Division of Trading and Markets:

Responses to Frequently Asked Questions Concerning Regulation SCI

September 2, 2015 (Updated December 8, 2016)

Responses to these frequently asked questions (“FAQs”) were prepared by and represent the views of the staff of the Division of Trading and Markets (“Staff”). They are not rules, regulations, or statements of the Securities and Exchange Commission (“Commission”).  Further, the Commission has neither approved nor disapproved of these interpretive answers.

For Further Information Contact:  Sara Hawkins, Special Counsel, at (202) 551-5523; Geoff Pemble, Special Counsel, at (202) 551-5628; or Alexander Zozos, Attorney-Adviser, at (202) 551-6932; Division of Trading and Markets, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-6628.

Introduction

The Commission adopted Regulation SCI and Form SCI (“Form”) in November 2014 to strengthen the technology infrastructure of the U.S. securities markets.[1]  Specifically, the rules are designed to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and enhance the Commission’s oversight and enforcement of securities market technology infrastructure.  Regulation SCI applies to “SCI entities,” a term which includes SROs (including stock and options exchanges, registered clearing agencies, FINRA and the MSRB), alternative trading systems (“ATSs”) that trade NMS and non-NMS stocks exceeding specified volume thresholds, disseminators of consolidated market data (“plan processors”), and certain exempt clearing agencies.  Regulation SCI applies primarily to the systems of SCI entities that directly support any one of six key securities market functions – trading, clearance and settlement, order routing, market data, market regulation, and market surveillance (“SCI systems”).[2] 

Regulation SCI requires SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act.[3]  In addition, Regulation SCI requires SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), notify the Commission of such events, and disseminate information about certain SCI events to affected members or participants (and, for certain major SCI events, to all members or participants of the SCI entity).[4]  Moreover, Regulation SCI requires SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission,[5] and maintain certain books and records.[6]  It also requires SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities.[7]

The compliance date of Regulation SCI is nine months after the effective date of the regulation, or November 3, 2015.  ATSs newly meeting the thresholds in the definition of SCI ATS for the first time are provided an additional six months from the time that an ATS first meets the applicable thresholds to comply with the requirements of Regulation SCI.  Further, with respect to the industry- or sector-wide coordinated testing requirement of Rule 1004(c), SCI entities have 21 months from the effective date, which is an additional year beyond the compliance date for the other requirements of Regulation SCI.

The Staff may update these FAQs periodically.  In each update, the FAQs modified or added after publication of the last version will be marked with MODIFIED” or “NEW”.

The interpretive questions addressed in this document are as follows:

Section 1: SCI Entities

Question 1.01:  For alternative trading systems trading NMS stocks, is the calculation to determine whether such an ATS is an SCI ATS based on both NMS stock prongs of the definition of SCI ATS? 

Under the definition of “SCI ATS” in Rule 1000 of Regulation SCI, with regard to NMS stocks, an ATS will be subject to Regulation SCI if, during at least four of the preceding six calendar months, it had:  (i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans.  In determining whether an ATS meets this definition, the two prongs of the definition must be examined separately.  Specifically, to become subject to Regulation SCI as an SCI ATS with regard to NMS stocks, an ATS would need to meet the applicable volume threshold in either prong of the test (viewed independently of each other) for four out of the previous six calendar months.  As an example, if during a six-month period, an ATS met the first prong of the threshold (had five percent or more of the average daily volume in a single NMS stock and 0.25 percent or more in all NMS stocks) in months one and three only and met the second prong (had one percent or more of the average daily volume in all NMS stocks) in months two and five only, the ATS would not be an SCI ATS.  Rather, the ATS would only become subject to Regulation SCI if it met the first prong for four out of the previous six months or the second prong for four out of the previous six months.

Section 2:  Systems of SCI Entities

Question 2.01:  What does it mean for a system to “be reasonably likely to pose a security threat to SCI systems” in the definition of “indirect SCI systems”? (MODIFIED)

Systems meeting the definition of “indirect SCI systems” are subject to the provisions of Regulation SCI relating to security standards and systems intrusions.[8]  The Commission explained in the SCI Adopting Release that it believed that indirect SCI systems should be included within the scope of Regulation SCI because such systems could serve as vulnerable entry points into SCI systems.[9]  Accordingly, Rule 1000 defines “indirect SCI systems” as “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.”  As the Commission noted in the SCI Adopting Release, whether a system is “reasonably likely to pose a security threat to SCI systems” for purposes of the definition of “indirect SCI systems” in Rule 1000 depends on whether a system is effectively physically or logically separated from SCI systems.[10]  In particular, the analysis should consider whether a system is sufficiently isolated through adequate separation and security controls such that it does not provide vulnerable points of entry into SCI systems.[11]  First, an SCI entity will need to identify which of its systems meet the definition of “SCI systems” in Rule 1000 of Regulation SCI.  SCI entities should then identify the boundaries for their SCI systems, and assess which controls or methods of separation are appropriate or necessary to ensure effective physical or logical separation.  For each of its SCI systems, the SCI entity should consider consulting existing industry standards on logical and physical separation and conform to such standards as appropriate.[12]  In addition, as part of the SCI entity’s annual SCI review required by Rule 1003(b),[13] it would be appropriate for the objective personnel to review the effectiveness of the controls and methods of separation and determine whether non-SCI systems are outside of the scope of the definition of “indirect SCI systems.”  In the SCI Adopting Release, the Commission noted that the universe of an SCI entity’s indirect SCI systems is in the control of each SCI entity.  If an SCI entity establishes reasonably designed and effective controls so that non-SCI systems are logically or physically separated from SCI systems, they will not be indirect SCI systems.  In this regard, it is possible that an SCI entity could design and implement its security controls such that few or none of its non-SCI systems would be reasonably likely to pose a security threat to SCI systems and thus, are not indirect SCI systems.  However, if it is possible for an SCI system to be accessed, for example, via electronic or physical means by an unauthorized user from a non-SCI system, such non-SCI system would be an “indirect SCI system” and would be subject to certain provisions of Regulation SCI.  Further, it should be noted that a non-SCI system need not connect directly to an SCI system to be an “indirect SCI system.”  Rather, a non-SCI system is an “indirect SCI system” if it is reasonably likely to pose a security threat to an SCI system, if breached, whether such threat is posed by virtue of a direct connection to the SCI system, or through another indirect SCI system.

Question 2.02:  Are the SCI systems of plan processors that are securities information processors (“SIPs”) considered to be SCI systems of each SCI SRO that provides and receives market data from the SIPs?

