 17a-
1(a) under the Exchange Act requires every national securities
exchange, national securities association, registered clearing agency,
and the MSRB to keep and preserve at least one copy of all documents,
including all correspondence, memoranda, papers, books, notices,
accounts, and other such records as shall be made and received by it in
the course of its business as such and in the conduct of its self-
regulatory activity.\275\ In addition, Rule 17a-1(b) requires these
entities to keep all such documents for a period of not less than five
years, the first two years in an easily accessible place, subject to
the destruction and disposition provisions of Rule 17a-6.\276\ Rule
17a-1(c) requires these entities, upon request of any representative of
the Commission, to promptly furnish to the possession of Commission
representatives copies of any documents required to be kept and
preserved by it pursuant to Rule 17a-1(a) and (b).\277\ The Commission
believes that the breadth of Rule 17a-1 under the Exchange Act is such
that it would require SCI SROs to make, keep, and preserve records
relating to their compliance with proposed Regulation SCI should the
Commission adopt Regulation SCI. Thus, the Commission proposes to
cross-reference Rule 17a-1 in proposed Regulation SCI to be clear that
it intends all SCI entities to be subject to the same recordkeeping
requirements regarding compliance with proposed Regulation SCI.
---------------------------------------------------------------------------
\274\ 17 CFR 240.17a-1.
\275\ See 17 CFR 240.17a-1(a). Such records would, for example,
include copies of incident reports and the results of systems
testing.
\276\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange
Act states: ``Any document kept by or on file with a national
securities exchange, national securities association, registered
clearing agency or the Municipal Securities Rulemaking Board
pursuant to the Act or any rule or regulation thereunder may be
destroyed or otherwise disposed of by such exchange, association,
clearing agency or the Municipal Securities Rulemaking Board at the
end of five years or at such earlier date as is specified in a plan
for the destruction or disposition of any such documents if such
plan has been filed with the Commission by such exchange,
association, clearing agency or the Municipal Securities Rulemaking
Board and has been declared effective by the Commission.'' 17 CFR
240.17a-6(a).
\277\ See 17 CFR 240.17a-1(c).
---------------------------------------------------------------------------
For SCI entities that are not SCI SROs (i.e., SCI ATSs, plan
processors, and exempt clearing agencies subject to ARP), the
Commission is proposing broad recordkeeping requirements relating to
compliance with proposed Regulation SCI that are consistent with those
applicable to SROs under Rule 17a-1 under the Exchange Act. Thus, the
Commission is proposing Rule 1000(c)(2), which would require SCI
entities other than SCI SROs to: (i) Make, keep, and preserve at least
one copy of all documents, including correspondence, memoranda, papers,
books, notices, accounts, and other such records, relating to its
compliance with Regulation SCI, including, but not limited to, records
relating to any changes to its SCI systems and SCI security systems;
(ii) keep all such documents for a period of not less than five years,
the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination; \278\
and (iii) upon request of any representative of the Commission,
promptly furnish to the possession of such representative copies of any
documents required to be kept and preserved by it pursuant to (i) and
(ii) above.
---------------------------------------------------------------------------
\278\ The proposed five-year and two-year time frames would be
the same as those applicable to SCI SROs pursuant to Rule 17a-1
under the Exchange Act, and the Commission preliminarily believes it
would be appropriate for all SCI entities to be subject to the same
time frame requirements.
---------------------------------------------------------------------------
Proposed Rule 1000(c)(3), applicable to all SCI entities, would
require each SCI entity, upon or immediately prior to ceasing to do
business or ceasing to be registered under the Exchange Act, to take
all necessary action to ensure that records required to be made, kept,
and preserved by proposed Rule 1000(c) would be accessible to the
Commission or its representatives for the remainder of the period
required by proposed Rule 1000(c). For example, an SCI entity could
fulfill its obligations under proposed Rule 1000(c)(3) by delivering
[[Page 18129]]
such records, immediately prior to deregistration, to a repository or
other similar entity and by making all necessary arrangements for such
records to be readily accessible to the Commission or its
representative, for inspection and examination for the duration of the
requirement under proposed Rule 1000(c)(3).
The Commission preliminarily believes that its ability to examine
for and enforce compliance with proposed Regulation SCI could be
hampered if an SCI entity were not required to adequately provide
accessibility for the full proposed retention period. In addition,
while many SCI events may occur, be discovered, and be resolved in a
short time frame, there may be other SCI events that may not be
discovered until months or years after their occurrences, or may take
significant periods of time to fully resolve. In such cases, having an
SCI entity's records available even after it has ceased to do business
or be registered under the Exchange Act would be beneficial. Because
SCI events have the potential to negatively impact investor decisions,
risk exposure, and market efficiency, the Commission also preliminarily
believes that its ability to oversee the securities markets could be
undermined if it is unable to review records to determine the causes
and consequences of one or more SCI events experienced by an SCI entity
that deregisters or ceases to do business. This information would
provide an additional tool to help the Commission reconstruct important
market events and better understand how such events impacted investor
decisions, risk exposure, and market efficiency.
Proposed Rule 1000(e) would provide that, if the records required
to be made or kept by an SCI entity under proposed Regulation SCI were
prepared or maintained by a service bureau or other recordkeeping
service on behalf of the SCI entity, the SCI entity would be required
to ensure that the records are available for review by the Commission
and its representatives by submitting a written undertaking, in a form
acceptable to the Commission, by such service bureau or other
recordkeeping service, signed by a duly authorized person at such
service bureau or other recordkeeping service. The written undertaking
would be required to include an agreement by the service bureau
designed to permit the Commission and its representatives to examine
such records at any time or from time to time during business hours,
and to promptly furnish to the Commission and its representatives true,
correct, and current electronic files in a form acceptable to the
Commission or its representatives or hard copies of any, all, or any
part of such records, upon request, periodically, or continuously and,
in any case, within the same time periods as would apply to the SCI
entity for such records. The preparation or maintenance of records by a
service bureau or other recordkeeping service would not relieve an SCI
entity from its obligation to prepare, maintain, and provide the
Commission and its representatives with access to such records.
Proposed Rule 1000(e) is substantively the same as the requirement
applicable to broker-dealers under Rule 17a-4(i) of the Exchange
Act.\279\
---------------------------------------------------------------------------
\279\ 17 CFR 240.17a-4(i).
---------------------------------------------------------------------------
The Commission is proposing this requirement for SCI entities to
prevent the inability of the Commission to obtain required SCI entity
records because they are held by a third party that may not otherwise
have an obligation to make such records available to the Commission. In
addition, the requirement that SCI entities obtain from such third
parties a written undertaking would help ensure that such service
bureau or other recordkeeping service is aware of this obligation with
respect to records relating to proposed Regulation SCI. The Commission
preliminarily believes that it is appropriate to include this
requirement in proposed Regulation SCI to help ensure that the
Commission would have prompt and efficient access to all required
records, including those housed at a service bureau or any other
recordkeeping service.\280\
---------------------------------------------------------------------------
\280\ See 17 CFR 240.17a-4(i) (records preserved or maintained
by a service bureau).
---------------------------------------------------------------------------
Request for Comment
156. The Commission requests comment on all aspects of proposed
Rule 1000(c). Specifically, do SCI entities currently make, keep, and
preserve the types of records that would be required to be made, kept,
and preserved by proposed Rule 1000(c)? Are there any records that
could be important to make, keep, and preserve that would not be
captured under proposed Rule 1000(c) or the existing recordkeeping
requirements for SROs under Rule 17a-1? If so, please explain and
identify the records. Should any of the records subject to proposed
Rule 1000(c) not be required? If so, please explain and identify the
records. Should the Commission require SCI entities to furnish records
to Commission representatives electronically in a tagged data format
(e.g., XML, XBRL, or similar structured data formats which may be
tagged)? The Commission notes that a tagged data format would have the
benefit of permitting records to be organized and searched more easily,
and thereby enable more efficient analyses, but that there would also
be costs associated with implementing a tagged data format requirement.
Do commenters believe the benefits of using a tagged data format would
justify the costs? Why or why not? Please explain. If so, should any
particular electronic format be mandated? If so, please describe.
157. Should the Commission lengthen or shorten the proposed periods
for SCI entities to keep and preserve records? If so, by how much and
why? Is it appropriate for an SCI entity, prior to ceasing to do
business or ceasing to be regulated under the Exchange Act, to be
required to ensure that its records are accessible in some way to the
Commission and its representatives? Why or why not? What practical
steps do commenters envision an SCI entity taking to comply with this
proposed requirement?
158. The Commission requests comment on all aspects of proposed
Rule 1000(e). Specifically, would the written undertaking required by
proposed Rule 1000(e) be sufficient to help ensure that the Commission
and its representatives would be able to obtain and examine true,
correct, and current records of SCI entities? Why or why not? Are the
provisions of proposed Rule 1000(e) an appropriate means of addressing
any potential problems with access to books and records at service
bureaus? Why or why not? Are there alternatives that the Commission
should consider with respect to recordkeeping requirements for SCI
entities? If so, please explain your reasoning.
2. Electronic Submission of Reports, Notifications, and Other
Communications on Form SCI
Proposed Rule 1000(d) provides that, except with respect to
notifications to the Commission under proposed Rule 1000(b)(4)(i)
(Commission notification of certain SCI events), and oral notifications
to the Commission under proposed Rule 1000(b)(6)(ii) (Commission
notification of certain material systems changes), any notification,
review, description, analysis, or report required to be submitted to
the Commission under proposed Regulation SCI must be submitted
electronically and contain an electronic signature. This proposed
requirement is intended to provide a uniform manner in which the
Commission would receive--and SCI entities would provide--written
[[Page 18130]]
notifications, reviews, descriptions, analyses, or reports made
pursuant to proposed Regulation SCI. The Commission preliminarily
believes that such standardization would guide SCI entities in
completing such submissions and make it easier and more efficient for
them to draft and submit such required reports. Additionally, the
standardization would make it easier and more efficient for the
Commission to promptly review, analyze, and respond, as necessary, to
the information proposed to be provided.\281\ The electronic signature
requirement is consistent with the intention of the Commission to
receive documents that can be readily accessed and processed
electronically.
---------------------------------------------------------------------------
\281\ This proposed requirement is consistent with electronic-
reporting standards set forth in other Commission rules under the
Exchange Act, such as Rule 17a-25 (Electronic Submission of
Securities Transaction Information by Exchange Members, Brokers, and
Dealers). See 17 CFR 240.17a-25.
---------------------------------------------------------------------------
Proposed Rule 1000(d) also would require that submissions by SCI
entities be filed electronically on new proposed Form SCI, in
accordance with the instructions contained in Form SCI.\282\ The
Commission's proposal contemplates the use of an online filing system,
similar to the electronic form filing system (``EFFS'') currently used
by SCI SROs to submit Form 19b-4 filings, through which an SCI entity
would be able to file a completed Form SCI.\283\ Based on the
widespread use and availability of the Internet, the Commission
preliminarily believes that filing Form SCI in an electronic format
would be less burdensome and a more efficient filing process for SCI
entities and the Commission, as it is likely to be less expensive and
cumbersome than mailing and filing paper forms to the Commission.
---------------------------------------------------------------------------
\282\ See proposed Rule 1000(d) and infra Section III.E.
\283\ See Securities Exchange Act Release No. 50486 (October 4,
2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in
filing Form 19b-4).
---------------------------------------------------------------------------
Request for Comment
159. The Commission requests comment on all aspects of proposed
Rule 1000(d). Do commenters believe that the electronic submission
requirement of proposed Rule 1000(d) is appropriate? Alternatively,
would the submission of a required notification, review, description,
analysis, or report via electronic mail to one or more Commission email
addresses be a more appropriate way for the Commission to implement the
proposed requirement? Are there other alternative methods that would be
preferable? If so, please describe. Should there be any additional
security requirements for such communications (e.g., password
protection or encryption)? If so, please describe. Should the
submissions be made in a tagged data format, e.g., XML, XBRL, or
similar structured data formats which may be tagged? The Commission
notes that a tagged data format would have the benefit of permitting
records to be organized and searched more easily, and thereby enable
more efficient analyses, but that there would also be costs associated
with implementing a tagged data format requirement. Do commenters
believe the benefits of using a tagged data format would justify the
costs? Why or why not? Please explain. If so, should any particular
electronic format be mandated? If so, please describe.
3. Access to the Systems of an SCI Entity
Proposed Rule 1000(f) would require SCI entities to provide
Commission representatives reasonable access to their SCI systems and
SCI security systems. Thus, the proposed rule would facilitate the
access of representatives of the Commission to such systems of an SCI
entity either remotely or on site.\284\ Proposed Rule 1000(f) is
intended to be consistent with the Commission's current authority with
respect to access to records generally \285\ and help ensure that
Commission representatives have ready access to the SCI systems and SCI
security systems of SCI entities in order to evaluate an SCI entity's
practices with regard to the requirements of proposed Regulation
SCI.\286\
---------------------------------------------------------------------------
\284\ For example, with access to an SCI entity's SCI systems
and SCI security systems, Commission representatives could test an
SCI entity's firewalls and vulnerability to intrusions.
\285\ See, e.g., Section 17(b) of the Exchange Act which states
that all records of the entities listed in Section 17(a) ``are
subject at any time, or from time to time, to such reasonable
periodic, special, or other examinations by representatives of the
Commission * * * as the Commission * * * deems necessary or
appropriate in the public interest, for the protection of investors,
or otherwise in furtherance of the purposes of [the Exchange Act].''
\286\ See 15 U.S.C. 78q(b). The Commission believes proposed
Rule 1000(f) also is authorized by Sections 11A, 6(b)(1), 15A(b)(2),
and 17A(b)(3)(A) of the Exchange Act, among others. See supra notes
9-11 and accompanying text.
---------------------------------------------------------------------------
Request for Comment
160. The Commission requests comment generally on proposed Rule
1000(f). Are there restrictions that should be placed on the proposed
access that would still allow the Commission and its representatives to
be able to evaluate an SCI entity's practices with regard to the
requirements of proposed Regulation SCI? If so, what should such
restrictions be and why? Please describe.
E. New Proposed Form SCI
The Commission is proposing that the notices, reports, and other
information required to be provided to the Commission pursuant to
proposed Rules 1000(b)(4), (6), (8), and (10) of Regulation SCI be
submitted electronically on new proposed Form SCI. Proposed Form SCI
would solicit information through a series of questions designed to
elicit short-form answers and also would require SCI entities to
provide information and/or reports in narrative form by attaching
specified exhibits. All filings on proposed Form SCI would require that
an SCI entity identify itself and indicate the basis for submitting
Form SCI, whether a: notification or update notification regarding an
SCI event pursuant to proposed Rule 1000(b)(4); notice of a planned
material systems change pursuant to proposed Rule 1000(b)(6);
submission of a required report pursuant to proposed Rule 1000(b)(8);
or notification of an SCI entity's standards for designation of members
or participants to participate in required testing and the identity of
such designated members or participants pursuant to proposed Rule
1000(b)(9). A filing on Form SCI required by proposed Rules 1000(b)(4),
(6), (8), or (9) would require that an SCI entity provide additional
information on attached exhibits, as discussed below.
1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
As discussed above, proposed Rule 1000(b)(4)(i) would require an
SCI entity, upon any responsible SCI personnel becoming aware of a
systems disruption that the SCI entity reasonably estimates would have
a material impact on its operations or on market participants, any
systems compliance issue, or any systems intrusion, to notify the
Commission of such SCI event. Proposed Rule 1000(b)(4)(ii) would
require an SCI entity, upon any responsible SCI personnel becoming
aware of any SCI event, to notify the Commission of the SCI event in
writing within 24 hours. Proposed Rule 1000(b)(4)(iii) would require
continuing written updates on a regular basis, or at such frequency as
reasonably requested by a representative of the Commission, until such
time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv) would
direct an SCI entity to submit the required notifications on Form SCI.
Further, proposed Rule 1000(b)(4)(iv) and new proposed Form SCI would
specify the particular information an
[[Page 18131]]
SCI entity would be required to provide to the Commission to comply
with the Commission notification requirements of proposed Rules
1000(b)(4)(ii) and 1000(b)(4)(iii). As such, proposed Rule 1000(b)(4)
would specify when and how notices would be required to be filed, and
it and new proposed Form SCI would address the content of required
notices.
For a written notification to the Commission of an SCI event under
proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that
an SCI entity indicate that the filing is being made pursuant to
proposed Rule 1000(b)(4)(ii) and provide the following information in a
short, standardized format: (i) Whether the filing is a Rule
1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI
event; (ii) the SCI event type(s) (i.e., systems compliance issue,
systems intrusion, and/or systems disruption); (iii) whether the event
is a systems disruption that the SCI entity reasonably estimates would
have a material impact on its operations or on market participants;
(iv) if so, whether the Commission has been notified of the SCI event;
(v) whether the SCI event has been resolved; (vi) the date/time the SCI
event started; (vii) the duration of the SCI event; (viii) the date and
time when responsible SCI personnel became aware of the SCI event; (ix)
the estimated number of market participants impacted by the SCI event;
(x) the type(s) of systems impacted; \287\ and (xi) if applicable, the
type of systems disruption.\288\ In addition, proposed Form SCI would
require attachment of Exhibit 1, providing a narrative description of
the SCI event, including: (1) A detailed description of the SCI event;
(2) the SCI entity's current assessment of the types and number of
market participants potentially affected by the SCI event; (3) the
potential impact of the SCI event on the market; and (4) the SCI
entity's current assessment of the SCI event, including a discussion of
the SCI entity's determination regarding whether the SCI event is a
dissemination SCI event or not.\289\ In addition, to the extent
available as of the time of the initial notification, Exhibit 1 would
require inclusion of the following information: (1) A description of
the steps the SCI entity is taking, or plans to take, with respect to
the SCI event; (2) the time the SCI event was resolved or timeframe
within which the SCI event is expected to be resolved; (3) a
description of the SCI entity's rule(s) and/or governing documents, as
applicable, that relate to the SCI event; and (4) an analysis of the
parties that may have experienced a loss, whether monetary or
otherwise, due to the SCI event, the number of such parties, and an
estimate of the aggregate amount of such loss.\290\
---------------------------------------------------------------------------
\287\ The types of systems listed on proposed Form SCI track the
types of systems that make up the proposed definitions of ``SCI
system'' and ``SCI security system'' in proposed Rule 1000(a).
\288\ The types of systems disruptions listed on proposed Form
SCI track the provisions of the proposed definition of ``system
disruption'' in proposed Rule 1000(a) and include, with respect to
SCI systems: (1) A failure to maintain service level agreements or
constraints; (2) a disruption of normal operations, including
switchover to back-up equipment with near-term recovery of primary
hardware unlikely; (3) a loss of use of any such system; (4) a loss
of transaction or clearance and settlement data; (5) significant
back-ups or delays in processing; (6) a significant diminution of
ability to disseminate timely and accurate market data; or (7) a
queuing of data between system components or queuing of messages to
or from customers of such duration that normal service delivery is
affected.
\289\ See proposed Rule 1000(b)(4)(iv)(A)(1).
\290\ See proposed Rule 1000(b)(4)(iv)(A)(2).
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(iii) would require an SCI entity to
provide continuing written updates regularly for each SCI event, or at
such frequency as reasonably requested by a representative of the
Commission, until such time as the SCI event is resolved.\291\ Proposed
Form SCI would require that an SCI entity indicate that it is providing
such written update pursuant to Rule 1000(b)(4)(iii) and attach such
update as Exhibit 2 to Form SCI.
---------------------------------------------------------------------------
\291\ See proposed Rule 1000(b)(4)(iv)(B).
---------------------------------------------------------------------------
If any of the foregoing information is not available for inclusion
on Exhibit 1 as of the date of the initial notification, the SCI entity
would be required to provide such information when it becomes available
on Exhibit 2. The information proposed to be required in narrative
format in Exhibit 1, and if applicable, Exhibit 2, is intended to
elicit a fuller description of the SCI event, and would require an SCI
entity to provide detail and context not easily conveyed in short-form
responses.
Proposed Form SCI would further require attachment of Exhibit 3,
providing a copy in pdf or html format of any information disseminated
to date regarding the SCI event to its members or participants or on
the SCI entity's publicly available Web site.\292\
---------------------------------------------------------------------------
\292\ See proposed Rule 1000(b)(4)(iv)(C).
---------------------------------------------------------------------------
The Commission preliminarily believes that the proposed items of
information required to be disclosed by an SCI entity on Exhibit 1
within 24 hours of any of its responsible SCI personnel becoming aware
of an SCI event, or when available, on Exhibit 2, would help the
Commission and its staff quickly assess the nature and scope of an SCI
event, and help the SCI entity identify the appropriate response to the
SCI event, including ways to mitigate the impact of the SCI event on
investors and promote the maintenance of fair and orderly markets.
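The short-form items (i) through (xi) and the exhibit attachments described above lend themselves to the tagged data format the Commission asks about in its requests for comment. The following added example, which is not part of the proposed rule or of any Commission filing system, models a Rule 1000(b)(4)(ii) written notice as a small XML record, checks it against the 24-hour window measured from when responsible SCI personnel became aware of the event, and shows the "organized and searched more easily" benefit by querying several records by event type. Every element name, the event-type strings, the system labels and the sample event are constructed for illustration; the real Form SCI has no schema on this page.

```python
"""Constructed Form SCI-style notice record; element names are assumptions, not an SEC schema."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

# SCI event types named in proposed Rule 1000(b)(4); the tag strings are constructed.
EVENT_TYPES = {"systems_compliance_issue", "systems_intrusion", "systems_disruption"}
NOTICE_WINDOW = timedelta(hours=24)  # written notice is due within 24 hours of awareness


@dataclass
class SciEventNotice:
    """Short-form items (i)-(xi) of a Rule 1000(b)(4)(ii) notice, as listed on the page."""
    filing: str                           # (i) "1000(b)(4)(ii)" notice or "1000(b)(4)(iii)" update
    event_types: set[str]                 # (ii)
    material_disruption: bool             # (iii)
    commission_notified: Optional[bool]   # (iv) only meaningful when (iii) is True
    resolved: bool                        # (v)
    started: datetime                     # (vi)
    duration: Optional[timedelta]         # (vii) None while the event is unresolved
    aware: datetime                       # (viii) when responsible SCI personnel became aware
    participants_impacted: int            # (ix)
    systems_impacted: list[str]           # (x) constructed labels
    disruption_type: Optional[str]        # (xi) only for systems disruptions
    exhibit1: str                         # Exhibit 1 narrative
    exhibit3_urls: list[str] = field(default_factory=list)  # Exhibit 3: information already disseminated


def notice_deadline(n: SciEventNotice) -> datetime:
    """Latest submission time for the written notice under Rule 1000(b)(4)(ii)."""
    return n.aware + NOTICE_WINDOW


def validate(n: SciEventNotice, submitted_at: datetime) -> list[str]:
    """Return the problems found; an empty list means the record is internally consistent."""
    problems = []
    if not n.event_types or not n.event_types <= EVENT_TYPES:
        problems.append("item (ii): event type(s) must be drawn from the Rule 1000(b)(4) types")
    if n.material_disruption and n.commission_notified is None:
        problems.append("item (iv): a material disruption must state whether the Commission was notified")
    if "systems_disruption" in n.event_types and n.disruption_type is None:
        problems.append("item (xi): a systems disruption must give the disruption type")
    if n.resolved and n.duration is None:
        problems.append("item (vii): a resolved event must state its duration")
    if n.aware < n.started:
        problems.append("item (viii): awareness cannot precede the event start")
    if submitted_at > notice_deadline(n):
        problems.append("filing is outside the 24-hour written-notice window")
    if not n.exhibit1.strip():
        problems.append("Exhibit 1 narrative is required")
    return problems


def to_xml(n: SciEventNotice) -> bytes:
    """Serialize the short-form items as a tagged record (constructed element names)."""
    root = ET.Element("SciEventNotice", filing=n.filing)
    for t in sorted(n.event_types):
        ET.SubElement(root, "EventType").text = t
    ET.SubElement(root, "MaterialDisruption").text = str(n.material_disruption).lower()
    if n.commission_notified is not None:
        ET.SubElement(root, "CommissionNotified").text = str(n.commission_notified).lower()
    ET.SubElement(root, "Resolved").text = str(n.resolved).lower()
    ET.SubElement(root, "Started").text = n.started.isoformat()
    if n.duration is not None:
        ET.SubElement(root, "DurationMinutes").text = str(int(n.duration.total_seconds() // 60))
    ET.SubElement(root, "PersonnelAware").text = n.aware.isoformat()
    ET.SubElement(root, "ParticipantsImpacted").text = str(n.participants_impacted)
    for s in n.systems_impacted:
        ET.SubElement(root, "SystemImpacted").text = s
    if n.disruption_type is not None:
        ET.SubElement(root, "DisruptionType").text = n.disruption_type
    ET.SubElement(root, "Exhibit1").text = n.exhibit1
    for u in n.exhibit3_urls:
        ET.SubElement(root, "Exhibit3").text = u
    return ET.tostring(root, encoding="utf-8")


def search_records(records: list[bytes], event_type: str) -> list[str]:
    """Find filings by event type; returns each matching event's start time."""
    hits = []
    for raw in records:
        root = ET.fromstring(raw)
        if any(e.text == event_type for e in root.findall("EventType")):
            hits.append(root.find("Started").text)
    return hits


def sample_notice() -> SciEventNotice:
    """Constructed sample: an intrusion noticed two hours after it began, still unresolved."""
    start = datetime(2013, 3, 25, 9, 30, tzinfo=timezone.utc)
    return SciEventNotice(
        filing="1000(b)(4)(ii)", event_types={"systems_intrusion"},
        material_disruption=False, commission_notified=None, resolved=False,
        started=start, duration=None, aware=start + timedelta(hours=2),
        participants_impacted=0, systems_impacted=["order_routing"], disruption_type=None,
        exhibit1="Unauthorized access to a non-production host was detected; containment is under way.",
    )


if __name__ == "__main__":
    n = sample_notice()
    print("deadline:", notice_deadline(n).isoformat())
    print("problems:", validate(n, n.aware + timedelta(hours=23)))
    print(to_xml(n).decode())
```

The check in `validate` treats item (iv) and item (xi) as conditional on items (iii) and (ii), which is how the page describes them ("if so" and "if applicable"); the deadline is anchored to the awareness time in item (viii), not to the event start in item (vi), because that is the trigger the proposed rule names. Unavailable Exhibit 1 material is simply absent here, matching the rule's allowance for supplying it later on Exhibit 2.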
2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)
Proposed Rule 1000(b)(6) would require an SCI entity to notify the
Commission of planned material systems changes on proposed Form SCI 30
calendar days in advance of such change, unless exigent circumstances
exist or information previously provided regarding a material systems
change has become materially inaccurate, necessitating notice regarding
a material systems change with less than 30 calendar days' notice. To
implement this requirement, proposed Form SCI would require an SCI
entity to indicate on Form SCI that it is filing a planned material
systems change notification, provide the date of the planned material
systems change, indicate whether exigent circumstances exist or if the
information previously provided to the Commission regarding any planned
material systems change has become materially inaccurate, and, if so,
whether the Commission has been notified orally, and attach as Exhibit
4 a description of the planned material systems change as well as the
expected dates of commencement and completion of implementation of such
changes, or, if applicable, a material systems change that has already
been made due to exigent circumstances.
3. Reports Submitted Pursuant to Rule 1000(b)(8)
Proposed Rule 1000(b)(8) would require an SCI entity to submit to
the Commission: (i) A report of the SCI review required by proposed
Rule 1000(b)(7), together with any response by senior management,
within 60 calendar days after submission of the SCI review to senior
management; and (ii) a report within 30 calendar days after the end of
June and December of each year containing a summary description of the
progress of any material systems change during the six-month period
ending on June 30 or December 31, as the case may be, and the date, or
expected date, of completion of implementation of such changes. For
filings of the reports of SCI reviews, proposed Form SCI would require
an SCI entity to indicate on Form SCI that it is filing a report of SCI
review, indicate the date of completion of the SCI review, and date of
submission of the SCI review to senior management of the SCI entity.
The report of the SCI review required by
[[Page 18132]]
proposed Rule 1000(b)(7), together with any response by senior
management, would be required to be submitted as Exhibit 5 to proposed
Form SCI. For filings of the semi-annual reports of material systems
changes, proposed Form SCI would require an SCI entity to indicate on
Form SCI that it is filing a semi-annual report of material systems
changes, and attach the semi-annual report as Exhibit 6 to proposed
Form SCI.
4. Notifications of Member or Participant Designation Standards and
List of Designees Pursuant to Proposed Rule 1000(b)(9)
Proposed Rule 1000(b)(9) would require an SCI entity to notify the
Commission of its standards for designating members or participants it
deems necessary, for the maintenance of fair and orderly markets in the
event of the activation of the SCI entity's business continuity and
disaster recovery plans, to participate in the testing of such plans as
well as a list of members or participants designated in accordance with
such standards, and prompt updates following any changes to such
standards and designations. Form SCI would require such information to
be submitted as Exhibit 7 to Form SCI. Thus, an SCI SRO would be
required to attach any relevant provisions of its rules, an SCI ATS or
exempt clearing agency subject to ARP would be required to attach its
relevant internal processes or other documents, and a plan processor
would be required to attach the relevant provisions of its SCI Plan.
The Commission preliminarily believes that the proposed mechanism
of submitting the reports, notices, and other information required by
proposed Rules 1000(b)(4), (6), (8), and (10) by attaching them as
exhibits to Form SCI would be an efficient manner for providing such
information to the Commission and its staff, and that it would be more
cost-effective for SCI entities as well as the Commission than
requiring the submission in a paper format or using an electronic
method that differs from that proposed.
5. Other Information and Electronic Signature
In addition to the foregoing, proposed Form SCI would require an
SCI entity to provide Commission staff with point of contact
information for systems personnel and regulatory personnel responsible
for addressing an SCI event, including the name, title, telephone
number and email address of such persons. Proposed Form SCI would also
require the SCI entity to designate on the form contact information for
a senior officer of the SCI entity responsible for matters concerning
the submission of such Form SCI. Finally, proposed Form SCI would
require an electronic signature to help ensure the authenticity of the
Form SCI submission. The Commission preliminarily believes these
proposed requirements would expedite communications between Commission
staff and an SCI entity and help to ensure that only personnel
authorized by the SCI entity are submitting required filings and
working with Commission staff to address an SCI event or systems issue
promptly and efficiently.
To the extent that the Commission receives confidential information
pursuant to these reports and submissions, such information would be
kept confidential, subject to the provisions of applicable law.\293\
---------------------------------------------------------------------------
\293\ See, e.g., 5 U.S.C. 552 (Exemption 4 of the Freedom of
Information Act provides an exemption for ``trade secrets and
commercial or financial information obtained from a person and
privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the
Freedom of Information Act provides an exemption for matters that
are ``contained in or related to examination, operating, or
condition reports prepared by, on behalf of, or for the use of an
agency responsible for the regulation or supervision of financial
institutions.'' 5 U.S.C. 552(b)(8)).
---------------------------------------------------------------------------
Request for Comment
161. The Commission requests comment on all aspects of proposed
Form SCI. Do commenters believe proposed Form SCI would capture the
information necessary to assist the Commission in obtaining relevant
information about SCI events to mitigate the effects of such events on
investors and the public? Specifically, do commenters believe that the
proposal to elicit the following information on Form SCI within 24
hours of any responsible SCI personnel becoming aware of an SCI event
is appropriate: (i) Whether the filing is a Rule 1000(b)(4)(ii)
notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the
SCI event type(s) (i.e., systems compliance issue, systems intrusion,
and/or systems disruption); (iii) whether the event is a systems
disruption that the SCI entity reasonably estimates would have a
material impact on its operations or on market participants; (iv) if
so, whether the Commission has been notified of the SCI event; (v)
whether the SCI event has been resolved; (vi) the date/time the SCI
event started; (vii) the duration of the SCI event; (viii) the date and
time when responsible SCI personnel became aware of the SCI event; (ix)
the estimated number of market participants impacted by the SCI event;
(x) the type(s) of systems impacted; and (xi) if applicable, the type
of systems disruption.
162. Do commenters believe that all relevant information relating
to a systems disruption, systems compliance issue, or systems intrusion
would be captured on proposed Form SCI? If not, what additional
information should be included on proposed Form SCI? For example,
should proposed Form SCI require that an SCI entity specifically
identify market participants that may have been affected by the SCI
event? Why or why not?
163. Do commenters believe the proposed information required to be
provided to the Commission regarding SCI events in the 24-hour
notification on Exhibit 1 is appropriate? Do commenters believe that
the proposal to require an update notification on Exhibit 2, and the
information required to be provided for such updates, are appropriate?
Why or why not?
164. Commenters that believe the information proposed to be
required on Form SCI, whether in short form or in narrative form on
proposed Exhibits 1 and 2, is not appropriate should explain their
reasoning and suggest alternatives, as appropriate. Should any
information proposed to be required be eliminated? Should any other
information be required? Please describe and explain.
165. Do commenters believe the required contents of proposed
Exhibit 3 are appropriate (i.e., a copy in pdf or html format of any
information disseminated to an SCI entity's members or participants or
on the SCI entity's publicly available Web site)? If not, why not?
166. Do commenters believe submission of proposed Form SCI and
attachment of Exhibits 4, 5, 6, and 7 regarding material systems
changes, SCI reviews, and notifications of standards for designations
and designees for the testing of an SCI entity's business continuity
and disaster recovery plans, is an appropriate method for SCI entities
to provide this information to the Commission? If not, why not? Should
any information proposed to be required be eliminated? Should any other
information be required? Please explain.
167. Is the proposal to require contact information for systems,
regulatory, and senior officer appropriate? Should any information
proposed to be required be eliminated? Is there any other type of
information that proposed Form SCI should require? Is the proposal to
require an electronic signature appropriate? If not, why not?
168. Would proposed Form SCI contain enough information so that the
Commission and its staff would be able
[[Page 18133]]
to accurately analyze SCI events, material changes to systems, and all
other required filings?
169. Upon receiving information submitted as part of an SCI
entity's electronic filing, it is the Commission's objective that such
information be easily analyzed, searched, and manipulated. The
Commission has designed proposed Form SCI with this objective in mind,
particularly with the uniform requirements on the front of the form.
The Commission, however, is cognizant that certain information,
particularly with respect to the information required on the various
exhibits to the proposed form, may not be as easily analyzed, searched,
or manipulated. The Commission seeks comment as to whether it should
mandate that proposed Form SCI as a whole, including the proposed
exhibits, employ a particular structured data format that would allow
the Commission and its staff to analyze, search, and manipulate the
form's information. At the same time, the Commission recognizes that
employing a particular tagged data format may potentially reduce the
flexibility afforded to such entities to collect and report data in a
manner that is more efficient and cost effective for them. The
Commission requests comments as to whether there may be tagged data
formats that are sufficiently flexible and that are accepted and used
throughout the industry, such as XML, XBRL, or another structured data
format that could be used for proposed Form SCI. Are there different
standard data formats currently in use depending on the type of SCI
entity that would enable the Commission to achieve its goals? If so,
what are they? Should the SCI entity have the flexibility to specify
the acceptable data format for submitting information? Why or why not?
Do commenters have concerns with proposed Regulation SCI requiring the
use of a tagged data format, such as XML, XBRL, or some other
structured data format that may be tagged, to report data? If so, what
are they? Are there any licensing fees or other costs associated with
the use of tagged data formats, such as XML, XBRL, or similar
structured data formats that may be tagged? If so, what action should
the Commission take, if any, to help ensure wide availability of a
common data format by all participants?
F. Request for Comment on Applying Proposed Regulation SCI to Security-
Based Swap Data Repositories and Security-Based Swap Execution
Facilities
On July 21, 2010, the President signed the Dodd-Frank Act into
law.\294\ The Dodd-Frank Act was enacted, among other things, to
promote the financial stability of the United States by improving
accountability and transparency of the nation's financial system.\295\
Title VII of the Dodd-Frank Act provides the Commission and the CFTC
with the authority to regulate over-the-counter (``OTC'') derivatives.
---------------------------------------------------------------------------
\294\ The Dodd-Frank Wall Street Reform and Consumer Protection
Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act'').
\295\ See Public Law 111-203 Preamble.
---------------------------------------------------------------------------
1. Proposed System Safeguard Rules for SB SDRs and SB SEFs
Section 763 of the Dodd-Frank Act amends the Exchange Act by adding
various new statutory provisions to govern the regulation of various
entities, including security-based swap data repositories and security-
based swap execution facilities.\296\ Under the authority of Section
13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of
the Exchange Act, applicable to SB SEFs, the Commission recently
proposed rules for these entities with regard to their automated
systems' capacity, resiliency, and security.\297\ Specifically, in the
SB SDR Proposing Release and the SB SEF Proposing Release,
respectively, the Commission proposed Rule 13n-6 and Rule 822 under the
Exchange Act, which would set forth the requirements for these entities
with regard to their automated systems' capacity, resiliency, and
security.\298\ In each release, the Commission stated that it was
proposing standards comparable to the standards applicable to SROs,
including exchanges and clearing agencies, and other registrants,
pursuant to the Commission's ARP standards.\299\
---------------------------------------------------------------------------
\296\ See Public Law 111-203, Section 763 (adding Sections
13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also
directs the Commission to harmonize to the extent possible
Commission regulation of SB SDRs and SB SEFs with CFTC regulation of
swap data repositories (``SDRs'') and swap execution facilities
(``SEFs'') under the CFTC's jurisdiction, an endeavor that
Commission staff is undertaking as it seeks to move the SB SDR and
SB SEF proposals toward adoption. See Public Law 111-203, Section
712, directing the Commission, before commencing any rulemaking with
regard to SB SDRs or SB SEFs, to consult and coordinate with the
CFTC for purposes of assuring regulatory consistency and
comparability to the extent possible.
\297\ See Securities Exchange Act Release Nos. 63347 (November
19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6
under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing
Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28,
2011) (proposing new Rule 822 under the Exchange Act applicable to
SB SEFs) (``SB SEF Proposing Release,'' together with the SB SDR
Proposing Release, the ``SBS Releases''). See also Public Law 111-
203, Section 761(a) (adding Section 3(a)(75) of the Exchange Act)
(defining the term ``security-based swap data repository''), and
Section 761(a) (adding Section 3(a)(77) of the Exchange Act)
(defining the term ``security-based swap execution facility'').
\298\ See SB SDR Proposing Release and SB SEF Proposing Release,
supra note 297.
\299\ See SB SDR Proposing Release, supra note 293, at 77332 and
SB SEF Proposing Release, supra note 297, at 10987.
---------------------------------------------------------------------------
Proposed Rules 13n-6 and 822, applicable to SB SDRs and SB SEFs,
respectively, would require these entities, ``with respect to those
systems that support or are integrally related to the performance of
its activities'' to ``establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its systems provide
adequate levels of capacity, resiliency, and security.'' \300\ Under
proposed Rules 13n-6 and 822, such policies and procedures, at a
minimum, would require these SB SDRs and SB SEFs to: (i) Establish
reasonable current and future capacity estimates; (ii) conduct periodic
capacity stress tests of critical systems to determine such systems'
ability to process transactions in an accurate, timely, and efficient
manner; (iii) develop and implement reasonable procedures to review and
keep current their system development and testing methodologies; (iv)
review the vulnerability of their systems and data center computer
operations to internal and external threats, physical hazards, and
natural disasters; and (v) establish adequate contingency and disaster
recovery plans.\301\ Proposed Rules 13n-6 and 822 would further require
SB SDRs and SB SEFs to submit, on an annual basis, an ``objective
review'' of their systems to the Commission within 30 calendar days of
its completion; \302\ notify the Commission in writing of material
systems outages; and notify the Commission in writing at least 30
calendar days before implementation of any planned material systems
changes.
---------------------------------------------------------------------------
\300\ See SB SDR Proposing Release, 75 FR 77370 and SB SEF
Proposing Release, 76 FR 11064, supra note 297.
\301\ Id.
\302\ Such review may be performed internally if an external
firm reports on the objectivity, competency, and work performance
with respect to the internal review.
---------------------------------------------------------------------------
To date, the Commission has received two comment letters from one
commenter in response to proposed Rule 13n-6 \303\ and four comment
letters
[[Page 18134]]
in response to proposed Rule 822.\304\ Both comment letters on proposed
Rule 13n-6 expressed support for the proposed rule.\305\ Two commenters
on proposed Rule 822 expressed support for the proposed rule.\306\ Two
other commenters on proposed Rule 822 suggested modifications,
including that the Commission (1) require SB SEFs to establish policies
and procedures reasonably designed to prevent any provision in a valid
swap transaction from being invalidated or modified through the
utilization of, or execution on, a SB SEF; \307\ and (2) provide for
the implementation of the system safeguards requirements on a staged
basis.\308\
---------------------------------------------------------------------------
\303\ See Letter from Larry E. Thompson, General Counsel, The
Depository Trust & Clearing Corporation to Elizabeth M. Murphy,
Secretary, Commission, dated January 24, 2011 (``DTCC SB SDR Letter
1''); and Letter from Larry E. Thompson, General Counsel, Depository
Trust & Clearing Corporation to Mary Schapiro, Chairman, Commission,
dated June 3, 2011 (``DTCC SB SDR Letter 2'').
\304\ See Letter from American Benefits Counsel to Elizabeth M.
Murphy, Secretary, Commission, dated April 8, 2011 (``ABC SB SEF
Letter''); Letter from Nancy C. Gardner, Executive Vice President &
General Counsel, Markets Division, Thomson Reuters to Elizabeth M.
Murphy, Secretary, Commission, dated April 4, 2011 (``Thomson SB SEF
Letter''); Letter from Stephen Merkel, Chairman, Wholesale Markets
Brokers' Association Americas to Elizabeth M. Murphy, Secretary,
Commission, dated April 4, 2011 (``WMBAA SB SEF Letter''); and
Letter from Robert Pickel, Executive Vice Chairman, International
Swaps and Derivatives Association, and Kenneth E. Bentsen, Jr.,
Executive Vice President, Public Policy and Advocacy, Securities
Industry and Financial Markets Association to Elizabeth M. Murphy,
Secretary, Commission, dated April 4, 2011 (``ISDA SIFMA SB SEF
Letter'').
\305\ See DTCC SB SDR Letter 1, supra note 304, at 3; DTCC SB
SDR Letter 2, supra note 304, at 4 (recommending that SB SDRs
``maintain multiple levels of operational redundancy and data
security'').
\306\ See Thomson SB SEF Letter, supra note 304, at 8; WMBAA SB
SEF Letter, supra note 304, at 24.
\307\ See ABC SB SEF Letter, supra note 304, at 10.
\308\ See ISDA SIFMA SB SEF Letter, supra note 304, at 12
(noting that the system safeguard requirements would require time
and systems expertise to implement fully).
---------------------------------------------------------------------------
2. Proposed System Safeguard Rules for SB SDRs and SB SEFs as Compared
to Proposed Regulation SCI
As noted above, proposed Regulation SCI is intended to build upon
and update the Commission's ARP standards,\309\ which were the basis
for proposed Rules 13n-6 and 822 for SB SDRs and SB SEFs, respectively.
Although proposed Rules 13n-6 and 822 have much in common with proposed
Regulation SCI, they differ in scope and detail from proposed
Regulation SCI in a number of ways. Among the differences are certain
provisions in proposed Regulation SCI that proposed Rules 13n-6 and 822
do not include. Specifically, as discussed above, proposed Regulation
SCI would: (i) Define the terms ``SCI systems'' and ``SCI security
systems;'' \310\ (ii) specifically require the establishment,
maintenance, and enforcement of written policies and procedures
reasonably designed to ensure that SCI systems and, for purposes of
security standards, SCI security systems, have levels of capacity,
integrity, resiliency, availability, and security adequate to maintain
an SCI entity's operational capability and promote the maintenance of
fair and orderly markets; \311\ (iii) require SCI entities to establish
policies and procedures regarding standards that result in systems
designed, developed, tested, maintained, operated, and surveilled in a
manner that facilitates the successful collection, processing, and
dissemination of market data; (iv) require SCI entities to establish,
maintain, and enforce reasonably designed written policies and
procedures to ensure that SCI systems operate in the manner intended,
including in a manner that complies with the federal securities laws
and rules and regulations thereunder and, as applicable, the entity's
rules and governing documents; (v) require SCI entities to take
corrective action, including devoting adequate resources, to remedy an
SCI event as soon as reasonably practicable; \312\ (vi) require SCI
entities to have backup and recovery capabilities sufficiently
resilient and geographically diverse to ensure next business day
resumption of trading following a wide scale disruption; (vii) require
an annual SCI review of the SCI entity's compliance with proposed
Regulation SCI and the reporting of such review to the Commission;
(viii) require an SCI entity, with respect to its business continuity
and disaster recovery plans, including its backup systems, to require
participation by designated members or participants in scheduled
functional and performance testing of the operation of such plans at
specified intervals, and to coordinate such required testing with other
SCI entities; (ix) require all SCI events to be reported to the
Commission, and certain types of SCI events to be disseminated to an
SCI entity's members or participants; and (x) establish semi-annual
reporting obligations for planned material systems changes. In
addition, proposed Regulation SCI would establish a system for
submitting required notices, reports, and other information to the
Commission on proposed new Form SCI. Each of these proposed
requirements goes beyond the explicit requirements in proposed Rules
13n-6 and 822.
---------------------------------------------------------------------------
\309\ See supra Sections I and II.
\310\ See proposed Rule 1000(a), which would define ``SCI
systems'' as ``all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity, whether in production, development, or testing, that
directly support trading, clearance and settlement, order routing,
market data, regulation, or surveillance,'' and ``SCI security
systems'' as ``any systems that share network resources with SCI
systems that, if breached, would be reasonably likely to pose a
security threat to SCI systems.''
\311\ While proposed Rule 13n-6 did not specifically include
such a requirement for SB SDRs, the SB SDR Proposing Release stated
that ``[a]s a general matter, the Commission preliminarily believes
that, if an SDR's policies and procedures satisfy industry best
practices standards, then these policies and procedures would be
adequate.'' See SB SDR Proposing Release, supra note 297, at 77333.
See also SB SEF Proposing Release, supra note 297, at 10988.
\312\ See proposed Rule 1000(a), defining ``SCI event'' as an
event at an SCI entity that constitutes: (1) A systems disruption;
(2) a systems compliance issue; or (3) a systems intrusion.
---------------------------------------------------------------------------
3. Consideration of Applying the Requirements of Proposed Regulation
SCI to SB SDRs and/or SB SEFs
If the Commission were to adopt Rules 13n-6 and 822 as proposed in
the SBS Releases and also adopt Regulation SCI as proposed herein,
there would be differences, as noted above, between the obligations
imposed on SB SDRs and SB SEFs with respect to system safeguards on the
one hand and the obligations imposed on SCI entities on the other.
Therefore, the Commission solicits comment on whether it should propose
to apply the requirements of proposed Regulation SCI, in whole or in
part, to SB SDRs and/or SB SEFs. In providing views on whether the
Commission should propose to apply proposed Regulation SCI to SB SDRs
and/or SB SEFs, commenters are encouraged to consider the discussion
regarding each provision of proposed Regulation SCI that is set forth
in Sections III.B through III.E above. Should the Commission decide
to propose to apply the requirements of proposed Regulation SCI to such
entities, the Commission would issue a separate release discussing such
a proposal.
In enacting Title VII of the Dodd-Frank Act, Congress judged it
important to increase the transparency and oversight of the OTC
derivatives market. In addition, in proposing Regulation SB SEF, the
Commission noted that SB SEFs are intended to ``lead to a more robust,
transparent, and competitive environment for the market for security-
based swaps (``SBS'' or ``SB swaps'').'' \313\ Similarly, in proposing
rules for SB SDRs, the Commission
[[Page 18135]]
noted that ``SDRs may be especially critical during times of market
turmoil, both by giving relevant authorities information to help limit
systemic risk and by promoting stability through enhanced
transparency'' and that, ``[b]y enhancing stability in the SBS market,
SDRs may also indirectly enhance stability across markets, including
equities and bond markets.'' \314\
---------------------------------------------------------------------------
\313\ See SB SEF Proposing Release, supra note 297, at 11035.
\314\ See SB SDR Proposing Release, supra note 297, at 77307.
---------------------------------------------------------------------------
The Commission notes that it may or may not be appropriate to apply
the requirements of proposed Regulation SCI to SB SDRs and SB SEFs. In
particular, SB SDRs will play an important role in limiting systemic
risk and promoting the stability of the SBS market. SB SDRs also would
serve as information disseminators \315\ in a manner similar to plan
processors in the equities and options markets that, under this
proposal, would be subject to the requirements of proposed Regulation
SCI. SB SEFs would function as trading markets, and in that respect
could be viewed as analogous to national securities exchanges and SCI
ATSs, both of which function as trading markets and are included in the
proposed definition of SCI entity.\316\ The Commission preliminarily
believes that the same types of concerns and issues that have resulted
in the Commission previously publishing its ARP policy statements,\317\
developing its ARP Inspection Program,\318\ adopting certain aspects of
the ARP policy statements under Regulation ATS,\319\ and, ultimately,
proposing Regulation SCI,\320\ may similarly apply to SB SDRs and SB
SEFs. In proposing Rule 13n-6, the Commission noted that systems
failures can limit access to data, call into question the integrity of
data, and prevent market participants from being able to report
transaction data, and thereby have a large impact on market confidence,
risk exposure, and market efficiency.\321\ Similarly, in proposing Rule
822, the Commission noted that the proposed system safeguard
requirements for SB SEFs are designed to prevent and minimize the
impact of systems failures that might negatively impact the stability
of the SB swaps market.\322\ At the same time, because the Commission
recognizes that there may be differences between the markets for the
types of securities that would be covered by proposed Regulation SCI
and the SBS market, including differing levels of automation and stages
of regulatory development, the Commission requests comment on whether
it would be appropriate to propose to apply the requirements of
proposed Regulation SCI to SB SDRs and/or SB SEFs. As discussed further
below, the Commission also requests comment on whether, if commenters
believe proposed Regulation SCI should apply to SB SDRs and/or SB SEFs,
the system safeguard rules currently proposed for SB SDRs and SB SEFs
in the SBS Releases should, if adopted, be replaced, at some point in
the future, by the requirements proposed in this release and, if so,
how.
---------------------------------------------------------------------------
\315\ See Securities Exchange Act Release No. 63346 (November
19, 2010), 75 FR 75208, 75227 (December 2, 2010) (proposing
Regulation SBSR).
\316\ See SB SEF Proposing Release, supra note 297, at 10987,
n.246 (``Because SB SEFs would be an integral part of the market for
SB swaps, and therefore an integral part of the national market
system, the Commission believes that it is appropriate to model a SB
SEF's rules on system safeguards on ARP.'').
\317\ See supra notes 1 and 12-18 and accompanying text.
\318\ See supra notes 25-26 and accompanying text.
\319\ See supra note 26 and accompanying text.
\320\ See supra Section I.B.
\321\ See SB SDR Proposing Release, supra note 297, at 77332.
\322\ See SB SEF Proposing Release, supra note 297, at 10987.
---------------------------------------------------------------------------
170. Are the SBS markets sufficiently similar to the markets within
which the proposed SCI entities operate such that it would be
appropriate to apply the same system safeguard requirements to SB SDRs
and/or SB SEFs that would be applicable to SCI entities? Why or why
not? Do commenters believe that there are characteristics of the SBS
markets that the Commission should consider to support its applying
different system safeguard rules to SB SDRs and/or SB SEFs than to SCI
entities? If so, what are those characteristics, and why should
different rules apply to SB SDRs and/or SB SEFs? If not, why not?
171. If the Commission were to propose to apply some or all of the
provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, should
the Commission propose to apply the provisions of proposed Regulation
SCI differently to SB SDRs versus SB SEFs? For example, should the
Commission propose to apply some or all of the provisions of proposed
Regulation SCI to SB SDRs but not SB SEFs or vice versa? Why or why
not?
172. What effect, if any, would result from SB SDRs and/or SB SEFs
being subject to different system safeguard rules than those proposed
for SCI entities? Would there be any short term and/or long term impact
of SB SDRs and/or SB SEFs being subject to different system safeguard
rules than those proposed for SCI entities? For example, if SB SEFs
were subject to different system safeguard rules than those proposed
for SCI entities, would there be an impact on competition between SB
SEFs and national securities exchanges that trade SB swaps? Please
describe any expected impact on competition. Are there any provisions
in proposed Regulation SCI that, if applied to SB SEFs, would create
barriers to entry that could preclude small SB SEFs (e.g., those that
do not exceed a specified volume or liquidity threshold) from entering
the SBS market?
173. The Commission also requests comment on whether it should
propose to apply all provisions of proposed Regulation SCI to SB SDRs
and/or SB SEFs or just those provisions comparable to the proposed
system safeguard rules for SB SDRs or SB SEFs.
174. Should the Commission, if it were to propose to apply some or
all of the provisions of proposed Regulation SCI to SB SDRs and/or SB
SEFs, propose that SB SEFs and/or SB SDRs have written policies and
procedures reasonably designed to ensure that their SCI systems and,
for purposes of security standards, SCI security systems, have levels
of capacity, integrity, resiliency, availability, and security,
adequate to maintain their operational capability and promote the
maintenance of fair and orderly markets? Why or why not? If the
Commission were to propose such a requirement for SB SDRs and/or SB
SEFs, should SCI industry standards for SB SDRs and/or SB SEFs be
different from those proposed for SCI entities? If so, please explain
why. What are the industry standards that should apply to SB SEFs and/
or SB SDRs? Please be as specific as possible and explain why a
particular industry standard would be appropriate.
175. Do the characteristics of the SBS market support a need for a
mandatory requirement that SB SDRs and/or SB SEFs maintain backup and
recovery capabilities sufficiently resilient and geographically diverse
to ensure next business day resumption of trading (for SB SEFs) or data
repository services (for SB SDRs) following a wide scale disruption?
Why or why not?
176. Should the Commission propose to require SB SEFs and/or SB
SDRs to establish written policies and procedures regarding standards
that result in systems designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data? Why or why
not?
177. Should the Commission propose to require SB SEFs and/or SB
SDRs to establish, maintain, and enforce policies and procedures
reasonably designed to ensure that their SCI systems operate in the
manner intended, including in a
[[Page 18136]]
manner that complies with federal securities laws and rules and
regulations thereunder and, as applicable, the entity's rules and
governing documents, as proposed for SCI entities in Rule
1000(b)(2)(i)? Why or why not? Should the Commission propose a safe
harbor from liability for SB SEFs and/or SB SDRs and their respective
employees if they satisfy the elements of a safe harbor, similar to
those for SCI entities in proposed Rules 1000(b)(2)(ii) and (iii)? Why
or why not?
178. Should the Commission propose to require SB SEFs and/or SB
SDRs, with respect to their business continuity and disaster recovery
plans, including their backup systems, to require participation by
designated participants in scheduled functional and performance testing
of the operation of such plans at specified intervals, and to
coordinate such required testing with other SB SEFs and/or SB SDRs, as
proposed for SCI entities in Rule 1000(b)(9)? Why or why not?
179. With regard to the reporting and information dissemination
requirements in proposed Rules 1000(b)(4) and 1000(b)(5) of
Regulation SCI, would it be appropriate to propose that an SB SDR and/
or SB SEF be required to report all SCI events to the Commission, and
disseminate information relating to dissemination SCI events to their
participants? Why, or why not? If not, on what basis should SB SDRs
and/or SB SEFs be distinguished from other SCI entities?
180. Should SB SDRs and/or SB SEFs be required to provide notice
of, and file semi-annual reports for, material systems changes with the
Commission, as proposed for SCI entities in Rules 1000(b)(6) and
(b)(8)? Why or why not?
181. Should SB SDRs and/or SB SEFs be required to undertake an
annual SCI review of systems and submit to the Commission a report of
such review, together with any response of senior management, as
proposed for SCI entities in Rule 1000(b)(7) and (8)? Why or why not?
182. Should SB SDRs and/or SB SEFs be required to submit any
required notices, reports, and other information to the Commission on
proposed new Form SCI? Why, or why not?
183. If the Commission were to determine that it would be
appropriate to propose to apply some or all of the requirements of
proposed Regulation SCI to SB SDRs and/or SB SEFs, should the
Commission propose to apply such requirements of proposed Regulation
SCI to all SB SDRs? To all SB SEFs? Are there distinctions that should
be made between different types of SB SDRs (or SB SEFs) such that some
requirements of proposed Regulation SCI might be appropriate for some
SB SDRs (or SB SEFs) but not others? If so, what are those distinctions
and what are those requirements? For example, should any requirements
be based on criteria such as number of transactions or notional volume
reported to a SB SDR or executed on a SB SEF? If so, what would be an
appropriate threshold for any such criteria, and why?
184. Alternatively, given the nascent stage of regulatory
development of the SBS markets, would it be appropriate to create a
category under proposed Regulation SCI such as ``new SB SCI entity''
that would, for example, be applicable to SB SDRs and/or SB SEFs for a
certain period of time after such entities become registered with the
Commission? If so, what period of time would be appropriate (e.g., one
year, three years, or some other period)? Should there be other
criteria for an SB SEF (or SB SDR) to be considered a new SB SCI
entity? If so, what should be the criteria for inclusion? Would market
share, number of transactions, and/or notional volume be appropriate
criteria? If so, at what level should the criteria thresholds be set,
and why? If not, why not? How should the requirements of proposed
Regulation SCI differ for such ``new SB SCI entities?''
185. The Commission notes that, if it were to adopt proposed
Regulation SCI and proposed Rules 13n-6 and 822, the system safeguard
rules applicable to SB SDRs and SB SEFs would diverge from those
applicable to SCI entities, as well as from those the CFTC has adopted
for SDRs and may adopt for SEFs.\323\ What negative effects, if any, do
commenters believe would result from disparity in the: (1) Commission's
system safeguard rules applicable to SB SDRs and/or SB SEFs; (2)
requirements of Regulation SCI applicable to SCI entities; and (3)
CFTC's system safeguard rules applicable to SDRs and SEFs?
---------------------------------------------------------------------------
\323\ As noted above, SDRs and SEFs, entities similar to SB SDRs
and SB SEFs, respectively, are subject to the CFTC's jurisdiction.
The CFTC's system safeguard rules for SDRs, and those proposed for
SEFs, differ from the rules that the Commission is proposing in
Regulation SCI. See 76 FR 54538 (September 1, 2011) (adopting 17 CFR
part 49, Swap Data Repositories: Registration Standards, Duties and
Core Principles, Effective October 31, 2011); 76 FR 1214 (January 7,
2011) (proposing 17 CFR part 37, Core Principles and Other
Requirements for Swap Execution Facilities). For example, for SDRs,
the CFTC requires same day recovery for ``critical SDRs'' whereas
proposed Regulation SCI would require next business day recovery for
trading services (and two-hour recovery for clearing and settlement
services). See CFTC Rule 49.24.
---------------------------------------------------------------------------
186. The Commission seeks commenters' views on all aspects of
whether to propose to apply Regulation SCI to SB SDRs and/or SB SEFs,
taking into account the possibility that any final Commission action on
proposed Rules 13n-6 and 822 could occur prior to any final Commission
action on proposed Regulation SCI. The Commission seeks commenters'
views on whether a proposal to extend the requirements of proposed
Regulation SCI to SB SDRs and/or SB SEFs would be beneficial to help to
promote the integrity, capacity, resiliency, availability, and security
of their systems. The Commission notes that having comparable system
safeguard requirements may be appropriate for SB SDRs and/or SB SEFs
if, as noted above, the same types of concerns and issues that have
resulted in the Commission previously publishing its ARP policy
statements, developing its ARP Inspection Program, adopting certain
aspects of the ARP policy statements under Regulation ATS, and,
ultimately, proposing Regulation SCI, also apply to SB SDRs and/or SB
SEFs.
187. The Commission is particularly interested in commenters' views
on the different benefits and costs associated with applying proposed
Regulation SCI to SB SDRs and/or SB SEFs versus the costs and benefits
of applying proposed Rules 13n-6 and 822 to SB SDRs and SB SEFs,
respectively. In the SBS Proposing Releases, the Commission provided
aggregate estimates of the costs of its proposed rules governing SB
SDRs and SB SEFs. The SB SDR Proposing Release provided an aggregate
initial cost estimate of approximately $214,913,592 to be incurred by
prospective SB SDRs and an aggregate ongoing annualized cost estimate
of approximately $140,302,120, both of which estimates took account of
proposed Rule 13n-6.\324\
[[Page 18137]]
Similarly, the SB SEF Proposing Release provided an aggregate initial
cost estimate of approximately $41,692,900 and an aggregate ongoing
annualized cost estimate of approximately $22,342,700 to be incurred by
prospective SB SEFs, both of which estimates took account of proposed
Rule 822.\325\
---------------------------------------------------------------------------
\324\ See SB SDR Proposing Release, supra note 297, at 77364. In
the SB SDR Proposing Release, the Commission estimated that the
paperwork burden associated with proposed Rule 13n-6 would come from
preparing and implementing policies associated with SB SDR duties,
data collection and maintenance, automated systems and direct
electronic access, and from preparing reports and reviews. See id.
at 77345-46. The Commission estimated that there would be up to 10
SB SDRs subject to the proposed SB SDR rules. See id. at 77355.
Based on the information in the SB SDR Proposing Release, the
Commission estimated that the aggregate burden on an estimated 10 SB
SDRs to prepare and implement the policies and procedures under Rule
13n-6 would be 2100 hours along with 500 hours of outside legal
services at $400 an hour, and that the aggregate annual burden on
such SB SDRs to maintain such policies would be an additional 600
hours. See id. at 77349. Based on the information in the SB SDR
Proposing Release, the Commission estimated that the annual
aggregate burden on SB SDRs to promptly notify the Commission and
submit a written description and analysis of outages and any
remedial measures would be 154 hours and the aggregate annual burden
on SB SDRs to notify the Commission of planned material system
changes would be 1200 hours. See id. at 77349-50. The Commission
estimated that the aggregate annual burden on SB SDRs to submit an
objective review would be 8250 hours and $900,000. See id. at 77350.
\325\ See SB SEF Proposing Release, supra note 297, at 11034. In
the SB SEF Proposing Release, the Commission estimated that the
paperwork burden associated with Rule 822 would come from rule
writing requirements under Rule 822(a)(1), and from reporting
requirements under Rules 822(a)(2), 822(a)(3), and 822(a)(4). See
id. at 11017-19. The Commission also estimated that there would be
up to 20 SB SEFs subject to the proposed SB SEF rules. See id. at
11023. Based on the information in the SB SEF Proposing Release, the
Commission estimated that the aggregate burden on an estimated 20 SB
SEFs to draft rules to implement Rule 822 would be 200 hours, see
id. at 11026, and that the aggregate annual burden on an estimated
20 SB SEFs to comply with the reporting requirements under Rule 822
would be 19,208 hours and $1,800,000. See id. at 11029.
---------------------------------------------------------------------------
If the Commission were to propose to apply Regulation SCI to SB
SDRs and/or SB SEFs, it preliminarily believes that the initial
potential costs of such application could differ from the costs to be
incurred by SCI entities that currently participate in the ARP
Inspection Program on a per entity basis, as described in Sections IV
and V below. This is because prospective SB SDRs and prospective SB
SEFs, unlike those entities, are not now subject to the ARP Inspection
Program and its standards.\326\ However, the Commission preliminarily
believes that the initial potential costs of such application to SB
SDRs and SB SEFs, on a per entity basis, could be equivalent to those
costs estimated below in Sections IV and V with respect to SCI entities
that currently do not participate in the ARP Inspection Program.
Further, as noted above, the SBS Releases have accounted for potential
costs to be incurred by SB SDRs and SB SEFs in implementing the
proposed system safeguard requirements in Rules 13n-6 and 822,
respectively, and, as discussed above, the requirements in proposed
Regulation SCI could be incremental to those already proposed in Rules
13n-6 and 822. The Commission therefore preliminarily believes that, if
it were to decide to propose to apply some or all of the requirements
of proposed Regulation SCI to SB SDRs and/or SB SEFs, the costs of
applying proposed Regulation SCI to SB SDRs and/or SB SEFs would be
incremental to the costs associated with proposed Rules 13n-6 and 822.
---------------------------------------------------------------------------
\326\ As stated in the SB SDR Proposing Release, ``[t]he
Commission believes that persons currently operating as SDRs may
have developed and implemented aspects of the proposed rules
already,'' and that ``the Commission does not believe that the one-
time cost of [enhancements to their information technology systems]
will be significant.'' See supra note 297, at 77358.
---------------------------------------------------------------------------
188. The Commission seeks commenters' views regarding the
prospective costs, as well as the potential benefits, of proposed
Regulation SCI to SB SDRs and/or SB SEFs. Commenters should quantify
the costs of applying proposed Regulation SCI to SB SDRs and/or SB
SEFs, to the extent possible. As noted above, commenters are urged to
address specifically each requirement of proposed Regulation SCI and
note whether it would be reasonable to propose to apply each such
requirement to SB SDRs and/or SB SEFs and what the benefits and costs
of such application would be.
4. Timing and Implementation Considerations
As noted above, the Commission has proposed rules providing a
regulatory framework for SB SDRs and SB SEFs, but has not yet adopted
final rules governing these entities. To date, the Commission has not
received any comments with respect to the timing of the implementation
of proposed Rule 13n-6 \327\ but has received one comment in connection
with the timing of the implementation of proposed Rule 822.\328\
---------------------------------------------------------------------------
\327\ The Commission, however, has received comments that
suggest a phase-in approach to the proposed SB SDR rules generally
may be appropriate. These comments generally indicate that a phase-
in approach would be necessary to enable existing swap data
repositories and other market participants to make the necessary
changes to their operations. See, e.g., Letter in response to a
joint public roundtable conducted by Commission and CFTC staff on
implementation issues raised by Title VII of the Dodd-Frank Act on
May 2 and 3, 2011, from The Financial Services Roundtable, available
on the Commission's Web site at: http://www.sec.gov/comments/4-625/4625-1.pdf (stating that ``it may be prudent to have different
portions of a single rulemaking proposal take effect at different
times and with due consideration of steps that are preconditions to
other steps,'' suggesting, as an example, that ``a requirement to
designate a CCO should be implemented quickly, but that the CCO be
given time to design, implement, and test the compliance system
before any requirement to certify as to the compliance system
becomes effective'' and supporting a phase-in approach ``that
recognizes the varying levels of sophistication, resources and scale
of operations within a particular category of market participant'').
\328\ See ISDA SIFMA SB SEF Letter at 12 (``Many of the proposed
rules will pose significant operational and administrative hurdles
for market participants and SB SEFs. For example, the proposed rules
have requirements for system safeguards that will require time and
systems expertise to implement fully. We strongly suggest that SB
SEFs be allowed to adopt the rules on a staged basis so that the
basic functioning of the SB SEF and the market can be established
before all requirements are imposed.''). As with the proposed SB SDR
rules, the Commission has received general comments suggesting that
a phase-in approach for all SB SEF Rules may be generally
appropriate. See, e.g., Thomson SB SEF Letter at 8 (stating that
``in order to ensure the proper operation of these markets, it may
be necessary for the SEC to adopt a phased-in approach and we would
urge avoiding over-hasty rulemaking which could result in unintended
consequences for the markets and the broader economy'').
---------------------------------------------------------------------------
Although the Commission has issued a policy statement regarding the
anticipated sequencing of the compliance dates of final rules to be
adopted by the Commission for certain provisions of Title VII of the
Dodd-Frank Act,\329\ the precise timing for adoption of or compliance
with any final rules relating to SB SDRs or SB SEFs, or for adoption of
or compliance with proposed Regulation SCI, is not known at this time.
In addition, as the Title VII Implementation Policy Statement notes,
any final rules for SB SDRs and SB SEFs potentially would be considered
by the Commission at different times.\330\ As such, the precise timing
and ordering of the implementation of any requirements of proposed
Regulation SCI, or of Rules 13n-6 and 822, for SB SDRs and/or SB SEFs is
difficult to predict, should the Commission determine to propose to
apply some or all of the requirements of proposed Regulation SCI to SB
SDRs and/or SB SEFs, or adopt Rules 13n-6 and 822 for SB SDRs and SB
SEFs, respectively.
---------------------------------------------------------------------------
\329\ See Securities Exchange Act Release No. 67177 (June 11,
2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on
the Sequencing of the Compliance Dates for Final Rules Applicable to
Security-Based Swaps Adopted Pursuant to the Securities Exchange Act
of 1934 and the Dodd-Frank Wall Street Reform and Consumer
Protection Act) (``Title VII Implementation Policy Statement'').
\330\ See id. at 35629 (noting that the rules pertaining to the
registration and regulation of SB SDRs are in the second category of
rules, whereas the rules pertaining to the registration and
regulation of SB SEFs are in the fifth category of rules).
---------------------------------------------------------------------------
189. Nonetheless, the Commission requests comment on what--if the
Commission were to propose to apply some or all of the requirements of
proposed Regulation SCI to SB SDRs and/or SB SEFs--would be the most
appropriate way to implement such requirements for SB SDRs and/or SB
SEFs. For example, should the Commission seek to implement such
requirements for SB SDRs and/or SB SEFs within the same timeframe as
those entities currently defined as SCI entities under the proposal?
Alternatively, should the applicability of some or all of Regulation
SCI to SB SDRs and/or SB SEFs be phased in over time? If so, what
provisions of proposed Regulation SCI should be phased in and
[[Page 18138]]
what would be an appropriate phase-in period? Should there be different
phase-in schedules for different SB SDRs and/or SB SEFs? Why or why
not? If yes, how would the SB SDRs and/or SB SEFs be selected for
different phase-in schedules? Please be specific.
190. Do commenters believe that, because the Commission's actions
to implement the regulatory framework for the SB swaps market are still
in progress, the Commission should not propose to apply the
requirements of Regulation SCI to SB SDRs and/or SB SEFs at the same
time as SCI entities, but instead should adopt the system safeguard
provisions of proposed Rules 13n-6 and 822 and reconsider such
requirements in the future after the SB swaps market and the
Commission's regulation of such market and its participants have
developed further? Why or why not? What would be the impact of this
approach for SB SDRs and/or SB SEFs?
191. As discussed in the SBS Releases,\331\ the system safeguards
requirements in proposed Rules 13n-6 and 822 have their origins in the
Commission's ARP standards. Though they differ in scope and detail, the
provisions of proposed Regulation SCI likewise trace their origin to
the Commission's ARP standards.\332\ If the Commission were to adopt
final rules for SB SDRs and/or SB SEFs before it were to adopt
Regulation SCI, and if the Commission were to decide to propose to
apply some or all of the requirements of proposed Regulation SCI to SB
SDRs and/or SB SEFs, should the Commission require SB SDRs and/or SB
SEFs to comply with the requirements of the system safeguards rules in
proposed Rules 13n-6 and 822 \333\ first, and apply the requirements of
Regulation SCI to SB SDRs and/or SB SEFs at a specific date in the
future? If the Commission were to adopt Rules 13n-6 and 822 prior to
adoption of proposed Regulation SCI, and if the Commission were to
decide to propose to apply some or all of the requirements of proposed
Regulation SCI to SB SDRs and/or SB SEFs, should the Commission delay
implementation of Rules 13n-6 and 822 and instead request that SB SDRs
and/or SB SEFs comply with the Commission's voluntary ARP Inspection
Program until such time as the Commission were to propose and adopt
Regulation SCI for SB SDRs and SB SEFs?
---------------------------------------------------------------------------
\331\ See supra note 299 and accompanying text.
\332\ See supra notes 310-312 and accompanying text.
\333\ See supra notes 298-302 and accompanying text.
---------------------------------------------------------------------------
G. Solicitation of Comment Regarding Potential Inclusion of
Broker-Dealers, Other than SCI ATSs, and Other Types of Entities
1. Policy Considerations
As discussed above, the requirements of proposed Regulation SCI
would apply to national securities exchanges, registered securities
associations, registered clearing agencies, the MSRB, SCI ATSs, plan
processors, and exempt clearing agencies subject to ARP. They would not
apply to other types of market participants, such as market makers or
other broker-dealers. This proposed scope of the definition of SCI
entity in part reflects the historical reach of the ARP policy
statements (which apply, for example, to national securities exchanges)
and existing Rule 301 of Regulation ATS (which applies systems
safeguard requirements to certain ATSs).
Recent events have highlighted the significance of systems
integrity of a broader set of market participants than those proposed
to be included within the definition of SCI entity.\334\ Also, some
broker-dealers have grown in size and importance to the market in
recent years. For example, many orders are internalized by OTC market
makers, one subset of broker-dealers, who handle a large portion of
order flow in the market.\335\ The Commission recognizes that systems
disruptions, systems compliance issues, and systems intrusions at
broker-dealers, including for example OTC market makers and clearing
broker-dealers, could pose a significant risk to the market. Such an
occurrence could impact all orders being handled by a broker-dealer,
which can be significant for larger broker-dealers. If a given broker-
dealer handles a large portion of order flow and suddenly experiences a
systems disruption or systems intrusion, the disruption or intrusion
could cause ripple effects. For example, a systems issue at one broker-
dealer could result in confusion about whether orders are handled
correctly or whether the systems issue at the broker-dealer could have
caused capacity issues elsewhere.\336\
---------------------------------------------------------------------------
\334\ For example, on August 1, 2012, Knight Capital Group, Inc.
(``Knight'') reported that it ``experienced a technology issue at
the opening of trading at the NYSE * * * [which was] related to
Knight's installation of trading software and resulted in Knight
sending numerous erroneous orders in NYSE-listed securities into the
market * * *. Knight has traded out of its entire erroneous trade
position, which has resulted in a realized pre-tax loss of
approximately $440 million.'' See Knight Capital Group Provides
Update Regarding August 1st Disruption To Routing In NYSE-listed
Securities (August 2, 2012), available at: http://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599.
Among other things, Knight provides market making services in
U.S. equities and U.S. options; institutional sales and trading
services; electronic execution services; and corporate and other
services. See Knight Operating Subsidiaries, available at: http://www.knight.com/ourFirm/operatingSubsidiaries.asp. Knight also
operates two registered ATSs, Knight Match and Knight Bond Point.
See Knight Match, available at: http://www.knight.com/electronicExecutionServices/knightMatch.asp; Knight BondPoint,
available at: http://www.knight.com/electronicExecutionServices/knightBondpoint.asp; and Alternative Trading Systems Active Filers
as of April 30, 2012, available at: http://www.sec.gov/foia/ats/atslist0412.pdf.
\335\ See Concept Release on Equity Market Structure, supra note
42, at 3600 (stating: ``OTC market makers, for example, appear to
handle a very large percentage of marketable (immediately
executable) order flow of individual investors that is routed by
retail brokerage firms. A review of the order routing disclosures
required by Rule 606 of Regulation NMS of eight broker-dealers with
significant retail customer accounts reveals that nearly 100% of
their customer market orders are routed to OTC market makers.'')
\336\ For example, if an e-market-maker handling 20 percent of
message traffic experiences a systems issue, the order flow could be
diverted elsewhere, including to entities that are unable to handle
the increase in message traffic, resulting in a disruption to that
entity's systems as well. Similarly, a broker-dealer accidentally
could run a test during live trading and flood markets with message
traffic such that those markets hit their capacity limits, resulting
in a disruption.
---------------------------------------------------------------------------
The Commission is not at this time proposing to include some
classes of registered broker-dealers (other than SCI ATSs) in the
definition of SCI entity. Were the Commission to decide to propose to
apply the requirements of proposed Regulation SCI to such entities, the
Commission would issue a separate release discussing such a proposal.
Rule 15c3-5, requiring brokers or dealers with market access to
implement risk management controls and supervisory procedures to limit
risk, already seeks to address certain risks posed to the markets by
broker-dealer systems. Specifically, in 2010 when the Commission
adopted Rule 15c3-5 regarding risk management controls and supervisory
procedures for brokers or dealers with market access,\337\ the
Commission stated that
[[Page 18139]]
``broker-dealers, as the entities through which access to markets is
obtained, should implement effective controls reasonably designed to
prevent errors or other inappropriate conduct from potentially causing
a significant disruption to the markets'' and that ``risk management
controls and supervisory procedures that are not applied on a pre-trade
basis or that, with certain limited exceptions, are not under the
exclusive control of the broker-dealer, are inadequate to effectively
address the risks of market access arrangements, and pose a
particularly significant vulnerability in the U.S. national market
system.'' \338\
---------------------------------------------------------------------------
\337\ See Securities Exchange Act Release No. 63241 (November 3,
2010), 75 FR 69792 (November 15, 2010) (``Market Access Release'').
Rule 15c3-5(a)(1) defines ``market access'' to mean: (i) access to
trading in securities on an exchange or ATS as a result of being a
member or subscriber of the exchange or ATS, respectively; or (ii)
access to trading in securities on an ATS provided by a broker-
dealer operator of an ATS to a non-broker-dealer. See 17 CFR
240.15c3-5(a)(1). In adopting Rule 15c3-5(a)(1), the Commission
stated that ``the risks associated with market access * * * are
present whenever a broker-dealer trades as a member of an exchange
or subscriber to an ATS, whether for its own proprietary account or
as agent for its customers, including traditional agency brokerage
and through direct market access or sponsored access arrangements.''
See Market Access Release at 69798. As such, the Commission stated
that ``to effectively address these risks, Rule 15c3-5 must apply
broadly to all access to trading on an Exchange or ATS.'' See id.
\338\ Id. at 69794.
---------------------------------------------------------------------------
Pursuant to Rule 15c3-5, a broker or dealer with market access, or
that provides a customer or any other person with access to an exchange
or ATS through use of its market participant identifier or otherwise,
must establish, document, and maintain a system of risk management
controls and supervisory procedures reasonably designed to manage the
financial, regulatory, and other risks of this business activity.\339\
Rule 15c3-5 also specifies the baseline standards for financial and
regulatory risk management controls and supervisory procedures.\340\
The financial risk management controls and supervisory procedures must
be reasonably designed to systematically limit the financial exposure
of the broker or dealer that could arise as a result of market
access.\341\ The regulatory risk management controls and supervisory
procedures must be reasonably designed to ensure compliance with all
regulatory requirements.\342\
---------------------------------------------------------------------------
\339\ See 17 CFR 240.15c3-5(b). Certain broker-dealers are
exempt from some of the requirements under Rule 15c3-5. See id.
\340\ See 17 CFR 240.15c3-5(c).
\341\ See 17 CFR 240.15c3-5(c)(1). Such financial risk
management controls and supervisory procedures must be reasonably
designed to: (i) Prevent the entry of orders that exceed appropriate
pre-set credit or capital thresholds in the aggregate for each
customer and the broker or dealer, and where appropriate, more
finely-tuned by sector, security or otherwise by rejecting orders if
such orders would exceed the applicable credit or capital
thresholds; and (ii) prevent the entry of erroneous orders, by
rejecting orders that exceed appropriate price or size parameters,
on an order-by-order basis or over a short period of time, or that
indicate duplicative orders. See 17 CFR 240.15c3-5(c)(1).
\342\ See 17 CFR 240.15c3-5(c)(2). Such regulatory risk
management controls and supervisory procedures must be reasonably
designed to: (i) Prevent the entry of orders unless there has been
compliance with all regulatory requirements that must be satisfied
on a pre-order entry basis; (ii) prevent the entry of orders for
securities for a broker or dealer, customer, or other person if such
person is restricted from trading those securities; (iii) restrict
access to trading systems and technology that provide market access
to persons and accounts pre-approved and authorized by the broker or
dealer; and (iv) assure that appropriate surveillance personnel
receive immediate post-trade execution reports that result from
market access. See 17 CFR 240.15c3-5(c)(2).
---------------------------------------------------------------------------
Under the approach set out by Rule 15c3-5, broker-dealers with
market access are responsible in the first instance for establishing
and maintaining appropriate risk management controls, including with
respect to their systems. Although Rule 15c3-5 takes a different and
more limited approach with broker-dealers than proposed Regulation SCI
does with SCI entities, the requirements in Rule 15c3-5 are designed to
address some of the same concerns regarding systems integrity discussed
in this proposal. As an example of reasonable risk control under Rule
15c3-5, the Commission stated, ``a system-driven, pre-trade control
designed to reject orders that are not reasonably related to the quoted
price of the security would prevent erroneously entered orders from
reaching the securities markets, * * * should lead to fewer broken
trades and thereby enhance the integrity of trading on the securities
markets.'' \343\
---------------------------------------------------------------------------
\343\ See Market Access Release, supra note 337, at 69794.
---------------------------------------------------------------------------
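As an added illustration (not text from the release and not any broker-dealer's system) of the system-driven, pre-trade controls described in footnote 341 and in the Market Access Release quotation above, the following constructed Python gate rejects orders that would breach a per-account credit threshold, fall outside a price band around the quote, exceed a size cap, duplicate a recent order, or involve a restricted security or an account that is not pre-approved. All limits, accounts, symbols, quotes and timestamps are made-up sample values.

```python
# Pre-trade risk gate modelled on the Rule 15c3-5(c) controls discussed above.
# Constructed illustration, not the Commission's or any broker-dealer's code;
# every limit, account, symbol and quote below is a made-up sample value.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int
    price: float   # limit price
    ts: float      # submission time in seconds on a constructed clock


@dataclass(frozen=True)
class Limits:
    credit_limit: float   # max aggregate gross notional accepted per account
    max_order_qty: int    # per-order size cap
    price_band: float     # max fractional distance from the quoted mid-price
    dup_window: float     # seconds within which an identical order is a duplicate


class PreTradeRiskGate:
    # Checks map to the controls named in the text: (c)(1)(i) credit threshold,
    # (c)(1)(ii) price/size/duplicates, (c)(2)(ii) restricted, (c)(2)(iii) access.
    def __init__(self, limits, authorized_accounts, restricted_symbols=()):
        self.limits = limits
        self.authorized = set(authorized_accounts)
        self.restricted = set(restricted_symbols)
        self.quotes = {}        # symbol -> (bid, ask)
        self.exposure = {}      # account -> gross notional of accepted orders
        self.recent = deque()   # (ts, fingerprint) of recently accepted orders

    def set_quote(self, symbol, bid, ask):
        self.quotes[symbol] = (bid, ask)

    @staticmethod
    def _fingerprint(order):
        return (order.account, order.symbol, order.side, order.qty, order.price)

    def _expire(self, now):
        # Forget accepted orders older than the duplicate-detection window.
        while self.recent and now - self.recent[0][0] > self.limits.dup_window:
            self.recent.popleft()

    def check(self, order):
        """Return the rejection reasons for an order (empty list: it passes)."""
        reasons = []
        if order.account not in self.authorized:
            reasons.append("UNAUTHORIZED_ACCOUNT")
        if order.symbol in self.restricted:
            reasons.append("RESTRICTED_SECURITY")
        if order.qty <= 0 or order.qty > self.limits.max_order_qty:
            reasons.append("SIZE_LIMIT")
        quote = self.quotes.get(order.symbol)
        if quote is None:
            reasons.append("NO_QUOTE")   # fail closed: no reference price, no order
        else:
            mid = (quote[0] + quote[1]) / 2
            if abs(order.price - mid) / mid > self.limits.price_band:
                reasons.append("PRICE_BAND")
        if self.exposure.get(order.account, 0.0) + order.qty * order.price > self.limits.credit_limit:
            reasons.append("CREDIT_LIMIT")
        self._expire(order.ts)
        if any(fp == self._fingerprint(order) for _, fp in self.recent):
            reasons.append("DUPLICATE")
        return reasons

    def submit(self, order):
        """Check the order; on acceptance, record its exposure and fingerprint."""
        reasons = self.check(order)
        if reasons:
            return False, reasons
        self.exposure[order.account] = self.exposure.get(order.account, 0.0) + order.qty * order.price
        self.recent.append((order.ts, self._fingerprint(order)))
        return True, []


def run_demo():
    """Push a constructed order stream through the gate; returns id -> outcome."""
    gate = PreTradeRiskGate(
        Limits(credit_limit=1_000_000.0, max_order_qty=10_000, price_band=0.05, dup_window=2.0),
        authorized_accounts={"ACCT-1", "ACCT-2"}, restricted_symbols={"RSTR"})
    gate.set_quote("ABC", bid=99.9, ask=100.1)                   # mid-price 100.0
    stream = [
        Order("o1", "ACCT-1", "ABC", "BUY", 1000, 100.5, 0.0),   # accepted
        Order("o2", "ACCT-1", "ABC", "BUY", 1000, 100.5, 1.0),   # duplicate of o1
        Order("o3", "ACCT-1", "ABC", "BUY", 500, 150.0, 1.5),    # 50% away from the quote
        Order("o4", "ACCT-1", "ABC", "BUY", 20000, 100.0, 2.0),  # too big, breaches credit
        Order("o5", "ACCT-9", "ABC", "BUY", 10, 100.0, 2.5),     # account not pre-approved
        Order("o6", "ACCT-2", "RSTR", "BUY", 10, 100.0, 3.0),    # restricted and unquoted
        Order("o7", "ACCT-1", "ABC", "BUY", 1000, 100.5, 5.0),   # o1 again, window expired
        Order("o8", "ACCT-1", "ABC", "BUY", 9000, 100.0, 6.0),   # cumulative credit breach
    ]
    return {o.order_id: gate.submit(o) for o in stream}
```

Every rejection carries all the reasons that applied, so the same log record can feed both the surveillance desk and a post-incident review of why a control fired.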
In light of recent events, however, the Commission believes that it
is appropriate to consider whether some types or categories of broker-
dealers other than SCI ATSs should also be subject to some or all of
the additional system safeguard rules that are proposed for SCI
entities. Such broker-dealers could include, for example, OTC market
makers (either all or those that execute a significant volume of
orders), exchange market makers (either all or those that trade a
significant volume on exchanges), order entry firms that handle and
route order flow for execution (either all or those that handle a
significant volume of investor orders), clearing broker-dealers (either
all or those that engage in a significant amount of clearing
activities), and large multi-service broker-dealers that engage in a
variety of order handling, trading, and clearing activities.
2. Request for Comment
192. As noted above, at this time, the Commission is not proposing
to apply Regulation SCI to broker-dealers other than SCI ATSs or to
other types of entities that are not covered by the definition of SCI
entity. Were the Commission to decide to propose to apply the
requirements of Regulation SCI to such entities, the Commission would
issue a separate release discussing such a proposal. Nevertheless, the
Commission is soliciting comment generally on whether it should apply
the requirements of proposed Regulation SCI, in whole or in part, to
such entities. Specifically:
193. What are the current practices of broker-dealers in relation
to the requirements of proposed Regulation SCI? \344\ Would the current
practices of broker-dealers that provide market access and comply with
Rule 15c3-5 change if they were also subject to proposed Regulation
SCI? Why or why not? If so, how? Are there broker-dealers who do not
provide the services that would require compliance with Rule 15c3-5? If
so, how do the practices of those broker-dealers compare to the
requirements of proposed Regulation SCI?
---------------------------------------------------------------------------
\344\ As noted above, one ATS currently voluntarily participates
in the ARP Inspection Program. See supra note 91.
---------------------------------------------------------------------------
194. In Section VI.B.2 below, the Commission discusses potential
market failures that may explain why market solutions cannot solve the
problems that proposed Regulation SCI is intended to address. Does the
market for broker-dealer services, including client services, market
maker services, or market access services, suffer from market failures
that limit the ability of the market to solve the issues that proposed
Regulation SCI is intended to address? For example, are broker-dealers'
clients able to easily switch broker-dealers, and how often do clients
use more than one broker-dealer simultaneously (e.g., for redundancy in
case of a problem at a given broker-dealer)? Are broker-dealers subject
to more market discipline than SCI entities? Please explain.
Conversely, does a lack of transparency regarding events like SCI
events limit this market discipline? Why or why not?
195. Given the stated goals and purpose of proposed Regulation SCI
and its various provisions,\345\ what are commenters' views on whether
the scope of the proposed rules should be expanded to cover broker-
dealers, or certain categories of broker-dealers? For example, what are
commenters' views on the impact to overall market integrity or the
protection of investors if an OTC market maker was no longer able to
operate due to a systems disruption, systems compliance issue, or a
systems intrusion? Or an exchange market maker? Or a clearing broker-
dealer? What are commenters' views on the
[[Page 18140]]
importance of different categories of broker-dealers to the stability
of the overall securities market infrastructure, in the context of
requiring them to comply with the proposed rules, in light of the
stated goals and purpose of Regulation SCI? What risks do the systems
of broker-dealers pose on the securities markets?
---------------------------------------------------------------------------
\345\ See supra Section III.
---------------------------------------------------------------------------
196. If the Commission were to subsequently propose to apply some
or all of the requirements of proposed Regulation SCI to some types or
categories of broker-dealers (in addition to SCI ATSs), what types of
broker-dealers should the requirements apply to and why? Are there
distinctions that should be made between different types of broker-
dealers (e.g., OTC market makers, exchange market makers, order entry
firms, clearing broker-dealers, and multi-service broker-dealers) for
this purpose? If so, what are those distinctions and which requirements
should apply?
197. The Commission notes that Roundtable panelists generally did
not distinguish between national securities exchanges, ATSs, and
different types of broker-dealers when addressing how to improve error
prevention and error response strategies. Rather, Roundtable panelists
and commenters referred more generally to ``entities with market
access'' and/or ``execution venues.'' \346\ In this regard, should the
Commission consider expanding the application of Regulation SCI to all
market centers, as that term is defined in Rule 600(b)(38) of
Regulation NMS,\347\ which means any exchange market maker, OTC market
maker, ATS, national securities exchange, or national securities
association? \348\ Why or why not? Would an expansion of proposed
Regulation SCI to include all market centers (i.e., execution venues)
inappropriately exclude the broader category of entities having market
access? Why or why not? Alternatively, should the Commission consider
applying the requirements of proposed Regulation SCI to (a) any
registered market maker or (b) any broker-dealer that offers market
access that, in either case, with respect to any NMS stock, has a
specified percentage of average daily dollar volume? If so, what should
such a percentage be? Would the levels applicable to SCI ATSs that
trade NMS stocks under proposed Rule 1000(a) of Regulation SCI be
appropriate for registered market makers, broker-dealers that offer
market access, or other broker-dealers? Why or why not? If not, what
should such a threshold be?
---------------------------------------------------------------------------
\346\ See, e.g., letter from Better Markets, supra note 74,
arguing that regulators should encourage firms to adopt more robust
software development practices and audit any firm with direct market
access or require third-party certification and mandate minimum
requirements for testing any application that has direct market
access. In addition, the panelist from NYSE stated that common
standards for technology deployment should apply across all
execution venues.
\347\ 17 CFR 242.600(b)(38).
\348\ Rule 600(b)(24) defines exchange market maker to mean any
member of a national securities exchange that is registered as a
specialist or market maker pursuant to the rules of such exchange,
and Rule 600(b)(52) defines OTC market maker to mean any dealer that
holds itself out as being willing to buy from and sell to its
customers, or others, in the U.S., an NMS stock for its own account
on a regular or continuous basis otherwise than on a national
securities exchange in amounts of less than block size. See 17 CFR
242.600(b)(24) and 17 CFR 242.600(b)(52).
---------------------------------------------------------------------------
198. If the Commission were to propose to expand the scope of
proposed Regulation SCI to a subset of broker-dealers, what are
commenters' views on whether, and if so, how, the various different
proposed requirements of Regulation SCI should or should not apply to
such entities?
199. If the Commission were to propose to expand the scope of
proposed Regulation SCI to include a subset of broker-dealers, should
the Commission require such broker-dealers to have written policies and
procedures reasonably designed to ensure that their systems have levels
of capacity, integrity, resiliency, availability, and security adequate
to maintain their operational capability, and promote the maintenance
of fair and orderly markets, as proposed in Rule 1000(b)(1) for SCI
entities? Why or why not? Should SCI industry standards for broker-
dealers be different from those proposed for SCI entities? If so, what
are the standards that should apply to broker-dealers? Please be as
specific as possible and explain why a particular standard would be
appropriate.
200. Should the Commission require such broker-dealers to
establish, maintain, and enforce policies and procedures reasonably
designed to ensure that their systems operate in the manner intended,
including in a manner that complies with federal securities laws and
rules and regulations thereunder, as proposed in Rule 1000(b)(2)(i) for
SCI entities? Why or why not? Should the Commission establish a safe
harbor from liability for such broker-dealers and their respective
employees if they satisfy the elements of a safe harbor, similar to
those in proposed Rules 1000(b)(2)(ii) and (iii) for SCI entities and
their employees? Why or why not?
201. Should the Commission require such broker-dealers, upon any of
their responsible SCI personnel becoming aware of an SCI event, to
begin to take appropriate corrective action including, at a minimum,
mitigating potential harm to investors and market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable, as proposed in Rule 1000(b)(3)
for SCI entities? Why or why not? Should such broker-dealers'
corrective action be triggered by something other than awareness of an
SCI event? If so, what would be an appropriate trigger?
202. With regard to the reporting and information dissemination
requirements for SCI entities in proposed Rules 1000(b)(4) and
1000(b)(5), would it be appropriate to require such broker-dealers to
report all SCI events to the Commission, and disclose dissemination SCI
events to their customers?
203. Should such broker-dealers be required to notify the
Commission of material systems changes, as proposed in Rule 1000(b)(6)
for SCI entities? Why or why not?
204. Should such broker-dealers be required to undertake an annual
SCI review of their systems, as proposed in Rule 1000(b)(7) for SCI
entities? Should such broker-dealers also be required to provide the
Commission with reports regarding the SCI review and material systems
changes, as proposed in Rule 1000(b)(8) for SCI entities? Why or why
not?
205. Should such broker-dealers be required to submit any required
notices, reports, and other information to the Commission on proposed
new Form SCI? Why or why not?
206. Alternatively, should the Commission propose to require that
each SCI SRO establish rules requiring that its members adopt written
policies and procedures reasonably designed to ensure that their
systems have levels of capacity, integrity, resiliency, availability,
and security adequate to maintain their operational capability, and
promote the maintenance of fair and orderly markets? Why or why not?
Similarly, should the Commission propose to require that each SCI SRO
establish rules requiring that its members adopt written policies and
procedures reasonably designed to ensure that the systems of such
members operate in the manner intended, including in a manner that
complies with applicable federal securities laws and rules and
regulations thereunder and the SCI SRO's rules? Why or why not? In
either case, would such a proposal raise any competitive issues, such
as between
[[Page 18141]]
national securities exchanges and ATSs? \349\
---------------------------------------------------------------------------
\349\ The Commission notes that all broker-dealers are members
of one or more SCI SROs (such as FINRA and/or a national securities
exchange), while participants on ATSs may include non-broker-dealer
market participants.
---------------------------------------------------------------------------
207. In addition, should the Commission consider including other
entities in the definition of SCI entity (e.g., transfer agents), thus
subjecting them to some or all of the requirements under proposed
Regulation SCI? If yes, to which entities should some or all of
proposed Regulation SCI apply and why? If not, why not? If commenters
believe other types of entities should be included in the definition of
SCI entity, should the Commission include all entities of a given type
in the definition? Why or why not? If not, how should the Commission
distinguish those entities that should be included (e.g., size, volume,
types of services performed, etc.)? Please describe and be as specific
as possible.
208. If the Commission were to subsequently propose and adopt a
rule applying Regulation SCI to all or certain categories of broker-
dealers or other entities, what are commenters' views as to the type
and scale of the costs of such application? Please explain. In
addition, what are commenters' views as to the potential impact on
efficiency, competition, and capital formation of such application?
Please explain.
IV. Paperwork Reduction Act
Certain provisions of the proposal contain ``collection of
information'' requirements within the meaning of the Paperwork
Reduction Act of 1995 (``PRA'') \350\ and the Commission will submit
them to the Office of Management and Budget (``OMB'') for review in
accordance with 44 U.S.C. 3507 and 5 CFR 1320.11. The title of the new
collection of information is Regulation Systems Compliance and
Integrity. An agency may not conduct or sponsor, and a person is not
required to respond to, a collection of information unless it displays
a currently valid OMB control number.
---------------------------------------------------------------------------
\350\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
A. Summary of Collection of Information
Proposed Regulation SCI would include four categories of
obligations that would require a collection of information within the
meaning of the PRA. Specifically, an SCI entity would be required to:
(1) Establish specified written policies and procedures, and mandate
participation by designated members or participants in certain testing
of the SCI entity's business continuity and disaster recovery plans;
(2) provide certain notifications, disseminate certain information, and
create reports; (3) take corrective actions, identify certain SCI
events for which immediate Commission notification is required, and
identify dissemination SCI events; and (4) comply with recordkeeping
and access requirements relating to its compliance with proposed
Regulation SCI.
1. Requirements To Establish Written Policies and Procedures and
Mandate Participation in Certain Testing
Proposed Rules 1000(b)(1) and (b)(2) would require SCI entities to
establish policies and procedures with respect to various matters.
Proposed Rule 1000(b)(1) would require each SCI entity to establish,
maintain, and enforce written policies and procedures reasonably
designed to ensure that its SCI systems and, for purposes of security
standards, SCI security systems, have levels of capacity, integrity,
resiliency, availability, and security, adequate to maintain the SCI
entity's operational capability and promote the maintenance of fair and
orderly markets. Proposed Rule 1000(b)(1)(i) specifies that such
policies and procedures would be required to include, at a minimum: (A)
The establishment of reasonable current and future capacity planning
estimates; (B) periodic capacity stress tests of such systems to
determine their ability to process transactions in an accurate, timely,
and efficient manner; (C) a program to review and keep current systems
development and testing methodology for such systems; (D) regular
reviews and testing of such systems, including backup systems, to
identify vulnerabilities pertaining to internal and external threats,
physical hazards, and natural or manmade disasters; (E) business
continuity and disaster recovery plans that include maintaining backup
and recovery capabilities sufficiently resilient and geographically
diverse to ensure next business day resumption of trading and two-hour
resumption of clearance and settlement services following a wide-scale
disruption; and (F) standards that result in such systems being
designed, developed, tested, maintained, operated, and surveilled in a
manner that facilitates the successful collection, processing, and
dissemination of market data. Proposed Rule 1000(b)(1)(ii) states that
such policies and procedures would be deemed to be reasonably designed
if they are consistent with current SCI industry standards, which would
be required to be: (A) Comprised of information technology practices
that are widely available for free to information technology
professionals in the financial sector; and (B) issued by an
authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely
recognized organization. The proposed SCI industry standards contained
in the publications identified on Table A are intended to serve as
standards that SCI entities could use, if they so choose, to comply
with the requirements of proposed Rule 1000(b)(1), though compliance
with such SCI industry standards would not be the exclusive means to
comply with the requirements of proposed Rule 1000(b)(1).
Proposed Rule 1000(b)(2)(i) would require each SCI entity to
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems operate in the
manner intended, including in a manner that complies with the federal
securities laws and rules and regulations thereunder and the entity's
rules and governing documents, as applicable. An SCI entity would be
deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) It has
established and maintained policies and procedures reasonably designed
to provide for: (1) testing of all such systems and any changes to such
systems prior to implementation; (2) periodic testing of all such
systems and any changes to such systems after their implementation; (3)
a system of internal controls over changes to such systems; (4) ongoing
monitoring of the functionality of such systems to detect whether they
are operating in the manner intended; (5) assessments of SCI systems
compliance performed by personnel familiar with applicable federal
securities laws and rules and regulations thereunder and the SCI
entity's rules and governing documents, as applicable; and (6) review
by regulatory personnel of SCI systems design, changes, testing, and
controls to prevent, detect, and address actions that do not comply
with applicable federal securities laws and rules and regulations
thereunder and the SCI entity's rules and governing documents, as
applicable; (B) the SCI entity has established and maintained a system
for applying such policies and procedures which would reasonably be
expected to prevent and detect, insofar as practicable, any violation
of such policies and procedures by the SCI entity or any person
employed by the SCI entity; and (C) the SCI entity: has reasonably
discharged the duties and obligations incumbent upon it by such
[[Page 18142]]
policies and procedures; and was without reasonable cause to believe
that such policies and procedures were not being complied with in any
material respect. Further, pursuant to proposed Rule 1000(b)(2)(iii), a
person employed by an SCI entity would be deemed not to have aided,
abetted, counseled, commanded, caused, induced, or procured the
violation by any other person of proposed Rule 1000(b)(2)(i) if the
person employed by the SCI entity: (A) Has reasonably discharged the
duties and obligations incumbent upon such person by such policies and
procedures; and (B) was without reasonable cause to believe that such
policies and procedures were not being complied with in any material
respect.
Proposed Rule 1000(b)(9)(i) would require an SCI entity, with
respect to its business continuity and disaster recovery plans,
including its backup systems, to require participation by designated
members or participants in scheduled functional and performance testing
of the operation of such plans in the manner and frequency as specified
by the SCI entity, at least once every 12 months (e.g., for SCI SROs,
by submitting proposed rule changes under Section 19(b) of the Exchange
Act; for SCI ATSs, by revising membership or subscriber agreements and
internal procedures; for plan processors, through an amendment to an
SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing
agencies subject to ARP, by revising participant agreements and
internal procedures). Proposed Rule 1000(b)(9)(ii) would further
require an SCI entity to coordinate such required testing on an
industry- or sector-wide basis with other SCI entities. Proposed Rule
1000(b)(9)(iii) would require an SCI entity to designate members or
participants it deems necessary, for the maintenance of fair and
orderly markets in the event of the activation of its business
continuity and disaster recovery plans, to participate in the testing
of such plans. It would also require the SCI entity to notify and
update the Commission of its designations and standards for
designation, and promptly update such notification after any changes to
its designations or standards.
2. Notice, Dissemination, and Reporting Requirements for SCI Entities
A number of proposed rules under Regulation SCI would require SCI
entities to notify or report information to the Commission, or
disseminate information to their members or participants. Proposed
Rules 1000(b)(4), (b)(5), (b)(6), (b)(7), and (b)(8) each contain a
notification, dissemination, or reporting requirement.
Proposed Rule 1000(b)(4) would require notice of SCI events to the
Commission. Proposed Rule 1000(b)(4)(i) would require an SCI entity to
notify the Commission upon any responsible SCI personnel becoming aware
of a systems disruption that the SCI entity reasonably estimates would
have a material impact on its operations or on market participants, any
systems compliance issue, or any systems intrusion.
Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24
hours of any responsible SCI personnel becoming aware of any SCI event,
to submit a written notification to the Commission on Form SCI
pertaining to such SCI event.\351\ Proposed Rule 1000(b)(4)(iv)(A)
would specify that, for a notification made pursuant to proposed Rule
1000(b)(4)(ii), an SCI entity must include all pertinent information
known about the SCI event, including: a detailed description of the SCI
event; the SCI entity's current assessment of the types and number of
market participants potentially affected by the SCI event; the
potential impact of the SCI event on the market; and the SCI entity's
current assessment of the SCI event, including a discussion of the
determination of whether the SCI event is a dissemination SCI event or
not. In addition, to the extent available as of the time of the initial
notification, the notification would be required to include: a
description of the steps the SCI entity is taking, or plans to take,
with respect to the SCI event; the time the SCI event was resolved or
timeframe within which the SCI event is expected to be resolved; a
description of the SCI entity's rule(s) and/or governing document(s),
as applicable, that relate to the SCI event; and an analysis of the
parties that may have experienced a loss, whether monetary or
otherwise, due to the SCI event, the number of such parties, and an
estimate of the aggregate amount of such loss. Further, for a written
notification to the Commission of an SCI event under proposed Rule
1000(b)(4)(ii), an SCI entity would be required to attach a copy of any
information disseminated to date regarding the SCI event to its members
or participants or on the SCI entity's publicly available Web site.
---------------------------------------------------------------------------
\351\ For a written notification to the Commission of an SCI
event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI
would require that an SCI entity indicate that the filing is being
made pursuant to Rule 1000(b)(4)(ii) and provide the following
information in a short, standardized format: (i) Whether the filing
is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update
of an SCI event; (ii) the SCI event type(s) (i.e., systems
compliance issue, systems intrusion, and/or systems disruption);
(iii) whether the event is a systems disruption that the SCI entity
reasonably estimates would have a material impact on its operations
or on market participants; (iv) if so, whether the Commission has
been notified of the SCI event; (v) whether the SCI event has been
resolved; (vi) the date/time the SCI event started; (vii) the
duration of the SCI event; (viii) the date and time when responsible
SCI personnel became aware of the SCI event; (ix) the estimated
number of market participants impacted by the SCI event; (x) the
type(s) of systems impacted; and (xi) if applicable, the type of
systems disruption.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit
written updates on Form SCI pertaining to an SCI event to the
Commission on a regular basis, or at such frequency as reasonably
requested by a representative of the Commission, until such time as the
SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(B) specifies that,
for a notification made pursuant to proposed Rule 1000(b)(4)(iii), the
SCI entity would be required to update any information previously
provided regarding an SCI event, including any information under
proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time
of submission of a notification under proposed Rule 1000(b)(4)(ii).
Further, for a written notification to the Commission of an SCI event
under proposed Rule 1000(b)(4)(iii), an SCI entity would be required to
attach a copy of any information disseminated to date regarding the SCI
event to its members or participants or on the SCI entity's publicly
available Web site.
Proposed Rule 1000(b)(5) would require dissemination to members or
participants of dissemination SCI events and specify the nature and
timing of such required dissemination, with limited exceptions for
dissemination SCI events that are systems intrusions, as discussed
further below.\352\ Proposed Rule 1000(b)(5)(i)(A) would require that
an SCI entity, promptly after any responsible SCI personnel becomes
aware of a dissemination SCI event, disseminate to its members or
participants the following information about such SCI event: (1) The
systems affected by the SCI event; and (2) a summary description of the
SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an
SCI entity to, when known, further disseminate to its members or
participants: (1) a detailed description of the SCI event; (2) the SCI
entity's
[[Page 18143]]
current assessment of the types and number of market participants
potentially affected by the SCI event; and (3) a description of the
progress of its corrective action for the SCI event and when the SCI
event has been or is expected to be resolved. Proposed Rule
1000(b)(5)(i)(C) would further require that an SCI entity provide
regular updates to members or participants on any of the information
required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and
(i)(B).
---------------------------------------------------------------------------
\352\ As discussed above, the Commission proposes that the term
``dissemination SCI event'' be defined as ``an SCI event that is a:
(1) Systems compliance issue; (2) systems intrusion; or (3) systems
disruption that results, or the SCI entity reasonably estimates
would result, in significant harm or loss to market participants.''
See supra Section III.B.4.d.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5)(ii) would provide a limited exception to
the proposed requirement of prompt dissemination to members or
participants of information regarding dissemination SCI events for
systems intrusion. Proposed Rule 1000(b)(5)(ii) would require an SCI
entity, promptly after any responsible SCI personnel becomes aware of a
systems intrusion, to disseminate to its members or participants a
summary description of the systems intrusion, including a description
of the corrective action taken by the SCI entity and when the systems
intrusion has been or is expected to be resolved, unless the SCI entity
determines that dissemination of such information would likely
compromise the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion, and documents
the reasons for such determination.
Proposed Rule 1000(b)(6) would require an SCI entity, absent
exigent circumstances, to notify the Commission on Form SCI at least 30
calendar days before implementation of any planned material systems
change, including a description of the planned material systems change
as well as the expected dates of commencement and completion of
implementation of such change. If exigent circumstances exist, or if
the information previously provided to the Commission regarding any
material systems change has become materially inaccurate, an SCI entity
would instead be required to notify the Commission, either orally or in
writing on Form SCI, with any oral notification to be memorialized
within 24 hours after such oral notification by a written notification,
as early as reasonably practicable.\353\
---------------------------------------------------------------------------
\353\ Form SCI would require an SCI entity to provide the date
of the planned change. The SCI entity must also specify whether
exigent circumstances exist, or if the information previously
provided to the Commission regarding any material systems change has
become materially inaccurate, and if so, whether the Commission has
been orally notified. Further, the notification must include an
Exhibit 4.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(7) would require an SCI entity to conduct an
SCI review of the entity's compliance with Regulation SCI not less than
once each calendar year, and to submit a report of the SCI review to
senior management of the SCI entity for review no more than 30 calendar
days after completion of such SCI review.
Proposed Rule 1000(b)(8) contains two reporting requirements.
Specifically, proposed Rule 1000(b)(8) would require an SCI entity to
submit as an attachment to Form SCI: (i) A report of the SCI review
required by proposed Rule 1000(b)(7), together with any response by
senior management, within 60 calendar days after its submission to
senior management of the SCI entity; \354\ and (ii) a report within 30
calendar days after the end of June and December of each year,
containing a summary description of the progress of any material
systems change during the six-month period ending on June 30 or
December 31, as the case may be, and the date or expected date of
completion of implementation of such change.\355\
---------------------------------------------------------------------------
\354\ This report would be required to be submitted as Exhibit 5
to Form SCI.
\355\ This report would be required to be submitted as Exhibit 6
to Form SCI.
---------------------------------------------------------------------------
3. Requirements To Take Corrective Actions, Identify Immediate
Notification SCI Events, and Identify Dissemination SCI Events
Proposed Rule 1000(b)(3) would require an SCI entity, upon any
responsible SCI personnel becoming aware of an SCI event, to begin to
take appropriate corrective action which would be required to include,
at a minimum, mitigating potential harm to investors and market
integrity resulting from the SCI event and devoting adequate resources
to remedy the SCI event as soon as reasonably practicable. Given these
requirements of proposed Rule 1000(b)(3), SCI entities would likely
work to develop a process for ensuring that they are prepared to comply
with the corrective action requirement and would likely also
periodically review this process.
In addition, proposed Rule 1000(a) would define a ``dissemination
SCI event'' to mean an SCI event that is a: (1) Systems compliance
issue; (2) systems intrusion; or (3) systems disruption that results,
or the SCI entity reasonably estimates would result, in significant
harm or loss to market participants.
Under the proposed Commission notification and member or
participant dissemination requirements of proposed Rules 1000(b)(4) and
(b)(5), when an SCI event occurs, an SCI entity must determine whether
an SCI event is an immediate notification SCI event or a dissemination
SCI event. As such, SCI entities would likely work to develop a process
for ensuring that they are able to make determinations regarding the
nature of the SCI event quickly and accurately, and periodically review
this process.
4. Recordkeeping Requirements
Proposed Rule 1000(c) would set forth recordkeeping requirements
for SCI entities. Under proposed Rule 1000(c)(1), SCI SROs would be
required to make, keep, and preserve all documents relating to their
compliance with Regulation SCI as prescribed in Rule 17a-1 under the
Exchange Act. Under proposed Rule 1000(c)(2), each SCI entity that is
not an SCI SRO would be required to make, keep, and preserve at least
one copy of all documents, including correspondence, memoranda, papers,
books, notices, accounts, and other such records, relating to its
compliance with Regulation SCI including, but not limited to, records
relating to any changes to its SCI systems and SCI security systems,
for a period of not less than five years, the first two years in a
place that is readily accessible to the Commission or its
representatives for inspection and examination. Upon request of any
representative of the Commission, such SCI entities would be required
to promptly furnish to the possession of such representative copies of
any documents required to be kept and preserved by it under proposed
Rule 1000(c)(2). Under proposed Rule 1000(c)(3), upon or immediately
prior to ceasing to do business or ceasing to be registered under the
Exchange Act, an SCI entity must take all necessary action to ensure
that the records required to be made, kept, and preserved by this
section will be accessible to the Commission and its representatives in
the manner required by proposed Rule 1000(c) and for the remainder of
the period required by proposed Rule 1000(c).
In addition, proposed Rule 1000(e) would provide that, if the
records required to be filed or kept by an SCI entity under proposed
Regulation SCI are prepared or maintained by a service bureau or other
recordkeeping service on behalf of the SCI entity, the SCI entity would
be required to ensure that the records are available for review by the
Commission and its representatives by submitting a written undertaking,
in a form acceptable to the Commission, by such service bureau or other
recordkeeping service and signed by a
[[Page 18144]]
duly authorized person at such service bureau or other recordkeeping
service.
B. Proposed Use of Information
1. Requirements To Establish Written Policies and Procedures and
Mandate Participation in Certain Testing
The proposed requirements that SCI entities establish certain
written policies and procedures with respect to their systems, and that
they require designated members or participants to participate in the
testing of their business continuity and disaster recovery plans, would
further the goals of the national market system and reinforce Exchange
Act obligations by requiring entities important to the functioning of
the U.S. securities markets to carefully design, develop, test,
maintain, and surveil systems integral to their operations, and operate
them in compliance with relevant federal securities laws and the rules
and regulations thereunder, as well as their own rules and policies.
2. Notification, Dissemination, and Reporting Requirements for SCI
Entities
The information that would be collected pursuant to the proposed
requirements for notifications, disseminations of information, and
reports would assist the Commission in its oversight of SCI entities
and the securities markets, help ensure the orderly operation of the
U.S. securities markets, and help protect investors and the public
interest. In particular, the proposed requirements that SCI entities
notify the Commission of all SCI events, disseminate information to
members or participants, undertake and submit to the Commission an SCI
review not less than once each calendar year, and submit reports of
material systems changes are designed to help ensure compliance with
the other provisions of proposed Regulation SCI and accountability of
SCI entities in the event of systems problems. Further, the Commission
preliminarily believes that the member or participant information
dissemination requirement for dissemination SCI events would make
members or participants aware that their trading activity might have
been or might be impacted by the occurrence of a dissemination SCI
event, so that they could consider that information in making trading
decisions, seeking corrective action, or pursuing remedies, among other
things. The Commission also preliminarily believes that the prospect of
disseminating information regarding dissemination SCI events to members
or participants would provide an incentive for SCI entities to better
focus on improving the integrity and compliance of their systems.
3. Requirements To Take Corrective Actions, Identify Immediate
Notification Events, and Identify Dissemination SCI Events
The proposed requirement that SCI entities begin to take
appropriate corrective action upon any responsible SCI personnel
becoming aware of an SCI event would help ensure that SCI entities
dedicate adequate resources to timely address an SCI event and place an
emphasis on mitigating potential harm to investors and market
integrity. The proposed threshold for notification of certain SCI
events to the Commission under proposed Rule 1000(b)(4)(i) would help
ensure that the Commission is made aware of significant SCI events when
any responsible SCI personnel becomes aware of such events. The
proposed definition of dissemination SCI event would help ensure
potentially impacted members or participants have basic information
about SCI events so that they might be able to better assess whether
they should use the services of an SCI entity.\356\
---------------------------------------------------------------------------
\356\ See infra Section III.B.3.d (discussing the threshold for
dissemination SCI events).
---------------------------------------------------------------------------
4. Recordkeeping Requirements
The proposed recordkeeping requirements in Rules 1000(c) and (e)
would assist Commission staff during an examination of an SCI entity to
assess its compliance with the proposed rules. In addition, access to
the records of SCI entities would help Commission staff to carry out
its oversight responsibilities of SCI entities and the securities
markets. Further, the proposed recordkeeping requirements would aid SCI
entities and the Commission in documenting, reviewing, and correcting
any SCI event, as well as in identifying market participants that may
have been harmed by such an event.
C. Respondents
The ``collection of information'' requirements contained in
proposed Regulation SCI would apply to SCI entities, as described
below. Currently, there are 26 entities that would satisfy the proposed
definition of SCI SRO,\357\ 15 entities that would satisfy the proposed
definition of SCI ATS,\358\ 2 entities that would satisfy the
definition of plan processor,\359\ and 1 entity that would meet the
definition of exempt clearing agency subject to ARP.\360\ Accordingly,
the Commission estimates that there are currently 44 entities that
would meet the definition of SCI entity and be subject to the
collection of information requirements of proposed Regulation SCI.
---------------------------------------------------------------------------
\357\ See supra notes 93-96 and accompanying text (listing 17
registered national securities exchanges, 7 registered clearing
agencies, FINRA, and the MSRB).
\358\ See supra Section III.B.1.
\359\ See supra note 565.
\360\ See supra note 133 and accompanying text.
---------------------------------------------------------------------------
The Commission requests comment on the accuracy of these estimated
figures.
D. Total Initial and Annual Reporting and Recordkeeping Burdens
As discussed above, all of the national securities exchanges,
national securities associations, registered clearing agencies, and
plan processors currently participate on a voluntary basis in the ARP
Inspection Program.\361\ Under the ARP Inspection Program, Commission
staff conducts on-site inspections and attends periodic technology
briefings by staff of these entities, generally covering systems
capacity and testing, review of systems vulnerability, review of
planned systems development, and business continuity planning.\362\ In
addition, Commission staff monitors systems failures and planned major
systems changes at these entities.\363\
---------------------------------------------------------------------------
\361\ See supra Section I.A.
\362\ See id.
\363\ See id.
---------------------------------------------------------------------------
Under proposed Regulation SCI, many of the principles of the ARP
policy statements with which SCI SROs are familiar would be codified.
However, because the proposed regulation would have a broader scope
than the current ARP Inspection Program and would impose mandatory
recordkeeping obligations on entities subject to the rules,\364\
proposed Regulation SCI would impose paperwork burdens on all SCI
entities. The Commission's total burden estimates reflect the total
burdens on all SCI entities, taking into account the extent to which
some SCI entities already comply with some of the proposed requirements
of Regulation SCI. As discussed below, the Commission preliminarily
believes that the extent of these burdens will vary for different types
of SCI entities. The Commission notes that the hour figures set forth
in this section are the Commission's preliminary best estimate of the
paperwork burden for compliance with proposed Regulation SCI based on a
variety of sources, including the
[[Page 18145]]
Commission's experience with the current ARP Inspection Program and
other similar estimated burdens for analogous rulemakings. However, the
Commission recognizes that commenters may have other informed views of
the actual burdens that would be imposed by these requirements and
thus, the Commission solicits comment on the appropriateness and
accuracy of each of the estimated burdens below.
---------------------------------------------------------------------------
\364\ As discussed more fully in supra Section III.D and infra
Section IV.D.4, SCI SROs are already subject to existing
recordkeeping and retention requirements under Rule 17a-1 and thus
the Commission believes that the proposed recordkeeping obligations
would not impose any new burden on SCI SROs that is not already
accounted for in the burden estimates for Rule 17a-1.
---------------------------------------------------------------------------
1. Requirements To Establish Written Policies and Procedures and
Mandate Participation in Certain Testing
The proposed rules that would require an SCI entity to establish
policies and procedures and to mandate member or participant
participation in business continuity and disaster recovery plans
testing are discussed more fully in Section III.C above.
a. Policies and Procedures Required by Proposed Rule 1000(b)(1)
The Commission preliminarily estimates that an SCI entity that has
not previously participated in the ARP Inspection Program would require
an average of 210 burden hours to develop and draft policies and
procedures reasonably designed to ensure that its SCI systems and, for
purposes of security standards, SCI security systems, have levels of
capacity, integrity, resiliency, availability, and security adequate to
maintain the SCI entity's operational capability and promote the
maintenance of fair and orderly markets, as proposed to be required by
Rule 1000(b)(1) of Regulation SCI (except for policies and procedures
for standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of
market data, which are addressed separately).\365\ The estimated 210
hours required for such entities would include the time expended to
draft relevant policies and procedures and the time expended for review
of the draft policies and procedures by the SCI entity's management.
The Commission preliminarily believes that all SCI entities \366\ would
conduct this work internally.\367\
---------------------------------------------------------------------------
\365\ This estimate is based on the Commission's experience with
the ARP Inspection Program and its preliminary estimate in the SB
SDR Proposing Release for a similar requirement. See SB SDR
Proposing Release, supra note 297, at 77349 (estimating the number
of hours it would take to draft policies and procedures reasonably
designed to ensure that the SDR's systems provide adequate levels of
capacity, resiliency, and security). This estimate is for the number
of hours an SCI entity would require over and above the usual and
customary amount of time it would devote to developing policies and
procedures designed to ensure its systems' capacity, integrity,
resiliency, availability, and security. These estimated burdens may
vary depending on an SCI entity's business and regulatory
responsibilities.
\366\ The Commission estimates that there are 44 SCI entities.
Of these, 29 entities currently participate in the ARP Inspection
Program and 15 do not. Because the MSRB is not currently a
participant in the ARP Inspection Program, the estimated burden
hours for the MSRB to develop policies and procedures as required by
proposed Rule 1000(b)(1) (except for policies and procedures for
standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination
of market data) is 210 hours, which is higher than the number
estimated for all other SCI SROs that currently participate in the
ARP Inspection Program, as discussed below.
\367\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------
For SCI entities that currently participate in the ARP Inspection
Program (29 entities, nearly all of which are SCI SROs \368\), the
Commission preliminarily believes that in developing their policies and
procedures, these entities would be starting from a baseline of fifty
percent, and therefore the average paperwork burden of developing the
proposed policies and procedures would be 105 burden hours.\369\ The
Commission preliminarily believes that a fifty percent baseline for SCI
entities that participate in the ARP Inspection Program is appropriate
because, although these entities already have substantial policies and
procedures in place, proposed Rule 1000(b)(1) would require these
entities to devote substantial time to reviewing and revising their
existing policies and procedures to ensure that they are sufficiently
robust in the context of a new and expanded regulatory regime. The
Commission preliminarily believes that these entities would conduct
this work internally.\370\
---------------------------------------------------------------------------
\368\ 17 registered national securities exchanges + 7 registered
clearing agencies + 1 national securities association + 2 plan
processors + 1 exempt clearing agency subject to ARP + 1 ATS = 29
entities.
\369\ In establishing this baseline estimate, the Commission has
considered what the entities do today; that is, in the absence of
the proposed rule.
\370\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------
With regard to the proposed requirement in Rule 1000(b)(1) that an
SCI entity's policies and procedures include standards that result in
such systems being designed, developed, tested, maintained, operated,
and surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data, the Commission
preliminarily estimates that each SCI entity would spend an average of
130 hours annually to comply with this requirement.\371\ As this
proposed requirement is not currently addressed by the ARP Inspection
Program, the Commission preliminarily estimates that the total initial
and ongoing burden would be the same for all SCI entities and SCI
entities would conduct this work internally.\372\
---------------------------------------------------------------------------
\371\ This estimate is based on the Commission's experience with
the ARP Inspection Program, and includes the time necessary to
program systems to meet the proposed standard.
\372\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------
As noted above, the Commission preliminarily believes that SCI
entities would handle internally most of the work associated with
establishing, maintaining, and enforcing written policies and
procedures as proposed to be required by Rule 1000(b)(1). However,
based on its experience with the ARP Inspection Program, the Commission
preliminarily believes that SCI entities also would seek outside legal
and/or consulting services in the initial preparation of such policies
and procedures, and that the average cost of such outside legal and/or
consulting advice would be $20,000 per respondent,\373\ for a total of
$880,000 for all respondents.\374\
---------------------------------------------------------------------------
\373\ This estimate is based on the Commission's experience with
the ARP Inspection Program, as well as industry sources. In
addition, the Commission has considered its estimate of the cost
burden under Regulation SDR in connection with the establishment of
certain policies and procedures. See SB SDR Proposing Release, supra
note 297, at 77349 (preliminarily estimating that it would cost
$100,000 to establish, maintain, and enforce five sets of written
policies and procedures, one of which requires policies and
procedures reasonably designed to ensure that the SDR's systems
provide adequate levels of capacity, resiliency, and security).
\374\ ($20,000 outside legal cost) x (44 SCI entities) =
$880,000.
---------------------------------------------------------------------------
As noted above, the Commission preliminarily estimates that the
average initial number of burden hours per respondent to comply with
proposed Rule 1000(b)(1) (except for policies and procedures for
standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of
market data) would be 105 hours for SCI entities that are current ARP
Inspection Program participants and 210 hours for SCI entities that are
not current ARP
[[Page 18146]]
Inspection Program participants, for a total of 6,195 hours.\375\ In
addition, the Commission preliminarily estimates that the average
initial number of burden hours per respondent to comply with the
requirement for policies and procedures for standards that result in
such systems being designed, developed, tested, maintained, operated,
and surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data would be 130 hours for a
total of 5,720 hours for all respondents.\376\
---------------------------------------------------------------------------
\375\ The Commission preliminarily believes that an Attorney and
a Compliance Manager working in collaboration would develop and
draft the required policies and procedures, assisted by, and in
consultation with, Senior Systems Analysts and Operational
Specialists. Thus, the Commission estimates: (Compliance Manager
(including Senior Management Review) at 80 hours + Attorney at 80
hours + Senior Systems Analyst at 25 hours + Operations Specialist
at 25 hours) x (15 potential respondents) + (Compliance Manager
(including Senior Management Review) at 40 hours + Attorney at 40
hours + Senior Systems Analyst at 12.5 hours + Operations Specialist
at 12.5 hours) x (29 potential respondents) = 6,195 burden hours.
\376\ Based on its experience with the ARP Inspection Program,
the Commission estimates: (Compliance Attorney at 30 hours + Senior
Systems Analyst at 100 hours) x (44 potential respondents) = 5,720
burden hours.
---------------------------------------------------------------------------
The Commission preliminarily estimates that, once an SCI entity has
drafted the policies and procedures proposed to be required by Rule
1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data), it would
spend on average approximately 60 hours annually to review its written
policies and procedures to ensure that they are up-to-date and to
prepare any necessary new or amended policies and procedures.\377\
Using a fifty percent baseline for SCI entities that participate in the
ARP Inspection Program and therefore currently review and revise
policies and procedures from time to time, the Commission preliminarily
estimates that the total annual ongoing burden to comply with proposed
Rule 1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data) would be 30
hours per respondent for this group of respondents. The Commission
therefore estimates the ongoing burden to comply with proposed Rule
1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data) to be 870
hours \378\ for SCI entities that are current ARP Inspection Program
participants and 900 hours \379\ for SCI entities that are not ARP
Inspection Program participants, for a total of 1,770 hours for all
respondents.\380\ As noted above, the Commission preliminarily
estimates that the average ongoing number of burden hours per
respondent to comply with the proposed requirement for policies and
procedures for standards that result in such systems being designed,
developed, tested, maintained, operated, and surveilled in a manner
that facilitates the successful collection, processing, and
dissemination of market data would be 130 hours for each respondent,
for a total of 5,720 hours for all respondents.\381\ The Commission
preliminarily believes that the work associated with updating the
policies and procedures proposed to be required by proposed Rule
1000(b)(1) would be done internally.\382\
---------------------------------------------------------------------------
\377\ This estimate is based on the Commission's experience with
the ARP Inspection Program. The Commission has also considered its
preliminary estimate in the SB SDR Proposing Release for a similar
requirement. See SB SDR Proposing Release, supra note 297, at 77349
(estimating the ongoing burden associated with maintaining policies
and procedures reasonably designed to ensure that the SDR's systems
provide adequate levels of capacity, resiliency, and security). This
estimate is for the number of hours an SCI entity would require over
and above the usual and customary amount of time it would devote to
maintaining policies and procedures designed to ensure its systems'
capacity, integrity, resiliency, availability, and security.
\378\ (Compliance Manager at 15 hours + Attorney at 15 hours) x
(29 potential respondents currently participating in the ARP
Inspection Program) = 870 hours.
\379\ (Compliance Manager at 30 hours + Attorney at 30 hours) x
(15 potential respondents not currently participating in the ARP
Inspection Program) = 900 hours.
\380\ 870 hours for SCI entities that are current ARP Inspection
Program participants + 900 hours for SCI entities that are not
current ARP Inspection Program participants = 1,770 burden hours.
\381\ (Compliance Attorney at 30 hours + Senior Systems Analyst
at 100 hours) x (44 potential respondents) = 5,720 burden hours.
\382\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------
b. Policies and Procedures Required by Proposed Rule 1000(b)(2)
With regard to proposed Rule 1000(b)(2)(i), which would require
each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems
operate in the manner intended, including in a manner that complies
with the federal securities laws and rules and regulations thereunder
and, as applicable, the entity's rules and governing documents, the
Commission preliminarily believes that each SCI entity would elect to
comply with the safe harbor provisions in proposed Rules 1000(b)(2)(ii)
and (iii), and preliminarily estimates that each SCI entity would
initially spend approximately 180 hours to design their policies and
procedures accordingly. This estimate would include the time necessary
to review and revise any existing policies and procedures to ensure
that they satisfy the proposed safe harbor provisions, and the
Commission preliminarily believes this estimate would be the same for
all SCI entities.\383\ Therefore, the Commission preliminarily
estimates that proposed Rule 1000(b)(2) would carry an initial one-time
burden of 180 hours per respondent, for a total initial one-time burden
of 7,920 hours for all respondents.\384\ The Commission also
preliminarily estimates that each SCI entity that is an SRO would spend
approximately 120 hours annually to review these written policies and
procedures to ensure that they are up-to-date and to prepare any
necessary new or amended policies and procedures, and that other types
of SCI entities would spend approximately 60 hours to do this
work.\385\ Therefore, the
[[Page 18147]]
Commission preliminarily estimates that proposed Rule 1000(b)(2) would
carry an ongoing annual burden of 120 hours per SRO respondent and 60
hours per non-SRO respondent, for a total ongoing annual burden of
4,200 hours for all respondents.\386\ These estimated burdens per
respondent also would include the time expended for the review of the
draft policies and procedures by the SCI entity's management.
---------------------------------------------------------------------------
\383\ This estimate is based on the Commission's experience with
the ARP Inspection Program and OCIE examinations, which review
policies and procedures of registered entities in conjunction with
examinations of such entities for compliance with the federal
securities laws. Although not currently explicitly required under
the existing ARP Inspection Program or other laws or regulations,
the Commission expects that most, if not all, SCI entities already
voluntarily have certain policies and procedures in place as part of
good business management and oversight to ensure that their SCI
systems operate in the manner intended. However, proposed Rule
1000(b)(2)(i) would set forth specific new requirements with respect
to such policies and procedures, and proposed Rules 1000(b)(2)(ii)
and (iii) would specify how an SCI entity and its employees could
satisfy the new requirement through safe harbors. Because proposed
Rule 1000(b)(2)(i) has no analogue in the ARP Inspection Program and
would create a new requirement for all SCI entities, for purposes of
the PRA, the Commission preliminarily estimates that all SCI
entities would elect to comply with the proposed safe harbor of
proposed Rule 1000(b)(2)(ii) and be subject to the same initial
burden to ensure that their policies and procedures satisfy the
requirements of the proposed safe harbor.
\384\ Based on its experience with OCIE examinations and the ARP
Inspection Program, the Commission estimates: (Compliance Attorney
at 30 hours + Senior Systems Analyst at 150 hours) x (44 potential
respondents) = 7,920 burden hours.
\385\ These estimates are based on the Commission's experience
with the ARP Inspection Program and OCIE examinations. The
Commission notes that its estimate of 120 hours for SCI SROs to
annually review and update the written policies and procedures
proposed to be required by Rule 1000(b)(2)(i), to satisfy the
elements of the safe harbor provisions in proposed Rules
1000(b)(2)(ii) and (iii), is higher than its estimate for SCI SROs
to review and update the policies and procedures proposed to be
required by Rule 1000(b)(1) and its estimate for SCI entities that
are not SCI SROs to review and update the policies and procedures
proposed to be required by Rule 1000(b)(2)(i), to satisfy the
elements of the safe harbor provisions in proposed Rules
1000(b)(2)(ii) and (iii). This higher estimate is based on the
Commission's preliminary belief that the burden for SCI SROs would
be greater because such entities generally change their rules with
greater frequency. The Commission solicits comment on the
accuracy of this information.
\386\ Based on its experience with OCIE examinations and the ARP
Inspection Program, the Commission estimates: (Compliance Attorney
at 20 hours + Senior Systems Analyst at 100 hours) x (26 potential
SCI SRO respondents) + (Compliance Attorney at 10 hours + Senior
Systems Analyst at 50 hours) x (18 potential non-SCI SRO
respondents) = 4,200 burden hours.
---------------------------------------------------------------------------
As with proposed Rule 1000(b)(1), the Commission preliminarily
believes that SCI entities would handle internally most of the work
associated with establishing and maintaining written policies and
procedures that are reasonably designed to ensure that their SCI
systems operate in the manner intended, including in a manner that
complies with the federal securities laws and rules and regulations
thereunder and, as applicable, the entity's rules and governing
documents, and that meet the requirements of the proposed safe harbor
provisions of proposed Rule 1000(b)(2)(ii).\387\ However, based on its
experience with the ARP Inspection Program, the Commission
preliminarily believes that SCI entities also would seek outside legal
and/or consulting advice in the initial preparation of such policies
and procedures, and that the average cost of outside legal/consulting
advice would be $20,000 per respondent, for a total of $880,000 for all
respondents.\388\
---------------------------------------------------------------------------
\387\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
\388\ ($20,000 outside legal cost) x (44 entities) = $880,000.
---------------------------------------------------------------------------
c. Mandate Participation in Certain Testing
Proposed Rule 1000(b)(9) would require each SCI entity, with
respect to its business continuity and disaster recovery plans,
including its backup systems, to require participation by designated
members or participants in scheduled functional and performance testing
of the operation of such plans at specified intervals, and coordinate
such testing on an industry- or sector-wide basis with other SCI
entities. The Commission preliminarily believes that all SCI entities
would be subject to this proposed requirement, and that none of these
entities currently require participation by members or participants in
scheduled functional and performance testing of their business
continuity and disaster recovery plans, as proposed Rule 1000(b)(9)
would have them require.
Although SCI entities may seek to implement the proposed
requirements in different ways (e.g., for SCI SROs, by submitting
proposed rule changes under Section 19(b) of the Exchange Act; for SCI
ATSs, by revising membership or subscriber agreements and internal
procedures; for plan processors, through an amendment to an SCI Plan
under Rule 608 of Regulation NMS; and, for exempt clearing agencies
subject to ARP, by revising participant agreements and internal
procedures), the Commission preliminarily believes that the average
paperwork burden associated with the proposed rule would be the same
for all SCI entities because they would likely make similar changes to
their rules, agreements, procedures, or SCI Plans, and would likely
take similar actions to implement and coordinate mandatory testing.
Based on its experience with SCI entities, the Commission preliminarily
believes that SCI entities, other than plan processors, would handle
this work internally.
The Commission preliminarily estimates that each SCI entity (other
than plan processors) would spend approximately 130 hours initially to
meet the requirements of proposed Rules 1000(b)(9)(i) and (ii). This
estimate takes into consideration the requirement to mandate
participation by designated members or participants in testing under
proposed Rule 1000(b)(9)(i), as well as the requirement under proposed
Rule 1000(b)(9)(ii) that an SCI entity coordinate required testing with
other SCI entities. Specifically, the estimated 130 hours assumes that
it would take an SCI entity 35 hours to write a proposed rule, or
revise a membership/subscriber agreement or participant agreement, as
the case may be, to establish the participation requirement for the SCI
entity's designated members or participants,\389\ and an additional 95
hours of follow-up work (e.g., notice and schedule coordination) to
ensure implementation. Therefore, the Commission preliminarily
estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an
initial burden of 130 hours per respondent, for a total initial burden
of 5,460 hours for all respondents.\390\ For plan processors, the
Commission preliminarily estimates that proposed Rules 1000(b)(9)(i)
and (ii) would carry an initial cost of $52,000 per respondent,\391\
for a total initial cost of $104,000 for all plan
processors.\392\
---------------------------------------------------------------------------
\389\ In establishing this estimate, the Commission considered
its estimate of the burden for an SRO to file an average proposed
rule change. See 2012 Rule 19b-4 collection of information revision
Supporting Statement, Office of Management and Budget, available at:
http://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
\390\ Based on Commission staff experience in reviewing SRO
proposed rule change filings and past estimates for Rule 19b-4 and
Form 19b-4, the Commission estimates as follows: (Compliance Manager
at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x
(42 potential respondents) + (Compliance Manager at 10 hours +
Attorney at 15 hours + Operations Specialist at 70 hours) x (42
potential respondents) = 5,460 hours to comply with proposed Rules
1000(b)(9)(i) and (ii).
\391\ 130 hours x $400 per hour for outside legal services =
$52,000. See infra note 463.
\392\ $52,000 x 2 plan processors = $104,000.
---------------------------------------------------------------------------
The Commission also preliminarily estimates that each SCI entity
(other than plan processors) would spend approximately 95 hours
annually to review the written rules or requirements to ensure that
they remain up-to-date and to prepare any necessary amendments and
undertake necessary coordination to ensure implementation and
enforcement of the requirement.\393\ Therefore, the Commission
preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii)
would carry an ongoing annual burden of 95 hours per respondent, for a
total ongoing annual burden of 3,990 hours for all respondents.\394\
For plan processors, the Commission preliminarily estimates that
proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual
cost of $38,000 per respondent,\395\ for
[[Page 18148]]
a total ongoing annual cost of $76,000 for all plan processors.\396\
---------------------------------------------------------------------------
\393\ As noted above, the initial burden includes 35 hours to
write a proposed rule, revise an agreement, or amend an SCI Plan.
The Commission does not believe this 35-hour burden would be
applicable on an ongoing basis.
\394\ (Compliance Manager at 10 hours + Attorney at 15 hours +
Operations Specialist at 70 hours) x (42 potential respondents) =
3,990 hours. See supra note 390.
\395\ 95 hours x $400 per hour for outside legal services =
$38,000. See infra note 463.
\396\ $38,000 x 2 plan processors = $76,000.
---------------------------------------------------------------------------
The Commission preliminarily estimates that each SCI entity (other
than plan processors) would spend approximately 35 hours initially to
meet the requirements of proposed Rule 1000(b)(9)(iii). This estimate
takes into consideration the burden for an SCI entity to establish
standards for designating members or participants who must participate
in its business continuity and disaster recovery plans testing and file
such standards with the Commission on Form SCI, as well as the burden
for an SCI entity to determine, compile, and submit its list of
designated members or participants on Form SCI. Specifically, the
Commission estimates that each SCI entity would take 35 hours to write
a proposed rule or an internal procedure, as the case may be, to
establish standards for designating members or participants, to apply
the standards to compile the list of designees, and to file such
standards and the list of designees on Form SCI.\397\ Therefore, the
Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii)
would carry an initial burden of 35 hours per respondent, for a total
initial burden of 1,470 hours for all respondents.\398\ For plan
processors, the Commission preliminarily estimates that proposed Rule
1000(b)(9)(iii) would carry an initial cost of $14,000 per
respondent,\399\ for a total initial cost of $28,000 for all plan
processors.\400\
---------------------------------------------------------------------------
\397\ In establishing this estimate, the Commission considered
its estimate of the burden for an SRO to file an average proposed
rule change. See 2012 Rule 19b-4 collection of information revision
Supporting Statement, Office of Management and Budget, available at:
http://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002.
\398\ Based on Commission staff experience in reviewing SRO
proposed rule change filings and past estimates for Rule 19b-4 and
Form 19b-4, the Commission estimates as follows: (Compliance Manager
at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x
(42 potential respondents) = 1,470 hours to comply with Rule
1000(b)(9)(iii).
\399\ 35 hours x $400 per hour for outside legal services =
$14,000. See infra note 463.
\400\ $14,000 x 2 plan processors = $28,000.
---------------------------------------------------------------------------
The Commission also preliminarily estimates that each SCI entity
(other than plan processors) would spend approximately 3 hours annually
to review the designation standards to ensure that they remain up-to-
date and to prepare any necessary amendments, to review its list of
designated members or participants, and to update prior Commission
notifications with respect to the standards for designation and the
list of designees.\401\ Therefore, the Commission preliminarily
estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing
annual burden of 3 hours per respondent, for a total ongoing annual
burden of 126 hours for all respondents.\402\ For plan processors, the
Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii)
would carry an ongoing annual cost of $1,200 per respondent,\403\
for a total ongoing annual cost of $2,400 for all plan processors.\404\
---------------------------------------------------------------------------
\401\ In establishing this estimate, the Commission has
considered its estimate of the burden for an SRO to amend a Form
19b-4. Specifically, the Commission estimated that an amendment to
Form 19b-4 would require approximately 3 hours to complete. See
Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR
60287, 60294 (October 8, 2004).
\402\ (Compliance Manager at 1.5 hours + Attorney at 1.5 hours)
x (42 potential respondents) = 126 hours.
\403\ 3 hours x $400 per hour for outside legal services =
$1,200. See infra note 463.
\404\ $1,200 x 2 plan processors = $2,400.
---------------------------------------------------------------------------
2. Notice, Dissemination, and Reporting Requirements for SCI Entities
The proposed rules that would require an SCI entity to notify the
Commission of SCI events, disseminate certain SCI events to members or
participants, and submit specified reports are discussed more fully in
Section III.C above.
a. Notices Required by Proposed Rule 1000(b)(4)
Proposed Rule 1000(b)(4) would require notice of SCI events to the
Commission.\405\ The burden estimates to comply with proposed Rule
1000(b)(4) include the burdens associated with Commission notification
of immediate notification SCI events and the submission of Form SCI in
accordance with the instructions thereto.
---------------------------------------------------------------------------
\405\ See supra note 351 and accompanying text for details
regarding the content of Form SCI. Currently, there is no law or
rule specifically requiring SCI entities to notify the Commission of
systems problems in writing or in a specific format. Nevertheless,
voluntary communications of systems problems to Commission staff
occur in a variety of ways, including by telephone and email. The
Commission notes that proposed Rule 1000(b)(4) would impose a new
reporting requirement on SCI entities, regardless of whether they
currently voluntarily notify the Commission of SCI events on an ad
hoc basis. As such, the Commission preliminarily believes that a
history of voluntarily reporting such events to the Commission would
not lessen the future burden of reporting such events to the
Commission on Form SCI as required under proposed Rule 1000(b)(4).
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any
responsible SCI personnel becoming aware of a systems disruption that
the SCI entity reasonably estimates would have a material impact on its
operations or on market participants, any systems compliance issue, or
any systems intrusion, to notify the Commission of such SCI event. As
noted above, notification required by proposed Rule 1000(b)(4)(i) may
be done orally or in writing. The Commission preliminarily estimates
that each SCI entity would experience an average of 40 immediate
notification SCI events per year.\406\ The Commission further
preliminarily estimates that one-fourth of the notifications under
proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written
notifications and 30 oral notifications), and that each written
notification would require an in-house attorney half an hour to prepare
and submit to the Commission.\407\ Thus, the Commission preliminarily
estimates that the initial and ongoing burden to comply with the
notification requirement of proposed Rule 1000(b)(4)(i) would be 5
hours annually per respondent, and 220 hours annually for all
respondents.\408\
---------------------------------------------------------------------------
\406\ Because the threshold for immediate notification SCI
events is lower than the threshold for dissemination SCI events, the
estimate for the number of immediate notification SCI events is
higher than the estimate for the number of dissemination SCI events
(i.e., 15 dissemination SCI events). See infra notes 414 and 424 and
accompanying text.
\407\ The Commission preliminarily believes this estimate is
appropriate because the notification required by proposed Rule
1000(b)(4)(i) would not be submitted through Form SCI, and is
intended to be an immediate initial notification when responsible
SCI personnel becomes aware of an immediate notification SCI event
which contains only information known to the SCI entity at that
time.
\408\ (Attorney at 0.5 hour for each notice) x (10 notices) = 5
hours. 5 hours x (44 potential respondents) = 220 burden hours. The
Commission preliminarily believes that SCI entities would handle
internally the work associated with the notification requirement of
proposed Rule 1000(b)(4)(i). But see infra Section IV.D.6,
requesting comment on whether some SCI entities, particularly those
that do not currently participate in the ARP Inspection Program,
would seek to outsource this work and what the cost to outsource
this work would be.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24
hours of any responsible SCI personnel becoming aware of any SCI event,
to submit a written notification to the Commission on Form SCI
pertaining to such SCI event. The Commission preliminarily estimates
that each SCI entity would experience an average of 65 SCI events per
year.\409\ Thus, the
[[Page 18149]]
Commission preliminarily estimates that there would be an average of 65
SCI event notices per year for each respondent. The Commission
preliminarily estimates that each notification under proposed Rule
1000(b)(4)(ii) would require an average of 20 burden hours,\410\ with a
compliance manager and in-house attorney each spending approximately 10
hours in collaboration to draft, review, and submit the report. Thus,
the Commission preliminarily estimates that the initial and ongoing
burden to comply with the reporting requirement of proposed Rule
1000(b)(4)(ii) would be 1,300 hours annually per respondent, and 57,200
hours annually for all respondents.\411\
---------------------------------------------------------------------------
\409\ This estimate is based on Commission's experience with the
ARP Inspection Program. Approximately 175 ARP incidents were
reported to the Commission in 2011 by entities that currently
participate in the ARP Inspection Program. Of those entities, the
Commission believes that 28 would fall under the proposed definition
of SCI entity (since 2011, an additional entity has become part of
the ARP Inspection Program, for a total of 29 SCI entities that
participate in the ARP Inspection Program). Thus, each entity
reported an average of approximately 6 incidents in 2011. Because
the proposed definition of ``SCI event'' is broader than the types
of events covered by the current ARP Inspection Program, and SCI
entities are not currently required by law or rule to report systems
issues to the Commission, the Commission preliminarily believes that
the number of SCI events that would be reported to the Commission
would be significantly more than the number of incidents reported in
2011. The Commission acknowledges that, because these types of
incidents are not required to be reported under the current ARP
Inspection Program, this figure is largely an estimate and is
difficult to ascertain. As such, the Commission seeks comment on the
accuracy of this estimate.
\410\ This estimate includes the burden for attaching an Exhibit
3 (i.e., a copy in pdf or html format of any information
disseminated to date regarding the SCI event to its members or
participants or on the SCI entity's publicly available Web site).
This estimate is based on Commission staff experience with the ARP
Inspection Program. The Commission has also considered its estimate
of the burden to complete Form 19b-4. Specifically, the Commission
has estimated that an SRO would spend approximately 39 hours to
complete a Form 19b-4. See 2012 Rule 19b-4 collection of information
revision Supporting Statement, Office of Management and Budget,
available at: http://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. However, the Commission notes that, unlike Form
19b-4, the information contained in Form SCI would only be factual.
As such, the Commission preliminarily believes that the amount of
time for an SCI entity to complete Form SCI would be less than the
amount of time for an SRO to complete Form 19b-4.
\411\ (Compliance Manager at 10 hours for each notice + Attorney
at 10 hours for each notice) x (65 notices) = 1,300 hours. 1,300
hours x (44 potential respondents) = 57,200 burden hours. The
Commission preliminarily believes that SCI entities would handle
internally the work associated with the notification requirement of
proposed Rule 1000(b)(4)(ii). But see infra Section IV.D.6,
requesting comment on whether some SCI entities, particularly those
that do not currently participate in the ARP Inspection Program,
would seek to outsource this work and what the cost to outsource
this work would be.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit
written updates to the Commission on Form SCI pertaining to SCI events
on a regular basis, or at such frequency as reasonably requested by a
representative of the Commission, until such time as the SCI event is
resolved. Based on Commission staff's experience with the ARP
Inspection Program, the Commission preliminarily estimates that, on
average, each SCI entity would submit 5 updates per year under proposed
Rule 1000(b)(4)(iii), and that each update would require an average of
3 burden hours,\412\ with a compliance manager and in-house attorney
each spending approximately 1.5 hours in collaboration to draft,
review, and submit the update. Thus, the Commission preliminarily
estimates that the initial and ongoing burden to comply with the
continuous update requirement of proposed Rule 1000(b)(4)(iii) would be
15 hours annually per respondent, and 660 hours annually for all
respondents.\413\
---------------------------------------------------------------------------
\412\ This estimate includes the burden for attaching an Exhibit
3 (i.e., a copy in pdf or html format of any information disclosed
to date regarding the SCI event to its members or participants or on
the SCI entity's publicly available Web site). In determining this
estimate, the Commission has considered its estimate of the burden
for an SRO to amend a Form 19b-4. Specifically, the Commission
estimated that an amendment to Form 19b-4 would require
approximately 3 hours to complete. See Securities Exchange Act
Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8,
2004).
\413\ (Compliance Manager at 1.5 hours for each update +
Attorney at 1.5 hours for each update) x (5 updates) = 15 hours. 15
hours x (44 potential respondents) = 660 burden hours. The
Commission preliminarily believes that SCI entities would handle
internally the work associated with the reporting requirement of
proposed Rule 1000(b)(4)(iii). But see infra Section IV.D.6,
requesting comment on whether some SCI entities, particularly those
that do not currently participate in the ARP Inspection Program,
would seek to outsource this work and what the cost to outsource
this work would be.
---------------------------------------------------------------------------
b. Disseminations Required by Proposed Rule 1000(b)(5)
Proposed Rule 1000(b)(5) would require disseminations of
information to members or participants relating to dissemination SCI
events. Based on the definition of dissemination SCI event, the
Commission preliminarily estimates that each SCI entity would
experience an average of 14 dissemination SCI events each year that are
not systems intrusions, resulting in an average of 14 member or
participant disseminations per respondent per year under proposed Rule
1000(b)(5)(i).\414\
---------------------------------------------------------------------------
\414\ This estimate is based on the Commission's experience with
the ARP Inspection Program. Specifically, as indicated in the
Economic Analysis Section, approximately 175 ARP incidents were
reported to the Commission in 2011 by entities that currently
participate in the ARP Inspection Program. Of those entities, the
Commission believes that 28 would fall under the proposed definition
of SCI entity (since 2011, an additional entity has become part of
the ARP Inspection Program, for a total of 29 SCI entities that
participate in the ARP Inspection Program). Thus, each entity
reported an average of approximately 6 incidents in 2011. Further,
because proposed Rule 1000(a) would define an SCI event to mean a
systems disruption, systems compliance issue, or systems intrusion,
the scope of proposed Regulation SCI is broader than the scope of
incidents reported to the ARP Inspection Program, which covers
certain systems disruptions and intrusions. As such, the Commission
preliminarily believes that an estimate of 14 dissemination SCI
events per year per SCI entity (other than systems intrusions) is
appropriate.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5)(i)(A) would require an SCI entity,
promptly after any responsible SCI personnel becomes aware of a
dissemination SCI event other than a systems intrusion, to disseminate
to its members or participants the following information about such SCI
event: (1) The systems affected by the SCI event; and (2) a summary
description of the SCI event.
In addition to the costs for outside legal advice discussed
below,\415\ the Commission estimates that each initial member or
participant dissemination would require an average of 3 hours to
prepare and make available to members or participants, with an in-house
attorney spending approximately 2.67 hours in drafting and reviewing
the dissemination, and a webmaster spending approximately 0.33 hours in
making the dissemination available to members or participants.\416\
Thus, the Commission preliminarily estimates that the initial and
ongoing burden to comply with the initial member or participant
dissemination requirement of proposed Rule 1000(b)(5)(i)(A) would be
approximately 42 hours annually per respondent, and 1,848 hours
annually for all respondents.\417\
---------------------------------------------------------------------------
\415\ See infra note 428.
\416\ This estimate is based on Commission staff's experience
with the ARP Inspection Program. The Commission estimates that each
initial member or participant dissemination would require an average
of 3 hours to prepare and make available the information to members
or participants, instead of 20 hours as estimated for proposed Rule
1000(b)(4)(ii), because the information required to be disseminated
to members or participants would have been used for the initial
written notification on Form SCI. For the same reason, the
Commission preliminarily believes that an in-house attorney will
prepare the dissemination, which will be made available to members
or participants by the webmaster.
\417\ (Attorney at 2.67 hours for each notification + Webmaster
at 0.33 hour for each notification) x (14 notifications per year) =
42 hours. 42 hours x (44 potential respondents) = 1,848 burden
hours. The Commission preliminarily believes that SCI entities would
handle internally most of the work associated with the notification
requirement of proposed Rule 1000(b)(5)(i)(A). But see infra Section
IV.D.6, requesting comment on whether some SCI entities,
particularly those that do not currently participate in the ARP
Inspection Program, would seek to outsource this work and what the
cost to outsource this work would be.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5)(i)(B) would require the SCI entity to
further disseminate, when known, the following information to its
members or
[[Page 18150]]
participants: (1) A detailed description of the SCI event; (2) the SCI
entity's current assessment of the types and number of market
participants potentially affected by the SCI event; and (3) a
description of the progress of its corrective action for the SCI event
and when the SCI event has been or is expected to be resolved. In
addition to the outside costs discussed below,\418\ the Commission
preliminarily estimates that each update under proposed Rule
1000(b)(5)(i)(B) would require an average of 5 hours to prepare and
make available to members or participants,\419\ with an in-house
attorney spending approximately 4.67 hours in drafting and reviewing
the update, and a webmaster spending approximately 0.33 hour in making
the update available to members or participants. Thus, the Commission
preliminarily estimates that the initial and ongoing burden to comply
with the update requirement of proposed Rule 1000(b)(5)(i)(B) would be
approximately 70 hours annually per respondent, and 3,080 hours
annually for all respondents.\420\
---------------------------------------------------------------------------
\418\ See infra note 428.
\419\ The Commission estimates that each update under proposed
Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare
and make available to members or participants, instead of 20 hours
as estimated for proposed Rule 1000(b)(4)(ii), because the
information required to be disseminated to members or participants
would have been used for the initial written notification on Form
SCI.
\420\ (Attorney at 4.67 hours for each update + Webmaster at
0.33 hour for each update) x (14 updates per year) = 70 hours. 70
hours x (44 potential respondents) = 3,080 burden hours. This
estimate is based on Commission staff's experience with the ARP
Inspection Program. The Commission preliminarily believes that SCI
entities would handle internally most of the work associated with
the update requirement of proposed Rule 1000(b)(5)(i)(B). But see
infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5)(i)(C) would require an SCI entity to
provide regular updates to members or participants of any information
required to be disseminated under proposed Rule 1000(b)(5). As noted
above, there were approximately 175 ARP incidents reported to the
Commission in 2011. These incidents had durations ranging from under
one minute to 24 hours, with most incidents having a duration of less
than 2 hours. Based on the relatively short duration of the ARP
incidents reported to the Commission in 2011, the Commission
preliminarily estimates that, on average, each SCI entity would provide
one regular update per year per dissemination SCI event under proposed
Rule 1000(b)(5)(i)(C). In addition to the costs for outside legal
advice discussed below,\421\ the Commission preliminarily estimates
that each update would require an average of 1 hour to prepare and make
available to members or participants,\422\ with an in-house attorney
spending approximately 0.67 hour in drafting and reviewing the update,
and a webmaster spending approximately 0.33 hour in making the update
available to members or participants. Thus, the Commission
preliminarily estimates that the initial and ongoing burden to comply
with the regular update requirement of proposed Rule 1000(b)(5)(i)(C)
would be approximately 14 hours annually per respondent, and 616 hours
annually for all respondents.\423\
---------------------------------------------------------------------------
\421\ See infra note 428.
\422\ This estimate is based on the estimated burden to complete
and submit a written update for an SCI event on Form SCI. See supra
note 412. The Commission estimates that each regular update to a
member or participant dissemination would require an average of 1
hour to prepare and make available to members or participants,
instead of 3 hours, because the information required to be provided
to the Commission in the updates on Form SCI would also be used for
updating the member or participant dissemination. For the same
reason, the Commission preliminarily believes that an attorney will
prepare the update, which will be made available by the webmaster.
\423\ (Attorney at 0.67 hour for each update + Webmaster at 0.33
hour for each update) x (14 updates per year) = 14 hours. 14 hours x
(44 potential respondents) = 616 burden hours. This estimate is
based on Commission staff's experience with the ARP Inspection
Program. The Commission preliminarily believes that SCI entities
would handle internally most of the work associated with the update
requirement of proposed Rule 1000(b)(5)(i)(C). But see infra Section
IV.D.6, requesting comment on whether some SCI entities,
particularly those that do not currently participate in the ARP
Inspection Program, would seek to outsource this work and what the
cost to outsource this work would be.
---------------------------------------------------------------------------
Under proposed Rule 1000(b)(5)(ii), promptly after any responsible
SCI personnel becomes aware of a systems intrusion, the SCI entity
would be required to disseminate to its members or participants a
summary description of the systems intrusion, including a description
of the corrective action taken by the SCI entity and when the systems
intrusion has been or is expected to be resolved, unless the SCI entity
determines that dissemination of such information would likely
compromise the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion, and documents
the reasons for such determination. Based on the definition of
dissemination SCI event, the Commission preliminarily estimates that
each SCI entity would experience an average of 1 dissemination SCI
event that is a systems intrusion each year, resulting in an average of
1 member or participant dissemination per respondent per year under
proposed Rule 1000(b)(5)(ii).\424\ In addition to the costs for outside
legal advice discussed below,\425\ the Commission estimates that each
member or participant dissemination under proposed Rule 1000(b)(5)(ii)
would require an average of 3 hours to prepare and make available to
members or participants, with an in-house attorney spending
approximately 2.67 hours in drafting and reviewing the dissemination,
and a webmaster spending approximately 0.33 hours in making the
dissemination available to members or participants.\426\ Thus, the
Commission preliminarily estimates that the initial and ongoing burden
to comply with the member or participant dissemination requirement
under proposed Rule 1000(b)(5)(ii) would be approximately 3 hours
annually per respondent, and 132 hours annually for all
respondents.\427\
---------------------------------------------------------------------------
\424\ Based on Commission's experience with the ARP Inspection
Program, the Commission preliminarily believes each SCI entity will
experience on average less than one systems intrusion per year.
However, for purposes of the PRA, the Commission preliminarily
estimates one systems intrusion per respondent per year.
\425\ See infra note 428.
\426\ This estimate includes any burden for an SCI entity to
document its reason for determining that dissemination of
information regarding a systems intrusion would likely compromise
the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion. This estimate
is based on Commission staff's experience with the ARP Inspection
Program. In determining this estimate, the Commission considered its
burden estimate for proposed Rule 1000(b)(5)(i)(A) because both
rules would require the dissemination of certain basic information
about a dissemination SCI event. For the same reason, the Commission
preliminarily believes that an in-house attorney will prepare the
dissemination, which will be made available by the webmaster.
\427\ (Attorney at 2.67 hours for each notification + Webmaster
at 0.33 hour for each notification) x (1 notification per year) = 3
hours. 3 hours x (44 potential respondents) = 132 burden hours. The
Commission preliminarily believes that SCI entities would handle
internally most of the work associated with the dissemination
requirement of proposed Rule 1000(b)(5)(ii). But see infra Section
IV.D.6, requesting comment on whether some SCI entities,
particularly those that do not currently participate in the ARP
Inspection Program, would seek to outsource this work and what the
cost to outsource this work would be.
---------------------------------------------------------------------------
The Commission preliminarily believes that SCI entities would
internally handle most of the work associated with disseminating
information on dissemination SCI events to members or participants.
However, based on its experience with the ARP Inspection Program, the
Commission preliminarily believes that SCI entities also would seek
outside legal advice in the preparation of the disseminations required
under proposed Rule 1000(b)(5), and that the average cost of outside
legal advice would be
[[Page 18151]]
$15,000 per respondent per year, for a total of $660,000 for all
respondents per year.\428\
---------------------------------------------------------------------------
\428\ ($15,000 outside legal cost) x (44 potential respondents)
= $660,000.
---------------------------------------------------------------------------
c. Notices Required by Proposed Rule 1000(b)(6)
Proposed Rule 1000(b)(6) would require notification to the
Commission on Form SCI of material systems changes. The Commission
preliminarily believes this work would be conducted internally.\429\
The burden estimates to comply with proposed Rule 1000(b)(6) include
the burdens associated with submission of Form SCI in accordance with
the instructions thereto.
---------------------------------------------------------------------------
\429\ But see infra Section IV.D.6, requesting comment on
whether some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------
Specifically, proposed Rule 1000(b)(6) would require the SCI
entity, absent exigent circumstances, to notify the Commission on Form
SCI at least 30 calendar days before the implementation of any planned
material systems change, including a description of the planned
material systems change as well as the expected dates of commencement
and completion of the implementation of such change.\430\ Based on its
experience with the ARP Inspection Program, the Commission preliminarily
estimates that there would be an average of 60 planned material systems
changes per respondent per year.\431\ As such, the Commission
preliminarily estimates that there would be an average of 60
notifications per respondent per year, and each notification would
require an average of 2 hours to prepare and submit,\432\ with an
attorney spending approximately 0.33 hours and a senior systems analyst
spending approximately 1.67 hours in drafting and reviewing the
notification. For the 15 SCI entity respondents that do not currently
participate in the ARP Inspection Program, the Commission preliminarily
estimates that the initial and ongoing burden to comply with the notice
requirement of proposed Rule 1000(b)(6) would be approximately 120
hours annually per respondent, and 1,800 hours annually for all
respondents.\433\ Because SCI entities that currently participate in
the ARP Inspection Program already notify the Commission of planned
material systems changes, the Commission preliminarily estimates that
these entities would be starting from a baseline of fifty percent, and
that the increased burden for these 29 SCI entities would be 60 hours
annually per respondent.\434\ The Commission preliminarily estimates
that the total initial and ongoing burden for SCI entities that
currently participate in the ARP Inspection Program would be 60 hours
annually per respondent, for a total burden of 1,740 hours for all of
these respondents.\435\ Thus, the total estimated initial and ongoing
burden to comply with proposed Rule 1000(b)(6) would be 3,540 hours for all
respondents.\436\
---------------------------------------------------------------------------
\430\ If exigent circumstances exist, or if the information
previously provided to the Commission regarding any planned material
systems change becomes materially inaccurate, the SCI entity would
be required to notify the Commission, either orally or in writing,
with any oral notification to be memorialized within 24 hours after
such oral notification by a written notification, as early as
reasonably practicable.
\431\ This estimate includes instances where the information
previously provided to the Commission regarding any planned material
systems change becomes materially inaccurate.
\432\ In estimating the burden imposed by proposed Rule
1000(b)(6), the Commission also considered its burden estimate for
the same reporting requirement that was proposed for SB SEFs.
Specifically, proposed Rule 822(a)(4) in the SB SEF Proposing
Release would require an SB SEF to notify the Commission in writing
at least 30 calendar days before the implementation of material
systems changes. The Commission estimated that there would be an
average of 60 notifications per respondent per year, and that each
notification would require an average of 2 internal burden hours.
See SB SEF Proposing Release, supra note 297, at 11029.
\433\ (Attorney at 0.33 hour for each notification + Senior
Systems Analyst at 1.67 hours for each notification) x (60
notifications per year) = 120 hours. 120 hours x (15 potential
respondents) = 1,800 burden hours.
\434\ (Attorney at 0.33 hour for each notification + Senior
Systems Analyst at 1.67 hours for each notification) x (30
additional notifications per year) = 60 hours. The Commission
preliminarily believes that the burden would result from the
proposed broadened definitions of ``SCI systems'' and ``SCI security
systems'' in Regulation SCI, as well as the shift from a voluntary
to a mandatory regulatory environment.
\435\ (60 burden hours) x (29 potential respondents) = 1,740
burden hours.
\436\ (1,800 burden hours for SCI entities that do not currently
participate in the ARP Inspection Program + 1,740 burden hours for
SCI entities that currently participate in the ARP Inspection
Program) = 3,540 burden hours.
---------------------------------------------------------------------------
d. SCI Review Required by Proposed Rule 1000(b)(7)
Proposed Rule 1000(b)(7) would require each SCI entity to conduct
an SCI review of its compliance with Regulation SCI not less than once
each calendar year, and submit a report of the SCI review to its senior
management for review no more than 30 calendar days after completion of
such SCI review. The Commission preliminarily estimates that the
initial and ongoing burden of conducting an SCI review and submitting
the SCI review to senior management of the SCI entity for review would
be approximately 625 hours for each respondent \437\ and 27,500 hours
annually for all respondents.\438\
---------------------------------------------------------------------------
\437\ This estimate is the Commission's preliminary best
estimate and is based on Commission staff's experience with SCI
entities participating in the ARP Inspection Program. This estimate
also is the same as the Commission's burden estimate for internal
audits of SB SEFs. See SB SEF Proposing Release, supra note 297, at
11028. Proposed Rule 822 in the SB SEF Proposing Release would
require an SB SEF to submit to the Commission an annual objective
review of the capability of its systems that support or are
integrally related to the performance of its activities, provided
that if a review is performed internally, an external firm shall
report on the objectivity, competency, and work performance with
respect to the internal review. The Commission recognizes that the
annual review requirement proposed for SB SEFs is different, in
certain respects, from the requirement under proposed Rule
1000(b)(7). Specifically, the scopes of the reviews are different
because proposed Rule 1000(b)(7) would require an SCI review of an
SCI entity's compliance with proposed Regulation SCI. Further,
proposed Rule 1000(b)(7) would not require an external review of an
internal SCI review. Nevertheless, the Commission preliminarily
believes that these differences should not result in differences in
the burden estimate for these similar internal audits.
\438\ (Attorney at 80 hours + Manager Internal Auditor at 170
hours + Senior Systems Analyst at 375 hours) x (44 potential
respondents) = 27,500 burden hours.
---------------------------------------------------------------------------
e. Reports Required by Proposed Rule 1000(b)(8)
Proposed Rule 1000(b)(8) would require each SCI entity to submit
certain reports to the Commission. The burden estimates to comply with
proposed Rule 1000(b)(8) include the burdens associated with submission
of Form SCI in accordance with the instructions thereto.
Pursuant to proposed Rule 1000(b)(8)(i), each SCI entity would be
required to submit to the Commission, as an attachment to Form SCI, a
report of the SCI review required by proposed Rule 1000(b)(7), together
with any response by senior management of the SCI entity, within 60
calendar days after its submission to senior management of the SCI
entity. The Commission estimates that each SCI entity would require 1
hour to submit the SCI review using Form SCI, for a total annual
initial and ongoing burden of 44 hours for all respondents.\439\
---------------------------------------------------------------------------
\439\ (Attorney at 1 hour for each submission) x (1 submission
per year) = 1 burden hour. (1 burden hour) x (44 potential
respondents) = 44 burden hours.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(8)(ii) would require each SCI entity to
submit, using Form SCI, a report within 30 calendar days after the end
of June and December of each year, containing a summary description of
the progress of any material systems changes during the six-month
period ending on June 30 or December 31, as the case may be, and the
date, or expected date, of completion of their implementation.
[[Page 18152]]
The Commission preliminarily estimates that the initial and ongoing
burden to comply with proposed Rule 1000(b)(8)(ii) would be
approximately 60 hours per respondent per report or 120 hours
annually,\440\ and 5,280 hours annually for all respondents.\441\
---------------------------------------------------------------------------
\440\ The Commission notes that SCI entities currently do not
submit to the Commission written semi-annual notifications of
material systems changes. This estimate is based on Commission
staff's experience with various entities through the ARP Inspection
Program.
\441\ (Attorney at 10 hours for each report + Senior Systems
Analyst at 50 hours for each report) x (2 reports per year) = 120
burden hours. (120 burden hours) x (43 potential respondents) =
5,280 burden hours. The Commission preliminarily believes that SCI
entities would handle internally the work associated with the
reporting requirement of proposed Rule 1000(b)(8)(ii). But see infra
Section IV.D.6, requesting comment on whether some SCI entities,
particularly those that do not currently participate in the ARP
Inspection Program, would seek to outsource this work and what the
cost to outsource this work would be.
---------------------------------------------------------------------------
3. Requirements To Take Corrective Actions, Identify Immediate
Notification SCI Events, and Identify Dissemination SCI Events
The proposed rules that could result in SCI entities establishing
additional processes for compliance with proposed Regulation SCI are
discussed more fully in Section III.C above.
a. Requirement To Take Corrective Actions
Proposed Rule 1000(b)(3) would require an SCI entity, upon any
responsible SCI personnel becoming aware of an SCI event, to begin to
take corrective action which shall include, at a minimum, mitigating
potential harm to investors and market integrity resulting from the SCI
event and devoting adequate resources to remedy the SCI event as soon
as reasonably practicable. Based on its experience with the ARP
Inspection Program, the Commission believes that entities that
participate in the ARP Inspection Program already take corrective
actions in response to a systems issue, and believes that other SCI
entities also take corrective actions in response to a systems issue.
Nevertheless, the Commission preliminarily believes that proposed Rule
1000(b)(3) would likely result in SCI entities revising their policies
in this regard, which would help to ensure that their information
technology staff has the ability to access systems in order to take
appropriate corrective actions. As such, proposed Rule 1000(b)(3) may
impose a one-time implementation burden on SCI entities associated with
developing a process for ensuring that they are prepared for the
corrective action requirement. Proposed Rule 1000(b)(3) also may impose
periodic burdens on SCI entities in reviewing that process. The
Commission preliminarily estimates that the initial burden to implement
such a process would be 42 hours per SCI entity \442\ or 1,848 hours
for all SCI entities.\443\ The Commission also preliminarily estimates
that the ongoing burden to review such a process would be 12 hours
annually per SCI entity \444\ or 528 hours annually for all SCI
entities.\445\
---------------------------------------------------------------------------
\442\ This estimate is based on the Commission's burden estimate
for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1)
and proposed Rule 1000(b)(3) would result in certain policies and
procedures or processes. Because proposed Rule 1000(b)(1) (except
for policies and procedures for standards that result in such
systems being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data) would require the
establishment of five policies and procedures at a minimum, the
Commission preliminarily estimates that the initial burden to
establish the process to comply with proposed Rule 1000(b)(3) would
be one-fifth of the initial burden to comply with proposed Rule
1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested,
maintained, operated, and surveilled in a manner that facilitates
the successful collection, processing, and dissemination of market
data), or 42 hours (210 hours / 5). Further, the Commission
preliminarily estimates that the hourly breakdown between different
staff of the SCI entity would be in the same ratio as the
Commission's estimate for proposed Rule 1000(b)(1) (except for
policies and procedures for standards that result in such systems
being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data)--Compliance Manager at
16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours,
and Operations Specialist at 5 hours. These estimates reflect the
Commission's preliminary view that SCI entities would establish the
process for compliance with proposed Rule 1000(b)(3) internally. But
see infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
\443\ (42 hours) x (44 potential respondents) = 1,848 burden
hours.
\444\ This estimate is based on the Commission's burden estimate
for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1)
and proposed Rule 1000(b)(3) would result in certain policies and
procedures or processes. Because proposed Rule 1000(b)(1) (except
for policies and procedures for standards that result in such
systems being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data) would require the
establishment and review of five policies and procedures at a
minimum, the Commission preliminarily estimates that the ongoing
burden to review the process to comply with proposed Rule 1000(b)(3)
would be one-fifth of the ongoing burden to comply with proposed
Rule 1000(b)(1) (except for policies and procedures for Standards
that result in such systems being designed, developed, tested,
maintained, operated, and surveilled in a manner that facilitates
the successful collection, processing, and dissemination of market
data), or 12 hours (60 hours / 5). Further, the Commission
preliminarily estimates that the hourly breakdown between different
staff of the SCI entity would be in the same ratio as the
Commission's estimate for proposed Rule 1000(b)(1) (except for
policies and procedures for standards that result in such systems
being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data)--Compliance Manager at
6 hours and Attorney at 6 hours. These estimates reflect the
Commission's preliminary view that SCI entities would review the
process for compliance with proposed Rule 1000(b)(3) internally. But
see infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
\445\ (12 hours) x (44 potential respondents) = 528 burden
hours.
---------------------------------------------------------------------------
b. Requirements To Identify Immediate Notification SCI Events and
Dissemination SCI Events
Proposed Rule 1000(a) would define a ``dissemination SCI event'' to
mean an SCI event that is a: (1) Systems compliance issue; (2) systems
intrusion; or (3) systems disruption that results, or the SCI entity
reasonably estimates would result, in significant harm or loss to
market participants.
When an SCI event occurs, an SCI entity would need to determine
whether the event is an immediate notification SCI event or a
dissemination SCI event, because the proposed rules would impose
different obligations on SCI entities for these types of SCI events. As
such, immediate notification SCI events and dissemination SCI events
may impose an initial one-time implementation burden on SCI entities in
developing a process to ensure that they are able to quickly and
correctly make a determination regarding whether the SCI event is
subject to proposed Rule 1000(b)(4)(i) or (b)(5). The definition may
also impose periodic burdens on SCI entities in reviewing that process.
[[Page 18153]]
Because the ARP Inspection Program already provides for the
reporting of ``significant system changes'' and ``significant system
outages'' to Commission staff,\446\ the Commission believes that, as
compared to entities that do not participate in the ARP Inspection
Program, entities that currently participate in the ARP Inspection
Program would already have internal processes for determining the
significance of a systems issue.\447\ Therefore, the Commission
preliminarily estimates that the proposed definition would impose half
as much burden on entities that participate in the ARP Inspection
Program as compared to entities that do not participate in the ARP
Inspection Program.
---------------------------------------------------------------------------
\446\ See supra notes 33 and 35 and accompanying text.
\447\ The Commission recognizes that ``significant system
changes'' and ``significant system outages'' differ from the
proposed definitions of ``immediate notification SCI event'' and
``dissemination SCI event.''
---------------------------------------------------------------------------
For SCI entities that currently do not participate in the ARP
Inspection Program, the Commission preliminarily believes that the
initial burden would be 42 hours per entity \448\ or 630 hours for all
such entities.\449\ For entities that currently participate in the ARP
Inspection Program, the Commission preliminarily believes that the
initial burden would be 21 hours \450\ per entity or 609 hours for all
such entities.\451\ For SCI entities that currently do not participate
in the ARP Inspection Program, the Commission preliminarily believes
that ongoing burden would be 12 hours annually per entity \452\ or 180
hours for all such entities.\453\ For SCI entities that currently
participate in the ARP Inspection Program, the Commission preliminarily
believes that ongoing burden would be 6 hours annually \454\ per entity
or 174 hours for all such entities.\455\
---------------------------------------------------------------------------
\448\ This estimate is based on the Commission's burden estimate
for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the
proposed definition of ``immediate notification SCI event,'' and the
definition of ``dissemination SCI event'' would result in certain
policies and procedures or processes. Because proposed Rule
1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested,
maintained, operated, and surveilled in a manner that facilitates
the successful collection, processing, and dissemination of market
data) would require the establishment of five policies and
procedures at a minimum, the Commission preliminarily estimates that
the initial burden to establish the process regarding the SCI event
determinations would be one-fifth of the initial burden to comply
with proposed Rule 1000(b)(1) (except for policies and procedures
for standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination
of market data), or 42 hours (210 hours / 5). Further, the
Commission preliminarily estimates that the hourly breakdown between
different staff of the SCI entity would be in the same ratio as the
Commission's estimate for proposed Rule 1000(b)(1) (except for
policies and procedures for standards that result in such systems
being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data)--Compliance Manager at
16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours,
and Operations Specialist at 5 hours. These estimates reflect the
Commission's preliminary view that SCI entities would internally
establish the process for determining whether an SCI event is an
immediate notification SCI event or dissemination SCI event. But see
infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
\449\ (42 hours) x (15 potential respondents) = 630 burden
hours.
\450\ 42 burden hours x 50% = 21 burden hours. These estimates
reflect the Commission's preliminary view that SCI entities would
internally establish the process for determining whether an SCI
event is an immediate notification SCI event or dissemination SCI
event. But see infra Section IV.D.6, requesting comment on whether
some SCI entities, particularly those that do not currently
participate in the ARP Inspection Program, would seek to outsource
this work and what the cost to outsource this work would be.
\451\ (21 burden hours) x (29 potential respondents) = 609
burden hours.
\452\ This estimate is based on the Commission's burden estimate
for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the
proposed definition of ``immediate notification SCI event,'' and the
proposed definition of ``dissemination SCI event'' would result in
certain policies and procedures or processes. Because proposed Rule
1000(b)(1) (except for policies and procedures for standards that
result in such systems being designed, developed, tested,
maintained, operated, and surveilled in a manner that facilitates
the successful collection, processing, and dissemination of market
data) would require the establishment and maintenance of five
policies and procedures at a minimum, the Commission preliminarily
estimates that the ongoing burden to review the process regarding
the SCI event determinations would be one-fifth of the ongoing
burden to comply with proposed Rule 1000(b)(1) (except for policies
and procedures for standards that result in such systems being
designed, developed, tested, maintained, operated, and surveilled in
a manner that facilitates the successful collection, processing, and
dissemination of market data), or 12 hours (60 hours / 5). Further,
the Commission preliminarily estimates that the hourly breakdown
between different staff of the SCI entity would be in the same ratio
as the Commission's estimate for proposed Rule 1000(b)(1) (except
for policies and procedures for standards that result in such
systems being designed, developed, tested, maintained, operated, and
surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data)--Compliance Manager at
6 hours and Attorney at 6 hours. These estimates reflect the
Commission's preliminary view that SCI entities would internally
review the process for determining whether an SCI event is an
immediate notification SCI event or dissemination SCI event. But see
infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
\453\ (12 burden hours) x (15 potential respondents) = 180
burden hours.
\454\ 12 burden hours x 50% = 6 burden hours. These estimates
reflect the Commission's preliminary view that SCI entities would
internally review the process for determining whether an SCI event
is an immediate notification SCI event or dissemination SCI event.
But see infra Section IV.D.6, requesting comment on whether some SCI
entities, particularly those that do not currently participate in
the ARP Inspection Program, would seek to outsource this work and
what the cost to outsource this work would be.
\455\ (6 burden hours) x (29 potential respondents) = 174 burden
hours.
---------------------------------------------------------------------------
4. Recordkeeping Requirements
As more fully discussed in Section III.D above, proposed Rule
1000(c) would specifically require SCI entities other than SCI SROs to
make, keep, and preserve at least one copy of all documents relating to
its compliance with proposed Regulation SCI. The Commission is not
proposing a new recordkeeping requirement for SCI SROs because the
documents relating to compliance with proposed Regulation SCI are
subject to their existing recordkeeping and retention requirements
under Rule 17a-1 under the Exchange Act.\456\ Because Rule 17a-1 under
the Exchange Act requires every SRO to keep on file for a period of not
less than 5 years, the first 2 years in an easily accessible place, at
least one copy of all documents that it makes or receives respecting
its self-regulatory activities, and that all such documents be made
available for examination by the Commission and its representatives,
the Commission believes that proposed Rule 1000(c) would not result in
any burden that is not already accounted for in the Commission's burden
estimates for Rule 17a-1.
---------------------------------------------------------------------------
\456\ See 17 CFR 240.17a-1.
---------------------------------------------------------------------------
For SCI entities other than SCI SROs, Regulation SCI-related
records would be required to be kept for a period of not less than five
years, the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination.\457\
Upon the request of any representative of the Commission, an SCI entity
would be required to promptly furnish to the possession of such
representative copies of any documents required to be kept and
preserved by it pursuant to proposed Rule 1000(c).
---------------------------------------------------------------------------
\457\ Under the proposal, upon or immediately prior to ceasing
to do business or ceasing to be registered under the Exchange Act,
an SCI entity would be required to take all necessary action to
ensure that the records required to be made, kept, and preserved by
Rule 1000(c) would be accessible to the Commission and its
representatives in the manner required and for the remainder of the
period required by proposed Rule 1000(c). See proposed Rule
1000(c)(3).
---------------------------------------------------------------------------
[[Page 18154]]
For SCI entities other than SCI SROs, the Commission preliminarily
estimates that the initial and ongoing burden to make, keep, and
preserve records relating to compliance with proposed Regulation SCI
would be approximately 25 hours annually per respondent \458\ for a
total annual burden of 450 hours for all respondents.\459\ In addition,
the Commission estimates that each SCI entity other than an SCI SRO
would incur a one-time burden to set up or modify an existing
recordkeeping system to comply with proposed Rule 1000(c).
Specifically, the Commission estimates that, for each SCI entity other
than an SCI SRO, setting up or modifying a recordkeeping system would
create an initial burden of 170 hours and $900 in information
technology costs for purchasing recordkeeping software,\460\ for a
total initial burden of 3,060 hours \461\ and a total initial cost of
$16,200.\462\
---------------------------------------------------------------------------
\458\ This estimate is based on the Commission's experience with
examinations of registered entities, the Commission's estimated
burden for an SRO to comply with Rule 17a-1, and the Commission's
estimated burden for a SB SEF to keep and preserve documents made or
received in the conduct of its business. Specifically, the
Commission estimated 50 burden hours per respondent per year in
connection with Rule 17a-1 and proposed Rule 818(a) and (b) in the
SB SEF Proposing Release. See 2010 Extension of Rule 17a-1
Supporting Statement, Office of Management and Budget, available at:
http://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201007-3235-003
and SB SEF Proposing Release, supra note 297, at 11029. Because the
recordkeeping requirements under Rule 17a-1 and under proposed Rule
818(a) and (b) are broader than the recordkeeping requirement under
proposed Rule 1000(c), the Commission preliminarily believes that an
estimate of 25 burden hours per year per SCI entity is appropriate.
Further, the Commission notes that this burden estimate includes the
burden imposed by proposed Rule 1000(e). Specifically, proposed Rule
1000(e) would provide that, if the records required to be filed or
kept by an SCI entity under proposed Regulation SCI are prepared or
maintained by a service bureau or other recordkeeping service on
behalf of the SCI entity, the SCI entity would be required to ensure
that the records are available for review by the Commission and its
representatives by submitting a written undertaking, in a form
acceptable to the Commission, by such service bureau or other
recordkeeping service, which is signed by a duly authorized person
at such service bureau or other recordkeeping service.
\459\ (Compliance Clerk at 25 hours) x (18 potential
respondents) = 450 burden hours.
\460\ This estimate is based on the Commission's experience with
examinations of registered entities and the Commission's estimated
burden for an SB SEF to keep and preserve documents made or received
in the conduct of its business. Specifically, the Commission
estimated that setting up or modifying a recordkeeping system under
proposed Rule 818 would create an initial burden of 345 hours and
$1,800 in information technology costs per respondent. See SB SEF
Proposing Release, supra note 297, at 11030. Because the
recordkeeping requirements under proposed Rule 818 are broader than
the recordkeeping requirement under proposed Rule 1000(c), the
Commission preliminarily believes that the estimates of 170 initial
burden hours and $900 in initial cost are appropriate.
\461\ (170 burden hours) x (18 potential respondents) = 3,060
burden hours.
\462\ ($900) x (18 potential respondents) = $16,200.
---------------------------------------------------------------------------
The Commission preliminarily believes that proposed Rule
1000(c)(3), which would require an SCI entity, upon or immediately
prior to ceasing to do business or ceasing to be registered under the
Exchange Act, to take all necessary action to ensure that the records
required to be made, kept, and preserved by Rule 1000(c)(1) and Rule
1000(c)(2) remain accessible to the Commission and its representatives in
the manner and for the remainder of the period required by Rule
1000(c), would not result in any additional paperwork burden that is
not already accounted for in the Commission's burden estimates for
proposed Rule 1000(c)(1) and Rule 1000(c)(2).
6. Request for Comment on Extent and Cost of Outsourcing
209. The Commission's estimates of the hourly burdens discussed
above reflect the Commission's preliminary view that SCI entities would
conduct the work proposed to be required by proposed Rules 1000(a),
1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6),
1000(b)(7), 1000(b)(8), and 1000(b)(9) internally. The Commission
acknowledges, however, that some SCI entities, particularly smaller SCI
entities, and/or SCI entities that do not currently participate in the
ARP Inspection Program, may elect to outsource the work if it would be
more cost effective to do so. The Commission does not at this time have
sufficient information to reasonably estimate the cost to outsource the
work proposed to be required by proposed Rules 1000(a), 1000(b)(1),
1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7),
1000(b)(8), and 1000(b)(9), or the number of entities that would choose
to outsource this work, for purposes of the PRA. The Commission seeks
comment, however, on its preliminary view that SCI entities would
conduct such work internally. Further, the Commission seeks comment on
whether some SCI entities would in fact find it more cost effective to
outsource the work that would be required to comply with the proposed
rules, and if so, how many of these SCI entities would therefore
outsource this work and at what cost.
For purposes of facilitating such comment, presented below are
certain preliminary assumptions and calculations regarding such
potential outsourcing on which the Commission requests comment.
Specifically, for purposes of soliciting comment, the Commission is
assuming that it would take the same number of hours for a consultant
and/or outside attorney to complete the work to be required by proposed
Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4),
1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), as it
would take for an SCI entity to complete that work internally (using
the Commission's preliminary estimates above). Further, the Commission
is assuming that work would be conducted at a rate of $400 per
hour.\463\
---------------------------------------------------------------------------
\463\ This is based on an estimated $400 per hour cost for
outside consulting and/or legal services. This is the same estimate
used for the Commission's consolidated audit trail rule. See
Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR
45722 (August 1, 2012).
---------------------------------------------------------------------------
Based on the foregoing assumptions, the estimated cost to outsource
the work that the Commission preliminarily assumed would be done
internally would be as follows:
For identification of immediate notification SCI events and
dissemination SCI events: The initial cost would be (a) for an SCI
entity that has not participated in the ARP Inspection Program,
$16,800; \464\ and (b) for an SCI entity that currently participates in
the ARP Inspection Program, $8,400.\465\ The ongoing annual cost would
be (a) for an SCI entity that has not participated in the ARP
Inspection Program, $4,800; \466\ and (b) for an SCI entity that
currently participates in the ARP Inspection Program, $2,400.\467\
---------------------------------------------------------------------------
\464\ 42 hours x $400 = $16,800.
\465\ 21 hours x $400 = $8,400.
\466\ 12 hours x $400 = $4,800.
\467\ 6 hours x $400 = $2,400.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(1) except proposed Rule 1000(b)(1)(i)(F):
The initial cost would be (a) for an SCI entity that has not
participated in the ARP Inspection Program, $84,000; \468\ and (b) for
an SCI entity that currently participates in the ARP Inspection
Program, $42,000.\469\ The ongoing annual costs would be (a) for an SCI
entity that has not participated in the ARP Inspection Program,
$24,000; \470\ and (b) for an SCI entity that currently participates in
the ARP Inspection Program, $12,000.\471\
---------------------------------------------------------------------------
\468\ 210 hours x $400 = $84,000.
\469\ 105 hours x $400 = $42,000.
\470\ 60 hours x $400 = $24,000.
\471\ 30 hours x $400 = $12,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(1)(i)(F): The initial cost for each SCI
entity would be $52,000.\472\ The ongoing
[[Page 18155]]
annual cost for each SCI entity would be $52,000.\473\
---------------------------------------------------------------------------
\472\ 130 hours x $400 = $52,000.
\473\ 130 hours x $400 = $52,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(2): The initial cost for each SCI entity
would be $72,000.\474\ The ongoing annual cost would be (a) for an SCI
entity that is an SCI SRO, $48,000; \475\ and (b) for an SCI entity
that is not an SCI SRO, $24,000.\476\
---------------------------------------------------------------------------
\474\ 180 hours x $400 = $72,000.
\475\ 120 hours x $400 = $48,000.
\476\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(3): The initial cost for each SCI entity
would be $16,800.\477\ The ongoing annual cost for each SCI entity
would be $4,800.\478\
---------------------------------------------------------------------------
\477\ 42 hours x $400 = $16,800.
\478\ 12 hours x $400 = $4,800.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(4): The initial and the ongoing annual
cost for each SCI entity would be (a) for proposed Rule 1000(b)(4)(i),
$2,000; \479\ (b) for proposed Rule 1000(b)(4)(ii), $520,000; \480\ and
(c) for proposed Rule 1000(b)(4)(iii), $6,000.\481\
---------------------------------------------------------------------------
\479\ 5 hours x $400 = $2,000.
\480\ 1,300 hours x $400 = $520,000.
\481\ 15 hours x $400 = $6,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(5): The initial and the ongoing annual
cost for each SCI entity would be (a) for proposed Rule
1000(b)(5)(i)(A), $16,800; \482\ (b) for proposed Rule
1000(b)(5)(i)(B), $28,000; \483\ (c) for proposed Rule
1000(b)(5)(i)(C), $5,600; \484\ and (d) for proposed Rule
1000(b)(5)(ii), $1,200.\485\
---------------------------------------------------------------------------
\482\ 42 hours x $400 = $16,800.
\483\ 70 hours x $400 = $28,000.
\484\ 14 hours x $400 = $5,600.
\485\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(6): The initial and ongoing annual cost
would be (a) for SCI entities that do not currently participate in the
ARP Inspection Program, $48,000; \486\ and (b) for SCI entities that
currently participate in the ARP Inspection Program, $24,000.\487\
---------------------------------------------------------------------------
\486\ 120 hours x $400 = $48,000.
\487\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(7): The initial and ongoing annual cost
would be $250,000 for each SCI entity.\488\
---------------------------------------------------------------------------
\488\ 625 hours x $400 = $250,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(8): The initial and ongoing annual cost
for each SCI entity would be (a) for proposed Rule 1000(b)(8)(i), $400;
\489\ and (b) for proposed Rule 1000(b)(8)(ii), $48,000 for each SCI
entity.\490\
---------------------------------------------------------------------------
\489\ 1 hour x $400 = $400.
\490\ 120 hours x $400 = $48,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(9)(i) and (ii): The initial annual cost
would be $52,000 for each SCI entity.\491\ The ongoing annual cost
would be $38,000 for each SCI entity.\492\
---------------------------------------------------------------------------
\491\ 130 hours x $400 = $52,000.
\492\ 95 hours x $400 = $38,000.
---------------------------------------------------------------------------
For proposed Rule 1000(b)(9)(iii): The initial annual cost would be
$14,000 for each SCI entity.\493\ The ongoing annual cost would be
$1,200 for each SCI entity.\494\
---------------------------------------------------------------------------
\493\ 35 hours x $400 = $14,000.
\494\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------
210. As discussed above, the Commission requests comment on these
preliminary estimates regarding potential outsourcing and the
underlying assumptions. For example, is it reasonable to assume that
the number of hours for a consultant and/or outside attorney to
complete the work would be the same as the number of hours for internal
staff to complete the work? If not, why not? Are there certain types of
SCI entities (e.g., those having relatively few employees or a smaller
number of systems) that would be more likely to find it cost effective
to outsource the work, either initially or on an ongoing basis? Please
explain. Would the cost to outsource vary depending on the extent and
volume of the outsourcing, or the period of time over which such
outsourcing took place? Please explain.
7. Total Paperwork Burden Under Regulation SCI
Based on the foregoing, the Commission preliminarily estimates that
the total one-time initial burden for all SCI entities to comply with
Regulation SCI would be 133,482 hours \495\ and the total one-time
initial cost would be $2.6 million.\496\ The Commission preliminarily
estimates that the total annual ongoing burden for all SCI entities to
comply with Regulation SCI would be 117,258 hours \497\ and the total
annual ongoing cost would be $738,400.\498\
---------------------------------------------------------------------------
\495\ 133,482 hours = 26,765 (policies and procedures/mandatory
testing requirements) + 100,120 (notification, dissemination, and
reporting) + 3,087 (requirements to take corrective actions,
identify immediate notification SCI events, and identify
dissemination SCI events) + 3,510 (recordkeeping).
\496\ $2.6 million = $1.9 million (policies and procedures/
mandatory testing requirements) + $660,000 (notification,
dissemination, and reporting) + $16,200 (recordkeeping).
\497\ 117,258 hours = 15,806 (policies and procedures/mandatory
testing requirements) + 100,120 (notification, dissemination, and
reporting) + 882 (requirements to take corrective actions, identify
immediate notification SCI events, and identify dissemination SCI
events) + 450 (recordkeeping).
\498\ $738,400 = $78,400 (policies and procedures/mandatory
testing requirements) + $660,000 (notification, dissemination, and
reporting).
---------------------------------------------------------------------------
211. The Commission seeks comment on the collection of information
burdens associated with proposed Regulation SCI. Specifically:
212. Do commenters agree with the Commission's estimate of the
number of respondents required to comply with proposed Regulation SCI?
Why or why not?
213. Do commenters agree with the Commission's estimate of the
burden for SCI entities to comply with proposed Regulation SCI? Why or
why not?
214. Would there be additional burdens, beyond those described
here, associated with the collection of information under proposed
Regulation SCI? Please explain.
215. How much additional burden would proposed Regulation SCI
impose upon those SCI entities that already are voluntarily in
compliance with existing ARP Policy Statements?
216. Would SCI entities generally perform the work required by
proposed Regulation SCI internally or outsource the work?
E. Collection of Information Is Mandatory
All collections of information pursuant to the proposed rules would
be a mandatory collection of information.
F. Confidentiality
To the extent that the Commission receives confidential information
pursuant to the reports and submissions that SCI entities would submit
under proposed Form SCI, such information would be kept confidential,
subject to the provisions of applicable law.\499\
---------------------------------------------------------------------------
\499\ See, e.g., 5 U.S.C. 552. Exemption 4 of the Freedom of
Information Act provides an exemption for ``trade secrets and
commercial or financial information obtained from a person and
privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the
Freedom of Information Act provides an exemption for matters that
are ``contained in or related to examination, operating, or
condition reports prepared by, on behalf of, or for the use of an
agency responsible for the regulation or supervision of financial
institutions.'' 5 U.S.C. 552(b)(8).
---------------------------------------------------------------------------
G. Retention Period of Recordkeeping Requirements
SCI entities would be required to retain records and information
under proposed Regulation SCI for a period of not less than five years,
the first two years in a place that is readily accessible to the
Commission or its representatives.\500\
---------------------------------------------------------------------------
\500\ See proposed Rule 1000(c).
---------------------------------------------------------------------------
H. Request for Comments
217. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits
comment to: (1) Evaluate whether the proposed collection of information
is necessary for the proper performance of
[[Page 18156]]
the functions of the agency, including whether the information shall
have practical utility; (2) evaluate the accuracy of the agency's
estimate of the burden of the proposed collection of information; (3)
enhance the quality, utility, and clarity of the information to be
collected; and (4) minimize the burden of collection of information on
those who are to respond, including through the use of automated
collection techniques or other forms of information technology.
Persons wishing to submit comments on the collection of information
requirements should direct them to the Office of Management and Budget,
Attention: Desk Officer for the Securities and Exchange Commission,
Office of Information and Regulatory Affairs, Room 3208, New Executive
Office Building, Washington, DC 20503; and should send a copy to
Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100
F Street NE., Washington, DC 20549-1090 with reference to File No. S7-
01-13. OMB is required to make a decision concerning the collection of
information between 30 and 60 days after publication, so a comment to
OMB is best assured of having its full effect if OMB receives it within
30 calendar days of publication. The Commission will submit the
proposed collection of information to OMB for approval. Requests for
the materials to be submitted to OMB by the Commission with regard to
this collection of information should be in writing, refer to File No.
S7-01-13, and be submitted to the Securities and Exchange Commission,
Office of Investor Education and Advocacy, 100 F Street NE.,
Washington, DC 20549-0213.
I. Reduced Burdens From Proposed Repeal of Rule 301(b)(6) (OMB Control
Number 3235-0509)
The instant proposal also would amend Regulation ATS under the
Exchange Act, by removing paragraph (b)(6) of Rule 301 thereunder.\501\
Removal of Rule 301(b)(6) would eliminate certain ``collection of
information'' requirements within the meaning of the PRA that the
Commission has submitted to OMB in accordance with 44 U.S.C. 3507 and 5
CFR 1320.11, and that OMB has approved. The approved collection of
information is titled ``Rule 301: Requirements for Alternative Trading
Systems,'' and has a valid OMB control number of 3235-0509.\502\ Some
of the information collection burdens imposed by Regulation ATS would
be reduced by the proposed repeal of Rule 301(b)(6). Specifically, the
paperwork burdens that would be eliminated by the repeal of Rule
301(b)(6) would be: (i) Burdens on ATSs associated with the requirement
to make records relating to any steps taken to comply with systems
capacity, integrity and security requirements under Rule 301 (estimated
to be 20 hours and $2,212); \503\ and (ii) burdens on ATSs associated
with the requirement to provide notices to the Commission to report
systems outages (estimated to be 2.5 hours and $276.50).\504\
---------------------------------------------------------------------------
\501\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22,
1998) (``ATS Release'').
\502\ See Rule 301: Requirements for Alternative Trading Systems
OMB Control No: 3235-0509 (Rule 301 supporting statement), available
at: http://www.reginfo.gov. This approval has an expiration date of
February 28, 2014.
\503\ The Commission estimated that two alternative trading
systems that register as broker-dealers and comply with Regulation
ATS would trigger this requirement, and that the average compliance
burden for each response would be 10 hours of in-house professional
work at $316 per hour. Thus, the total compliance burden per year
was estimated to be 20 hours (2 respondents x 10 hours = 20 hours).
The total annualized cost burden was estimated to be $2,212 ($316 x
20 hours x 35% = $2,212). See Rule 301: Requirements for Alternative
Trading Systems OMB Control No: 3235-0509 (Rule 301 supporting
statement), available at: http://www.reginfo.gov.
\504\ The Commission estimated that two alternative trading
systems that register as broker-dealers and comply with Regulation
ATS would meet the volume thresholds that trigger systems outage
notice obligations approximately 5 times a year, and that the
average compliance burden for each response would be .25 hours of
in-house professional work at $316 per hour. Thus, the total
compliance burden per year was estimated to be 2.5 hours (2
respondents x 5 responses each x .25 hours = 2.5 hours). The total
annualized cost burden was estimated to be $276.50 ($316 x .25 hours
per response x 10 responses x 35% = $276.50). See id.
---------------------------------------------------------------------------
The Commission will submit the proposed amended collection of
information to reflect these reductions to OMB for approval. Requests
for the materials to be submitted to OMB by the Commission with regard
to this collection of information should be in writing, refer to File
No. S7-01-13, and be submitted to the Securities and Exchange
Commission, Office of Investor Education and Advocacy, 100 F Street
NE., Washington, DC 20549-0213.
V. Economic Analysis
A. Background
As discussed more fully above, the Commission believes that the
convergence of several developments--the evolution of the markets to
become significantly more dependent upon sophisticated automated
systems (driven by regulatory developments and the continual evolution
of technologies for generating, routing, and executing orders), the
limitations of the existing ARP Inspection Program, and the lessons of
recent events (as discussed in Section I.D above)--highlight the need
to consider an updated and formalized regulatory framework for ensuring
that the U.S. securities trading markets develop and maintain systems
with adequate capacity, integrity, resiliency, availability, and
security, and reinforce the requirement that SCI systems operate in
compliance with the Exchange Act. The Commission is also cognizant of
the comments made at the Roundtable and the comment letters submitted
in connection with the Roundtable.\505\ Proposed Regulation SCI would
codify and enhance the Commission's ARP Inspection Program, as well as
establish specific requirements to help ensure that the SCI systems of
SCI entities operate in compliance with the federal securities laws and
rules.
---------------------------------------------------------------------------
\505\ See supra Section I.D.
---------------------------------------------------------------------------
Specifically, proposed Regulation SCI would require each SCI entity
to establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems and, for purposes of
security standards, SCI security systems, have levels of capacity,
integrity, resiliency, availability, and security, adequate to maintain
the SCI entity's operational capability and promote the maintenance of
fair and orderly markets, as well as written policies and procedures
reasonably designed to ensure that its SCI systems operate in the
manner intended, including in a manner in compliance with the federal
securities laws and rules, and its own rules or governing documents, as
applicable. Proposed Regulation SCI also would require SCI entities to
provide certain notices and reports to the Commission on Form SCI
regarding, among other things, SCI events and material systems changes.
Further, proposed Regulation SCI would require SCI entities to
disseminate information to members or participants relating to
dissemination SCI events and to begin taking appropriate corrective
action upon any responsible SCI personnel becoming aware of an SCI
event. Additionally, proposed Regulation SCI would require each SCI
entity to conduct an SCI review at least annually, and submit a report
of such review to the Commission, together with any response by senior
management. Further, proposed Regulation SCI would require an SCI
entity, with respect to its business continuity and disaster
[[Page 18157]]
recovery plans, to require participation by designated members or
participants in scheduled functional and performance testing of the
operation of such plans and coordinate such testing with other SCI
entities. Proposed Regulation SCI would also require SCI entities to
make, keep, and preserve books and records related to compliance with
Regulation SCI.
The Commission is sensitive to the economic effects of proposed
Regulation SCI, including its costs and benefits.\506\ As discussed
further below, the Commission requests comment on all aspects of the
costs and benefits of the proposal, including any effects the proposed
rules may have on efficiency, competition, and capital formation.
---------------------------------------------------------------------------
\506\ See also supra Section III.F (requesting comment on
applying proposed Regulation SCI to SB SDRs and/or SB SEFs and
discussing the potential costs and benefits of applying proposed
Regulation SCI to SB SDRs and/or SB SEFs).
---------------------------------------------------------------------------
B. Economic Baseline
As noted in Section I.A above, all registered national securities
exchanges, all active registered clearing agencies, FINRA, two plan
processors, one ATS, and one exempt clearing agency participate in the
current ARP Inspection Program, which covers their automated
systems.\507\ Under the ARP policy statements and through the ARP
Inspection Program, these entities, among other things, are expected to
establish current and future capacity estimates, conduct capacity
stress tests, conduct annual reviews of whether affected systems can
perform adequately in light of estimated capacity levels, and identify
possible threats to the systems.\508\ The ARP policy statements and
Commission staff letters address, among other things, independent
reviews, the reporting of certain systems changes, intrusions, and
outages, and the need to comply with relevant laws and rules.\509\
---------------------------------------------------------------------------
\507\ As noted above, the Commission, in the ARP I Release,
defined the term ``automated systems'' to refer ``collectively to
computer systems for listed and OTC equities, as well as options,
that electronically route orders to applicable market makers and
systems that electronically route and execute orders, including the
data networks that feed the systems * * * [and encompasses] systems
that disseminate transaction and quotation information and conduct
trade comparisons prior to settlement, including the associated
communication networks.'' See supra note 12.
\508\ A more complete description of the history of the ARP
Inspection Program is discussed in supra Section I.A.
\509\ The ARP policy statements and Commission staff letters are
discussed in supra Section I.A.
---------------------------------------------------------------------------
Trading volume in the securities markets has become increasingly
dispersed across a broader range of market centers in recent
years,\510\ with ATSs accounting for a significant portion of
volume.\511\ However, no ATSs currently meet or exceed the volume
thresholds that would trigger compliance with the system safeguard
requirements of Rule 301(b)(6) of Regulation ATS.\512\ Thus, while ATSs
comprise a significant portion of consolidated volume, only one ATS
currently participates in the ARP Inspection Program.\513\ Dark pools
alone comprised approximately 13 percent of consolidated volume last
spring,\514\ but also are not part of the ARP Inspection Program.
Further, ATSs that trade fixed income securities, including municipal
and corporate debt securities, and non-NMS stocks (also referred to as
OTC equities) are not represented in the ARP Inspection Program and do
not meet the current thresholds in Regulation ATS for the application
of systems safeguard rules.
---------------------------------------------------------------------------
\510\ See supra notes 44, 47, and 51.
\511\ See supra note 50 and accompanying text.
\512\ See supra Section III.B.1.
\513\ See supra note 25 and accompanying text.
\514\ See Nina Mehta, Dark Pools Capture Record U.S. Volume
Share, Bloomberg (March 1, 2012), available at: http://rblt.com/news_details.aspx?id=187.
---------------------------------------------------------------------------
Proposed Regulation SCI would apply to SROs (including national
securities exchanges,\515\ national securities associations, registered
clearing agencies, and the MSRB \516\), SCI ATSs,\517\ plan
processors,\518\ and exempt clearing agencies subject to ARP.\519\ As
such, proposed Regulation SCI would specifically cover the trading of
NMS stocks, OTC equities, listed options, and debt securities. The
proposed rules also would impact multiple markets for services,
including the markets for trading services, listing services,
regulation and surveillance services, clearing and settlement services,
and market data.
---------------------------------------------------------------------------
\515\ Proposed Regulation SCI would not apply to an exchange
that lists or trades security futures products that is notice-
registered with the Commission as a national securities exchange
pursuant to Section 6(g) of the Exchange Act, including security
futures exchanges. See supra note 97 and accompanying text.
\516\ In 2011, the total par amount of municipal securities
traded was approximately $3.3 trillion in approximately 10.4 million
trades. See MSRB 2011 Fact Book at 8-9, available at: http://www.msrb.org/msrb1/pdfs/MSRB2011FactBook.pdf.
\517\ See supra Section III.B.1 for the discussion of SCI ATSs.
\518\ In addition, the Commission is soliciting comment on
whether, and if so how, proposed Regulation SCI should apply to SB
SDRs and/or SB SEFs. See supra Section III.F.
\519\ See supra Section III.B.1 for the discussion of exempt
clearing agencies subject to ARP.
---------------------------------------------------------------------------
As indicated above, many of the entities in these service markets
are currently covered by the ARP Inspection Program. Therefore, the
Commission recognizes that any economic effects, including costs and
benefits, should be compared to a baseline of current practices that
recognizes current practices pursuant to the ARP Inspection Program and
the limitations of the ARP Inspection Program discussed in Section I.C
above.\520\ In addition to the ARP Inspection Program, Commission staff
has provided guidance to ARP entities on certain aspects of the ARP
Inspection Program (e.g., in the 2001 Staff ARP Interpretive
Letter).\521\ Further, Commission staff has provided guidance on issues
outside the current scope of the ARP Inspection Program (e.g., in the
2009 Staff Systems Compliance Letter), but that are proposed to be
addressed by Regulation SCI.\522\ Below, the Commission provides
information on the current practices related to the types of market
events addressed by proposed Regulation SCI, including, where
available, information the Commission may have on the frequency of such
events. In addition, the Commission describes why each relevant service
market may not be structured in a way as to create a competitive
incentive to prevent the occurrence of these market events.\523\
---------------------------------------------------------------------------
\520\ See also supra Section I.A for the discussion of the
current scope of the ARP Inspection Program. The Commission
acknowledges that, to the extent current practices of SCI entities
have been informed by the ARP policy statements, such practices have
not been subject to a cost-benefit analysis and that the discussion
herein considers only the incremental costs and benefits (i.e.,
compared to current practices).
\521\ See 2001 Staff ARP Interpretive Letter, supra note 35.
\522\ See 2009 Staff Systems Compliance Letter, supra note 36.
\523\ The Commission compares current practices to each of the
proposed rules in infra Section V.B.3.
---------------------------------------------------------------------------
1. SCI Events
a. Systems Disruptions
Currently, market participants employ a variety of measures to
avoid systems disruptions for a variety of reasons, including to
maintain competitive advantages, to provide optimal service to members
with access to the trading and/or other services provided by the
entity, to comply with legal obligations and, where applicable, to
participate in the ARP Inspection Program. The range of such measures
is likely highly variable among SCI entities and among the systems
employed by SCI entities. For example, matching engines are likely
accorded high priority given the importance of low latency in trading.
Industry standards are not codified for such entities and systems,
except as set forth in an entity's rulebook or subscriber agreement.
Typically, however, market participants follow industry standards and
take measures that include weekend
[[Page 18158]]
system testing and internal performance monitoring.
When system disruptions do occur, market participants take
corrective action in the interest of remaining competitive, to provide
optimal service, and to comply with legal obligations. To place the
effectiveness of the current ARP Inspection Program in perspective,
there were approximately 175 ARP incidents reported to the Commission
in 2011. These incidents had durations ranging from under one minute to
24 hours, with most incidents having a duration of less than 2 hours.
As noted above, the Commission believes that clearing systems and
matching engines generally are given greater priority than other
systems at SCI entities with regard to corrective action. In addition,
the Commission believes that SCI entities that currently participate in
the ARP Inspection Program strive to adhere to the next business day
resumption standard for trading and the two-hour resumption standard
for clearance and settlement services, standards which the proposed
rule would codify for all SCI entities.
As discussed in Section I.A, participation in the ARP Inspection
Program entails, among other things, conducting annual assessments of
affected systems, providing notifications of significant system changes
to the Commission, and reporting significant system outages to the
Commission. Further, Commission staff has provided guidance to the SROs
and other participants in the ARP Inspection Program on what should be
considered a ``significant system change'' and a ``significant system
outage'' for purposes of reporting systems changes and problems to
Commission staff.\524\ As such, the Commission believes that entities
that currently participate in the ARP Inspection Program have certain
processes for determining whether a systems change or outage is
``significant.'' Specifically, the 2001 Staff ARP Interpretive Letter
sets forth the types of outages and changes that should be reported to
the Commission and the timing of reporting. Also, as discussed below,
the ARP policy statements are focused on automated systems.
Specifically, entities that participate in the ARP Inspection Program
follow the ARP policy statements with respect to systems that directly
support trading, clearance and settlement, order routing, and market
data. While generally only trading, clearance and settlement, order
routing, and market data systems follow the guidelines in the ARP
policy statements, ARP staff inspects all the categories of systems
that are included in the proposed definition of ``SCI systems.'' \525\
However, ARP staff generally inspects systems that are not directly
related to trading, clearance and settlement, order routing, or market
data only if they detect red flags.
---------------------------------------------------------------------------
\524\ See supra note 35.
\525\ See supra Section III.B.2.
---------------------------------------------------------------------------
As discussed above, the ARP Inspection Program has garnered
participation by all active registered clearing agencies, all
registered national securities exchanges, FINRA, plan processors, one
ATS, and one exempt clearing agency.\526\ Specifically, the Commission
estimates that there are currently 29 SCI entities that are
participants in the ARP Inspection Program.\527\ As noted, there were
approximately 175 ARP incidents reported to the Commission in 2011.
Although some entities provide the public with notices of outages,\528\
others may choose otherwise and are not required to do so.
---------------------------------------------------------------------------
\526\ See supra Section I.A.
\527\ See supra note 368.
\528\ See e.g., NYSE Market Status, available at: http://usequities.nyx.com/nyse/market-status; NYSE Amex Options Outage
Update, available at: http://www.nyse.com/pdfs/Trader_Update_Amex_Outage_0928.pdf; and NYSE Arca, Recap: Exchange Outage on
Monday Morning March 7, 2011, available at: http://www.nyse.com/pdfs/2011037ExchangeOutageNotice.pdf.
---------------------------------------------------------------------------
Further, as discussed above, pursuant to Rule 301(b)(6) of
Regulation ATS, certain aspects of the ARP policy statements apply to
ATSs that meet the thresholds set forth in that rule.\529\ Currently,
no ATSs meet such thresholds and, as such, none are required by
Commission rule to implement systems safeguard measures. The Commission
recognizes that it is in the interest of every market participant that
does not participate in the ARP Inspection Program to try to avoid
systems disruptions. Specifically, the Commission understands that
generally, ATSs, like entities that currently participate in the ARP
Inspection Program, employ a variety of measures to avoid systems
disruptions, including systems testing, performance monitoring, and the
use of fail-over back-up systems. In fact, one ATS currently
voluntarily participates in the ARP Inspection Program.\530\ However,
while the ARP Inspection Program and the testing done and other
measures taken by those entities that participate in the program have
been beneficial to the industry, the systems of SCI entities could
still be improved. For example, contingency planning in preparation
for catastrophic events has not been fully adequate, as evidenced in
the wake of Superstorm Sandy, when an extended shutdown of the equities
and options markets resulted from, among other things, the exchanges'
belief regarding the inability of some market participants to
adequately operate from the backup facilities of all market
centers.\531\ Although testing protocols were in place and the chance
to participate in such testing was available, not all members or
participants participated in such testing.\532\ Proposed Regulation SCI
would require that designated members or participants of an SCI entity
participate in scheduled functional and performance testing of the
operation of the SCI entity's business continuity and disaster recovery
plans, including its backup systems, and further require that SCI
entities coordinate the testing of such plans on an industry- or
sector-wide basis with other SCI entities. The Commission preliminarily
believes that these proposed requirements would mitigate the chances of
similar disruptions in the future.\533\
---------------------------------------------------------------------------
\529\ Specifically, Rule 301(b)(6) of Regulation ATS applies to
ATSs that, during at least four of the preceding six months, had:
(A) With respect to any NMS stock, 20 percent or more of the average
daily volume reported by an effective transaction reporting plan;
(B) with respect to equity securities that are not NMS stocks and
for which transactions are reported to a self-regulatory
organization, 20 percent or more of the average daily volume as
calculated by the self-regulatory organization to which such
transactions are reported; (C) with respect to municipal securities,
20 percent or more of the average daily volume traded in the United
States; or (D) with respect to corporate debt securities, 20 percent
or more of the average daily volume traded in the United States. See
17 CFR 242.301(b)(6)(i).
\530\ See supra note 91.
\531\ See supra Section I.D; see also supra Section III.C.7.
\532\ See supra Section I.D. In addition, the Commission
understands that the scope of testing was limited.
\533\ See proposed Rule 1000(b)(9); see also supra Section
III.C.7.
---------------------------------------------------------------------------
b. Systems Compliance Issues
Currently, systems compliance issues (as proposed to be defined in
Rule 1000(a)) are not covered by the ARP Inspection Program. However,
national securities exchanges are subject to Section 6(b) of the
Exchange Act, which requires an exchange to be organized and to have
the capacity to carry out the purposes of the Exchange Act and to
comply with the provisions of the Exchange Act, the rules and
regulations thereunder, and its own rules.\534\ FINRA is subject to
Section 15A(b) of the Exchange Act, which requires a national
securities association to be organized and have the capacity to carry
out the purposes of the Exchange Act and to comply with the provisions
of the
[[Page 18159]]
Exchange Act, the rules and regulations thereunder, the MSRB rules, and
its own rules.\535\ Further, an ATS could face Commission sanctions if
it fails to comply with relevant federal securities laws and rules and
regulations thereunder. Events such as those described above have
recently drawn attention to systems compliance issues.\536\ In part
because systems compliance issues are not part of the ARP Inspection
Program, the Commission does not receive comprehensive data regarding
such issues and, thus, their incidence cannot be concretely
quantified. However, based on Commission staff's experience with SROs
and the rule filing process, the Commission estimates that there are
likely approximately seven systems compliance issues per SCI entity per
year.
---------------------------------------------------------------------------
\534\ See 15 U.S.C. 78f(b).
\535\ See 15 U.S.C. 78o-3(b).
\536\ See, e.g., supra notes 62-63 and accompanying text.
---------------------------------------------------------------------------
c. Systems Intrusions
In ARP I, the Commission stated its view that SROs should promptly
notify Commission staff of any instances in which unauthorized persons
gained or attempted to gain access to SRO systems.\537\ Market
participants employ a wide variety of measures to prevent and respond
to systems intrusions. Generally, market participants use measures such
as firewalls to prevent systems intrusions, and use detection software
to identify systems intrusions. Once an intrusion has been identified,
the affected systems typically would be isolated and quarantined, and
forensics would be performed. Several SCI entities have been the
subject of security issues in recent years.\538\ The Commission
believes that, currently, these events are rarely revealed to the
public or to the members or participants of SCI entities.
---------------------------------------------------------------------------
\537\ See ARP I, supra note 1. See also text accompanying supra
note 17.
\538\ For example, as discussed above, in February 2011, NASDAQ
OMX Group, Inc. announced that hackers had penetrated certain of its
computer networks. See supra note 61 and accompanying text.
---------------------------------------------------------------------------
2. Potential for Market Solutions
This section discusses potential market solutions and their
shortcomings. Various SCI and non-SCI entities offer and compete to
provide services in markets for trading services, listing services,
regulatory services, clearance and settlement services, and market
data. The markets for each of these services are regulated and
competitive, which may make it difficult to determine if markets are
functioning well due to competitive pressure or regulation, and how
much can be attributed to each. However, such competition has
limitations, and the following discussion addresses some limitations
that are common to all of these markets. Notwithstanding what may be the
limitations to competition in each of these markets, the Commission is
also mindful, in evaluating whether, and if so, how, to regulate in
this space, of the need to craft rules that appropriately take into
account the tradeoffs between the resulting costs and benefits, and the
effects on efficiency, competition, and capital formation, that would
accompany such regulation.
Market participants may be unaware when SCI events disrupt
transactions due to, for example, a lack of timely and consistently
disseminated information about SCI events. First, providers of services
that experience SCI events may lack the incentive to disclose such
events. Second, other providers of services may choose to not publicly
comment on the identity of providers who experienced SCI events.\539\
For example, providers of trading services may choose not to point to
other providers because the next SCI event may occur on their own
systems. In addition, a person or entity pointing at other providers
may be exposed to litigation risks.
---------------------------------------------------------------------------
\539\ The Commission notes, however, that certain providers of
trading services do provide public disclosure of systems issues at
another provider. For example, when one trading venue perceives that
a second venue is non-responsive when orders are routed to that
second venue, the first venue will declare self-help under Rule 611
of Regulation NMS, which permits the first venue to cease to route
orders to the second venue in certain instances. Certain trading
venues would provide public notification of self-help. See, e.g.,
NASDAQ Market System Status, available at: http://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatus.
---------------------------------------------------------------------------
While some SCI events may not directly impact markets, they are
still an indication of the risk of SCI events at a given SCI entity. It
is likely that market participants assume that services operate as
promised until an SCI event occurs. Reputation and good experiences
with a trading venue may cause market participants to trust its
effectiveness. In the absence of problems, however, a system may be
assumed to be fully functional. Once a problem occurs, market
participants will update their prior assumptions and should correctly
infer that the system is not as robust as previously believed.
Moreover, in the case of SCI events that disrupt the entire market
or large portions of it (e.g., the data outages during the flash crash
on May 6, 2010), all providers of trading services may be affected at
the same time and, as a result, market participants may find it
challenging to identify service providers with lower risks of such SCI
events. In light of the foregoing, members and participants of SCI
entities would be important recipients of information disseminated
about SCI events because they are the parties who would most naturally
need, want, and be able to act on the information and, where
applicable, share such disseminated information to other interested
market participants, as discussed further below.
a. Market for Trading Services
Trading services are offered by entities that would meet the
definition of SCI entity, including equities exchanges, options
exchanges, and SCI ATSs, as well as by entities that would not be
included in the proposed definition of SCI entity, such as ATSs that
are not SCI ATSs, OTC market makers, and broker-dealers. As discussed
above in Section I.B, there are currently 13 national securities
exchanges that trade equity securities, with none having an overall
market share of greater than 20 percent.\540\ There are currently 11
national securities exchanges that trade options.\541\ Of these
exchanges, CBOE, ISE, and Nasdaq OMX Phlx have the most significant
market share.\542\ ATSs--both ECNs and dark pools--as well as OTC
market makers and broker-dealers also execute substantial volumes of
stocks and bonds.\543\
---------------------------------------------------------------------------
\540\ See supra note 47 and accompanying text. These national
securities exchanges are: BATS; BATS-Y; CBOE; CHX; EDGA; EDGX;
Nasdaq OMX BX; Nasdaq OMX Phlx; Nasdaq; NSX; NYSE; NYSE MKT; and
NYSE Arca.
\541\ These national securities exchanges are: BATS Exchange
Options Market; BOX; C2; CBOE; ISE; MIAX; NASDAQ Options Market;
Nasdaq OMX BX Options; Nasdaq OMX Phlx; NYSE Amex Options; and NYSE
Arca.
\542\ Specifically, during 2012, CBOE had 26.46% of the market
share, Nasdaq OMX Phlx had 19.77%, and ISE had 15.78%. Calculated
using data regarding number of contracts traded from Options
Clearing Corporation, available at: http://www.theocc.com/market-data/volume/.
\543\ As discussed above in Section III.B.1, the Commission
estimates that the proposed definition of ``SCI entity'' would
capture approximately 15 SCI ATSs (10 SCI ATSs in NMS stocks, two
SCI ATSs in non-NMS stocks, and three SCI ATSs in municipal
securities and corporate debt securities).
---------------------------------------------------------------------------
With respect to the competitive nature of the market for trading
services, as well as the limitations to the competitive effects, all
providers of trading services compete and have incentives to avoid
systems disruptions, systems compliance issues, and systems intrusions
because, for example, brokers and other entities will be inclined to
route orders away from trading venues
[[Page 18160]]
that have frequent systems problems. Indeed, trading service providers
expend resources to provide quality services and attempt to mitigate
systems disruptions, systems compliance issues, and systems intrusions;
however, it is not clear how to distinguish efforts attributable to
competitive pressures from efforts attributable to existing legal
requirements and regulatory programs such as the ARP Inspection
Program.\544\
---------------------------------------------------------------------------
\544\ See also supra Section V.B.1, noting the various reasons
why SCI entities currently take action to address systems problems.
---------------------------------------------------------------------------
The Commission recognizes that there may be limits with respect to
the extent to which competition ameliorates systems problems associated
with trading services. However, the Commission remains mindful of the
need to craft rules that appropriately take into account the tradeoffs
between the costs and benefits, and the effects on efficiency,
competition, and capital formation, associated with any such rules. The
Commission preliminarily believes that it is important for SCI entity
members or participants to know about risks for SCI events at a given
service provider. As discussed above, if information about SCI events
is not disseminated to members or participants of SCI entities or is
not attributable to specific SCI entities, market participants may
misjudge the quality of trading services or otherwise make decisions
without fully accounting for such risks. Furthermore, as evidenced by
the extended shutdown of the equities and options markets that resulted
from, among other things, the exchanges' belief regarding the inability
of some market participants to adequately operate from the backup
facilities of all market centers, contingency planning has not been
adequate to help prevent market-wide outages.\545\ For example, as
noted above, the NYSE offered its members the opportunity to
participate in testing of its backup systems, but not all members chose
to participate in such testing, and the Commission understands that the
scope of the test was limited.\546\
---------------------------------------------------------------------------
\545\ See supra Section I.D.
\546\ See supra Section I.D. See also supra notes 83 and 532 and
accompanying text.
---------------------------------------------------------------------------
In addition, even though there are multiple trading venues,
suppliers of trading services may have limited ability to transact in
particular securities (e.g., certain index options may only trade on
one options exchange). As a result, competition in the market for
trading services may not sufficiently mitigate the occurrence of SCI
events, and there may be insufficient disclosure of information
regarding the quality of trading services offered by SCI entities.
b. Market for Listing Services
Certain SCI entities are in the market for listing services. In
this market, exchanges compete to list issuers to collect listing fees
and to provide ancillary services to listed companies. The NYSE and
Nasdaq are the largest U.S. exchanges in terms of the number of equity
securities listed, with the NYSE and Nasdaq serving as the listing
market for 3,262 and 2,691 securities, respectively, as of February 4,
2013.\547\ U.S. exchanges face competition from other U.S. exchanges
and from non-U.S. exchanges.
---------------------------------------------------------------------------
\547\ See NASDAQ Company List, available at: http://www.nasdaq.com/screening/company-list.aspx, for the list of
companies listed on NYSE and NASDAQ.
---------------------------------------------------------------------------
Competition for listings may be limited by many factors. First,
while a company can be listed on a certain exchange, trading does not
necessarily occur on that exchange. In fact,
the majority of trading occurs away from the listing exchange in
today's U.S. equities markets.\548\ Second, there are switching costs
associated with moving a listing from one exchange to another, which
may cause issuers to remain at their current exchange, even in response
to the occurrence of some SCI events. Third, certain exchanges also may
be considered more ``prestigious'' than others and, to this extent,
they may wield market power over other exchanges when competing for
issuers. As a result, these exchanges may not be properly incentivized
to provide the level of service they otherwise might if they were
subject to greater competition. Members and participants of SCI
entities that serve as underwriters to issuers would be important
recipients of information disseminated by SCI entities about
dissemination SCI events, particularly if they share such information
with issuers making listing decisions.
---------------------------------------------------------------------------
\548\ See BATS Market Volume Summary, available at: http://www.batstrading.com/market_summary/ (displaying the dispersion of
trading in equity securities, which indicates that trading occurs
away from listing exchanges).
---------------------------------------------------------------------------
c. Market for Regulation and Surveillance Services
Regulation and surveillance are required by statutes and rules and,
therefore, all regulated market participants (e.g., exchanges or ATSs)
have a demand for regulation and surveillance services. Suppliers in
this market may be in-house or third parties, and potentially include
all of the exchanges and FINRA. Because of regulatory services
agreements (``RSAs'') between FINRA and several national securities
exchanges, as of February 2011, FINRA's Market Regulation Department
was responsible for surveillance of 80 percent of the trading volume in
U.S. equity markets and 35 percent of the volume in U.S. options
markets.\549\ Also, in 2011, BATS and BATS-Y entered into RSAs with
CBOE as the supplier.\550\ On the other hand, some exchanges have not
entered into RSAs.
---------------------------------------------------------------------------
\549\ See FINRA 2011 Annual Regulatory and Examination
Priorities Letter (February 8, 2011), available at: http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p122863.pdf.
\550\ See BATS Global Markets, Inc., Amendment No. 5 to Form S-
1, dated March 21, 2012 (Registration No. 333-174166).
---------------------------------------------------------------------------
There are other regulatory services arrangements in addition to
RSAs. For example, in 2008, the Commission declared effective a plan
for allocating regulatory responsibilities pursuant to Rule 17d-2,\551\
which among other things, allocated regulatory responsibility for the
surveillance, investigation, and enforcement of Common Rules \552\ over
Common NYSE Members,\553\ with respect to NYSE-listed stocks and NYSE
Arca-listed stocks, to NYSE and over Common FINRA Members,\554\ with
respect to NASDAQ-listed stocks, Amex-listed stocks, and any CHX
solely-listed stock, to FINRA.\555\
---------------------------------------------------------------------------
\551\ See Securities Exchange Act Release No. 58536 (September
12, 2008), 73 FR 54646 (September 22, 2008). See also 17 CFR
240.17d-2 (permitting SROs to propose joint plans for the allocation
of regulatory responsibilities with respect to their common
members).
\552\ Such rules include federal securities laws and rules
promulgated by the Commission pertaining to insider trading, and the
rules of the plan participants that are related to insider trading
as provided on Exhibit A to a Rule 17d-2 Plan. See Agreement for the
Allocation of Regulatory Responsibility of Surveillance,
Investigation and Enforcement for Insider Trading pursuant to Sec.
17(d) of the Securities Exchange Act of 1934, 15 U.S.C. Sec.
78q(d), and Rule 17d-2 thereunder.
\553\ Common NYSE Members include those who are members of the
NYSE and of at least one of the plan participants. See id.
\554\ Common FINRA Members include those who are members of
FINRA and of at least one of the plan participants. See id.
\555\ Participants in this plan are: BATS, BATS-Y, CBOE, CHX,
EDGA, EDGX, FINRA, Nasdaq OMX BX, Nasdaq OMX Phlx, Nasdaq, NSX,
NYSE, NYSE Amex, and NYSE Arca. See id. In January 2011, this Rule
17d-2 plan was amended as a result of an agreement under which FINRA
assumed the responsibility for performing the market surveillance
and enforcement functions previously conducted by NYSE Regulation
for its U.S. equities and options markets. Under the plan, FINRA
charges participants a fee for the performance of regulatory
responsibilities. See Securities Exchange Act Release No. 63750
(January 21, 2011), 76 FR 4948 (January 27, 2011). There are other
types of Rule 17d-2 plans, including multilateral and bilateral
plans. While other SROs perform some regulatory functions under the
options-related market surveillance and Regulation NMS multiparty
17d-2 plans, FINRA provides the bulk of services under all other
17d-2 plans.
---------------------------------------------------------------------------
[[Page 18161]]
With respect to limitations of competition that are specific to the
market for regulatory and surveillance services, if investors, issuers,
or other market participants become aware of SCI events by virtue of
the members or participants of SCI entities sharing information they
have received about dissemination SCI events, and such information
suggests that an SRO has low-quality regulation and surveillance, they
may avoid such venues since they may feel that their interests are not
being adequately protected. In the case of an RSA, there is competition
among providers of such services because the user of the service can
enter into a contract with a different provider. An SRO that purchases
regulatory and surveillance services pursuant to an RSA retains the
ultimate responsibility and liability for its self-regulatory
obligations, and has an interest in seeking a service provider that
would provide a high level of regulatory and surveillance
services.\556\ Since the purchaser of these services could face
Commission sanctions and suffer damage to its reputation for
violations resulting from inadequate regulation and surveillance,
providers of these services may have the incentive to ensure that they
provide a high level of service.
---------------------------------------------------------------------------
\556\ In contrast to an RSA, under Rule 17d-2(d) under the
Exchange Act, ``[u]pon the effectiveness of such a plan or part
thereof, any self-regulatory organization which is a party to the
plan shall be relieved of responsibility as to any person for whom
such responsibility is allocated under the plan to another self-
regulatory organization to the extent of such allocation.'' 17 CFR
240.17d-2(d).
---------------------------------------------------------------------------
A factor that limits competition in this market is that it is
highly concentrated. As noted above, FINRA accounts for the
surveillance of 80 percent of trading volume in U.S. equity markets
and, although any SRO could potentially be a provider of such services,
not all choose to do so, and thus there may not be many alternatives
for RSAs. With respect to the market for Rule 17d-2 plans, the
Commission recognizes that the level of competition may be limited, as
Rule 17d-2 was intended to address regulatory duplication for broker-
dealers that are members of more than one SRO, and one of which is
usually FINRA.
d. Market for Clearance and Settlement Services
Certain SCI entities are in the market for clearance and settlement
services. There are seven registered clearing agencies with active
operations--DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe,
and CME \557\--as well as one exempt clearing agency.\558\ An SCI event
in this market could have very disruptive and widespread effects on the
financial markets. Because each clearing agency has a critical role in
the operation of a particular product market, clearing agencies may
already have heightened incentives to ensure that their systems have
adequate levels of capacity, integrity, resiliency, availability, and
security.\559\ At the same time, one of the major impediments to
competition in this market is that it is highly concentrated in
particular classes of securities (e.g., equities or options). This may
limit incentives for clearing agencies to have levels of capacity,
integrity, resiliency, availability, and security that are appropriate
for their role in the securities market. Thus, for the market for
clearance and settlement services, it is especially important for the
Commission and clearing agency participants to have current and
accurate information about SCI events to help ensure that the clearing
agencies are properly incentivized to provide high-quality service.
---------------------------------------------------------------------------
\557\ As noted above, active registered clearing agencies are
part of the current ARP Inspection Program. See supra note 95 and
accompanying text.
\558\ As noted above, Omgeo is part of the current ARP
Inspection Program. See supra notes 133-135 and accompanying text.
\559\ See generally 2003 Interagency White Paper, supra note 31.
---------------------------------------------------------------------------
e. Market for Market Data
Finally, certain SCI entities provide market data. There are two
different types of market data, namely consolidated data and
proprietary data. As discussed above, when Congress mandated a national
market system in 1975, it emphasized that the systems for collecting
and distributing consolidated market data would ``form the heart of the
national market system.'' \560\ Moreover, the Commission has identified
certain benefits of consolidated market data, including providing the
public with access to a comprehensive, accurate, and reliable source of
information for NMS stocks.\561\ One of the Commission's primary
concerns is that the market for consolidated data functions properly.
---------------------------------------------------------------------------
\560\ See Concept Release on Equity Market Structure, supra note
42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93
(1975)).
\561\ See supra note 187 and accompanying text.
---------------------------------------------------------------------------
Market data is a critical part of the investment and trading
process.\562\ The data is needed for pre- and post-trade transparency
and allows market participants to make well-informed investment and
trading decisions.\563\ Indeed, based on Commission staff experience,
the Commission understands that many trading algorithms make trading
decisions based primarily on market data and rely on that data being
current and accurate. An SCI event in connection with market data could
significantly disrupt markets.\564\
---------------------------------------------------------------------------
\562\ See supra notes 187-189 and accompanying text.
\563\ See id.
\564\ For example, on January 3, 2013, Nasdaq reported that its
securities information processor (which is the plan processor of the
CQS Plan, an SCI plan) experienced ``an issue with stale data,''
which lasted approximately 10 to 15 minutes. See http://www.nasdaq.com/article/update-traders-report-technical-issue-involving-nasdaq-listed-securities-20130103-01046#.URutFaVEHmd. See
also http://www.reuters.com/article/2013/01/03/exchanges-data-outage-idUSL1E9C3DQL20130103. As a result, last sale and quotation
data was not available for Nasdaq-listed (``Tape C'') securities
during that time. See id. Although proprietary data feeds were
available, only subscribers receiving such feeds could continue
trading with current market data during the outage. Market centers
EDGA and EDGX temporarily suspended trading in all Tape C securities
in response to the outage. See id.
---------------------------------------------------------------------------
The process of collecting and disseminating consolidated quotation
and transaction data is governed by the SCI plans. For securities
listed on Nasdaq, data distribution is governed by the Nasdaq UTP Plan.
For securities listed on NYSE, NYSE Amex, and several other exchanges,
data distribution is governed by the CTA Plan and the CQS Plan. For
options, data distribution is governed by the OPRA Plan. These SCI
plans also oversee the collection of fees for access to the
consolidated data network, and the allocation of the resulting revenue
across the exchanges. Currently, there are two entities designated as
plan processors by SCI plans--SIAC and Nasdaq.\565\ Due to the extreme
concentration in the market segment for consolidated data, there is
virtually no competition between SCI plan processors, which could
leave them little incentive to ensure a high-quality product with
minimal disruptions.
---------------------------------------------------------------------------
\565\ See supra note 131.
---------------------------------------------------------------------------
3. Proposed Regulation SCI and Its Impact on Current Practices
Proposed Regulation SCI would be a codification and enhancement of
the current ARP Inspection Program. As discussed further below with
respect to each of the proposed rules, proposed Regulation SCI would:
(A) Be mandatory and codify many aspects of the ARP policy statements;
(B) expand the scope of the ARP policy statements to other types of
systems and event types; and (C) expand the scope of the ARP Inspection
Program to other types of entities.
[[Page 18162]]
With respect to different types of systems, as discussed in more
detail above, the ARP policy statements are focused on automated
systems.\566\ Specifically, entities that participate in the ARP
Inspection Program follow the ARP policy statements with respect to
systems that directly support trading, clearance and settlement, order
routing, and market data.\567\ Proposed Regulation SCI, on the other
hand, would apply to more types of systems than the ARP policy
statements. As discussed above, in addition to the systems covered by
the ARP Inspection Program, the proposed definition of ``SCI systems''
would also include systems that directly support regulation and
surveillance that are not currently part of the ARP Inspection Program.
Further, the provisions of proposed Regulation SCI relating to security
standards and systems intrusions would also apply to ``SCI security
systems,'' which would be defined to mean any systems that share
network resources with SCI systems that, if breached, would be
reasonably likely to pose a security threat to SCI systems.
---------------------------------------------------------------------------
\566\ See supra Section I.A for more discussion of the ARP
policy statements and the ARP Inspection Program. According to ARP
I, the term ``automated systems'' or ``automated trading systems''
means computer systems for listed and OTC equities, as well as
options, that electronically route orders to applicable market
makers and systems that electronically route and execute orders,
including the data networks that feed the systems. The term
``automated systems'' also encompasses systems that disseminate
transaction and quotation information and conduct trade comparisons
prior to settlement, including the associated communication
networks. Moreover, ARP I states that because lack of adequate
communications capacity can be as damaging to the overall
performance of an exchange during peak periods as poorly designed
order processing, capacity tests of the data networks that feed the
computer systems also should be conducted. See ARP I, supra note 1,
at n.21.
\567\ While generally only trading, clearance and settlement,
order routing, and market data systems follow the guidelines in the
ARP policy statements, ARP staff inspects all the categories of
systems that are included in the proposed definition of ``SCI
systems.'' However, ARP staff generally inspects systems that do not
directly support trading, clearance and settlement, order routing,
or market data only if staff detects red flags.
---------------------------------------------------------------------------
Additionally, while the ARP Inspection Program and proposed
Regulation SCI both cover certain types of systems disruptions \568\
and systems intrusions,\569\ proposed Regulation SCI also would cover
systems compliance issues. Finally, the ARP Inspection Program includes
29 participants that are SCI entities, consisting of 17 registered
national securities exchanges, seven registered clearing agencies,
FINRA, two plan processors, one ATS, and one exempt clearing agency.
Because no ATSs currently satisfy the thresholds in Rule 301(b)(6)(i)
of Regulation ATS, no ATSs currently are subject to the systems
safeguard requirements of Regulation ATS \570\ although, as noted
above, one ATS voluntarily participates in the ARP Inspection Program.
Proposed Regulation SCI would include all of the entities currently
under the ARP Inspection Program. With respect to ATSs, proposed
Regulation SCI would include an estimated 10 SCI ATSs in NMS stocks, an
estimated two SCI ATSs in non-NMS stocks, an estimated three SCI ATSs
in municipal securities and corporate debt securities, and one SRO
(i.e., the MSRB).
---------------------------------------------------------------------------
\568\ See 2001 Staff ARP Interpretive Letter, supra note 35. See
also supra Section III.B.3.a for a discussion of the differences
between the definition of ``significant system outage'' as used
currently in the ARP Inspection Program and the proposed definition
of ``systems disruption.''
\569\ See ARP I, supra note 1, at 48707 (referring to instances
where unauthorized persons gained or attempted to gain access to
systems). Proposed Rule 1000(a) would define ``systems intrusion''
to mean any unauthorized entry into the SCI systems or SCI security
systems of the SCI entity.
\570\ See 17 CFR 242.301(b)(6).
---------------------------------------------------------------------------
Proposed Rules 1000(b)(4) and (b)(5) would require, respectively,
that all SCI events be reported to the Commission, and that information
relating to dissemination SCI events be disseminated to members or
participants of an SCI entity. Proposed Rule 1000(a) would define a
dissemination SCI event to mean an SCI event that is a: (1) Systems
compliance issue; (2) systems intrusion; or (3) systems disruption that
results, or the SCI entity reasonably estimates would result, in
significant harm or loss to market participants. Under the ARP
Inspection Program, only ``significant'' outages should be reported to
the Commission, and there are no quantitative standards to define
``significant'' outage. Similarly, proposed Regulation SCI would not
specify a quantitative standard for immediate notification SCI events
or dissemination SCI events. Instead, immediate notification SCI events
would include any systems disruption that the SCI entity reasonably
estimates would have a material impact on its operations or on market
participants, any systems compliance issue, and any systems intrusion.
With respect to dissemination SCI events, certain information about all
systems compliance issues and systems intrusions would be required to
be disseminated to members or participants, although information about
systems intrusions in some cases could be delayed. Systems disruptions,
however, would be dissemination SCI events only if they result, or the
SCI entity reasonably estimates would result, in significant harm or
loss to market participants.
Proposed Rule 1000(b)(1) (Capacity, Integrity, Resiliency,
Availability, and Security) addresses the capacity, integrity,
resiliency, availability, and security of the systems of SCI entities.
Rule 1000(b)(1) would require an SCI entity to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its SCI systems and, for purposes of security standards, SCI
security systems, have levels of capacity, integrity, resiliency,
availability, and security, adequate to maintain the SCI entity's
operational capability and promote the maintenance of fair and orderly
markets.
Proposed Rule 1000(b)(1)(i) would further require that an SCI
entity's policies and procedures include the establishment of
reasonable current and future capacity planning estimates, periodic
capacity stress tests, a program to review and keep current systems
development and testing methodology, regular reviews and testing of
such systems, including backup systems, business continuity and
disaster recovery plans, and standards that result in systems that
facilitate the successful collection, processing, and dissemination of
market data. The items in proposed Rule 1000(b)(1)(i)(A)-(E) are the
same as those in the ARP Inspection Program and Rule 301(b)(6) of
Regulation ATS.\571\
---------------------------------------------------------------------------
\571\ See supra Section III.C.1 for a detailed discussion of
proposed Rule 1000(b)(1), including comparisons to the provisions of
the ARP Inspection Program.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(1)(ii) would further provide that an SCI
entity's policies and procedures would be deemed to be reasonably
designed if they are consistent with current SCI industry
standards.\572\ The Commission preliminarily believes that SCI entities
would be familiar with such standards because they would be required to
be widely available for free to information technology professionals in
the financial sector, and must be issued by an authoritative body that
is a U.S. governmental entity or agency, association of U.S.
governmental entities or agencies, or widely recognized
organization.\573\ As noted above, compliance with the identified SCI
industry standards would not be the exclusive means to comply with the
[[Page 18163]]
requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------
\572\ See proposed Rule 1000(b)(1)(ii).
\573\ See infra text commencing at note 630, discussing examples
of SCI industry standards that may originate from NIST publications
and/or other publications listed in Table A, and the potential costs
they may impose on SCI entities.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(2)(i) (Systems Compliance) is not currently
part of the ARP Inspection program and would require each SCI entity to
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems operate in the
manner intended, including in a manner that complies with the federal
securities laws and rules and regulations thereunder and the entity's
rules and governing documents, as applicable.\574\
---------------------------------------------------------------------------
\574\ However, as noted above in Section V.B.1.b, SCI entities
are already required to comply with relevant laws and rules.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(3) (Corrective Action) would require that,
upon any responsible SCI personnel becoming aware of an SCI event, an
SCI entity begin to take appropriate corrective action. The Commission
understands that market participants already take steps to address
systems issues should they occur, but preliminarily believes that
proposed Rule 1000(b)(3) may result in SCI entities incurring
additional information technology costs, primarily because proposed
Rule 1000(b)(3) requires each SCI entity, upon any responsible SCI
personnel becoming aware of an SCI event, to begin to take appropriate
corrective action. Thus, SCI entities would not be able to delay the
start of taking corrective action, which in turn could result in some
SCI entities potentially seeking to, for example, update their systems
with newer technology earlier than they might have otherwise. As these
increased costs would likely occur primarily as a result of SCI
entities making usual and customary investments sooner than they would
otherwise, these costs are difficult to quantify.
Proposed Rule 1000(b)(4) (Commission Notification) would require
that an SCI entity notify the Commission of all SCI events. Proposed
Rule 1000(b)(4) would apply to more entities, systems, and types of
systems issues than the ARP policy statements (or the 2001 Staff ARP
Interpretive Letter) and also require more detailed reporting to the
Commission.\575\
---------------------------------------------------------------------------
\575\ See discussion of proposed Rule 1000(b)(4) in supra
Section III.C.4. In addition, proposed Rule 1000(d) would require,
with limited exception, that any written notification, review,
description, analysis, or report to the Commission be submitted
electronically on Form SCI.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(5) (Dissemination of Information to Members
or Participants) would require an SCI entity to disseminate information
relating to dissemination SCI events to members or participants.
Proposed Rule 1000(b)(5) would impose a new requirement that is not
currently part of the ARP Inspection Program. As noted above in Section
V.B.1.a, some entities provide their members or participants with
notices of outages currently. However, although proposed Rule
1000(b)(5) would permit information regarding some systems intrusions
to be delayed,\576\ the Commission expects that dissemination of
information to members or participants about dissemination SCI events
would increase significantly.
---------------------------------------------------------------------------
\576\ See proposed Rule 1000(b)(5)(ii).
---------------------------------------------------------------------------
With respect to proposed Rule 1000(b)(6) (Material Systems
Changes), while entities may voluntarily submit similar material
systems change notifications to the Commission under the ARP Inspection
Program, proposed Regulation SCI would set forth more detailed
requirements.\577\ Proposed Rule 1000(b)(6) would require an SCI entity
to notify the Commission of planned material systems changes on
proposed Form SCI at least 30 calendar days in advance of such change,
unless exigent circumstances exist or information previously provided
to the Commission regarding a planned material systems change has
become materially inaccurate, necessitating notice regarding a material
systems change with less than 30 calendar days' notice.
---------------------------------------------------------------------------
\577\ See supra Sections III.C.4 and III.E.2 discussing the
reporting requirements in proposed Rule 1000(b)(6).
---------------------------------------------------------------------------
Proposed Rule 1000(b)(7) (SCI Review) would require an SCI entity
to conduct an SCI review of its compliance with Regulation SCI at least
annually, and submit a report of the SCI review to senior management of
the SCI entity for review no more than 30 calendar days after
completion of the SCI review. Because systems reviews have always been
part of the ARP Inspection Program, the Commission believes that most
SCI entities currently undertake annual systems reviews, reports of
which the Commission understands are reviewed by senior management. The
Commission believes, however, that the scope of the systems review
undertaken by ARP entities, and senior management involvement in
such reviews, varies among ARP entities. The Commission expects that
proposed Regulation SCI, which defines the parameters of an SCI review,
would foster greater consistency in the approach that SCI entities take
with respect to systems reviews.
Proposed Rule 1000(b)(8) (Reports) would require an SCI entity to
submit various reports to the Commission. Specifically, proposed Rule
1000(b)(8)(i) would require an SCI entity to submit a report of the SCI
review required by proposed Rule 1000(b)(7), together with any response
by senior management, within 60 calendar days after its submission to
senior management of the SCI entity. Proposed Rule 1000(b)(8)(ii) would
require an SCI entity to submit a report, within 30 calendar days after
the end of June and December of each year, containing a summary
description of the progress of any material systems change during the
six-month period ending on June 30 or December 31, as the case may be,
and the date, or expected date, of completion of implementation of such
changes. Such reports to be filed with the Commission pursuant to
proposed Rule 1000(b)(8) would be required to be filed electronically
on Form SCI. Proposed Rule 1000(b)(8) would codify current practice
under the ARP Inspection Program, in which ARP entities submit reports
of systems reviews and report progress on material systems changes to
ARP staff. However, proposed Rule 1000(b)(8) would specify a more detailed
process for submission of such reports.
Proposed Rule 1000(b)(9) (SCI Entity Business Continuity and
Disaster Recovery Plans Testing Requirements for Members or
Participants) is not part of the current ARP Inspection Program and
would require an SCI entity, with respect to its business continuity
and disaster recovery plans, including its backup systems, to require
participation by designated members or participants in scheduled
functional and performance testing of the operation of such plans, in
the manner and frequency as specified by the SCI entity, at least once
every 12 months. In addition, the proposed rule would require an SCI
entity to coordinate such testing on an industry- or sector-wide basis
with other SCI entities.\578\ Further, the proposed rule would require
each SCI entity to designate those members or participants it deems
necessary, for the maintenance of fair and orderly markets in the event
of the activation of its business continuity and disaster recovery
plans, to participate in the testing of such plans. Each SCI entity
would be required to notify the Commission of such designations and its
standards for designation, and promptly update such notification after
any changes to its designations or standards. Although nothing prevents
SCI entities from doing so, the Commission currently does not mandate
that members or participants of SCI entities test the business
continuity and disaster recovery plans, including
[[Page 18164]]
backup systems, of SCI entities. This proposed rule would allow greater
oversight by the Commission over the business continuity and disaster
recovery capabilities of SCI entities. While the Commission believes
that many SCI entities currently provide the opportunity for their
members or participants to test their business continuity and disaster
recovery plans, the Commission believes that few require participation
by all or designated members or participants in such testing.\579\ In
addition, the Commission understands that, to the extent such
participation occurs, it may in many cases be limited in nature (e.g.,
testing for connectivity to backup systems). Finally, while the
securities industry does coordinate certain testing, the Commission
believes that the two-day closure of the equities and options markets
in the wake of Superstorm Sandy has shown that more significant testing
and better coordination of such testing could benefit market
participants.\580\
---------------------------------------------------------------------------
\578\ See supra note 269 and accompanying text.
\579\ See infra note 641.
\580\ See supra Section I.D.
---------------------------------------------------------------------------
Proposed Rules 1000(c) and (e) relate to the recordkeeping
requirements under proposed Regulation SCI. As discussed above, SCI
SROs already are subject to recordkeeping requirements that would apply
to all documents relating to their compliance with proposed Regulation
SCI.\581\ Further, entities that participate in the ARP Inspection
Program currently keep records related to the ARP Inspection Program,
and the Commission recognizes that all SCI entities are subject to some
recordkeeping requirement. Nevertheless, with respect to SCI entities
other than SCI SROs, proposed Rules 1000(c) and (e) would impose
specific recordkeeping requirements with respect to documents related
to compliance with Regulation SCI and thus would impose a burden on
such entities.
---------------------------------------------------------------------------
\581\ See supra Section III.D.1.
---------------------------------------------------------------------------
Lastly, proposed Rule 1000(f) would require each SCI entity to provide
Commission representatives reasonable access to its SCI systems and SCI
security systems to allow Commission representatives to assess the
entity's compliance with proposed Regulation SCI. As discussed above,
although the Commission believes that Section 17(b) of the Exchange Act
already provides the Commission with authority to access the systems of
SCI entities, the Commission is proposing Rule 1000(f) to highlight
such authority and help ensure that Commission representatives have
ready access to systems of SCI entities.\582\
---------------------------------------------------------------------------
\582\ See supra Section III.D.3.
---------------------------------------------------------------------------
C. Consideration of Costs and Benefits, and the Effect on Efficiency,
Competition, and Capital Formation
Section 3(f) of the Exchange Act requires the Commission, whenever
it engages in rulemaking pursuant to the Exchange Act and is required
to consider or determine whether an action is necessary or appropriate
in the public interest, to consider, in addition to the protection of
investors, whether the action would promote efficiency, competition,
and capital formation.\583\ In addition, Section 23(a)(2) of the
Exchange Act requires the Commission, when making rules under the
Exchange Act, to consider the impact such rules would have on
competition.\584\ Exchange Act Section 23(a)(2) prohibits the
Commission from adopting any rule that would impose a burden on
competition not necessary or appropriate in furtherance of the purposes
of the Exchange Act.\585\ In considering these matters, the Commission
has been mindful of the history and background discussed above and has
considered the impact proposed Regulation SCI would have on
competition, and preliminarily believes that proposed Regulation SCI
would promote efficiency, competition, and capital formation, and would
not impose a burden on competition not necessary or appropriate in
furtherance of the purposes of the Exchange Act.
---------------------------------------------------------------------------
\583\ 15 U.S.C. 78c(f).
\584\ 15 U.S.C. 78w(a)(2).
\585\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------
1. Summary of Benefits, Costs and Quantification
While the current practices of some SCI entities already satisfy
some of the requirements of proposed Regulation SCI, the Commission
preliminarily believes proposed Regulation SCI could benefit the U.S.
financial markets in several ways. The Commission preliminarily
believes that Regulation SCI should result in fewer systems
disruptions, systems compliance issues, and systems intrusions. It
should also increase the information available to the Commission
regarding any systems disruptions, systems compliance issues, and
systems intrusions that do occur. In addition, it should increase the
information available to members or participants of SCI entities
regarding dissemination SCI events. As explained further below, such
disseminations of information could promote the ability of market
participants to assess the operation of markets because events would be
more transparent. The changes also could reduce market participants'
search costs, ultimately improving the ability of competition to
discourage SCI events and potentially improving the allocative
efficiency of capital. To the extent that Regulation SCI promotes the
allocation of capital to its most efficient uses, the Commission
preliminarily believes that Regulation SCI may promote capital
formation.\586\ The potential economic costs of proposed Regulation SCI
include compliance costs, which the Commission attempts to quantify,
and other costs. Such other costs include costs associated with the
increase in costs and time needed to make systems changes to comply
with new and amended rules and regulations, the impact on innovation,
and barriers to entry.\587\
---------------------------------------------------------------------------
\586\ The Commission notes, however, that whether there is
ultimately an effect on capital formation will depend, in part, on
the degree of the potential effects on allocative efficiency.
\587\ See infra Section V.C.3.b.
---------------------------------------------------------------------------
The Commission discusses below a number of costs and benefits that
are related to proposed Regulation SCI. Many of these costs and
benefits are difficult to quantify with any degree of certainty,
especially as the practices of market participants are expected to
evolve and appropriately adapt to changes in technology and market
developments. In addition, the extent to which the proposed rule's
standards and the ability to enforce such standards will help reduce
the frequency and severity of SCI events is unknown. Therefore, much of
the discussion is qualitative in nature but, where possible, the
Commission quantifies the costs.
Many, but not all, of the costs of the proposed rules involve a
collection of information, and these costs and burdens are discussed in
the Paperwork Reduction Act Section above.\588\ When monetized, those
estimated burdens and costs for SCI entities total approximately $44
million in initial costs and approximately $37 million in annual
ongoing costs. In addition, in the Economic Cost Section below,\589\
the
[[Page 18165]]
Commission has quantified other costs for SCI entities that total
between approximately $17.6 million \590\ and $132 million \591\ in
initial costs and between $11.7 million \592\ and $88 million \593\ in
annual ongoing costs. When aggregated, the total quantified costs for
SCI entities are estimated as between approximately $61.6 million \594\
and $176 million \595\ in initial costs and between $48.7 million \596\
and $125 million \597\ in annual ongoing costs. In addition to the
costs to SCI entities, the Commission also preliminarily estimates the
total costs to members or participants of SCI entities to participate
in the business continuity and disaster recovery plans testing
specified by proposed Rule 1000(b)(9) to be $66 million annually.\598\
Thus, the total quantified costs for SCI entities and members or
participants of SCI entities are estimated as between approximately
$127.6 million \599\ and $242 million \600\ in initial costs and
between $114.7 million \601\ and $191 million \602\ in annual ongoing
costs. A detailed discussion of other potential economic costs of the
proposal, such as potential costs to the Commission and potential
burdens on competition, is provided below.
---------------------------------------------------------------------------
\588\ See supra Section IV.
\589\ See infra Section V.C.4.a (estimating the cost for: (i)
Complying with the substantive requirements that are the subject of
the policies and procedures required by proposed Rules 1000(b)(1)
and (2), including consistency with SCI industry standards (which,
solely for purposes of this Economic Analysis, would be the proposed
SCI industry standards contained in the publications identified in
Table A); (ii) establishing and maintaining a methodology for
ensuring that the SCI entity is prepared for the corrective action
requirement under proposed Rule 1000(b)(3); and (iii) establishing
and maintaining a methodology for determining whether an SCI event
is an immediate notification SCI event or a dissemination SCI
event).
\590\ See infra note 634 (estimating cost for complying with the
substantive requirements underlying policies and procedures required
by proposed Rules 1000(b)(1) and (2)).
\591\ See infra note 635 (estimating cost for complying with the
substantive requirements underlying policies and procedures required
by proposed Rules 1000(b)(1) and (2)).
\592\ See infra note 639 (estimating cost for complying with the
substantive requirements underlying policies and procedures required
by proposed Rules 1000(b)(1) and (2)).
\593\ See infra note 640 (estimating cost for complying with the
substantive requirements underlying policies and procedures required
by proposed Rules 1000(b)(1) and (2)).
\594\ $61.6 million = $44 million (PRA cost) + $17.6 million
(other costs for SCI entities).
\595\ $176 million = $44 million (PRA cost) + $132 million
(other costs for SCI entities).
\596\ $48.7 million = $37 million (PRA cost) + $11.7 million
(other costs for SCI entities).
\597\ $125 million = $37 million (PRA cost) + $88 million (other
costs for SCI entities).
\598\ See infra note 643 and accompanying text.
\599\ $127.6 million = $44 million (PRA cost) + $17.6 million
(other costs for SCI entities) + $66 million (costs for members or
participants of SCI entities).
\600\ $242 million = $44 million (PRA cost) + $132 million
(other costs for SCI entities) + $66 million (costs for members or
participants of SCI entities).
\601\ $114.7 million = $37 million (PRA cost) + $11.7 million
(other costs for SCI entities) + $66 million (costs for members or
participants of SCI entities).
\602\ $191 million = $37 million (PRA cost) + $88 million (other
costs for SCI entities) + $66 million (costs for members or
participants of SCI entities).
---------------------------------------------------------------------------
2. Economic Benefits
Broadly, although the current practices of some SCI entities
already satisfy some of the requirements of proposed Regulation SCI,
the Commission preliminarily believes that proposed Regulation SCI
would bring several overarching benefits to the securities markets.
First and most significantly, the Commission preliminarily believes
that proposed Regulation SCI would promote more robust systems and
hence fewer systems disruptions and market-wide closures, systems
compliance issues, and systems intrusions. As a result, the Commission
expects fewer interruptions to SCI systems, including systems that
directly support execution facilities, matching engines, and the
dissemination of market data, and fewer errors with the pricing of
securities, which should promote price efficiency. The Commission also
expects fewer interruptions to other SCI systems, including systems
that directly support regulatory systems and surveillance systems,
which should help ensure compliance with relevant laws and rules. In
addition, the Commission would expect fewer interruptions to SCI
security systems, which should help prevent problems that could lead to
disruption of an SCI entity's general operations and, ultimately, its
market-related activities.\603\
---------------------------------------------------------------------------
\603\ See supra Section III.B.2, discussing the Commission's
proposed definitions of SCI systems and SCI security systems.
---------------------------------------------------------------------------
Second, the Commission preliminarily believes that proposed
Regulation SCI would enhance the availability of relevant information
to members or participants of SCI entities and promote dissemination of
information to persons (i.e., members or participants of SCI entities)
who are most directly affected by dissemination SCI events and who
would most naturally need, want, and be able to act on the information.
The increased availability of information regarding SCI events should
reduce the costs to members or participants of SCI entities when
evaluating SCI entities and improve their ability to make more informed
decisions about whether or not to avoid dealing with entities that
experience significant systems issues. This enhanced information, as
well as the improved price efficiency, should lead to greater
allocative efficiency of capital. Moreover, it is expected that the
increased awareness of dissemination SCI events would enhance
competition among SCI entities with respect to the maintenance of
robust systems.
Third, the Commission preliminarily believes that fewer market-
wide, unscheduled shutdowns would have many of the same benefits as
avoidance of temporary shutdowns, but on a greater scale. Fourth, the
Commission preliminarily believes that its own ability to monitor the
markets and ensure their smooth functioning would be significantly
enhanced by proposed Regulation SCI. These potential benefits are
discussed in more detail below in relation to each of the proposed
rules.
a. Rule 1000(a) Definitions
In general, the definitions in Rule 1000(a) either clarify a
provision or circumscribe the scope of a provision in proposed
Regulation SCI. Therefore, many of the costs and benefits associated
with the impacts of the definitions are incorporated in the discussion
below on the costs and benefits of the substantive provisions where the
definitions are used.
This section contains a discussion of the benefits of the expansion
in scope that are not discussed above. In summary, the Commission
preliminarily believes that the proposed definitions of ``SCI entity''
and ``SCI event,'' although they would broaden the scope of Regulation
SCI beyond the scope of the ARP Inspection Program, are essential parts
of proposed Regulation SCI.
i. SCI Entities
As explained above, the difference between the entities that
currently participate in the ARP Inspection Program and the entities
covered by proposed Regulation SCI is the inclusion of additional ATSs
and the MSRB. Because no ATSs currently meet the thresholds specified
in Rule 301(b)(6) of Regulation ATS, other than the one ATS that
currently participates in the ARP Inspection Program, none are subject
to the systems safeguard requirements under that rule even though they
comprise a significant portion of consolidated volume.\604\ The
Commission preliminarily believes that the inclusion of SCI ATSs under
proposed Regulation SCI would help ensure that ATSs, which serve as
markets to bring buyers and sellers together in the national market
system, are subject to rules regarding systems capacity, integrity,
resiliency, availability, security, and compliance, including those
rules that could help prevent SCI events and that require Commission
reporting and the dissemination of information to
[[Page 18166]]
members or participants of SCI entities.\605\ The Commission
preliminarily believes that the inclusion of the MSRB in proposed
Regulation SCI would provide benefits to the market because, as noted
above, the MSRB is the only SRO relating to municipal securities and
the sole provider of consolidated market data for the municipal
securities market.\606\
---------------------------------------------------------------------------
\604\ As noted above, one ATS voluntarily participates in the
ARP Inspection Program. See supra note 25.
\605\ Proposed Regulation SCI would not expand the types of
securities currently covered by the ARP Inspection Program and Rule
301(b)(6) of Regulation ATS. The Commission recognizes that although
currently no ATSs are subject to the systems safeguard requirements
under Rule 301(b)(6) because they do not satisfy the thresholds in
that rule, the Commission estimates that approximately 15 ATSs would
be subject to proposed Regulation SCI.
\606\ As discussed above, in 2008, the Commission amended Rule
15c2-12 to designate the MSRB as the single centralized disclosure
repository for continuing municipal securities disclosure. In 2009,
the MSRB established EMMA, which serves as the official repository
of municipal securities disclosure, providing the public with free
access to relevant municipal securities data, and is the central
database for information about municipal securities offerings,
issuers, and obligors. Additionally, the MSRB's RTRS, with limited
exceptions, requires municipal bond dealers to submit transaction
data to the MSRB within 15 minutes of trade execution, and such near
real-time post-trade transaction data can be accessed through the
MSRB's EMMA Web site. See supra note 96.
---------------------------------------------------------------------------
ii. Systems and SCI Events
As stated above, proposed Regulation SCI would expand on current
practice, would apply to a broader range of systems, and would include
more event types. Specifically, entities that participate in the ARP
Inspection Program follow the ARP policy statements with respect to
systems that directly support trading, clearance and settlement, order
routing, and market data. The proposed definition of ``SCI systems''
would include the foregoing systems as well as those that directly
support regulation and surveillance. The Commission preliminarily
believes that including regulation and surveillance systems could help
ensure the SCI entity's ability to monitor its compliance with relevant
laws, rules, and its own rules, and detect any violations of such laws
or rules. Further, the provisions of proposed Regulation SCI regarding
systems security and intrusions also would apply to ``SCI security
systems.'' \607\ Because SCI security systems may present potentially
vulnerable entry points to an SCI entity's network, the Commission also
preliminarily believes that it is important for proposed Regulation SCI
to include those systems with respect to security standards and systems
intrusions.\608\
---------------------------------------------------------------------------
\607\ See supra Section III.B.2, discussing the Commission's
proposed definitions of SCI systems and SCI security systems.
\608\ See id.
---------------------------------------------------------------------------
By defining SCI events to include systems disruptions, systems
compliance issues, and systems intrusions, proposed Regulation SCI
would further assist the Commission in its oversight of SCI entities.
As stated above, SCI entities already follow practices similar to parts
of proposed Regulation SCI for certain systems disruptions and systems
intrusions. The inclusion of systems compliance issues should help the
Commission and market participants to become better informed of the
efforts of the SCI entities to comply with relevant laws and rules, and
their own rules as applicable, and could enhance the enforcement of
such laws and rules. Further, by defining a dissemination SCI event to
include a subset of SCI events (i.e., a systems compliance issue,
systems intrusion, or systems disruption that would result, or the SCI
entity reasonably estimates would result in significant harm or loss to
market participants), proposed Regulation SCI would further assist SCI
entity members or participants in their decisions regarding whether or
not to utilize the systems of a given SCI entity.
b. Rule 1000(b)(1)-(10) Requirements for SCI Entities
The development and growth of automated electronic trading have
allowed increasing volumes of securities transactions across the
multitude of trading centers that constitute the U.S. national market
system. These securities transactions take place within an
interconnected market where systems disruptions, systems compliance
issues, and systems intrusions at one market center can impact or harm
trading throughout the entire national market system. Thus, there is a
need for operators of significant market systems, such as SCI entities,
to have in place robust systems to prevent systems issues or, in the
event that systems issues occur, to recover quickly.
Proposed Rule 1000(b)(1)-(2) would set forth requirements relating
to written policies and procedures that SCI entities would be required
to establish, maintain, and enforce. Proposed Rule 1000(b)(1) would
require an SCI entity to establish, maintain, and enforce written
policies and procedures reasonably designed to ensure that its SCI
systems and, for purposes of security standards, SCI security systems,
have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity's operational capability
and promote the maintenance of fair and orderly markets.
The rule would further provide that an SCI entity's policies and
procedures must include the establishment of reasonable current and
future capacity planning estimates, periodic capacity stress tests, a
program to review and keep current systems development and testing
methodology of such systems, regular reviews and testing of such
systems, including backup systems, business continuity and disaster
recovery plans, and standards that result in such systems facilitating
the successful collection, processing, and dissemination of market
data.\609\ As discussed above, the Commission regards SCI entities as
part of the critical infrastructure of the U.S. securities markets and
therefore, although proposed Rule 1000(b)(1)(i)(A)-(E) would codify
certain provisions of the ARP policy statements, the Commission
preliminarily believes that specifically setting forth these
requirements in a Commission rule would benefit the securities markets
by helping to diminish the risks and incidences of systems intrusions,
systems compliance issues, and systems disruptions. Such policies and
procedures should also assist in speedy recoveries from systems
intrusions, systems compliance issues, and systems disruptions.
Proposed Rule 1000(b)(1)(i)(F) does not have precedent in Regulation
ATS or the ARP policy statements, and would require SCI entities to
have standards that result in such systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of
market data. The Commission preliminarily believes that this proposal
should help to ensure that timely and accurate market data is available
to all market participants.
---------------------------------------------------------------------------
\609\ See proposed Rule 1000(b)(1)(i)(A)-(F), discussed in supra
Section III.C.1.a.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(1)(ii) would deem an SCI entity's policies
and procedures required by proposed Rule 1000(b)(1) to be reasonably
designed if they are consistent with current SCI industry
standards.\610\ Thus, the SCI industry standards would provide
flexibility to allow each SCI entity to determine how to best meet the
requirements in proposed Rule 1000(b)(1), taking into account, for
example, its nature, size, technology, business model, and other
aspects of its business, because compliance with SCI
industry standards would not be the exclusive means by which an SCI
entity could satisfy the requirements of proposed Rule 1000(b)(1).
---------------------------------------------------------------------------
\610\ Proposed SCI industry standards are contained in the
publications that are set forth in Table A. See supra Section
III.C.1.b.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(2)(i), which would require written policies
and procedures reasonably designed to ensure that an SCI entity's SCI
systems operate in the manner intended, should help to minimize
instances where systems do not operate in compliance with the federal
securities laws and rules and regulations thereunder and, as
applicable, the entity's rules and governing documents. In particular,
the elements of the safe harbor for SCI entities in proposed Rule
1000(b)(2)(ii)(A) relating to policies and procedures on testing and
monitoring also should help to ensure, on an ongoing basis, that an SCI
entity's SCI systems operate in the manner intended, including in a
manner that complies with the federal securities laws and rules and
regulations thereunder and, as applicable, the entity's rules and
governing documents, thus minimizing systems compliance issues and
consequently the total time needed to bring a system back into
compliance.\611\ In addition, the elements of the safe harbor in
proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures for
systems compliance assessments by personnel familiar with applicable
laws and rules and systems reviews by regulatory personnel should help
ensure the performance of effective compliance audits and reviews, and
should help provide assurance that SCI entities are operating in
compliance with applicable laws and rules.
---------------------------------------------------------------------------
\611\ As noted above, the Commission recognizes that SCI
entities are already required to comply with federal securities
laws, rules and regulations thereunder, and their own rules.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(3), which would require an SCI entity to
begin taking appropriate corrective action upon any responsible SCI
personnel becoming aware of an SCI event, should further help ensure
that SCI entities invest sufficient resources as soon as reasonably
practicable to address systems intrusions, systems compliance issues,
and systems disruptions.\612\
---------------------------------------------------------------------------
\612\ As noted above, the Commission believes that SCI entities
already take corrective actions in response to systems issues.
---------------------------------------------------------------------------
Moreover, proposed Rules 1000(b)(1)-(3) should improve price
efficiency by reducing the likelihood and duration of systems issues,
thereby helping to avoid the price inefficiencies that occur during
times when systems disruptions, systems compliance issues, or systems
intrusions can make systems unavailable or unreliable. Specifically,
systems issues that could impact the accuracy or the timeliness, and
thus the reliability, of market data could lead to inaccuracies in
pricing, slow down pricing, and make data less reliable. Therefore,
to the extent that proposed Rules 1000(b)(1)-(3) could reduce the
likelihood or duration of systems issues, they may lead to more
reliable market data (because there would be fewer inaccuracies and the
market data would be more timely), which could help improve the quality
of market data. This, in turn, could enhance price efficiency in the
market for market data, which then could promote allocative efficiency
of capital and capital formation.
Proposed Regulation SCI is intended, in part, to facilitate the
Commission's ability to monitor the impact on the securities markets by
SCI entities' systems that support the performance of the entities'
activities. The Commission preliminarily believes that proposed Rules
1000(b)(1)-(3), as well as 1000(b)(4), would provide for more effective
Commission oversight of the operation of the systems of SCI entities.
Specifically, while entities that participate in the ARP Inspection
Program already notify Commission staff of certain systems issues, the
Commission preliminarily believes that proposed Rule 1000(b)(4),
relating to Commission notification of SCI events, should further
enhance the effectiveness of Commission oversight of the operation of
SCI entities. Under the proposed rule, upon any responsible SCI
personnel becoming aware of an immediate notification SCI event,\613\
an SCI entity would be required to notify the Commission of the SCI
event. Within 24 hours of any responsible SCI personnel becoming aware
of an SCI event, an SCI entity would be required to submit a written
notification pertaining to such SCI event on Form SCI. Until such time
as the SCI event is resolved, the SCI entity would be required to
provide updates regularly, or at such frequency as requested by an
authorized representative of the Commission. Although this process
would represent costs to an SCI entity,\614\ the documentation of SCI
events will help prevent such systems failures from being dismissed or
ignored as glitches or momentary issues because it would focus the SCI
entity's attention on the issue and encourage allocation of SCI entity
resources to resolve the issue as soon as reasonably practicable.
---------------------------------------------------------------------------
\613\ See supra Section III.C.3.b.
\614\ See supra Section IV.D.2.a.
---------------------------------------------------------------------------
As noted above, the Commission is concerned that members or
participants of SCI entities may be unaware of the occurrence of some
SCI events, and therefore may make decisions without all relevant
information. Proposed Rule 1000(b)(5) would require an SCI entity, upon
any responsible SCI personnel becoming aware of a dissemination SCI
event other than a systems intrusion, to disseminate certain
information regarding the dissemination SCI event to its members or
participants.\615\ Such information would include the systems affected
by the event and a summary description of the event. When known, the
SCI entity would be required to further disseminate to its members or
participants: a detailed description of the SCI event; its current
assessment of the types and number of market participants potentially
affected by the SCI event; and a description of the progress of its
corrective action for the SCI event and when the SCI event has been or
is expected to be resolved. An SCI entity also would be required to
provide regular updates to members or participants regarding the
disseminated information. The Commission preliminarily believes that
proposed Rule 1000(b)(5) would help market participants--specifically
the members or participants of SCI entities--to better evaluate the
operations of SCI entities based on more readily available information.
---------------------------------------------------------------------------
\615\ For a dissemination SCI event that is a systems intrusion,
an SCI entity must disseminate to members or participants a summary
description of the systems intrusion, including a description of the
corrective action taken by the SCI entity and when the systems
intrusion has been or is expected to be resolved, unless it
determines that dissemination of such information would likely
compromise the security of the SCI entity's SCI systems or SCI
security systems, or an investigation of the systems intrusion.
---------------------------------------------------------------------------
As discussed above,\616\ the Commission believes that the existing
competition among the markets has not sufficiently mitigated the
occurrence of certain systems problems, and thus preliminarily believes
that requiring the dissemination of information about certain SCI
events, as described above, to members or participants could
potentially further incentivize SCI entities to create more robust
systems. In addition, targeting this set of market participants (i.e.,
an SCI entity's members or participants) to receive information about
dissemination SCI events has the benefit of providing the information
to those that are most likely to need, want, and act on the
information, without imposing the additional costs associated with
requiring broader public dissemination. Moreover, another benefit of
increased dissemination of information about dissemination SCI events
to SCI entity
members or participants would be the resultant reduction in search
costs for market participants when they are gathering information to
make a determination with respect to the use of an entity's services.
Also, proposed Rule 1000(b)(5) would require SCI entities to
disseminate specified information for dissemination SCI events, which
would allow market participants to more easily compare the available
information from all SCI entities for which they are members or
participants. The foregoing benefits would be further enhanced to the
extent information relating to dissemination SCI events is shared by
members or participants of SCI entities with other market participants.
Lastly, because an SCI entity would be permitted to delay dissemination
of information regarding a systems intrusion to members or participants
if it determines that such information would likely compromise the
security of its SCI systems or SCI security systems, or an
investigation of the systems intrusion, proposed Rule 1000(b)(5) would
not undermine the need to maintain the non-public nature of certain
systems intrusions for a temporary period (until the SCI entity
determines that dissemination of such information would not likely
compromise the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion).
---------------------------------------------------------------------------
\616\ See supra Section V.B.2.
---------------------------------------------------------------------------
In summary, because proposed Regulation SCI would, among other
things, require SCI entities to provide members and participants with
more information regarding their operations, the Commission
preliminarily believes that SCI entities would have additional
incentives to establish and maintain more robust automated systems to
minimize the occurrence of SCI events. Fewer systems issues could
improve pricing efficiency which, in turn, could promote allocative
efficiency of capital and thus, capital formation.
In addition to the Commission notification requirements under
proposed Rule 1000(b)(4), the Commission preliminarily believes that
proposed Rule 1000(b)(6) would enhance the Commission's oversight of
the operation of SCI entities, even though entities participating in
the ARP Inspection Program may already provide these types of
notifications to Commission staff. Proposed Rule 1000(b)(6) would
require an SCI entity to notify the Commission on Form SCI of material
systems changes at least 30 calendar days before the implementation of
any planned material systems change. In the case of exigent
circumstances, or if the information previously provided regarding a
planned material systems change becomes materially inaccurate, proposed
Rule 1000(b)(6) would require oral or written notification as early as
reasonably practicable. Any oral notification of planned material
systems change must be memorialized within 24 hours by a written
notification on Form SCI. The Commission preliminarily believes that
this provision would provide the Commission and its staff advance
notice and time to evaluate planned material systems changes by SCI
entities, thus improving the Commission's ability to oversee SCI
entities.
Proposed Rule 1000(b)(7) would require an SCI entity to conduct an
SCI review of its compliance with Regulation SCI not less than once
each calendar year, and submit a report of the SCI review to senior
management of the SCI entity for review no more than 30 calendar days
after completion of such SCI review. The Commission preliminarily
believes that the proposal to require SCI entities to conduct an
objective assessment of their systems at least annually would result in
SCI entities having an improved awareness of the relative strengths and
weaknesses of their systems independent of the assessment of ARP staff,
which should in turn improve the value and efficiency of an ARP
inspection.
Proposed Rule 1000(b)(8) would require each SCI entity to submit
certain periodic reports to the Commission through Form SCI, including
annual reports on the SCI reviews of its compliance with Regulation SCI
and semi-annual reports on the progress of material systems changes.
These reports should keep the Commission informed, on an ongoing basis,
by providing information with which the Commission could evaluate each
SCI entity's compliance with Regulation SCI and the progress of its
material systems changes.
The Commission preliminarily believes that proposed Rules
1000(b)(1)-(8), taken together, should result in actual systems
improvements as well as enhanced availability of relevant information
regarding SCI events to the Commission and members or participants of
SCI entities. This, in turn, could facilitate better decisions by
market participants, which could promote allocative efficiency of
capital and capital formation, potentially providing an overall benefit
to the securities markets and promoting the protection of investors and
the public interest. Additionally, the means by which trading is
conducted may be altered as a result of Regulation SCI. For example, if
an SCI entity member or participant submits orders to a particular
market for execution, and subsequently learns that the execution
venue's systems in use may be prone to failure, such member or
participant may choose to favor another market in the future. This
change would potentially enhance competition as SCI entity members or
participants rely on information disseminated regarding dissemination
SCI events to make more informed choices about the best venue for
execution.
Proposed Rule 1000(b)(9)(i) would require an SCI entity, with
respect to its business continuity and disaster recovery plans,
including its backup systems, to require participation by designated
members or participants in scheduled functional and performance testing
of the operation of such plans, in the manner and frequency as
specified by the SCI entity, at least once every 12 months. Proposed
Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate
such testing on an industry- or sector-wide basis with other SCI
entities. The Commission expects that this proposed requirement should
help ensure that the securities markets will have improved backup
infrastructure and fewer market-wide shutdowns, thus helping SCI
entities and other market participants to avoid lost revenues and
profits that would otherwise result from such shutdowns. Further, the
notifications required by proposed Rule 1000(b)(9)(iii) should keep the
Commission informed, on an ongoing basis, of an SCI entity's current
standards for designating members or participants and current list of
designees.
c. Rule 1000(c)-(f)--Recordkeeping, Electronic Filing, and Access
While all SCI entities already are subject to some recordkeeping
and access requirements, the Commission preliminarily believes the
proposed recordkeeping and access requirements specifically related to
proposed Regulation SCI would enhance the ability of the Commission to
evaluate SCI entities' compliance. Specifically, proposed Rule 1000(c)
would require each SCI entity, other than an SCI SRO, to make, keep,
and preserve at least one copy of all documents and records relating to
its compliance with Regulation SCI for a period of not less than five
years.\617\ Each SCI entity also would be required to furnish such
documents to Commission representatives upon request. Further,
according to proposed Rule 1000(e), if the records required to be filed
or kept by an SCI entity under proposed Regulation SCI are prepared or
maintained by a service bureau or other recordkeeping service on behalf
of the SCI entity, the SCI entity must ensure that such records are
available to review by the Commission and its representatives by
submitting a written undertaking by such service bureau or
recordkeeping service to that effect. The Commission preliminarily
believes that these proposed rules should allow Commission staff to
perform efficient inspections and examinations of SCI entities for
their compliance with the proposed rules, and should increase the
likelihood that Commission staff may identify conduct inconsistent with
the proposed rules at earlier stages in the inspection and examination
process.
---------------------------------------------------------------------------
\617\ As discussed above in Section III.D.1, Regulation SCI-
related documents would already be included in SCI SROs'
comprehensive recordkeeping requirements under Rule 17a-1 under the
Exchange Act.
---------------------------------------------------------------------------
Proposed Rule 1000(d) would require SCI entities to electronically
submit all written information to the Commission through Form SCI
(except any written notification submitted pursuant to proposed Rule
1000(b)(4)(i)). The Commission preliminarily believes that this
provision would allow the Commission to receive information in a
uniform electronic format with specified content, which would enhance
Commission staff's ability to review and analyze submitted information.
Finally, proposed Rule 1000(f) would require each SCI entity to
give Commission representatives reasonable access to its SCI systems
and SCI security systems to allow Commission representatives to assess
its compliance with proposed Regulation SCI. The Commission
preliminarily believes that this provision would enhance Commission
oversight by specifically highlighting the Commission's authority to
have its representatives directly access and examine SCI entities'
systems to confirm their compliance with proposed Regulation SCI.
The Commission preliminarily believes that these requirements would
place the Commission in a stronger position to assess the risks
relating to SCI entities' systems and, thus, would provide the
Commission with greater ability to protect investors. The Commission
also preliminarily believes that its oversight should help ensure that
SCI entities are reasonably equipped to handle market demand and
provide liquidity, including during periods of market distress.
3. Economic Costs
a. Direct Compliance Costs
The Commission recognizes that proposed Regulation SCI would impose
costs on SCI entities, as well as costs on certain members or
participants of SCI entities. The Commission preliminarily believes
that the majority of these costs would be direct compliance costs. SCI
entities would incur costs in establishing, maintaining, and enforcing
policies and procedures related to systems capacity, integrity,
resiliency, availability, security, and compliance.\618\ SCI entities
also would incur costs in taking appropriate corrective actions upon
any responsible SCI personnel becoming aware of an SCI event,\619\
notifying and updating the Commission with respect to the occurrence of
SCI events,\620\ disseminating information to members or participants
regarding dissemination SCI events,\621\ notifying the Commission of
material systems changes,\622\ conducting SCI reviews,\623\ submitting
to the Commission periodic reports,\624\ requiring designated members
to participate in testing of business continuity and disaster recovery
plans and coordinating such testing,\625\ and complying with
recordkeeping and access requirements.\626\
---------------------------------------------------------------------------
\618\ See proposed Rules 1000(b)(1) and (2). These proposed
rules would also impose costs for outside legal and/or consulting
advice, as set forth in the Paperwork Reduction Act Section above.
See supra Section IV.
\619\ See proposed Rule 1000(b)(3).
\620\ See proposed Rule 1000(b)(4).
\621\ See proposed Rule 1000(b)(5). This proposed rule would
also impose costs for outside legal advice, as set forth in the
Paperwork Reduction Act discussion above. See supra Section IV.
\622\ See proposed Rule 1000(b)(6).
\623\ See proposed Rule 1000(b)(7).
\624\ See proposed Rule 1000(b)(8).
\625\ See proposed Rule 1000(b)(9).
\626\ See proposed Rules 1000(c), (e), and (f).
---------------------------------------------------------------------------
As stated above in Section IV.D, proposed Regulation SCI would
codify many of the ARP policy statement principles familiar and
applicable to current participants in the ARP Inspection Program. The
Commission recognizes, however, that the proposed rules would apply to
entities that are not currently covered by the ARP Inspection Program,
and would cover areas not currently within the scope of the ARP
Inspection Program. Thus, those costs are incremental relative to the
current compliance cost of the ARP Inspection Program.
While proposed Regulation SCI would codify the provisions of the
ARP policy statements, the proposed definitions of ``SCI entity,''
``SCI event,'' ``SCI systems,'' and ``SCI security systems'' are
broader than the entities, events, and systems covered by the ARP
Inspection Program and, as stated above, will include more entities,
events, and systems. Specifically, proposed Rule 1000(b)(1)(i) would
codify aspects of the ARP policy statements \627\ with the exception of
Rule 1000(b)(1)(i)(F), which would require policies and procedures
regarding standards that result in systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of
market data. In addition, because the ARP policy statements provide
that SROs should promptly notify Commission staff of certain system
outages and any instances in which unauthorized persons gained or
attempted to gain access to their systems, proposed Rule 1000(b)(4),
among other things, would codify parts of the ARP policy
statements.\628\ Further, because the ARP policy statements provide
that SROs should notify Commission staff of certain changes to their
automated systems, proposed Rule 1000(b)(6) would codify a part of the
ARP policy statements.\629\ Lastly, because the ARP policy statements
provide that SROs should undertake reviews of their systems, proposed
Rule 1000(b)(7), among other things, would reflect this part of the ARP
policy statements. With respect to the proposed requirements that are
not currently covered by the ARP Inspection Program, they include:
policies and procedures in addition to those required by proposed Rule
1000(b)(1)(i)(A)-(E) that would be necessary to achieve policies and
procedures reasonably designed to ensure that systems of an SCI entity
have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity's operational capability
and promote the maintenance of fair and orderly markets; policies and
procedures reasonably designed to ensure the operation of SCI systems
in the manner intended; the initiation of appropriate corrective
actions upon any responsible SCI personnel becoming aware of an SCI
event; the dissemination of information to members or participants;
requirements regarding member or participant testing; and recordkeeping
and access with respect to Regulation SCI-related documents.
---------------------------------------------------------------------------
\627\ Rule 301(b)(6) of Regulation ATS also contains similar
requirements for ATSs that meet the thresholds in that rule.
\628\ However, because of the proposed definition of ``SCI
event,'' SCI entities must also report systems compliance issues to
the Commission. Proposed Regulation SCI would also set forth
detailed and specific requirements with respect to Commission
notifications.
\629\ Again, proposed Regulation SCI would also set forth more
detailed and specific requirements with respect to such Commission
notifications.
---------------------------------------------------------------------------
Many of these incremental costs are calculated in detail in the
Paperwork Reduction Act Section above, which estimates that the total
one-time initial burden for all SCI entities to comply with Regulation
SCI would be approximately 133,482 hours and $2.6 million, and that the
total annual ongoing burden for all SCI entities to comply with
Regulation SCI would be approximately 117,258 hours and $738,400.
In addition to the direct cost estimates derived from the Paperwork
Reduction Act burdens, the Commission preliminarily believes that SCI
entities could incur costs when enforcing the policies and procedures
required under proposed Rules 1000(b)(1) and (2), taking corrective
action to mitigate the potential harm resulting from an SCI event under
proposed Rule 1000(b)(3), and in determining whether an SCI event is an
immediate notification SCI event or meets the definition of a
dissemination SCI event under proposed Rule 1000(a).
As discussed in detail in Section III.C.1 above, proposed Rule
1000(b)(1) would require SCI entities to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that their SCI systems and, for purposes of security standards, SCI
security systems, have levels of capacity, integrity, resiliency,
availability, and security, adequate to maintain the SCI entity's
operational capability and promote the maintenance of fair and orderly
markets. In addition to the burden of establishing and maintaining such
policies and procedures as set forth in the Paperwork Reduction Act
Section above, the Commission preliminarily believes that SCI entities
would incur costs in enforcing the substantive requirements that are
the subject of the policies and procedures.
Further, as discussed in detail in Section III.C.2 above, proposed
Rule 1000(b)(2) would require SCI entities to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that their SCI systems operate in the manner intended, including in a
manner that complies with federal securities laws and rules and
regulations thereunder and the entity's rules and governing documents,
as applicable. In addition to the burden of establishing and
maintaining such policies and procedures as set forth in the Paperwork
Reduction Act Section above, the Commission preliminarily believes that
SCI entities would incur costs in enforcing the substantive
requirements that are the subject of the policies and procedures.
As noted above,\630\ NIST is an agency within the U.S. Department
of Commerce that has issued numerous special publications regarding
information technology systems. For example, one of the publications
listed in Table A is the NIST Draft Security and Privacy Controls for
Federal Information Systems and Organizations (Special Publication 800-
53 Rev. 4) (February 2012) (``NIST 800-53'').\631\ This publication is
a security controls catalog providing guidance for selecting and
specifying security controls for federal information systems and
organizations. NIST 800-53 addresses how federal entities should
achieve secure information systems, taking into account the fundamental
elements of: (i) Multitiered risk management; (ii) the structure and
organization of controls; (iii) security control baselines; (iv) the
use of common controls and inheritance of security capabilities; (v)
external environments and service providers; (vi) assurance and
trustworthiness; and (vii) revisions and extensions to security
controls and control baselines, among others. Although NIST 800-53 sets
forth standards for federal agencies, it is also intended to serve a
diverse audience of information system and information security
professionals, including those having information system, security,
and/or risk management and oversight responsibilities, information
system development responsibilities, information security
implementation and operational responsibilities, information security
assessment and monitoring responsibilities, as well as commercial
companies producing information technology products, systems, security-
related technologies, and security services.\632\
---------------------------------------------------------------------------
\630\ See supra Section III.C.1.b.
\631\ See NIST 800-53, available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
\632\ See id. at 3.
---------------------------------------------------------------------------
The Commission preliminarily believes that many SCI entities will
choose to establish, maintain, and enforce policies and procedures that
are consistent with the proposed SCI industry standards contained in
the publications set forth in Table A for purposes of satisfying the
requirements of proposed Rule 1000(b)(1). However, as noted above,
compliance with the identified SCI industry standards would not be the
exclusive means to comply with the requirements of proposed Rule
1000(b)(1). The Commission understands that the Table A publications,
including NIST 800-53, are familiar to information technology personnel
employed by many SCI entities, and that some SCI entities, particularly
the SCI SROs and plan processors that participate in the ARP Inspection
Program, currently adhere to all or at least some of the standards in
NIST 800-53, or similar standards set forth in publications issued by
other standards setting bodies, with some entities fully or nearly
fully implementing such standards, while other entities may not have
implemented such standards as broadly. For SCI entities that are not
part of the ARP Inspection Program, while such entities may be familiar
with such publications and standards generally, the Commission is not
certain as to the level of compliance with such standards, and believes
that there may be some such entities that are fully or nearly fully
compliant, while others may have little or no compliance with such
standards.
With respect to the substantive systems requirements resulting from
adherence to SCI industry standards (which, solely for purposes of this
Economic Analysis Section, the Commission assumes to be the proposed
SCI industry standards contained in the publications identified in
Table A, or publications setting forth substantially similar standards)
underlying proposed Rule 1000(b)(1), as noted above, the Commission
believes that certain entities that would satisfy the definition of SCI
entity, particularly some that currently participate in the ARP
Inspection Program, already comply with some of the requirements. On
the other hand, the Commission believes that some SCI entities,
including some that currently participate in the ARP Inspection
Program, do not currently comply with some or all of the proposed
requirements. Further, although the Commission believes that each SCI
entity would incur costs in complying with these requirements, the
Commission believes that some entities already comply with SCI industry
standards with respect to some of their systems. Moreover, the
Commission acknowledges that certain SCI entities are larger or more
complex than others, and that proposed Rule 1000(b)(1) would impose
higher costs on larger and more complex systems.
Because the Commission does not at this time have sufficient
information to reasonably estimate each SCI entity's current level of
compliance with the proposed SCI industry standards contained in the
publications set forth in Table A, the Commission estimates a
[[Page 18171]]
range of average costs for each SCI entity to comply with such
standards. The Commission acknowledges that some SCI entities would
incur costs near the bottom of the range because their systems policies
and procedures currently meet SCI industry standards (which, as noted
above, solely for purposes of this Economic Analysis Section, the
Commission assumes to be the proposed SCI industry standards contained
in the publications identified in Table A or in substantially similar
publications). On the other hand, some SCI entities would incur costs
near the middle or top of the range because their systems policies and
procedures do not currently meet such standards. Because the Commission
lacks sufficient information regarding the current practices of all SCI
entities, the Commission seeks comment on the extent to which SCI
entities already have in place systems policies and procedures that
would meet the proposed SCI industry standards (which, solely for
purposes of this Economic Analysis Section, the Commission assumes to
be the proposed SCI industry standards contained in the publications
identified in Table A or in substantially similar publications).
Further, unlike the Paperwork Reduction Act Section where the
Commission estimates a fifty-percent baseline with respect to proposed
Rule 1000(b)(1)(i)(A)-(E) for entities that currently participate in
the ARP Inspection Program, the Commission preliminarily estimates the
same cost range for all SCI entities for compliance with the proposed
substantive requirements that are the subject of the policies and
procedures. On the one hand, the Commission believes that certain SCI
entities (in particular, some entities that participate in the ARP
Inspection Program) may already comply with some of the substantive
requirements and thus would incur less incremental cost for complying
with such requirements. On the other hand, the Commission believes that
some SCI entities that currently participate in the ARP Inspection
Program are larger and have more complex systems than those that do not
participate in the ARP Inspection Program and, therefore, would incur
more incremental cost for complying with the substantive requirements.
As such, the Commission preliminarily believes it is unlikely that SCI
entities that do not participate in the ARP Inspection Program would
incur twice the cost incurred by SCI entities that participate in the
ARP Inspection Program to comply with the substantive systems
requirements underlying the policies and procedures required by
proposed Regulation SCI.
Based on discussion with industry participants, the Commission
preliminarily estimates that, to comply with the substantive
requirements that are the subject of the policies and procedures
required by proposed Rules 1000(b)(1) and (2), including consistency
with the SCI industry standards (which, solely for purposes of this
Economic Analysis, the Commission assumes to be the proposed SCI
industry standards contained in the publications identified in Table A
or in substantially similar publications) in connection with proposed
Rule 1000(b)(1), on average, each SCI entity would incur an initial
cost of between approximately $400,000 and $3 million.\633\ Based on
this average, the Commission preliminarily estimates that SCI entities
would incur a total initial cost of between approximately $17.6 million
\634\ and $132 million.\635\ The Commission seeks comment on the
estimated average initial cost range for SCI entities to comply with
the substantive requirements underlying the policies and procedures
required by proposed Rules 1000(b)(1) and (2).
---------------------------------------------------------------------------
\633\ The Commission preliminarily estimates a range of cost for
complying with the substantive requirements that are the subject of
the policies and procedures required by proposed Rules 1000(b)(1)
and (2) because some SCI entities are already in compliance with
some of these substantive requirements. For example, the Commission
believes that many SCI SROs (e.g., certain national securities
exchanges and registered clearing agencies) already have or have
begun implementation of business continuity and disaster recovery
plans that include maintaining backup and recovery capabilities
sufficiently resilient and geographically diverse to ensure next
business day resumption of trading and two-hour resumption of
clearance and settlement services following a wide-scale disruption.
\634\ $17.6 million = ($400,000) x (44 SCI entities).
\635\ $132 million = ($3 million) x (44 SCI entities).
---------------------------------------------------------------------------
The preliminary cost estimates described above represent an
estimated average cost range per SCI entity, and the Commission
acknowledges that some of the costs to comply with the substantive
requirements of proposed Rules 1000(b)(1) and (2) may be significantly
higher than the estimated average for some SCI entities, while some of
the costs may be significantly lower for other SCI entities. In
particular, the Commission preliminarily believes that the costs
associated with the requirement in proposed Rule 1000(b)(1)(i)(E) that
an SCI entity have policies and procedures that include maintaining
backup and recovery capabilities sufficiently resilient and
geographically diverse to ensure next business day resumption of
trading and two-hour resumption of clearance and settlement services
following a wide-scale disruption is an area in which different SCI
entities may encounter significantly different compliance costs. For
example, among national securities exchanges, the Commission
understands that many, though not all, national securities exchanges
already have or soon expect to have backup facilities that do not rely
on the same infrastructure components used by their primary facility.
For those national securities exchanges that do not have such backup
facilities, the cost to build and maintain such facilities may result
in their compliance costs being significantly higher than those of
national securities exchanges that already satisfy the proposed
requirement.\636\ The application of the geographic diversity
requirement to other entities, such as ATSs, under the proposed rule,
would depend on the nature, size, technology, business model, and other
aspects of their business.
---------------------------------------------------------------------------
\636\ As noted, solely for purposes of this Economic Analysis,
the Commission has assumed that the SCI industry standards would be
those contained in the publications identified in Table A or in
substantially similar publications. However, as proposed Rule
1000(b)(1)(ii) makes clear, compliance with such current industry
standards, including the geographic diversity requirements contained
in the 2003 Interagency White Paper, supra note 31, is not the
exclusive means to comply with the requirements of proposed Rule
1000(b)(1). See also supra note 182.
---------------------------------------------------------------------------
218. The Commission requests commenters' views on how many SCI
entities would not currently satisfy the proposed requirement relating
to geographic diversity of backup sites. The Commission requests
commenters' views on the costs of establishing backup sites to satisfy
the proposed geographic diversity requirement, particularly for
entities that currently would not satisfy the proposed requirement. In
such a case, given the likely significant cost and time associated with
building such backup sites, how long do commenters believe it would
take for SCI entities to come into compliance with such a proposed
requirement? Would it be appropriate for the Commission to allow an
extended period prior to which compliance with this proposed
requirement would be effective? Why or why not? If so, how long should
such period be and why? Should such an extended period only be
permitted for a subset of SCI entities? If so, how should such a subset
be determined? Please describe.
As noted above, because the Commission does not at this time have
sufficient information to reasonably estimate each SCI entity's current
level
[[Page 18172]]
of compliance with the substantive requirements underlying the policies
and procedures, the Commission preliminarily estimates a range of
average initial costs for each SCI entity to comply with the
substantive requirements underlying the policies and procedures
required by proposed Rules 1000(b)(1) and (2). Based on the estimates
of the initial costs, the Commission estimates a range of average
ongoing cost for each SCI entity to comply with the requirements using
two-thirds of the initial cost. The Commission preliminarily believes
that a two-thirds estimate is appropriate because although proposed
Rules 1000(b)(1) and (2) would require SCI entities to comply with
certain systems requirements including, for example, establishing
reasonable current and future capacity planning estimates on an ongoing
basis, as well as conducting tests and reviews of their systems on an
ongoing basis, the Commission preliminarily believes that SCI entities would
incur an additional initial cost to, for example, revise the underlying
software code of their systems to the extent needed to bring those
systems into compliance with the requirements of the proposed rules.
Therefore, the Commission preliminarily estimates that, to comply with
the substantive requirements that are the subject of the policies and
procedures required by proposed Rules 1000(b)(1) and (2), including
consistency with SCI industry standards in connection with proposed
Rule 1000(b)(1), on average, each SCI entity would incur an ongoing
annual cost of between approximately $267,000 \637\ and $2
million.\638\ Based on this estimated range, the Commission
preliminarily estimates that SCI entities would incur a total ongoing
cost of between approximately $11.7 million \639\ and $88 million.\640\
The Commission seeks comment on the estimated average ongoing cost
range for SCI entities to comply with the substantive requirements
underlying the policies and procedures required by proposed Rules
1000(b)(1) and (2).
---------------------------------------------------------------------------
\637\ $266,667 = $400,000 (estimated initial cost to comply with
the substantive requirements) x (2/3).
\638\ $2 million = $3 million (estimated initial cost to comply
with the substantive requirements) x (2/3).
\639\ $11.7 million = ($266,667) x (44 SCI entities).
\640\ $88 million = ($2 million) x (44 SCI entities).
---------------------------------------------------------------------------
The mandatory testing of SCI entity business continuity and
disaster recovery plans, including backup systems, as proposed to be
required under proposed Rule 1000(b)(9), would place an additional
burden on SCI entities. The Commission believes that some SCI entities
require some or all of their members or participants to connect to
their backup systems \641\ and that most, if not all, SCI entities
already offer their members or participants the opportunity to test
such plans, although they do not currently mandate participation by all
members or participants in such testing. In addition, market
participants, including SCI entities, already coordinate certain
business continuity plan testing to some extent. Thus, the Commission
preliminarily believes that additional costs of proposed Rule
1000(b)(9) to SCI entities would be minimal. However, for SCI entity
members or participants, additional costs could be significant, and
highly variable depending on the business continuity and disaster
recovery plans being tested. However, based on discussions with market
participants, the Commission preliminarily estimates the cost of the
testing of such plans to range from immaterial administrative costs
(for SCI entity members and participants that currently maintain
connections to SCI entity backup systems) to a range of $24,000 to
$60,000 per year per member or participant in connection with each SCI
entity. Costs at the higher end of this range would accrue for members
or participants who would need to invest in additional infrastructure
and to maintain connectivity with an SCI entity's backup systems in
order to participate in testing.\642\ The Commission is unable at this
time to provide a precise cost estimate for the total aggregate cost to
SCI entity members and participants of the requirements relating to
proposed Rule 1000(b)(9), as it does not know how each SCI entity will
determine its standards for designating members or participants that it
would require to participate in the testing required by proposed Rule
1000(b)(9)(i), and thus does not know the number of members or
participants at each SCI entity that would be designated as required to
participate in testing, and whether such designated members and
participants are those that already maintain connections to SCI entity
backup systems. However, the Commission preliminarily believes that an
aggregate annual cost of approximately $66 million to designated
members and participants is a reasonable estimate.\643\ The Commission
requests comment on these estimates and the assumptions underlying
them.
---------------------------------------------------------------------------
\641\ See, e.g., CBOE Rule 6.18 (requiring Trading Permit
Holders to take appropriate actions as instructed by CBOE to
accommodate CBOE's ability to trade options via the back-up data
center); CBOE Regulatory Circular RG12-163 (stating that Trading
Permit Holders are required to maintain connectivity with the back-
up data center and have the ability to operate in the back-up data
center should circumstances arise that require it to be used); NYSE
Rule 49(b)(2)(iii) (requiring NYSE members to have contingency plans
to accommodate the use of the systems and facilities of NYSE Arca,
NYSE's designated backup facility). See also Securities Exchange Act
Release No. 52446 (September 15, 2005), 70 FR 55435 (September 21,
2005) (approving a proposed rule change by each of DTC, FICC, and
NSCC imposing fines on ``top tier'' members that fail to conduct
required connectivity testing for business continuity purposes, as
reflected, e.g., in NSCC Rules and Procedures, Addendum P, available
at: http://www.dtcc.com/legal/rules_proc/nscc_rules.pdf). See
also, e.g., BATS Rule 18.38, Nasdaq Options Rule 13, and BOX Rule
3180 (permitting each exchange to require members to participate in
computer systems testing in the manner and frequency prescribed by
such exchange).
\642\ Based on industry sources, the Commission understands that
most of the larger members or participants of SCI entities already
maintain connectivity with the backup systems of SCI entities while,
among smaller members or participants of SCI entities, there is a
lower incidence of members or participants maintaining such
connectivity. The Commission requests comment on the accuracy of
this understanding.
\643\ This estimate assumes that 44 SCI entities would each
designate an average of 150 members or participants to participate
in the necessary testing. Based on industry sources, the Commission
understands that many SCI entities have between 200 and 400 members
or participants, though some have more and some have fewer. In
addition, the Commission preliminarily believes that it is reasonable
to estimate that the members or participants of SCI entities that
are most likely to be designated as required to participate in
testing are those that conduct a high level of activity with the SCI
entity, or that play an important role for the SCI entity (such as
market makers) and that such members or participants currently are
likely to already maintain connectivity with an SCI entity's backup
systems. Therefore, the Commission estimates the average cost for
each member or participant of an SCI entity to be $10,000, which
takes into account the fact that the Commission preliminarily
believes that many members or participants of SCI entities that
would be required to participate in such testing would already have
such connectivity, and thus have minimal cost. Based on these
assumptions, the Commission estimates that the total aggregate cost
to all members or participants of all SCI entities to be
approximately $66 million (44 SCI entities x 150 members or
participants x $10,000 = $66 million).
---------------------------------------------------------------------------
The Commission preliminarily believes that the corrective action to
mitigate harm resulting from SCI events would impose modest incremental
costs on SCI entities because in the usual course of business, SCI
entities already take corrective actions in response to systems issues.
Proposed Rule 1000(b)(3) supplements the existing incentives of SCI
entities to correct an SCI event quickly by focusing on potential harm
to investors and market integrity and by requiring SCI entities to
devote adequate resources to begin to take corrective action as soon as
reasonably practicable. Based on its experience with the ARP Inspection
Program, the Commission believes that entities currently participating
in the ARP Inspection Program already take
[[Page 18173]]
corrective actions in response to a systems issue, and believes that
other SCI entities also take corrective actions in response to a
systems issue. Nevertheless, the Commission preliminarily believes that
proposed Rule 1000(b)(3) could result in modestly increased costs for
SCI entities per SCI event for corrective action relative to current
practice for SCI entities, as a result of undertaking corrective action
sooner than they might have otherwise and/or increasing investment in
newer, more up-to-date systems earlier than they might have otherwise. If,
however, proposed Regulation SCI reduces the frequency and severity of
SCI events, the overall costs to SCI entities of corrective action may
not increase significantly from the costs incurred without proposed
Regulation SCI. However, the degree to which proposed Regulation SCI
will reduce the frequency and severity of SCI events is unknown. Thus,
the Commission is, at this time, unable to estimate the precise cost
impact of proposed Regulation SCI's corrective action requirements.
Accordingly, the Commission requests comment regarding the costs associated
with proposed Regulation SCI's corrective action requirements,
including what such costs would be on an annualized basis.\644\
---------------------------------------------------------------------------
\644\ See also supra Section IV.D.3 (estimating paperwork
burdens associated with SCI entities developing a process for
ensuring that they are prepared to take corrective action as
required by proposed Rule 1000(b)(3), and reviewing that process on
an ongoing basis).
---------------------------------------------------------------------------
When an SCI event occurs, an SCI entity needs to determine whether
the event is an immediate notification SCI event or dissemination SCI
event because the proposed rule would impose different obligations on
SCI entities for such events. Identifying these types of SCI events may
impose one-time implementation costs on SCI entities associated with
developing a process for ensuring that they are able to quickly and
correctly make such determinations, as well as periodic costs in
reviewing the adopted process.\645\
---------------------------------------------------------------------------
\645\ The initial and ongoing burdens associated with making
these determinations are discussed in the Paperwork Reduction Act
Section above. See supra Section IV.D.3 (estimating burdens
resulting from SCI entities determining whether an SCI event is an
immediate notification SCI event or dissemination SCI event).
---------------------------------------------------------------------------
The Commission notes that proposed Rule 1000(d) would require that
any written notification, review, description, analysis, or report to
the Commission (except any written notification submitted pursuant to
proposed Rule 1000(b)(4)(i)) be submitted electronically and contain an
electronic signature. This proposed rule would require that every SCI
entity have the ability to submit forms electronically with an
electronic signature. The Commission believes that most, if not all,
SCI entities currently have the ability to access and submit an
electronic form such that the requirement to submit Form SCI
electronically will not impose new implementation costs. The initial
and ongoing costs associated with various electronic submissions of
Form SCI are discussed in the Paperwork Reduction Act Section
above.\646\
---------------------------------------------------------------------------
\646\ See supra Section IV.D.2 (estimating burdens resulting
from notice, dissemination, and reporting requirements for SCI
entities).
---------------------------------------------------------------------------
The Commission recognizes that some of the costs imposed by
proposed Regulation SCI may ultimately be transferred to
intermediaries, such as market participants that access national
securities exchanges or clearing agencies, for example, in the form of
higher fees. The Commission recognizes that, if costs relating to
compliance with proposed Regulation SCI are passed on in the form of
increased prices to users of SCI entities, there may be a loss of
efficiency as a result of the net increase in costs to SCI entity
customers. The Commission also preliminarily believes that, for some
SCI entities, the cost estimates may be lower than the actual costs to
be incurred, such as for entities that are not currently part of the
ARP Inspection Program or that have complex automated systems. However,
on balance, the Commission preliminarily believes that the incremental
direct cost estimates above are appropriate.
b. Other Costs
The Commission recognizes that proposed Regulation SCI could have
other potential costs that cannot be quantified at this time. For
example, entities covered by the proposed rule frequently make systems
changes to comply with new and amended rules and regulations such as
rules and regulations under federal securities laws and SRO rules. The
Commission recognizes that, for entities that meet the definition of
SCI entities, because they must continue to comply with proposed
Regulation SCI when they make systems changes, proposed Regulation SCI
could increase the costs and time needed to make systems changes to
comply with new and amended rules and regulations. The Commission
requests comment on the nature of such additional costs and time.
The Commission also considered whether proposed Regulation SCI
would impact innovation in ATSs or raise barriers to entry. The
Commission recognizes that, if proposed Regulation SCI were to cause
SCI entities, including ATSs, to allocate resources towards ensuring
they have robust systems and the personnel necessary to comply with
proposed Regulation SCI's requirements and away from new features for
their systems, or investing in research and development, proposed
Regulation SCI may have a negative impact on innovation among such
entities and thus impact competition. Similarly, if the costs of
proposed Regulation SCI were to be viewed by persons considering
forming new ATSs as so onerous as to dissuade them from starting
new ATSs, competition would also be negatively impacted. To balance any
concern about discouraging innovation and raising barriers to entry
against the need for regulation, the Commission proposes thresholds for
SCI ATSs that are designed to include only the ATSs that are most
likely to have a significant impact on markets due to an SCI event, and
requests comment on the thresholds.\647\ The tradeoffs associated with
these thresholds are discussed in more detail below.
---------------------------------------------------------------------------
\647\ See supra Section III.B.1 and supra notes 100-123 and
accompanying text.
---------------------------------------------------------------------------
Finally, by specifying the timing, type, and format of information
to be submitted to the Commission and by requiring electronic
submission of Form SCI, Commission staff should be able to more
efficiently review and analyze the information submitted. It is
particularly important for the Commission to be able to review and
analyze filings on Form SCI efficiently because proposed Regulation SCI
would require all SCI events to be reported to the Commission. The
Commission is not proposing at this time to require the data to be
submitted in a tagged data format (e.g., XML, XBRL, or another
structured data format that may be tagged), although it has requested
specific comment as to whether it should, and the costs and benefits of
doing so.\648\ The Commission recognizes that it could more readily
analyze filings submitted in a tagged data format than in PDF format,
and the subsequent potential benefits to investors may be greater.
However, these benefits are balanced against the costs to the SCI
entities of submitting filings in a tagged format.
---------------------------------------------------------------------------
\648\ See, e.g., request for comment in supra Section III.D.1.
---------------------------------------------------------------------------
c. Scaling
The Commission recognizes that the benefits of every provision of
proposed Regulation SCI may not justify the costs
[[Page 18174]]
of the provision if every requirement applied to every SCI entity and
SCI event. In particular, the Commission recognizes that applying each
requirement to every SCI entity and every SCI event could adversely
affect competition and efficiency. Therefore, the Commission has
proposed that not all SCI events be subject to the same requirements as
immediate notification SCI events and dissemination SCI events and that
ATSs that do not meet the definition of SCI ATS, and broker-dealers who
are not ATSs, should not be subject to the same requirements as SCI
entities. The discussion that follows lays out the tradeoffs associated
with determining the appropriate cutoffs for determining which events
are immediate notification SCI events or dissemination SCI events, and
which ATSs are SCI ATSs. In sum, the Commission believes that the
requirements balance the need for regulation against the potential
efficiency, competition, and capital formation concerns of the
regulation. In the Commission's judgment, the cost of complying with
the proposed rules would not be so large as to significantly raise
barriers to entry or otherwise alter the competitive landscape of the
entities involved.
As defined in proposed Rule 1000(a), a dissemination SCI event is
an SCI event that is a: systems compliance issue; systems intrusion; or
systems disruption that results, or the SCI entity reasonably estimates
would result, in significant harm or loss to market participants. If
the criteria for dissemination SCI events are set too low, the member or
participant dissemination requirements under proposed Regulation SCI
could be very costly.\649\ Therefore, the Commission carefully
considered tradeoffs in defining the term dissemination SCI event. On
the one hand, the definition should ensure that SCI events that have
significant impacts on the markets are captured as dissemination SCI
events.\650\ On the other hand, not every SCI event should be included.
First, there are higher costs associated with dealing with dissemination
SCI events as compared to SCI events that are not dissemination SCI
events due to the additional requirements relating to dissemination of
information to members or participants. Second, SCI entity members or
participants may be provided with unnecessary information if
information about too many SCI events that do not have significant
impact on the markets is disseminated to members or participants. If
there is excessive dissemination of insignificant events, truly
important events may get hidden among others that do not have the same
degree of significance or impact on the securities markets.\651\ SCI
entity members or participants also may not pay attention to
disseminated SCI events if an excessive number of insignificant events
are disseminated and notifications about SCI events may become routine.
The proposed definition of dissemination SCI event is an attempt to
balance these concerns.
---------------------------------------------------------------------------
\649\ As noted above, an immediate notification SCI event
includes any systems disruption that the SCI entity reasonably
estimates would have a material impact on its operations or on
market participants, any systems compliance issue, or any systems
intrusion. See supra Section III.C.3.b. As with dissemination SCI
events, if the criteria for immediate notification SCI events are set
too low, SCI entities would incur additional costs in providing
immediate notification to the Commission.
\650\ With respect to immediate Commission notification, the
Commission should be immediately notified of any systems disruption
that the SCI entity reasonably estimates would have a material
impact on its operations or on market participants, any systems
compliance issue, or any systems intrusion.
\651\ Similarly, immediate Commission notification of only
immediate notification SCI events should help the Commission focus
its attention on SCI events that may potentially impact an SCI
entity's operations or market participants.
---------------------------------------------------------------------------
Section III.B.1 discusses the definition of ``SCI ATS'' in proposed
Rule 1000(a). The proposal would replace the threshold for NMS stocks
of 20 percent or more of the average daily volume in any NMS stock. The
proposal bases the definition of SCI ATS on average daily dollar volume
and sets the threshold at five percent or more in any single NMS stock
and one-quarter percent or more in all NMS stocks, or one percent or
more in all NMS stocks. The proposal changes the threshold for non-NMS
stocks to at least five percent of the aggregate average daily dollar
volume from twenty percent of the average daily share volume. These
proposed thresholds reflect developments in equities markets that
resulted in a higher number of trading venues and less concentrated
trading, and are designed to ensure that the proposed rule is applied
to all ATSs that trade more than a limited amount of securities and for
which SCI events may cause significant impact on the overall market.
The main benefit of the proposed thresholds is to bring more ATSs into
the SCI ATS definition than are currently subject to the systems safeguard
provisions of Rule 301(b)(6) of Regulation ATS, which in turn would
make them SCI entities. This would help ensure that SCI ATSs that trade
a certain amount of securities are covered by the proposed regulation.
The Commission recognizes the potential for a low threshold to
discourage automation and innovation but, as noted below, the
Commission has balanced the concerns regarding discouraging automation
and innovation against the need for regulation, and preliminarily
believes that innovation is unlikely to be hampered and automation is
likely to continue to increase. To that extent, the proposed rule uses
a two-prong approach for NMS stocks. The threshold is based on market
share in individual stocks. However, it is also required that the ATS
has a certain market share of the overall market in all NMS stocks to
prevent an ATS from being subject to proposed Regulation SCI for
meeting the five percent threshold in any single NMS stock for a
micro-cap stock, but not having significant market share in all NMS stocks.
As discussed above, the Commission believes that approximately 10 NMS
stock ATSs and two non-NMS stock ATSs would fall within the definition
of SCI ATS.\652\
---------------------------------------------------------------------------
\652\ See supra Section III.B.1.
---------------------------------------------------------------------------
For municipal and corporate debt securities, the proposal would
lower the threshold from 20 percent or more to five percent or more.
However, the proposal contemplates a two-prong approach considering
either average daily dollar volume or average daily transaction volume,
and exceeding the threshold in either one would qualify an ATS as an
SCI ATS. The use of the two metrics is intended to take into account
the fact that ATSs in the debt securities markets may handle primarily
retail trades (i.e., large transaction volume but small dollar volume)
or institutional-sized trades (i.e., large dollar volume but small
transaction volume).
The proposed thresholds for municipal and corporate debt securities
are different from the proposed thresholds for NMS stocks. This
difference reflects the fact that, in the debt securities markets
(i.e., municipal securities and corporate debt securities), the degree
of automation and electronic trading is much lower than in the markets
for NMS stocks, which the Commission preliminarily believes may reduce
the need for more stringent rules and regulations. In addition, the
Commission preliminarily believes that the imposition of a threshold
lower than five percent on the current debt securities markets could
have the unintended effect of discouraging automation in these markets
and discouraging new entrants into these markets. Also, due to the
large number of issues outstanding in these debt securities markets,
trading volume may be extremely low in a given issue, but also may
fluctuate significantly from
[[Page 18175]]
day to day and issue to issue. Therefore, the thresholds for debt
securities consider aggregate volume instead of volume in an individual
issue. As discussed above, the Commission preliminarily believes that
three municipal securities and corporate debt securities ATSs would
fall within the definition of SCI ATS.\653\
---------------------------------------------------------------------------
\653\ See id.
---------------------------------------------------------------------------
D. Request for Comment on Economic Analysis
219. The Commission is sensitive to the potential economic effects,
including the costs and benefits, of proposed Regulation SCI. The
Commission has identified above certain costs and benefits associated
with the proposal and requests comment on all aspects of its
preliminary economic analysis.\654\ The Commission encourages
commenters to identify, discuss, analyze, and supply relevant data,
information, or statistics regarding any such costs or benefits. In
particular, the Commission seeks comment on the following:
---------------------------------------------------------------------------
\654\ The Commission has also considered the views expressed in
comment letters submitted in connection with the Roundtable, as well
as the views expressed by Roundtable participants. See supra Section
I.C.
---------------------------------------------------------------------------
220. Do commenters agree that the release provides a fair
representation of current practices and how those current practices
would change under proposed Regulation SCI? Why or why not? Please be
specific in your response regarding current practices and how they
would change under proposed Regulation SCI.
221. Do commenters agree with the Commission's characterization of
the relevant markets in which SCI entities participate, as well as the
market failures identified with respect to each of the relevant
markets? Why or why not? Specifically, do commenters agree with the
identified level of competition in each of the relevant markets? Why or
why not?
222. What is a typical market participant's general level of
expectation of how well the market operates? Do market participants
currently have all the information they need to make informed decisions
that manage their exposure to SCI events? If not, would proposed
Regulation SCI provide the needed information? Why or why not?
223. Do commenters agree with the Commission's analysis of the
costs and benefits of each provision of proposed Regulation SCI,
including the definitions under proposed Rule 1000(a)? Why or why not?
224. Do commenters believe that there are additional benefits or
costs that could be quantified or otherwise monetized? If so, please
identify these categories and, if possible, provide specific estimates
or data.
225. Are there any additional benefits that may arise from proposed
Regulation SCI? Or are there benefits described above that would not
likely result from proposed Regulation SCI? If so, please explain these
benefits or lack of benefits in detail.
226. Are there any additional costs that may arise from proposed
Regulation SCI? Are there any potential unintended consequences of
proposed Regulation SCI? Or are there costs described above that would
not likely result from proposed Regulation SCI? If so, please explain
these costs or lack of costs in detail.
227. Do the types or extent of any anticipated benefits or costs
from proposed Regulation SCI differ between the different types of SCI
entities? For example, do potential benefits or costs differ with
respect to SCI SROs as compared to SCI ATSs? Please explain.
228. Are there methods (including any suggested by Roundtable
panelists or commenters) by which the Commission could reduce the costs
imposed by Regulation SCI while still achieving the goals? Please
explain.
229. Does the release appropriately describe the potential impacts
of proposed Regulation SCI on the promotion of efficiency, competition,
and capital formation? Why or why not?
230. To the extent that there are reasonable alternatives to any of
the rules under proposed Regulation SCI, what are the potential costs
and benefits of those reasonable alternatives relative to the proposed
rules? What are the potential impacts on the promotion of efficiency,
competition, and capital formation of those reasonable alternatives?
For example, what would be the effect on the economic analysis of
requiring SCI entities to conduct an SCI review that requires
penetration testing annually? What would be the effect on the economic
analysis of requiring SCI entities to inform members and participants
of all SCI events? What would be the effect on the economic analysis of
requiring filing in a tagged data format (e.g., XML, XBRL, or another
structured data format that may be tagged)? What would be the effect on
the economic analysis of including broker-dealers, or a subset thereof,
in the definition of SCI entities?
231. In addition, as noted above, the proposed requirement that an
SCI entity disseminate information relating to dissemination SCI events
to its members or participants is focused on disseminating information
to those who need, want, and can act on the information disseminated.
The Commission also preliminarily believes that this proposed
requirement could promote competition and capital formation. Are there
alternative mechanisms for achieving the Commission's goals while
promoting competition and capital formation? Are there costs associated
with this proposed approach that have not been considered? For example,
would the requirement to disseminate information to members or
participants about dissemination SCI events increase an SCI entity's
litigation costs, or cause an SCI entity to lose business (e.g., if
market participants misjudge the meaning of information disseminated
about dissemination SCI events)? Would the benefits of the proposed
information dissemination outweigh the costs? Why or why not? Please
explain.
232. The Commission also generally requests comment on the
competitive or anticompetitive effects, as well as the efficiency and
capital formation effects, of proposed Regulation SCI on market
participants if the proposed rules are adopted as proposed. Commenters
should provide analysis and empirical data to support their views on
the competitive or anticompetitive effects, as well as the efficiency
and capital formation effects, of proposed Regulation SCI.
233. Finally, as stated above, proposed Rule 1000(b)(1) would
require SCI entities to establish, maintain, and enforce written
policies and procedures, reasonably designed to ensure that their SCI
systems and, for purposes of security standards, SCI security systems,
have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity's operational capability
and promote the maintenance of fair and orderly markets. As discussed
above, the Commission is proposing that an SCI entity's policies and
procedures required by proposed Rule 1000(b)(1) be deemed to be
reasonably designed if they are consistent with current SCI industry
standards.\655\ However, the costs identified above may not fully
incorporate all of the costs of adhering to initial or future SCI
industry standards. For example, if an SCI industry standard is based on
the standards of NIST (which issues a number of the publications listed
in Table A), it could include additional requirements not otherwise
required in proposed Regulation SCI such as establishment of
assurance-related
[[Page 18176]]
controls (including, for example, conduct of integrity checks on
software and firmware components, or monitoring of established secure
configuration settings). Any additional requirements would likely
impose costs on SCI entities. Therefore, the Commission requests
comment on what benefits or costs, quantifiable or otherwise, could
potentially be imposed by the identification of SCI industry standards.
What is market participants' current level of compliance with the
industry standards contained in the publications listed in Table A?
What would be the costs to SCI entities (in addition to the cost of
adhering to current practice) of the Commission identifying examples of
industry standards? What would be the benefits? Please explain.
---------------------------------------------------------------------------
\655\ Proposed SCI industry standards are contained in the
publications identified in Table A. See supra Section III.C.1.b.
---------------------------------------------------------------------------
VI. Consideration of Impact on the Economy
For purposes of the Small Business Regulatory Enforcement Fairness
Act of 1996, or ``SBREFA,'' \656\ the Commission must advise OMB as to
whether proposed Regulation SCI constitutes a ``major'' rule. Under
SBREFA, a rule is considered ``major'' where, if adopted, it results or
is likely to result in: (1) An annual effect on the economy of $100
million or more (either in the form of an increase or decrease); (2) a
major increase in costs or prices for consumers or individual
industries; or (3) a significant adverse effect on competition,
investment or innovation.
---------------------------------------------------------------------------
\656\ Public Law 104-121, Title II, 110 Stat. 857 (1996)
(codified in various sections of 5 U.S.C., 15 U.S.C. and as a note
to 5 U.S.C. 601).
---------------------------------------------------------------------------
234. The Commission requests comment on the potential impact of
proposed Regulation SCI on the economy on an annual basis, on the costs
or prices for consumers or individual industries, and any potential
effect on competition, investment, or innovation. Commenters are
requested to provide empirical data and other factual support for their
views to the extent possible.
VII. Regulatory Flexibility Act Certification
The Regulatory Flexibility Act (``RFA'') \657\ requires Federal
agencies, in promulgating rules, to consider the impact of those rules
on small entities. Section 603(a) \658\ of the Administrative Procedure
Act,\659\ as amended by the RFA, generally requires the Commission to
undertake a regulatory flexibility analysis of all proposed rules, or
proposed rule amendments, to determine the impact of such rulemaking on
``small entities.'' \660\ Section 605(b) of the RFA states that this
requirement shall not apply to any proposed rule or proposed rule
amendment, which if adopted, would not have significant economic impact
on a substantial number of small entities.
---------------------------------------------------------------------------
\657\ 5 U.S.C. 601 et seq.
\658\ 5 U.S.C. 603(a).
\659\ 5 U.S.C. 551 et seq.
\660\ Although Section 601(b) of the RFA defines the term
``small entity,'' the statute permits agencies to formulate their
own definitions. The Commission has adopted definitions for the term
``small entity'' for purposes of Commission rulemaking in accordance
with the RFA. Those definitions, as relevant to this proposed
rulemaking, are set forth in Rule 0-10, 17 CFR 240.0-10. See
Securities Exchange Act Release No. 18451 (January 28, 1982), 47 FR
5215 (February 4, 1982) (File No. AS-305).
---------------------------------------------------------------------------
A. SCI Entities
Paragraph (a) of Rule 0-10 provides that for purposes of the RFA, a
small entity when used with reference to a ``person'' other than an
investment company means a person that, on the last day of its most
recent fiscal year, had total assets of $5 million or less.\661\ With
regard to broker-dealers, small entity means a broker or dealer that
had total capital of less than $500,000 on the date in the prior fiscal
year as of which its audited financial statements were prepared
pursuant to Rule 17a-5(d) under the Exchange Act, or, if not required
to file such statements, total capital of less than $500,000 on the
last business day of the preceding fiscal year (or in the time that it
has been in business, if shorter), and that is not affiliated with any
person that is not a small business or small organization.\662\ With
regard to clearing agencies, small entity means a clearing agency that
compared, cleared, and settled less than $500 million in securities
transactions during the preceding fiscal year (or in the time that it
has been in business, if shorter), had less than $200 million of funds
and securities in its custody or control at all times during the
preceding fiscal year (or in the time that it has been in business, if
shorter), and is not affiliated with any person (other than a natural
person) that is not a small business or small organization.\663\ With
regard to exchanges, a small entity is an exchange that has been exempt
from the reporting requirements of Rule 601 under Regulation NMS, and
is not affiliated with any person (other than a natural person) that is
not a small business or small organization.\664\ With regard to
securities information processors, a small entity is a securities
information processor that had gross revenue of less than $10 million
during the preceding year (or in the time it has been in business, if
shorter), provided service to fewer than 100 interrogation devices or
moving tickers at all times during the preceding fiscal year (or in the
time it has been in business, if shorter), and is not affiliated with
any person (that is not a natural person) that is not a small business
or small organization.\665\ Under the standards adopted by the Small
Business Administration (``SBA''), entities engaged in financial
investments and related activities are considered small entities if
they have $7 million or less in annual receipts.\666\
---------------------------------------------------------------------------
\661\ See 17 CFR 240.0-10(a).
\662\ See 17 CFR 240.0-10(c).
\663\ See 17 CFR 240.0-10(d).
\664\ See 17 CFR 240.0-10(e).
\665\ See 17 CFR 240.0-10(g).
\666\ See SBA's Table of Small Business Size Standards,
Subsector 523 and 13 CFR 121.201. Such entities include firms
engaged in investment banking and securities dealing, securities
brokerage, commodity contracts dealing, commodity contracts
brokerage, securities and commodity exchanges, miscellaneous
intermediation, portfolio management, investment advice, trust,
fiduciary and custody activities, and miscellaneous financial
investment activities.
---------------------------------------------------------------------------
Based on the Commission's existing information about the entities
that will be subject to proposed Regulation SCI, the Commission
preliminarily believes that SCI entities that are self-regulatory
organizations (national securities exchanges, national securities
associations, registered clearing agencies, and the MSRB) or exempt
clearing agencies subject to ARP would not fall within the definition
of ``small entity'' as described above. With regard to plan processors,
which are defined under Rule 600(b)(55) of Regulation NMS to mean a
self-regulatory organization or securities information processor acting
as an exclusive processor in connection with the development,
implementation and/or operation of any facility contemplated by an
effective NMS plan,\667\ the Commission's definition of ``small
entity'' as it relates to self-regulatory organizations and securities
information processors would apply. The Commission preliminarily does
not believe that any plan processor would be a ``small entity'' as
defined above. With regard to SCI ATSs, because they are registered as
broker-dealers, the Commission's definition of ``small entity'' as it
relates to broker-dealers would apply. As stated above, the Commission
preliminarily believes that approximately 15 ATSs would satisfy the
definition of SCI ATSs and would be impacted by proposed Regulation
SCI.\668\ The Commission preliminarily does not believe that any of
these 15 SCI
[[Page 18177]]
ATSs would be a ``small entity'' as defined above.
---------------------------------------------------------------------------
\667\ See 17 CFR 242.600(b)(55).
\668\ See supra Section III.B.1, discussing the proposed
definition of SCI entity.
---------------------------------------------------------------------------
B. Certification
For the foregoing reasons, the Commission certifies that proposed
Regulation SCI would not have a significant economic impact on a
substantial number of small entities for the purposes of the RFA.
235. The Commission requests comment regarding this certification.
The Commission requests that commenters describe the nature of any
impact on small entities and provide empirical data to illustrate the
extent of the impact.
VIII. Statutory Authority and Text of Proposed Amendments
Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and
particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, and 23(a)
thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1,
and 78w(a), the Commission proposes to adopt Regulation SCI under the
Exchange Act and Form SCI under the Exchange Act, and to amend
Regulation ATS under the Exchange Act.
List of Subjects in 17 CFR Parts 242 and 249
Securities, brokers, reporting and recordkeeping requirements.
For the reasons stated in the preamble, the Commission is proposing
to amend title 17, chapter II of the Code of Federal Regulations as
follows:
PART 242--REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER
MARGIN REQUIREMENTS FOR SECURITY FUTURES
■
1a. The authority citation for part 242 continues to read as follows:
Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2),
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g),
78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, and
80a-37.
■
1b. The heading of part 242 is revised to read as set forth above.
Sec. 242.301--[Amended]
■
2. In Sec. 242.301, remove and reserve paragraph (b)(6).
■
3. Add an undesignated center heading and Sec. 242.1000 to read as
follows:
Regulation SCI--Systems Compliance and Integrity
Sec. 242.1000 Definitions and requirements for SCI entities.
(a) Definitions. For purposes of this section, the following
definitions shall apply:
Dissemination SCI event means an SCI event that is a:
(1) Systems compliance issue;
(2) Systems intrusion; or
(3) Systems disruption that results, or the SCI entity reasonably
estimates would result, in significant harm or loss to market
participants.
Electronic signature has the meaning set forth in Sec.
240.19b-4(j) of this chapter.
Exempt clearing agency subject to ARP means an entity that has
received from the Commission an exemption from registration as a
clearing agency under Section 17A of the Act, and whose exemption
contains conditions that relate to the Commission's Automation Review
Policies (ARP), or any Commission regulation that supersedes or
replaces such policies.
Material systems change means a change to one or more:
(1) SCI systems of an SCI entity that:
(i) Materially affects the existing capacity, integrity,
resiliency, availability, or security of such systems;
(ii) Relies upon materially new or different technology;
(iii) Provides a new material service or material function; or
(iv) Otherwise materially affects the operations of the SCI entity;
or
(2) SCI security systems of an SCI entity that materially affects
the existing security of such systems.
Plan processor has the meaning set forth in Sec. 242.600(b)(55).
Responsible SCI personnel means, for a particular SCI system or SCI
security system impacted by an SCI event, any personnel, whether an
employee or agent, of the SCI entity having responsibility for such
system.
SCI alternative trading system or SCI ATS means an alternative
trading system, as defined in Sec. 242.300(a), which during at least
four of the preceding six calendar months, had:
(1) With respect to NMS stocks:
(i) Five percent (5%) or more in any single NMS stock, and
one-quarter percent (0.25%) or more in all NMS stocks, of the average
daily dollar volume reported by an effective transaction reporting plan; or
(ii) One percent (1%) or more in all NMS stocks of the average
daily dollar volume reported by an effective transaction reporting
plan;
(2) With respect to equity securities that are not NMS stocks and
for which transactions are reported to a self-regulatory organization,
five percent (5%) or more of the average daily dollar volume as
calculated by the self-regulatory organization to which such
transactions are reported;
(3) With respect to municipal securities, five percent (5%) or more
of either:
(i) The average daily dollar volume traded in the United States; or
(ii) The average daily transaction volume traded in the United
States; or
(4) With respect to corporate debt securities, five percent (5%) or
more of either:
(i) The average daily dollar volume traded in the United States; or
(ii) The average daily transaction volume traded in the United
States.
SCI entity means an SCI self-regulatory organization, SCI
alternative trading system, plan processor, or exempt clearing agency
subject to ARP.
SCI event means an event at an SCI entity that constitutes:
(1) A systems disruption;
(2) A systems compliance issue; or
(3) A systems intrusion.
SCI review means a review, following established procedures and
standards, that is performed by objective personnel having appropriate
experience in conducting reviews of SCI systems and SCI security
systems, and which review contains:
(1) A risk assessment with respect to such systems of an SCI
entity; and
(2) An assessment of internal control design and effectiveness to
include logical and physical security controls, development processes,
and information technology governance, consistent with industry
standards; provided however, that such review shall include penetration
test reviews of the network, firewalls, development, testing, and
production systems at a frequency of not less than once every three
years.
SCI security systems means any systems that share network resources
with SCI systems that, if breached, would be reasonably likely to pose
a security threat to SCI systems.
SCI self-regulatory organization or SCI SRO means any national
securities exchange, registered securities association, or registered
clearing agency, or the Municipal Securities Rulemaking Board; provided
however, that for purposes of this section, the term SCI
self-regulatory organization shall not include an exchange that is notice
registered with the Commission pursuant to 15 U.S.C. 78f(g) or a
limited purpose national securities association registered with the
Commission pursuant to 15 U.S.C. 78o-3(k).
SCI systems means all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity, whether in production, development, or testing, that
directly support trading, clearance and
[[Page 18178]]
settlement, order routing, market data, regulation, or surveillance.
Systems compliance issue means an event at an SCI entity that has
caused any SCI system of such entity to operate in a manner that does
not comply with the federal securities laws and rules and regulations
thereunder or the entity's rules or governing documents, as applicable.
Systems disruption means an event in an SCI entity's SCI systems
that results in:
(1) A failure to maintain service level agreements or constraints;
(2) A disruption of normal operations, including switchover to
back-up equipment with near-term recovery of primary hardware unlikely;
(3) A loss of use of any such system;
(4) A loss of transaction or clearance and settlement data;
(5) Significant back-ups or delays in processing;
(6) A significant diminution of ability to disseminate timely and
accurate market data; or
(7) A queuing of data between system components or queuing of
messages to or from customers of such duration that normal service
delivery is affected.
Systems intrusion means any unauthorized entry into the SCI systems
or SCI security systems of an SCI entity.
(b) Requirements for SCI entities. Each SCI entity shall:
(1) Capacity, Integrity, Resiliency, Availability, and Security.
Establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems and, for purposes of
security standards, SCI security systems, have levels of capacity,
integrity, resiliency, availability, and security, adequate to maintain
the SCI entity's operational capability and promote the maintenance of
fair and orderly markets.
(i) Such policies and procedures shall include, at a minimum:
(A) The establishment of reasonable current and future capacity
planning estimates;
(B) Periodic capacity stress tests of such systems to determine
their ability to process transactions in an accurate, timely, and
efficient manner;
(C) A program to review and keep current systems development and
testing methodology for such systems;
(D) Regular reviews and testing of such systems, including backup
systems, to identify vulnerabilities pertaining to internal and
external threats, physical hazards, and natural or manmade disasters;
(E) Business continuity and disaster recovery plans that include
maintaining backup and recovery capabilities sufficiently resilient and
geographically diverse to ensure next business day resumption of
trading and two-hour resumption of clearance and settlement services
following a wide-scale disruption; and
(F) Standards that result in such systems being designed,
developed, tested, maintained, operated, and surveilled in a manner
that facilitates the successful collection, processing, and
dissemination of market data; and
(ii) For purposes of this paragraph (b)(1), such policies and
procedures shall be deemed to be reasonably designed if they are
consistent with current SCI industry standards, which shall be:
(A) Comprised of information technology practices that are widely
available for free to information technology professionals in the
financial sector; and
(B) Issued by an authoritative body that is a U.S. governmental
entity or agency, association of U.S. governmental entities or
agencies, or widely recognized organization. Compliance with such
current SCI industry standards, however, shall not be the exclusive
means to comply with the requirements of this paragraph (b)(1).
(2) Systems Compliance. (i) Establish, maintain, and enforce
written policies and procedures reasonably designed to ensure that its
SCI systems operate in the manner intended, including in a manner that
complies with the federal securities laws and rules and regulations
thereunder and the entity's rules and governing documents, as
applicable.
(ii) Safe harbor from liability for SCI entities. An SCI entity
shall be deemed not to have violated paragraph (b)(2)(i) of this
section if:
(A) The SCI entity has established and maintained policies and
procedures reasonably designed to provide for:
(1) Testing of all such systems and any changes to such systems
prior to implementation;
(2) Periodic testing of all such systems and any changes to such
systems after their implementation;
(3) A system of internal controls over changes to such systems;
(4) Ongoing monitoring of the functionality of such systems to
detect whether they are operating in the manner intended;
(5) Assessments of SCI systems compliance performed by personnel
familiar with applicable federal securities laws and rules and
regulations thereunder and the SCI entity's rules and governing
documents, as applicable; and
(6) Review by regulatory personnel of SCI systems design, changes,
testing, and controls to prevent, detect, and address actions that do
not comply with applicable federal securities laws and rules and
regulations thereunder and the SCI entity's rules and governing
documents, as applicable;
(B) The SCI entity has established and maintained a system for
applying such policies and procedures which would reasonably be
expected to prevent and detect, insofar as practicable, any violations
of such policies and procedures by the SCI entity or any person
employed by the SCI entity, and
(C) The SCI entity:
(1) Has reasonably discharged the duties and obligations incumbent
upon the SCI entity by such policies and procedures; and
(2) Was without reasonable cause to believe that such policies and
procedures were not being complied with in any material respect.
(iii) Safe harbor from liability for individuals. A person employed
by an SCI entity shall be deemed not to have aided, abetted, counseled,
commanded, caused, induced, or procured the violation by any other
person of paragraph (b)(2)(i) of this section if the person employed by
the SCI entity:
(A) Has reasonably discharged the duties and obligations incumbent
upon such person by such policies and procedures; and
(B) Was without reasonable cause to believe that such policies and
procedures were not being complied with in any material respect.
(3) Corrective Action. Upon any responsible SCI personnel becoming
aware of an SCI event, begin to take appropriate corrective action
which shall include, at a minimum, mitigating potential harm to
investors and market integrity resulting from the SCI event and
devoting adequate resources to remedy the SCI event as soon as
reasonably practicable.
(4) Commission Notification. (i) Upon any responsible SCI personnel
becoming aware of a systems disruption that the SCI entity reasonably
estimates would have a material impact on its operations or on market
participants, any systems compliance issue, or any systems intrusion,
notify the Commission of such SCI event.
(ii) Within 24 hours of any responsible SCI personnel becoming
aware of any SCI event, submit a written notification pertaining to
such SCI event to the Commission.
(iii) Until such time as the SCI event is resolved, submit written
updates pertaining to such SCI event to the Commission on a regular
basis, or at such frequency as reasonably requested by a representative
of the Commission.
[[Page 18179]]
(iv) Any written notification to the Commission made pursuant to
paragraphs (b)(4)(ii) or (b)(4)(iii) of this section shall be made
electronically on Form SCI (Sec. 249.1900 of this chapter), and shall
include all information as prescribed in Form SCI and the instructions
thereto, including:
(A) For a notification made pursuant to paragraph (b)(4)(ii) of
this section:
(1) All pertinent information known about an SCI event, including:
a detailed description of the SCI event; the SCI entity's current
assessment of the types and number of market participants potentially
affected by the SCI event; the potential impact of the SCI event on the
market; and the SCI entity's current assessment of the SCI event,
including a discussion of the determination of whether the SCI event is
a dissemination SCI event or not; and
(2) To the extent available as of the time of the notification: A
description of the steps the SCI entity is taking, or plans to take,
with respect to the SCI event; the time the SCI event was resolved or
timeframe within which the SCI event is expected to be resolved; a
description of the SCI entity's rule(s) and/or governing document(s),
as applicable, that relate to the SCI event; and an analysis of parties
that may have experienced a loss, whether monetary or otherwise, due to
the SCI event, the number of such parties, and an estimate of the
aggregate amount of such loss.
(B) For a notification made pursuant to paragraph (b)(4)(iii) of
this section, an update of any information previously provided
regarding the SCI event, including any information required by
paragraph (b)(4)(iv)(A)(2) of this section which was not available at
the time of submission of the notification made pursuant to paragraph
(b)(4)(ii) of this section. Subsequent updates shall update any
information provided regarding the SCI event until the SCI event is
resolved.
(C) For notifications made pursuant to paragraphs (b)(4)(ii) or
(b)(4)(iii) of this section, attach a copy of any information
disseminated to date regarding the SCI event to its members or
participants or on the SCI entity's publicly available Web site.
(5) Dissemination of information to members or participants. (i)(A)
Promptly after any responsible SCI personnel becomes aware of a
dissemination SCI event other than a systems intrusion, disseminate to
its members or participants the following information about such SCI
event:
(1) The systems affected by the SCI event; and
(2) A summary description of the SCI event; and
(B) When known, further disseminate to its members or participants:
(1) A detailed description of the SCI event;
(2) The SCI entity's current assessment of the types and number of
market participants potentially affected by the SCI event; and
(3) A description of the progress of its corrective action for the
SCI event and when the SCI event has been or is expected to be
resolved; and
(C) Provide regular updates to members or participants of any
information required to be disseminated under paragraphs (b)(5)(i)(A)
and (b)(5)(i)(B) of this section.
(ii) Promptly after any responsible SCI personnel becomes aware of
a systems intrusion, disseminate to its members or participants a
summary description of the systems intrusion, including a description
of the corrective action taken by the SCI entity and when the systems
intrusion has been or is expected to be resolved, unless the SCI entity
determines that dissemination of such information would likely
compromise the security of the SCI entity's SCI systems or SCI security
systems, or an investigation of the systems intrusion, and documents
the reasons for such determination.
(6) Material Systems Changes. (i) Absent exigent circumstances,
notify the Commission in writing at least 30 calendar days before
implementation of any planned material systems change, including a
description of the planned material systems change as well as the
expected dates of commencement and completion of implementation of such
changes.
(ii) If exigent circumstances exist, or if the information
previously provided to the Commission regarding any planned material
systems change has become materially inaccurate, notify the Commission,
either orally or in writing, with any oral notification to be
memorialized within 24 hours after such oral notification by a written
notification, as early as reasonably practicable.
(iii) A written notification to the Commission made pursuant to
this paragraph (b)(6) shall be made electronically on Form SCI (Sec.
249.1900 of this chapter), and shall include all information as
prescribed in Form SCI and the instructions thereto.
(7) SCI Review. Conduct an SCI review of the SCI entity's
compliance with Regulation SCI not less than once each calendar year,
and submit a report of the SCI review to senior management of the SCI
entity for review no more than 30 calendar days after completion of
such SCI review.
(8) Reports. Submit to the Commission:
(i) A report of the SCI review required by paragraph (b)(7) of this
section, together with any response by senior management, within 60
calendar days after its submission to senior management of the SCI
entity;
(ii) A report, within 30 calendar days after the end of June and
December of each year, containing a summary description of the progress
of any material systems change during the six-month period ending on
June 30 or December 31, as the case may be, and the date, or expected
date, of completion of implementation of such changes; and
(iii) Any reports to be filed with the Commission pursuant to this
paragraph (b)(8) shall be filed electronically on Form SCI (Sec.
249.1900 of this chapter), and shall include all information as
prescribed in Form SCI and the instructions thereto.
(9) SCI Entity Business Continuity and Disaster Recovery Plans
Testing Requirements for Members or Participants. With respect to an
SCI entity's business continuity and disaster recovery plans, including
its backup systems:
(i) Require participation by designated members or participants in
scheduled functional and performance testing of the operation of such
plans, in the manner and frequency as specified by the SCI entity, at
least once every 12 months; and
(ii) Coordinate the testing of such plans on an industry- or
sector-wide basis with other SCI entities.
(iii) Each SCI entity shall designate those members or participants
it deems necessary, for the maintenance of fair and orderly markets in
the event of the activation of its business continuity and disaster
recovery plans, to participate in the testing of such plans pursuant to
paragraph (b)(9)(i) of this section. Each SCI entity shall notify the
Commission of such designations and its standards for designation, and
promptly update such notification after any changes to its designations
or standards. A written notification made pursuant to this paragraph
(b)(9)(iii) shall be made electronically on Form SCI (Sec. 249.1900 of
this chapter), and shall include all information as prescribed in Form
SCI and the instructions thereto.
(c) Recordkeeping Requirements Related to Compliance with
Regulation SCI. (1) An SCI SRO shall make, keep, and preserve all
documents relating to its compliance with Regulation SCI as prescribed
in Sec. 240.17a-1 of this chapter.
[[Page 18180]]
(2) An SCI entity that is not an SCI SRO shall:
(i) Make, keep, and preserve at least one copy of all documents,
including correspondence, memoranda, papers, books, notices, accounts,
and other such records, relating to its compliance with Regulation SCI,
including, but not limited to, records relating to any changes to its
SCI systems and SCI security systems;
(ii) Keep all such documents for a period of not less than five
years, the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination; and
(iii) Upon request of any representative of the Commission,
promptly furnish to the possession of such representative copies of any
documents required to be kept and preserved by it pursuant to
paragraphs (c)(2)(i) and (c)(2)(ii) of this section.
(3) Upon or immediately prior to ceasing to do business or ceasing
to be registered under the Securities Exchange Act of 1934, an SCI
entity shall take all necessary action to ensure that the records
required to be made, kept, and preserved by this section shall be
accessible to the Commission and its representatives in the manner
required by this section and for the remainder of the period required
by this section.
(d) Electronic Submission. (1) Except with respect to notifications
to the Commission made pursuant to paragraph (b)(4)(i) of this section
or oral notifications to the Commission made pursuant to paragraph
(b)(6)(ii) of this section, any notification, review, description,
analysis, or report to the Commission required under this rule shall be
submitted electronically on Form SCI (Sec. 249.1900 of this chapter)
and shall contain an electronic signature; and
(2) The signatory to an electronically submitted Form SCI shall
manually sign a signature page or document, in the manner prescribed by
Form SCI, authenticating, acknowledging, or otherwise adopting his or
her signature that appears in typed form within the electronic filing.
Such document shall be executed before or at the time Form SCI is
electronically submitted and shall be retained by the SCI entity in
accordance with paragraph (c) of this section.
(e) Requirements for Service Bureaus. If records required to be
filed or kept by an SCI entity under this rule are prepared or
maintained by a service bureau or other recordkeeping service on behalf
of the SCI entity, the SCI entity shall ensure that the records are
available for review by the Commission and its representatives by
submitting a written undertaking, in a form acceptable to the
Commission, by such service bureau or other recordkeeping service,
signed by a duly authorized person at such service bureau or other
recordkeeping service. Such a written undertaking shall include an
agreement by the service bureau to permit the Commission and its
representatives to examine such records at any time or from time to
time during business hours, and to promptly furnish to the Commission
and its representatives true, correct, and current electronic files in
a form acceptable to the Commission or its representatives or hard
copies of any or all or any part of such records, upon request,
periodically, or continuously and, in any case, within the same time
periods as would apply to the SCI entity for such records. The
preparation or maintenance of records by a service bureau or other
recordkeeping service shall not relieve an SCI entity from its
obligation to prepare, maintain, and provide the Commission and its
representatives access to such records.
(f) Access. Each SCI entity shall provide Commission
representatives reasonable access to its SCI systems and SCI security
systems to allow Commission representatives to assess the SCI entity's
compliance with this rule.
PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934
4. The general authority citation for part 249 continues to read in
part as follows:
Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C.
5461 et seq.; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
5. Add subpart T, consisting of Sec. 249.1900, to read as follows:
Subpart T--Form SCI, for filing notices and reports as required by
Regulation SCI.
Sec. 249.1900 Form SCI, for filing notices and reports as required by
Regulation SCI.
Form SCI shall be used to file notice and reports as required by
Sec. 242.1000 of this chapter.
Note: The text of Form SCI does not, and the amendments will
not, appear in the Code of Federal Regulations.
General Instructions for Form SCI
A. Use of the Form
Except with respect to notifications to the Commission made
pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the
Commission made pursuant to proposed Rule 1000(b)(6)(ii), all
notifications and reports required to be submitted pursuant to Rule
1000 of Regulation SCI under the Securities Exchange Act of 1934
(``Act'') shall be filed in an electronic format through an electronic
form filing system (``EFFS''), a secure Web site operated by the
Securities and Exchange Commission (``Commission'').
B. Need for Careful Preparation of the Completed Form, Including
Exhibits
This form, including the exhibits, is intended to elicit
information necessary for Commission staff to work with SCI self-
regulatory organizations, SCI alternative trading systems, plan
processors, and exempt clearing agencies subject to ARP (collectively,
``SCI entities'') to ensure the capacity, integrity, resiliency,
availability, and security of their automated systems. An SCI entity
must provide all the information required by the form, including the
exhibits, and must present the information in a clear and
comprehensible manner. Form SCI shall not be considered filed unless it
complies with applicable requirements.
C. When To Use the Form
Form SCI is comprised of five distinct types of filings to the
Commission required by Rule 1000(b). The first type of filings is
``(b)(4)'' filings for notifications regarding systems disruptions,
systems compliance issues, or systems intrusions (collectively, ``SCI
events''). The other four types of filings are: ``(b)(6)'' filings for
notifications of planned material systems changes; ``(b)(8)(i)''
filings for reports of SCI reviews; ``(b)(8)(ii)'' filings for semi-
annual reports of material systems changes; and ``(b)(9)(iii)'' filings
for notifications of designations and standards under Rule 1000(b)(9).
In filling out Form SCI, an SCI entity shall select the type of filing
and provide all information required under Rule 1000(b) specific to
that type of filing.
Notifications for SCI Events
For (b)(4) filings, an SCI entity must notify the Commission using
Form SCI by selecting the appropriate box in Section 1 and filling out
all information required by the form. Initial notifications of an SCI
event require the inclusion of an Exhibit 1 and must be submitted no
later than 24 hours after any responsible SCI personnel becomes aware
of the SCI event. For the initial notification of an SCI event, the SCI
entity must include the information required by each item under Part 1
of Exhibit 1.
[[Page 18181]]
To the extent available as of the time of the initial
notification, the SCI entity must also include the information listed
under the items under Part 2 of Exhibit 1.
If the SCI entity has not provided all the information required by
Part 2 of Exhibit 1, any information required by Exhibit 1 requires
updating, or the SCI event has not been resolved, the SCI entity must
file one or more updates regarding the SCI event by attaching an
Exhibit 2. Such updates must be submitted on a regular basis, or at
such frequency as reasonably requested by a representative of the
Commission. The notification to the Commission regarding an SCI event
is not considered complete until all information required by Exhibit 1,
including all information required by Part 2 of Exhibit 1, has been
submitted to the Commission.
For each SCI event, an SCI entity must also attach an Exhibit 3
(which may be included with an Exhibit 1 or Exhibit 2, as the case may
be) for any information disseminated regarding the SCI event to its
members or participants or on the SCI entity's publicly available Web
site.
Other Notifications and Reports
For (b)(6) filings, absent exigent circumstances, an SCI entity
must notify the Commission using Form SCI at least 30 calendar days
before implementation of any planned material systems change. If
exigent circumstances exist, or if the information previously provided
to the Commission regarding any planned material systems change has
become materially inaccurate, an SCI entity must notify the Commission,
either orally or in writing, with any oral notification to be
memorialized within 24 hours after such oral notification by a written
notification, as early as reasonably practicable. For (b)(6) filings,
the SCI entity must select the appropriate box in Section 2 and fill
out all information required by the form, including Exhibit 4. Exhibit
4 must include a description of the planned material systems change as
well as the expected dates of commencement and completion of
implementation of such change.
For (b)(8)(i) filings, an SCI entity must submit its report of its
SCI review to the Commission using Form SCI. A (b)(8)(i) filing must be
submitted to the Commission within 60 calendar days after the SCI
review has been submitted to senior management of the SCI entity. The
SCI entity must select the appropriate box in Section 2 and fill out
all information required by the form, including Exhibit 5. Exhibit 5
must include the report of the SCI review, together with any response
by senior management.
For (b)(8)(ii) filings, an SCI entity must submit its semi-annual
report of material systems changes to the Commission using Form SCI. A
(b)(8)(ii) filing must be submitted to the Commission within 30
calendar days after the end of June and December of each year. The SCI
entity must select the appropriate box in Section 2 and fill out all
information required by the form, including Exhibit 6. Exhibit 6 must
include a report with a summary description of the progress of any
material systems change during the six-month period ending on June 30
or December 31, as the case may be, and the date, or expected date, of
completion of implementation of such changes.
For (b)(9) filings, an SCI entity must notify the Commission of its
designations and standards under Rule 1000(b)(9). The SCI entity must
select the appropriate box in Section 2 and fill out all information
required by the form, including Exhibit 7. Exhibit 7 must include the
SCI entity's standards for designating members or participants that it
deems necessary, for the maintenance of fair and orderly markets in the
event of activation of its business continuity and disaster recovery
plans, to participate in the testing of such plans pursuant to Rule
1000(b)(9)(i), as well as the SCI entity's list of designated members
or participants. If an SCI entity changes its designations or
standards, it must promptly notify the Commission of such changes on
Exhibit 7.
D. Documents Comprising the Completed Form
The completed form filed with the Commission shall consist of Form
SCI, responses to all applicable items, and any exhibits required in
connection with the filing. Each filing shall be marked on Form SCI
with the initials of the SCI entity, the four-digit year, and the
number of the filing for the year.
E. Contact Information; Signature; and Filing of the Completed Form
Each time an SCI entity submits a filing to the Commission on Form
SCI, the SCI entity must provide the contact information required by
Section 4 of Form SCI. The contact information for systems personnel,
regulatory personnel, and a senior officer is required. Space for
additional contact information, if appropriate, is also provided.
All notifications and reports required to be submitted through Form
SCI shall be filed through the EFFS. In order to file Form SCI through
the EFFS, SCI entities must request access to the Commission's External
Application Server by completing a request for an external account user
ID and password. Initial requests will be received by contacting (202)
551-5777. An email will be sent to the requestor that will provide a
link to a secure Web site where basic profile information will be
requested.
A duly authorized individual of the SCI entity shall electronically
sign the completed Form SCI as indicated in Section 5 of the form. In
addition, a duly authorized individual of the SCI entity shall manually
sign one copy of the completed Form SCI, and the manually signed
signature page shall be preserved pursuant to the requirements of Rule
1000(c).
F. Paperwork Reduction Act Disclosure
This collection of information will be reviewed by the Office of
Management and Budget in accordance with the clearance requirements of
44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a currently valid control number. The Commission estimates
that the average burden to respond to Form SCI will be between one and
sixty hours depending upon the purpose for which the form is being
filed. Any member of the public may direct to the Commission any
comments concerning the accuracy of this burden estimate and any
suggestions for reducing this burden.
Except with respect to notifications to the Commission made
pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the
Commission made pursuant to proposed Rule 1000(b)(6)(ii), it is
mandatory that an SCI entity file all notifications, updates, and
reports required by Regulation SCI using Form SCI. The Commission will
treat as confidential all information collected pursuant to Form SCI.
Subject to the provisions of the Freedom of Information Act, 5 U.S.C.
552 (``FOIA''), and the Commission's rules thereunder (17 CFR
200.80(b)(4)(iii)), the Commission does not generally publish or make
available information contained in any reports, summaries, analyses,
letters, or memoranda arising out of, in anticipation of, or in
connection with an examination or inspection of the books and records
of any person or any other investigation.
G. Exhibits
List of exhibits to be filed, as applicable:
Exhibit 1. Notification of SCI Event. The SCI entity shall include:
[[Page 18182]]
Part 1: All pertinent information known about the SCI event,
including: (1) A detailed description of the SCI event; (2) the SCI
entity's current assessment of the types and number of market
participants potentially affected by the SCI event; (3) the potential
impact of the SCI event on the market; and (4) the SCI entity's current
assessment of the SCI event, including a discussion of the
determination of whether the SCI event is a dissemination SCI event or
not.
Part 2: To the extent available as of the time of the notification:
(1) A description of the steps the SCI entity is taking, or plans to
take, with respect to the SCI event; (2) the time the SCI event was
resolved or timeframe within which the SCI event is expected to be
resolved; (3) a description of the SCI entity's rule(s) and/or
governing document(s), as applicable, that relate to the SCI event; and
(4) an analysis of parties that may have experienced a loss, whether
monetary or otherwise, due to the SCI event, the number of such
parties, and an estimate of the aggregate amount of such loss.
Exhibit 2. Update Notification of SCI Event. The SCI entity shall
provide an update of any information previously provided regarding an
SCI event on Exhibit 1, including any information under Part 2 of
Exhibit 1 which was not available at the time of submission of Exhibit
1. Subsequent updates shall update any information provided regarding
the SCI event until the SCI event is resolved.
Exhibit 3. Information Disseminated. The SCI entity shall attach a
copy in pdf or html format of any information disseminated to date
regarding the SCI event to its members or participants or on the SCI
entity's publicly available Web site.
Exhibit 4. Notification of Planned Material Systems Change. The SCI
entity shall, absent exigent circumstances, notify the Commission in
writing at least 30 calendar days before implementation of any planned
material systems change, including a description of the planned
material systems change as well as the expected dates of commencement
and completion of implementation of such changes. If exigent
circumstances exist, or if the information previously provided to the
Commission regarding any planned material systems change has become
materially inaccurate, the SCI entity shall notify the Commission,
either orally or in writing, with any oral notification to be
memorialized within 24 hours after such oral notification by a written
notification on Form SCI, as early as reasonably practicable.
Exhibit 5. Report of SCI Review. Within 60 calendar days after its
submission to senior management of the SCI entity, the SCI entity shall
attach the report of the SCI review of the SCI entity's compliance with
Regulation SCI, together with any response by senior management.
Exhibit 6. Semi-Annual Report of Material Systems Changes. Within
30 calendar days after the end of June and December of each year, the SCI
entity shall attach the report containing a summary description of the
progress of any material systems change during the six-month period
ending on June 30 or December 31, as the case may be, and the date, or
expected date, of completion of implementation of such changes.
Exhibit 7. Notification of Designations and Standards under Rule
1000(b)(9). The SCI entity shall attach: (1) Its standards for
designating members or participants it deems necessary, for the
maintenance of fair and orderly markets in the event of the activation
of its business continuity and disaster recovery plans, to participate
in the testing of such plans pursuant to Rule 1000(b)(9)(i); and (2) a
list of the designated members or participants, including the name and
address of such members or participants.
H. Explanation of Terms
Dissemination SCI Event means an SCI event that is a: (1) Systems
compliance issue; (2) systems intrusion; or (3) systems disruption that
results, or the SCI entity reasonably estimates would result, in
significant harm or loss to market participants.
Material Systems Change means a change to one or more: (1) SCI systems
of an SCI entity that: (i) Materially affects the existing capacity,
integrity, resiliency, availability, or security of such systems; (ii)
relies upon materially new or different technology; (iii) provides a
new material service or material function; or (iv) otherwise materially
affects the operations of the SCI entity; or (2) SCI security systems
of an SCI entity that materially affects the existing security of such
systems.
Responsible SCI personnel means, for a particular SCI system or SCI
security system impacted by an SCI event, any personnel, whether an
employee or agent, of the SCI entity having responsibility for such
system.
SCI entity means an SCI self-regulatory organization, SCI alternative
trading system, plan processor, or exempt clearing agency subject to
ARP.
SCI event means an event at an SCI entity that constitutes: (1) A
systems disruption; (2) a systems compliance issue; or (3) a systems
intrusion.
Systems Compliance Issue means an event at an SCI entity that has
caused any SCI system of such entity to operate in a manner that does
not comply with the federal securities laws and rules and regulations
thereunder or the entity's rules or governing documents, as applicable.
Systems Disruption means an event in an SCI entity's SCI systems or
procedures that results in: (1) A failure to maintain service level
agreements or constraints; (2) a disruption of normal operations,
including switchover to back-up equipment with near-term recovery of
primary hardware unlikely; (3) a loss of use of any such system; (4) a
loss of transaction or clearance and settlement data; (5) significant
back-ups or delays in processing; (6) a significant diminution of
ability to disseminate timely and accurate market data; or (7) a
queuing of data between system components or queuing of messages to or
from customers of such duration that normal service delivery is
affected.
Systems Intrusion means any unauthorized entry into the SCI systems or
SCI security systems of the SCI entity.
[See attachment--proposed Form SCI]
[Pages 18183-18186: proposed Form SCI reproduced as graphics
TP25MR13.034 through TP25MR13.037, omitted from the text version]
Dated: March 8, 2013.
By the Commission.
Kevin M. O'Neill,
Deputy Secretary.
[FR Doc. 2013-05888 Filed 3-22-13; 8:45 am]