Statement at Open Meeting on Regulation SCI
Chair Mary Jo White
Nov. 19, 2014
Good morning. This is an open meeting of the U.S. Securities and Exchange Commission on November 19, 2014 under the Government in the Sunshine Act.
The Commission will today consider the staff’s recommendation to adopt Regulation Systems Compliance and Integrity, or Regulation SCI, a very important set of rules central to our ongoing efforts to strengthen the technology infrastructure of the U.S. securities markets, to improve its resilience, and to enhance the Commission’s ability to oversee it.
The Importance of Acting Now
Today marks both an historic shift in the Commission’s regulation of the central functions of the U.S. securities markets and a major step forward in what is – and must be – a continuous process of enhancing the technological infrastructure of our markets. For over two decades, the Commission’s oversight of technology controls in the securities markets has focused closely on the clearing agencies, exchanges, FINRA, and the plan processors that disseminate consolidated market data in the equities and options markets. This oversight, however, has been conducted pursuant to a voluntary program rooted in policy statements that were issued before many Americans even owned a computer, let alone connected to the internet. At the time these policy statements were formulated, they provided a strong framework for the Commission to continue to develop its oversight capabilities as technological change accelerated in the marketplace.
But at the same time, the number and significance of technology-related incidents have grown as our securities markets have attained unprecedented levels of automation, demonstrating the need for stronger, mandatory rules that reflect current market reality. Each of these incidents, irrespective of its cause or the magnitude of its impact, can undermine investor confidence. The Commission simply cannot adequately exercise its oversight over market-impacting issues in the complex, high-speed systems of 2014 using a dated – and voluntary – framework. Today’s market systems demand robust rules, strong internal controls, and vigorous enforcement.
As I have emphasized time and again, the critical infrastructure of the American securities markets must be built on the best, most robust technology feasible. Failures must be minimized and, when they occur, they must be remediated as quickly as possible and promptly reported to the Commission. Investors should expect no less of the world’s premier securities markets –indeed, investor confidence depends on it.
Aligning Regulation and Technology
The recommendation before us today establishes strong rules requiring those market participants most essential to the efficient functioning of the U.S. securities markets have in place robust technology controls and promptly take corrective action when problems arise. I want to highlight four principal ways that I believe the recommendation accomplishes this goal.
First, these rules have a significant and substantial sweep. The rules are broader than the voluntary program they replace. They cover the exchanges, clearing agencies, FINRA, the MSRB, and securities information processors, as well as the alternative trading systems accounting for the bulk of equity trading on such systems. The entities covered by these rules own, operate, and are responsible for the infrastructure that is the core of the U.S. securities markets – systems that ensure that stocks open and close efficiently, that information is transmitted promptly to investors, and that millions of trades that occur every day are executed, cleared, and settled correctly every day.
Let me pause for a moment on alternative trading systems, where some have called for universal coverage. As envisioned by the proposal, the recommendation focuses on larger volume platforms and does not encompass smaller equity platforms that today on average each account for less than 0.2 percent of the consolidated dollar volume in NMS stocks. The staff’s recommendation is risk-based, covering the overwhelming majority of equity market activity on trading platforms that enables the Commission to concentrate its regulatory and examination resources where they will best protect investors. But the recommendation is also dynamic: where a platform develops volume significant enough to impact trading across the market or even in a single security, the controls of Regulation SCI will be triggered.
The recommendation also treats differently platforms that trade exclusively corporate and municipal debt securities. Here, as the release discusses, we should not simply apply by rote the equity market framework as if “one size fits all” when, as I have highlighted before, fixed income markets rely much less on automation and electronic trading, and exhibit considerably less liquidity. Currently, the benefits of applying Regulation SCI to the fixed income markets are thus comparatively low, while the risks of impeding the important regulatory objectives of bringing greater transparency and efficiency to these markets is high.
The second critical element of the rules before us today is that they require comprehensive programs for technology controls in five key areas. The covered entities must implement policies and procedures to ensure that their market systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets. These entities also need to ensure that their policies and procedures are designed to ensure that their systems operate in compliance with the Exchange Act and their own rules. The rules also now specify a series of minimum standards for these compliance policies and procedures – an important enhancement from the voluntary program.
The scope of these requirements covers virtually every aspect of establishing and maintaining a technological system important for the securities markets. Covered entities will need to address capacity planning, capacity stress testing, systems updates and testing, among other aspects of their systems. As the proposal for Regulation SCI recognized, establishing minimum technical standards for these requirements is not practical today. A single set of widely used industry or government standards that address the diverse systems used by the entities that will be subject to Regulation SCI does not exist today. We cannot, however, responsibly hold up our rules, and the implementation of the critical technological controls they will bring, waiting for the development of such standards. We do, however, maintain the goal of setting uniformly high technical standards. To take the next step toward that goal, the Commission staff today will issue guidance addressing existing industry and government standards that potentially could lay the foundation for the development of a uniform set of SCI standards.