No.  As the Commission stated in the SCI Adopting Release, because they deal with consolidated market data, the systems of each plan processor that is a SIP are central features of the national market system.[14]  While each such entity is subject to Regulation SCI directly because, as a plan processor, it falls within the definition of SCI entity pursuant to Rule 1000, the SCI systems of such SIPs relating to consolidated market data are not SCI systems of each SCI SRO that provides and receives market data from such SIPs.  “SCI systems” are defined as all computer, network, electronic, technical, automated or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support, among other things, market data.  As such, the systems of, or operated by or on behalf of, such SIPs are SCI systems of the SIP itself and therefore, the SIP is responsible for compliance with the requirements of Regulation SCI with regard to those systems.  Although an SCI SRO that provides such SIP its market data provides it as an input into the SIP’s consolidated data, and may also utilize the SIP’s consolidated market data feed as an input into its trading, routing, or compliance functionality, the SIP is not operating its systems “on behalf of” any SCI SRO.  Therefore, these SIP systems are not considered to be SCI systems of SCI SROs.  Of course, an SCI SRO’s systems that are used to process and send the SCI SRO’s own market data to these SIPs and that receive and process consolidated market data from the SIPs (i.e., systems that interface into and out of the SIP systems) would be SCI systems of the SCI SRO as a system operated by the SCI SRO that directly supports market data.

Question 2.03:  If an SCI entity utilizes a third party to operate SCI systems on its behalf, how may the SCI entity ensure compliance with Regulation SCI with regard to such systems?

As the Commission noted in the SCI Adopting Release, an SCI entity may determine to contract with third parties to operate SCI systems on its behalf.[15]  However, that SCI entity is responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for SCI systems[16] operated on its behalf by a third party and, if an SCI entity is uncertain of its ability to manage a third-party relationship (whether through appropriate due diligence, contract terms, monitoring, or other methods) to satisfy the requirements of Regulation SCI, the SCI entity would need to reassess its decision to outsource the applicable system to such third party.[17]  These requirements include the obligations, under Rule 1001, to establish, maintain and enforce policies and procedures reasonably designed to, among other things, ensure that those SCI systems (1) have levels of capacity, integrity, resiliency, availability and security adequate to maintain the SCI entity’s operational capability and promote fair and orderly markets, and (2) operate in a manner that complies with the Act and the rules and regulations thereunder, and the entity’s rules and governing documents, as applicable.  They also include the obligations of SCI entities under Rules 1002-1005, such as those with respect to SCI events, systems changes, SCI reviews, business continuity and disaster recovery plans, and recordkeeping.

In these cases, however, the Staff believes the expertise and access of the third party directly operating the applicable SCI system could be reasonably leveraged by the SCI entity on whose behalf that system is being operated in fulfilling regulatory obligations under Regulation SCI.  For example, where an SCI entity (“Contracting SCI Entity”) has contracted with another entity (“Operating Entity”) to perform certain functions on its behalf that use SCI systems, the Contracting SCI Entity may look to the Operating Entity to take the initial steps to facilitate the meeting of certain obligations under Regulation SCI, subject to appropriate due diligence by the Contracting SCI Entity.  For instance, the Operating Entity might take the initial steps for establishing the policies and procedures required under Regulation SCI for the relevant SCI system(s).[18] 

Similarly, because the Operating Entity may have more immediate access to information regarding SCI events affecting an SCI system, the Operating Entity may determine to take the initial and supporting role in complying with the rule’s requirements relating to notifications of SCI events under Rule 1002.  For example, the Operating Entity may be asked by the Contracting SCI Entity to draft any applicable notification in the first instance and then provide the Contracting SCI Entity with the draft of the submission, which the Contracting SCI Entity could submit to the Commission after performing its own appropriate due diligence, including review of and any revisions to such draft it deemed appropriate.[19]

The Contracting SCI Entity may rely on the Operating Entity’s expertise, direct access to systems, and more timely information to take the initial steps to help facilitate the Contracting SCI Entity’s compliance with certain requirements of Regulation SCI, so long as the reliance is reasonable and the Contracting SCI Entity exercises appropriate due diligence.[20]  In the case of all applicable requirements of Regulation SCI, the Staff believes that it is important that the Contracting SCI Entity maintain the right (i.e., in its contractual arrangements with the Operating Entity) to request relevant documents and perform regulatory inspections or audits.  Further, it may be appropriate for the Operating Entity to provide to the Contracting SCI Entity certain attestations as to compliance with Regulation SCI requirements.  At the same time, the Staff believes that relying on attestations alone would not constitute sufficient appropriate due diligence by the Contracting SCI Entity.  As noted above, where the Contracting SCI Entity utilizes an Operating Entity to operate SCI systems on its behalf, the Contracting SCI Entity remains responsible for ensuring compliance with Regulation SCI with respect to such SCI systems.   

Question 2.04:  Is every system involved in delivering an order to another trading center an SCI system?

Whether the particular systems used in connection with order routing constitute SCI systems of an SCI entity depends on the particular facts and circumstances of the arrangement.  As a general matter, systems used for routing orders to other trading centers are within the scope of the definition of SCI systems, which includes “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”  The Staff understands, however, that SCI entities utilize various arrangements for routing orders to other trading centers.  For example, orders may be routed through an affiliated broker-dealer router or through one or more third-party routing brokers, and use a variety of connectivity providers as part of that process.  For example, routed orders may pass through the systems of several routing brokers and telecommunications providers before the routing process is complete and the order reaches its intended destination.

Determining which routing systems are, in fact, SCI systems under Regulation SCI requires an analysis as to which systems “directly support” the order routing functionality offered by the SCI entity.  In this respect, the Staff believes that all systems used by the SCI entity in the order routing process — up to and including those systems that make the determination of which trading center to route a particular order, and the price, size and other characteristics thereof — are systems that “directly support” the order routing of the SCI entity and, as such, are SCI systems of the SCI entity.  The Staff believes this to be the case irrespective of whether such routing logic is housed at a third party (e.g., a third party routing broker), or within the SCI entity or an affiliated broker.  However, the Staff believes that those systems that are involved in the delivery of the order to a trading center after a routing decision is made, and without any ability to alter that routing decision, would generally not be SCI systems of the SCI entity. [21]

The Staff notes that, in addition to the requirements of Regulation SCI, many SCI entities are subject to other obligations under the federal securities laws and rules thereunder with regard to order routing.  For example, Rule 611 of Regulation NMS requires a trading center to establish, maintain, and enforce written policies and procedures that are reasonably designed to prevent trade-throughs on that trading center of protected quotations in NMS stocks that do not fall within an exception set forth in the rule and, if relying on such an exception, that are reasonably designed to assure compliance with the terms of the exception.[22]  A trading center must take prompt action to remedy any deficiencies in such policies and procedures.  To the extent a systems issue with an order routing system results in non-compliance with Regulation NMS, such systems issue would need to be reported to the Commission as a “systems compliance issue” under Regulation SCI.

Question 2.05:  Are the systems of utilities (e.g., power companies) that provide services necessary for the performance of the core functions covered by Regulation SCI considered to be SCI systems of the SCI entities that rely upon them?

