SCI: A Whale of a Regulation
Though I have all the mandatory mobile devices, including a tablet and an e-reader, I still find it easier to come to terms with regulations in hard copy. Somehow the act of marking up the document and scribbling notes in the margins helps me get through the thicket of terms and references.
So last Wednesday, as soon as it was issued, I dutifully downloaded the final version of the SEC's Regulation Systems Compliance and Integrity (Reg SCI) and fired up my old inkjet. Then I headed out to lunch. An hour or so later, I returned to find the laptop out of memory, the printer stalled mid-job, and the whole situation in a bit of a mini-meltdown.
As you have probably guessed, the problem was the length of Reg SCI. At 742 pages, it defies not only printing but also any kind of easy interpretation. For a frame of reference, Reg NMS was only 371 pages. Much of the document consists of background and a detailed response to the more than 60 comment letters received since the regulation was proposed in March 2013. But there is a lot to get through, no matter how you look at it. Here, I try to give an overview by posing some key questions, so at least you can decide if you need to delve into it further.
Does Reg SCI apply to me?
Not likely, unless you work for one of the 44 "SCI entities" listed in the regulation. These include 18 registered national securities exchanges, seven registered clearing agencies, and 14 alternative trading systems (ATS).
But there are a couple of caveats to this. The regulation applies to systems operated "by or on behalf of" these entities, and it states explicitly that covered systems operated by third parties fall under the regulation. Also, the SEC has left open the door to expanding the coverage of Reg SCI down the road to include additional categories of market participants, such as "non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants."
What does it cover?
Reg SCI is a comprehensive update of the approach to overseeing the US securities markets' technology infrastructure. It requires SCI entities to establish written policies and procedures regarding systems capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability. It also requires the entities to participate in scheduled testing of the operation of their business continuity and disaster recovery plans and to coordinate such testing with other SCI entities. It requires the entities to take corrective action with respect to SCI events, defined to include "systems disruptions, systems compliance issues, and systems intrusions," and to notify the SEC (and, in some cases, internal parties) of such events. Finally, Reg SCI requires the entities to conduct an annual review of their systems by objective, qualified personnel and to submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the SEC.
When does it become effective?
The regulation will become effective 60 days after publication in the Federal Register. The compliance date then follows nine months after it becomes effective, except for alternative trading systems that are being brought in based on new thresholds. The industry- or sector-wide coordinated testing requirement also has different compliance periods.