The third critical element of these rules is that they demand action if a systems incident does occur. A covered entity experiencing systems problems must take prompt corrective action and notify the Commission, as well as their members and participants. The process of correction and notification today is too often piecemeal and inconsistent – investors deserve better and, under these rules, there will be a strong, coherent standard for addressing systems issues and sharing this market-critical information.
Fourth, the rules require enhanced responsibility and accountability. Market participants covered by the new rules must report quarterly to the Commission about their systems changes and undertake an annual review of compliance with Regulation SCI performed by objective personnel. The requirement of objectivity means that a covered entity must have in place mechanisms to identify and mitigate all conflicts of interest that a reviewer may have, whether that reviewer is internal or external. A report of the annual review must be submitted to senior management for their review and response, and filed with the Commission. The final rule enhances the accountability called for by the original proposal, defining specifically who in senior management must review the report and requiring the report to be provided to the Board of Directors.
Taken together, these requirements are designed to promote the continued improvement of technology systems and procedures and to ensure the involvement and investment of senior management in compliance with Regulation SCI. We will look closely at the annual reviews and senior management responses, and I am confident that our focus will result in these reports and responses being accorded the appropriate level of attention by the entities submitting them.
Regulation SCI is the latest regulatory step to enhance market infrastructure. While I have just highlighted several important aspects of this rulemaking, there are many other important requirements in the recommendation before the Commission today, including rules focusing on enhanced business continuity and disaster recovery planning and testing.
In addition, just as today’s recommendation should not be seen as the end of our work to strengthen the interconnected technology infrastructure of our securities markets, it should also not be viewed in isolation from the regulatory steps we have already taken. Over the last four years, the Commission has worked with FINRA and the exchanges to put in place a series of measures, including the “limit-up/limit-down” moderator and enhanced market-wide circuit breakers, to address extraordinary volatility as occurred during the “Flash Crash” of May 2010. The Commission has also adopted and enforced important rules for better market access controls at broker-dealers in order to address the risks that a single market participant can pose to the markets and investors. And incidents over the last few years have highlighted the potential exposures of large broker-dealers and the importance of the compliance with and enforcement of these measures. Over the last year and a half, we have also worked closely with the equity exchanges to put in place new “kill switches” that market participants can use to better control their risks. Most recently, FINRA and the exchanges have undertaken a series of improvements to critical market infrastructure in the wake of the August 2013 incident with the Nasdaq tape, including greatly enhanced backup protections for the consolidated data providers.
As the examples of incidents and other regulatory actions we have previously taken illustrate, today’s rule is an important and vital piece in an expanding constellation of measures to strengthen the technology infrastructure of the U.S. securities markets. We cannot responsibly delay action today as we actively explore additional steps to modernize and strengthen our regulations to bring them in line with today’s technology. As set forth in the proposing release, another important issue for our review is whether Regulation SCI – which is already broader than the existing voluntary regime – should be adapted and expanded to cover other types of market participants whose operations can have a significant market impact if they are disrupted.
With Regulation SCI adopted, the staff will be considering this issue and how best to respond to it. My own view is that we need to address any regulatory gaps that exist for market participants whose systems would have a significant market impact if they were disrupted. And, to build on the investment of resources that produced today’s rules, I have directed the staff to prepare recommendations for the Commission’s consideration as to whether an SCI-like framework should be developed for other key market participants, such as broker-dealers and transfer agents.
Just as our markets are evolving continuously, so too must our efforts to enhance the critical infrastructure on which investors rely daily. I look forward to continuing to work with my fellow Commissioners, the staff, and market participants to do all we can to ensure that the U.S. securities markets remain the strongest and most vibrant in the world.
Before turning the meeting over to Dave Shillman in the Division of Trading and Markets to discuss the proposed rule, I would like to express my thanks to him as well as David Liu, Heidi Pilpel, Sara Hawkins, Yue Ding, David Garcia, Beth Badawy and Donna Chambers from the Division of Trading and Markets for their work on this rulemaking. Thank you also to Annie Small, Meridith Mitchell, Lori Price, Rich Levine, Robert Teply, and Janice Mitnick from the Office of the General Counsel; Mark Flannery, Jennifer Marietta-Westberg, Amy Edwards, Christopher Meeks, Mike Watson, and Seung Won Woo from the Division of Economic and Risk Analysis; Drew Bowden, Marc Wyatt, John Polise, Connie Kiggins, Michael Hershaft, Ed Schmidt, and Harrison Lou from the Office of Compliance Inspections and Examinations; and Todd Scharf from the Office of Information Technology.
I also would like to thank the Commissioners and all of our counsel for their very hard work and comments on the proposed rule.