As a general matter, it is unlikely that the systems of utility companies (such as a power company providing general power services for an SCI entity) would be SCI systems.  As noted above, SCI systems are defined in Rule 1000 as “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”  Systems that provide general power services undoubtedly support many of the functions of an SCI entity.  However, the Staff believes that such systems generally would indirectly support these functions as they provide products or services that are necessary for the SCI systems to operate, but are not systems that perform the core functions themselves.  Therefore, the Staff does not believe the systems of the utilities such as power companies generally would be SCI systems of an SCI entity.

Though such systems may not be SCI systems, SCI entities should be aware of how issues relating to such systems may impact their obligations under Regulation SCI.  For example, an issue at a power utility may interrupt the electric power supplied to an SCI entity’s SCI systems.  Even if the outage at the power utility’s system would not itself be an SCI event, there is a significant likelihood that an SCI entity would nonetheless experience an SCI event following such an outage.  For example, the power outage may cause one or more SCI systems of an SCI entity to themselves experience systems disruptions, which would require the SCI entity to take certain actions pursuant to Rule 1002 of Regulation SCI (including corrective action, Commission notification, and information dissemination, as applicable).

The Staff also notes that Rule 1001(a) requires that an SCI entity have policies and procedures reasonably designed to ensure that its SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.  In addition, Rule 1001(a)(2)(iv) requires such policies and procedures to include regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.  As such, given the importance of utilities such as the supply of power to the operation of its SCI systems, an SCI entity should consider whether its policies and procedures should contemplate and address the potential occurrence of SCI events that arise from the effect of the failure or disruption of such utilities on SCI systems.

Question 2.06:  Can ATSs have market regulation and/or market surveillance systems under the definition of SCI systems?

As noted above in Question 1.01, an alternative trading system that meets the volume thresholds in the definition of “SCI ATS” in Rule 1000 of Regulation SCI is subject to Regulation SCI as an SCI entity, and its SCI systems, critical SCI systems, and indirect SCI systems must comply with the requirements of Regulation SCI.  Regulation SCI’s definition of “SCI systems” includes all computer, network, electronic, technical, automated or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support market regulation and market surveillance.

In the context of Regulation SCI, the Staff believes that market regulation systems are intended to refer to those used to carry out self-regulatory responsibilities under the Act.  SCI SROs such as national securities exchanges, national securities associations, and registered clearing agencies are subject to a variety of obligations as self-regulatory organizations under the Act, including enforcing their rules and the federal securities laws with respect to their members.[23]  ATSs do not have such self-regulatory responsibilities.  Accordingly, the Staff believes that it is unlikely that an SCI ATS would have systems falling within the category of market regulation systems. 

With respect to market surveillance systems, in adopting Regulation SCI, the Commission narrowed the definition of SCI systems to include those systems relating to “market surveillance,” rather than the broader term “surveillance” which had been in the proposed definition of SCI systems.[24]  In doing so, the Commission stated that it believed that the “change will more appropriately capture only those…surveillance systems that are related to core market functions, such as trading, clearance and settlement, order routing, and market data.”[25]  In the context of Regulation SCI, market surveillance systems of an SCI ATS would consist of those systems used by the SCI ATS in its role as a trading venue to monitor the order entry, trading, or other market-related activities conducted on or by the SCI ATS.  For example, the Staff understands that many ATSs maintain such systems to surveil market-related activities for compliance with certain federal securities laws and the rules and regulations thereunder (such as Regulation SHO).  In addition, the Staff understands that many ATSs also maintain such systems to surveil market-related activities for subscriber compliance with the ATS’s own rules and governing documents, as applicable, such as those designed to limit certain types of trading behavior or otherwise maintain the quality of its market.[26]

Question 2.07:  What is the meaning of “exclusively-listed securities” in the definition of “critical SCI systems”? 

“Critical SCI systems” are a subset of “SCI systems,” and Regulation SCI subjects critical SCI systems to certain heightened requirements, including a two-hour resumption goal following a wide-scale disruption[27] and broader dissemination obligations for “major SCI events.”[28]  Rule 1000 of Regulation SCI defines “critical SCI systems” as “any SCI systems of, or operated by or on behalf of, an SCI entity that:  (1) directly support functionality relating to:  (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.”[29]

As discussed in the Regulation SCI Adopting Release, the definition of critical SCI systems in Regulation SCI was designed to cover “those SCI systems whose functions are critical to the operation of the markets, including those systems that represent potential single points of failure in the securities markets.”[30]  With regard to systems that directly support functionality relating to exclusively-listed securities, the Commission stated that such systems “represent single points of failure because exclusively-listed securities, by definition, are listed and traded solely on one exchange.”[31]  Accordingly, the Commission noted that all trading by all market participants in such securities necessarily will be disrupted by a trading disruption or outage on the exclusive listing market.[32]

The Staff believes that whether a security is an “exclusively-listed security” for purposes of Regulation SCI depends on the specific facts and circumstances relating to the listing and trading of such security.  For example, if a security is subject to an intellectual property or other restriction that expressly limits the listing and trading of the security to a single trading venue, that security would clearly be an exclusively-listed security for purposes of Regulation SCI. 

On the other hand, if a security is subject to an intellectual property or other restriction that does not expressly limit trading to a single trading venue (e.g., such that multiple trading venues potentially could list and trade the security if they enter into the requisite licensing or similar arrangement), then there should be an analysis of whether the security has, in fact, been licensed to more than one trading venue.  If so, then the security would not be an “exclusively-listed security” for purposes of Regulation SCI.  If, however, such a security has not, in fact, been licensed to more than one trading venue, it would be considered an “exclusively-listed security,” as an external requirement prevents, limits, or otherwise excludes other trading venues from immediately listing or trading the security.

Finally, if a security is not subject to an intellectual property or other restriction that limits the listing or trading of that security to particular trading venues, but the security lists or trades on only one trading venue due to low demand or other market conditions, such a security would not be considered an “exclusively-listed security” for purposes of Regulation SCI.  In such a case, unlike a security that is subject to an intellectual property or other restriction, there is nothing external that prevents, limits, or otherwise excludes other trading venues from immediately listing or trading the security.

Question 2.08:  Which SCI systems relating to the communication of “trading halts” are “critical SCI systems”? 

Critical SCI systems is defined in Rule 1000 to include any SCI systems of, or operated by or on behalf of, an SCI entity that, among other things, directly support functionality relating to trading halts.  In the SCI Adopting Release, the Commission stated, for the purposes of clarity, that the term “trading halts,” for purposes of this definition, was intended to capture market-wide halts, such as regulatory halts, rather trading halts on an individual market.[33]  The Commission also noted that it is typically the responsibility of the primary listing market to call such a trading halt and stated that, “systems which communicate information regarding trading halts provide an essential service in the U.S. markets and, should a systems issue occur affecting the ability of an SCI entity to provide such notifications, the fair and orderly markets may be significantly impacted.”[34]

Given that the definition of critical SCI systems was designed to identify SCI systems whose functions may represent potential single points of failure in the securities markets,[35] the Staff believes that those systems that are responsible for disseminating such market-wide trading halt communications (typically from the primary listing market to other trading venues and market participants more broadly) across the markets represent potential single points of failure, and as such, are critical SCI systems.  However, those systems used by a trading center to receive such market-wide trading halt communications or to implement a trading halt on a particular market would not be considered to be critical SCI systems, though they would be SCI systems under Regulation SCI.

