Proposed Rule2023-05775
Regulation Systems Compliance and Integrity
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
April 14, 2023
Issuing agencies
Securities and Exchange Commission
Abstract
The Securities and Exchange Commission ("Commission" or "SEC") is proposing amendments to Regulation Systems Compliance and Integrity ("Regulation SCI") under the Securities Exchange Act of 1934 ("Exchange Act"). The proposed amendments would expand the definition of "SCI entity" to include a broader range of key market participants in the U.S. securities market infrastructure, and update certain provisions of Regulation SCI to take account of developments in the technology landscape of the markets since the adoption of Regulation SCI in 2014. The proposed expansion would add the following entities to the definition of "SCI entity": registered security-based swap data repositories ("SBSDRs"); registered broker-dealers exceeding an asset or transaction activity threshold; and additional clearing agencies exempted from registration. The proposed updates would amend provisions of Regulation SCI relating to systems classification and lifecycle management; third party/vendor management; cybersecurity; the SCI review; the role of current SCI industry standards; and recordkeeping and related matters. Further, the Commission is requesting comment on whether significant-volume alternative trading systems (ATSs) and/or broker-dealers using electronic or automated systems for trading of corporate debt securities or municipal securities should be subject to Regulation SCI.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 72 (Friday, April 14, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 72 (Friday, April 14, 2023)]
[Proposed Rules]
[Pages 23146-23274]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-05775]
[[Page 23145]]
Vol. 88
Friday,
No. 72
April 14, 2023
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 242 and 249
Regulation Systems Compliance and Integrity; Proposed Rule
��Federal Register / Vol. 88 , No. 72 / Friday, April 14, 2023 /
Proposed Rules��
[[Page 23146]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 242 and 249
[Release No. 34-97143; File No. S7-07-23]
RIN 3235-AN25
Regulation Systems Compliance and Integrity
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'' or
``SEC'') is proposing amendments to Regulation Systems Compliance and
Integrity (``Regulation SCI'') under the Securities Exchange Act of
1934 (``Exchange Act''). The proposed amendments would expand the
definition of ``SCI entity'' to include a broader range of key market
participants in the U.S. securities market infrastructure, and update
certain provisions of Regulation SCI to take account of developments in
the technology landscape of the markets since the adoption of
Regulation SCI in 2014. The proposed expansion would add the following
entities to the definition of ``SCI entity'': registered security-based
swap data repositories (``SBSDRs''); registered broker-dealers
exceeding an asset or transaction activity threshold; and additional
clearing agencies exempted from registration. The proposed updates
would amend provisions of Regulation SCI relating to systems
classification and lifecycle management; third party/vendor management;
cybersecurity; the SCI review; the role of current SCI industry
standards; and recordkeeping and related matters. Further, the
Commission is requesting comment on whether significant-volume
alternative trading systems (ATSs) and/or broker-dealers using
electronic or automated systems for trading of corporate debt
securities or municipal securities should be subject to Regulation SCI.
DATES: Comments should be received on or before June 13, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="https://www.sec.gov/rules/proposed.shtml">https://www.sec.gov/rules/proposed.shtml</a>); or
<bullet> Send an email to <a href="/cdn-cgi/l/email-protection#4a383f262f67292527272f243e390a392f29642d253c"><span class="__cf_email__" data-cfemail="daa8afb6bff7b9b5b7b7bfb4aea99aa9bfb9f4bdb5ac">[email protected]</span></a>. Please include
File Number S7-07-23 on the subject line.
Paper Comments
<bullet> Send paper comments to, Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-07-23. This file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (<a href="https://www.sec.gov/rules/proposed.shtml">https://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549 on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change. Persons submitting comments are cautioned that
we do not redact or edit personal identifying information from comment
submissions. You should submit only information that you wish to make
available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any materials will
be made available on our website. To ensure direct electronic receipt
of such notifications, sign up through the ``Stay Connected'' option at
<a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Senior Special Counsel;
David Liu, Special Counsel; Sara Hawkins, Special Counsel; Gita
Subramaniam, Special Counsel; Josh Nimmo, Special Counsel; An Phan,
Special Counsel, at (202) 551-5500, Office of Market Supervision,
Division of Trading and Markets, U.S. Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION: The Commission is proposing amendments to
the following rules under the Exchange Act and conforming amendments to
Form SCI.
------------------------------------------------------------------------
Commission reference CFR citation (17 CFR)
------------------------------------------------------------------------
Rule 1000................................ Sec. 242.1000
Rule 1001................................ Sec. 242.1001
Rule 1001(a)............................. Sec. 242.1001(a)
Rule 1001(a)(2).......................... Sec. 242.1001(a)(2)
Rule 1001(a)(2)(v)....................... Sec. 242.1001(a)(2)(v)
Rule 1001(a)(2)(vi)...................... Sec. 242.1001(a)(2)(vi)
Rule 1001(a)(2)(vii)..................... Sec. 242.1001(a)(2)(vii)
Rule 1001(a)(4).......................... Sec. 242.1001(a)(4)
Rule 1002................................ Sec. 242.1002
Rule 1002(b)............................. Sec. 242.1002(b)
Rule 1002(b)(4)(ii)(B)................... Sec. 242.1002(b)(4)(ii)(B)
Rule 1002(b)(5).......................... Sec. 242.1002(b)(5)
Rule 1002(b)(5)(i)....................... Sec. 242.1002(b)(5)(i)
Rule 1002(b)(5)(ii)...................... Sec. 242.1002(b)(5)(ii)
Rule 1002(c)............................. Sec. 242.1002(c)
Rule 1002(c)(3).......................... Sec. 242.1002(c)(3)
Rule 1002(c)(4).......................... Sec. 242.1002(c)(4)
Rule 1002(c)(4)(i)....................... Sec. 242.1002(c)(4)(i)
Rule 1002(c)(4)(ii)...................... Sec. 242.1002(c)(4)(ii)
Rule 1003................................ Sec. 242.1003
Rule 1003(b)............................. Sec. 242.1003(b)
Rule 1003(b)(1).......................... Sec. 242.1003(b)(1)
Rule 1003(b)(2).......................... Sec. 242.1003(b)(2)
Rule 1003(b)(3).......................... Sec. 242.1003(b)(3)
Rule 1004................................ Sec. 242.1004
Rule 1004(a)............................. Sec. 242.1004(a)
Rule 1004(b)............................. Sec. 242.1004(b)
Rule 1005................................ Sec. 242.1005
Rule 1005(c)............................. Sec. 242.1005(c)
------------------------------------------------------------------------
I. Introduction
II. Background and Overview
A. History of Regulation SCI
B. Current Regulation SCI
1. SCI Entities and SCI Systems
2. Reasonably Designed Policies and Procedures
3. SCI Events
4. Systems Changes and SCI Review
5. Business Continuity and Disaster Recovery Testing with
Members/Participants
6. Recordkeeping and Other Provisions (Rules 1005-1007)
C. Overview of Proposed Amendments to Regulation SCI
III. Proposed Amendments to Regulation SCI
A. Definition of SCI Entity
1. Evolution: Current and Proposed SCI Entities
2. New Proposed SCI Entities
3. General Request for Comment on Proposed Expansion of SCI
Entities
B. Request for Comment Regarding Significant-Volume Fixed Income
ATSs and Broker-Dealers Using Electronic or Automated Systems for
Trading of Corporate Debt Securities or Municipal Securities
1. Discussion
2. Request for Comment
C. Strengthening Obligations of SCI Entities
1. Systems Classification and Lifecycle Management
2. Third-Party Provider Management
3. Security
4. SCI Review
5. Current SCI Industry Standards
6. Other Changes
D. SCI Entities Subject to the Exchange Act Cybersecurity
Proposal and/or Regulation S-P
1. Discussion
2. Request for Comment
IV. Paperwork Reduction Act
A. Summary of Collections of Information
B. Proposed Use of Information
1. Rule 1001 of Regulation SCI
2. Rule 1002 of Regulation SCI
3. Rule 1003 of Regulation SCI
4. Rule 1004 of Regulation SCI
5. Rule 1005 and 1007 of Regulation SCI
6. Rule 1006 of Regulation SCI
[[Page 23147]]
C. Respondents
D. Total Initial and Annual Reporting Burdens
1. Rule 1001
2. Rule 1002
3. Rule 1003
4. Rule 1004
5. Rule 1005
6. Rule 1006
7. Summary of the Information Collection Burden
E. Collection of Information Is Mandatory
F. Confidentiality of Responses to Collection of Information
G. Request for Comment
V. Economic Analysis
A. Introduction
B. Baseline
1. New SCI Entities
2. Existing SCI Entities:
3. Current Market Practice
4. Other Affected Parties
C. Analysis of Benefits and Costs of Proposed Amendments
1. General Benefits and Costs of Proposed Amendments
2. Expansion to New SCI Entities
3. Specific Benefits and Costs of Regulation SCI Requirements
for All SCI Entities
D. Efficiency, Competition, and Capital Formation Analysis
E. Reasonable Alternatives
1. Limiting the Scope of the Regulation SCI Provisions for New
SCI Entities
2. Mandating Compliance with Current SCI Industry Standards
3. Requiring Diversity of Back-Up Plan Resources
4. Penetration Testing Frequency
5. Attestation for Critical SCI System Vendors
6. Transaction Activity Threshold for SCI Broker-Dealers
7. Limitation on Definition of ``SCI Systems'' for SCI Broker-
Dealers
VI. Regulatory Flexibility Act Certification
A. ``Small Entity'' Definitions
B. Current SCI Entities
1. SCI SROs
2. The MSRB
3. SCI ATSs
C. Proposed SCI Entities
1. SBSDRs
2. SCI Broker-dealers
3. Exempt Clearing Agencies
D. Certification
Statutory Authority
I. Introduction
The U.S. securities markets are among the largest and most liquid
in the world, attracting a wide variety of issuers and broad investor
participation, and are essential for capital formation, job creation,
and economic growth, both domestically and across the globe. The fair
and orderly functioning of the U.S. securities markets is critically
important to the U.S. economy. In 2014, recognizing the decades-long
transformation of many U.S. securities markets from primarily manual
markets to those that had become almost entirely electronic and highly
dependent on sophisticated technology, including complex and
interconnected trading, clearing, routing, market data, regulatory,
surveillance and other technological systems, the Commission adopted 17
CFR 242.1000 through 242.1007 (``Regulation SCI'') to supersede and
replace the Commission's voluntary Automation Review Policy Program
(``ARP'') and certain provisions of 17 CFR 242.300 through 242.304
(``Regulation ATS'').\1\ Regulation SCI, which applies to ``SCI
entities'' with respect to their ``SCI systems'' and ``indirect SCI
systems,'' was the Commission's first formal extensive regulatory
framework for oversight of the core technology of the U.S. securities
markets.
---------------------------------------------------------------------------
\1\ See Securities Exchange Act Release No. 73639 (Nov. 19,
2014), 79 FR 72252 (Dec. 5, 2014) (``SCI Adopting Release'').
---------------------------------------------------------------------------
The U.S. securities markets have demonstrated resilience since the
adoption of Regulation SCI, with some market observers crediting
Regulation SCI in helping to ensure that markets and market
participants were prepared for the unprecedented trading volumes and
volatility experienced in March 2020 at the onset of the COVID-19
pandemic.\2\ The U.S. securities markets continue to experience changes
and new challenges, however. The growth of electronic trading allows
ever-increasing volumes of securities transactions in a broader range
of asset classes to take place at increasing speed by competing trading
platforms, including those offered by broker-dealers that play multiple
roles in the markets.\3\ In addition, new types of registered entities
that are highly dependent on interconnected technology have entered the
markets.\4\ The prevalence of remote workforces, furthered by the
COVID-19 pandemic,\5\ and increased outsourcing to third-party
providers, including cloud service providers, continue to drive the
markets' and market participants' reliance on new and evolving
technology.\6\ While these advances demonstrate the dynamic and
adaptable nature of the U.S. securities markets and market
participants, the greater dispersal, sophistication, and
interconnection of the technology underpinning our markets bring
potential new risks. These risks include not only the heightened risk
of exposure to cybersecurity events from threat actors intent on doing
harm, but also operational systems problems that can and do arise
inadvertently.
---------------------------------------------------------------------------
\2\ See, e.g., Shane Remolina, Is Remote Trading Leading to a
Paradigm Shift on the Trading Desk?, Traders Magazine (May 20,
2020), available at <a href="http://www.tradersmagazine.com/departments/buyside/is-remote-trading-leading-to-a-paradigm-shift-on-the-trading-desk">www.tradersmagazine.com/departments/buyside/is-remote-trading-leading-to-a-paradigm-shift-on-the-trading-desk</a>
(observing ``no outages'' at the stock exchanges in Mar. 2020 in
contrast to ``glitches'' experienced in 2000s); Financial Industry
Regulatory Authority, Inc. (``FINRA''), Market Structure & COVID-19:
Handling Increased Volatility and Volumes (Apr. 28, 2020), available
at <a href="https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus">https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus</a> (observing that market infrastructure
and integrity held during the challenges in Mar. 2020, and crediting
Regulation SCI, among other regulatory protections).
\3\ See, e.g., Securities Industry and Financial Markets
Association (``SIFMA''), SIFMA Insights: Electronic Trading Market
Structure Primer (Oct. 2019), available at <a href="https://www.sifma.org/wp-content/uploads/2019/10/SIFMA-Insights-Electronic-Trading-Market-Structure-Primer.pdf">https://www.sifma.org/wp-content/uploads/2019/10/SIFMA-Insights-Electronic-Trading-Market-Structure-Primer.pdf</a> (summarizing electronic trading history and
trends in different markets). See also SEC Staff Report on
Algorithmic Trading in U.S. Capital Markets at 16-19, 37 (Aug. 5,
2020), available at <a href="https://www.sec.gov/files/marketstructure/research/algo_trading_report_2020.pdf">https://www.sec.gov/files/marketstructure/research/algo_trading_report_2020.pdf</a> (discussing broker-dealer ATSs
and internalizers, and other in-house sources of liquidity, such as
single-dealer platforms (``SDPs''), and central risk books operated
by broker-dealers) (``Algorithmic Trading Report''). Staff reports,
Investor Bulletins, and other staff documents (including those cited
herein) represent the views of Commission staff and are not a rule,
regulation, or statement of the Commission. The Commission has
neither approved nor disapproved the content of these staff
documents and, like all staff statements, they have no legal force
or effect, do not alter or amend applicable law, and create no new
or additional obligations for any person.
\4\ See infra section III.A.2.a (discussing registered SBSDRs).
\5\ See FS-ISAC, Navigating Cyber 2021 (Apr. 2021), available at
<a href="https://www.fsisac.com/navigatingcyber2021-report">https://www.fsisac.com/navigatingcyber2021-report</a>. See also Vikki
Davis, Combating the cybersecurity risks of working home, Cyber
Magazine (Dec. 2, 2021), available at <a href="https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home">https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home</a>.
\6\ See, e.g., Angus Loten, Cloud Demand Drives Data Center
Market to New Records, Wall St. J. (Feb. 27, 2020); Angus Loten,
CIOs Accelerate Pre-Pandemic Cloud Push, Wall St. J. (Apr. 26,
2021).
---------------------------------------------------------------------------
As the Commission has acknowledged, Regulation SCI is not, nor can
it be, designed to guarantee that SCI entities have flawless
systems.\7\ Rather, its goals are to strengthen the technology
infrastructure of the U.S. securities markets and improve its
resilience when technology falls short.\8\ To help achieve these goals,
the regulation requires that SCI entities have policies and procedures
reasonably designed to ensure that their systems have levels of
capacity, integrity, resiliency, availability, and security, adequate
to maintain their operational capability and promote the maintenance of
fair and orderly markets, and requires measures that facilitate the
Commission's oversight of securities market technology
infrastructure.\9\ Consistent with the goals of addressing
technological vulnerabilities and improving oversight of the core
[[Page 23148]]
technology of key U.S. securities market entities, the Commission is
proposing amendments to Regulation SCI that would expand its
application to additional key market participants and update certain of
its provisions to take account of the evolution of technology and
trading since the rule's adoption in 2014. The application of
Regulation SCI to a broader range of entities together with updates to
certain provisions--including to account for heightened cybersecurity
risks, wider use of cloud service providers, and the increasingly
complex and interconnected nature of SCI entities' systems--should help
ensure that the technology infrastructure of the U.S. securities
markets remains robust, resilient, and secure.
---------------------------------------------------------------------------
\7\ See SCI Adopting Release, supra note 1, at 72291, 72351.
\8\ See id. at 72257.
\9\ See generally SCI Adopting Release, supra note 1, at 72299,
72372, 72402, 72404-05.
---------------------------------------------------------------------------
The Commission has issued other proposals related to cybersecurity
that would apply to SCI entities as well as other entities under the
Commission's jurisdiction.\10\ Regulation SCI, currently, and as
proposed to be amended, however, differs from these proposals in terms
of its purpose and scope. Regulation SCI applies to entities designated
as key market participants because they play a significant role in the
U.S. securities markets and/or have the potential to impact investors,
the overall market, or the trading of individual securities in the
event of a systems issue. Regulation SCI requires key market
participants to (i) have policies and procedures in place to help
ensure the robustness and resiliency of their market technology
systems, and (ii) provide certain notices and reports to the
Commission, and in some cases, market participants, to facilitate
Commission oversight of securities market infrastructure. While
Regulation SCI has cybersecurity aspects and certain of the proposed
amendments to Regulation SCI would update policies and procedures
requirements designed to keep SCI systems and indirect SCI systems
secure, the proposed amendments are designed, more broadly, to ensure
that SCI entities (current and proposed) have systems technology
adequate to maintain operational capability of the systems on which the
maintenance of fair and orderly markets depend.
---------------------------------------------------------------------------
\10\ These include a proposal to adopt new rules requiring
broker-dealers, major security-based swap participants, national
securities exchanges, national securities associations, security-
based swap data repositories, security-based swap dealers, transfer
agents, and the Municipal Securities Rulemaking Board (``MSRB'') to
adopt and implement written cybersecurity policies and procedures
reasonably designed to address cybersecurity risks to their
``information systems'' and notify the Commission and the public of
significant cybersecurity incidents affecting their information
systems. See Securities Exchange Release No. 97142 (Mar. 15, 2023),
88 FR 20212 (April 5, 2023) (proposing 17 CFR 242.10) (for ease of
reference, this proposal is referred to as the ``Exchange Act
Cybersecurity Proposal''). See also Securities Exchange Release No.
97141 (Mar. 15, 2023), 88 FR 20616 (April 6, 2023) (proposing to
amend 17 CFR part 248, subpart A (``Regulation S-P''), to, among
other things, require broker-dealers, investment companies, SEC-
registered investment advisers, and transfer agents to adopt
incident response programs to address unauthorized access to or use
of customer records and information, including procedures for
providing timely notification to individuals affected by an
information security incident designed to help affected individuals
respond appropriately) (``Regulation S-P 2023 Proposing Release'').
See infra section III.D (discussing of how SCI entities would be
affected if the Exchange Act Cybersecurity Proposal, Regulation S-P
2023 Proposing Release, and this proposal are all adopted as
proposed). In addition, the Commission has pending proposals to
address cybersecurity risk with respect to investment advisers,
investment companies, and public companies. See Cybersecurity Risk
Management for Investment Advisers, Registered Investment Companies,
and Business Development Companies, Release Nos. 33-11028, 34-94917,
IA-5956, IC-34497 (Feb. 9, 2022), 87 FR 13524 (Mar. 9, 2022) (``IA/
IC Cybersecurity Proposing Release''); Cybersecurity Risk
Management, Strategy, Governance, and Incident Disclosure, Release
Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022), 87 FR 16590 (Mar.
23, 2022). The Commission has reopened the comment period for the
IA/IC Cybersecurity Proposing Release to allow interested persons
additional time to analyze the issues and prepare their comments in
light of other regulatory developments, including the proposed rules
and amendments regarding this proposal, the Exchange Act
Cybersecurity Proposal and the Regulation S-P 2023 Proposing
Release. The Commission encourages commenters to review those
proposals to determine whether they might affect their comments on
this proposing release.
