The Securities and Exchange Commission (SEC) has recently proposed Regulation Systems Compliance and Integrity (Reg SCI), which would apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (ATSs), plan processors, and exempt clearing agencies subject to the commission’s Automation Review Policy (collectively, SCI entities), and would require these entities to comply with requirements regarding their automated systems that support the performance of their regulated activities.
In its proposal released on March 7, 2013, the SEC preliminarily estimated that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be 133,482 hours and the total one-time initial cost would be $2.6 million. The SEC also preliminarily estimated that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be 117,258 hours and the total annual ongoing cost would be $738,400.
As explained by Commissioner Luis A. Aguilar, the proposed rule would move beyond the current voluntary program and require entities to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security to maintain the entity’s operational capability and promote the maintenance of fair and orderly markets; to participate in scheduled testing of the operation of the entity’s business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other entities; and, finally, to make, keep, and preserve records relating to the matters covered by Regulation SCI and provide them to SEC representatives upon request.
Recent events prompted the SEC into action. On May 6, 2010, the prices of many U.S.-based equity products experienced an extraordinarily rapid decline and recovery, with major equity indices in both the futures and securities markets, each already down over four percent from their prior day close, suddenly plummeting a further five to six percent in a matter of minutes before rebounding almost as quickly. According to the May 6 Staff Report (published on September 30, almost five months after the incident), many individual equity securities and exchange traded funds suffered similar price declines and reversals within a short period of time, falling 5%, 10%, or even 15% before recovering most, if not all, of their losses. The May 6 Staff Report stated that some equities experienced even more severe price moves, both up and down, with over 20,000 trades in more than 300 securities executed at prices more than 60 percent away from their values just moments before.
Both before and after the May 6, 2010 incident, individual markets also experienced other systems-related issues. In February 2011, NASDAQ revealed that hackers had penetrated certain of its computer networks, though NASDAQ reported that at no point did this intrusion compromise its trading systems.
In October 2011, the SEC sanctioned EDGX and EDGA, two national securities exchanges run by Direct Edge, for violations of federal securities laws arising from systems incidents. In the Direct Edge order, the SEC noted that the “violations occurred against the backdrop of weaknesses in respondents’ systems, processes, and controls.”
More recently, in 2012, systems issues hampered the initial public offerings of BATS Global Markets and Facebook. On March 23, 2012, BATS announced that a “software bug” caused BATS to shut down the IPO of its own stock, BATS Global Markets. On May 18, 2012, issues with NASDAQ’s trading systems delayed the start of trading in the high-profile IPO of Facebook and some market participants experienced delays in notifications over whether orders had been filled.
While these are illustrative high-profile examples, they are not the only instances of disruptions and other systems problems experienced by SROs and ATSs. Moreover, as pointed out by John J. Rapa, Tellefsen and Company’s Chief Executive Officer, market-impacting events such as those above can be neither easily foreseen nor adequately tested for; the next major headline event will not necessarily be the same as these. That’s why Commissioner Aguilar’s observation regarding the need to request senior officers to certify, in writing, that entities have processes in place to establish, document, maintain, review, test, and modify controls reasonably designed to achieve compliance, and that the annual budget and staffing levels are adequate for the entity to comply with its obligations, is appropriate at this time when the SEC is eager to restore trust in the markets.
The Sarbanes-Oxley Act of 2002, section 302, “Corporate Responsibility for Financial Reports,” requires the CEO and CFO of publicly traded companies to certify the appropriateness of their financial statements and disclosures and to certify that they fairly present, in all material respects, the operations and financial condition of the company. That was not the first time, and won’t be the last time either, that executive management had been asked to provide some form of assurance on the overall financial statements or the details and assertions that underlie the statements.
While it remains to be seen whether this type of certification statement, signed, notarized, and available for public view, would be the final and necessary measure to assure the public that management would take full responsibility, and be held legally accountable, its mere existence would put the onus on CTOs and CIOs to go beyond rubber-stamping their staff’s decisions and declarations. It is not about having the most sophisticated kill switch in trading entities’ infrastructure; it is about management defining and constantly monitoring the appropriate criteria by which these switches will be activated. Indeed, conventional wisdom suggests that when people know they can and will be held accountable for their actions, their behaviors change. Furthermore, these new rules should make it easier for government officials to make fraud cases against executives found to have intentionally filed false certifications under perjury charges.
As Professors Ronald E. Marden, Randal K. Edwards, and William D. Stout admit in the CPA Journal, some might question the additional value of these certifications in the same way they questioned the Sarbanes-Oxley Act. Enforcement of the laws is what is important, not the public relations value of a few more signatures on a certificate of integrity. Indeed, enforcement of these laws is what will bring out the added value of any statement. Enforcement actions against those who perpetrated fraud in these cases will go a long way toward restoring investor confidence.
Edgar Perez is author of The Speed Traders: An Insider’s Look at the New High-Frequency Trading Phenomenon That is Transforming the Investing World (McGraw-Hill Inc., 2011), 交易快手： 透视正在改变投资世界的新兴高频交易 (China Financial Publishing House, 2012), Investasi Super Kilat: Pandangan Orang dalam tentang Fenomena Baru Frekuensi Tinggi yang Mentransformasi Dunia Investasi (Kompas Gramedia, 2012), and the forthcoming Knightmare on Wall Street, The Knight Capital Story. Mr. Perez is on Facebook (https://www.facebook.com/AmericasUltimateNetworker), Twitter (http://twitter.com/mredgarperez) and Weibo (http://www.weibo.com/edgarperez).