Question 2.09:  Are systems that support the provision of historical market data included within the scope of the definition of “SCI systems”? (NEW)

Rule 1000 of Regulation SCI defines SCI systems to mean “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support … market data.”  Although Regulation SCI does not define the term “market data,” the Commission stated in the SCI Adopting Release that “that term generally refers to price information for securities, both pre-trade and post-trade, such as quotations and transaction reports.”[36]  The Commission further noted that both consolidated and proprietary market data was within the scope of Regulation SCI, as both types of market data systems “are widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions.”[37] 

The Staff believes that the Commission’s statements in the Adopting Release indicate that market data systems are included within the scope of Regulation SCI largely because of their role in supporting price transparency, and thus the trading decisions of market participants.[38]  Specifically, as highlighted by the Commission’s discussion in the Adopting Release,[39] if a “consolidated or a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets.”[40]  In contrast, the unavailability or unreliability of a historical market data system would not have a similar impact on trading or the maintenance of fair and orderly markets where such data systems do not have a significant role in supporting price transparency.  The Staff therefore believes that, if an SCI entity reasonably determines that a system providing historical market data generally is not used by market participants as a source of price transparency in connection with trading decisions, then it would be appropriate for the SCI entity to categorize such a system as outside of the scope of the definition of “SCI system.”[41]  The Staff notes that whether or not historical market data provided by a system is used by market participants as a source of price transparency in connection with trading decisions will depend on the particular facts and circumstances, including the liquidity of the security and its asset class.  For example, market data that is several days old likely would not be relied upon by market participants in making trading decisions in NMS stocks, particularly those which are highly liquid, but may be used to make trading decisions for certain illiquid fixed income securities.  Accordingly, SCI entities would need to analyze which systems may be appropriately excluded from the definition of “SCI systems” as providing only historical market data that is generally not relied upon by market participants in connection with making trading decisions.  As with other aspects of an SCI entity’s compliance with Regulation SCI, the Commission and its staff may review the SCI entity’s determination with regard to historical market data systems, including the SCI entity’s analysis and factors considered, to assess whether the SCI entity’s determination was, and continues to be, reasonable and consistent with the requirements of Regulation SCI.

Section 3:  SCI Events

Question 3.01:  Does the de minimis exception under Rule 1002(c)(4)(ii) apply to SCI events affecting critical SCI systems?

Yes.  Rule 1002(c)(1)(i) of Regulation SCI requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, to disseminate information about such SCI event, unless an exception applies.  With respect to a “major SCI event” (i.e., an SCI event that has had, or the SCI entity reasonably estimates would have:  (1) any impact on a critical SCI system, or (2) a significant impact on the SCI entity’s operations or on market participants), Rule 1002(c)(3) requires that the information required to be disseminated under Rules 1002(c)(1)-(2) shall be promptly disseminated by the SCI entity to all of its members or participants.

Rule 1002(c)(4) provides certain exceptions to the information dissemination requirement.  In particular, Rule 1002(c)(4)(ii) provides an exception for any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.  As noted above, an SCI event that has had or would have any impact on a critical SCI system is a “major SCI event.”  The SCI Adopting Release noted that, because major SCI events are a subset of SCI events, the exception for de minimis events also applies to major SCI events that meet the requirements of Rule 1002(c)(4)(ii).[42]  Therefore, it is possible for an SCI entity to experience an SCI event that affects a critical SCI system (and thus is a major SCI event), but does not require the dissemination of information about such major SCI event to all members or participants because it falls within the de minimis exception to the rule.  For example, if there was a successful virus attack to a server for a critical SCI system, such as a clearance and settlement system of a clearing agency, which was immediately detected by antivirus software and quarantined, and the SCI entity reasonably determined that such attack had no or a de minimis impact on the SCI entity’s operations or on market participants, information about such SCI event would not be required to be disseminated to members or participants under Rule 1002.

Question 3.02:  How should SCI entities contact the Commission for SCI events that require immediate notification to the Commission under Rule 1002(b)(1) or for updates pertaining to such SCI events pursuant to Rule 1002(b)(3)?

Pursuant to Rule 1006, the notifications relating to SCI events required by Rules 1002(b)(2) and 1002(b)(4) are required to be filed electronically with the Commission on Form SCI.  Rules 1002(b)(1) and 1002(b)(3), however, do not prescribe the specific method for providing immediate notifications to the Commission of SCI events or for regular updates to the Commission, respectively.  As noted in the SCI Adopting Release, these rules provide flexibility so that an SCI entity may provide such immediate notifications and updates orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI).[43]  Though it is not required, the Staff encourages SCI entities to make use of Form SCI when appropriate, as it provides a standardized means for submitting such notifications and updates to the Commission; in addition, SCI entities are permitted to electronically request confidential treatment of all information filed on Form SCI in accordance with Regulation SCI.  However, if an SCI entity chooses instead to provide an immediate notification or update of an SCI event to comply with the requirements of Rule 1002(b)(1) or 1002(b)(3) without using Form SCI, it may do so through the designated phone number or email address that Commission staff will make available to each SCI entity prior to the compliance date of Regulation SCI.  Of course, SCI entity personnel may additionally, as a secondary notification, notify or update any other Commission staff that it feels appropriate, including any staff member with whom the SCI entity’s personnel consults regarding the issues relating to a given SCI event.

Question 3.03:  If an SCI entity loses a redundant component of a system but has a seamless failover, is that a systems disruption?

Whether the failure of a system component with a seamless failover to a backup system constitutes a systems disruption depends on the particular facts and circumstances of the incident.  It is not automatically a systems disruption simply because a component failed; nor is it automatically excluded from being an SCI event simply because there was a seamless failover.  Rather, an SCI entity would have to determine whether such a failure meets the definition of “systems disruption” under Rule 1000.  A systems disruption is defined in Rule 1000 as an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.  The Staff encourages SCI entities to establish parameters regarding what constitutes normal operations for each of its SCI systems so that it is able to ascertain when such normal operations have been disrupted or significantly degraded.    

Question 3.04:  Does an SCI entity need to report to the Commission virus alerts produced by its security software on its email systems?