---------------------------------------------------------------------------
II. Background and Overview
A. History of Regulation SCI
The Commission adopted Regulation SCI in 2014 to supersede and
replace the Commission's legacy voluntary ARP Program as well as
certain provisions of Regulation ATS.\11\ In doing so, the Commission
sought to strengthen the technology infrastructure of the U.S.
securities markets, reduce the occurrence of systems issues in those
markets, improve their resiliency when technological issues arise, and
establish an updated and formalized regulatory framework, thereby
helping to ensure more effective Commission oversight of such
systems.\12\ Several factors contributed to the Commission's decision
to adopt this regulation. Recognizing the growing importance of
technology in the securities markets, the Commission issued the ARP I
and ARP II Policy Statements in 1989 and 1991, respectively.\13\ In the
decades that followed, key market participants in the securities
industry increasingly relied on ever more complex technologies for
trading and clearance and settlement of securities. The increased
reliance on technology introduced challenges for the securities
markets, as evidenced by a variety of market disruptions occurring in a
relatively short time period.\14\ The Commission convened a roundtable
entitled ``Technology and Trading: Promoting Stability in Today's
Markets'' (``Technology Roundtable'') in 2012.\15\ Shortly thereafter,
following Superstorm Sandy on the U.S. East Coast, the U.S. national
securities exchanges closed for two business days in light of concerns
over the physical safety of personnel and the possibility of technical
issues.\16\ These and other developments in U.S. securities markets led
the Commission to consider the effectiveness of the 1980s and 90s-era
ARP Program. The focus of the ARP Program was to ensure that the self-
regulatory organizations (``SROs'') had adequate capacity, security,
and business continuity plans by, among other things, reporting to the
Commission staff their planned systems changes 30 days in advance and
reporting outages in trading and related systems.\17\ While the ARP
Policy Statements were rooted in Exchange Act
[[Page 23149]]
requirements, as policy statements rather than Commission rules,
compliance was voluntary and in many instances the SROs did not fully
disclose problems that occurred. In the SCI Proposing Release, the
Commission stated that ``the continuing evolution of the securities
markets to the current state, where they have become almost entirely
electronic and highly dependent on sophisticated trading and other
technology (including complex regulatory and surveillance systems, as
well as systems relating to the provision of market data, intermarket
routing and connectivity, and a variety of other member and issuer
services), has posed challenges for the ARP Inspection Program.'' \18\
Informed by its review of recent technology problems in the markets,
the discussions at the Technology Roundtable, and its evaluation of the
ARP Program,\19\ the Commission proposed Regulation SCI in 2013 to help
address the technological vulnerabilities, and improve Commission
oversight, of the core technology of key U.S. securities markets
entities, including national securities exchanges and associations,
significant-volume ATSs, clearing agencies, and plan processors.\20\
After considering the views of a wide variety of commenters, the
Commission adopted Regulation SCI in 2014.\21\ In the SCI Adopting
Release, the Commission stated that it was taking a ``measured
approach'' and pursuing an ``incremental expansion from the entities
covered under the ARP Inspection Program'' given the potential costs of
compliance with Regulation SCI.\22\ It added, however, that this
approach would allow it ``to monitor and evaluate the implementation of
Regulation SCI, the risks posed by the systems of other market
participants, and the continued evolution of the securities markets,
such that it may consider, in the future, extending the types of
requirements in Regulation SCI to additional categories of market
participants, such as non-ATS broker-dealers, security-based swap
dealers, investment advisers, investment companies, transfer agents,
and other key market participants.'' \23\ In 2021, the Commission
amended Regulation SCI to add certain ``competing consolidators'' to
the definition of SCI entity.\24\ Specifically, a competing
consolidator that exceeds a five percent consolidated market data gross
revenue threshold over a specified time period is an SCI competing
consolidator because it is a significant source of consolidated market
data for NMS stocks on which market participants rely.\25\
---------------------------------------------------------------------------
\11\ See generally SCI Adopting Release, supra note 1.
\12\ See SCI Adopting Release, supra note 1, at 72252-56
(discussing the background of Regulation SCI).
\13\ See Securities Exchange Act Release Nos. 27445 (Nov. 16,
1989), 54 FR 48703 (Nov. 24, 1989), and 29185 (May 9, 1991), 56 FR
22490 (May 15, 1991).
\14\ See Securities Exchange Act Release No. 69077 (Mar. 8,
2013), 78 FR 18083, 18089 (Mar. 25, 2013) (``SCI Proposing
Release'') (citing, among other things, Findings Regarding the
Market Events of May 6, 2010, Report of the Staffs of the Commodity
Futures Trading Commission (``CFTC'') and SEC to the Joint Advisory
Committee on Emerging Regulatory Issues (Sept. 30, 2010) (``Staff
Report'') and discussing hackers penetrating certain Nasdaq OMX
Group, Inc. computer networks in 2011, a ``software bug'' that
hampered the initial public offerings of BATS Global Markets, Inc.
in 2012, and issues with Nasdaq's trading systems delaying the start
of trading in the high-profile initial public offering of Facebook,
Inc.).
\15\ See Securities Exchange Act Release No. 67802 (Sept. 7,
2012), 77 FR 56697 (Sept. 13, 2012) (File No. 4-652); Technology
Roundtable Transcript, available at <a href="https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf">https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf</a>. A webcast of the
Roundtable is available at <a href="http://www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml">www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml</a>. The Technology Roundtable examined the relationship
between the operational stability and integrity of the securities
market and the ways in which market participants design, implement,
and manage complex and interconnected trading technologies. The
Technology Roundtable also highlighted that quality standards,
testing, and improved response mechanisms were issues ripe for
consideration. See SCI Proposing Release, supra note 14, at 18090-91
(providing for further discussion of the Technology Roundtable).
\16\ See SCI Proposing Release, supra note 14, at 18091. See
also SCI Adopting Release, supra note 1, at 72254-72255 (summarizing
additional disruptions during the period between publication of the
SCI Proposing and Adopting Releases).
\17\ See supra note 13.
\18\ SCI Proposing Release, supra note 14, at 18089.
\19\ See SCI Proposing Release, supra note 14, at 18085-91 for a
further discussion of these considerations.
\20\ As further explained in the SCI Adopting Release, the term
``plan processor'' means ``any self-regulatory organization or
securities information processor acting as an exclusive processor in
connection with the development, implementation and/or operation of
any facility contemplated by an effective national market system
plan.'' See SCI Adopting Release, supra note 1, at 72270 n. 196.
This term refers to the securities information processors that are
exclusive processors (and frequently referred to as the ``SIPs'')
that collect and process (for distribution) quotation data and/or
transaction reports on behalf of the Consolidated Tape Association
System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''),
Joint Self-Regulatory Organization Plan Governing the Collection,
Consolidation, and Dissemination of Quotation and Transaction
Information for Nasdaq-Listed Securities Traded on Exchanges on an
Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options
Price Reporting Authority (``OPRA Plan''). The CTA Plan and Nasdaq
UTP Plan (applicable to national market system (``NMS'') stocks) are
each a ``transaction reporting plan'' as well as a ``national market
system plan'' as defined in 17 CFR 242.600 (``Rule 600'' of
Regulation NMS). The OPRA Plan (applicable to exchange-listed
options) is a national market system plan. See infra note 212. See
also text accompanying note 212 (discussing these Plans and how
transaction reports containing the price and volume associated with
a transaction involving the purchase or sale of a security are
currently, and anticipated in the future to be, readily available to
enable SCI ATSs and SCI broker-dealers to ascertain the total
average daily dollar volume traded in NMS stock and exchange-listed
options in a calendar month and self-assess if they exceed the
proposed transaction activity thresholds discussed below).
\21\ See generally SCI Adopting Release, supra note 1.
\22\ Id. at 72259.
\23\ Id. See also supra note 10 and accompanying text
(referencing other cybersecurity rules proposed to apply to
Commission registrants).
\24\ See Securities Exchange Act Release No. 90610 (Dec. 9,
2020), 86 FR 18596, 18659-18676 (Apr. 9, 2021) (``Market Data
Infrastructure Adopting Release'') (adopting rules with respect to
competing consolidators and defining ``competing consolidator'' to
mean a securities information processor required to be registered
pursuant to 17 CFR[thinsp]242.614 (``Rule 614'') or a national
securities exchange or national securities association that receives
information with respect to quotations for and transactions in NMS
stocks and generates a consolidated market data product for
dissemination to any person).
\25\ An ``SCI competing consolidator'' is any competing
consolidator, which during at least four of the preceding six
calendar months, accounted for five percent or more of consolidated
market data gross revenue paid to the effective national market
system plan or plans required under 17 CFR 242.603(b) (``Rule
603(b)'') for NMS stocks (1) listed on the New York Stock Exchange,
(2) listed on The Nasdaq Stock Market, or (3) listed on national
securities exchanges other than the New York Stock Exchange or The
Nasdaq Stock Market, as reported by such plan or plans pursuant to
the terms thereof. See Rule 1000. An SCI competing consolidator is
subject to Regulation SCI, and a competing consolidator for which
Regulation SCI does not apply is subject the systems capability
requirement in 17 CFR 242.614(d)(9) (``Rule 614(d)(9)'' of
Regulation NMS). See infra note 28 and accompanying text.
---------------------------------------------------------------------------
B. Current Regulation SCI
1. SCI Entities and SCI Systems
Regulation SCI applies to ``SCI entities.'' \26\ SCI entities are
those that the Commission has determined are market participants that
play a significant role in the U.S. securities markets and/or have the
potential to impact investors, the overall market, or the trading of
individual securities in the event of certain types of systems
problems.\27\ Today SCI entities comprise the self-regulatory
organizations (excluding securities futures exchanges) (``SCI SROs''),
ATSs meeting certain volume thresholds with respect to NMS stocks and
non-NMS stocks (``SCI ATSs''), exclusive disseminators of consolidated
market data (``plan processors''), certain competing disseminators of
consolidated market (``SCI competing consolidators'' \28\), and certain
exempt clearing agencies.\29\
---------------------------------------------------------------------------
\26\ See 17 CFR 242.1000 (defining the term ``SCI entity'' and
terms included therein).
\27\ See SCI Adopting Release, supra note 1, at 72259. Although
some commenters had urged that Regulation SCI apply to fewer
entities and only the most systemically important entities, the
Commission disagreed, stating, ``[L]imiting the applicability of
Regulation SCI to only the most systemically important entities
posing the highest risk to the markets is too limited of a category
of market participants, as it would exclude certain entities that,
in the Commission's view, have the potential to pose significant
risks to the securities markets should an SCI event occur.'' Id.
\28\ See supra notes 24-25 (stating the definitions of competing
consolidator and SCI competing consolidator). SCI competing
consolidators are subject to Regulation SCI after a one-year
transition period. See Market Data Infrastructure Adopting Release,
supra note 24, at 18604. Competing consolidators in the transition
period and competing consolidators below the gross revenue threshold
are subject to a tailored set of operational capability and
resiliency obligations designed to help ensure that the provision of
consolidated market data products is prompt, accurate, and reliable.
See Market Data Infrastructure Adopting Release, supra note 24, at
18690-97 (providing for a full discussion of systems capability
requirements for competing consolidators (that are not subject to
Regulation SCI), but instead subject to Rule 614(d)(9)).
\29\ See 17 CFR 242.1000 (defining the term SCI entity to mean
``an SCI self-regulatory organization, SCI alternative trading
system, plan processor, exempt clearing agency subject to ARP, or
SCI competing consolidator'' and also separately defining each of
these terms). See also SCI Adopting Release, supra note 1, at 72258-
72 (discussing the rationale for inclusion of SCI SROs, SCI ATSs,
plan processors, and certain exempt clearing agencies in the
original adopted definition of SCI entity); infra notes 83-84 and
accompanying text (citing the releases explaining the expansion the
definition of SCI entity to include SCI competing consolidators, and
the recent proposal to further expand the definition of SCI entity
to include certain ATSs that trade U.S. Treasury Securities or
Agency Securities exceeding specified volume thresholds
(``Government Securities ATSs'')).
---------------------------------------------------------------------------
An SCI entity has obligations with respect to its ``SCI systems,''
``critical SCI systems,'' and ``indirect SCI
[[Page 23150]]
systems.'' \30\ ``SCI systems'' are, broadly, the technology systems
of, or operated by or on behalf of, an SCI entity that, with respect to
securities, directly support at least one of six market functions: (i)
trading; (ii) clearance and settlement; (iii) order routing; (iv)
market data; (v) market regulation; or (vi) market surveillance.\31\ In
addition, Regulation SCI defines ``critical SCI systems,'' which are a
subset of SCI systems,\32\ and designated as such because they
represent potential single points of failure in the U.S. securities
markets.\33\
---------------------------------------------------------------------------
\30\ See 17 CFR 242.1000 (defining the terms ``SCI systems,''
``critical SCI systems,'' and ``indirect SCI systems'').
\31\ Id. (defining SCI systems to mean ``all computer, network,
electronic, technical, automated, or similar systems of, or operated
by or on behalf of, an SCI entity that, with respect to securities,
directly support trading, clearance and settlement, routing, market
data, market regulation, or market surveillance'').
\32\ Id. (defining critical SCI systems to mean any SCI systems
of, or operated by or on behalf of, an SCI entity that: (1) Directly
support functionality relating to: (i) Clearance and settlement
systems of clearing agencies; (ii) Openings, reopenings, and
closings on the primary listing market; (iii) Trading halts; (iv)
Initial public offerings; (v) The provision of consolidated market
data; or (vi) Exclusively listed securities; or (2) Provide
functionality to the securities markets for which the availability
of alternatives is significantly limited or nonexistent and without
which there would be a material impact on fair and orderly markets).
\33\ As discussed in the SCI Adopting Release, ``critical SCI
systems'' are subject to certain heightened resilience and
information dissemination provisions of Regulation SCI on the
rationale that, lacking or having limited substitutes, these systems
pose the greatest risks to the continuous and orderly function of
the markets if they malfunction. See SCI Adopting Release, supra
note 1, at 72277-79 (providing additional discussion of critical SCI
systems).
---------------------------------------------------------------------------
The term ``indirect SCI systems'' describes systems of, or operated
by or on behalf of, an SCI entity that, ``if breached, would be
reasonably likely to pose a security threat to SCI systems.'' \34\ The
distinction between SCI systems and indirect SCI systems seeks to
encourage SCI entities physically and/or logically to separate systems
that perform or directly support securities market functions from those
that perform other functions (e.g., corporate email; general office
systems for member regulation and recordkeeping).\35\
---------------------------------------------------------------------------
\34\ Id. at 72279.
\35\ See SCI Adopting Release, supra note 1, at 72281 (``[I]f an
SCI entity designs and implements security controls so that none of
its non-SCI systems would be reasonably likely to pose a security
threat to SCI systems, then it will have no indirect SCI systems.
If, however, an SCI entity does have indirect SCI systems, then
certain provisions of Regulation SCI will apply to those indirect
SCI systems.'').
---------------------------------------------------------------------------
Currently, the application of Regulation SCI is triggered when an
entity meets the definition of SCI entity. If an entity meets the
definition of SCI entity, Regulation SCI applies to its SCI systems and
indirect SCI systems. The scope of an SCI entity's technology systems
is determined by whether they are operated ``by or on behalf of'' the
SCI entity and whether they directly support any of the six market
functions enumerated in the definition. As a result, the SCI systems
and indirect SCI systems of an SCI entity are neither limited by the
type of security nor by the type of business in which an SCI entity
primarily conducts its securities market activities. Thus, if an SCI
entity elects to, or obtains the necessary approvals to, engage in
market functions in multiple types of securities, Regulation SCI's
obligations apply to the relevant functional systems relating to all
such securities.\36\ Accordingly, the SCI systems of an SCI entity may
include systems pertaining to any type of security, whether those
securities are NMS stocks, over-the-counter (OTC) equity securities,
listed options, debt securities, security-based swaps (``SBS''), crypto
asset securities,\37\ or another type of security.\38\
---------------------------------------------------------------------------
\36\ The current definition of ``SCI systems,'' includes the
clause, ``with respect to securities,'' without limitation. SCI
systems ``means all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity that, with respect to securities, directly support
trading, clearance and settlement, order routing, market data,
market regulation, or market surveillance.'' See 17 CFR 242.1000
(emphasis added). But see infra section III.A.2.b.iv (discussing the
proposed limitation to the definition of SCI systems for certain SCI
broker-dealers).
\37\ The term ``digital asset'' refers to an asset that is
issued and/or transferred using distributed ledger or blockchain
technology (``distributed ledger technology''), including, but not
limited to, so-called ``virtual currencies,'' ``coins,'' and
``tokens.'' See Custody of Digital Asset Securities by Special
Purpose Broker-Dealers, Securities Exchange Act Release No. 90788
(Dec. 23, 2020), 86 FR 11627, 11627 n.1 (Feb. 26, 2021) (``Crypto
Asset Securities Custody Release''). A digital asset may or may not
meet the definition of a ``security'' under the Federal securities
laws. See, e.g., Report of Investigation Pursuant to Section 21(a)
of the Securities Exchange Act of 1934: The DAO, Securities Exchange
Act Release No. 81207 (July 25, 2017) (``DAO 21(a) Report''),
available at <a href="https://www.sec.gov/litigation/investreport/34-81207.pdf">https://www.sec.gov/litigation/investreport/34-81207.pdf</a>. See also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). To
the extent digital assets rely on cryptographic protocols, these
types of assets also are commonly referred to as ``crypto assets,''
and ``digital asset securities'' can be referred to as ``crypto
asset securities.'' For purposes of this release, the Commission
does not distinguish between the terms ``digital asset securities''
and ``crypto asset securities.''
\38\ Today, under the current definition of SCI systems, an SCI
entity (current or future) that engages in market functions for any
type of securities, including crypto asset securities, is required
to assess whether the technological systems of, or operated by or on
its behalf, with respect to securities, directly support at least
one of six market functions: (i) trading; (ii) clearance and
settlement; (iii) order routing; (iv) market data; (v) market
regulation; or (vi) market surveillance. As discussed below,
however, the Commission is proposing an amendment to the definition
of SCI systems that would limit its scope solely for certain
proposed SCI broker-dealers. See infra section III.A.2.b.iv.
---------------------------------------------------------------------------
2. Reasonably Designed Policies and Procedures
The foundational principles of Regulation SCI are set forth in Rule
1001, which requires each SCI entity to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its SCI systems and, for purposes of security standards, indirect
SCI systems, have levels of capacity, integrity, resiliency,
availability, and security adequate to maintain their operational
capability and promote the maintenance of fair and orderly markets.\39\
Rule 1001(a)(2) of Regulation SCI requires that, at a minimum, such
policies and procedures include: current and future capacity planning;
periodic stress testing; systems development and testing methodology;
reviews and testing to identify vulnerabilities; business continuity
and disaster recovery planning (inclusive of backup systems that are
geographically diverse and designed to meet specified recovery time
objectives); standards for market data collection, processing, and
dissemination; and monitoring to identify potential systems
problems.\40\ Under 17 CFR 242.1001(a)(3) (``Rule 1001(a)(3)'' of
Regulation SCI), SCI entities must periodically review the
effectiveness of these policies and procedures and take prompt action
to remedy any deficiencies.\41\ Rule 1001(a)(4) of Regulation SCI
provides that an SCI entity's policies and procedures will be deemed to
be reasonably designed if they are consistent with ``current SCI
industry standards,'' which is defined to be comprised of information
technology practices that are widely available to information
technology professionals in the financial sector and issued by an
authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely
recognized organization; however, Rule 1001(a)(4) of Regulation SCI
also makes clear that compliance with such ``current SCI industry
standards'' is not the exclusive means to comply with these
requirements.\42\
---------------------------------------------------------------------------
\39\ See 17 CFR 242.1001(a)(1).
\40\ See 17 CFR 242.1001(a)(2).
\41\ See 17 CFR 242.1001(a)(3).
