Developing Solutions to Ensure that the Automated Systems of Our Marketplace are Secure, Robust, and Reliable
Commissioner Luis A. Aguilar
March 7, 2013
In recent years, the securities markets have undergone significant changes, and none has had more impact than the development of technology systems with ever-increasing speed and capacity. These systems are so fast that, in a blink of an eye, millions of trades can take place and billions of dollars can be transferred from buyers to sellers.1 Unfortunately, these systems can just as quickly become a destructive force with devastating consequences.
Some of the better-known examples of recent system-related issues include:
- The Flash Crash of May 6, 2010.2 During the flash crash, in just a matter of minutes, certain equities experienced severe price movements — both up and down — with more than 20,000 trades in over 300 securities executed at prices more than 60% away from their market values. In just a few minutes, nearly $1 trillion in market value evaporated, before making a partial recovery.3
- The October 2011 system errors at Direct Edge exchanges where, in just over four minutes, the exchanges caused about 27 million shares of excess trading. These shares had an approximate market value of $773 million across roughly one thousand securities. The exchanges realized a net loss of $2.1 million in connection with the positions that were assumed and liquidated.4 The Commission sanctioned the Direct Edge entities for violations of the federal securities laws.5 In its Order, the Commission noted that the “violations occurred against the backdrop of weaknesses in Respondents’ systems, processes, and controls.”6
- Knight Capital Group Inc.’s $440 million trading loss in August 2012.7 In just 45 minutes, Knight Capital’s computers rapidly bought and sold millions of shares. Those trades pushed the value of many stocks up, and the company’s losses appear to have occurred when it had to sell the overvalued shares back into the market at a lower price. As a result, Knight Capital lost approximately $10 million per minute, almost had to go into bankruptcy, and subsequently agreed to be purchased.8
- The systems issues associated with the initial public offerings of BATS Global Markets, Inc., and Facebook, Inc., in March and May 2012, respectively.9 As a result of systems issues, the BATS IPO was abandoned, and the Facebook fiasco resulted in NASDAQ offering up to $62 million to accommodate members for losses attributable to the systems issues.10
- The recent admission by BATS that, for a period of more than four years, its computer systems for two equity exchanges and an options platform allowed trades to take place at prices that violated the Commission’s regulations, which require exchanges to ensure that investors receive the best price.11
These recent events highlight the need for the Commission to develop a secure, robust, and reliable regulatory framework to ensure that our capital markets develop and maintain systems with sufficient capacity, integrity, resiliency, availability, and security.
Today’s rule proposal, Regulation SCI (Systems Compliance and Integrity), is a step in the right direction. It is an important step forward from the purely voluntary program we have today as a result of the Commission’s 1989 policy statement, which states that SROs, on a voluntary basis, should establish comprehensive planning and assessment programs to determine systems capacity and vulnerability. At that time, the Commission noted the impact that systems problems and failures could have on public investors, broker-dealer risk exposure, and market efficiency.12 Clearly, the voluntary program has failed, as the above examples illustrate.
The proposed rule would move beyond the current voluntary program and requires entities to, among other things, (i) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems have adequate levels of capacity, integrity, resiliency, availability, and security to maintain the entity’s operational capability and promote the maintenance of fair and orderly markets; (ii) mandate participation in scheduled testing of the operation of the entity’s business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other entities; and (iii) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that entities submit all required written notifications and reports to the Commission electronically using new proposed Form SCI. These are all welcomed improvements.
However, although this is a positive step in the right direction, I am concerned that today’s rule proposal does not:
- Mandate compliance with a specific set of Commission-identified minimum standards to ensure that entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure that the entity’s systems provide adequate levels of capacity, integrity, resiliency, availability, and security. While the rule proposal provides a set of model policies and procedure for entities to consider, it fails to require minimum standards for policies and procedures. As a result, the rule proposal may not provide enough assurance that the resulting policies and procedures will meet the goals of the rule.
- Require that an external review of compliance with Regulation SCI be conducted on a periodic basis by an independent third party in order to reduce the risk of conflicts of interests. Simply stated, an internal review may not be as robust and complete due to competing internal business pressures.
- Provide for an entity’s senior officers to certify, in writing, that (i) the entity has processes in place to establish, document, maintain, review, test, and modify controls reasonably designed to achieve compliance with Regulation SCI; and (ii) that the annual budget and staffing levels are adequate for the entity to comply with its obligations under Regulation SCI. As Congress noted in connection with the CEO and CFO Certifications mandated by Section 302 of the Sarbanes-Oxley Act of 2002, “managers should be held accountable for the representations made by their company.”13 I believe that senior officer certifications would be an important tool to ensure compliance with today’s proposed rule.
Moreover, I am concerned that today’s rule proposal would allow an explicit safe harbor for entities and their employees that establish and maintain policies and procedures that are reasonably designed to comply with Regulation SCI. Although it is not stated in today’s release, I have been told by senior staff that the Commission has never previously included an explicit safe harbor in a Commission rule requiring that regulated entities maintain policies and procedures designed to achieve a particular objective.
In my view, an unprecedented safe harbor in a rule that does not require clear, identifiable, and meaningful standards, and that does not require policies and procedures to be reviewed by an independent third party and certified by senior officers, will result in a rule proposal that falls short of its goal — which is to ensure that our capital markets develop and maintain appropriate systems.
