Reg SCI Gets A 'Yes But' From SEC Commissioner Aguilar

March 8, 2013

Official portrait of Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar. (Photo credit: Wikipedia)

On March 7, 2013, the SEC proposed Regulation SCI ("Reg SCI"), a scheme of new rules requiring certain key market participants to have comprehensive policies and procedures in place surrounding their technological systems. In lieu of the current voluntary system of compliance, Reg SCI (which stands for "Systems, Compliance and Integrity") would require that self-regulatory organizations ("SROs"), certain alternative trading systems, plan processors, and certain exempt clearing agencies carefully design, develop, test, maintain, and surveil systems that are integral to their operations. Such market participants would be required to ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events. The SEC will seek public comment on Reg SCI for 60 days following its publication in the Federal Register.

Aguilar Speaks

In taking the vote in favor of the proposal, on March 7, 2013, Commissioner Luis A. Aguilar offered his comments, which are now published online: "Developing Solutions to Ensure that the Automated Systems of Our Marketplace are Secure, Robust, and Reliable." Commissioner Aguilar's remarks begin with this admonition (footnote omitted):

In recent years, the securities markets have undergone significant changes, and none has had more impact than the development of technology systems with ever-increasing speed and capacity. These systems are so fast that, in a blink of an eye, millions of trades can take place and billions of dollars can be transferred from buyers to sellers. Unfortunately, these systems can just as quickly become a destructive force with devastating consequences.

In making his case, Aguilar reminds us of the following incidents (footnotes omitted):

  • The Flash Crash of May 6, 2010. During the flash crash, in just a matter of minutes, certain equities experienced severe price movements - both up and down - with more than 20,000 trades in over 300 securities executed at prices more than 60% away from their market values. In just a few minutes, nearly $1 trillion in market value evaporated, before making a partial recovery.
  • The October 2011 system errors at Direct Edge exchanges where, in just over four minutes, the exchanges caused about 27 million shares of excess trading. These shares had an approximate market value of $773 million across roughly one thousand securities. The exchanges realized a net loss of $2.1 million in connection with the positions that were assumed and liquidated. The Commission sanctioned the Direct Edge entities for violations of the federal securities laws. In its Order, the Commission noted that the "violations occurred against the backdrop of weaknesses in Respondents' systems, processes, and controls."
  • Knight Capital Group Inc.'s $440 million trading loss in August 2012. In just 45 minutes, Knight Capital's computers rapidly bought and sold millions of shares. Those trades pushed the value of many stocks up, and the company's losses appear to have occurred when it had to sell the overvalued shares back into the market at a lower price. As a result, Knight Capital lost approximately $10 million per minute, almost had to go into bankruptcy, and subsequently agreed to be purchased.
  • The systems issues associated with the initial public offerings of BATS Global Markets, Inc., and Facebook, Inc., in March and May 2012, respectively. As a result of systems issues, the BATS IPO was abandoned, and the Facebook fiasco resulted in NASDAQ offering up to $62 million to accommodate members for losses attributable to the systems issues.
  • The recent admission by BATS that, for a period of more than four years, its computer systems for two equity exchanges and an options platform allowed trades to take place at prices that violated the Commission's regulations, which require exchanges to ensure that investors receive the best price.

Regulation By Wish

In my opinion, since 1989, the SEC has largely abandoned the meaningful oversight of systemic risk to the markets from high frequency trading, algorithms, and the like. Instead of doing whatever it takes to stay ahead of what has often proven to be disruptive marketplace innovation, the SEC seems to have adopted the scout's honor system. As Aguilar's above bullet-points underscore, the promise by self-regulatory organizations to voluntarily police the adequacy of systems capacity and vulnerability has been a disaster. That we survived the Flash Crash, several mini-Crashes, and the likes of Knight's and BATS meltdowns should not be attributed to sound regulation but to sheer luck. Throwing pennies into the fountain of NASDAQ or the NYSE and making a wish hardly strikes me as a sensible regulatory regimen. As Aguilar candidly concludes, "Clearly, the voluntary program has failed, as the above examples illustrate."

In setting forth the pros of Reg SCI, Aguilar seems to applaud the cessation of the failed honor system of voluntary SRO compliance and the imposition of codified regulations, which, he believes, will:

(i) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems have adequate levels of capacity, integrity, resiliency, availability, and security to maintain the entity's operational capability and promote the maintenance of fair and orderly markets;

(ii) mandate participation in scheduled testing of the operation of the entity's business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other entities; and

(iii) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that entities submit all required written notifications and reports to the Commission electronically using new proposed Form SCI. These are all welcomed improvements.