\42\ See 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------
Under 17 CFR 242.1001(b)(1) (``Rule 1001(b)(1)'' of Regulation
SCI), each SCI entity is required to establish, maintain,
[[Page 23151]]
and enforce written policies and procedures reasonably designed to
ensure that its SCI systems operate in a manner that complies with the
Exchange Act and the rules and regulations thereunder and the entity's
rules and governing documents, as applicable, and specifies certain
minimum requirements for such policies and procedures.\43\ In addition,
17 CFR 242.1001(b)(2) (``Rule 1001(b)(2)'') requires that at a minimum,
these policies and procedures must include: testing of all SCI systems
and any changes to SCI systems prior to implementation; a system of
internal controls over changes to SCI systems; a plan for assessments
of the functionality of SCI systems designed to detect systems
compliance issues, including by ``responsible SCI personnel'' (defined
below) and by personnel familiar with applicable provisions of the
Exchange Act and the rules and regulations thereunder and the SCI
entity's rules and governing documents; and a plan of coordination and
communication between regulatory and other personnel of the SCI entity,
including by responsible SCI personnel, regarding SCI systems design,
changes, testing, and controls designed to detect and prevent systems
compliance issues.\44\
---------------------------------------------------------------------------
\43\ See 17 CFR 242.1001(b)(1).
\44\ See 17 CFR 242.1001(b)(2).
---------------------------------------------------------------------------
Under 17 CFR 242.1001(b)(3) (``Rule 1001(b)(3)'' of Regulation
SCI), SCI entities must periodically review the effectiveness of these
policies and procedures and take prompt action to remedy any
deficiencies.\45\ Under 17 CFR 242.1001(b)(4) (``Rule 1001(b)(4)'' of
Regulation SCI), individuals are provided with a safe harbor from
liability under Rule 1001(b) if certain conditions are met.\46\
---------------------------------------------------------------------------
\45\ See 17 CFR 242.1001(b)(3).
\46\ See 17 CFR 242.1001(b)(4).
---------------------------------------------------------------------------
Further, 17 CFR 242.1001(c) (``Rule 1001(c)'' of Regulation SCI),
requires SCI entities to establish, maintain, and enforce reasonably
designed written policies and procedures that include the criteria for
identifying responsible SCI personnel, the designation and
documentation of responsible SCI personnel, and escalation procedures
to quickly inform responsible SCI personnel of potential SCI
events.\47\ Rule 1000 of Regulation SCI defines ``responsible SCI
personnel'' to mean, for a particular SCI system or indirect SCI system
impacted by an SCI event, such senior manager(s) of the SCI entity
having responsibility for such system, and their designee(s).\48\ Rule
1000 also defines ``SCI event'' to mean an event at an SCI entity that
constitutes a systems disruption, a systems compliance issue, or a
systems intrusion.\49\ Under 17 CFR 242.1001(c)(2) (``Rule 1001(c)(2)''
of Regulation SCI), SCI entities are required periodically to review
the effectiveness of these policies and procedures and take prompt
action to remedy any deficiencies.\50\
---------------------------------------------------------------------------
\47\ See 17 CFR 242.1001(c).
\48\ 17 CFR 242.1000.
\49\ Id.
\50\ See 17 CFR 242.1001(c)(2).
---------------------------------------------------------------------------
3. SCI Events
Under Rule 1002 of Regulation SCI, SCI entities have certain
obligations regarding SCI events. An ``SCI event'' is defined as: (i) a
``systems disruption,'' which is an event in an SCI entity's SCI
systems that disrupts, or significantly degrades, the normal operation
of an SCI system; and/or (ii) a ``systems intrusion,'' which is any
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity; and/or (iii) a ``systems compliance issue,'' which is an
event at an SCI entity that has caused any SCI system of such entity to
operate in a manner that does not comply with the Exchange Act and the
rules and regulations thereunder or the entity's rules or governing
documents, as applicable.\51\
---------------------------------------------------------------------------
\51\ See 17 CFR 242.1000.
---------------------------------------------------------------------------
When any responsible SCI personnel has a reasonable basis to
conclude that an SCI event has occurred, the SCI entity must begin to
take appropriate corrective action which must include, at a minimum,
mitigating potential harm to investors and market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable.\52\ With limited
exceptions,\53\ Rule 1002(b) provides the framework for notifying the
Commission of SCI events including, among other things, requirements
to: notify the Commission of the event immediately; provide a written
notification on Form SCI within 24 hours that includes a description of
the SCI event and the system(s) affected, with other information
required to the extent available at the time; provide regular updates
regarding the SCI event until the event is resolved; and submit a final
detailed written report regarding the SCI event.\54\
---------------------------------------------------------------------------
\52\ See 17 CFR 242.1002(a).
\53\ See 17 CFR 242.1002(b)(5) (relating to the exception for de
minimis SCI events).
\54\ See 17 CFR 242.1002(b).
---------------------------------------------------------------------------
Rule 1002(c) of Regulation SCI also requires that SCI entities
disseminate information to their members or participants regarding SCI
events.\55\ These information dissemination requirements are scaled
based on the nature and severity of an event. SCI entities are required
to disseminate certain information about the event to certain of its
members or participants (i.e., those that are reasonably estimated to
have been affected) promptly after any responsible SCI personnel has a
reasonable basis to conclude that an SCI event has occurred. For
``major SCI events,'' such dissemination must be made to all of its
members or participants. In addition, dissemination of information to
members or participants is permitted to be delayed for systems
intrusions if such dissemination would likely compromise the security
of the SCI entity's systems or an investigation of the intrusion.\56\
In addition, 17 CFR 242.1002(c)(4) (``Rule 1002(c)(4)'' of Regulation
SCI) provides exceptions to the dissemination requirements under Rule
1002(c) of Regulation SCI for SCI events to the extent they relate to
market regulation or market surveillance systems or SCI events that
have had, or the SCI entity reasonably estimates would have, either a
de minimis or no impact on the SCI entity's operations or on market
participants.\57\
---------------------------------------------------------------------------
\55\ See 17 CFR 242.1002(c).
\56\ See id. The rule also requires that the SCI entity document
its reasons for delayed notification. Id.
\57\ See 17 CFR 242.1002(c)(4).
---------------------------------------------------------------------------
4. Systems Changes and SCI Review
Under 17 CFR 242.1003(a) (``Rule 1003(a)'' of Regulation SCI), SCI
entities are required to provide reports to the Commission relating to
system changes, including a report each quarter describing completed,
ongoing, and planned material changes to their SCI systems and the
security of indirect SCI systems, during the prior, current, and
subsequent calendar quarters, including the dates or expected dates of
commencement and completion.\58\ Rule 1003(b) of Regulation SCI also
requires that an SCI entity conduct an ``SCI review'' not less than
once each calendar year.\59\ ``SCI review'' is defined in Rule 1000 of
Regulation SCI to mean a review, following established procedures and
standards, that is performed by objective personnel having appropriate
experience to conduct reviews of SCI systems and indirect SCI systems,
and which review contains: a risk assessment with respect to such
systems of an SCI entity; and an assessment of internal control design
and effectiveness of its SCI systems and indirect SCI systems to
include logical and physical security controls,
[[Page 23152]]
development processes, and information technology governance,
consistent with industry standards.\60\ Under Rule 1003(b)(2) and (3),
SCI entities are also required to submit a report of the SCI review to
their senior management, and must also submit the report and any
response by senior management to the report, to their board of
directors, as well as to the Commission.\61\
---------------------------------------------------------------------------
\58\ See 17 CFR 242.1003(a).
\59\ See 17 CFR 242.1003(b).
\60\ See 17 CFR 242.1000. Rule 1003(b)(1) of Regulation SCI also
states that penetration test reviews of an SCI entity's network,
firewalls, and production systems must be conducted at a frequency
of not less than once every three years, and assessments of SCI
systems directly supporting market regulation or market surveillance
must be conducted at a frequency based upon the risk assessment
conducted as part of the SCI review, but in no case less than once
every three years. See 17 CFR 242.1003(b)(1)(i) and (ii) (``Rule
1003(b)(1)(i) and (ii)'').
\61\ See 17 CFR 242.1003(b)(2) and (3).
---------------------------------------------------------------------------
5. Business Continuity and Disaster Recovery Testing With Members/
Participants
Rule 1004 of Regulation SCI sets forth certain requirements for
testing an SCI entity's business continuity and disaster recovery plans
with its members or participants. This rule requires that, with respect
to an SCI entity's business continuity and disaster recovery plan,
including its backup systems, each SCI entity shall: (a) establish
standards for the designation of those members or participants that the
SCI entity reasonably determines are, taken as a whole, the minimum
necessary for the maintenance of fair and orderly markets in the event
of the activation of such plans; (b) designate members or participants
pursuant to the standards established and require participation by such
designated members or participants in scheduled functional and
performance testing of the operation of such plans, in the manner and
frequency specified by the SCI entity, provided that such frequency
shall not be less than once every 12 months; and (c) coordinate the
testing of such plans on an industry- or sector-wide basis with other
SCI entities.\62\
---------------------------------------------------------------------------
\62\ See 17 CFR 242.1004.
---------------------------------------------------------------------------
6. Recordkeeping and Other Provisions (Rules 1005-1007)
SCI entities are required by Rule 1005 of Regulation SCI to make,
keep, and preserve certain records related to their compliance with
Regulation SCI.\63\ In addition, 17 CFR 242.1006 (``Rule 1006'' of
Regulation SCI), provides for certain requirements relating to the
electronic filing, on Form SCI, of any notification, review,
description, analysis, or report to the Commission required to be
submitted under Regulation SCI.\64\ Finally, 17 CFR 242.1007 (``Rule
1007'' of Regulation SCI) requires a written undertaking when records
required to be filed or kept by an SCI entity under Regulation SCI are
prepared or maintained by a service bureau or other recordkeeping
service on behalf of the SCI entity.\65\
---------------------------------------------------------------------------
\63\ See 17 CFR 242.1005. Unlike 17 CFR 242.1005(a) (``Rule
1005(a)'') of Regulation SCI, which relates to recordkeeping
provisions for SCI SROs, 17 CFR 242.1005(b) (``Rule 1005(b)'')
relates to the recordkeeping provision for SCI entities other than
SCI SROs.
\64\ See 17 CFR 242.1006.
\65\ See 17 CFR 242.1007.
---------------------------------------------------------------------------
C. Overview of Proposed Amendments to Regulation SCI
The Commission is proposing amendments to Regulation SCI that would
expand the definition of ``SCI entity'' to include a broader range of
key market participants in the U.S. securities market infrastructure
and update certain provisions of Regulation SCI to take account of
developments in the technology landscape of the markets and the
Commission and its staff's oversight experience since the adoption of
Regulation SCI in 2014. As discussed in section III.A, the Commission
is proposing to expand the definition of SCI entity to include
registered SBSDRs, registered broker-dealers exceeding a size threshold
(``SCI broker-dealers''), and additional clearing agencies exempt from
registration.\66\ As discussed in section III.C, the Commission is also
proposing to update several requirements of Regulation SCI to
acknowledge certain technology changes in the market, including
cybersecurity and third-party provider management challenges since the
adoption of Regulation SCI in 2014, and to account for the experience
and insights the Commission and its staff have gained with respect to
technology issues surrounding SCI entities and their systems. These
include:
---------------------------------------------------------------------------
\66\ See infra section III.A.2.a. through c. (providing a
detailed discussion of each of these categories of entities and
associated proposed definitions).
---------------------------------------------------------------------------
<bullet> Amendments to Rule 1001(a) to require that an SCI entity's
policies and procedures for SCI systems, critical SCI systems, and
indirect SCI systems, address with specificity:
[cir] Systems classification and life cycle management; \67\
---------------------------------------------------------------------------
\67\ See infra section III.C.1.
---------------------------------------------------------------------------
[cir] Management of third-party providers, including cloud service
providers and providers of critical SCI systems; \68\
---------------------------------------------------------------------------
\68\ See infra section III.C.2.
---------------------------------------------------------------------------
[cir] Access controls; \69\ and
---------------------------------------------------------------------------
\69\ See infra section III.C.3.a.
---------------------------------------------------------------------------
[cir] Identification of current SCI industry standards, if any;
\70\
---------------------------------------------------------------------------
\70\ See infra section III.C.5.c.
---------------------------------------------------------------------------
<bullet> Expansion of the definition of ``systems intrusion'' in
Rule 1000 to include a wider range of cybersecurity events; \71\
---------------------------------------------------------------------------
\71\ See infra section III.C.3.c.
---------------------------------------------------------------------------
<bullet> Amendments to Rule 1002 regarding notice of systems
intrusions to the Commission and affected persons; \72\
---------------------------------------------------------------------------
\72\ See infra section III.C.3.c.
---------------------------------------------------------------------------
<bullet> Amendments to the definition of ``SCI review'' and Rule
1003(b) to specify in greater detail the contents of the SCI review and
associated report, and to require annual penetration testing; \73\
---------------------------------------------------------------------------
\73\ See infra sections III.C.3.b and III.C.4.
---------------------------------------------------------------------------
<bullet> Amendments to Rule 1004 to require that SCI entities
designate key third-party providers for participation in annual
business continuity/disaster recovery testing; \74\
---------------------------------------------------------------------------
\74\ See infra section III.C.2.d.
---------------------------------------------------------------------------
<bullet> Amendments to Rule 1001(a)(4) to address how an SCI entity
may avail itself of the safe harbor provision; \75\
---------------------------------------------------------------------------
\75\ See infra section III.C.5.
---------------------------------------------------------------------------
<bullet> Amendments to Rule 1005 to address the maintenance of
records by a former SCI entity; and
<bullet> Changes to Form SCI consistent with the proposed
changes.\76\
---------------------------------------------------------------------------
\76\ See infra section III.C.6.
---------------------------------------------------------------------------
The amendments to Regulation SCI are proposed independently of the
proposals discussed in the Exchange Act Cybersecurity Proposal and
Regulation S-P 2023 Proposing Release. However, the relationship of all
three proposals, as each may apply to an SCI entity, is discussed in
section III.D.
III. Proposed Amendments to Regulation SCI
A. Definition of SCI Entity
1. Evolution: Current and Proposed SCI Entities
Currently, SCI entities are the SCI SROs, SCI ATSs, plan
processors, certain exempt clearing agencies, and, as of 2020, SCI
competing consolidators.\77\ In 2013, the Commission proposed to
include other entities: specifically, ATSs trading corporate debt or
municipal securities (hereafter, ``Fixed Income ATSs'') exceeding
specified volume thresholds.\78\ The Commission did not include any
Fixed Income ATSs as SCI entities at adoption in 2014, however, based
on consideration of comments regarding the risk profile of Fixed
[[Page 23153]]
Income ATSs at that time.\79\ In 2013, the Commission also solicited
comment on the inclusion of several other types of entities, including
SBSDRs and broker-dealers (beyond SCI ATSs).\80\ At adoption in 2014,
comments regarding these and other entities were summarized, with
specific proposals deferred for possible future consideration.\81\ In
sum, the Commission stated in 2014 that it was neither limiting the
applicability of Regulation SCI to only the most systemically important
entities as urged by some commenters, nor taking a broad approach at
the outset, but rather that it was taking a ``measured'' approach in
establishing the initial scope of SCI entities.\82\ Since the initial
adoption of Regulation SCI, the Commission has considered expansion of
the definition of SCI entity several times: first to propose and adopt
certain competing consolidators as SCI entities,\83\ and more recently
to propose and repropose adding ATSs that trade U.S. Treasury
Securities or Agency Securities exceeding specified volume thresholds
(``Government Securities ATSs'') as SCI entities.\84\
---------------------------------------------------------------------------
\77\ See supra notes 27-29 and accompanying text; infra note 83
and accompanying text.
\78\ See SCI Proposing Release, supra note 14, at 18097.
\79\ See SCI Adopting Release, supra note 1, at 72270, 72409
(discussing determination not to apply Regulation SCI to ATSs
trading only corporate debt and municipal securities at that time).
\80\ See SCI Proposing Release, supra note 14, at 18133-41. The
Commission also solicited comment on the inclusion of security-based
swap execution facilities (``SB SEFs''), which entities are now the
subject of another proposal. See Rules Relating to Security-Based
Swap Execution and Registration and Regulation of Security-Based
Swap Execution Facilities, Release No. 94615 (Apr. 6, 2022), 87 FR
28872 (May 11, 2022) (proposing that SB SEFs be subject to 17 CFR
242.800 through 242.835 (``Regulation SE'') which includes
operational capability requirements closely modeled on a detailed
CFTC rule for SEFs (17 CFR 37.1401)). SB SEFs are not further
discussed herein.
\81\ See SCI Adopting Release, supra note 1, at 72364-66
(contemplating possible future proposals).
\82\ See SCI Adopting Release, supra note 1, at 72259 (stating
that this measured approach would enable the Commission to ``monitor
and evaluate the implementation of Regulation SCI, the risks posed
by the systems of other market participants, and the continued
evolution of the securities markets, such that it may consider, in
the future, extending the types of requirements in Regulation SCI to
additional categories of [key] market participants . . . .'').
\83\ See Market Data Infrastructure Adopting Release, supra note
24, at 18659-18676.
\84\ See Securities Exchange Act Release Nos. 90019 (Sept. 28,
2020), 85 FR 87106 (Dec. 31, 2020) (``Government Securities ATS
Proposing Release''); 94062 (Jan. 26, 2022), 87 FR 15496 (Mar. 18,
2022) (``Government Securities ATS Reproposal'') (among other
things, citing operational similarities between Government
Securities ATSs and NMS stock ATSs). In the Government Securities
ATS Reproposal, the Commission proposed amendments to 17 CFR 240.3b-
16(a) (``Rule 3b-16(a)'' of the Exchange Act), which defines certain
terms used in the statutory definition of ``exchange'' under section
3(a)(1) of the Exchange Act, to include systems that offer the use
of non-firm trading interest and provide communication protocols to
bring together buyers and sellers of securities. Trading systems
that may fall within the criteria of proposed 17 CFR 240.3b-16
(``Rule 3b-16''), as proposed to be amended, would likely operate as
ATSs, and possibly SCI ATSs. Because the proposed amendments to Rule
3b-16(a) could result in a greater number of ATSs, and the
amendments proposed to expand and update SCI could impact newly
designated ATSs, commenters are encouraged to review both the
Government Securities ATS Reproposal and this proposal to determine
whether it might affect their comments on this proposal, as well as
their responses to the Commission's request for comment on
application of Regulation SCI to Fixed Income ATS contained herein.
---------------------------------------------------------------------------
The Commission now proposes a further expansion of the definition
of SCI entity to include SBSDRs, certain registered broker-dealers
(i.e., SCI broker-dealers), and additional clearing agencies exempted
from registration. The Commission also solicits comment on whether, in
light of technological changes in the fixed income markets in recent
years, Fixed Income ATSs should again be proposed to be subject to
Regulation SCI, rather than 17 CFR 240.301(b)(6) (``Rule 301(b)(6)'' of
Regulation ATS), and also whether and how broker-dealers trading
corporate debt and municipal securities should be considered.\85\
---------------------------------------------------------------------------
\85\ Currently, Rule 301(b)(6) of Regulation ATS applies to
Fixed Income ATSs exceeding a volume threshold. Under Rule
301(b)(6), an ATS that trades only municipal securities or corporate
debt at a threshold of 20% or more of the average daily volume
traded in the United States, during at least four of the preceding
six calendar months, is required to comply with capacity, integrity,
and security requirements with respect to those systems that support
order entry, order routing, order execution, transaction reporting,
and trade comparison. See 17 CFR 242.301(b)(6). As discussed further
below, the amendments proposed in this release do not include
amendments to modify the numerical volume thresholds or to otherwise
modify Rule 301(b)(6) of Regulation ATS, or move systems
requirements for Fixed Income ATSs from Regulation ATS to Regulation
SCI. The Commission does, however, request comment on the state of
electronic trading and automation in the corporate debt and
municipal securities markets, as well as the risks associated with
entities with significant activity in these markets. See infra
section III.B.
---------------------------------------------------------------------------
2. New Proposed SCI Entities
When it adopted Regulation SCI, the Commission acknowledged that
there may be other categories of entities not included in the
definition of SCI entity that, given their increasing size and
importance, could pose risks to the market should an SCI event occur,
but decided to include only certain key market participants at that
time.\86\ The Commission proposes to expand the definition of SCI
entity to include SBSDRs, certain types of broker-dealers, and
additional clearing agencies exempted from registration as additional
key market participants that would also have to comply with Regulation
SCI because they play a significant role in the U.S. securities markets
and/or have the potential to impact investors, the overall market, or
the trading of individual securities in the event of a systems issue.