The rule proposal asks a number of important questions that were incorporated at my request to solicit comments from the public. These questions were designed to generate information and assist the Commission in thinking through issues associated with the rule proposal. This is an important part of the Commission’s rulemaking process, which is based on a “notice and comment” procedure. I hope that the comments generated will help make this a better rule.
Despite my concerns, I am willing to support today’s rule proposal because Regulation SCI would apply to more entities than the Commission’s current ARP Inspection Program, and the proposed rule would place obligations on entities not currently included in the Commission’s ARP policy statements. The havoc caused by recent events highlight the need to have an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets maintain systems with sufficient integrity, resiliency, and security. Although, I have concerns, I am hopeful they will be addressed at the adoption stage. By then, we should have a full five-member Commission.
Today’s rulemaking is a positive step in addressing the systems challenges posed by large, automated, complex, and fragmented trading centers. As the country’s capital markets regulator, the SEC must be at the forefront of proactively addressing changes in our capital market structure. The SEC should not merely respond to events that have occurred. Regulation SCI is one such proactive effort.
In closing, I want to thank the staff for its efforts. I look forward to the comments we will receive on this proposal.
1 See, Large Trader Reporting Rule, Securities and Exchange Commission Release No. 34-64976 (July 27, 2011); see, Consolidated Audit Trail Securities Exchange Commission Release No. 34-67457 (October 1, 2012); see, Concept Release on Equity Market Structure, Securities Exchange Commission Release No. 34-61358 (January 14, 2010), and Report of the Staffs of the CFTC and SEC to Joint Advisory Committee on Emerging Regulatory Issues (May 18, 2010).
2 See, “Findings Regarding the Market Events of May 6, 2010, Report of the Staffs of the CFTC and SEC to Joint Advisory Committee on Emerging Regulatory Issues.” On May 6, 2010, the prices of many U.S.-based equity products experienced an extraordinarily rapid decline and recovery. That afternoon, major equity indices in both the futures and securities markets, each already down over 4% from their prior-day close, suddenly plummeted a further 5-6% in a matter of minutes before rebounding almost as quickly. Many of the almost 8,000 individual equity securities and exchange traded funds (“ETFs”) traded that day suffered similar price declines and reversals within a short period of time, falling 5%, 10%, or even 15% before recovering most, if not all, of their losses. However, some equities experienced even more severe price moves, both up and down. Over 20,000 trades across more than 300 securities were executed at prices more than 60% away from their values just moments before. Moreover, many of these trades were executed at prices of a penny or less, or as high as $100,000, before prices of those securities returned to their “pre-crash” levels.
3 Id. By the end of the day, major futures and equities indices “recovered” to close at losses of about 3% from the prior day.
4 See, In the Matter of EDGX Exchange, Inc., EDGA Exchange, Inc., and Direct Edge ECN, LLC, Admin. Proc. File No. 3-14586, Exchange Act Release No. 65556 (October 13, 2011), available at http://www.sec.gov/litigation/admin/2011/34-65556.pdf (“Direct Edge Order”) (last visited March 6, 2013); see also, Commission News Release, 2011-208, “SEC Sanctions Direct Edge Electronic Exchanges and Orders Remedial Measures to Strengthen Systems and Controls” (October 13, 2011). EDGX, EDGA, and their affiliated routing broker, Direct Edge ECN LLC (dba DE Route), consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order. Among other things, the Direct Edge Order states:
“National securities exchanges are obligated to ensure that their order quoting, routing, and execution systems, compliance infrastructures, and communications platforms are developed, maintained, and governed to avoid material failures, outages, and other significant contingencies that could pose material risk to the National Market System and to the public interest. While some system outages inevitably will occur and not every outage is a violation of the federal securities laws, such outages, particularly when combined with significant other deficiencies in an exchange’s systems, processes, and controls, can present risks that, left unremediated, could cause harm to investors and other market participants. A national securities exchange must invest appropriate resources necessary to ensure the strength and integrity of its systems, processes, and controls, to comply with its own Commission-approved rules, to provide for adequate backup and failover systems, to prevent or react appropriately to significant system outages and failures, and, ultimately, to ensure an adequate governance and oversight structure necessary for quality assurance, continuous improvement, and process measurement, monitoring, and control.”
Direct Edge Order at pp. 2-3.
7 “Knight Capital Group Provides Update Regarding August 1st Disruption to Routing In NYSE-listed Securities” (August 2, 2012), available at http://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599 (last visited March 6, 2013).
9 Securities and Exchange Commission Release No. 34-67507, File No. SR-NASDAQ-2012-090 (July 26, 2012).
A number of entities have stated that NASDAQ’s offer of settlement was insufficient. See, Comment Letters available at, http://www.sec.gov/comments/sr-nasdaq-2012-090/nasdaq2012090-5.pdf (last visited March 6, 2013) and http://www.sec.gov/comments/sr-nasdaq-2012-090/nasdaq2012090-7.pdf (last visited March 6, 2013).
13 Senate Committee On Banking, Housing and Urban Affairs, No. 107-205 accompanying S. 2673.