System Down: What Is Reg SCI's Future?

In November 2014, the US Securities and Exchange Commission (SEC) approved Regulation Systems Compliance and Integrity—otherwise known as Reg SCI—as a means to help curb a spate of market disruptions. What the SEC wanted was to prevent a repeat of what happened on October 30, 2014, when a market-wide disruption halted trading at the New York Stock Exchange (NYSE), Nasdaq, BATS, and various other exchanges. The disruption was caused by a failure with the Security Information Processor (SIP), the system that links the exchanges by consolidating bid-and-ask quotes and trades into a single data feed. This forced NYSE to shift operations to a recovery site in Chicago from its datacenter in Mahwah, NJ.

The SEC’s goal is to assure the public that if another disruption does happen, its cause will be made known and the exchanges can go back online quickly to prevent further damage to the market. The SEC approved the new regulation in 2014, although it only went into effect in November 2015 so as to give time for those affected to comply with its requirements.

Reg SCI is seen as both a step in the right direction for the industry while also being a strong candidate for the scrapheap should the Trump administration prove less regulation-friendly, as is expected. While it’s hard to predict the fate of Reg SCI, and indeed other capital markets regulations, what is clear is that exchanges and market participants have already begun to adhere to many of its requirements, allowing them to focus on other complicated policies. 

The idea behind Reg SCI is to strengthen the market’s technology infrastructure and reduce systems issues that lead to wide-scale glitches and outages. It covers a number of so-called “SCI entities,” self-regulatory organizations (SROs) ranging from exchanges and alternative trading systems (ATSs) to clearing agencies and industry groups. One of the other overarching missions behind enacting the regulation is the hope that by requiring the industry to stand by the performance of the systems underpinning the whole market, future development will be done in an efficient and coordinated way.

A New Prevention

“The opinion of the buy side hasn’t really changed since Reg SCI was passed, that the impact to them is low. But expanding it might not be the answer.” Adam Sussman, Liquidnet

These SCI entities—over 40 of them—must have written policies and procedures in place to ensure they are taking the necessary steps to bolster their systems. These entities include the Financial Industry Regulatory Authority (Finra), the Municipal Securities Rulemaking Board (MSRB), Nasdaq, CBOE, BATS, the Fixed Income Clearing Corporation (FICC), the National Securities Clearing Corporation (NSCC), MIAX, and others. They are required to conduct a review of systems at least annually, identify weaknesses in their recovery procedures, submit quarterly reports to the SEC regarding completed and planned changes to their SCI systems, and maintain books and records of these undertakings. SCI entities must also mandate participation of members in business-continuity testing and disaster recovery plans. 

For now, broker-dealers are exempt from the rule. When the SEC sought industry feedback on the rule, some comment letters suggested adding broker-dealers to the list of SCI entities. Sources tell Waters that if Reg SCI moves forward, the issue of adding broker-dealers is likely to be discussed. 

The exchanges and other SCI entities also have to prove that they have adequate back-up datacenters that can take over in the event that their primary ones fail. If a disruption, security breach or system compliance issue crops up, the entity has to file a report with the SEC stating that it took corrective action, and disseminate that information appropriately. As a result, the Commission created a new form specifically for SCI reporting. 

Adam Sussman, head of market structure and liquidity partnerships at Liquidnet, points out that it’s the sell side that is most affected by Reg SCI, although the buy side welcomed the ruling. The buy side, because it mostly does business with broker-dealers, is not directly affected by the regulation. 

“The opinion of the buy side hasn’t really changed since Reg SCI was passed, that the impact to them is low,” Sussman says. “But expanding it might not be the answer.” 

Testing to determine Reg SCI compliance is under way by the SEC, according to the Commission’s Office of Compliance Inspections and Examinations (OCIE). Pete Driscoll, chief risk and strategy officer at the OCIE, said in November at the Risk USA conference that Reg SCI examinations are one of its priorities for 2017. The Commission started a new program to enhance its cybersecurity examination capabilities, which included hiring data scientists and other technology experts to support these endeavors. Its technology controls program has 23 staff members who go to exchanges, clearinghouses and alternative trading systems to ensure compliance. 

The industry itself is also tasked with conducting its own testing. The Securities Industry and Financial Markets Association (Sifma), an industry group representing securities firms, banks and asset managers, helped coordinate testing with its members in 2016 in parallel with Finra testing. Sifma’s managing director of financial services operations, Ellen Green, tells Waters that it found no widespread issues with industry participants’ systems during its testing. “It was not an examination but rather a coordinated test activity and members participated in our efforts,” Green says. “The feedback firms gave us was that testing went well, that it was successful.” 

