By Laura Anthony, Esq.
The SEC rightfully points out that outwardly inconsequential technological issues may later prove to have been a significant cause of larger issues. In addition, an SCI entity’s records of small events may prove useful to the SEC in identifying patterns, weaknesses or circumstances that result in significant issues. Along the same lines, the SEC requires recordkeeping and reporting related to both intentional and unintentional SCI Events.
Obligations of SCI Entities
Regulation SCI requires covered entities to establish written policies and procedures, with specific controls and systems that support trading, clearance and settlement, order routing, market data, market regulation and market surveillance. The written procedures must address levels of capacity, integrity, resiliency, availability and security. Such written policies must be designed to ensure that technological systems can maintain operations with minimal disruptions to the trading markets.
Regulation SCI also requires covered entities to comply with quarterly regulatory notification and reporting requirements and mandatory testing. That testing must involve designated third parties and must cover business continuity and disaster recovery plans, including backup systems. SCI-covered entities must report any disruptions in their systems, compliance issues or system intrusions. The systems and technology of an SCI-covered entity must be reviewed annually by qualified third-party sources.
The specific systems obligations of SCI entities are laid out in Rules 1001-1004 of Regulation SCI. Rule 1001 contains the policy and procedure requirements with respect to operational capacity and maintenance of fair and orderly markets. Rule 1002 contains the obligations with respect to SCI events, including corrective action, SEC notification and information dissemination. Rule 1003 contains requirements related to material system changes and SCI reviews. Finally, Rule 1004 contains requirements related to business continuity and disaster recovery plan testing.
Rule 1001 generally requires SCI entities to maintain reasonably designed policies and procedures to ensure the adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Guidance and discussion on the Rule indicate that the SEC has a risk-based approach requiring more robust policies and procedures for higher-risk systems. An SCI entity’s policies and procedures should ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities.
SCI policies and procedures must provide, at a minimum, (i) the establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology; (iv) regular reviews and testing, including of backup systems as applicable, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made disasters; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities that are sufficiently resilient and geographically diverse, and that are reasonably designed to achieve next-business-day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; (vi) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data (in this regard, a sample of reasonable standards is provided in Table A); and (vii) standards for monitoring SCI systems and making prompt changes as necessary.
Rule 1001 requires that SCI entities establish written policies and procedures designed to ensure that the entity complies with the Securities Exchange Act and the rules and regulations thereunder as well as the entity’s own governing documents. The Rule provides a non-exhaustive list of minimum elements that must be included in such compliance policies and procedures. These elements include: “(i) testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.”
Note 1: Read Part I of this Article.
Note 2: Read Part II of this Article.
Note 3: Original appeared on Legal & Compliance, LLC on 12 April 2016.
Securities attorney Laura Anthony is the founding partner of Legal & Compliance, LLC, a corporate, securities and business transactions law firm. The firm’s experienced legal team provides ongoing corporate counsel to small and mid-size private companies, OTC and exchange traded issuers as well as private companies going public on the NASDAQ, NYSE MKT or over-the-counter market, such as the OTCQB and OTCQX. For nearly two decades Legal & Compliance, LLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients including introductions to investment bankers, broker-dealers, institutional investors and other strategic alliances.