If this amendment is adopted, these new SCI entities would become
subject to all provisions of Regulation SCI, including the provisions
proposed to be amended as discussed in section III.C of this release.
---------------------------------------------------------------------------
\86\ See SCI Adopting Release, supra note 1, at 72259. See also
supra note 82 and accompanying text.
---------------------------------------------------------------------------
a. Registered Security-Based Swap Data Repositories (SBSDRs)
The Commission proposes to expand the application of Regulation SCI
to SBSDRs. As registered securities information processors that
disseminate market data and provide price transparency in the SBS
market, and centralized trade repositories for SBS data for use by
regulators, SBSDRs play a key role in the SBS market.\87\
---------------------------------------------------------------------------
\87\ Rule 1000 would define the term registered security-based
swap data repository to mean ``a security-based swap data
repository, as defined in 15 U.S.C. 78c(a)(75), and that is
registered with the Commission pursuant to 15 U.S.C. 78m(n) and
Sec. 240.13n-1,'' with a proviso that compliance with Regulation
SCI would not be required until six months after the entity's
registration is effective. See proposed Rule 1000.
---------------------------------------------------------------------------
As noted, the Commission solicited comment on the inclusion of
SBSDRs as SCI entities when it first proposed Regulation SCI in
2013.\88\ At that time, the Commission anticipated that SBSDRs would
``play an important role in limiting systemic risk and promoting the
stability of the SBS market [and] also would serve as information
disseminators in a manner similar to plan processors in the equities
and options markets.'' \89\ But it also acknowledged that there may be
differences between the equities and options markets and the SBS
market, ``including differing levels of automation and stages of
regulatory development.'' \90\
---------------------------------------------------------------------------
\88\ See supra text accompanying note 80.
\89\ SCI Proposing Release, supra note 14, at 18135 (citation
omitted).
\90\ Id.
---------------------------------------------------------------------------
Comments received on the inclusion of SBSDRs as SCI entities in the
SCI Proposing Release were limited. One commenter stated that ``the
similarities between certain SCI entities and SB SDRs . . . do not
provide a clear justification for a different set of rules.'' \91\
Another commenter stated that SBSDRs should have standards that are
consistent with, but not identical to, those of SCI entities because
the
[[Page 23154]]
functions that SBSDRs perform are significantly different from those
performed by SCI entities.\92\ Other commenters, however, felt the
practical differences between options and equities and derivatives
called for some form of harmonization of rules, but not direct
application of Regulation SCI to these entities.\93\ The Commission
deferred and stated in the SCI Adopting Release that, ``should [it]
decide to propose to apply the requirements of Regulation SCI to SB
SDRs [it] would issue a separate release discussing such a proposal.''
\94\ Taking into account the role of SBSDRs in the SBS market, their
reliance on technology to perform their functions, and the current
state of regulatory development in the SBS market, the Commission is
doing so now.
---------------------------------------------------------------------------
\91\ SCI Adopting Release, supra note 1, at 72364.
\92\ See id.
\93\ See id.
\94\ SCI Adopting Release, supra note 1, at 72364; SCI Proposing
Release, supra note 14, at 18134.
---------------------------------------------------------------------------
i. Role of SBSDRs and Associated Risks
Title VII of the Dodd-Frank Act, enacted in 2010, provided for a
comprehensive, new regulatory framework for swaps and security-based
swaps, including regulatory reporting and public dissemination of
transactions in security-based swaps.\95\ In 2015, the Commission
established a regulatory framework for SBSDRs to provide improved
transparency to regulators and help facilitate price discovery and
efficiency in the SBS market.\96\ Under this framework, SBSDRs are
registered securities information processors and disseminators of
market data in the SBS market,\97\ thereby serving Title VII's goal of
having public dissemination of price information for all security-based
swaps, to enhance price discovery for market participants.\98\ Like
FINRA's Trade Reporting and Compliance Engine (``TRACE'') and the
MSRB's Electronic Municipal Market Access (``EMMA''),\99\ SBSDRs serve
an important function for market participants because they disseminate
market data, thereby providing price transparency in the SBS
market.\100\ Just as TRACE and EMMA provide price transparency to
market participants and regulatory information to regulators, SBSDRs
are designed to meet two purposes as mandated by Title VII of the Dodd-
Frank Act: (1) to provide SBS data and information to regulators to
surveil the markets and assess for market risks; and (2) to enhance
price discovery to market participants.\101\ As discussed in detail
below, given that SBSDRs rely on automated systems and are designed to
limit systemic risk and promote the stability of the markets they
serve, the Commission believes that including SBSDRs in the definition
of SCI entities would better ensure that SBSDR systems are robust,
resilient, and secure. Additionally, this approach is reasonable and
consistent as other entities that play a key price transparency role in
their respective markets, such as plan processors, SCI competing
consolidators, FINRA and the MSRB, are SCI entities, and their systems
that directly support market data, among other functions, are currently
SCI systems.\102\
---------------------------------------------------------------------------
\95\ Public Law 111-203, section 761(a) (adding Exchange Act
section 3(a)(75) (defining SBSDR)) and section 763(i) (adding
Exchange Act section 13(n) (establishing a regulatory regime for
SBSDRs)).
\96\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Securities Exchange Act Release No.
74246 (Feb. 11, 2015), 80 FR 14438, 14441 (Mar. 19, 2015) (``SBSDR
Adopting Release''); Regulation SBSR--Reporting and Dissemination of
Security-Based Swap Information, Securities Exchange Act Release No.
74244 (Feb. 11, 2015), 80 FR 14563 (Mar. 19, 2015) (``SBSR Adopting
Release'').
\97\ See 17 CFR 242.909 (``A registered security-based swap data
repository shall also register with the Commission as a securities
information processor on Form SDR.''); see also Form SDR (``With
respect to an applicant for registration as a security-based swap
data repository, Form SDR also constitutes an application for
registration as a securities information processor.'').
\98\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
\99\ FINRA members are subject to transaction reporting
obligations under FINRA Rule 6730, while municipal securities
dealers are subject to transaction reporting obligations under MSRB
Rule G-14. See FINRA Rule 6730(a)(1) (requiring FINRA members to
report transactions in TRACE-Eligible Securities, which FINRA Rule
6710 defines to include a range of fixed-income securities). See
also MRSB Rule G-14 (requiring transaction reporting by municipal
bond dealers). EMMA, established by the MSRB in 2009, serves as the
official repository of municipal securities disclosure providing the
public with free access to relevant municipal securities data, and
is the central database for information about municipal securities
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time
Transaction Reporting System (``RTRS''), with limited exceptions,
requires municipal bond dealers to submit transaction data to the
MSRB within 15 minutes of trade execution, and such near real-time
post-trade transaction data can be accessed through the MSRB's EMMA
website.
\100\ See Committee on Payment and Settlement Systems and
Technical Committee of the International Organization of Securities
Commissions, Principles for financial market infrastructures, at
1.14, Box 1 (Apr. 16, 2012) (``PFMI''), available at <a href="https://www.bis.org/publ/cpss101a.pdf">https://www.bis.org/publ/cpss101a.pdf</a> (stating that ``[a] TR [trade
repository] may serve a number of stakeholders that depend on having
effective access to TR services, both to submit and retrieve data.
In addition to relevant authorities and the public, other
stakeholders can include exchanges, electronic trading venues,
confirmation or matching platforms, and third-party service
providers that use TR data to offer complementary services.'').
\101\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
\102\ See SBSDR Adopting Release, supra note 96.
---------------------------------------------------------------------------
As centralized repositories for SBS data for use by regulators,
SBSDRs provide important infrastructure that assists relevant
authorities in performing their market oversight.\103\ Data maintained
by SBSDRs may assist regulators in preventing market abuses, performing
supervision, and resolving issues and positions if an institution
fails.\104\ SBSDRs are required to collect and maintain accurate SBS
transaction data so that relevant authorities can access and analyze
the data from secure, central locations, thereby putting the regulators
in a better position to monitor for potential market abuse and risks to
financial stability.\105\ SBSDRs also have the potential to reduce
operational risk and enhance operational efficiency, such as by
maintaining transaction records that would help counterparties to
ensure that their records reconcile on all of the key economic
details.\106\
---------------------------------------------------------------------------
\103\ See generally PFMI, supra note 100, at 1.14 (stating that
``[b]y centralising the collection, storage, and dissemination of
data, a well-designed TR that operates with effective risk controls
can serve an important role in enhancing the transparency of
transaction information to relevant authorities and the public,
promoting financial stability, and supporting the detection and
prevention of market abuse.'').
\104\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov.
19, 2010), 75 FR 77306, 77307 (Dec. 10, 2010), corrected at 75 FR
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR
Proposing Release'').
\105\ See SBSDR Adopting Release, supra note 96, at 14440
(stating that ``SDRs are required to collect and maintain accurate
SBS transaction data so that relevant authorities can access and
analyze the data from secure, central locations, thereby putting
them in a better position to monitor for potential market abuse and
risks to financial stability.'').
\106\ See SBSDR Proposing Release, supra note 104, at 77307
(stating that ``[t]he enhanced transparency provided by an SDR is
important to help regulators and others monitor the build-up and
concentration of risk exposures in the SBS market . . . . In
addition, SDRs have the potential to reduce operational risk and
enhance operational efficiency in the SBS market.'').
---------------------------------------------------------------------------
Furthermore, SBSDRs themselves are subject to certain operational
risks that may impede the ability of SBSDRs to meet the goals set out
in Title VII of the Dodd-Frank Act and the Commission's rules.\107\ For
instance, the links established between an SBSDR and other entities,
including unaffiliated clearing agencies and other SBSDRs, may expose
the SBSDR to vulnerabilities outside of its direct control.\108\
Without appropriate
[[Page 23155]]
safeguards in place for the systems of SBSDRs, their vulnerabilities
could lead to significant failures, disruptions, delays, and
intrusions, which could disrupt price transparency and oversight of the
SBS market. For instance, an SBSDR processes and disseminates trade
data using electronic systems, and if these systems fail, public access
to timely and reliable trade data for the derivatives markets could
potentially be compromised.\109\ Also, if the data stored at an SBSDR
is corrupted, the SBSDR would not be able to provide accurate data to
relevant regulatory authorities, which could hinder the oversight of
the derivatives markets. Moreover, because SBSDRs receive and maintain
proprietary and sensitive information (e.g., trading data, non-public
personal information), it is essential that their systems be capable of
ensuring the security and integrity of this data.
---------------------------------------------------------------------------
\107\ See SBSDR Adopting Release, supra note 96 at 14450 (``SDRs
themselves are subject to certain operational risks that may impede
the ability of SDRs to meet these goals, and the Title VII
regulatory framework is intended to address these risks.'').
\108\ See PFMI, supra note 100, at 3.20.20 (stating that ``A TR
should carefully assess the additional operational risks related to
its links to ensure the scalability and reliability of IT
[information technology] and related resources. A TR can establish
links with another TR or with another type of FMI. Such links may
expose the linked FMIs to additional risks if not properly designed.
Besides legal risks, a link to either another TR or to another type
of FMI may involve the potential spillover of operational risk. The
mitigation of operational risk is particularly important because the
information maintained by a TR can support bilateral netting and be
used to provide services directly to market participants, service
providers (for example, portfolio compression service providers),
and other linked FMIs.'').
\109\ See PFMI, supra note 100, at 1.14, Box 1 (stating that
``[t]he primary public policy benefits of a TR, which stem from the
centralisation and quality of the data that a TR maintains, are
improved market transparency and the provision of this data to
relevant authorities and the public in line with their respective
information needs. Timely and reliable access to data stored in a TR
has the potential to improve significantly the ability of relevant
authorities and the public to identify and evaluate the potential
risks posed to the broader financial system.'').
---------------------------------------------------------------------------
Along with the reliance of SBSDRs on automated systems to perform
their functions, regulatory development of the SBS market has proceeded
significantly since 2015. In particular, security-based swap dealers
have registered with the Commission,\110\ SBSDRs have registered with
the Commission,\111\ security-based swap execution facilities
(``SBSEF'') registration has been proposed,\112\ and straight-through
processing has increased in the market.\113\ On November 8, 2021, SBS
data began being reported to SBSDRs, which in turn began disseminating
such data to the Commission and the public.\114\ In light of the
important role of SBSDRs in the markets for security-based swaps, their
level of automation, and the regulatory development of the SBS market
in recent years, the Commission believes it is timely to propose
enhanced requirements for registered SBSDRs with respect to their
technology systems that are central to the performance of their
regulated activities.
---------------------------------------------------------------------------
\110\ See List of Security-Based Swap Dealers and Major
Security-Based Swap Participants, Commission (last updated Jan. 4,
2023), available at: <a href="https://www.sec.gov/files/list_of_sbsds_msbsps_1_4_2023locked_final.xlsx">https://www.sec.gov/files/list_of_sbsds_msbsps_1_4_2023locked_final.xlsx</a>.
\111\ The Commission approved the registration of two SBSDRs in
2021. See Security-Based Swap Data Repositories, DTCC Data
Repository (U.S.), LLC, Order Approving Application for Registration
as a Security-Based Swap Data Repository, Securities Exchange Act
Release No. 91798 (May 7, 2021), 86 FR 26115 (May 12, 2021);
Security-Based Swap Data Repositories, ICE Trade Vault, LLC, Order
Approving Application for Registration as a Security-Based Swap Data
Repository, Securities Exchange Act Release No. 92189 (Jun. 16,
2021), 86 FR 32703 (Jun. 22, 2021).
\112\ See Rules Relating to Security-Based Swap Execution and
Registration and Regulation of Security-Based Swap Execution
Facilities, Securities Exchange Act Release No. 94615 (Apr. 6,
2022), 87 FR 28872 (May 11, 2022).
\113\ See, e.g., Security-Based Swap Data Repositories, DTCC
Data Repository (U.S.), LLC, Notice of Filing of Application for
Registration as a Security-Based Swap Data Repository, Securities
Exchange Act Release No. 91071 (Feb. 5, 2021), 86 FR 8977 (Feb. 10,
2021) (``[T]he SDR process is an end-to-end straight through
process; from the receipt of data, processing and maintenance of
data, and dissemination of data, processes are automated and do not
require manual intervention.'').
\114\ See SEC Approves Registration of First Security-Based Swap
Data Repository; Sets the First Compliance Date for Regulation SBSR,
Press Release, Commission (May 7, 2021), available at: <a href="https://www.sec.gov/news/press-release/2021-80">https://www.sec.gov/news/press-release/2021-80</a>.
---------------------------------------------------------------------------
ii. Current Regulation
The Commission believes the current technology regulation framework
for SBSDRs should be strengthened. SBSDR technology regulation is
currently governed by 17 CFR 240.13n-6 (``Rule 13n-6''), a broad,
principles-based operational risk rule,\115\ which the Commission
adopted in 2015 when regulatory development of the SBS market was still
nascent and SBSDRs were not yet registered with the Commission under 17
CFR 240.13n-1 (``Rule 13n-1'').\116\ Additionally, Rule 13n-6 was
adopted shortly after the adoption of Regulation SCI, with
modifications that did not include some of the more detailed proposed
requirements.\117\ As a result, the two currently-registered SBSDRs
(which are affiliated with registered clearing agencies that are
subject to Regulation SCI) \118\ remain subject to the broad
principles-based rule, Rule 13n-6, which is the only applicable
operational risk requirement for SBSDRs in the Commission's current
regulatory framework.
---------------------------------------------------------------------------
\115\ See 17 CFR 240.13n-6.
\116\ See SBSDR Adopting Release, supra note 96, at 14499, 14550
(``[T]he Commission may consider the application of any features of
Regulation SCI to SDRs in the future.''); SCI Adopting Release,
supra note 1, at 72364.
\117\ See SBSDR Adopting Release, supra note 96, at 14499
(stating that ``[t]he Commission is not adopting Rule 13n-6 as
proposed because, after proposing Rule 13n-6, the Commission
considered the need for an updated regulatory framework for certain
systems of the U.S. securities trading markets and adopted
Regulation Systems Compliance and Integrity (`Regulation SCI').'').
Specifically, the Commission stated that the rule as adopted better
sets an appropriate core framework for the policies and procedures
of SBSDRs with respect to automated systems and that the framework
adopted is ``broadly consistent'' with Regulation SCI. See id.
Therefore, the Commission declined to adopt more prescriptive
elements of the rule as proposed, including proposed Rule 13n-6(b),
which would have required that every security-based swap data
repository, with respect to those systems that support or are
integrally related to the performance of its activities: (1)
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its systems provide adequate
levels of capacity, resiliency, and security. These policies and
procedures shall, at a minimum: (i) establish reasonable current and
future capacity estimates; (ii) conduct periodic capacity stress
tests of critical systems to determine such systems' ability to
process transactions in an accurate, timely, and efficient manner;
(iii) develop and implement reasonable procedures to review and keep
current its system development and testing methodology; (iv) review
the vulnerability of its systems and data center computer operations
to internal and external threats, physical hazards, and natural
disasters; and (v) establish adequate contingency and disaster
recovery plans; (2) on an annual basis, submit an objective review
to the Commission within thirty calendar days of its completion.
Where the objective review is performed by an internal department,
an objective, external firm shall assess the internal department's
objectivity, competency, and work performance with respect to the
review performed by the internal department. The external firm must
issue a report of the objective review, which the security-based
swap data repository must submit to the Commission on an annual
basis, within 30 calendar days of completion of the review; (3)
promptly notify the Commission of material systems outages and any
remedial measures that have been implemented or are contemplated
(prompt notification includes the following: (i) immediately notify
the Commission when a material systems outage is detected; (ii)
immediately notify the Commission when remedial measures are
selected to address the material systems outage; (iii) immediately
notify the Commission when the material systems outage is addressed;
and (iv) submit to the Commission within five business days of the
occurrence of the material systems outage a detailed written
description and analysis of the outage and any remedial measures
that have been implemented or are contemplated); and (4) notify the
Commission in writing at least thirty calendar days before
implementation of any planned material systems changes. See SBSDR
Proposing Release, supra note 104, at 77370.
\118\ The two registered SBSDRs, DTCC Data Repository (U.S.),
LLC and ICE Trade Vault, LLC, are affiliated with the registered
clearing agencies, Depository Trust Company and ICE Clear Credit
LCC, respectively.
---------------------------------------------------------------------------
Rule 13n-6 requires that SBSDRs, with respect to those systems that
support or are integrally related to the performance of their
activities, establish, maintain, and enforce written policies and
procedures reasonably designed to ensure that their systems provide
adequate levels of capacity, integrity, resiliency, availability, and
[[Page 23156]]
security.\119\ The operational risk principles underlying Rule 13n-6
are an essential part of the rules that comprise the core framework for
SBSDRs that the Commission established in 2015 at the opening of its
regulatory regime governing SBSDRs. The core framework influences all
applicable requirements relevant to SBSDRs that follow. The core
framework not only addresses SBSDR operational risk, but also other
SBSDR enumerated duties, including registration, market access to
services and data, governance arrangements, conflicts of interest, data
collection and maintenance, privacy and disclosure requirements, and
chief compliance officers,\120\ thereby implementing the provisions of
Exchange Act section 13(n).\121\ Therefore, the SBSDR core framework,
which Rule 13n-6 is a part, is different in focus and broader in scope
than proposed Regulation SCI--as it relates to SBSDRs--which is focused
on, among things, protecting the security of SBSDR systems. While Rule
13n-6 may not provide the absolute requirements relating to SBSDR
operational risk, as the Commission's regulatory regime continues to
evolve, Rule 13n-6 sets forth an enumerated duty for operational risk
concerns that registered SBSDRs must address--at the time of
registration and throughout its registration with the Commission.
Compliance with the core principles and requirements in the SBSDR
rules, including Rule 13n-6, is, thus, an important building block for
better ensuring the integrity of an SBSDR's data quality upon which the
Commission and the securities markets rely. In this regard, the
Commission believes that Rule 13n-6 should be preserved, with the
requirements of this proposal, if adopted, working to complement Rule
13n-6.\122\ Specifically, the proposed requirements of Regulation SCI
on SBSDRs would exist and operate in conjunction with Rule 13n-6 and
would prescribe certain key features and more detailed functional
requirements to help ensure that SBSDR market systems are robust,
resilient, and secure.\123\
---------------------------------------------------------------------------
\119\ See 17 CFR 240.13n-6.
