On March 7, 2013, the SEC proposed Regulation SCI ("Reg SCI"), a scheme of new rules requiring certain key market participants to have comprehensive policies and procedures in place surrounding their technological systems. In lieu of the current voluntary system of compliance, Reg SCI (which stands for "Systems, Compliance and Integrity") would require that self-regulatory organizations ("SROs"), certain alternative trading systems, plan processors, and certain exempt clearing agencies carefully design, develop, test, maintain, and surveil systems that are integral to their operations. Such market participants would be required to ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events. The SEC will seek public comment on Reg SCI for 60 days following its publication in the Federal Register.
In taking the vote in favor of the proposal, on March 7, 2013, Commissioner Luis A. Aguilar offered his comments, which are now published online:Developing Solutions to Ensure that the Automated Systems of Our Marketplace are Secure, Robust, and Reliable. Commissioner Aguilar's remarks begin with this admonition (footnote omitted):
In recent years, the securities markets have undergone significant changes, and none has had more impact than the development of technology systems with ever-increasing speed and capacity. These systems are so fast that, in a blink of an eye, millions of trades can take place and billions of dollars can be transferred from buyers to sellers. Unfortunately, these systems can just as quickly become a destructive force with devastating consequences.
In making his case, Aguilar reminds us of the following incidents (footnotes omitted):
In my opinion, since 1989, the SEC has largely abandoned the meaningful oversight of systemic risk to the markets from high frequency trading, algorithms, and the like. Instead of doing whatever it takes to stay ahead of what has often proven to be disruptive marketplace innovation, the SEC seems to have adopted the scout's honor system. As Aguilar's above bullet-points underscore, the promise by self-regulatory organizations to voluntarily police the adequacy of of systems capacity and vulnerability has been a disaster. That we survived the Flash Crash, several mini-Crashes, and the likes of Knight's and BATS meltdowns should not be attributed to sound regulation but to sheer luck. Throwing pennies into the fountain of NASDAQ or the NYSE and making a wish hardly strikes me as a sensible regulatory regimen As Aguilar candidly concludes, "Clearly, the voluntary program has failed, as the above examples illustrate."
In setting forth the pros of Reg SCI, Aguilar seems to applaud the cessation of the failed honor system of voluntary SRO compliance and the imposition of codified regulations, which, he believes will:
(i) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems have adequate levels of capacity, integrity, resiliency, availability, and security to maintain the entity's operational capability and promote the maintenance of fair and orderly markets;
(ii) mandate participation in scheduled testing of the operation of the entity's business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other entities; and
(iii) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that entities submit all required written notifications and reports to the Commission electronically using new proposed Form SCI. These are all welcomed improvements.
Alas, as has been the case with far too much frequency in recent years, it seems that the SEC commissioners can't agree on whether good is good enough. Read: "Can The Securities And Exchange Commission Order Lunch?" (Street Sweeper, July 12, 2012). Despite praising the move from voluntary standards to regulations, Aguilar hedges his optimism:
However, although this is a positive step in the right direction, I am concerned that today's rule proposal does not
From my perspective, it seems that the SEC is consistent in demonstrating its inability to craft timely, workable responses to evolving market threats. As my long record of criticism of our nation's failed Wall Street regulatory system reflects, this is not a new phenomenon and not one that I believe will be addressed within the framework of our hodgepodge system of federal, state, and self-regulatory regulation - which I see as little more than entrenched silos, back-biting, and inefficient oversight.
That being said, Aguilar sounds his own alarm about Reg SCI, pointing to what he deems a wrong-minded inclusion of a safe harbor for entities and their employees. This purported safe harbor provision would likely offers some degree of immunization from prosecution for potential targets able to demonstrate that they had established and maintained policies and procedures that are reasonably designed to comply with Regulation SCI. In and of itself, neither a particularly novel provision; to the contrary, it is the essence of how these things typically work. Notwithstanding my characterization, Aguilar makes much ado about having been:
told by senior staff that the Commission has never previously included an explicit safe harbor in a Commission rule requiring that regulated entities maintain policies and procedures designed to achieve a particular objective.
In my view, an unprecedented safe harbor in a rule that does not require clear, identifiable, and meaningful standards, and that does not require policies and procedures to be reviewed by an independent third party and certified by senior officers, will result in a rule proposal that falls short of its goal - which is to ensure that our capital markets develop and maintain appropriate systems.
The rule proposal asks a number of important questions that were incorporated at my request to solicit comments from the public. These questions were designed to generate information and assist the Commission in thinking through issues associated with the rule proposal. This is an important part of the Commission's rulemaking process, which is based on a "notice and comment" procedure. I hope that the comments generated will help make this a better rule.
Okay, so - we now seem back to what I have often described as a "Yes But" position.
Aguilar favors codified oversight for today's evolving high tech markets but doesn't like the inclusion of the rumored safe harbor provision based merely upon a reasonableness standard in lieu of more defined benchmarks subject to at least an independent third party's review. Frankly, I hear the good commissioner's concerns and am persuaded by them. All of which led me to anticipate that Aguilar was not going to vote to approve the proposed SCI.
Hey, what do I know? Here's how he put it:
Despite my concerns, I am willing to support today's rule proposal because Regulation SCI would apply to more entities than the Commission's current ARP Inspection Program, and the proposed rule would place obligations on entities not currently included in the Commission's ARP policy statements. The havoc caused by recent events highlight the need to have an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets maintain systems with sufficient integrity, resiliency, and security. Although, I have concerns, I am hopeful they will be addressed at the adoption stage. By then, we should have a full five-member Commission.
Oh my, Yes But. Okay . . . however, all this equivocation leaves me a tad uneasy. When the best that a sitting SEC commissioner can say is that he is "hopeful" that concerns about a proposed rule will be addressed in the future, that's not what I would call a bedrock upon which to build much industry or investor confidence. Sounds more like the theme song to Pinocchio than the way the SEC should be operating. Wishing upon a star is not the way to regulate Wall Street.