Generally speaking, it is the Staff’s expectation that many corporate email systems of SCI entities will not be subject to Regulation SCI because they do not meet the definition of “SCI systems” or “indirect SCI systems” under Rule 1000 of Regulation SCI.  Specifically, Rule 1000 defines “SCI systems” as “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”  If the corporate email systems at issue do not directly support any one of the six enumerated areas (i.e., trading, clearance and settlement, order routing, market data, market regulation, market surveillance), they would not constitute SCI systems and would not be subject to Regulation SCI’s reporting rules.  Of course, to the extent that such email systems directly support any one of the six enumerated areas (i.e., trading, clearance and settlement, order routing, market data, market regulation, market surveillance), such functionality would be considered to be an SCI system and, as such, would be subject to the reporting and other requirements of Regulation SCI.[44] 

However, even if the corporate email systems at issue do not directly support the above enumerated areas and thus do not constitute SCI systems, the SCI entity would need to determine whether the corporate email systems fall into the category of “indirect SCI systems,” which are defined in Rule 1000 as “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.”  As discussed in the SCI Adopting Release, whether a system is an indirect SCI system will depend on whether it is effectively physically or logically separated from SCI systems.[45]  Thus, an SCI entity should consider taking the steps necessary to ensure that its corporate email systems would not, if breached, be reasonably likely to pose a security threat to its SCI systems.  However, if the corporate email systems would, if breached, be reasonably likely to pose a security threat to the SCI entity’s SCI systems, they would be indirect SCI systems and subject to the various provisions of Regulation SCI with respect to security, including the reporting requirements with regard to systems intrusions. 

Thus, a virus alert produced by security software on a corporate email system that is not an SCI system or an indirect SCI system would not be indicative of an SCI event that would be reportable pursuant to Rule 1002.  To the extent an email system is an SCI system or an indirect SCI system, however, a virus alert occurring in that system could indicate the occurrence of a “systems intrusion,” i.e., any unauthorized entry into the SCI entity’s SCI systems or indirect SCI systems, which an SCI entity would be required to report to the Commission.  As noted in the SCI Adopting Release, attempted (i.e., unsuccessful) virus attacks would not be required to be reported to the Commission.[46]

Question 3.05:  Would a systems issue that significantly impacts only a small number of market participants constitute a “major SCI event”?

Under Rule 1000 of Regulation SCI, “major SCI event” is defined as an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system, or a significant impact on the SCI entity’s operations or on market participants.  With respect to an SCI event that is a major SCI event because it has a significant market impact on market participants, the definition does not set forth a minimum number of market participants that must be impacted for an SCI event to be a major SCI event.  Rather than focusing solely on the number of market participants impacted, an SCI entity should analyze the facts and circumstances regarding the impact of an SCI event and may consider how the event affects one or more, or a given group or class, of market participants as a whole and whether it has a “significant impact” on such market participants.  In conducting such an analysis, the Staff believes it would be appropriate that an SCI entity take into account the relative significance of the market participant(s) impacted, whether by trading volume, importance to the operation of the SCI entity, or such other factors an SCI entity determines to be appropriate.  For example, if a systems disruption at an exchange only impacts two market makers but such market makers are two of the largest on the exchange, such an event could constitute a major SCI event if the impact on those two participants would be considered significant.  If an SCI event is deemed to be a major SCI event, information regarding the event would be required to be disseminated to all of an SCI entity’s members or participants (rather than only to those members or participants that have been affected, as is required for SCI events that are not major SCI events).[47]

Question 3.06:  If an SCI entity experiences an SCI event that also impacts other SCI entities, do all of the SCI entities need to report it to the Commission?

Rule 1002(b) of Regulation SCI requires that, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, the SCI entity must provide the Commission with notifications pertaining to such event, as well as regular updates until the event is resolved.  Although a single incident may affect multiple SCI entities, it is incumbent upon each SCI entity to fulfill its own obligations under Rule 1002(b).  Thus, each SCI entity that experiences an SCI event is required to submit the required notifications and updates under Rule 1002(b), regardless of whether it believes that other SCI entities are also affected by the same systems issue.  This is required even where an SCI event affects a single system that is used by multiple affiliated entities.[48]

As noted in the SCI Adopting Release, the Commission viewed such individualized SCI event notices to be important and did not believe that allowing certain entities to forego notification where a given event appears to be affecting multiple SCI entities would be appropriate because each SCI entity and its systems may be impacted differently by the systems issue, and each entity may have a unique perspective on the details surrounding the event.[49]  In addition, the initial analysis of an SCI entity that it is affected by the same systems issue affecting other SCI entities may be incorrect and, by receiving notifications from various SCI entities, the Commission will be better positioned to determine whether, in fact, they are concurrently experiencing the same event.[50]

In this regard, Rule 1002(b) and Form SCI require, among other things, information regarding the SCI entity’s assessment of the types and number of market participants potentially affected by the SCI event; the potential impact on the market; and a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event.  In many cases, this information will be different for each entity impacted by an SCI event.  For example, the impact of a given SCI event may differ between SCI entities depending upon a wide variety of factors, including the specific policies and procedures in place at an SCI entity relating to the affected system and the types of market participants that comprise an SCI entity’s members or participants, among others.  These individual facts and perspectives are valuable to the Commission and its staff, and may assist the Commission and its staff to gather the relevant facts and develop a more thorough understanding of the event and where the failure or systems issue may have arisen.  The Staff believes that this is the case even in instances where the SCI event affects a single system that is used by multiple affiliated entities.  The Staff believes that in many cases, the information provided pursuant to the requirements of Form SCI would not be identical for each entity, and believes that it is important to have each entity’s individual response to the requirements of Form SCI for the reasons noted above.

Question 3.07:  When is a systems compliance issue “resolved” for purposes of Rule 1002?

A systems compliance issue is defined by Rule 1000 as “an event at an SCI entity that has caused any system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.”  Several requirements of Rule 1002 regarding Commission notification of SCI events are dependent on the date that an event is resolved, including those relating to submitting updates and the final report to the Commission regarding an SCI event.  If an SCI entity has experienced a systems compliance issue, such an event may be “resolved” for purposes of Regulation SCI in one of two ways.  First, the issue could be resolved when the SCI system’s functionality is modified so that it operates in accordance with the Act, rules and regulations thereunder, and the entity’s existing rules.  Second, in the case where an SCI entity’s systems are operating in a manner that does not comply with the entity’s own rules or governing documents, but are not otherwise in violation of the Act or rules thereunder, the system compliance issue could be resolved by modifying the entity’s rules or governing documents to accurately reflect the operation of the system.  For an SCI SRO, this would be accomplished through the filing with the Commission of a proposed rule change under Section 19(b) and the proposed rule change becoming effective or being approved by the Commission, as applicable.  For other SCI entities, it would entail completing whatever steps are necessary under the entity’s rules or governing documents to effectuate such a modification to such documents.

Question 3.08:  How may information related to an SCI event be disseminated? (NEW)

Rule 1002(c)(1)-(2) of Regulation SCI requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, to disseminate certain information about such SCI event, unless one of the exceptions set forth in Rule 1002(c)(4) applies.[51]  With respect to “major SCI events,”[52] Rule 1002(c)(3) requires that such information be promptly disseminated by the SCI entity to all of its members or participants.  For non-major SCI events, the SCI entity must promptly disseminate such information only to those members or participants of the SCI entity that it has reasonably estimated may have been affected by the SCI event, as well as any additional members or participants that it subsequently reasonably estimates may have been affected by the SCI event.[53]

Regulation SCI does not specify the means by which information about SCI events must be disseminated.  However, the Staff understands that, in practice, SCI entities routinely disseminate information regarding major SCI events in writing, such as through an electronic alert to all members or participants, or a public website posting.  Such practices can facilitate the SCI entity’s compliance with its recordkeeping requirements under Rule 1005. 