\120\ See 17 CFR 240.13n-1 through 240.13n-12; See SBSDR
Adopting Release, supra note 96, at 14440-42.
\121\ 15 U.S.C. 78m(n).
\122\ When adopting Rule 13n-6, the Commission acknowledged the
potential application of Regulation SCI provisions to SBSDRs in the
future. See SBSDR Adopting Release, supra note 96, at 14438, 14499
(stating that ``[c]onsistent with this approach and in recognition
of the importance of SDRs as the primary repositories of SBS trade
information, the Commission may consider the application of any
features of Regulation SCI to SDRs in the future.''). Additionally,
as guidance, the Commission stated that, in preparing their policies
and procedures to comply with Rule 13n-6, SBSDRs may consider
whether to incorporate aspects of Regulation SCI that may be
appropriate for their particular implementation of Rule 13n-6. See
id., at 14499, n.826 (stating that ``[i]n preparing their policies
and procedures, SDRs may consider whether to incorporate aspects of
Regulation SCI that may be appropriate for their particular
implementation of Rule 13n-6, including where an SDR is related by
virtue of its corporate structure to an entity subject to Regulation
SCI.'').
\123\ In 2014, the SEC's SBSDR regulatory framework was subject
to a Level 2 assessment by the Bank for International Settlements'
Committee on Payments and Market Infrastructures (``CPMI'') and the
International Organization of Securities Commissions (``IOSCO''),
which concluded that ``the U.S. jurisdiction has developed rules or
proposed rules that completely and consistently implement the
majority of Principles that are applicable to CCPs [central
counterparties] [but that] [t]he progress of the U.S. jurisdiction
towards completely and consistently implementing the Principles for
[trade repositories] has been more limited.'' See CPMI-IOSCO,
Implementation Monitoring of PFMIs: Level 2 assessment report for
central counterparties and trade repositories--United States (Feb.
26, 2015), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD477.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD477.pdf</a>. Additionally, CPMI-IOSCO issued guidance for cyber
resilience for financial market infrastructures (``FMIs''),
including trade repositories. See CPMI-IOSCO, Guidance on cyber
resilience for financial market infrastructures (June 2016),
available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf</a>; see also CPMI-IOSCO, Implementation monitoring of
the PFMI: Level 3 assessment on Financial Market Infrastructures'
Cyber Resilience (Nov. 2022), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf</a> (presenting the results of an
assessment of the state of cyber resilience (as of Feb. 2021) at 37
FMIs from 29 jurisdictions that participated in this exercise in
2020 to 2022).
---------------------------------------------------------------------------
Regulation SCI, among other things, defines the scope of systems
covered, and requires: the establishment, maintenance, and enforcement
of written policies and procedures to ensure that SCI systems have
levels of capacity, integrity, resiliency, availability, and security
adequate to maintain operational capacity and promote the maintenance
of fair and orderly markets, with minimum elements that include, among
others, standards designed to facilitate the successful collection,
processing, and dissemination of market data and robust business
continuity and disaster recovery plans; policies and procedures
designed to ensure compliance with the federal securities laws;
corrective action and reporting and dissemination of SCI events,
quarterly reporting of material systems changes, and an annual SCI
review; and participation of key members in SCI entity's business
continuity and disaster recovery plans.
The Commission believes that SBSDRs operate with similar complexity
and in a similar fashion as other registered securities information
processors that are currently subject to Regulation SCI and that they
play an important role in the SBS market and face similar technological
vulnerabilities as existing SCI entities, such as FINRA's TRACE and
MSRB's EMMA. For example, were an SBSDR to experience a systems issue,
market participants could be prevented from receiving timely
information regarding accurate prices for individual SBSs. Given
SBSDRs' reliance on automated systems and their dual Dodd-Frank
mandated role of providing price transparency to market participants
and SBS data to regulators to surveil markets to better ensure that
systemic risk is limited and market stability is enhanced, the
Commission believes it appropriate to include SBSDRs into the scope of
the Regulation SCI proposal.
Currently, there are two registered SBSDRs that would become
subject to Regulation SCI should the Regulation SCI amendments be
adopted.\124\
---------------------------------------------------------------------------
\124\ See supra note 118.
---------------------------------------------------------------------------
iii. Request for Comment
1. The Commission requests comment generally on the inclusion of
SBSDRs as SCI entities. Is their inclusion appropriate? Why or why not?
Please be specific and provide examples, if possible, to illustrate
your points.
2. Should all or some aspects of Regulation SCI apply to SBSDRs?
Why or why not? If only a portion, please specify which portion(s) and
explain why. If all, explain why.
3. Are the definitions of SCI systems and indirect SCI systems
appropriate for SBSDRs? Why or why not? Are there any systems of SBSDRs
that should be included but would not be covered by these definitions?
Please explain. Are there any systems of SBSDRs that should be excluded
by these definitions? Please explain. Do SBSDRs have any systems that
would or should be covered by the definition of critical SCI systems?
Please explain.
4. Is current Rule 13n-6 sufficient to govern the technology of
SBSDRs? If not, why not? Would the Regulation SCI proposed
requirements, together with Rule 13n-6, be sufficient to address
operational risk concerns posed by SBSDRs? Why or why not? Should Rule
13n-6 serve as an operational risk requirement for new SBSDR
registrants during the first year registered with the Commission, with
Regulation SCI proposed requirements imposed after the first year of
registration? Why or why not? Please be specific and respond with
examples, if possible.
5. Given the current practices of SBSDRs, would the proposed
Regulation SCI requirements pose unreasonable or unworkable
difficulties
[[Page 23157]]
for them, technologically, legally, operationally, or procedurally? Why
or why not? Please be specific and respond with examples, if possible.
6. Should Regulation SCI distinguish among different types of
SBSDRs such that some requirements of Regulation SCI might be
appropriate for some SBSDRs but not others? Why or why not? If so, what
are those distinctions and what are those requirements? For example,
should any requirements be based on criteria such as number of
transactions or notional volume reported to a SBSDR? If so, what would
be an appropriate threshold for any such criteria, and why? Please be
specific and provide examples, if possible.
7. Because proposed Regulation SCI would include SBSDRs as ``SCI
entities,'' SBSDRs that share systems with affiliated clearing agencies
could be required to classify those shared systems as SCI systems of
the SBSDR and indirect SCI systems of the clearing agency, and vice
versa. Is this outcome appropriate? Why or why not? Please be specific
and provide examples, if possible.
8. Is Regulation SCI, including as proposed to be amended,
comprehensive and robust enough to address SBSDRs that rely on third-
party providers to support core SBSDR operations? Why or why not?
Please be specific and provide examples, if possible.
b. SCI Broker-Dealers
The Commission further proposes to expand the application of
Regulation SCI by including certain broker-dealers--to be referred to
as ``SCI broker-dealers''--in the definition of SCI entity. An SCI
broker-dealer would be a broker or dealer registered with the
Commission pursuant to section 15(b) of the Exchange Act that exceeds
one or more size thresholds. An SCI broker-dealer would be a broker-
dealer that meets or exceeds: (i) a total assets threshold, or (ii) one
or more transaction activity thresholds.
The proposed thresholds are designed to identify the largest U.S.
broker-dealers by size, as measured in two different ways. The first is
analysis of broker-dealer size based on total assets reported on Form
X-17A-5 (Financial and Operational Combined Uniform Single (``FOCUS'')
Report Part II, Item 940),\125\ which reveals the largest firms based
on their balance sheets at a point in time, and which is a measure used
by the Board of Governors of the Federal Reserve System (``Federal
Reserve Board'') to calculate and provide to the public on a quarterly
basis a measure of total assets of all security broker-dealers.\126\
The second is a measure of broker-dealer size using transaction
activity to identify significant firms active in certain enumerated
types of securities. As discussed further below, the total assets
threshold is expressed in terms of the broker-dealer's total assets at
specified points in time as a percentage of the ``total assets of all
security broker-dealers'' with ``total assets of all security-broker-
dealers'' being calculated and made publicly available by the Federal
Reserve Board for the associated preceding calendar quarter, or any
subsequent provider of such information.\127\ The trading activity
threshold is expressed in terms of the sum of buy and sell transactions
that the broker-dealer transacted during a specified time period as a
percentage of reported total average daily dollar volume in one or more
enumerated types of securities. The proposed total assets threshold is
broadly similar to the approach banking regulators use to assess the
appropriate capital and liquidity requirements for banks.\128\ The
proposed transaction activity thresholds are similar to, but
distinguishable from, the market share thresholds for SCI ATSs.\129\
The proposed threshold approaches in the proposed definition of SCI
broker-dealer are designed to identify entities that play key roles in
the U.S. securities markets due to the magnitude of their activity in
these markets.\130\
---------------------------------------------------------------------------
\125\ See Form X-17A-5, FOCUS Report, Part II, at 3, available
at <a href="https://www.sec.gov/files/formx-17a-5_2_2.pdf">https://www.sec.gov/files/formx-17a-5_2_2.pdf</a> (requiring broker-
dealers to report their total assets in Item 940).
\126\ See infra note 127.
\127\ For additional detail on the calculation of total assets
of all security broker-dealers, see Z.1: Financial Accounts of the
United States, available at <a href="https://www.federalreserve.gov/apps/fof/Guide/z1_tables_description.pdf">https://www.federalreserve.gov/apps/fof/Guide/z1_tables_description.pdf</a>; ((i) stating that the term
``security broker-dealers'' refers to firms that buy and sell
securities for a fee, hold an inventory of securities for resale, or
do both; and firms that make up this sector are those that submit
information to the Commission on one of two reporting forms, either
the Financial and Operational Combined Uniform Single Report of
Brokers and Dealers (FOCUS) or the Report on Finances and Operations
of Government Securities Brokers and Dealers (FOGS); and (ii)
describing the major assets of the security brokers and dealers
sector). Currently, this information is readily accessible on the
Federal Reserve Economic Data (``FRED'') website. See Board of
Governors of the Federal Reserve System (US), Security Brokers and
Dealers; Total Assets (Balance Sheet), Level [BOGZ1FL664090663Q],
retrieved from FRED, Federal Reserve Bank of St. Louis, available
at: <a href="https://fred.stlouisfed.org/series/BOGZ1FL664090663Q">https://fred.stlouisfed.org/series/BOGZ1FL664090663Q</a> (making
publicly available the total assets of all security brokers and
dealers, as calculated and updated quarterly by the Federal Reserve
Board).
\128\ See infra notes 178-180 and accompanying text.
\129\ See infra section III.A.b.iii.
\130\ See infra text accompanying notes 138-142 (summarizing
comments on the SCI Proposing Release from commenters urging that
application of Regulation SCI to broker-dealers should be limited to
those with substantial transaction volume or having a large
``footprint'').
---------------------------------------------------------------------------
i. Background
There are approximately 3,500 broker-dealers registered with the
Commission pursuant to section 15(b) of the Exchange Act, and these
entities encompass a broad range of sizes, business activities, and
business models.\131\ In 2013, the Commission proposed to include
significant volume ATSs in the definition of SCI entity but at that
time did not propose to include any other aspects of broker-dealer
operations.\132\ Rather, the Commission solicited comment on whether
certain classes of broker-dealers should be covered. In particular, the
Commission sought comment on whether Regulation SCI should apply, for
example, to OTC market makers \133\ (either all or those
[[Page 23158]]
that execute a significant volume of orders), exchange market makers
\134\ (either all or those that trade a significant volume on
exchanges), order-entry firms that handle and route order flow for
execution (either all or those that handle a significant volume of
investor orders), clearing broker-dealers (either all or those that
engage in a significant amount of clearing activities), and/or large
multi-service broker-dealers that engage in a variety of order
handling, trading, and clearing activities.\135\ Although OTC market
makers and clearing broker-dealers were noted specifically as examples
of categories of broker-dealers that could pose significant risk to the
market if a large portion of the order flow they handle or process were
disrupted due to a systems issue, the Commission broadly solicited
commenters' views on the importance of different categories of broker-
dealers to the stability of overall securities market infrastructure
and the risks posed by their systems.\136\
---------------------------------------------------------------------------
\131\ This estimate is derived from information on broker-dealer
FOCUS Report Form X-17A-5 Schedule II filings as of Dec. 31, 2021,
as well as the third quarter of 2022. See also FINRA, 2022 FINRA
Industry Snapshot (Mar. 2022), available at <a href="https://www.finra.org/sites/default/files/2022-03/2022-industry-snapshot.pdf">https://www.finra.org/sites/default/files/2022-03/2022-industry-snapshot.pdf</a>. Section
15(b)(8) of the Exchange Act prohibits any broker-dealer from
effecting transactions in securities unless it is a member of a
registered national securities association (i.e., FINRA) or effects
securities transactions solely on a national securities exchange of
which it is a member. See 15 U.S.C. 78o(b)(8); see also 17 CFR
240.15b9-1 (``Rule 15b9-1'') (exempting proprietarily trading
dealers from section 15(b)(8)'s national securities association
membership requirement if they are a member of a national securities
exchange and meet certain other requirements). But see Securities
Exchange Act Release No. 95388 (July 29, 2022), 87 FR 49930 (Aug.
12, 2022) (proposing amendments to Exchange Act Rule 15b9-1 that
would generally require proprietary trading firms that are
registered broker-dealers to become a registered member of a
national securities association (i.e., FINRA) if they effect
securities transactions otherwise than on an exchange of which they
are a member). See also Securities Exchange Act Release No. 94524
(Mar. 28, 2022), 87 FR 23054 (Apr. 18, 2022) (``Dealer-Trader
Release'') (proposing to further define ``dealer'' and ``government
securities dealer'' to identify certain activities that would
constitute a ``regular business'' requiring a person engaged in
those activities to register as a ``dealer'' or a ``government
securities dealer,'' absent an exception or exemption). Because the
proposed amendments to further define the definition of dealer could
result in a greater number of dealers and the amendments proposed to
expand and update Regulation SCI could impact these newly designated
dealers, commenters also are encouraged to review the Dealer-Trader
Release to determine whether it might affect their comments on this
proposal.
\132\ See SCI Proposing Release, supra note 14, at 18138-42.
\133\ An OTC market maker is a dealer that holds itself out as
willing to buy and sell NMS stocks on a continuous basis in amounts
of less than block size otherwise than on an exchange. See 17 CFR
242.600(b)(64).
\134\ An exchange market maker is any member of a national
securities exchange that is registered as a specialist or market
maker pursuant to the rules of such exchange. See 17 CFR
242.600(b)(32).
\135\ See SCI Proposing Release, supra note 14, at 18139-40.
\136\ See SCI Proposing Release, supra note 14, at 18138-40
(including questions 194-196 soliciting comment on whether and how
to distinguish between and among categories of broker-dealers, such
as OTC market makers, order entry firms that handle and route order
flow for execution, clearing broker-dealers, and large multi-service
broker-dealers that engage in a variety of order handling, trading,
and clearing activities).
---------------------------------------------------------------------------
As summarized in the SCI Adopting Release, commenters' views
varied.\137\ One commenter opined that market makers and brokers or
dealers that execute orders internally by trading as a principal or
crossing orders as an agent and handle market share that exceeds that
of certain SCI ATSs should be subject to Regulation SCI.\138\ Others
stated that market makers, high frequency trading firms, or any firm
with market access should be included, arguing that these market
participants could present systemic risks to the market and had ``a
significant footprint in the markets.'' \139\ Others stated that
broker-dealers should be SCI entities because 17 CFR 240.15c3-5 (``Rule
15c3-5'' or ``Market Access Rule''),\140\ requiring the implementation
of risk management and supervisory controls to limit risk associated
with routing orders to exchanges or ATSs, was not sufficient by itself,
as it does not address the reliability or integrity of the systems that
implement such controls.\141\ One commenter stated that Regulation SCI
should be extended to any trading platforms that transact significant
volume, including systems that are not required to register as an ATS
because all executions are against the bids and offers of a single
dealer.\142\ In contrast, other commenters argued that broker-dealers
should not be subject to Regulation SCI because they must comply with
other Exchange Act and FINRA rules and the proposed Regulation SCI
requirements would be ``duplicative and unduly burdensome.'' \143\ At
adoption, the Commission stated that ``should [it] decide to propose to
apply the requirements of Regulation SCI to [broker-dealer operations
other than ATSs, it] would issue a separate release discussing such a
proposal and would take these comments into account.'' \144\
---------------------------------------------------------------------------
\137\ See SCI Adopting Release, supra note 1, at 72365.
\138\ See id. (citing letter from the New York Stock Exchange,
Inc. (``NYSE'')).
\139\ See id. (citing letters from Liquidnet, Inc., David Lauer,
and R.T. Leuchtkafer).
\140\ See 17 CFR 240.15c3-5.
\141\ See SCI Adopting Release, supra note 1, at 72365 (citing
letters from David Lauer and the NYSE).
\142\ See id. (citing letter from BlackRock at 4, in which
BlackRock stated that trading systems that ``transact significant
volume'' are ``venues that have a meaningful role and impact on the
equity market'').
\143\ See id.
\144\ SCI Adopting Release, supra note 1, at 72366.
---------------------------------------------------------------------------
In considering expansion of Regulation SCI to broker-dealers or
broker-dealer operations beyond SCI ATSs, the Commission has considered
the extent to which current Commission and FINRA rules affect how
broker-dealers design and review their systems for capacity, integrity,
resiliency, availability, and/or security adequate to maintain
operational capability and promote the maintenance of fair and orderly
markets and compliance with federal securities laws and regulations,
and whether additional technology oversight is appropriate for certain
broker-dealers based on the magnitude of their activity in the markets
today.\145\ The Commission proposes to apply Regulation SCI to a
limited number of the approximately 3,500 broker-dealers registered
with the Commission. The proposed thresholds are designed to identify
firms that, by virtue of their total assets or level of transaction
activity over a period of time and on a consistent basis, play a
significant role in the orderly functioning of U.S. securities markets.
The thresholds are designed to identify firms that, if adversely
affected by a technology event, could disrupt or impede orderly and
efficient market operations more broadly.
---------------------------------------------------------------------------
\145\ As noted above, the concurrently issued Exchange Act
Cybersecurity Proposal would establish minimum ``cybersecurity
rules'' for all broker-dealers. That proposal does not, however,
independently address weaknesses in broker-dealer operational
capacity or resiliency not attributable to cybersecurity breaches.
---------------------------------------------------------------------------
ii. Current Regulatory Oversight of Broker-Dealer Systems Technology
There are a number of Commission and FINRA rules that affect how
broker-dealers design and maintain their technology and promote
business continuity and regulatory compliance.\146\ Although these
rules may support the goal of more resilient broker-dealer systems,
they are not designed to address the same concerns that Regulation SCI
addresses and are not a substitute for Regulation SCI.\147\
---------------------------------------------------------------------------
\146\ 17 CFR 240.3a1-1(a)(2) (``Rule 3a1-1(a)(2)''), exempts
from the Exchange Act section 3(a)(1) definition of ``exchange'' an
organization, association, or group of persons that complies with
Regulation ATS. All such exempted ATSs must be a registered broker-
dealer and become a member of an SRO, which typically is FINRA.
Accordingly, FINRA rules applicable to broker-dealers apply to ATSs.
A similar discussion of FINRA rules applicable to ATSs appears in
the SCI Adopting Release, supra note 1, at 72263.
\147\ See infra notes 148-166 and accompanying text. See also
SCI Adopting Release, supra note 1, at 72263 (n. 115 and
accompanying text), 72365 (discussing comments received).