The industry group is continuing to coordinate and work with its members to provide support and materials on resiliency and response to widespread disruptions. 

How Much Credit

MSRB executive director Lynette Kelly notes that for many firms subject to the new requirement, these improvements were already in motion. “We support the SEC’s efforts to ensure that the technology infrastructure of the US securities markets is secure and resilient,” she says. “Prior to the implementation of Reg SCI, the MSRB maintained a robust technology control program that served as our baseline for compliance with the new rules. We look forward to continuing to work with the SEC and other SCI entities to meet the important goals of Reg SCI.”

Reg SCI, for some industry practitioners, has not exactly been helpful and has not made much of a dent in its goal of protecting and maintaining the integrity of the market’s systems. While there were several outages relating to individual exchanges in 2016, they did not wreak havoc on the wider marketplace. Industry players do not believe that Reg SCI should be credited for the lack of a wide-scale contagion. Rather, exchanges are always working diligently to prevent disruptions, given that they cost money and—in some cases—heads might roll. 

Jim Myers, senior manager of business consulting for Sapient, tells Waters that Reg SCI “is hard to characterize as useful. I don’t credit Reg SCI for this because it’s punitive for exchanges to have outages. It’s in nobody’s best interest if systems go down.” 

Exchanges make money when people are trading on their platforms and if there is a major outage, that won’t happen. Myers says exchanges and other SCI entities have already made investments to create back-up datacenters to support their primary ones in case there is a disruption. Demand to connect to datacenters further from exchanges is also increasing. Exchanges want to ensure that their systems continue chugging along so that trading doesn’t cease even without a regulation specifying what needs to be done. 

Some see Reg SCI as unnecessary, an additional regulatory burden for exchanges that already have it in their best interest to keep systems running. Analysts say SCI entities might see the forms that have to be submitted to the SEC as more paperwork that has to be completed. Aite Group analyst Spencer Mindlin says the rule can even distract exchanges from tending to their systems. “The time spent complying with the regulation is time away from taking care of the house,” Mindlin says. “The regulation assumes that firms are not already applying 100 percent of their focus to ensure their systems do not break.”

But Reg SCI has not been all bad, since it has helped to improve certain things like timestamps for data as well as underscoring the importance of systems management. Some, like Liquidnet’s Sussman, say that Reg SCI makes exchanges more accountable and forces them to implement consistent upgrades to systems. “The rule doesn’t make the market more prone to outages but rather makes the firms involved more accountable because it increases the level of internal scrutiny of their systems,” he says.

Uncertain Environment

Reg SCI came into being during a time of great regulatory upheaval, in a move conceived to combat widespread system disruptions. The SEC sought assurances that glitches could be contained and the public would not be left in the dark. But the Trump administration has made no secret of the fact that it disapproves of the number of regulations enacted during the Obama administration. That could leave rules like Reg SCI in a precarious position. 

The incoming administration of the SEC—led by new chairman Jay Clayton—is believed to support a moratorium on new regulations and may even choose to roll back some of the rules added to the statute books before this year that it considers extraneous. 

Sapient’s Myers goes so far as to call Reg SCI “kind of frivolous,” and he, along with a number of other sources who spoke to Waters for this feature, say that the larger and more complex regulations like Dodd–Frank will take up most of the focus of the new government. Sussman and others note that the current political landscape could mean Reg SCI might come in for closer scrutiny. 

“The political landscape now with the administration shift in the SEC is that market stability is not going to be on the top of their list of regulations to enhance,” Sussman says. “It just may not be their area of focus for them.” 

Ostensibly, Reg SCI is the easiest regulation for entities subject to its scope to comply with, given that other regulations are highly complex and involve significant changes to the way banks and other market participants do business. But it is also one of the obvious candidates for potential repeal precisely because it is considered as an additional layer of policy. But as is true with most anything under the new administration, the future is unknown. 

Salient Points

• Reg SCI is seen by some market participants as just another added layer of regulation that can distract them from crucial systems work.
• SCI entities are beefing up their resiliency and are motivated to prevent systems disruptions, regardless of what’s mandated. Outages cost money, after all. 
• More complex regulations are in the pipeline that will require greater focus from banks, SCI entities and regulators. Reg SCI is not likely to be as pressing.