When an SCI event is not a “major SCI event,” and dissemination only is required to be made to affected members and participants, it may in some cases be practical to communicate the required information orally (e.g., by telephone).  While Regulation SCI is sufficiently flexible to permit the oral dissemination of such information, Rule 1005 requires SCI entities to make, keep, and preserve all documents relating to their compliance with Regulation SCI.

Section 4: Business Continuity and Disaster Recovery Plans (“BC/DR plans”) Testing

Question 4.01:  Do the testing requirements of Rule 1004 require two different tests, i.e., one test that includes participation of members or participants and another test that is industry- or sector-wide?

No.  Rule 1004 does not require two separate tests of BC/DR plans, one which includes the participation of members or participants and one that does not.  Rather, Rule 1004(b) and (c) should be read in conjunction, so that SCI entities can conduct functional and performance testing of their BC/DR plans with the participation of designated members or participants and in coordination with other SCI entities on an industry- or sector- wide basis not less than once every 12 months.[54]  Further, as stated by the Commission in the SCI Adopting Release, participation by members and participants of SCI entities in the testing of SCI entity BC/DR plans on an industry- or sector-wide basis would reduce duplicative efforts and be more cost effective than if members or participants were to test with each SCI entity on an individual basis.[55]  Therefore, Rule 1004 provides for coordinated BC/DR plan testing that includes the participation of designated members or participants.  At the same time, the Commission noted in the SCI Adopting Release that SCI entities are not required to conduct all functional and performance testing at once and in coordination with other SCI entities all at the same time.[56]  Rather, the Commission noted that if, to meet the requirements of the rule, a single annual test cannot be properly conducted, SCI entities have flexibility to design their testing to include, for example, weekend testing and testing in segments over the course of a year.[57] 

Question 4.02:  When are SCI entities required to complete their initial testing of their business continuity and disaster recovery plans with designated members or participants, as required by Rule 1004(b)?

Rule 1004 of Regulation SCI sets forth the requirements for testing an SCI entity’s BC/DR plans with members or participants.  This rule requires that, with respect to an SCI entity’s BC/DR plan, including its backup systems, each SCI entity shall:  (a) establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (b) designate members or participants pursuant to the standards established and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and (c) coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.

The practical effect of Rule 1004(b) is that SCI entities have up to 12 months from the compliance date of Regulation SCI to conduct the initial functional and performance testing of BC/DR plans with designated members or participants since Rule 1004(b), by its terms, requires that the frequency of such testing “not be less than once every 12 months.”  Consequently, SCI entities would have until November 2, 2016 (12 months from the compliance date of Regulation SCI) to complete their initial BC/DR testing with designated members or participants.

Section 5:  Recordkeeping

Question 5.01:  What type of “written undertaking” will satisfy the requirements of Rule 1007 relating to service bureaus or other recordkeeping services?

To ensure that records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity are available for review by the Commission and its representatives, Rule 1007 of Regulation SCI provides that the SCI entity must submit “a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service.”  Rule 1007 further provides that such a written undertaking “shall include an agreement by the service bureau to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any or all or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records.”  The written undertaking required by Rule 1007 may be in the form of a letter containing the required elements and should be submitted to the Commission as soon as an SCI entity engages a service bureau or other recordkeeping service.  This letter, as well as any subsequent update (as necessary), should be submitted to the designated email address or physical address that Commission staff will make available to each SCI entity prior to the compliance date of Regulation SCI.

Section 6:  Compliance Dates

Question 6.01:  When is the report of the first annual SCI review due to the Commission?

Rule 1003(b)(1) of Regulation SCI requires an SCI entity to conduct an “SCI review” of the SCI entity’s compliance with Regulation SCI not less than once per calendar year.[58]  An SCI review must contain (1) a risk assessment with respect to an SCI entity’s SCI systems and indirect SCI systems, and (2) an assessment of internal control design and effectiveness of such systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.[59]  Pursuant to Rule 1003(b)(2), an SCI entity must submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such a review.  Moreover, under Rule 1003(b)(3), an SCI entity must submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review and any response by senior management within 60 calendar days after its submission to senior management.  Consequently, if an SCI entity’s initial SCI review (“2015 SCI review”) was completed on December 31, 2015, the report of the SCI review would be due to senior management of the SCI entity no later than January 30, 2016, with such report and any response by senior management due to the Commission and the SCI entity’s board no later than March 31, 2016.

The Staff recognizes that the 2015 SCI review will be the first such review conducted pursuant to the requirements of Regulation SCI, and SCI entity personnel and the objective personnel performing such review will be considering the assessments required by the review for the first time.  Furthermore, given that the applicable Regulation SCI compliance date is November 3, 2015, this initial review necessarily will be based on a smaller amount of operational information, reporting, and other data than subsequent SCI reviews.  The Staff also acknowledges that SCI entities are likely to be fine-tuning their policies and procedures during the initial months following the Regulation SCI compliance date.  

Accordingly, the Staff would expect the 2015 SCI review to be primarily focused on assessing the design and initial implementation of the SCI entity’s policies and procedures and other mechanisms for compliance with Regulation SCI, including their reasonableness and comprehensiveness.  Although any significant weaknesses revealed during the initial implementation period would, of course, need to be addressed by the 2015 SCI review, the Staff acknowledges that a limited amount of operational data may be generated during that period and, as such, the Staff believes it is appropriate to focus on such design and implementation aspects for purposes of the 2015 SCI review.  In subsequent years, however, the objective personnel performing SCI reviews would need to fully assess the operational data generated during the applicable year in performing their assessments.

Question 6.02:  When does the calculation begin for determining whether an alternative trading system is an SCI ATS?

Under the definition of “SCI ATS” in Rule 1000 of Regulation SCI, an ATS will be subject to Regulation SCI if, during at least four of the preceding six calendar months, it had: 

  • With respect to NMS stocks:  (i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans; or
  • With respect to non-NMS stocks and for which transactions are reported to a SRO, five percent or more of the average daily dollar volume as calculated by the SRO to which such transactions are reported. 

The effective date of Regulation SCI was February 3, 2015, after which ATSs must evaluate whether they met the enumerated thresholds specified in the definition of “SCI ATS” (i.e., during four of the preceding six-months).  Specifically, in determining whether it falls into the category of SCI ATS, an ATS should, beginning with the month of February 2015 (and in each month thereafter), review its trading activity in the prior six-month period to determine whether it has met the thresholds applicable to SCI ATSs.