---------------------------------------------------------------------------
As some commenters on the SCI Proposing Release stated, the Market
Access Rule is relevant to certain broker-dealer systems. The Market
Access Rule requires broker-dealers with market access to implement, on
a market-wide basis, effective financial and regulatory risk management
controls and supervisory procedures reasonably designed to limit
financial exposure and ensure compliance with applicable regulatory
requirements, and thus seeks to address, among other things, certain
risks posed to the markets by broker-dealer systems.\148\ Pursuant to
the Market Access Rule, a broker or dealer with market access, or that
provides a customer or any other
[[Page 23159]]
person with access to a national securities exchange or ATS through use
of its market participant identifier or otherwise, must establish,
document, and maintain a system of risk management controls and
supervisory procedures reasonably designed to manage the financial,
regulatory, and other risks of this business activity.\149\ The Market
Access Rule specifies standards for financial and regulatory risk
management controls and supervisory procedures.\150\ It requires that
the financial risk management controls and supervisory procedures must
be reasonably designed to limit systematically the financial exposure
of the broker or dealer that could arise from market access.\151\ In
addition, the Market Access Rule requires that regulatory risk
management controls and supervisory procedures be reasonably designed
to ensure compliance with all regulatory requirements.\152\ As such,
the focus of the Market Access Rule requires controls to prevent
technology and other errors that can create some of the more
significant risks to broker-dealers and the markets, namely those that
arise when a broker-dealer enters orders into a national securities
exchange or ATS, including when it provides sponsored or direct market
access to customers or other persons, where the consequences of such an
error can rapidly magnify and spread throughout the markets. Further,
the Market Access Rule requires specific controls and procedures around
a broker-dealer entering orders on a national securities exchange or
ATS that Regulation SCI does not and would not prescribe.
---------------------------------------------------------------------------
\148\ See Securities Exchange Act Release No. 63241 (Nov. 3,
2010), 75 FR 69792 (Nov. 15, 2010) (``Market Access Release'').
Under 17 CFR 240.15c3-5(a)(1) (``Rule 15c3-5(a)(1)''), ``market
access'' is defined to mean: (i) access to trading in securities on
an exchange or ATS as a result of being a member or subscriber of
the exchange or ATS, respectively; or (ii) access to trading in
securities on an ATS provided by a broker-dealer operator of an ATS
to a non-broker-dealer. See 17 CFR 240.15c3-5(a)(1). In adopting
Rule 15c3-5(a)(1), the Commission stated that ``the risks associated
with market access . . . are present whenever a broker-dealer trades
as a member of an exchange or subscriber to an ATS, whether for its
own proprietary account or as agent for its customers, including
traditional agency brokerage and through direct market access or
sponsored access arrangements.'' See Market Access Release at 69798.
As such, the Commission stated that ``to effectively address these
risks, Rule 15c3-5 must apply broadly to all access to trading on an
Exchange or ATS.'' Id.
\149\ See 17 CFR 240.15c3-5(b).
\150\ See 17 CFR 240.15c3-5(c).
\151\ See 17 CFR 240.15c3-5(c)(1).
\152\ See 17 CFR 240.15c3-5(c)(2). See also 17 CFR 240.15c3-
5(a)(2) (defining ``regulatory requirements'' to mean all Federal
securities laws, rules and regulations, and rules of self-regulatory
organizations, that are applicable in connection with market
access).
---------------------------------------------------------------------------
In contrast, the policies and procedures required by Regulation SCI
apply broadly to technology that supports trading, clearance and
settlement, order routing, market data, market regulation, and market
surveillance and, among other things, address their overall capacity,
integrity, resilience, availability, and security independent of market
access. Whereas the Market Access Rule prescribes specific controls and
procedures around a broker-dealer entering orders on an exchange or
ATS, it is not designed to ensure that the key technology pervasive and
important to the functioning of the U.S. securities markets is robust,
resilient, and secure.\153\ Among other requirements, the policies and
procedures requirements of Regulation SCI are designed to help ensure
that the systems of SCI entities are adequate to maintain operational
capability independent of any specific SCI event (i.e., a systems issue
such as a systems disruption, systems intrusion, or systems compliance
issue). Further, the SCI review requirement obligates an SCI entity to
assess the risks of its systems and effectiveness of its technology
controls at least annually, identify weaknesses, and ensure compliance
with the safeguards of Regulation SCI. The Market Access Rule and
Regulation SCI, therefore, have different requirements and would
operate in conjunction with each other to help ensure that SCI broker-
dealer SCI systems, whether used for access to the national securities
exchanges or ATSs or not, are robust, resilient, and secure.
---------------------------------------------------------------------------
\153\ See also supra note 141 and accompanying text.
---------------------------------------------------------------------------
Broker-dealers are also subject to the Commission's financial
responsibility rules (17 CFR 240.15c3-1 (``Rule 15c3-1'') and 17 CFR
240.15c3-3 (``Rule 15c3-3'')) under the Exchange Act. Rule 15c3-1
requires broker-dealers to maintain minimum amounts of net capital,
ensuring that the broker-dealer at all times has enough liquid assets
to promptly satisfy all creditor claims if the broker-dealer were to go
out of business.\154\ Rule 15c3-3 imposes requirements relating to
safeguarding customer funds and securities.\155\ These rules provide
protections for broker-dealer counterparties and customers and can help
to mitigate the risks to, and impact on, customers and other market
participants by protecting them from the consequences of financial
failure that may occur because of a systems issue at a broker-dealer,
and thus have a different scope and purpose from Regulation SCI.\156\
---------------------------------------------------------------------------
\154\ See 17 CFR 240.15c3-1.
\155\ See 17 CFR 240.15c3-3.
\156\ Similarly, 17 CFR 248.30 (``Rule 30'' of Regulation S-P),
which requires registered brokers and dealers to have written
policies and procedures that are reasonably designed to safeguard
customer records and information--to insure their security and
confidentiality, protect against threats or hazards to their
security and integrity and protect against unauthorized access or
use that could result in substantial harm or inconvenience to any
customer--is not designed to help ensure operational capability of
market related systems. In addition, 17 CFR 248.201 (``Regulation S-
ID'') requires financial institutions or creditors (defined to
include registered broker-dealers) that have one or more covered
accounts, as defined in 17 CFR 248.201(b)(3) (e.g., brokerage
account), to develop and implement a written identity theft
prevention program to detect, prevent, and mitigate identity theft
in connection with covered accounts that includes policies and
procedures to identify and incorporate red flags into the program,
detect and respond to red flags, and incorporate periodic updates to
the program. This rule, however, is also not designed to ensure
operational capability of market related systems.
---------------------------------------------------------------------------
Pursuant to 17 CFR 240.17a-3 (``Rule 17a-3'' under the Exchange
Act) and 17 CFR 240.17a-4 (``Rule 17a-4'' under the Exchange Act),
broker-dealers are required to make and keep current records detailing,
among other things, securities transactions, money balances, and
securities positions.\157\ A systems issue at a broker-dealer would not
excuse the broker-dealer for noncompliance with these
requirements.\158\ Further, a broker-dealer that fails to make and keep
current the records required by Rule 17a-3 must give notice to the
Commission of this fact on the same day and, thereafter, within 48
hours transmit a report to the Commission stating what the broker-
dealer has done or is doing to correct the situation.\159\ Regulation
SCI, however, more directly addresses mitigating the impact of
technology failures with respect to SCI systems and indirect SCI
systems (which include systems that are not used to make and keep
current the records required by Rule 17a-3). Specifically, it requires
notifications to the Commission for a different set of events--systems
intrusions, systems compliance issues, and systems disruptions--than
the notification requirements of 17 CFR 240.17a-11 (``Rule 17a-11''),
and is therefore not duplicative of Rule 17a-11. In addition, it
requires that, when an SCI event has occurred, an SCI entity must begin
to take appropriate corrective action which must include, at a minimum,
mitigating potential harm to investors and market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable.
---------------------------------------------------------------------------
\157\ See 17 CFR 240.17a-3; 17 CFR 240.17a-4.
\158\ See, e.g., Securities Exchange Act Release No. 40162 (July
2, 1998), 63 FR 37668 (July 13, 1998) (stating that computer systems
with ``Year 2000 Problems'' may be deemed not to have accurate and
current records and be in violation of Rule 17a-3).
\159\ See 17 CFR 240.17a-11.
---------------------------------------------------------------------------
FINRA also has several rules that are similar to, but take a
different approach from, Regulation SCI. For example, FINRA Rule 4370
requires that each broker-dealer create and maintain a written business
continuity plan identifying procedures relating to an emergency or
significant business disruption that are reasonably designed to enable
them to meet their existing obligations to customers. The procedures
must also address the broker-dealer's existing relationships
[[Page 23160]]
with other broker-dealers and counterparties. A broker-dealer is
required to update its plan in the event of any material change to the
member's operations, structure, business, or location and must conduct
an annual review of its business continuity plan to determine whether
any modifications are necessary in light of changes to the member's
operations, structure, business, or location. The rule sets forth
general minimum elements that a broker-dealer's business continuity
plan must address.\160\
---------------------------------------------------------------------------
\160\ Specifically, FINRA Rule 4370 requires that each plan
must, at a minimum, address: data back-up and recovery; all mission
critical systems; financial and operational assessments; alternate
communications between customers and the member; alternate
communications between the member and its employees; alternate
physical location of employees; critical business constituent, bank,
and counter-party impact; regulatory reporting; communications with
regulators; and how the member will assure customers' prompt access
to their funds and securities in the event that the member
determines that it is unable to continue its business.
---------------------------------------------------------------------------
This rule is akin to Regulation SCI's Rule 1001(a)(2)(v) requiring
policies and procedures for business continuity and disaster recovery
plans.\161\ However, unlike Regulation SCI, the FINRA rule does not
include the requirement that the business continuity and disaster
recovery plans be reasonably designed to achieve next business day
resumption of trading and two-hour resumption of critical SCI systems
following a wide-scale disruption, nor does it require the functional
and performance testing and coordination of industry or sector-testing
of such plans, which are instrumental in achieving the goals of
Regulation SCI with respect to SCI entities.\162\ In addition, FINRA
Rule 4370 contains certain provisions that Regulation SCI does
not.\163\ For example, a broker-dealer must disclose to its customers
through public disclosure statements how its business continuity plan
addresses the possibility of a future significant business disruption
and how the member plans to respond to events of varying scope.\164\
Accordingly, FINRA Rule 4370 and Regulation SCI would operate in
conjunction with one another to help ensure that an SCI broker-dealer
has business continuity and disaster recovery plans to achieve the
goals of each rule.
---------------------------------------------------------------------------
\161\ See SCI Adopting Release, supra note 1, at 72263-64.
\162\ Id.
\163\ See supra note 160.
\164\ See FINRA Rule 4370(e).
---------------------------------------------------------------------------
FINRA Rule 3110(b)(1) requires each broker-dealer to establish,
maintain, and enforce written procedures to supervise the types of
business in which it engages and to supervise the activities of
registered representatives, registered principals, and other associated
persons that are reasonably designed to achieve compliance with
applicable securities laws and regulations.
This supervisory obligation extends to member firms' outsourcing of
certain ``covered activities''--activities or functions that, if
performed directly by a member firm, would be required to be the
subject of a supervisory system and written supervisory procedures
pursuant to FINRA Rule 3110.\165\ This rule is broadly similar to Rule
1001(b) of Regulation SCI regarding policies and procedures to ensure
systems compliance. However, unlike Rule 1001(b), which focuses on
ensuring that an entity's systems operate in compliance with the
Exchange Act, the rules and regulations thereunder, and the entity's
rules and governing documents, this FINRA rule does not specifically
address compliance of broker-dealers' systems. Further, this provision
does not cover more broadly policies and procedures akin to those in
Rule 1001(a) of Regulation SCI regarding ensuring the SCI entity's
operational capability. FINRA Rule 3110(b)(1) and Regulation SCI would
operate in conjunction to help ensure that the SCI systems of SCI
broker-dealers, including those operated by third parties, are robust,
resilient, and operate as intended.
---------------------------------------------------------------------------
\165\ See FINRA, Regulatory Notice 21-29: Vendor Management and
Outsourcing (Aug. 13, 2021), available at <a href="https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf">https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf</a>; FINRA,
Notice to Members 05-48: Outsourcing (July 2005), available at
<a href="https://www.finra.org/sites/default/files/NoticeDocument/p014735.pdf">https://www.finra.org/sites/default/files/NoticeDocument/p014735.pdf</a>.
---------------------------------------------------------------------------
FINRA Rule 3130 requires a broker-dealer's chief compliance officer
to certify annually that the member has in place processes to
establish, maintain, review, test, and modify written policies and
procedures reasonably designed to achieve compliance with applicable
FINRA rules, MSRB rules, and federal securities laws and regulations.
This rule is similar to Rule 1001(b) of Regulation SCI regarding
policies and procedures to ensure systems compliance; however, like
FINRA Rule 3130(b)(1), it does not specifically address compliance of
broker-dealers' systems, and does not require similar policies and
procedures to those in Rule 1001(a) of Regulation SCI regarding
operational capability of SCI entities. Therefore, FINRA Rule 3130 and
Regulation SCI would operate in conjunction with each other to help
ensure compliance with applicable law.
FINRA Rule 4530 imposes a regime for reporting certain events to
FINRA, including, among other things, compliance issues and other
events where a broker-dealer has concluded, or should have reasonably
concluded, that a violation of securities or other enumerated law,
rule, or regulation of any domestic or foreign regulatory body or SRO
has occurred. This requirement is similar to Regulation SCI's reporting
requirements under Rule 1002 with respect to systems compliance issues;
however, it does not cover reporting of systems disruptions and systems
intrusions that did not also involve a violation of a securities law,
rule, or regulation. Further, the FINRA reporting rule differs from the
Commission notification requirements with respect to the scope, timing,
content and required recipient of the reports. FINRA Rule 4530
addressing reporting of certain issues to FINRA is thus not duplicative
of Regulation SCI, which, among other things, was designed to enhance
direct Commission oversight of entities designated as key entities
because they play a significant role in the U.S. securities markets.
Additionally, while regulations and associated guidance applicable
to bank holding companies promulgated by the Federal Reserve Board and
other bank regulators address operational resilience, their direct
application is to bank holding companies rather than broker-dealers
registered with the Commission. For example, a 2020 interagency paper
issued by the Federal Reserve Board, the Office of the Comptroller of
the Currency, and the Federal Deposit Insurance Corporation sets forth
``sound practices'' for the largest, most complex firms, including U.S.
bank holding companies, to follow to strengthen their operational
resilience. While this publication offers key strategies for covered
entities to follow to remain resilient, many of which are similar to
what Regulation SCI requires, they are not mandatory for registered
broker-dealers.\166\ Thus,
[[Page 23161]]
although some Exchange Act and FINRA rules other than Regulation SCI
support the goal of robust and resilient broker-dealer systems, the
Commission believes that additional protections, reporting of systems
problems, and direct Commission oversight of broker-dealer technology
is appropriate for the largest broker-dealers.
---------------------------------------------------------------------------
\166\ See Federal Reserve Board, SR 20-24: Interagency Paper on
Sound Practices to Strengthen Operational Resilience (Nov. 2, 2020),
(``Banking Interagency Paper''), available at <a href="https://www.federalreserve.gov/supervisionreg/srletters/SR2024.htm">https://www.federalreserve.gov/supervisionreg/srletters/SR2024.htm</a> (``To
help large and complex domestic firms address unforeseen challenges
to their operational resilience, the sound practices are drawn from
existing regulations, guidance, and statements as well as common
industry standards that address operational risk management,
business continuity management, third-party risk management,
cybersecurity risk management, and recovery and resolution
planning.''). The paper applies to national banks, state member
banks, state nonmember banks, savings associations, U.S. bank
holding companies, and savings and loan holding companies that have
average total consolidated assets greater than or equal to (a) $250
billion or (b) $100 billion and have $75 billion or more in average
cross-jurisdictional activity, average weighted short-term wholesale
funding, average nonbank assets, or average off-balance sheet
exposure. As discussed below, the Commission's proposed approach to
identifying SCI broker-dealers similarly takes into account the size
of the firm, as measured by a total assets threshold and/or market
activity thresholds.
---------------------------------------------------------------------------
iii. Proposed Thresholds for an ``SCI Broker-Dealer''
Overview
As proposed, Regulation SCI would apply to a limited number of
broker-dealers that satisfy: (i) a total assets threshold, or (ii) one
or more transaction activity thresholds.
The Commission preliminarily believes that a broker-dealer that
meets the proposed thresholds for assets or transaction activity,
whether operating in multiple markets or predominantly in a single
market, that becomes unreliable or unavailable due to a systems issue,
risks disrupting fair and orderly market functioning.
Current Regulation SCI applies to all national securities exchanges
and certain significant-volume ATSs, all of which are highly dependent
on sophisticated automated and interconnected systems. As electronic
trading has grown, and continues to grow in some asset classes, many
broker-dealers are similarly dependent on sophisticated and
interconnected automated systems.\167\ These broker-dealer systems
contribute to the orderly functioning of U.S. securities markets,
encompassing, for example, systems for trading and quoting, order
handling, dissemination and processing of market data, and the process
of clearance and settlement.
---------------------------------------------------------------------------
\167\ For example, see Algorithmic Trading Report, supra note 3
(discussing many uses of computer systems in contemporary markets,
particularly with respect to the trading of equity and debt
securities).
---------------------------------------------------------------------------
An ``SCI broker-dealer'' would be a broker or dealer registered
with the Commission pursuant to section 15(b) of the Exchange Act
which:
<bullet> In at least two of the four preceding calendar quarters,
ending March 31, June 30, September 30, and December 31, reported to
the Commission, on Form X-17A-5 (Sec. 249.617),\168\ total assets in
an amount that equals five percent (5%) or more of the total assets of
all security brokers and dealers; or \169\
---------------------------------------------------------------------------
\168\ Broker-dealers that file Form X-17A-5 on a monthly basis
would use their total assets, as reported on Item 940 of Form X-17A-
5, for the months ending Mar. 31, June 30, Sept. 30, and Dec. 31.
Broker-dealers that file Form X-17A-5 on a quarterly basis would use
their total assets, as reported on Item 940 of Form X-17A-5, for the
quarters ending Mar. 31, June 30, Sept. 30, and Dec. 31.
\169\ See definition of SCI broker-dealer in proposed amended
Rule 1000. The term ``total assets of all security brokers and
dealers'' would, for purposes of this threshold, mean the total
assets calculated and made publicly available by the Board of
Governors of the Federal Reserve, or any subsequent provider of such
information, for the associated preceding calendar quarter. Id. See
supra note 127; infra text accompanying notes 181-185.
---------------------------------------------------------------------------
<bullet> During at least four of the preceding six calendar months:
[cir] With respect to transactions in NMS stocks, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the average daily dollar volume \170\ reported by or
pursuant to applicable effective transaction reporting plans, provided,
however, that for purposes of calculating its activity in transactions
effected otherwise than on a national securities exchange or on an
alternative trading system, the broker-dealer shall exclude
transactions for which it was not the executing party; or
---------------------------------------------------------------------------
\170\ For June 2022, the average daily dollar volume in NMS
stocks, as reported by applicable effective transaction reporting
plans, was approximately $560 billion, with 10% of that reflecting
approximately $56 billion.
---------------------------------------------------------------------------
[cir] With respect to transactions in exchange-listed options
contracts, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the average daily dollar volume
\171\ reported by an applicable effective national market system plan;
or
---------------------------------------------------------------------------
\171\ For June 2022, the average daily dollar volume in
exchange-listed options contracts, as reported by an applicable
effective national market system plan, was approximately $23.8
billion, with 10% of that reflecting approximately $2.4 billion.
---------------------------------------------------------------------------
[cir] With respect to transactions in U.S. Treasury Securities,
transacted average daily dollar volume in an amount that equals ten
percent (10%) or more of the total average daily dollar volume \172\
made available by the self-regulatory organizations \173\ to which such
transactions are reported; or
---------------------------------------------------------------------------
\172\ For June 2022, the average daily dollar volume in U.S
Treasury Securities, according to FINRA TRACE data, was
approximately $634.1 billion, with 10% of that reflecting
approximately $63.4 billion.
\173\ Currently, there is one self-regulatory organization to
which transactions in U.S Treasury Securities are reported (i.e.,
FINRA).
---------------------------------------------------------------------------
[cir] With respect to transactions in Agency Securities, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the total average daily dollar volume \174\ made available
by the self-regulatory organizations \175\ to which such transactions
are reported.
---------------------------------------------------------------------------
\174\ For June 2022, the average daily dollar volume in Agency
Securities, according to FINRA TRACE data was approximately $223
billion, with 10% of that reflecting approximately $22.3 billion.
