Regulation SCI: A primer...

A suggestion from a reader was to conduct an analysis of Regulation SCI...

It's 743 pages of A4 (letter to our American reader), so this will not cover everything in painful detail, since I don't want my readers to fall asleep...

[While writing this I saw that Adam Sussman at Liquidnet had written an interesting article on this from the perspective of impact on the buy-side - you can read his here]
[I also recommend this blog post from Themis Trading]
The original document can be found here as pdf or here as html.
To clarify, the 743 pages include a mountain of legalese - one of my favourites is:
"Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, 23(a), and 24 thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, 78x, and 78w(a), the Commission adopts Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and amends Regulation ATS and Rule 24b-2 under the Exchange Act."

The actual effective part covers pages 706 to 739 including an example of the form to use to report events, instructions on how to use the form and
What is Regulation SCI?
"Regulation SCI will require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act.  It will also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities.  In addition, Regulation SCI will require SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events.  Regulation SCI will further require SCI entities to disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity.  In addition, Regulation SCI will require SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records."
--page 2
To whom will Regulation SCI apply?
"Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (“ATSs”), plan processors, and exempt clearing agencies (collectively, “SCI entities”), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities." --page 1
So how does this work?
Reg SCI makes a previously voluntary inspection routine mandatory.  The inspection routine is called the "Automation Review Policy" (ARP) and is described thus:
"The goal of the ARP inspections is to evaluate whether an ARP entity’s controls over its information technology resources in nine general areas, or information technology “domains,” is consistent with ARP and industry guidelines.  Such guidelines are identified by ARP staff from a variety of information technology publications that ARP staff believes reflects industry standards for securities market participants." --page 9
Now, this is where I find that my scepticism alert starts to twitch.  A bunch of folks read some industry magazines and determine that this is the right way to run an IT operation within financial services?  Maybe that's not what they actually do, but the above is a direct cut-and-paste quote from the SEC document.
Now, where do you get objective, qualified personnel to examine the relevant systems of SCI entities?
Scope creep?
"...enable the Commission to monitor and evaluate the implementation of  Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants."--page 29
"Regulation SCI is not designed to solely address system issues that cause widespread systemic disruption, but also to address more limited systems malfunctions and other issues that can harm market participants or create compliance issues"--page 44
So if Regulation SCI does not work, then the answer could well be "more Regulation SCI".  Anyone who follows the convoluted ways of the European Union will be familiar with the expression that the solution to any European problem is "more EU".  This sounds like it could go the same way...
Missed opportunities?
The purpose of Reg SCI is clearly to avoid market disruption caused by technology events.  But in that case - why not include technology firms that provide the plumbing?  How many orders and executions are carried by networks such as Fidessa, Sungard STN, ThomsonReuters Autex, Ullink, CRD and others?  If they have an outage - as I have seen in the past - the reporting to clients is poor.

Omgeo embed themselves...
"As noted in the SCI Proposal, this definition of “exempt clearing agency subject to ARP” currently covers one entity, Omgeo Matching Services – US, LLC (“Omgeo”).  In its comment letter, Omgeo stated that it believed its inclusion as an SCI entity was reasonable because clearing agencies that provide matching services, such as Omgeo, perform a critical role in the infrastructure of the U.S. financial markets in handling large amounts of highly confidential proprietary trade data."--page 75
In effect, Omgeo have increased the cost of market entry for a prospective competitor.  A strangely anti-competitive measure by the SEC.

Impact on outsourcing?
"if a system is operated on behalf of an SCI entity and directly supports one of the six key functions listed within the definition of SCI system, it should be included as an SCI system subject to the requirements of Regulation SCI." --page 92
Omgeo and BATS suggested that it would be "difficult for SCI entities to ensure compliance by third party vendors absent their willingness to disclose to SCI entities highly detailed information about their intellectual property and proprietary systems"--page 92
How will outsourcing providers respond?  It would be interesting to hear from folks who have outsourced SCI systems: what does the outsourcer propose to do?
Baking in operating models...
"if an SCI system experiences an unplanned outage but fails over smoothly to its backup system such that there is no disruption or significant degradation of the normal operation of the system, the outage of the primary system would not constitute a systems disruption"--page 127. 
This sort of language implies a primary/secondary failover model.  That's not unreasonable, but over recent years many systems have moved to using N inexpensive servers rather than 2 high-cost servers.  If a firm has five Linux servers designed to run at between 0% and 80% of processor capacity, each running at 20% load, and one fails, is moving the other four up to 25% really a problem?  In the same way that very expensive disk arrays have in part been replaced with RAID 5 or RAID 6, is the failure of one component really an issue while the system stays within its design envelope?

Front up to your own mistakes
"The Commission also is not distinguishing between intentional and unintentional systems intrusions, as suggested by some commenters"--page 143
Many years back I worked at a firm where a number of folks had database administrator access to production trading systems.  Due to a human error a database script was executed (not by me) that deleted and destroyed a series of production database tables.  The system design meant that this was not a problem until or unless the system was restarted, at which point the system would fail as these tables were non-existent.  Fortunately I had taken copies of these tables for loading into a test system to test some production issues.  The copies I had made were re-purposed to re-populate the production database and there was no issue.  It makes a lot of sense to track these issues, since in the case to which I refer a policy change to prevent widespread use of database administrator rights would have prevented any issue occurring.

Cost of compliance?
"The Commission estimates that the average burden to respond to Form SCI will be between one and 125 hours, depending upon the purpose for which the form is being filed" --page 734.

Brake on innovation?
"...the Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.  Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI.  Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.  The Commission believes that this change is warranted given the unique nature of the current fixed-income markets, as noted by several commenters.  In particular, fixed-income markets currently rely much less on automation and electronic trading than markets that trade NMS stocks or non-NMS stocks.  In addition, the municipal and corporate fixed-income markets tend to be less liquid than the equity markets, with slower execution times and less complex routing strategies"--page 71

When you read the associated reasoning, it appears that these ATS firms are excluded because they are not heavily electronic.  That means any corporate bond ATS now has a regulatory risk to manage: if it succeeds in driving technology adoption in corporate bond trading, that very success would make it liable to Regulation SCI.

I suspect that this will create work for consultants to certify process.  It will reduce risk taking in IT operations, increase the cost of doing business and reduce innovation.  I suspect that it will also lead to a vast quantity of unread notices on systems outages being passed around.

Conclusion: Nothing much to see here, pretty much everything apart from the reporting mechanism should be standard operating procedure in a well managed firm.