Paragraph (c) of the definition of SCI ATS also provides that an ATS that meets any of the volume thresholds in the definition for the first time is not required to comply with the requirements of Regulation SCI until six months after satisfying the thresholds for the first time.  For example, if an ATS satisfied the thresholds in the definition of SCI ATS for the first time in June 2015, it would have six months from that time to become fully compliant with Regulation SCI, and thus would have to comply with the requirements of Regulation SCI by December 2015.[60]

 

[1] See Securities Exchange Act Release No. 73639 (November 19, 2014), 79 FR 72252 (December 5, 2014) (“SCI Adopting Release”).

[2] Regulation SCI also applies to “indirect SCI systems,” which are any systems that, if breached, are likely to pose a security threat to SCI systems.  Further, certain SCI systems that are “critical SCI systems” are held to certain heightened requirements under Regulation SCI.  See 17 CFR 242.1000 (definitions of “SCI systems,” “indirect SCI systems,” and “critical SCI systems”). 

[3] See 17 CFR 242.1001.

[4] See 17 CFR 242.1002.  See also 17 CFR 242.1006.

[5] See 17 CFR 242.1003. 

[6] See 17 CFR 242.1005.  See also 17 CFR 242.1007.

[7] See 17 CFR 242.1004. 

[8] See SCI Adopting Release, 79 FR at 72280-81.

[9] See id.

[10] See SCI Adopting Release, 79 FR at 72280.

[11] Id.

[12] For example, NIST 800-53 Rev. 4, “Security and Privacy Controls for Federal Information Systems and Organizations” contains controls that would be relevant to risk assessments and system interconnections and separation.  Among others, such controls include:  System and Communications Protection Control Family (particularly SC-7 (Boundary Protection)); CA-3 (System Interconnections), CA-9 (Internal System Connections), PL-2 (System Security Plan), PL-8 (Information Security Architecture), RA-3 (Risk Assessment), AC-5 (Separation of Duties), AC-6 (Least Privilege), AC-14, (Permitted Actions without Identification or Authentication), AC-17 (Remote Access), AC-20 (Use of External Information Systems), CM-5 (Access Restrictions for Change), CM-7 (Least Functionality), and SA-9 (External Information System Services).  In addition, the Appendices to NIST Special Publication 800-47, “Security Guide for Interconnecting Information Technology Systems,” describes a formally documented interconnection that details responsibilities, logical protections and controls, and other issues that are relevant to the NIST 800-53, Rev. 4 control CA-3 (System Interconnections)).  See Staff Guidance on Current SCI Industry Standards, November 19, 2014, available at http://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf (listing NIST 800-53 Rev. 4 as one example of a publication that an SCI entity could look to in developing reasonable policies and procedures to comply with Rule 1001(a) of Regulation SCI).

[13] See 17 CFR 242.1003(b).

[14] See SCI Adopting Release, 79 FR at 72271.

[15] See SCI Adopting Release, 79 FR at 72275-76.  These contracts may be with another SCI entity, as in the case of a regulatory services agreement, or with a non-SCI entity.

[16] Rule 1000 defines SCI systems as “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.” 

[17] See SCI Adopting Release, 79 FR at 72275-76.

[18] Appropriate due diligence and oversight by the Contracting SCI Entity in such case could include, among other things:  (1) reviewing the policies and procedures developed by the Operating Entity; (2) discussing any concerns it identifies with the Operating Entity and working with the Operating Entity to ensure that the policies and procedures comply with Regulation SCI; and (3) periodically reviewing the maintenance and enforcement of the policies and procedures by the Operating Entity, including through assessing the reports of SCI reviews, which should include any weaknesses in such policies and procedures.  The Contracting SCI Entity could also incorporate the policies and procedures of the Operating Entity into its own policies and procedures and detail its policies and procedures for conducting appropriate due diligence and overseeing the performance of the Operating Entity under Regulation SCI.  However, the Staff does not believe it would be sufficient for the Contracting SCI Entity to solely rely on representations of the Operating Entity with respect to the adequacy of its policies and procedures, or to merely assume they are being maintained and enforced by the Operating Entity in accordance with Regulation SCI.

[19] In cases where the Operating Entity is itself an SCI entity (“Operating SCI Entity”) and, for example, the Operating SCI Entity uses a market surveillance system for itself as well as on behalf of the Contracting SCI Entity such that the system is an SCI system of each SCI entity, the Staff believes that it would be acceptable for the Operating SCI Entity to provide immediate notifications of SCI events to the Commission via phone or email on behalf of the Contracting SCI Entity.  In such cases, it would be appropriate that the SCI entities have written agreements in place to authorize the Operating SCI Entity to provide such immediate notifications on behalf of the Contracting SCI Entity, as well as itself, including designating appropriate personnel of the Operating SCI Entity as “responsible SCI personnel” for the limited purpose of immediate notifications under Rule 1002(b)(1).  In addition, such agreements should ensure that the Contracting SCI Entity is immediately informed of such communications (for example, a notification submitted via email could be sent to the Contracting SCI Entity at the same time that it is sent to the Commission).  The Staff notes that if the SCI entities choose to use the EFFS system for such immediate notifications, each would have to individually submit a Form SCI for the SCI event (i.e., in this example, both the Contracting SCI Entity and the Operating SCI Entity).  Ultimately, however, each SCI entity remains responsible for ensuring its own compliance with Regulation SCI, including ensuring both the timely submission of any required SCI event notification, as well as the accuracy and completeness of such notifications.

[20] For example, the Contracting SCI Entity and the Operating Entity may agree that it is appropriate for the Operating Entity to take certain corrective actions, as required by Rule 1002(a), following SCI events.  In such cases, among other things, the Contracting SCI Entity could be notified of the SCI event and the action to be taken, and the Contracting SCI Entity could periodically review and assess the Operating Entity’s performance with regard to corrective action taken in response to SCI events.  Further, with respect to reporting systems changes pursuant to Rule 1003(a), as with the notifications required by Rules 1002(b)(2)-(4), the Operating Entity may determine to, for example, provide the Contracting SCI Entity with a draft of the applicable submission, which the Contracting SCI Entity could submit to the Commission after performing its own appropriate due diligence, including review of and any revisions to such draft it deemed appropriate.  In addition, where the third party operating the SCI system is an Operating SCI Entity, the Contracting SCI Entity may also determine that it is appropriate to allow the Operating SCI Entity’s objective personnel to conduct the SCI review (or employ third party objective personnel to conduct such SCI review) and prepare the report of the SCI review as required by Rule 1003(b).  In such instances, the Contracting SCI Entity would need to exercise appropriate due diligence, which could include, but is not necessarily limited to, among other things, ensuring that the SCI review is conducted in accordance with the requirements of Regulation SCI (e.g., that it is performed by experienced, objective personnel), as well as reviewing the SCI report and taking appropriate action to ensure that any noted deficiencies are appropriately remedied.