\175\ Currently, there is one self-regulatory organization to
which transactions in U.S Treasury Securities are reported (i.e.,
FINRA) and one organization to which transactions in Agency
securities are reported (i.e., FINRA).
---------------------------------------------------------------------------
An SCI broker-dealer would be required to comply with the
requirements of Regulation SCI six months after the SCI broker-dealer
satisfied either threshold for the first time.
The proposed thresholds are designed to identify the largest U.S.
broker-dealers. To assess which broker-dealers should be subject to
Regulation SCI,\176\ the Commission has taken into account the size of
registered broker-dealers based on analyses of: (i) total assets
reported on Form X-17A-5 (Financial and Operational Combined Uniform
Single (``FOCUS'') Report Part II, Item 940),\177\ and (ii) transaction
activity in certain asset classes.
---------------------------------------------------------------------------
\176\ See supra note 82 and accompanying text.
\177\ See Form X-17A-5, FOCUS Report, Part II, at 3, available
at <a href="https://www.sec.gov/files/formx-17a-5_2_2.pdf">https://www.sec.gov/files/formx-17a-5_2_2.pdf</a> (requiring broker-
dealers to report their total assets in Item 940).
---------------------------------------------------------------------------
Proposed Total Assets Threshold
A broker-dealer would be an SCI broker-dealer and included in the
definition of SCI entity if, in at least two of the four preceding
calendar quarters ending March 31, June 30, September 30, and December
31, it reported to the Commission on Form X-17A-5, FOCUS Report Part
II, Item 940 total assets in an amount that equals five percent or more
of the total assets of all security brokers and dealers. Congress and
multiple regulators have used total assets as a factor in assessing
whether an entity warrants heightened oversight. For example, under the
Dodd-Frank Act, the Financial Stability Oversight Council (``FSOC'')
considers financial assets as one factor to determine whether a U.S.
non-bank financial services company is supervised by the Federal
Reserve Board and subject to enhanced prudential standards.\178\
Furthermore, the Dodd-Frank Act requires the Federal Reserve Board to
establish enhanced prudential standards for bank holding companies over
a certain threshold of total assets.\179\ Additionally, the Federal
[[Page 23162]]
Deposit Insurance Corporation (``FDIC'') increases its Deposit
Insurance Fund assessment for large and highly complex institutions as
compared to small banks.\180\
---------------------------------------------------------------------------
\178\ See Dodd-Frank Act section 113(a)(2), 12 U.S.C.
5323(a)(2).
\179\ See Dodd-Frank Act section 165, 12 U.S.C. 5365(a)(1). See
also Federal Reserve Board, Prudential Standards for Large Bank
Holding Companies, Savings and Loan Holding Companies, and Foreign
Banking Organizations, 84 FR 59032 (Nov. 1, 2019), and Federal
Reserve Board, Changes to Applicability Thresholds for Regulatory
Capital and Liquidity Requirements, 84 FR 59230 (Nov. 1, 2019). See
SCI Adopting Release, supra note 1, at 72259, and also definition of
``critical SCI systems'' in 17 CFR 142.1000.
\180\ See FDIC, Deposit Insurance Fund, Assessment Rates &
Methodology (last updated July 20, 2021), available at <a href="https://www.fdic.gov/resources/deposit-insurance/deposit-insurance-fund/dif-assessments.html">https://www.fdic.gov/resources/deposit-insurance/deposit-insurance-fund/dif-assessments.html</a>.
---------------------------------------------------------------------------
Although a broker-dealer's total assets alone could be used as the
proposed rule's measure of an entity's size and significance, to ensure
that a total assets measure reflects significant activity in relative
terms, the Commission proposes to scale each broker-dealer's total
assets (the numerator) to a quarterly measure of ``total assets of all
security brokers and dealers,'' as calculated by the Federal Reserve
Board (the denominator).\181\ The firm's total assets filed on FOCUS
reports (of which each firm has current and direct knowledge) would be
divided by the broader measure of total assets for all securities
brokers and dealers calculated and made publicly available by the
Federal Reserve Board, or any subsequent provider of such information,
for the purpose of comparing the size of a broker-dealer to the group
of entities tracked by the Federal Reserve Board.\182\ The Commission
understands that the Federal Reserve Board publishes total assets for
all security brokers and dealers approximately ten weeks after the end
of the quarter (e.g., 2022 third quarter results ((for quarter ending
September 30, 2022)) were published on December 13, 2022). Therefore,
the information for the preceding quarter should be available prior to
the date on which the firm's FOCUS report is required to be filed with
the Commission for the relevant quarter. To enable each firm to
calculate whether it exceeds the threshold at the time it files its
FOCUS report (which is due 17 days after the end of the quarter/
month),\183\ broker-dealers would compare their total assets to the
previous quarter on or before the FOCUS report filing deadline.
Accordingly, to assess whether it exceeds the threshold for a relevant
calendar quarter, a broker-dealer would divide its total assets
reported on Form X-17A-5, FOCUS Report Part II, Item 940 for that
quarter by the total assets of all security brokers and dealers for the
preceding quarter, as made available by the Federal Reserve.\184\
Although it is possible that the total assets of all security brokers
and dealers could increase or decrease sharply from one quarter to the
next, the FRED data shows that this has occurred rarely and that the
asset totals in the Federal Reserve Board's data generally do not
change significantly from quarter to quarter.\185\ The Commission
therefore believes that overall, the data made available by the Federal
Reserve Board is an appropriate and consistent figure for use as a
denominator in the proposed threshold.\186\
---------------------------------------------------------------------------
\181\ See supra note 127. This figure has been calculated by the
Federal Reserve Board and made available on the Federal Reserve
Economic Data (FRED) website for many years. As stated above, the
total assets figure calculated by the Federal Reserve Board is based
on the information reported to the Commission by ``security broker-
dealers'' on either the FOCUS report or the FOGS report. See id.
\182\ Id.
\183\ Form X-17A-5 must be filed within 17 business days after
the end of each calendar quarter, within 17 business days after the
end of the fiscal year where that date is not the end of a calendar
quarter, and/or monthly, in accordance with 17 CFR 240.17a-5,
240.17a-12, or 240.18a-7, as applicable. See Instructions to Form X-
17A-5, FOCUS Report, Part II, at 2, available at <a href="https://www.sec.gov/files/formx-17a-5_22.pdf">https://www.sec.gov/files/formx-17a-5_22.pdf</a>.
\184\ See supra note 127. For example, to assess whether it
exceeds the threshold for the calendar quarter ending Dec. 31, a
broker-dealer would divide its total assets reported Form X-17A-5,
FOCUS Report Part II, Item 940 for the quarter ending Dec. 31, and
divide that by the total assets of security brokers and dealers for
the third quarter (ending Sept. 30) of the same year, as obtained
from the Federal Reserve Board. If a broker-dealer reported $350
billion, $385 billion, $359 billion, and $386 billion in total
assets on its FOCUS reports for Q4 2022, Q3 2022, Q2 2022, and Q1
2022, respectively, the broker-dealer would divide its total assets
for each quarter by 5.07 trillion (for Q3 2022), $5.07 trillion (for
Q2 2022), $5.23 trillion (for Q1 2022), and $4.96 trillion (for Q1
2021), respectively. See infra note 185. The broker-dealer's total
assets as a percentage of the total assets of all security broker-
dealers would be 6.9% for Q4 2022, 7.6% for Q3 2022. 6.9% for Q2
2022, and 7.8% for Q1 2022. In all four quarters, the broker-dealer
would exceed the 5% threshold and therefore meet the definition of
SCI broker-dealer.
\185\ See Board of Governors of the Federal Reserve System (US),
Security Brokers and Dealers; Total Assets (Balance Sheet), Level
[BOGZ1FL664090663Q], retrieved from FRED, Federal Reserve Bank of
St. Louis; <a href="https://fred.stlouisfed.org/series/BOGZ1FL664090663Q">https://fred.stlouisfed.org/series/BOGZ1FL664090663Q</a>. The
total assets data from the Federal Reserve shows a sharp drop at the
time of the financial crisis, from Q3 2008 to Q4 2008. See id. More
recent data show total assets for all security-broker dealers for
purpose of the proposed denominator in recent quarters in trillion
dollars as follows: Q3 2022: 5.07 trillion; Q2 2022: $5.07 trillion;
Q1 2022: $5.23 trillion; Q4 2021: $4.96 trillion; Q3 2021: $5.05
trillion; Q2 2021: $4.94 trillion. See id.
\186\ The Federal Reserve Board data includes total assets
reported on both FOCUS and FOGS forms. Its use would result in a
conservative number of broker-dealers meeting the total assets
threshold (i.e., because elimination of FOGS data would reduce the
size of the denominator). The Commission solicits comment below on
whether another figure would be a more appropriate and useful
measure for determining if a broker-dealer is in the top 5% of all
broker-dealers in terms of its total assets, and if a percentage
threshold is better measure than a dollar measure.
---------------------------------------------------------------------------
If a firm meets or exceeds the threshold in two of the four
preceding calendar quarters, it would be required to comply with
Regulation SCI beginning six months after the end of the quarter in
which the SCI broker-dealer satisfied the proposed asset threshold for
the first time. Based on data from recent quarters, at the proposed
threshold, a broker-dealer registered with the Commission pursuant to
section 15(b) of the Exchange Act and having total assets on its
balance sheet in excess of approximately $250 billion in two of the
preceding four calendar quarters would be an SCI broker-dealer for as
long as it continued to satisfy the threshold.\187\
---------------------------------------------------------------------------
\187\ As a specific example, based on totals retrieved from FRED
(see supra note 127) a broker-dealer assessing its total assets in
Dec. 2022 would determine if that level exceeded 5% of total assets
in two of the preceding four quarters (approximately $253 billion,
$253 billion, $261 billion, and $248 billion, for Q3 of 2022, Q2 of
2022, Q1 of 2022, and Q4 of 2021, respectively). See also Banking
Interagency Paper, supra note 166 (applicable to banking
institutions having in excess of an average of $250 billion in total
assets).
---------------------------------------------------------------------------
The Commission believes that the proposed threshold of five percent
of total assets is a reasonable approach to identifying the largest
broker-dealers. In addition to its broad consistency with the approach
taken by banking regulators,\188\ this approach takes into
consideration the multiple roles that the largest broker-dealers play
in the U.S. securities markets. Not only do the largest broker-dealers
generate liquidity in multiple types of securities, but many also
operate multiple types of trading platforms.\189\ Further, entities
with assets at this level also take risk that they seek to hedge, in
some cases using ``central risk books'' for that and other purposes,
and engage in routing substantial order flow to other trading
venues.\190\ For these reasons, the
[[Page 23163]]
Commission believes that systems issues at firms having assets at this
level would have the potential to impact investors, the overall market,
and the trading of individual securities, and that therefore their
market technology should be subject to the requirements and safeguards
of Regulation SCI. The threshold is designed to be appropriately high
enough to ensure that only the largest broker-dealers are subject to
the obligations, and associated burdens and costs, of Regulation SCI.
It is also designed to be a relative measure that does not become
outdated over time, as the size of the overall market expands or
contracts.
---------------------------------------------------------------------------
\188\ See, e.g., supra notes 166 and 187 (discussing Banking
Interagency Paper).
\189\ For a broad discussion of these roles, see, e.g.,
Rosenblatt Securities, 2022 US Equity Trading Venue Guide (May 24,
2022) (discussing among other things the features of single-dealer
platforms for equity securities that are operated by broker-
dealers); Regulation of NMS Stock Alternative Trading Systems,
Securities Exchange Act Release No. 83663 (July 18, 2018), 83 FR
38768 at 38770-72 (Aug. 7, 2018) (discussing among other things the
operational complexity of multi-service broker-dealer with
significant brokerage and dealing activity apart from operation of
one or more ATSs).
\190\ See, e.g., Rosenblatt Securities, Central Risk Books: What
the Buy Side Needs to Know (Oct. 18, 2018) (stating that all of the
biggest bank-affiliated broker-dealers have some form of central
risk book and that the ``critical mass of order flow or principal
activity, spread across asset classes and regions'' may not justify
the operation of these books for smaller more focused firms). See
also Algorithmic Trading Report, supra note 3, at 41-42 (describing
central risk books as an important source of block liquidity). All
of the firms that satisfy the proposed total assets threshold also
satisfy at least one of the proposed trading activity thresholds.
See infra text accompanying note 219.
---------------------------------------------------------------------------
As noted, the proposed total assets threshold for SCI broker-
dealers would include a proposed time period measurement of ``at least
two of the four preceding calendar quarters.'' Requiring that the
threshold is met in two out of the four preceding quarters would help
mitigate the effect of a steep increase/decrease in total assets in any
individual quarter.
Further, this measurement is designed to capture only the broker-
dealers that are consistently at or above the proposed five percent
threshold, and would not include a broker-dealer that may have had an
anomalous quarterly increase, so that a short-term spike in total
assets uncharacteristic of the broker-dealer's overall total asset
history would not cause it to become subject to Regulation SCI.
Although the Commission is also proposing a time period measurement of
``at least four of the preceding six calendar months'' for the trading
activity thresholds discussed below (consistent with the time period
measurement for SCI ATSs),\191\ using a quarterly measure for the total
asset threshold is appropriate because FOCUS reports are required at
least quarterly for all broker-dealers and the proposed scaling measure
is one that is updated quarterly. Based on its analysis of FOCUS
reports during the period from Q4 2021 through Q3 2022, the Commission
estimates that five entities would exceed the proposed threshold (with
the fifth-ranked firm in each quarter reporting total assets in excess
of $300 billion, and all firms ranging from approximately seven to 14
percent of the total assets reported by the Federal Reserve Board for
the previous quarter), and further anticipates that this threshold
would result in little, if any, variation in which firms exceed the
threshold over the course of four calendar quarters.\192\
---------------------------------------------------------------------------
\191\ See Rule 1000 (definition of ``SCI ATS'') (providing a
time period measurement of ``at least four of the preceding six
calendar months'').
\192\ As with other entities that are SCI entities because they
satisfy a threshold (e.g., SCI ATSs), an SCI broker-dealer would no
longer be an SCI broker-dealer, and thus no longer be subject to
Regulation SCI, in the quarter when it no longer satisfies the total
assets test (i.e., it does not meet the threshold in two of the
previous four quarters). This assumes the broker-dealer also does
not meet or no longer satisfies the proposed transaction activity
threshold.
---------------------------------------------------------------------------
Proposed Transaction Activity Threshold
In the Commission's view, a broker-dealer's transaction activity is
another reasonable measure for estimating the significance of a broker-
dealer's role in contributing to fair and orderly markets. In several
asset classes, the transaction activity of each of a relatively small
number of broker-dealers constitutes a share of trading that could, if
affected by a systems issue, negatively impact fair and orderly
markets. For example, in NMS stocks, some broker-dealers constitute
significant concentrations of on-exchange trading, and some broker-
dealers execute off-exchange transactions at levels that rival or
exceed the volume of trading on current SCI entities.\193\ For listed
options, which are required to execute on a national securities
exchange, a small number of firms participate in a high proportion of
trades.\194\ Similarly, transaction reporting data for U.S. Treasury
Securities and Agency Securities reveal that a handful of broker-
dealers each represent a significant percentage of the average weekly
(for U.S. Treasury Securities) or daily (for Agency Securities) dollar
volume reported by FINRA (currently the only SRO to which such
transactions are reported).\195\
---------------------------------------------------------------------------
\193\ For example, in Sept. 2022, one broker-dealer executed a
greater proportion of shares in NMS stocks than all but two national
securities exchanges. See, e.g., FINRA, OTC Transparency Data,
available at <a href="https://otctransparency.finra.org/otctransparency">https://otctransparency.finra.org/otctransparency</a>;
CBOE, Historical Market Volume Data, available at <a href="https://www.cboe.com/us/equities/market_statistics/historical_market_volume/">https://www.cboe.com/us/equities/market_statistics/historical_market_volume/</a>.
\194\ As discussed further below in this section, the Commission
estimates that six firms would satisfy the 10% options transaction
activity threshold.
\195\ As discussed further below in this section, the Commission
estimates that four firms would satisfy the 10% U.S. Treasury
Security transaction activity threshold, and six firms would satisfy
the 10% Agency Security transaction activity threshold.
---------------------------------------------------------------------------
Accordingly, the Commission is proposing to include as an SCI
entity any registered broker-dealer that, irrespective of the size of
its balance sheet, consistently engages in transaction activity at a
substantially high level in certain enumerated asset classes, scaled as
a percentage of total average daily dollar volume over a specified time
period.\196\ If a significant systems issue at a broker-dealer that
meets the proposed thresholds were to occur, the concern is that its
effect would have widespread impact, for example, by impeding the
ability of other market participants to trade securities in one or more
of the identified asset classes, interrupting the price discovery
process, or contributing to capacity issues at other broker-dealers.
Further, if executions were delayed by a systems disruption in an SCI
broker-dealer's trading, order routing, clearance and settlement, or
market data system, due to the magnitude of the proposed covered
transaction activity in which these firms consistently engage, the
delay could have cascading effects disruptive to the broader
market.\197\
---------------------------------------------------------------------------
\196\ As discussed further below, the Commission proposes that
average daily dollar volume be the denominator used as the scaling
measure for each relevant asset class. See infra notes 211-217 and
accompanying text (discussing entities that currently and may in the
future receive and make available transaction reports, or aggregated
volume statistics in NMS stocks, exchange-listed options, U.S.
Treasury Securities, and Agency Securities).
\197\ For example, capacity constraints, whether due to risk
management, or operational capability limitations of systems, could
limit how much one broker-dealer could handle a sudden increase in
order flow from a large broker-dealer. For context, based on
analysis of data from the Consolidated Audit Trail, in 2022, two
large market makers in NMS stocks engaged in over-the counter
transactions (all purchases and all sales effected otherwise than on
a national securities exchange or ATS) having a total dollar volume
of at least $37 billion on most trading days; with at least a
quarter of trading days in 2022 having total dollar volume of $42.3
billion or more, and all trading days having an average total dollar
volume of $37.3 billion. Counting volume across all venues (all
purchases and all sales effected over-the counter, on a national
securities exchange, or on ATS), these figures for the same two
firms, respectively, are: at least $82.2 billion, ($67.6 marked as
principal/riskless principal) on most trading days; at least $97.1
billion ($83.7 billion marked as principal/riskless principal) on at
least a quarter of the trading days; and $83.5 billion ($69.4
billion marked as principal/riskless principal) as the average for
all trading days.
---------------------------------------------------------------------------
The proposed transaction thresholds are broadly similar across
different types of securities. However, because of differences in
market structure, there are notable differences in the application of
the thresholds across types of securities.
Regulation SCI currently applies to, among other entities, national
securities exchanges for both listed equities and listed options, and
to ATSs trading significant volume in NMS stocks. A national securities
exchange and an ATS are a type of ``trading center,'' as that term is
defined in 17 CFR 242.600 through 242.614 (``Regulation NMS'').\198\
For purposes of counting
[[Page 23164]]
transaction activity in NMS stocks, the proposed thresholds are
anchored to broker-dealer activity conducted on or as a trading center.
Therefore, the Commission is proposing, with respect to the transaction
thresholds for NMS stocks, to include broker-dealer activity on
national securities exchanges and NMS Stock ATSs, as well as broker-
dealer activity as a trading center. Broker-dealer activity ``as a
trading center'' refers in this context to trading activity in NMS
stocks not effected on a national securities exchange or on an ATS, but
by the broker-dealer, where the broker-dealer is the executing party,
either as principal or as agent.\199\ A similar distinction is not made
for exchange-listed options contracts because those transactions are
executed on a national securities exchange.\200\
---------------------------------------------------------------------------
\198\ Rule 600 of Regulation NMS defines the term trading center
to mean: a national securities exchange or national securities
association that operates an SRO trading facility, an alternative
trading system, an exchange market maker, an OTC market maker, or
any other broker or dealer that executes orders internally by
trading as principal or crossing orders as agent. 17 CFR
242.600(b)(95).
\199\ See 17 CFR 242.600(a)(95), defining ``trading center'' to
include, among other entities, ``an OTC market maker, or any other
broker or dealer that executes orders internally by trading as
principal or crossing orders as agent.''
\200\ In some cases, matching of orders for exchange-listed
options occur on an ATS, with matches then routed to one or more
national securities exchange for execution.
