It's 743 pages of A4 (letter to our American reader), so this will not cover everything in painful detail, since I don't want my readers to fall asleep...
[I also recommend this blog post from Themis Trading]
To clarify, the 743 pages include a mountain of legalese - one of my favourites is:
"Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, 23(a), and 24 thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, 78x, and 78w(a), the Commission adopts Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and amends Regulation ATS and Rule 24b-2 under the Exchange Act."
The actual effective part covers pages 706 to 739 including an example of the form to use to report events, instructions on how to use the form and
require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, Regulation SCI will require SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events. Regulation SCI will further require SCI entities to disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity. In addition, Regulation SCI will require SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records." --page 2
Omgeo embed themselves...
"As noted in the SCI Proposal, this definition of “exempt clearing agency subject to ARP” currently covers one entity, Omgeo Matching Services – US, LLC (“Omgeo”). In its comment letter, Omgeo stated that it believed its inclusion as an SCI entity was reasonable because clearing agencies that provide matching services, such as Omgeo, perform a critical role in the infrastructure of the U.S. financial markets in handling large amounts of highly confidential proprietary trade data."--page 75
In effect, Omgeo have increased the cost of market entry for a prospective competitor. A strangely anti-competitive measure by the SEC.
Impact on outsourcing?
"if a system is operated on behalf of an SCI entity and directly supports one of the six key functions listed within the definition of SCI system, it should be included as an SCI system subject to the requirements of Regulation SCI." --page 92
Omgeo and BATS suggested it would be "difficult for SCI entities to ensure compliance by third party vendors absent their willingness to disclose to SCI entities highly detailed information about their intellectual property and proprietary systems" --page 92
How will outsourced providers respond? It would be interesting to hear from folks who have outsourced SCI systems - what does the outsourcer propose to do?
Baking in operating models...
"if an SCI system experiences an unplanned outage but fails over smoothly to its backup system such that there is no disruption or significant degradation of the normal operation of the system, the outage of the primary system would not constitute a systems disruption"--page 127.
This sort of language implies a primary/secondary failover model. That's not unreasonable, but over recent years many systems have moved to using N inexpensive servers rather than two high-cost servers. If a firm has five Linux servers designed to run at between 0% and 80% of server processor capacity, each running at 20% load, and one fails, moving the other four to run at 25%, is that really a problem? In the same way that very expensive disk arrays have in part been replaced with RAID 5 or RAID 6, is a failure really an issue?
Front up to your own mistakes
"The Commission also is not distinguishing between intentional and unintentional systems intrusions, as suggested by some commenters"--page 143
Many years back I worked at a firm where a number of folks had database administrator access to production trading systems. Due to a human error a database script was executed (not by me) that deleted and destroyed a series of production database tables. The system design meant that this was not a problem until or unless the system was restarted, at which point the system would fail as these tables were non-existent. Fortunately I had taken copies of these tables for loading into a test system to test some production issues. The copies I had made were re-purposed to re-populate the production database and there was no issue. It makes a lot of sense to track these issues, since in the case to which I refer a policy change to prevent widespread use of database administrator rights would have prevented any issue occurring.
Cost of compliance?
"The Commission estimates that the average burden to respond to Form SCI will be between one and 125 hours, depending upon the purpose for which the form is being filed" --page 734.
Brake on innovation?
"...the Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time. Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule. The Commission believes that this change is warranted given the unique nature of the current fixed-income markets, as noted by several commenters. In particular, fixed-income markets currently rely much less on automation and electronic trading than markets that trade NMS stocks or non-NMS stocks. In addition, the municipal and corporate fixed-income markets tend to be less liquid than the equity markets, with slower execution times and less complex routing strategies" --page 71
When you read the associated reasoning, it appears that these ATS firms are excluded since they are not heavily electronic. This means that any corporate bond ATS has a regulatory risk to manage: the risk that, by being successful in driving technology adoption in corporate bond trading, the ATS would be liable to Regulation SCI.
I suspect that this will create work for consultants to certify process. It will reduce risk taking in IT operations, increase cost of doing business and reduce innovation. I suspect that it will also lead to a vast quantity of unread notices on systems outage being passed around.
Conclusion: Nothing much to see here; pretty much everything apart from the reporting mechanism should be standard operating procedure in a well-managed firm.