[21] The Staff notes that the analysis in Question 2.04 regarding the types of systems that “directly support” order routing is limited to the order routing function.  A different analysis may apply to systems supporting the other key functions covered by Regulation SCI – trading, clearance and settlement, market data, market regulation, and market surveillance – which involve different processes and risks.

[22] See 17 CFR 242.611.

[23] Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be “so organized” and “[have] the capacity to…carry out the purposes of [the Exchange Act].” See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), respectively. 

[24] In adopting Regulation SCI, the Commission similarly narrowed the definition of SCI systems to include those systems relating to “market regulation,” rather than the broader term “regulation” as was proposed.  See Rule 1000 of Regulation SCI.

[25] See SCI Adopting Release, 79 FR at 72275.

[26] The Staff notes that a market surveillance system need not be used exclusively by an SCI ATS to be considered an SCI system.  For example, a market surveillance system used to surveil trading activity on an SCI ATS that is also used to surveil trading by the customers of its broker-dealer operator or other affiliates would be an SCI system.  However, to the extent certain components of such a market surveillance system are used exclusively to surveil trading activity of the customers of its broker-dealer operator or other affiliates, those components of the market surveillance system would not be an SCI system.

Further, the Staff notes that whether a system used for market surveillance meets the definition of SCI system is not dependent on whether such system conducts real-time surveillance.  In the SCI Adopting Release, the Commission expressly stated that it was not limiting the definition of SCI systems strictly to real-time systems because such a limitation could “exclude relevant systems, such as certain… market surveillance systems operated by or on behalf of an SCI entity, which the Commission views as integral to one or more of the six functions identified in the definition.”  See SCI Adopting Release, 79 FR at 72274, n.226.

[27] See 17 CFR 242.1001(a)(2)(v).

[28] See 17 CFR 242.1002(c)(3).

[29] See 17 CFR 242.1000.

[30] See SCI Adopting Release, 79 FR at 72277.

[31] See SCI Adopting Release, 79 FR at 72279.

[32] Id.

[33] See SCI Adopting Release, 79 FR at 72278, n.286.

[34] See SCI Adopting Release, 79 FR at 72278.

[35] See SCI Adopting Release, 79 FR at 72277.

[36] See SCI Adopting Release, 79 FR at 72275.  Under Regulation SCI, market data systems may meet either the definition of “SCI systems” or “critical SCI systems.”  Specifically, systems that “[d]irectly support functionality relating to … [t]he provision of consolidated market data” are “critical SCI systems,” while other types of market data systems, such as those that directly support proprietary market data systems, are “SCI systems.”  In the Adopting Release, the Commission emphasized the importance of consolidated market data, noting that it “provides the public with ready access to a comprehensive and reliable source of information for the prices and volume of any NMS stock at any time during the trading day” and “helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.”  See SCI Adopting Release, 79 FR at 72279.

[37] See SCI Adopting Release, 79 FR at 72275. 

[38] In this regard, the Commission noted in the SCI Adopting Release that systems providing or directly supporting price transparency are within the scope of SCI systems, while systems solely providing or directly supporting other types of data, such as systems used by market participants to submit disclosure documents, are not within the scope of SCI systems, so long as they do not also directly support price transparency.  See SCI Adopting Release, 79 FR at 72275.

[39] See SCI Adopting Release, 79 FR at 72255, nn. 31-33 (discussing market events that have involved market data-related systems issues that resulted in extended halts in trading on options exchanges, stock exchanges, and in the OTC equity securities markets).

[40]    See SCI Adopting Release, 79 FR at 72275 (discussing the meaning of “market data” and concluding that both proprietary market data and consolidated market data are within the scope of the definition of SCI systems and subject to Regulation SCI).

[41]    In contrast, as noted by the Commission in the SCI Adopting Release, the consolidated audit trail repository would fall within the definition of “SCI system” as a market regulation system.  See SCI Adopting Release, 79 FR at 72275, n.246.

[42] See SCI Adopting Release, 79 FR at 72336 at n. 991.

[43] See SCI Adopting Release, 79 FR at 72354.

[44] Even when an email system is used to directly support one of the six enumerated areas, it does not necessarily mean that an SCI entity’s entire email system is subject to Regulation SCI.  For example, if an SCI entity uses email to alert market participants of “self-help” issues, and the SCI entity determines that such functionality “directly supports” trading and/or routing, if the “self-help” functionality is effectively separated, such as through physical separation or the existence of appropriate safeguards, to ensure that the functionality is sufficiently segregated from the remainder of the corporate email system, then only the “self-help” email functionality would be subject to Regulation SCI, while the remainder of the corporate email system would not.

[45] See SCI Adopting Release, 79 FR at 72280-81.

[46] See SCI Adopting Release, 79 FR at 72288.

[47] Of course, for SCI events that are not major SCI events, an SCI entity is free (but is not required) to disseminate information about such events to all of its members or participants.

[48] In appropriate circumstances, one SCI Entity may contract with another SCI Entity to take steps to facilitate the meeting of certain obligations under Regulation SCI, including the immediate notification requirements with respect to SCI events.  See supra note 19 (FAQ 2.03).

[49] See SCI Adopting Release, 79 FR at 72325.

[50] Id.

[51] The information required to be disseminated for systems disruptions or systems compliance issues is set forth in Rule 1002(c)(1), and the information required to be disseminated for systems intrusions is set forth in Rule 1002(c)(2).

[52] A “major SCI event” is defined in Rule 1000 to mean “an SCI event that has had, or the SCI entity reasonably estimates would have:  (a) any impact on a critical SCI system; or (b) a significant impact on the SCI entity’s operations or on market participants.”

[53] See 17 CFR 242.1002(c)(3).

[54] In this regard, paragraphs (c) and (d) of Rule 1004 both refer to the testing of “such plans,” i.e., referencing the same BC/DR plans of an SCI entity.

[55] See SCI Adopting Release, 79 FR at 72354.

[56] See SCI Adopting Release, 79 FR at 72352.

[57] See SCI Adopting Release, 79 FR at 72352, n. 1182.

[58] However, penetration test reviews of the network, firewall, and production systems must be conducted at a frequency of not less than once every three years, and assessments of SCI systems directly supporting market regulation or market surveillance must be conducted at a frequency based upon a risk assessment, but not less than once every three years.  See Rule 1003(b)(i)-(ii).

[59] See 17 CFR 242.1000.

[60] The Staff notes that an ATS meeting the definition of SCI ATS as of the Effective Date does not receive an additional six months to comply with Regulation SCI after the November 3, 2015 compliance date.  Rather, the six-month compliance period for SCI ATSs would give such an ATS until August 2015 to comply, but because the compliance date of Regulation SCI is November 3, 2015 for all entities, the ATS would not be required to comply with Regulation SCI until November 3, 2015.  In other words, if the six-month compliance period for ATSs newly meeting the thresholds would result in a compliance date prior to the November 3, 2015 compliance date, such ATS will not be required to comply with Regulation SCI until the November 3, 2015.