---------------------------------------------------------------------------
The ``trading center'' term in Regulation NMS applies only to NMS
securities; however, there exist today electronic venues for fixed
income securities that perform similar functions as trading centers and
that are equally important to investors to execute trades in fixed
income securities. Such electronic trading venues, particularly for
U.S. Treasury Securities and Agency Securities (where electronic
trading is prevalent \201\), have developed from a market structure in
which electronic bilateral trading was and continues to be important.
For this reason, the Commission is proposing to include under the SCI
broker-dealer threshold all trades for U.S. Treasury Securities and
Agency Securities in which a broker-dealer may participate.
---------------------------------------------------------------------------
\201\ See Government Securities ATS Reproposal, supra note 84.
---------------------------------------------------------------------------
As proposed, an ``SCI broker-dealer'' would include a broker-dealer
that, during at least four of the preceding six calendar months: (i)
with respect to transactions in NMS stocks, transacted average daily
dollar volume in an amount that equals ten percent (10%) or more of the
average daily dollar volume reported by or pursuant to applicable
effective transaction reporting plans, provided, however, that for
purposes of calculating its activity in transactions effected otherwise
than on a national securities exchange or on an alternative trading
system, the broker-dealer shall exclude transactions for which it was
not the executing party; (ii) with respect to transactions in exchange-
listed options contracts, transacted average daily dollar volume in an
amount that equals ten percent (10%) or more of the average daily
dollar volume reported by an applicable effective national market
system plan; (iii) with respect to transactions in U.S. Treasury
Securities, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the total average daily dollar
volume made available by the self-regulatory organizations to which
such transactions are reported; or (iv) with respect to transactions in
Agency securities, transacted average daily dollar volume in an amount
that equals ten percent (10%) or more of the total average daily dollar
volume made available by the self-regulatory organizations to which
such transactions are reported.\202\
---------------------------------------------------------------------------
\202\ The proposed definition of SCI broker-dealer does not
include a transaction activity threshold for equity securities that
are not NMS stocks and for which transactions are reported to an SRO
as a category in the proposed transaction activity threshold. The
size of this market, as currently measured, is substantially smaller
than the other asset classes enumerated. Based on its analysis of
data from the Consolidated Audit Trail, between Oct. 2021 and Sept.
2022, for example, the average daily dollar volume for this market
segment was approximately $2.6 billion. Nor do the proposed
amendments to Regulation SCI include Fixed Income ATSs or broker-
dealers that exceed a transaction activity threshold in corporate
debt or municipal securities. But see infra section III.A.3
(requesting comment on the matter).
---------------------------------------------------------------------------
The Commission proposes to add a definition of ``U.S. Treasury
Security'' and ``Agency Security'' to clarify how the transaction
activity threshold for these asset classes would operate.\203\ A ``U.S.
Treasury Security'' would mean a security issued by the U.S. Department
of the Treasury. ``Agency Security'' would mean a debt security issued
or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105,
or government-sponsored enterprise, as defined in 2 U.S.C. 622(8).
These definitions are designed to provide the scope of securities an
SCI broker-dealer must include when assessing whether it has satisfied
the proposed transaction activity threshold. The proposed definitions
are similar to and consistent with those in FINRA's rules,\204\ to
avoid confusion and facilitate the comparison between data used to
create the numerator and denominator when assessing whether a broker-
dealer surpassed the U.S. Treasury Security or Agency Security
transaction thresholds.
---------------------------------------------------------------------------
\203\ The Commission believes that the terms NMS stock and
exchange-listed options are currently well understood. See Rule 600
of Regulation NMS (defining the terms NMS stock and NMS security and
distinguishing NMS stocks from listed options on the basis of how
transaction reports are made available).
\204\ See FINRA Rules 6710(l) and 6710(p). FINRA Rule 6710 also
establishes which securities are eligible for transaction reporting
to the ``Trade Reporting and Compliance Engine'' (TRACE), which is
the automated system developed by FINRA that, among other things,
accommodates reporting and dissemination of transaction reports
where applicable.
---------------------------------------------------------------------------
As is the case currently for the thresholds applicable to SCI
ATSs,\205\ the proposed thresholds for SCI broker-dealers would include
a proposed time period measurement of ``at least four of the preceding
six calendar months.'' Specifically, the proposed time measurement
period is designed to capture broker-dealers that consistently meet the
proposed thresholds and not capture broker-dealers with relatively low
transaction activity that may have had an anomalous increase in trading
on a given day or few days. In other words, a short-term spike in
transaction activity uncharacteristic of a broker-dealer's overall
activity should not cause it to become subject to Regulation SCI; using
the proposed time period of at least four of the preceding six calendar
months would help ensure this.
---------------------------------------------------------------------------
\205\ See Rule 1000 (definition of ``SCI ATS'').
---------------------------------------------------------------------------
The proposed thresholds would generally take into account all of a
broker-dealer's transactions.\206\ The thresholds proposed are designed
to identify firms whose transaction activity is of such a magnitude
that a systems issue negatively impacting that activity could
contribute to a disruption in fair and orderly markets, and for which
the application of Regulation SCI is therefore appropriate.
---------------------------------------------------------------------------
\206\ As described further above and below, the proposed
threshold for NMS stocks would operate slightly differently.
---------------------------------------------------------------------------
With respect to NMS stocks, only transactions which the broker-
dealer (i) trades on a national securities exchange or an ATS, or (ii)
executes off of a national securities exchange or an ATS would be
counted. When a broker-dealer is the non-executing counterparty to an
off-exchange, non-ATS transaction that transaction would not be counted
for that broker-dealer.\207\ The purpose of this approach is to count
towards the threshold for NMS stocks broker-dealer activity on or as a
trading center.
---------------------------------------------------------------------------
\207\ The volume for that trade, as reported through an
effective transaction reporting plan, would still be included in the
overall calculation of market volume used as the denominator in
threshold calculations.
---------------------------------------------------------------------------
To assess whether it satisfies the proposed thresholds, a broker-
dealer would need to determine its average daily dollar volume in an
enumerated asset class each calendar month, and
[[Page 23165]]
divide that figure by the total reported average daily dollar volume
for that month. More specifically, its numerator would be the average
daily dollar volume during the calendar month, taking into account all
relevant purchase and sale transactions \208\ in which the broker-
dealer engaged during that calendar month, as determined by the broker-
dealer from information in its books and records, as required to be
kept pursuant to Exchange Act Rule 17a-3.\209\ The denominator would be
the total average daily dollar volume for each calendar month, as that
total is determined from one or more sources that receive and make
available transaction reports, or, as the case may be, aggregated price
and volume statistics.
---------------------------------------------------------------------------
\208\ For NMS stocks, this would exclude those purchases or
sales off-exchange and not effected through an ATS, in which the
broker-dealer was not the executing party. As specific examples,
when broker-dealer A routes a customer order to broker-dealer B for
routing and execution, and broker-dealer B executes the customer
order as principal or crosses it against another order it is
holding, the volume for that order would contribute towards the
threshold for broker-dealer B but not for broker-dealer A.
Similarly, if broker-dealer A sends an order to the single-dealer
platform operated by broker-dealer B, and broker-dealer B executes a
trade against that order, the volume would contribute towards the
threshold for broker-dealer B but not for broker-dealer A. For any
asset class, the proposed definition of SCI broker-dealer would not
exclude from a broker-dealer operator's transaction tally
transactions executed on its own ATS. For example, if the broker-
dealer operator trades as a participant on its ATS, or where a
broker-dealer operator acts as a counterparty to every trade on its
own ATS, its volume would be counted as trading activity of the
broker-dealer.
\209\ See 17 CFR 240.17a-3(a)(6) (requiring a broker-dealer to
keep a memorandum of each brokerage order given or received for the
purchase or sale of a security, to include the price at which the
order executed); 17 CFR 240.17a-3(a)(7) (requiring a memorandum of
purchases and sales of a security for its own account, to include
the price).
---------------------------------------------------------------------------
With respect to NMS stocks, information necessary to calculate the
denominator currently is available from the plan processors (i.e., the
SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. These Plans are
effective transaction reporting plans, and effective national market
systems plans.\210\ Following implementation of the Market Data
Infrastructure rules, the information necessary to calculate the
denominator would be available from a competing consolidator or may be
self-determined by a self-aggregator that obtains the information
pursuant to effective transaction reporting plans, as required by 17
CFR 242.601 (``Rule 601'' of Regulation NMS) and 17 CFR 242.603(b)
(``Rule 603(b)'' of Regulation NMS).\211\ For listed options, total
average daily dollar volume may be determined from consolidated
information made available by the plan processor of the OPRA Plan.\212\
---------------------------------------------------------------------------
\210\ See supra note 20 and infra note 211. See also infra note
262 (stating that an ATS that trades NMS stocks is subject to
Regulation SCI if its trading volume reaches: (i) 5% or more in any
single NMS stock and 0.25% or more in all NMS stocks of the average
daily dollar volume reported by applicable transaction reporting
plans; or (ii) 1% or more in all NMS stocks of the average daily
dollar volume reported by applicable transaction reporting plans).
\211\ With respect to NMS stocks, Rule 601 of Regulation NMS (17
CFR 242.601) requires national securities exchanges and national
securities associations to report transactions and last sale data
pursuant to an effective transaction reporting plan filed with the
Commission in accordance with 17 CFR 242.608 (``Rule 608'' of
Regulation NMS). See 17 CFR 242.601. The national securities
exchanges and FINRA comply with Rule 601 by satisfying the
requirements of Rule 603(b) of Regulation NMS (which requires the
national securities exchanges and FINRA to act jointly pursuant to
one or more effective national market system plans, to disseminate
consolidated information, including transactions, in NMS stocks).
Currently, transaction information is consolidated by the
(exclusive) plan processor of each effective national market system
plan (i.e., the CTA/CQ Plan and Nasdaq UTP Plan for NMS stocks). See
CTA Plan, available at <a href="https://www.ctaplan.com">https://www.ctaplan.com</a>; Nasdaq UTP Plan,
available at <a href="https://www.utpplan.com">https://www.utpplan.com</a>. After the implementation of
the Market Data Infrastructure rules (see Market Data Infrastructure
Adopting Release, supra note24) national securities exchanges and
FINRA will be required to provide transaction reports to competing
consolidators and/or self-aggregators pursuant to new effective
national market system plans that satisfy the requirements of Rule
603(b). Pursuant to 17 CFR 242.600(a)(14) (Rule 600(a)(14) of
Regulation NMS) the term ``competing consolidator'' means a
securities information processor required to be registered pursuant
to Rule 614 of Regulation NMS or a national securities exchange or
national securities association that receives information with
respect to quotations for and transactions in NMS stocks and
generates a consolidated market data product for dissemination to
any person. Pursuant to 17 CFR 242.600(a)(83) (Rule 600(a)(83) of
Regulation NMS) the term ``self-aggregator'' means a broker, dealer,
national securities exchange, national securities association, or
investment adviser registered with the Commission that receives
information with respect to quotations for and transactions in NMS
stocks, including all data necessary to generate consolidated market
data, and generates consolidated market data solely for internal use
(with a proviso that a self-aggregator may make consolidated market
data available to its affiliates that are registered with the
Commission for their internal use). See Market Data Infrastructure
Adopting Release, supra note 24 (providing a full discussion of
these terms). Following implementation of the Market Data
Infrastructure rules, a broker-dealer may obtain consolidated
average daily dollar volume from its chosen competing consolidator,
or independently calculate that figure itself, as a ``self-
aggregator.''
\212\ See OPRA Plan, available at <a href="https://www.opraplan.com">https://www.opraplan.com</a>.
---------------------------------------------------------------------------
With respect to U.S. Treasury Securities and Agency Securities,
total average daily dollar volume may be determined from information
made available by SROs to which transactions in U.S. Treasury
Securities and Agency Securities are reported. Currently there is only
one SRO to which this information is reported: FINRA.\213\ In
connection with its TRACE system, FINRA is currently the most complete
source of aggregate volume in U.S. Treasury Securities and Agency
Securities.\214\ Specifically, FINRA Rule 6750(a) requires FINRA to
disseminate information on Agency Securities, immediately upon receipt
of the transaction report.\215\ With respect to U.S. Treasury
Securities, information in TRACE regarding individual transactions is
for regulatory purposes only and is not disseminated publicly. However,
pursuant to FINRA Rule 6750, on March 10, 2020, FINRA began posting on
its website weekly, aggregate data on the trading volume of U.S.
Treasury Securities reported to TRACE, and the Commission recently
approved website posting of aggregate data more frequently (i.e.,
daily).\216\ Notwithstanding the transparency provided by FINRA/TRACE,
aggregate trading volume in U.S. Treasury and Agency securities does
not purport to reflect the whole of these markets, as aggregate volume
statistics are limited to volume reported by TRACE reporters, including
ATSs, registered-broker dealers that are members of FINRA, and
[[Page 23166]]
depository institutions meeting transaction volume thresholds in U.S.
Treasury Securities, agency-issued debt and mortgage-backed
securities.\217\
---------------------------------------------------------------------------
\213\ However, should a national securities exchange (an SRO)
trade U.S. Treasury or Agency Securities in the future, if
transaction reports are made available by that SRO, they would be
relevant to determining consolidated average daily dollar volume.
\214\ See FINRA, Trade Reporting and Compliance Engine (TRACE),
available at <a href="https://www.finra.org/filing-reporting/trace">https://www.finra.org/filing-reporting/trace</a>. FINRA
Rule 6730(a)(1) requires FINRA members to report transactions in
TRACE-Eligible Securities, which FINRA Rule 6710 defines to include
U.S. Treasury Securities and Agency Securities. For each transaction
in U.S. Treasury Securities and Agency Securities, a FINRA member
would be required to report the CUSIP number or similar numeric
identifier or FINRA symbol; size (volume) of the transaction; price
of the transaction (or elements necessary to calculate price);
symbol indicating whether transaction is a buy or sell; date of
trade execution (``as/of'' trades only); contra-party's identifier;
capacity (principal or agent); time of execution; reporting side
executing broker as ``give-up'' (if any); contra side introducing
broker (in case of ``give-up'' trade); the commission (total dollar
amount), if applicable; date of settlement; if the member is
reporting a transaction that occurred on an ATS pursuant to FINRA
Rule 6732, the ATS's separate Market Participant Identifier
(``MPID''); and trade modifiers as required. For when-issued
transactions in U.S. Treasury Securities, a FINRA member would be
required to report the yield in lieu of price. See FINRA Rule
6730(c).
\215\ See FINRA Rule 6750(a).
\216\ See Securities Exchange Act Release No. 95438 (Aug. 5,
2022), 87 FR 49626 (Aug. 11, 2022) (Order Approving a Proposed Rule
Change to Amend FINRA Rule 6750 Regarding the Publication of
Aggregated Transaction Information on U.S. Treasury Securities). The
implementation date for these TRACE enhancements for U.S. Treasury
Securities was Feb. 13, 2023, at which point the weekly data reports
were replaced with daily and monthly reports. Using daily reports of
U.S. Treasury Security data, broker-dealers should have the
information necessary to complete the calculations needed to assess
if they satisfy the proposed threshold.
\217\ See Federal Reserve Board, Agency Information Collection
Activities: Announcement of Board Approval Under Delegated Authority
and Submission to OMB (Oct. 21, 2021) 86 FR 59716 (Oct. 28, 2021).
---------------------------------------------------------------------------
Counting all relevant purchases and sales from all broker-dealers
may result in counting a transaction more than once across the market,
and would sum to total volume across broker-dealers that exceeds what
is reported pursuant to the relevant plans or SRO. Similarly, summing
the percentages that result from dividing the total activity of each
broker-dealer by the total volume reported by the relevant plans or SRO
would result in a value greater than 100 percent.\218\ Accordingly, the
proposed ten percent (10%) transaction activity thresholds for
measuring a broker-dealer's significance in the markets are not market
share thresholds analogous to the current SCI ATS volume thresholds.
However, because the types of transactions proposed to be counted are a
measure of a broker-dealer's size and significance, it is particularly
useful if that measure continues to reflect significant activity as the
size of the overall market expands or contracts and remains stable
relative to a recognizable measure so that it does not become outdated
over time. Therefore, the Commission proposes as a denominator a
measure that would scale each broker-dealer's average daily dollar
transaction volume to consolidated average daily dollar transaction
volume, the latter being determinable from information reported by, or
made available by or pursuant to, applicable effective transaction
reporting or national market system plans or self-regulatory
organizations, as described above.
---------------------------------------------------------------------------
\218\ Transaction reporting systems generally report volume for
trades, rather than volume for purchase and sales separately.
Consequently, adding up the total purchase and sale activity for all
broker-dealers will not equal the total volume reported through
these systems. For example, a trade for 100 shares of an NMS stock
between two broker-dealers on a national securities exchange would
be reported by the effective transaction reporting plan as 100
shares, even though one broker-dealer bought 100 shares and another
sold 100 shares. Similarly, because broker-dealers often trade with
customers, doubling the transaction volume reported through these
systems does not provide an accurate measure of total broker-dealer
purchase and sale activity. After the implementation of the Market
Data Infrastructure rules (see Market Data Infrastructure Adopting
Release, supra note 24) national securities exchanges on which NMS
stocks are traded and FINRA, each of which is required by Rule 601
of Regulation NMS to file a transaction reporting plan in accordance
with Rule 608 of Regulation NMS, will be further required, pursuant
to Rule 603(b) of Regulation NMS, to make available to all competing
consolidators and self-aggregators its information with respect to
quotations for and transactions in NMS stocks, including all data
necessary to generate consolidated market data. Following
implementation of the Market Data Infrastructure rules, a broker-
dealer may determine average daily dollar volume from information
provided by its chosen competing consolidator, or independently
calculate that figure itself, as a ``self-aggregator.''
---------------------------------------------------------------------------
Any broker-dealer that transacts, as proposed, ten percent (10%) or
more of the average daily dollar volume in an enumerated asset class,
during at least four of the preceding six calendar months would be an
SCI broker-dealer. The proposed trading activity thresholds are
designed to measure the size of a broker-dealer's footprint in the
market in terms that provide a method for assessing the size of its
footprint as the market grows (or shrinks). In this way, the proposed
thresholds identify broker-dealers by their transaction activity as
compared to a consistent measure of market volume, and give a sense of
the size and significance of a broker-dealer activity in the markets in
a manner that should not become outdated over time.
The Commission also believes that a threshold of ten percent (10%)
or more in the identified asset classes is appropriately high enough to
apply Regulation SCI only to the large broker-dealers on which the
maintenance of fair and orderly markets depend. The Commission
estimates that 17 entities would satisfy one or more of the proposed
transaction activity thresholds (the same five entities identified by
the total assets threshold plus 12 additional entities).\219\ In sum,
the Commission believes that the proposed total assets threshold and
transaction activity thresholds are appropriate measures for
identifying broker-dealers that would pose a substantial risk to the
maintenance of fair and orderly markets in the event of a systems
issue.
---------------------------------------------------------------------------
\219\ See supra text accompanying notes 189-190.
---------------------------------------------------------------------------
SCI broker-dealers would not have to comply with the requirements
of Regulation SCI until six months after the end of the quarter in
which the SCI broker-dealer satisfied the proposed asset threshold for
the first time, or six months after the end of the month in which the
SCI broker-dealer satisfied one of the proposed activity thresholds for
the first time. The Commission believes this is an appropriate amount
of time for firms to come into compliance with Regulation SCI.
iv. Proposed Revision to Definition of ``SCI Systems'' for Certain SCI
Broker-Dealers; SCI Entities Trading Multiple Asset Classes, Which May
Include Crypto Asset Securities
In conjunction with the proposed inclusion of SCI broker-dealers as
SCI entities, the Commission proposes to limit the definition of ``SCI
systems'' for an SCI broker-dealer that qualifies as an SCI entity only
because it satisfies a transaction activity threshold. Specifically,
the Commission is proposing to revise the definition of ``SCI systems''
to add a limitation that states, ``provided, however, that with respect
to an SCI broker-dealer that satisfies only the requirements of
paragraph (2) of the definition of `SCI broker-dealer,' such systems
shall include only those systems with respect to the type of securit
[…truncated; see source link]Indexed from Federal Register on April 14, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.