Good Isn't Good Enough?

Alas, as has been the case with far too much frequency in recent years, it seems that the SEC commissioners can't agree on whether good is good enough.  Read: "Can The Securities And Exchange Commission Order Lunch?" (Street Sweeper, July 12, 2012). Despite praising the move from voluntary standards to regulations, Aguilar hedges his optimism:

However, although this is a positive step in the right direction, I am concerned that today's rule proposal does not

  • Mandate compliance with a specific set of Commission-identified minimum standards to ensure that entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure that the entity's systems provide adequate levels of capacity, integrity, resiliency, availability, and security. While the rule proposal provides a set of model policies and procedure for entities to consider, it fails to require minimum standards for policies and procedures. As a result, the rule proposal may not provide enough assurance that the resulting policies and procedures will meet the goals of the rule.
  • Require that an external review of compliance with Regulation SCI be conducted on a periodic basis by an independent third party in order to reduce the risk of conflicts of interests. Simply stated, an internal review may not be as robust and complete due to competing internal business pressures.
  • Provide for an entity's senior officers to certify, in writing, that (i) the entity has processes in place to establish, document, maintain, review, test, and modify controls reasonably designed to achieve compliance with Regulation SCI; and (ii) that the annual budget and staffing levels are adequate for the entity to comply with its obligations under Regulation SCI. As Congress noted in connection with the CEO and CFO Certifications mandated by Section 302 of the Sarbanes-Oxley Act of 2002, "managers should be held accountable for the representations made by their company." I believe that senior officer certifications would be an important tool to ensure compliance with today's proposed rule.

Too Safe A Harbor

From my perspective, it seems that the SEC is consistent in demonstrating its inability to craft timely, workable responses to evolving market threats.  As my long record of criticism of our nation's failed Wall Street regulatory system reflects, this is not a new phenomenon and not one that I believe will be addressed within the framework of our hodgepodge system of federal, state, and self-regulatory regulation - which I see as little more than entrenched silos, back-biting, and inefficient oversight.

That being said, Aguilar sounds his own alarm about Reg SCI, pointing to what he deems a wrong-minded inclusion of a safe harbor for entities and their employees. This purported safe harbor provision would likely offer some degree of immunization from prosecution for potential targets able to demonstrate that they had established and maintained policies and procedures that are reasonably designed to comply with Regulation SCI. In and of itself, this is not a particularly novel provision; to the contrary, it is the essence of how these things typically work. Notwithstanding my characterization, Aguilar makes much ado about having been:

told by senior staff that the Commission has never previously included an explicit safe harbor in a Commission rule requiring that regulated entities maintain policies and procedures designed to achieve a particular objective.

In my view, an unprecedented safe harbor in a rule that does not require clear, identifiable, and meaningful standards, and that does not require policies and procedures to be reviewed by an independent third party and certified by senior officers, will result in a rule proposal that falls short of its goal - which is to ensure that our capital markets develop and maintain appropriate systems.

The rule proposal asks a number of important questions that were incorporated at my request to solicit comments from the public. These questions were designed to generate information and assist the Commission in thinking through issues associated with the rule proposal. This is an important part of the Commission's rulemaking process, which is based on a "notice and comment" procedure. I hope that the comments generated will help make this a better rule.

Bill Singer's Comment

Okay, so - we now seem back to what I have often described as a "Yes But" position.

Aguilar favors codified oversight  for today's evolving high tech markets but doesn't like the inclusion of the rumored safe harbor provision based merely upon a reasonableness standard in lieu of more defined benchmarks subject to at least an independent third party's review.  Frankly, I hear the good commissioner's concerns and am persuaded by them.  All of which led me to anticipate that Aguilar was not going to vote to approve the proposed SCI.

Hey, what do I know?  Here's how he put it:

Despite my concerns, I am willing to support today's rule proposal because Regulation SCI would apply to more entities than the Commission's current ARP Inspection Program, and the proposed rule would place obligations on entities not currently included in the Commission's ARP policy statements. The havoc caused by recent events highlight the need to have an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets maintain systems with sufficient integrity, resiliency, and security. Although, I have concerns, I am hopeful they will be addressed at the adoption stage. By then, we should have a full five-member Commission.

Oh my, Yes But.  Okay . . . however, all this equivocation leaves me a tad uneasy.  When the best that a sitting SEC commissioner can say is that he is "hopeful" that concerns about a proposed rule will be addressed in the future, that's not what I would call a bedrock upon which to build much industry or investor confidence.  Sounds more like the theme song to Pinocchio than the way the SEC should be operating.  Wishing upon a star is not the way to regulate Wall Street.